Getting Started with Carbon Black Managed Detection and Response

Introduction

This document will provide you with: 

• An overview of MDR functionality and what it provides you. 
• The information needed to set up your Carbon Black Cloud environment for Managed Detection and Managed Detection and Response. 
• Details on communications with the MDR team and threat containment actions & circumstances. 
• Links to additional resources. 

Managed Detection & Response Overview

VMware Carbon Black Managed Detection (MD) and Managed Detection and Response (MDR) augments your SOC or IT team’s efficacy, efficiency, and expertise.  This document will ensure that your Carbon Black Cloud environment is set up to maximize the value of MD or MDR to your organization.  

VMware Carbon Black Managed Detection augments your SOC or IT team with around the clock coverage, triage, and investigation of your most critical CB Analytics alerts generated by Endpoint Standard.  Managed Detection analysts will provide your team with valuable context on likely threats, saving you money and time and protecting your reputation.  Managed Detection and Response offers the functionality of MD while also enabling you to contain the threat 24/7 and allow your team to leverage our expertise during your response and remediation through 2-way email communication with our MDR team.  To learn more read our blog  MD v. MDR – Understanding the Difference. 

Setting up your Carbon Black Cloud environment for MD and MDR

Setting up MD and MDR can be done from the Carbon Black Cloud console in two easy steps: 

Step 1: Configure Notifications 

From the Carbon Black Cloud Console, select Settings -> Managed Detection.

Add individuals or group distribution lists, selecting which communications they should receive. More information about each type of notification and recommended recipients, refer to Communications section.

Step 2: Configure Containment Actions (MDR Only) 

From the Carbon Black Cloud Console, select Enforce -> Policies 

For each policy, determine which containment actions you’d like to authorize the MDR Analyst team to perform.  By default, MDR analysts can ban hashes of malicious processes in your environment. More information about MDR’s containment workflow can be found in the MDR Threat Containment Actions and Circumstances section below. 

Communications

• Welcome Email - New customers will receive a detailed welcome email with additional information to help you get started with MD or MDR. If you don't see it shortly after purchase, you can find the contents on the Carbon Black User Exchange or reach out to support! 
• "Alerts" - When we find a likely threat in your environment, we’ll provide detailed context and recommendations. Managed Detection and Response customers can respond to these emails to initiate 2-way communications with Carbon Black’s team of threat experts. This is recommended for SOC analysts or IT team members. 
  • We’ll only email you when we find a likely, actionable threat in your environment to help your SOC focus on the most critical alerts. For information on alerts the team has determined to be an unlikely threat, read the Daily Summary. 
• "Daily Summary" - A daily email with a list of likely threats and summary of unlikely threats from the past day. This is recommended for SOC or IT managers. 
• "Monthly Reports" - Monthly report with threat advisories as well as key metrics and trends from your environment. This is recommended for SOC or IT managers as well as CISOs or CIOs. 

MDR Threat Containment Actions and Circumstances

• MDR analysts identify the existence of a threat and confirm with senior team members. 
• Potential actions are proposed for containment of the threat, with two approvals required by senior team members for each action. 
• The minimum actions needed to contain the threat will be used to reduce the risk of business system impact; for example, quarantine is used as a last resort, only when appropriately necessary for threat containment. 
• Any policy modifications implemented will be targeted to the threat to eliminate negative impact to the systems affected but also be effective in containing the threat. 
  • Each policy modification is confirmed to be efficacious and tested by senior team members before implementation to ensure unwanted blocks will not occur. 
  • The MDR team will clone the infected system’s original policy to a policy marked as modified by the MDR team.  The MDR team will then modify the new policy with the containment policy rules and move the infected system(s) to the new policy. 
• All actions taken by the MDR team will be communicated in detail to the customer via email. 
• Two-way communication can be initiated by replying to the initial alert email sent by the MDR team. 
• All actions taken by the MDR team can be reversed by the customer. 

Additional Resources

• MDR Data Sheet: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-ds-crbn-black-mngd-dtcn-rspn.pdf 
• MD vs MDR Blog: https://carbonblack.vmware.com/blog/md-vs-mdr-understanding-difference  
• MD/R Analyst Blogs 
  • The Evolution of the Chromeloader Malware 
  • Detecting Log4j in the Carbon Black Console 
  • Wild Blue Yonder: VMware Carbon Black Managed Detection and Response Dissects Bluekeep Windows exploit  
• Carbon Black User Exchange, MD/R Welcome Email & Discussion: https://community.carbonblack.com/t5/Managed-Detection-Discussions/Getting-Started-with-Managed-Detection-and-Response/m-p/105514