FireMon Asset Manager
Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Real-time Network Visibility and Endpoint Detection & Response
The integration of Carbon Black Endpoint Detection and Response capabilities to Spectre enables you to know whether hosts on your enterprise network are either unmanaged by Carbon Black or unknown to Spectre. The integration enables a "deep-link" context switch from Spectre to the Carbon Black UI, where the user can contain, isolate. and remediate "undefended" endpoints that are vulnerable to cyber attacks. The Carbon Black EDR solution continuously records, centralizes and retains activity from every endpoint to identify attacks and keep a history of an attacker's every action. Spectre's index of all network devices ensures that Carbon Black is aware of all endpoints requiring deployment of the EDR software, so you can ensure 100% coverage to all hosts.

How Does It Work?

Lumeta Spectre accesses the API of Carbon Black (at a polling interval set by the user) and retrieves the inventory of hosts, servers, and other enpoint systems ("Carbon Black managed endpoints").

Lumeta Spectre correlates this inventory against Spectre's authoritative index of IP address space- comparing to advise Carbon Black of any devices where it doesn't see a Carbon Black endpoint indicated on the device, as those would be "undefended/unmanaged" endpoints.

Lumeta Spectre highlights the differences and commonalities into views:

  • Spectre Only IPs: IP addresses Lumeta Spectre knows about, but are unmanaged by Carbon Black
  • Carbon Black Only IPs: IP addresses Carbon Black knows about, but are unknown to Lumeta (e.g., if Lumeta does not have access to a network or an off-network device, but Carbon Black is still aware of the client agent)
     
  • Carbon Black and Spectre Managed IPs: IP addresses both Lumeta and Carbon Black know about.
     

This information is available in Lumeta Spectre via the Endpoint Management Dashboard, as well as reports and maps, facilitating identification and remediation of vulnerable and compromised endpoints.

In reviewing the data on the Spectre dashboard, users can view Device Details. If the user selects Endpoint Context/Action, it will redirect to the Carbon Black UI where the user can take action to restart, remove, sync, or isolate an endpoint.
 
 

Configuring the Carbon Black Feed

Configure the Carbon Black feed as follows:

  1. On Spectre's main menu, browse to Settings > Integrations > Other Solutions > Carbon Black
     
  2. Enable the threat feed by moving Active slider to the right.
    The label changes from a red No to a green Yes.
  3. Input a Polling Interval to indicate the time that should elapse between fetching the latest feed data. Input 24 to poll daily, input 12 to poll twice a day, and so on.
  4. Input your customer key.
  5. Input the IP address of your Carbon Black server.
  6. Click Submit
    Feed is configured.


  • No labels