Plan Your Development—Cb Protection


Development Path

Course Description

Cb Protection Introductory Analyst is an entry-level course recommended for those who will use Cb Protection on a daily basis and who will be responsible for monitoring and enforcement of corporate security policy. A Cb Protection Analyst will use the Cb Protection Console for monitoring, reporting, analysis, and approval of specific software, and may also configure approval mechanisms per corporate security policy. This course is appropriate for users who serve as auxiliary administrators, or for new administrators charged with using the Cb Protection Console. Job titles may include Information Security Analyst, Cyber Security Analyst, Security Operations Center Analyst, and IT Security Specialist.

Cb Protection Introductory Analyst is a one-day course that provides a high-level understanding of Cb Protection through lecture and hands-on exercises using a consistent scenario. This course does not fulfill the training requirement for implementations or for Partners. Learners who have taken Cb Protection Administrator should not take this course.

Prerequisites: None

Recommended Follow-Up Courses: Cb Protection Rules and Cb Protection Diagnostics and Troubleshooting


Syllabus

Morning
Welcome/Course Overview
Application Benefits
Architecture and Workflow
Key Concept: File Hashing
Console Overview
Login Accounts and Groups
Policies
Modes and Enforcement Levels
Intro to Removable Device Control
Notifiers
Installing Agents
Computer Details
Local Approval and Timed Policy Override
File Visibility and Control

Afternoon
Intro to Software Approvals/Custom Rules
Approval Requests and Justification
Dashboards/System Health
Events
Meters and Alerts
Top Events that Warrant Investigation
Detection/Indicator Sets/Views
Baseline Drift
The Riskiest Files
The Riskiest Endpoints
Debugging Tips
Customer Support/User eXchange

Course Description

Cb Protection Administrator is an entry-level course recommended for those who need an in-depth, technical understanding of the Cb Protection system and who will be responsible for the configuration and maintenance of the system according to their organization’s security posture and operational policies. This is someone who may lead, or be a member of, the installation and configuration team. Every implementation typically has one Cb Protection Administrator, though many organizations may have multiple administrators. Job titles may include Information Security Administrator, IT System Administrator, Information Security Engineer, and Security Architect.

Cb Protection Administrator is a two-day course that provides an in-depth, technical understanding of Cb Protection through comprehensive coursework and hands-on exercises using a consistent scenario. This course is required for every Cb Protection implementation and for Carbon Black Partners.

Prerequisites: None

Recommended Follow-Up Courses: Cb Protection Rules and Cb Protection Diagnostics and Troubleshooting


Syllabus

Day One Morning
Welcome/Course Overview
Operating Environment Requirements
System Benefits
Architecture and Workflow
Key Concept: File Hashing
Server Installation
Console Overview
Policies
Modes and Enforcement Levels
Intro to Removable Device Control
Automatic Local Approval
Notifiers
Installing Agents/Initialization

Day One Afternoon
Login Accounts and Groups
Computer Details
Local Approval and Timed Policy Override
File Visibility and Control
Intro to Software Approvals/Custom Rules
Reputation Approvals
Trusted Updaters
Trusted Publishers
Trusted User
Trusted Directories
Approval Requests and Justification
Comprehensive Medium Enforcement Example

Day Two Morning
Custom Rules
Trusted Path/About Installers
Execution Control
File Integrity Control
File Creation Control
Performance Optimization
How Rules Multiply
Event Rules
Script Rules
Registry Rules
Memory Rules
Dashboards/System Health

Day Two Afternoon
Integrations
Cb Response
External Analytics
Network Security Devices
Events
Meters and Alerts
External Event Logging
Top Events that Warrant Investigation
Detection/Indicator Sets/Views
Baseline Drift
The Riskiest Files
The Riskiest Endpoints
Documents for Installation
Interoperability with Anti-Virus
Debugging Tips
Customer Support/User eXchange

Course Description

Cb Protection Rules, when properly used, lighten the workload of a Carbon Black Protection Administrator by having the system take action when specific conditions are met. However, if rules are too broad or too specific, too complex or not complex enough, they may not do exactly what you intended and may allow or prohibit things you did not want to be impacted. In addition, excessive rules or excessively complex rules can impact your system performance.

Cb Protection Rules is an advanced, half-day course during which we review the parameters that drive rules in Carbon Black Protection and showcase best practices and lessons learned to optimize your own use of rules.

Prerequisites: Cb Protection Administrator or Cb Protection Introductory Analyst

Recommended Follow-Up Courses: Cb Protection Diagnostics and Troubleshooting


Syllabus

Overview
Why custom rules are used

Custom Rules Basics
Default Custom Rules View
Execute Action Options
Write Action Options
Precedence
Specifying Paths
Specify Multiple Paths or Processes
Specify a Directory, with Sub-Directories
Specify a File or Process
Specify a Local Drive
Specify a UNC Path
Use Macros
Exporting and Importing Rules

Custom Rules Best Practices
The Custom Rule Triad
How Rules Multiply
Installers

Rule Types
File Creation Control
Execution Control
Trusted Path
File Integrity Control
Performance Optimization

Optimizing Custom Rules
Using Events to Drive Custom Rules
Tips for Exporting and Analyzing Events
Expert Advice on Custom Rules

Event Rules
Overview
Creating and Editing Event Rules
Applying Event Rules
Testing a Rule Before Enabling
Re-Applying a New Event Rule to Past Events
Enabling, Disabling, and Deleting Event Rules
Disabling Processing of All Event Rules
Pending Events
File and Process Properties in Event Rule Definitions
Banning Files Not Yet in Your Environment
How Event Rule Approvals Affect Endpoints

Customer Support
Contact Information
User eXchange

Course Description

Cb Protection Diagnostics and Troubleshooting is an advanced, half-day course for experienced users to explore diagnostic components, tools, and common issues for both the Cb Protection Server and the Cb Protection Agent. The Cb Protection Agent troubleshooting section will focus on the Windows Agent. The course presents real-life troubleshooting scenarios, drawn from the experience of top Carbon Black field consultants. Attendees of this advanced course will discover what tools are recommended for uncovering issues, identifying flaws in other software, or tackling unexpected behavior.

Prerequisites: Cb Protection Administrator or Cb Protection Introductory Analyst

Recommended Follow-Up Courses: Cb Protection Rules


Syllabus

Overview
Architecture and Workflow

General System Consideration
Platform Issues
Agent Issues
Uncovering Unexpected Root Causes
Bisecting the System

Server Capabilities
Major Components
Application Server
Parityserver.exe
Parityreporter.exe
Web Console
Single Database
Tools
Events
System Health Dashboard
Logs
MS SQL Management Studio
Scripts
Tools for Specific Tasks
Common Issues
Scenarios and Solutions

Agent Capabilities
Major Components
Kernel Filter Driver (parity.sys)
User-Space Agent Program (parity.exe)
Agent Cache (cache.db)
Tools
Computer Details
DASCLI
Common Issues
Scenarios and Solutions

Customer Support
Contact Information
User eXchange

Last modified: Thursday, April 19, 2018, 9:33 AM