It seems the life cycle of a technology generation is getting shorter these days. It has only been a few years since the emergence of a class of sophisticated solutions that detect and prevent advanced persistent threats (APT) in the enterprise by monitoring URLs and content and forcing them to play out in a sandbox to look for the presence of malware. Fed by the analysis of billions of transactions across the Internet, these solutions can pinpoint malicious behaviors, IP addresses and URLs and provide intelligence to firewalls, proxies and intrusion prevention systems (IPS) to make them more effective.
Now there is a vendor calling such products "first generation," saying it has an even more sophisticated solution that prioritizes which threats should be addressed first because they pose the highest risk.
Cyphort just announced an enhanced version of its Advanced Threat Defense Platform that it says adds a level of intelligence about the risk each threat poses to the specific organization and how to prioritize these threats for mitigation and remediation. Cyphort introduces the concept of a threat metric which is designed to help incident responders determine where to focus their immediate efforts.
Cyphort launched its Advanced Threat Defense Platform back in February with an architecture that allows for broader coverage at a lower price point. Most advanced threat detection platforms require customers to install a physical appliance on each network segment or route the enterprise traffic to an off-premise cloud solution that inspects emails, files, URLs and such. But that gets expensive and many companies sacrifice coverage to reduce the cost of deployment, and some organizations are hesitant or even prohibited from sending information off-premises to a cloud for inspection.
The Cyphort architecture addresses both of those issues. Cyphort's software can be installed on commodity hardware in an on-premise data center. It uses a core central platform to do the data inspection and analysis and to present prioritized threats on a console. The tool uses collectors that can be put anywhere throughout the network to collect information and feed it back to the core. With Cyphort's new release, the collector software can be installed on a commodity server or a virtual machine. The big breakthrough here is that customers pay for the bandwidth the collectors use, not for the collector software itself. This makes it more cost effective than traditional solutions to cover every aspect of the enterprise infrastructure.
The core analysis platform uses several techniques to determine the presence of malware and other potential threats. For example, it uses multi-method sandboxing, in which several types of sandboxes are used to watch for malicious behavior. One is a virtualization environment, and another parallel sandbox is an emulation environment. The reasoning is that some advanced malware developers are finding ways around virtualization. If the malware is able to detect that it is in a virtual environment, it stays dormant, so Cyphort's ability to run not just a virtual sandbox but also an emulation sandbox defeats that technique. Another sandbox uses the enterprise's own chosen image or typical desktop software environment. This brings contextual meaning to the search for malicious activity.
The vendor also delivers threat intelligence to the core analysis platform from its own threat cloud infrastructure. This provides updated machine learning information, static analysis information and threat intelligence to help drive new types of detection mechanisms.
The newest release of the software, due out in early August, will add a layer of guidance to help security experts focus their time and resources. This guidance is based on a calculated threat metric that judges the severity, progression and relevance of a threat or incident.
One element of severity is the intent of the malware or threat. Cyphort analyzes what kind of harm the code intends to do in order to assign a severity level. For example, adware can be dubbed a threat, but what is its intent? Is it merely an annoyance or are there other things occurring on the network that indicate that it is in fact a data theft Trojan? The intent helps determine how urgent it is to mitigate or remediate the threat.
In terms of progression, Cyphort determines where in the kill chain a threat is occurring. Has the malware just been downloaded, meaning it is early in the kill chain progression, or has the threat advanced to exfiltrating data, putting it deep in the kill chain? A deep progression level requires immediate attention, whereas an early stage incident might not warrant an immediate response.
Another aspect of the threat metric is how relevant the threat is to the specific enterprise. For example, a retail organization would find the presence of malware that attacks the point of sale system much more relevant to its risk posture than, say, malware that is attacking a rarely-used test or QA environment.
All of these elements and more are combined to create a score that Cyphort uses to push the most urgent threats to the top of the list for mitigation or remediation. Security experts can view the console and get alerts to guide them on where and how to focus their resources. For an enterprise that has limited resources – and what enterprise doesn't? – Cyphort gives a complete picture of how to chase after the biggest risks to that specific organization.
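As an added illustration of how severity (intent), progression (kill-chain stage) and relevance (asset criticality) can be combined into a single prioritization score, here is a constructed example that is not Cyphort's code or its actual formula; the ordinal scales, weights, stage names and sample incidents are all assumptions.

```python
# Added illustration of a severity / progression / relevance threat metric.
# The scales, weights and sample incidents are constructed assumptions,
# not Cyphort's actual metric.
from dataclasses import dataclass

# Constructed ordinal scales on 1..5; higher means more urgent.
INTENT_SEVERITY = {"adware": 1, "downloader": 3, "data_theft_trojan": 5}
KILL_CHAIN_STAGE = {"delivery": 1, "execution": 2, "lateral_movement": 4, "exfiltration": 5}
ASSET_RELEVANCE = {"qa_test": 1, "workstation": 3, "point_of_sale": 5}

# Assumed weights; they sum to 1.0 so the score lands on a 0-100 scale.
WEIGHTS = {"severity": 0.4, "progression": 0.35, "relevance": 0.25}


@dataclass(frozen=True)
class Incident:
    host: str
    intent: str   # what the code is trying to do (severity input)
    stage: str    # where in the kill chain it was observed (progression input)
    asset: str    # what kind of system it sits on (relevance input)


def threat_score(inc: Incident) -> float:
    """Weighted 0-100 score. Unknown labels fall back to the lowest value,
    so a missing or unrecognized field never inflates an incident's priority."""
    sev = INTENT_SEVERITY.get(inc.intent, 1) / 5
    prog = KILL_CHAIN_STAGE.get(inc.stage, 1) / 5
    rel = ASSET_RELEVANCE.get(inc.asset, 1) / 5
    raw = WEIGHTS["severity"] * sev + WEIGHTS["progression"] * prog + WEIGHTS["relevance"] * rel
    return round(raw * 100, 1)


def prioritize(incidents):
    """Return (score, incident) pairs, most urgent first."""
    return sorted(((threat_score(i), i) for i in incidents), key=lambda t: t[0], reverse=True)


# Constructed sample incidents mirroring the column's own examples: a data-theft
# Trojan on a QA box, a downloader already exfiltrating from a POS register,
# and adware freshly delivered to a workstation.
SAMPLE = [
    Incident("qa-build-07", "data_theft_trojan", "execution", "qa_test"),
    Incident("pos-register-12", "downloader", "exfiltration", "point_of_sale"),
    Incident("hr-laptop-03", "adware", "delivery", "workstation"),
]

if __name__ == "__main__":
    for score, inc in prioritize(SAMPLE):
        print(f"{score:5.1f}  {inc.host:16} {inc.intent:18} {inc.stage:13} {inc.asset}")
```

Note that the POS register outranks the more severe Trojan on the QA host because progression and relevance, not intent alone, drive the ordering.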
Another feature Cyphort is bringing to market is auto-mitigation. The initial implementation of auto-mitigation is an integration with Blue Coat Systems' ProxySG and Palo Alto Networks' next generation firewalls to take intelligence from Cyphort's solution and automatically push information like IP addresses and URLs into block rules that the other systems can immediately implement. Cyphort has a roadmap to integrate with more defense products as well as to provide its intelligence in the more generic Mitre STIX format for threat intelligence exchange.
It is this measurement of the risk and the guidance of resources along with faster mitigation of threats that is pushing the APT threat detection market into its next generation. Many information security experts are overwhelmed with the threats aimed at their organizations, and anything that security vendors can do to prioritize and auto-mitigate the threats adds value.
Linda Musthaler is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.