Cybereason up-ends cybersecurity by hunting for suspicious activity in real-time  

Instead of reacting after the fact, the tool actively looks for suspicious activity

This column is available in a weekly newsletter called IT Best Practices.  Click here to subscribe.  

After following the cybersecurity market for several years now, I've come to realize that some of the most innovative commercial solutions have their roots in the Israeli military. As one IT security company founder explained to me, "When your country's very existence depends on the military being able to provide strong defensive measures, you take your job quite seriously."

Many young people in the Israeli military have a role in cyber defense. They learn to excel at their craft, and after discharge from the military, they start commercial ventures that build on the knowledge and expertise they acquired during their years of service.

One such company is Cybereason, headed by Lior Div. (Follow Div as a contributor to Network World.) Div and his colleagues at Cybereason come from military and government backgrounds, and they have a unique perspective on finding and stopping cyber attacks.

"The most important thing is that we view the problem not as an IT problem but as an offensive problem," says Div. "We view the enterprise from an attacker's point of view, which is that everything that has processing power can be an attack surface." That means laptops, servers, the TV that has intelligence, the thermostats and HVAC systems, automobiles, and so on. If they can run code and communicate, an offensive attacker can use them as an attack surface.

What's more, the attack surface changes over time. Ten years ago, cars were not Internet-enabled, but today this is common. Defenders need to take this into account.

With this perspective, Cybereason is up-ending the way to think about cybersecurity. Rather trying to protect endpoints, or servers or the network and waiting to detect malicious behavior after the fact, Cybereason goes hunting for it in real-time.

The solution starts by collecting information from everything—endpoints, servers, cars, TVs, whatever is in the environment. This collection is done with a silent sensor, a small piece of code that is pushed to the devices via standard IT tools. The code is tuned to various device operating systems so that it can collect meta data and send it to a proprietary big data database. Div says the company tried using standard big data tools like Hadoop and Cassandra but they didn't scale enough, so Cybereason created its own "humongous data" database.

Collecting this massive amount of data allows Cybereason to represent all the relationships among everything—every process that is running, every user connecting to a machine, every computer that exists on the network, all of the connections between everything to everything. You can see where this would be a massive amount of data, which is why the company had to bypass Hadoop in favor of its own technology, what it calls "reactive graph." Then Cybereason processes this information in real-time, which is key to the solution.

Compare this to a human walking into a room and using his senses to collect information about everything in that room. His brain makes immediate associations between what he sees, what he hears, what he smells, and what he feels or tastes. Then his brain starts processing everything to determine if something doesn't seem right, including comparing this current information to what he observed when he walked into the same room an hour ago, or a day ago.

Div even refers to the Cybereason processing engine as a brain. "In a sense when you think about the brain we developed, you can go back in time and see everything that has happened in a specific time frame, and you can process it and understand all the relationships you have," says Div.

The next step is to dig into this data to look for suspicious activity. A human analyst would approach this by asking specific questions, and he'd be limited to the number of questions he can ask at once and the time it takes to interpret the answers. Cybereason has developed powerful rules that allow its solution to do something that a human analyst can't do: ask eight million questions per second about all of the cross-correlated information. In effect, the solution can ask all the questions about everything, in real-time, constantly and continuously.

What gets presented to the human analyst is the conclusions to all the questions that were automatically asked. Div calls it a story. "When an analyst looks at our console, they want to know what is going on in their environment," he explains. "They don't want another alert; they want a full story."

That story includes all the information that might normally take a group of human analysts a month or more to determine, and it's all presented in a concise format.

"First we have to tell the customer what the root cause of the problem is," says Div. "Second, we tell how many users and machines are affected in the environment, and what the magnitude of this event is. For example, is it just local or do the hackers have control of the whole environment? Third, we give the timeline, because every story needs to have a timeline. It needs to start, it needs to progress, it needs to continue. So we show our customer the timeline of the event that is going on right now. Fourth, we describe what tools the hackers are using right now. Sometimes it’s malware and most of the time what we see is that it’s a known malware attack. And the fifth part of the story is what types of communications the hackers are conducting internally inside the organization as well as external to the environment."

According to Div, Cybereason assembles and presents all of this information without interaction from the IT team. "We see this as the future of this type of security tool," says Div. "It's simple to deploy, easy to use, and highly accurate because we take in information from the entire environment."

Deployment is another unique aspect of this solution. " When it comes to deployment, we believe that everything needs to be instant and zero configuration," says Div. "By this I mean that when somebody thinks that they are under attack, they do not want to start by dealing with installation and configuration in a very complex situation." Div compares the Cybereason installation to signing up for hosted email: you simply register for service and everything is configured for you and ready to go.

When a customer wants service from Cybereason, they can get the silent sensor via email and push it out using standard IT management tools. The sensor is self-configuring on devices and it immediately starts to collect the meta data and send it to a server that is hosted in the cloud or on premise. Div says that 90% of their customers utilize the cloud deployment. Once information starts coming in to the server, the processing described above takes place and the results – the story – are presented via a dashboard.

Lockheed Martin tested this solution and quickly became a customer, an investor, a reseller and a managed security service provider using this tool for its own customers. This alone is a testament to the unique approach Cybereason takes toward cybersecurity.

Div strongly believes his company is at the forefront of changes in the cybersecurity arena. "We're not just dealing with IT problems anymore," he says. "The companies that adopt a proactive hunting approach are the ones that understand it's a complex problem, but with the right platforms and tools, you can win."

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2016 IDG Communications, Inc.

Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.