Breaches are inevitable: Cybereason brings Israeli defense expertise to the cyber-security fight

By Michael Carney , written on February 11, 2014

From The News Desk

The internet is a dangerous place for anyone holding sensitive information. I know it, you know it, and corporations know it. Historically, however, knowing this has meant little in terms of preventing cyber attacks. Cyber-crime still costs the global economy north of $300 billion per year, and the US economy north of $100 billion, according to a July 2013 study by The Center for Strategic and International Studies.

The problem, according to most experts, is that there are too many attack vectors to protect against and cyber-criminals are evolving faster and playing by a looser set of rules than those people trying to keep them at bay.

Today, Cybereason, a new cyber-security company founded by ex-Israeli Intelligence Services experts and with operations in Cambridge, Mass. and Tel Aviv, Israel, is launching out of stealth to offer what it claims is an altogether different solution from anything currently on the market. The product is available under an early-access program and will be generally available in a matter of months.

While most existing solutions focus either on preventing unauthorized access in the first place (blocking exploits, including zero-days, at the perimeter) or on incident response after an attack has occurred, Cybereason aims instead to identify and neutralize malicious operations, or, as it has coined the phrase, “Malops”, conducted by hackers once they have already penetrated a network.

“It’s not enough to just guard the doors,” says Cybereason co-founder and CEO Lior Div. “Breaches will occur. You can’t stop them all, so you need to know what happens after. Once inside, attackers need to gain access to more machines and find critical data. This is Malops and it’s where the majority of damage happens.”

Palo Alto Networks CMO René Bonvanie echoes this assessment in a statement on Cybereason’s launch, saying:

As the frequency and sophistication of attacks facing organizations increases, relying on incident response teams to understand and prevent them from spreading in early phases can be futile; an automated technology approach like Cybereason’s is better suited to help in the early detection of the most insidious attacks, especially as they are first spreading across endpoints and the network.

This strategy was also advocated by Gartner fellow emeritus and security analyst Neil MacDonald, who wrote in his Prevention is Futile in 2020 report, “If you assume systems will be compromised with advanced targeted threats, then information security efforts need to shift to detailed, pervasive and context-aware monitoring to detect these threats.”

Cybereason uses big data analytics and machine learning, combined with the forensic expertise of its founding team to first answer the question, “Is there a hacking operation currently going on inside my organization?” As an aside, you could imagine the look on executives’ faces and the impact on sales when product demos turn up live attacks, something Div notes happens from time to time.

Second, the company aims to identify the specific attack vectors and deliver easy to follow remediation instructions, including visualizations, to IT personnel.

For example, at the most basic level, Cybereason may look for user accounts that are suddenly active at abnormal hours, or that are using different tools and accessing different systems from usual. Taken together, these are a strong sign of a user-impersonation attack, where an account is being driven by someone other than its owner. The system is also capable of detecting abnormal patterns of camera or microphone activity, which can signal an espionage-type attack. Abnormal CPU usage, on the other hand, can indicate botnet activity.
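The account-behaviour check described above can be sketched as a baseline-and-deviation detector. The following is an added illustration, not Cybereason's code: it learns each account's usual hours, hosts and tools from a training window of constructed logon/process events (the log format, field names and thresholds are assumptions for the example), then flags new events that depart from that baseline on several axes at once. A single odd hour or a single new host is recorded but does not alert on its own, which is one simple way to keep false positives down.

```python
"""Baseline-and-deviation scoring for user accounts (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry). Assumed line format:
# <ISO timestamp> user=<account> host=<machine> proc=<program launched>
BASELINE_LOG = """\
2014-02-03T08:55:10 user=alice host=ws-alice proc=outlook.exe
2014-02-03T09:30:02 user=alice host=ws-alice proc=excel.exe
2014-02-03T14:12:44 user=alice host=fileserv1 proc=explorer.exe
2014-02-04T08:58:31 user=alice host=ws-alice proc=outlook.exe
2014-02-04T17:40:05 user=alice host=ws-alice proc=excel.exe
2014-02-03T07:45:12 user=bob host=ws-bob proc=putty.exe
2014-02-03T22:10:45 user=bob host=db-prod01 proc=sqlcmd.exe
2014-02-04T23:05:00 user=bob host=db-prod01 proc=sqlcmd.exe
"""

# Constructed "new" events to score against the learned baseline.
NEW_LOG = """\
2014-02-10T09:02:11 user=alice host=ws-alice proc=outlook.exe
2014-02-11T03:14:07 user=alice host=dc01 proc=psexec.exe
2014-02-11T03:16:40 user=alice host=db-prod01 proc=cmd.exe
2014-02-11T22:30:00 user=bob host=db-prod01 proc=sqlcmd.exe
"""


def parse(log):
    """Turn log lines into dicts; 'hour' is derived from the timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = ts
        ev["hour"] = datetime.fromisoformat(ts).hour
        events.append(ev)
    return events


def build_baseline(events):
    """Per-user sets of hours, hosts and processes seen in the training window."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "procs": set()})
    for ev in events:
        b = base[ev["user"]]
        b["hours"].add(ev["hour"])
        b["hosts"].add(ev["host"])
        b["procs"].add(ev["proc"])
    return dict(base)


def deviations(ev, baseline, hour_slack=1):
    """List the axes on which one event departs from its user's baseline."""
    b = baseline.get(ev["user"])
    if b is None:
        return ["unknown-user"]
    devs = []
    # Hours are compared on a 24-hour circle so 23:00 counts as near 00:00.
    near = lambda h: min(abs(ev["hour"] - h), 24 - abs(ev["hour"] - h)) <= hour_slack
    if not any(near(h) for h in b["hours"]):
        devs.append("hour")
    if ev["host"] not in b["hosts"]:
        devs.append("host")
    if ev["proc"] not in b["procs"]:
        devs.append("proc")
    return devs


def score(events, baseline, min_axes=2):
    """Return findings for events that deviate on at least min_axes axes.

    min_axes is an assumed tuning knob: raising it trades recall for fewer
    false positives, which is the point of requiring several odd signals.
    """
    findings = []
    for ev in events:
        devs = deviations(ev, baseline)
        if len(devs) >= min_axes:
            findings.append({"ts": ev["ts"], "user": ev["user"], "host": ev["host"],
                             "proc": ev["proc"], "deviations": devs})
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in score(parse(NEW_LOG), base):
        print(finding)
```

On the constructed data, bob's late-night database work is normal for him and is not flagged, while alice's 3 a.m. sessions on a domain controller and a database server with tools she never uses trip all three axes and surface as findings; a real deployment would learn the baseline over a much longer window and add more axes (source address, logon type, data volume).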

“We regularly detect attacks that others cannot,” Div says. “For example, we may detect a rare file on your system and flag it as unusual. But we don’t do anything with it until it starts to propagate to other systems or communicate outside the network.”

The goal of this wait-and-see approach is to reduce false positives while providing near-real-time responsiveness to malicious activity. It can also help corporations better understand what attackers are after and, in some instances, who they are. In its early-access deployments, Cybereason claims to have successfully identified and remediated advanced and targeted attacks like Flame, Duqu, and Stuxnet.
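The "flag it as rare, but only act once it spreads or talks outside" logic Div describes is a prevalence-gated alert. The block below is an added example, not Cybereason's code, and uses constructed data: an initial file inventory across a fleet of hosts and a short stream of file-sighting and network-connection events. The address ranges treated as internal (RFC 1918), the rarity and spread thresholds, and the event shapes are assumptions for the example.

```python
"""Prevalence-gated alerting on rare executables (added example)."""
import ipaddress

# Assumed internal address space; anything else counts as "outside the network".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed initial inventory from an endpoint sweep: file hash -> hosts where seen.
INVENTORY = {
    "c0ffee": {f"ws-{i:02d}" for i in range(1, 21)},  # common tool on 20 hosts
    "d34d": {"ws-07"},                                  # rare: one host
    "b33f": {"ws-03"},                                  # rare: one host
    "f00d": {"ws-15"},                                  # rare: one host, stays quiet
}

# Constructed event stream, in time order:
#   ("file", host, sha256)          file observed on host
#   ("net",  host, sha256, dst_ip)  process with that hash opened a connection
EVENTS = [
    ("file", "ws-12", "d34d"),
    ("net", "ws-03", "b33f", "10.0.5.5"),
    ("file", "ws-19", "d34d"),
    ("file", "ws-02", "c0ffee"),
    ("net", "ws-03", "b33f", "203.0.113.9"),
    ("file", "ws-04", "d34d"),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class RareFileTracker:
    """Watch rare files; escalate only on propagation or external traffic."""

    def __init__(self, inventory, rare_max_hosts=2, spread_min_new_hosts=2):
        self.hosts = {h: set(s) for h, s in inventory.items()}
        self.rare_max_hosts = rare_max_hosts      # assumed rarity cut-off
        self.spread_min = spread_min_new_hosts    # assumed propagation trigger
        # watchlist: hash -> host count when it was first flagged as rare
        self.watch = {h: len(s) for h, s in self.hosts.items()
                      if len(s) <= rare_max_hosts}
        self.escalated = set()   # hashes already raised as a Malop
        self.alerts = []

    def observe(self, event):
        kind, host, sha = event[0], event[1], event[2]
        seen = self.hosts.setdefault(sha, set())
        seen.add(host)
        if sha in self.escalated:
            return None              # already under investigation
        if sha not in self.watch:
            if len(seen) <= self.rare_max_hosts:
                self.watch[sha] = len(seen)   # new rare file: watch, do not alert
            return None
        if kind == "file":
            new_hosts = len(seen) - self.watch[sha]
            if new_hosts >= self.spread_min:
                return self._escalate(sha, f"propagated to {new_hosts} new hosts: {sorted(seen)}")
        elif kind == "net":
            dst = event[3]
            if not is_internal(dst):
                return self._escalate(sha, f"external connection from {host} to {dst}")
        return None

    def _escalate(self, sha, reason):
        alert = {"sha256": sha, "reason": reason}
        self.alerts.append(alert)
        self.escalated.add(sha)
        self.watch.pop(sha, None)
        return alert

    def run(self, events):
        return [a for a in (self.observe(e) for e in events) if a]


if __name__ == "__main__":
    tracker = RareFileTracker(INVENTORY)
    for alert in tracker.run(EVENTS):
        print(alert)
    print("still watching:", sorted(tracker.watch))
```

Run against the constructed stream, the hash that lands on two further hosts and the hash that phones out to a non-private address each produce one alert; the common tool never enters the watchlist, and the quiet one-off file stays on it without generating noise. Real deployments would key prevalence on signed-binary reputation and a much larger fleet, but the gating idea is the same.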

Cybereason believes it solves a critical problem facing most enterprises today: a lack of trained cyber-security personnel. Even large organizations like those in financial services, energy, and medicine are struggling to find and hire enough talent to defend against cyber attacks. Cybereason offers a continuous monitoring and intelligent analytics solution that supports CISOs and IT departments in identifying and eliminating Malops in real time.

“There isn’t a CEO anywhere that isn’t aware that they are going to get breached,” says Cybereason VP Sales and Marketing Mark Taber. “That’s a huge change from a few years ago. The security teams are trying to grapple with this, but they know that their skills and resources are allocated in the wrong places. You can’t hire the people you need. There are no schools. The schools are the NSA and Israeli.”

As Taber alludes, an Israeli intelligence services background is becoming the new resume item du jour in Silicon Valley, along the lines of time spent at Stanford, MIT, or Google. Cybereason currently has an 18-person team, 12 of whom are military and private-sector defense cyber-security experts.

“We know the threats and know what to do with them,” Div says. “Now we’ve translated that knowledge into a solution.”

Cybereason will be a SaaS-based product, although the company continues to evaluate a number of different pricing and access structures. Customers will have the option of cloud-based or on-premise deployments. Cybereason claims to be able to deploy its virtual server and have its cyber-security system fully operational in less than one day. That said, Cybereason grows more effective over time as it learns user and system behavior.

Cybereason raised $4.6 million in Series A funding from Charles River Ventures (CRV) in May 2013. The company will no doubt need far more capital than this to attack the large and highly competitive enterprise cyber-security market, but should be able to execute its initial go-to-market strategy on this sum.

The company has made some lofty claims, but has yet to prove that it can deliver in a commercial environment. The next step will be for Div and his team to conduct more public trials and share additional case studies and customer testimonials around its product operating in the wild. Following this, the company will need to build out a sizeable sales and marketing team to compete with incumbent giants like FireEye, Barracuda Networks, WildFire (Palo Alto Networks), and Failsafe (Damballa). As with any instance where a company is attempting to introduce a new kind of solution, Cybereason will also have to overcome a market-education challenge.

Security is one of those things that’s difficult to value and even more difficult to quantify. Existing cyber-security solutions are extremely expensive and only marginally effective. If Cybereason is able to offer a significantly more effective mousetrap, then it’s looking at an enormous market opportunity.

“The industry is out there looking to hire people, because they’re not aware that there’s an automated system out there,” Div says. “Installing Cybereason in an environment is equivalent to hiring 100 people working around the clock looking for malicious operations within your system. Once people know what we do, we don’t have to do much to convince them.”
