The area of behavioral analytics technology and the concept of detection versus prevention have kept me busy over the past six months, and a new name in the vendor space offered me a concept that it described as “BAD”.
BAD in this case stood for “behavioral attack detection”, which provides “accurate and efficient security visibility into attacks that have slipped through the cracks of traditional security controls”. The company offering this concept is LightCyber, which launched in January 2015 and this week expanded its offering to the European market. Its product, Magna, integrates user, network and endpoint context to provide security visibility into a range of attack activity.
Talking this week to EVP and CMO Jason Matlof, he said that with the opening of the European headquarters in Amsterdam, complementing its headquarters in California and R&D in Israel, it is offering something “critically important given the state of where we are right now”.
“That is the recognition of 20 years in security, higher and thicker walls that we cannot get to preventative security posture with conventional technology and the need to transcend to a security model that needs to contain both prevention and detection technologies,” he said. “With BAD we are introducing something that is totally novel to complement the weaknesses of the traditional systems.”
Matlof said that the basic security model focuses on the concept of intrusion and malware, what he described as “biased”, and there is a lack of mature products to find the attacker after the compromise. “So the obvious question now is with zero-day attacks targeted at an audience of one, it is effectively impossible to stop a true attacker so the question is what are we doing and what products exist to have visibility into the attack and the reality is none,” he said.
This is where LightCyber comes in. Matlof said it uses behavioral profiling techniques and behavioral attack detection to create a baseline of normal for user accounts and IP-enabled nodes, and then to find anomalous activity against that baseline. The problem, he claimed, is around false negatives and defining what is not known; false positives where there is nothing actionable; and systems that are built only to stop malware.
“Our tool learns what is good and learns by listening to the baseline, the behavioral profile, of all the users' credential use and IP-connected nodes on the network and learns how things are supposed to work on the network, and then recognizes the anomalous attack behaviors that are necessary to complete the attack technique – that is what we call the learned good model and inherently it complements the weaknesses and in every environment the baseline is different, so it is difficult for the attacker to spoof a system as every network is novel and users and patterns are different.”
The Magna platform ingests full network deep packet inspection for user and device identity, along with application data, and uses agentless endpoint technology to see suspicious network traffic. He explained that it begins with machine learning and behavioral profiling to create the baseline, and that this enables ongoing attack detection.
Matlof explained that BAD is about finding the bad guys by providing visibility into the attack, as the intrusion is just a short-lived cycle. He cited the example of the Target attack as a company being buried in a false positive problem, and this message resonates with companies who come to LightCyber. “As an attacker moves across a network, that is where Magna provides accurate visibility.”
I asked him about some of the other companies in the sector offering behavioral analytics and machine learning, and Jason pointed to some being log-only or network-only, while LightCyber covers network, endpoint and user credential use. I asked him about the user credential detection factor, and he said that there are three different forms, as opposed to looking at logs. “First is through deep packet inspection on the network so we can inspect them so we know the device identity and the identity of the user, and on the host – with the agentless endpoint capability – we can see the source process that is sourcing the traffic and credential associated to the process, and see multiple different vectors of credential use,” he said.
Back in April, the company announced Attack Detection Metrics to enable the measurement of the accuracy and efficiency of security solutions in detecting stealth attackers that have circumvented conventional threat prevention systems. The two elements of the attack detection metrics are: efficiency, measured by the number of alerts produced, and accuracy, measured by how many of those alerts are useful to a security analyst.
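To make the "learned good model" and the two metrics concrete, here is an added illustration written for this article (not LightCyber's or Magna's own code): a baseline of each user's normal hosts and source IPs is learned from a constructed authentication log, a later day is checked for credential use that fans out to never-before-seen hosts from a new source, and the resulting alerts are scored for efficiency and accuracy. The event log, the threshold and the field names are all assumptions.

```python
from collections import defaultdict

# Constructed sample of authentication events: (day, user, source_ip, destination_host).
# Days 1-3 form the learning window; day 4 is the window being analysed.
EVENTS = [
    (1, "alice", "10.0.1.10", "fileserver"),
    (1, "bob",   "10.0.1.20", "mailserver"),
    (2, "alice", "10.0.1.10", "fileserver"),
    (2, "bob",   "10.0.1.20", "mailserver"),
    (3, "alice", "10.0.1.10", "intranet"),
    (3, "bob",   "10.0.1.20", "mailserver"),
    (4, "alice", "10.0.1.10", "fileserver"),  # matches alice's baseline
    (4, "bob",   "10.0.1.20", "intranet"),    # known source, one new host
    (4, "bob",   "10.0.9.77", "fileserver"),  # new source IP and new host
    (4, "bob",   "10.0.9.77", "db01"),        # fan-out continues
    (4, "bob",   "10.0.9.77", "db02"),
]

def learn_baseline(events, learn_days):
    """Learned-good model: per user, the hosts and source IPs seen during learning."""
    hosts, sources = defaultdict(set), defaultdict(set)
    for day, user, src, dst in events:
        if day in learn_days:
            hosts[user].add(dst)
            sources[user].add(src)
    return hosts, sources

def detect(events, baseline, day, min_new_hosts=2):
    """One alert per user whose credential use on `day` departs from the baseline:
    a new source IP combined with fan-out to several never-before-seen hosts.
    Aggregating per user keeps the alert count (efficiency) low."""
    hosts, sources = baseline
    new_hosts, new_sources = defaultdict(set), defaultdict(set)
    for d, user, src, dst in events:
        if d != day:
            continue
        if dst not in hosts[user]:
            new_hosts[user].add(dst)
        if src not in sources[user]:
            new_sources[user].add(src)
    alerts = []
    for user in sorted(set(new_hosts) | set(new_sources)):
        if len(new_hosts[user]) >= min_new_hosts and new_sources[user]:
            alerts.append({"user": user, "new_hosts": sorted(new_hosts[user]),
                           "new_sources": sorted(new_sources[user])})
    return alerts

def detection_metrics(alerts, confirmed_users):
    """Efficiency = number of alerts raised; accuracy = share an analyst could act on."""
    useful = sum(1 for a in alerts if a["user"] in confirmed_users)
    return {"efficiency": len(alerts), "accuracy": useful / len(alerts) if alerts else 0.0}
```

Alice's single in-baseline event and Bob's lone new host from a known source produce no alert; only Bob's fan-out from the unknown source does, so one alert is raised and it is actionable.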
The company is now in Europe and has launched a Technology Alliance Program (LTAP), with Hewlett Packard Enterprise and Gigamon announced as initial integration partners. I expect we’ll hear more about this company and this space.