Cyphort provides guidance on prioritizing APTs for mitigation

Cyphort has announced a next generation threat defense system said to prevent and detect threats.


It seems the life cycle of a technology generation is getting shorter these days. It has only been a few years since the emergence of a class of sophisticated solutions that detect and prevent advanced persistent threats (APT) in the enterprise by monitoring URLs and content and forcing them to play out in a sandbox to look for the presence of malware. Fed by the analysis of billions of transactions across the Internet, these solutions can pinpoint malicious behaviors, IP addresses and URLs and provide intelligence to firewalls, proxies and intrusion prevention systems (IPS) to make them more effective.

Now there is a vendor calling such products "first generation," saying it has an even more sophisticated solution that prioritizes which threats should be addressed first because they pose the highest risk.

Cyphort just announced an enhanced version of its Advanced Threat Defense Platform that it says adds a level of intelligence about the risk each threat poses to the specific organization and how to prioritize these threats for mitigation and remediation. Cyphort introduces the concept of a threat metric which is designed to help incident responders determine where to focus their immediate efforts.

Cyphort launched its Advanced Threat Defense Platform back in February with an architecture that allows for broader coverage at a lower price point. Most advanced threat detection platforms require customers to install a physical appliance on each network segment or route the enterprise traffic to an off-premise cloud solution that inspects emails, files, URLs and such. But that gets expensive and many companies sacrifice coverage to reduce the cost of deployment, and some organizations are hesitant or even prohibited from sending information off-premises to a cloud for inspection.

The Cyphort architecture addresses both of those issues. Cyphort's software can be installed on commodity hardware in an on-premise data center. It uses a core central platform to do the data inspection and analysis and to present prioritized threats on a console. The tool uses collectors that can be put anywhere throughout the network to collect information and feed it back to the core. With Cyphort's new release, the collector software can be installed on a commodity server or a virtual machine. The big breakthrough here is that customers pay for the bandwidth the collectors use, not for the collector software itself. This makes it more cost-effective than traditional solutions to cover every aspect of the enterprise infrastructure.

The core analysis platform uses several techniques to determine the presence of malware and other potential threats. For example, it uses multi-method sandboxing in which several types of sandboxes are used to watch for malicious behavior. One is a virtualization environment and another parallel sandbox is an emulation environment. The reasoning is that some of these advanced malware developers are finding ways around virtualization. If the malware is able to detect that it is in a virtual environment, it stays dormant, so Cyphort's ability to run not just a virtual sandbox but also an emulation sandbox defeats that technique. Another sandbox uses the enterprise's own chosen image or typical desktop software environment. This brings contextual meaning to the search for malicious activity.

The vendor also delivers threat intelligence to the core analysis platform from its own threat cloud infrastructure. This provides updated machine learning information, static analysis information and threat intelligence to help drive new types of detection mechanisms.

The newest release of the software, due out in early August, will add a layer of guidance to help security experts focus their time and resources. This guidance is based on a calculated threat metric that judges the severity, progression and relevance of a threat or incident.

One element of severity is the intent of the malware or threat. Cyphort analyzes what kind of harm the code intends to do in order to assign a severity level. For example, adware can be dubbed a threat, but what is its intent? Is it merely an annoyance or are there other things occurring on the network that indicate that it is in fact a data theft Trojan? The intent helps determine how urgent it is to mitigate or remediate the threat.

In terms of progression, Cyphort determines where in the kill chain a threat is occurring. Has the malware just been downloaded, meaning it is early in the kill chain progression, or has the threat advanced to exfiltrating data, putting it deep in the kill chain? A deep progression level requires immediate attention, whereas an early stage incident might not warrant an immediate response.

Another aspect of the threat metric is how relevant the threat is to the specific enterprise. For example, a retail organization would find the presence of malware that attacks the point of sale system much more relevant to its risk posture than, say, malware that is attacking a rarely-used test or QA environment.

All of these elements and more are combined to create a score that Cyphort uses to push the most urgent threats to the top of the list for mitigation or remediation. Security experts can view the console and get alerts to guide them on where and how to focus their resources. For an enterprise that has limited resources -- and what enterprise doesn't? -- Cyphort gives a complete picture of how to chase after the biggest risks to that specific organization.
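As an added illustration (not Cyphort's own code or scoring formula), here is one way a responder could model a composite threat metric from the three dimensions the article describes: intent-based severity, kill-chain progression and asset relevance. The weights, stage names, asset classes and sample alerts are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical scales (assumed for this example; the vendor's real weights are not published here).
INTENT_SEVERITY = {"adware": 1, "downloader": 3, "banking_trojan": 4, "data_theft": 5}
# Ordered kill-chain stages: index 0 is the earliest, the last index is the deepest.
KILL_CHAIN = ["delivery", "exploitation", "installation", "command_and_control", "exfiltration"]
# Business relevance of each asset class to this (constructed) retail enterprise.
ASSET_RELEVANCE = {"qa_lab": 1, "workstation": 2, "pos_terminal": 5, "db_server": 5}

@dataclass(frozen=True)
class Incident:
    host: str
    intent: str   # what the malware is trying to do
    stage: str    # where in the kill chain it was observed
    asset: str    # class of the affected system

def threat_metric(inc: Incident) -> int:
    """Combine severity, progression and relevance into one score (1..125)."""
    if inc.stage not in KILL_CHAIN:
        raise ValueError(f"unknown kill-chain stage: {inc.stage}")
    severity = INTENT_SEVERITY.get(inc.intent, 2)      # unknown intent scores mid-range
    progression = KILL_CHAIN.index(inc.stage) + 1      # 1 (just downloaded) .. 5 (exfiltrating)
    relevance = ASSET_RELEVANCE.get(inc.asset, 2)      # unknown asset class scores mid-range
    # Multiplicative: a low value on any one axis keeps the incident off the top of the queue.
    return severity * progression * relevance

def urgency(score: int) -> str:
    """Map a score to an action bucket for the responder's console."""
    if score >= 60:
        return "immediate"
    if score >= 15:
        return "today"
    return "backlog"

def prioritize(incidents: Iterable[Incident]) -> List[Incident]:
    """Order incidents so the highest-risk ones reach the top of the list."""
    return sorted(incidents, key=threat_metric, reverse=True)

# Constructed sample alerts, mirroring the article's adware-vs-POS-malware contrast.
SAMPLE = [
    Incident("qa-vm-07", "adware", "delivery", "qa_lab"),
    Incident("pos-0123", "data_theft", "exfiltration", "pos_terminal"),
    Incident("wks-445", "downloader", "installation", "workstation"),
    Incident("db-02", "banking_trojan", "command_and_control", "db_server"),
]

if __name__ == "__main__":
    for inc in prioritize(SAMPLE):
        score = threat_metric(inc)
        print(f"{urgency(score):9s} {score:4d} {inc.host:10s} {inc.intent} @ {inc.stage}")
```

Adware sitting in a QA lab scores 1 and lands in the backlog, while the same scoring sends data-theft malware already exfiltrating from a point-of-sale terminal straight to the top at 125.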

Another feature Cyphort is bringing to market is auto-mitigation. The initial implementation of auto-mitigation is an integration with Blue Coat Systems' ProxySG and Palo Alto Networks' next generation firewalls to take intelligence from Cyphort's solution and automatically push information like IP addresses and URLs into block rules that the other systems can immediately implement. Cyphort has a roadmap to integrate with more defense products as well as to provide its intelligence in the more generic MITRE STIX format for threat intelligence exchange.

It is this measurement of the risk and the guidance of resources along with faster mitigation of threats that is pushing the APT threat detection market into its next generation. Many information security experts are overwhelmed with the threats aimed at their organizations, and anything that security vendors can do to prioritize and auto-mitigate the threats adds value.

Linda Musthaler is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive.  Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
