Preventing cyber attackers from getting into your network is certainly a strategy that can't be ignored: every organisation should have some prevention infrastructure in place so that the network isn't wide open to attack. The problem remains that such preventive measures can always be breached, and no matter how much money you spend on attack prevention, something will eventually get through.
LightCyber's Magna platform takes a different approach and assumes a breach has already happened. It provides a dashboard showing the health of the network and mapping confirmed, suspicious and unverified activities; network managers can drill into these to investigate further and take remedial action using other tools with which Magna integrates.
According to Jason, the platform recognises suspicious behaviours using machine learning to understand what good behaviour looks like and so establish a baseline. It is against this baseline that Magna looks for evidence of attacks. The baseline is built from temporal and peer profiling, so that each system's usage is seen relative to its peers as well as to its own history. This prevents it from learning anomalous behaviour that could otherwise be baselined as normal if the profiling were purely temporal.
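The difference between a purely temporal baseline and one that also profiles peers can be shown with a small model. This is an added illustration, not LightCyber's algorithm; the host names, traffic figures, the single peer group and the median/MAD scoring are all assumptions:

```python
from statistics import median

# Constructed sample data (not from LightCyber): daily outbound volume in MB
# per workstation over ten days. All hosts sit in one peer group ("finance").
HISTORY = {
    "ws-fin-01": [40, 42, 38, 45, 41, 39, 43, 40, 44, 42],
    "ws-fin-02": [35, 37, 36, 40, 38, 34, 39, 37, 36, 38],
    "ws-fin-03": [50, 48, 52, 49, 51, 47, 53, 50, 49, 52],
    "ws-fin-04": [44, 46, 43, 45, 47, 42, 46, 44, 45, 43],
    # Compromised from day one: steadily pushing ~50x what its peers send.
    "ws-fin-07": [2100, 2050, 2200, 2150, 2080, 2120, 2170, 2090, 2140, 2110],
}
TODAY = {"ws-fin-01": 43, "ws-fin-02": 37, "ws-fin-03": 50,
         "ws-fin-04": 45, "ws-fin-07": 2130}


def robust_z(value, samples):
    """Distance of value from the samples' median, in scaled-MAD units.
    Median/MAD rather than mean/stdev so that one outlying peer cannot
    drag the whole baseline towards itself."""
    m = median(samples)
    mad = median(abs(x - m) for x in samples) * 1.4826 or 1e-9
    return abs(value - m) / mad


def temporal_alerts(history, today, k=3.0):
    """Each host is judged only against its own past: a host that has
    misbehaved since day one looks normal to itself."""
    return sorted(h for h, v in today.items() if robust_z(v, history[h]) > k)


def peer_alerts(history, today, k=3.0):
    """Each host is judged against what its peers (not itself) have done."""
    flagged = []
    for host, value in today.items():
        peer_values = [x for h, hist in history.items() if h != host for x in hist]
        if robust_z(value, peer_values) > k:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    print("temporal only:", temporal_alerts(HISTORY, TODAY))  # []
    print("peer profiling:", peer_alerts(HISTORY, TODAY))     # ['ws-fin-07']
```

The temporal check stays silent on ws-fin-07 because its own history already contains the bad behaviour, while the peer check flags it immediately.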
I asked Jason how the machine learning process starts its journey towards understanding baseline behaviour and he explained that the ability of LightCyber to do this comes from the company's knowledge base of cyber warfare.
"There are lots of activity patterns associated with attacks that can't be deduced just by mathematically doing statistical analysis. This would throw up too many false positives. We use multi-context analysis that looks at users, endpoints and networks," he told me.
Keeping security professionals focused
One of the big advantages of behavioural attack detection is the categorisation of detected anomalies and the quality of the alerts. Magna works from the inside and raises few alerts, but ones which are worth investigating because they're based on system behaviour which isn't normal, rather than on a signature or profile of code which is known to be suspicious.
Jason gave a sense of the scale of alerts generated by preventive infrastructure by quoting a recent Ponemon report that put weekly alert volumes from APT detection software at around 75,000, more than a small IT administration team could possibly handle.
There are a lot of alerts because there's a lot of malware. However, many of the payloads of that malware are never destined to be triggered. As Jason explained, most of the time the links embedded in spam or phishing e-mails never get clicked on, or the malware falls on the stony ground of an operating system that has the latest security updates. It's all malware, though, so alerts are triggered regardless. "Preventive security software spends a lot of time identifying malware that is never used," he said.
With a focused choice of preventive infrastructure and a platform like LightCyber Magna to hunt down the malware that gets through, IT security professionals can spend more time productively keeping their networks secure and less time administering false positive alerts.
The LightCyber website has a Magna 3.1 dashboard demonstration.
Jonathan Newell is a broadcast and technical journalist who contributes to a range of titles in the technical press.