
Cyphort provides guidance on prioritizing APTs for mitigation

Linda Musthaler | June 27, 2014
This column is available in a weekly newsletter called IT Best Practices.

It seems the life cycle of each technology generation is getting shorter these days. It has only been a few years since the emergence of a class of sophisticated solutions that detect and prevent advanced persistent threats (APTs) in the enterprise by monitoring URLs and content and forcing them to play out in a sandbox to look for the presence of malware. Fed by the analysis of billions of transactions across the Internet, these solutions can pinpoint malicious behaviors, IP addresses and URLs and provide intelligence to firewalls, proxies and intrusion prevention systems (IPS) to make them more effective.

Now there is a vendor calling such products "first generation," saying it has an even more sophisticated solution that prioritizes which threats should be addressed first because they pose the highest risk.

Cyphort just announced an enhanced version of its Advanced Threat Defense Platform that it says adds a level of intelligence about the risk each threat poses to the specific organization and how to prioritize these threats for mitigation and remediation. Cyphort introduces the concept of a threat metric, which is designed to help incident responders determine where to focus their immediate efforts.

Cyphort launched its Advanced Threat Defense Platform back in February with an architecture that allows for broader coverage at a lower price point. Most advanced threat detection platforms require customers to install a physical appliance on each network segment or to route the enterprise traffic to an off-premise cloud solution that inspects emails, files, URLs and so on. But that gets expensive, so many companies sacrifice coverage to reduce the cost of deployment, and some organizations are hesitant about, or even prohibited from, sending information off-premises to a cloud for inspection.

The Cyphort architecture addresses both of those issues. Cyphort's software can be installed on commodity hardware in an on-premise data center. It uses a core central platform to do the data inspection and analysis and to present prioritized threats on a console. The tool uses collectors that can be put anywhere throughout the network to collect information and feed it back to the core. With Cyphort's new release, the collector software can be installed on a commodity server or a virtual machine. The big breakthrough here is that customers pay for the bandwidth the collectors use, not for the collector software itself. This makes it more cost effective than traditional solutions to cover every aspect of the enterprise infrastructure.

The core analysis platform uses several techniques to determine the presence of malware and other potential threats. For example, it uses multi-method sandboxing, in which several types of sandboxes are used in parallel to watch for malicious behavior. One is a virtualization environment and another, parallel sandbox is an emulation environment. The reasoning is that some advanced malware developers are finding ways around virtualization: if the malware is able to detect that it is in a virtual environment, it stays dormant. Cyphort's ability to run not just a virtual sandbox but also an emulation sandbox defeats that technique. Another sandbox uses the enterprise's own chosen image or typical desktop software environment, which brings contextual meaning to the search for malicious activity.
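To make the two ideas above concrete, the threat metric that ranks findings by risk to the organization and the multi-method sandboxing that exposes VM-aware malware, here is an added illustration in Python. It is not Cyphort's code: the sandbox reports, the asset criticality values and the scoring weights are constructed assumptions, and the point is only the logic of combining per-sandbox verdicts with asset context to decide what an incident responder should look at first.

```python
from typing import Dict, List, Tuple

# Constructed sandbox reports (not real detonation output). Each sample was
# detonated in three parallel environments, as the article describes; the
# value is the number of malicious behaviours observed in that environment.
REPORTS: Dict[str, Dict[str, int]] = {
    "invoice.doc": {"vm": 0, "emulator": 4, "golden_image": 3},  # dormant under virtualization only
    "update.exe":  {"vm": 2, "emulator": 2, "golden_image": 2},  # behaves the same everywhere
    "readme.txt":  {"vm": 0, "emulator": 0, "golden_image": 0},  # benign in every sandbox
}

# Assumed business criticality of the host that received each sample (1 = low, 3 = high).
TARGET_CRITICALITY: Dict[str, int] = {"invoice.doc": 3, "update.exe": 1, "readme.txt": 2}

EVASION_MULTIPLIER = 2   # assumed weight: VM-evasive samples are ranked higher
GOLDEN_IMAGE_BONUS = 5   # assumed weight: behaviour reproduced on the org's own image


def verdict(report: Dict[str, int]) -> Tuple[bool, bool]:
    """Return (is_malicious, is_vm_evasive) for one sample's multi-sandbox report."""
    malicious = any(count > 0 for count in report.values())
    # The evasion pattern from the article: no activity in the virtualized sandbox,
    # but malicious behaviour in emulation or on the real desktop image.
    evasive = malicious and report["vm"] == 0 and (
        report["emulator"] > 0 or report["golden_image"] > 0
    )
    return malicious, evasive


def threat_score(report: Dict[str, int], criticality: int) -> int:
    """Combine observed behaviour, evasion and asset context into one ranking score."""
    malicious, evasive = verdict(report)
    if not malicious:
        return 0
    score = max(report.values()) * criticality
    if evasive:
        score *= EVASION_MULTIPLIER
    if report["golden_image"] > 0:
        score += GOLDEN_IMAGE_BONUS
    return score


def prioritize(reports: Dict[str, Dict[str, int]],
               criticality: Dict[str, int]) -> List[Tuple[str, int]]:
    """Rank samples so responders see the highest-risk finding first."""
    scored = [(name, threat_score(rep, criticality[name])) for name, rep in reports.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in prioritize(REPORTS, TARGET_CRITICALITY):
        print(f"{score:3d}  {name}  evasive={verdict(REPORTS[name])[1]}")
```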
