The vendor also delivers threat intelligence to the core analysis platform from its own threat cloud infrastructure. This provides updated machine learning information, static analysis information and threat intelligence to help drive new types of detection mechanisms.
The newest release of the software, due out in early August, will add a layer of guidance to help security experts focus their time and resources. This guidance is based on a calculated threat metric that judges the severity, progression and relevance of a threat or incident.
One element of severity is the intent of the malware or threat. Cyphort analyzes what kind of harm the code intends to do in order to assign a severity level. For example, adware can be dubbed a threat, but what is its intent? Is it merely an annoyance or are there other things occurring on the network that indicate that it is in fact a data theft Trojan? The intent helps determine how urgent it is to mitigate or remediate the threat.
In terms of progression, Cyphort determines where in the kill chain a threat is occurring. Has the malware just been downloaded, meaning it is early in the kill chain progression, or has the threat advanced to exfiltrating data, putting it deep in the kill chain? A deep progression level requires immediate attention, whereas an early stage incident might not warrant an immediate response.
Another aspect of the threat metric is how relevant the threat is to the specific enterprise. For example, a retail organization would find the presence of malware that attacks the point of sale system much more relevant to its risk posture than, say, malware that is attacking a rarely-used test or QA environment.
All of these elements and more are combined to create a score that Cyphort uses to push the most urgent threats to the top of the list for mitigation or remediation. Security experts can view the console and get alerts to guide them on where and how to focus their resources. For an enterprise that has limited resources — and what enterprise doesn't? — Cyphort gives a complete picture of how to chase after the biggest risks to that specific organization.
Another feature Cyphort is bringing to market is auto-mitigation. The initial implementation of auto-mitigation is an integration with Blue Coat Systems' ProxySG and Palo Alto Networks' next generation firewalls to take intelligence from Cyphort's solution and automatically push information like IP address and URLs into block rules that the other systems can immediately implement. Cyphort has a roadmap to integrate with more defense products as well as to provide its intelligence in a more generic Mitre STIX format for threat intelligence exchange.
Sign up for Computerworld eNewsletters.