Security experts agree that there is no way to make a network 100% safe from cybercriminals: if they really want to get in, they will. All you can do is put enough layers in front of them to make your systems a less attractive target. Compounding this, malware authors have become adept at writing code that varies its port usage and encrypts its traffic, so that it is virtually invisible to many of today's forensic tools as it hides within normal traffic flows.
A breach typically progresses in stages: infiltration (the initial break-in), then reconnaissance, and finally exfiltration. The ideal is to catch the intruder at the infiltration stage, before anything has been mapped or taken.
This is where a new company, CyberFlow Analytics, comes in. It uses something it calls Anomalytics to help companies track and monitor threats and attacks. The pipeline starts with packet inspection based on metadata plus multi-model flow fusion, combined to provide predictive analytics. Next comes threat intelligence, which combines blacklists, policies, contextual data and geolocation to report Advanced Persistent Threats (APTs) in real time with fewer false positives. Finally, an organized visual map (see further below) lets a user see in real time how a breach evolved and what it consists of. The end result is more effective detection of APTs on your network.
The company is notable because its Chairman & CEO is Dr. Hossein Eslambolchi, formerly CIO & CTO of AT&T. This isn't meant to take away from the management team, which has deep experience at companies such as PayPal, RSA, Wells Fargo, Cisco, and Microsoft.
Getting back to the company’s technology described above:
Advanced behavioral analytics has the potential to identify anomalies associated with malware that has never been seen before. The "multiple models" approach uses a clustering technique, Self-Organizing Maps (SOM), to learn the normal business or industrial processes of an organization. The models then flag communication that falls outside the learned normal behaviors.
Each model learns normal behavior in its own context: client behavior, server behavior, protocol behavior, and so on. This multi-model flow fusion architecture runs the flows through several stages of analytics and policy to calculate an anomaly score and a risk score for every communication. In effect, this establishes a baseline for the network, so the user can distinguish device activity that is supposed to be there from activity that is not. The Anomalytics engines are built on a distributed, virtualized and horizontally scalable software architecture using cloud-friendly technology stacks. In other words, it is software-based and will live in Docker containers in VMs.
[Screenshot] CyberFlow security analytics software detecting high-risk anomalous behavior associated with a cyber-attack; here, an employee's infected PC has been plugged into the corporate network.
The system keeps a historical record of every IP-to-IP-by-port relationship, viewed through the lenses of the models above, including one-day, seven-day and 30-day changes in each device's communication behavior.
CyberFlow's Anomalytics software continuously monitors all IPs, all devices and all protocols on the network, including IT and SCADA (M2M) devices, which makes it well suited to organizations embracing the Industrial IoT.
The system uses only network packet metadata (not deep packet inspection, DPI) to analyze data flows in transit, and from it creates statistical "flow records" for each IP-to-IP-by-port communication. Because payloads are never inspected, no packet content is stored or processed by the Anomalytics engine; what it retains is the addressing and volume metadata of each conversation.
Embedded intelligence then analyzes the anomalies and determines how dangerous or risky they are. By examining the context and behavior of an anomaly, the engine calculates a risk factor and estimates which stage of the kill chain the activity belongs to. Anomalytics draws on multiple policies, blacklists, knowledge of core assets such as guarded or admin servers, and geolocation, and assembles other contextual intelligence to build up a profile of the high-risk anomalous activity in the network.
The automation that this intelligence provides can be thought of as a virtual security analyst that assembles pieces of evidence into a timeline of potential breach activity. For an APT that unfolds slowly over a long period, automated tracking of a cluster of evolving breach activity is critical: no single event looks alarming on its own.
Companies quite often treat firewalls as "set it and forget it" security tools, but if you aren't monitoring your network in real time you have no visibility into insider threats, or into attackers who have already gotten past the firewall. In addition, CyberFlow's solution helps catch advanced polymorphic threats, whose constantly changing signatures defeat signature-based detection.
I spoke with President Tom Caldwell (pictured), who told me the company's solution is complementary to a firewall – saying they monitor the core while the firewall monitors the perimeter. He also explained their solution is being trialed in smart cities as well as in industrial IoT applications. He further explained the solution acts as an unsupervised neural network – looking at anomalies in an automated fashion. By accumulating a bookkeeping of which devices speak to which other ones and over which port – the system can detect malware, which sits outside the normal business process. Moreover, threats are then added into cases – like detective cases.
Then there is the visualization, which gives a clear graphical overview of what is happening in a network. It lets the "needle in the haystack" anomalies stand out: for example, rare traffic to or from China or Estonia when you don't normally do business in those countries.
As for system specifics, it can detect DNS tunneling, reverse shell connections, and Tor traffic tunneled over HTTPS. The solution is expected to be sold through channel partners and should be available to purchase as you read this.