Today we announced that LightCyber has joined Palo Alto Networks. LightCyber’s technology will bring award-winning, highly automated, and accurate behavioral analytics technology to the Palo Alto Networks Next-Generation Security Platform, enhancing its ability to catch hard-to-find threats like internal reconnaissance and lateral movement inside the network. Since its inception, Palo Alto Networks has pioneered new…

With dwell time still averaging about five months, it’s clear that today’s approach to detecting a network intruder or a malicious insider simply is not working. Even with the best preventative security, attackers will find a way to compromise a user. There are far too many ways for a dedicated attacker to find a gap…

Here’s the scenario. An intruder has been lingering in your network for eight months. Since first gaining a foothold by compromising the HR Director’s computer, the intruder has been able to quietly scope out the network and now has an excellent picture of the servers, data stores, cloud data centers, users, networking equipment and IP-enabled…

How to Choose Amongst a Dizzying Array of New Machine Learning Solutions
The cracks in traditional threat prevention infrastructure are clearly exposed. Motivated attackers can always find a way into any given network. As a result of this growing challenge, the market has produced a range of new solutions designed to detect active attacks and…

Do your compliance initiatives make you feel more secure? Most likely, the answer is “no.” While PCI compliance is more effective than most regulations, it’s not always easy for organizations to satisfy PCI’s twelve high-level requirements and 200+ sub-requirements. Therefore, some security professionals focus on “checking the box” to meet the minimum requirements for PCI…

Finding active attackers in a network requires a high degree of precision. To maximize detection accuracy, LightCyber Magna monitors user access—as well as network and endpoint activity—to build a baseline of normal behavior. Since every user is unique, LightCyber profiles each user individually. With Magna 3.5, LightCyber has boosted Magna’s user profiling capabilities by detecting…

The industry’s track record of being able to find an active network attacker and prevent a data breach from occurring is immensely poor. One primary reason for not being able to uncover an attack is that organizations simply cannot see attacker activity because they lack the means of detecting it or because it blends in…

LightCyber is excited to announce a new service to qualified organizations: a free purple team assessment. The purple team assessment tests the strength of your security technologies and processes by combining a limited-scope red team attack simulation with a blue team security evaluation.
Red Team Operations from a Trusted Security Advisor
LightCyber has partnered with…

We are excited to introduce support for Amazon Web Services (AWS) cloud environments and to extend Magna Pathfinder agentless interrogation to Linux devices. LightCyber closes the breach detection gap by detecting command and control, reconnaissance, lateral movement, and data exfiltration to and from the cloud and in hybrid architectures. Our customers are moving their server…

Wednesday’s report about the 2014 and 2015 Office of Personnel Management (OPM) breaches showed us that unsophisticated attackers can gain access to sensitive information. The highly detailed report by the House Committee on Oversight and Government Reform lists the known evidence of how two groups conducted their CNE (computer network exploitation) operations inside the OPM network. While the…

It’s not easy to stop attacks when your best defenses are used against you. This is a hard lesson that many organizations learned on August 13th, when a shifty group calling themselves the “Shadow Brokers” released exploit tools targeting firewalls from Cisco, Juniper, and Fortinet. Now the security system you trust to protect the “front…

If you were like most people, the news in 2015 kept getting worse and worse, when it came to yet another health care data breach that was discovered. Each time you thought that it couldn’t get much worse, it did. Now a massive health care data breach seems to be the norm. News reporters have been getting to the point of saying that breaking news would be when there is not some kind of major breach.

Last year, cybersecurity experts at Black Hat USA revealed how to hack cars, rifles, and nuclear plants. What hacks will be announced at Black Hat 2016 next week? Attend the conference to find out and visit LightCyber booth #1559 while you’re there. Here’s a preview of what we’re planning for the show. Lock Down Your…

What tools do attackers use? The 2016 Cyber Weapons Report seeks to address this question by analyzing real-world attacks and other anomalous activity in organizations’ networks. This report focuses on the actions that occur after an initial intrusion, including command and control, reconnaissance, lateral movement, and data exfiltration. The Cyber Weapons Report reveals that organizations…

Consumers are easy victims when it comes to free utilities to enhance the performance of their computers. Maybe it’s because Windows PCs become sluggish after months of use, or maybe it’s because consumers want the best performance. No matter what the reason, PC cleaners or PC optimization tools should only be installed from reputable sources. In an enterprise environment, however, only IT approved tools should be installed.

Cybercriminals have stepped up their game, using new, advanced attack methods to compromise organizations, rather than individual users. And they have been successful, infiltrating a number of hospitals, schools, universities and government agencies. Post-attack investigations reveal that attackers used reconnaissance and lateral movement to infect as many machines as possible. And new ransomware strains demonstrate worm-like behavior, spreading through network drives and removable storage. But before we look at the latest attack techniques, let’s take a step back and review how ransomware has evolved.

In 2015, a security analyst at a manufacturing company noticed that the anti-virus engines on many of the company’s laptops were out of date even though software had been configured to update automatically. Once the anti-virus software downloaded new virus definition files, the software detected malware on seven laptops. The security analyst, with the assistance of the company’s IT team, quickly reimaged the infected laptops. The security analyst was not surprised that the anti-virus software had found malware, since zero-day and custom malware can easily evade end point protection tools with out-of-date virus definition files. Since anti-virus depends on current signatures, the laptops were easy targets for malware when the virus definition files failed to update.

Web browsers and toolbars can be important tools to increase employee productivity. They are commonly downloaded from various sites without much thought about any security implications. Recently, LightCyber Magna detected a change in behavior of one workstation, having already established a profile of normal activity for this device and its peers. More specifically, using automated endpoint data investigation, Magna detected a large number of failed DNS requests along with what appeared as seemingly random DNS requests from the workstation. Here’s what happened next…

While shared Administrator accounts are necessary to configure systems and administer other accounts in the environment, these accounts are also the crown jewels for those seeking unauthorized access to servers on the network. This is because attackers with such access can then create any other accounts they desire, change configuration settings, corrupt data, or launch attacks on other hosts (reference: SANS). Recently, Magna detected an account named “Administrator” that was used to log in to 38 hosts on the network. This was more than a 35x increase from the learned baseline of 1.08 host logins.

According to 2015 research reports published by Ponemon, Mandiant, and others, median intruder dwell time in a target network prior to detection ranges from just under to just over 200 days. That is a little over six months and as everyone agrees, totally unacceptable. How is it that an intruder can get into a network and remain active for over six months before being discovered? As a quick point of reference, it is important to note that these statistics include both external attackers and internal attackers.

Recently, LightCyber Magna alerted a security analyst that in a single day a workstation in his network generated almost 5,000 failed DNS requests to what appeared to be invalid domains. This was a 20,000x increase from a calculated baseline of 0.02 failed DNS resolutions since Magna profiled the workstation. One example of these invalid domains is and is shown in the screenshot below. The alert also identified the process that was responsible for generating these DNS requests, which was svchost.exe. It turns out the workstation had been rebooted, and the svchost.exe process made the DNS requests when it started back up.

Today, LightCyber announced the IT security industry’s first-ever Attack Detection Metrics, which objectively measure the quantity and quality of alerts produced by our Magna platform in live customer environments. Our Q1’16 metrics are: Efficiency – 1.1 alerts per 1000 endpoints per day; and Accuracy – 62% of all alerts dispositioned by analysts in a useful way. To our knowledge, this is the first time a security vendor has ever publicly released objective data about their customers’ actual user experience with their products, and we believe that’s because the data for conventional security products would be abysmal.

By early December last year, global mergers and acquisitions (M&A) had reached an all-time peak of $4.304 trillion in 2015, surpassing a previous high of $4.296 that was set in 2007, according to the Wall Street Journal. Pfizer’s $160 billion merger with Allergan set the year’s record, followed by Anheuser-Busch InBev’s $110 billion takeover of SABMiller. Both of these made the $67 billion Dell deal to acquire EMC seem a bit paltry.

It’s always challenging to educate employees about good security practices, and almost impossible to prevent everyone from clicking on malicious emails targeted towards the organization. Recently, LightCyber Magna detected a large number of outbound email connections from a device at a large professional employee organization, so it automatically activated a Magna Pathfinder scan. Pathfinder interrogated the endpoint to look for the root cause of the network traffic. The Pathfinder scan detected anomalous files or processes and executables on endpoints. In this case it found a Tunneling Process named system_32.exe on an endpoint.

RSA, the world’s largest security conference, is a dizzying carnival of claims, buzzwords, achievements and revelations, all competing for mindshare of the more than 40,000 attendees. Ironically, just as the conference was starting, across the Bay, the University of California, Berkeley reported a data breach that compromised current and former faculty, staff, students and vendors. This is the third data breach disclosed by the school in a 15-month period.

One of the most feared threats security professionals face today is a rampant attack of ransomware that locks up file shares and the majority of clients. The recent attack on a Hollywood, CA hospital not only made worldwide headlines but sent shockwaves through the security community. It’s also provided proof to cybercriminals that this was a good business and effective endeavor. Ideally, a threat such as Cryptolocker would be prevented with endpoint security. We all wish that prevention is 100% effective, but everyone recognizes it is not.

How to stop insider threats. It’s always challenging to educate employees about good security practices, but even more challenging for new employees. Recently, LightCyber Magna detected a suspicious number of attempted SSH connections from the workstation of a newly hired engineer. The security analyst saw the event on the Magna Analyst Dashboard and sent an email to the user to ascertain what might be going on.

Today most people equate a data breach with the theft of personal identification, health or financial data—credit card numbers, banking details, social security numbers and more. No doubt this has been a profitable and common focus for cybercriminals. Such data are easily monetized, and a sizable dark market exists for selling them. For many companies, however, the theft of intellectual property (IP) is the top concern. Although there is little news coverage of such activity, it is frighteningly common.

With today’s internal and external threats, it is no longer possible to rely on preventative security. You have to expect that an external attacker will find a way into your network, probably by compromising a host computing device or user account. Will you be able to tell? Can you see the attacker at work, exploring the network and establishing new points of control? With LightCyber Magna, Gigamon can find an active attacker quickly.

Security industry researchers acknowledge not only the obvious rise in data breaches at organizations from large-to-small, but much more importantly the complete paralysis that security organizations experience in trying to protect themselves from becoming the next victim. Consider the recently published shocking research data from Ponemon Institute, which includes research from data collected from 630 IT Security organizations.

One of the greatest determents to security and a major contributor to the inability of finding attackers on a given network is not the strength of a firewall or the sophistication of its policies. Perhaps the greatest detractor is noise. Signs of an active attacker may very well be caught by legacy SIEM or IDS/IPS, but they are likely buried under thousands of false positive security alerts. The “signal” or “signals” of an attacker are overcome by the noise.

The shortcomings of legacy “artifact-based” prevention technologies have forced security vendors to embrace new detection techniques like sandboxing and endpoint detection and response (EDR), which are being billed as “behavioral detection” technologies. This is causing confusion among users regarding value and utility when compared to emerging “behavioral anomaly detection” techniques. To be clear, “behavioral detection” techniques such as sandboxing and EDR are only slight variations of the security techniques employed over the last 20 years, and they are nothing like behavioral anomaly detection.

This week we unveiled the first public version of the Cyber Attack Training System (CATS) we developed to help professionals understand how network attacks progress and how to detect them quickly. 35% of the total participants representing a variety of industries and across 16 countries won the CATS Hacker Challenge by exfiltrating data as instructed. Many others participated but lacked the time or experience to get to the target data.

A Partner at a major law firm walks into the office of the company’s CIO. “How are we set up to prevent a data breach?” he asks. The CIO explains the various systems and practices that have been put in place over the past year against a backdrop of so many news articles covering the latest organization that has been breached. “So, can we tell if there is an attacker inside our network?” Almost immediately the confident look of the CIO vanishes.

A recent study showed that 63% of large US companies admitted they had one to two network attacks last year alone, and hardly a day passes without some big headline of another major breach. Health care records, financial assets and government secrets have all been compromised on a massive scale. Can companies turn the tide from being the next victim of devastating results that come from a data breach? What are the crucial ingredients to finding a network intruder early?

Let me start by declaring that I’m a big believer in evolution theory (shocker!), and that Charles Darwin is alive and kicking in IT security markets in 2015! Why, you ask? Because every major incumbent vendor is “evolving” their messaging from a prior mantra of “Blocking” and “Preventing” attacks towards a new mindset of breach “Detection” that recognizes the stark reality that not all attacks can be prevented.

What you don’t understand can hurt you, and sometimes that hurt can be colossal. It’s ironic but even with a daily news cycle of freshly uncovered data breaches, most companies still greatly misunderstand the phenomenon. Just start with the term network attack. Some people think of this as the initial intrusion into a network. Others think of it as data exfiltration. The fact is that an attack breach is the entire process after the initial intrusion.

Can an active attack be detected before it’s too late and results in a data breach? That’s a burning question for most companies. Unfortunately the answer for nearly all is an uncomfortable no. Dwell time for attacks still lingers with an average of six months. Six months for an intruder to go undiscovered! Outrageous. Even then, only 18% of organizations uncover the breach themselves. Generally the discovery comes from a financial services company or from law enforcement.

Is your company a sitting duck for cyber attacks? Chances are you are. Consider what James Comey, FBI director said: “There are two kinds of big companies in the United States. There are those who have been hacked…and those who don’t know they have been hacked.” It’s essential to know when and where an attack takes place, and have the solutions in place to enable quick, targeted action before damage is done. We’ve developed an infographic that looks at 4 reasons that companies are sitting cyber ducks when it comes to targeted attacks:

Where should you look for active attackers operating inside your network? Across your network and on your endpoints – because that is where the attackers operate! Cyber attacks today are multi-stage operations conducted by human threat actors. Endpoints are compromised, user accounts are stolen, and devices (endpoints) and the network are used against you as attackers explore your environment, extend their access and control, and ultimately steal or damage your data and systems.

Would you take Tylenol to treat a brain tumor? That is effectively what most organizations are doing when attempting to address the problem of targeted attacks. Let me explain. Organizations are inundated with logs and alerts. Firewalls generate thousands of alerts a day. IDS systems thousands more. Sandbox solutions create yet hundreds to thousands more, alerting on malware that may or may not have detonated on a vulnerable system. And of course, infrastructure and applications are generating countless logs associated with user activity, whether normal or suspicious.

What do you really know about your network and users? Do you know what domains users access regularly? Do you know what internal network connections they make, and over which port, and at what frequency? Do you know what file shares are commonly used and which aren’t? Do you know who are the admins, what they administer and what tools they use to do so? Do you know where “all” your valuable data is located?

As a kid, I always enjoyed the pessimistic character of Glum from Gulliver’s Travels, who would predict imminent doom at every turn with the frequent quip, “we’ll never make it!” For no malicious reasons, we’re hearing this type of doom and gloom forecast in the security industry today. We are suffering from the worst-ever, out of control data breaches where targeted attackers are penetrating some of the world’s largest organizations at-will and apparently able to operate with unfettered access for months without notice.

It’s time to make life harder for hackers, but what can we do? “Hacking back” is all the rage right now in angst-fueled discussions. But, hacking back is a horrible idea (unless you are a nation state, and even then, maybe check with the Commander-in-Chief first). Hacking back will simply land you in jail and won’t do any good – do you even know how to appreciably affect the operations of the various hacking groups out there? Which one would you go after? How do you even know it was the one that got you?

To defeat an active network attack, speed and accuracy are critical. Companies cannot afford a flood of alerts that are mostly dominated by false positives. At the same time, active breaches need to be detected expeditiously before theft or damage can occur. Rather than scour logs for some attack indication or search for malicious activity based on statically defined “technical artifacts,” such as signatures or traces of malware, LightCyber utilizes behavioral profiling through machine learning to detect actual attacker behaviors on the network.

It’s not often that that we hear major technology vendor executives acknowledge the shortcomings of their own product portfolio and those of their peers. But when the President of one of the largest security companies in the world acknowledges that the bad guys are winning the security war, and that the defense mechanisms offered by that company are insufficient, it’s time to run for cover.

As some of the details of the recently disclosed data breach of a White House network become clear and some of the finger pointing dissipates, there should be a sobering reflection on what this may mean to companies and organizations. Network intrusions cannot be perfectly prevented. Whether you are the White House, a large health care provider, a major retailer or a bank, if a cybercriminal wants to get into your network badly enough (and has the time and resources), they will eventually succeed.

Here is another monthly cyber breach infographic for cyber attacks reported during January 2015. To see previous infographics see August 2014, September 2014, October 2014, November 2014 and December 2014. The month of January didn’t bring us many new breach notifications, but most of the ones we did learn about involve the compromise of POS (point of sale) systems. Such activity is likely the result of the growing capability of organized crime syndicates to perpetrate these more sophisticated attacks, combined with the ready ability to monetize the results by selling cardholder information to the black market.

The new era of cyber security threats highlights the difference between known and unknown cyber threats. Known threats are considered “old news,” easily identified through signatures by anti-virus and IDS engines, or through domain reputation blacklists. Unknown threats, on the other hand, are attacks for which no signature exists. Several technologies have come to market, and are presented as capable of detecting unknown threats via static and dynamic file analysis, either at the endpoint or in a simulated environment (also known as sandboxing).

Flip the Odds with Active Breach Detection

The continued and relentless pace of enterprise breach announcements and escalating associated costs clearly convey the current state of the IT Security industry: beleaguered and squirming in agony. The “bad guy” attackers have the advantage in the current battle, and the IT security operator “good guys” are severely under-equipped for the fight. Largely, this is a result of a confluence of factors:

Below is an Incident Response Plan and the basic steps that you should take when you are preparing for, and responding to, a breach on your network. If you would like a downloadable PDF version, just let us know. We can divide incident response into 6 main steps: Preparation: get ready to handle an incident by having a CSIRP ready. Identification: detect the incident. Containment: limit the impact of the incident.

2014 was definitely a year to be remembered when it comes to cyber attacks, but how much do you remember? Take this 2 minute quiz (7 questions) and test your memory. See what sort of cyber security pro you really are and share your result with your friends:

The eight months prior to the start of 2015 saw no less than four major system-level vulnerabilities discovered – the latest being the incredible Kerberos Checksum Vulnerability. The scope of these four vulnerabilities is so great, and the potential for cyber attack damage on a nearly biblical scale (by digital standards, of course) so real, that we’ve taken to referring to them internally as Four Horsemen of the Apocalypse.

Here is another monthly cyber breach infographic for cyber attacks reported during December 2014. To see previous infographics see August 2014, September 2014, October 2014 and November 2014. The pace of cyber attacks continued unabated even as the industry focused its attention on the after-effects of the Sony hack in November. As is common, the majority of the victims of financially motivated attacks were in fact notified by external parties after customers’ credit card data was found for sale on black sites.

So far, as an industry, we’ve focused the majority of our IT security efforts at prevention (e.g., firewalls, anti-virus) or the next-gen versions of the same (e.g., NGFW, sandboxing, etc.). This makes sense when you use the wisdom of the physical world: an ounce of prevention is worth a pound of cure. The problem is that such cyber defense solutions are not perfect. In fact, recent research reveals that even the latest and greatest miss from 5-7% of *known* malware – never mind unknown malware.

Let’s start with this: the vast majority of enterprise network security professionals ARE competent. That isn’t to say that they never make mistakes – they do. Sometimes it’s because of incorrect or incomplete information, sometimes it’s because of limited technology or lack of resources, and sometimes it’s because, frankly, a bad decision is made. That happens, and what’s more, fallibility certainly isn’t limited to network security professionals.

No matter how strong your network security is, end-users will often be the weakest link in the security chain. Hackers exploit employee naivety and gullibility, or just the harried state of many workers, to execute hacking techniques and phishing scams via social engineering tactics. Here are 8 tips to prevent social engineering attacks for you, as the IT security administrator, to either use yourself or share with your employees.

Here is another monthly cyber breach infographic for cyber attacks reported during November 2014. To see previous infographics see August 2014, September 2014 and October 2014. The Sony hack is one of the most destructive cases we have seen. While the majority of cyber attacks have a financial motivation, in this case it seems that the attacker was a nation-state with political motives, or certainly an entity motivated to cause maximum damage.

In previous posts, we compared targeted attacks to hand-to-hand combat (as opposed to a remote drone strike). The idea was that we, as security professionals, need to relate to attackers as individuals that respond to our actions. They punch, we respond, and they react to this response. As we drill further down into the psychology of targeted attacks, and consider more in-depth the strategy of dealing with them, another analogy suggests itself.

Are we missing the big picture, again, in the furor around the Sony hack? It makes a great scene, you can picture it in a movie: Employees showing up on Monday unable to login or begin their day due to the flashing skull on their monitors. Frenzied white-collar workers rushing to secure pen and paper and lining up to use the fax machine. An escalation of damage as a puzzlingly worded extortion threat manifest as leaked sensitive internal information, then deleted and lost data, and finally followed by the loss of the crown jewels themselves – DVD quality rips of yet-to-be-released movies.

Created by defense giant Lockheed Martin, the term “Cyber Kill Chain” has been widely used by the security community to describe the different stages of cyber-attacks. It’s a compelling model, easy to understand, and (let’s face it) the name sounds really cool. However, whenever we look under the hood of the Cyber Kill Chain diagram that graces the Lockheed Martin web site, we can’t help but try to scroll down farther than the diagram reaches.

Here is another monthly cyber breach infographic for cyber attacks reported during October 2014. To see previous infographics see August 2014 and September 2014. In the last few months we have seen a definite focus on the retail industry and it is clear that attackers have built an infrastructure to steal credit card numbers and convert them into money. During September mainly larger brick-and-mortar stores were breached, however, during October we have seen a substantial increase in attacks on online stores.

It’s hard to admit that anything good came out of the recent massive data breach at JPMorgan Chase, which compromised 76 million households and 7 million small business accounts. And the same could be said of the other recent breach disclosures from Target, Home Depot, Albertsons, and almost a dozen financial companies in 2014. The good news is certainly not the millions of dollars the bank will likely be spending over the next few months to repair the damage and restore its reputation.

Those who’ve been in the network security field for a while can remember when mainstream media headlines about cyber attacks were the exception, not the norm. How times have changed! Now, it seems that every week the spotlight shines on yet another major malware campaign, such as one involving the now infamous new Gameover Zeus (NGOZ) botnet. New GameOver Zeus typically spreads through Spear Phishing emails and is designed to steal banking credentials from unsuspecting victims.

So here is our second infographic showing the main cyber attacks that were reported during September 2014. To see the infographic we prepared on the cyber attacks that were reported during August 2014 click here. As expected September was also an interesting month and our observations and forecasts from recent months have sadly been proven accurate.

We tell ourselves that we’re prepared. We tell ourselves that they aren’t us. We believe deep down that it won’t happen to us, anyhow. Why would it, after all? We have the best cyber security solutions and team possible. That is, until it does. We’re talking of course, not about traffic accidents, home burglaries, or other day-to-day mishaps, but about cyber-attacks – especially those of the catastrophic variety.


The recently-discovered Shellshock vulnerability in the popular Unix Bash shell, also known as Bashdoor, has been labeled a black swan event – that is, a “hard-to-predict and rare event beyond the realm of normal expectations”. Patches are being feverishly rolled out even as these lines are written. The flaw lies in the way Bash parses function definitions passed to it through environment variables: a vulnerable Bash keeps executing whatever follows the function body, so any service that copies attacker-controlled input into an environment variable before starting a shell (CGI web servers, DHCP clients, restricted SSH commands) becomes an entry point. Security analysts are decrying the unique danger of a vulnerability rooted so deeply in such a veteran component of Unix-like systems, which has left yet-unknown applications and components exposed to attack.
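The two checks a practitioner actually wants for Shellshock are a way to spot the payload on the wire and a way to confirm whether a given host's Bash is still affected. The following is an added example written for this page, not code from the original post; it assumes a `bash` binary on PATH for the live probe, the header sample is constructed, and the `HTTP_*` mapping is the simplified CGI convention (real CGI servers treat a few headers such as Content-Type differently).

```python
import os
import shutil
import subprocess

# Simplified CGI convention (RFC 3875): request headers become HTTP_<NAME>
# environment variables. This is how a User-Agent string reached Bash.
def cgi_env_from_headers(headers):
    """Map HTTP request headers to the HTTP_* variables a CGI server exports."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def is_shellshock_payload(value):
    """Signature check: a vulnerable Bash treated any environment value that
    begins with exactly '() {' as a function definition and went on to execute
    what followed the closing brace. Bash matched the first four characters
    verbatim, so no leading whitespace is tolerated here."""
    return value.startswith("() {")


def find_shellshock_headers(headers):
    """Return the names of exported variables whose values carry a payload."""
    env = cgi_env_from_headers(headers)
    return sorted(k for k, v in env.items() if is_shellshock_payload(v))


def probe_local_bash():
    """Live check of the Bash on PATH.

    Returns 'vulnerable', 'not-vulnerable' or 'no-bash'. The marker is only
    printed if Bash ran the command placed after the function body; a fixed
    Bash ignores the definition (it may warn on stderr, which is discarded).
    """
    bash = shutil.which("bash")
    if bash is None:
        return "no-bash"
    env = dict(os.environ)
    env["x"] = "() { :;}; echo VULNERABLE"
    result = subprocess.run([bash, "-c", "echo probe"], env=env,
                            capture_output=True, text=True)
    return "vulnerable" if "VULNERABLE" in result.stdout else "not-vulnerable"


# Constructed sample request: ordinary headers plus a probe in User-Agent.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :;}; /bin/cat /etc/passwd",
    "Accept": "*/*",
}

if __name__ == "__main__":
    print("suspicious variables:", find_shellshock_headers(SAMPLE_HEADERS))
    print("local bash:", probe_local_bash())
```

The signature check is deliberately narrow; IDS rules that also match variants with extra whitespace trade a few false positives for coverage, and the live probe should be run on every host that exposes Bash to untrusted input, not only on web servers.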

August 2014 was a really wild month in regards to cyber attacks. The retail attacks became mainstream and the same malware that was used for a targeted attack on Target is now mass malware that targets any retail company to steal credit card numbers. It is clear that once the attackers know how to do it once and generate revenues, they can replicate the same process to attack other companies with much less effort.

In order to thwart attacks from a growing army of sophisticated cyber criminals, many enterprises around the world are deploying Big Data security analytics technologies to fortify their network security systems. And while theoretically speaking this is a smart move, in reality Big Data security analytics technologies are often turning out to be categorically unmanageable — and therefore dangerously ineffective.

Advanced attacks such as those against Adobe Systems, the New York Times, Target, and the Korean credit card system have proved that today’s attackers differ from those of just a few years ago. What was once the modus operandi of nation-states and nation-backed actors has spread to cyber-crime and industrial espionage, both in terms of capabilities and sophistication.


Not so, at least based on the (apparently successful) attack on JP Morgan, just revealed last week by the Wall Street Journal. With the FBI and the Secret Service investigating “possible” breaches in other major financial institutions, perhaps it’s time to rethink the way we relate to targeted attacks? A targeted attack is the cyber equivalent of hand-to-hand combat – a back-and-forth battle between two skilled adversaries, in which reactions need to be in sync with actions in order to have effect.


It’s become quite clear that inline prevention solutions, which block traffic identified as an intrusion attempt, cannot provide 100% protection. In fact, persistent attackers actually enjoy the immediate response they get from these solutions – leveraging it to test different attack vectors, until they find a way in. Analysts and vendors realize that the next level in security will be to augment inline prevention security controls with “out of band” detection controls.

The recently-released report from the US Department of Homeland Security and others regarding the Backoff Point of Sale Malware is more important in what it does not address than in what it does. In this report, two high-powered government agencies (DHS and the Secret Service) and one prestigious industry partnership (FS-ISAC) laudably come together to bring a serious threat to the attention of worldwide retailers.

We’re proud to announce that we’ve released the first-ever product to combine network and endpoint analysis into a single real-time detection platform. This makes it easier than ever for organizations to quickly and cost-effectively identify and mitigate attacks – and makes it orders of magnitude more difficult for attackers to operate freely within your network.


In case you missed it, fast flux is back. This time it’s in the newest variant of the infamous Gameover ZeuS botnet, which has apparently been revived following a massive international takedown in early June this year. In case you’ve forgotten, fast flux is a veteran technique used by botnet operators to hide malware and phishing sites by rapidly changing DNS records: a single hostname is served with very short TTLs and resolves to a constantly rotating set of compromised hosts that proxy traffic to the real back end, so blocking any one IP address achieves little.
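Because fast flux shows up in resolution history rather than in any single packet, the practical detection is to look at a domain's answers over time: how many distinct addresses it returned, how spread out they are across networks, and how short its TTLs are. The following is an added example for this page, not code from the blog or from any LightCyber product; the passive-DNS log lines are constructed, and the thresholds (`ip_min`, `net_min`, `ttl_max`) are assumed starting points that a team would tune against its own traffic. The CDN-like domain is included on purpose: a short TTL alone is not evidence of flux.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS records: "epoch qname rdata ttl" (A records only).
SAMPLE_DNS_LOG = """\
# epoch      qname                  rdata          ttl
1409000000 www.example-bank.test 203.0.113.10 3600
1409003600 www.example-bank.test 203.0.113.10 3600
1409007200 www.example-bank.test 203.0.113.11 3600
1409000000 cdn.example.test 198.51.100.20 60
1409000060 cdn.example.test 198.51.100.21 60
1409000120 cdn.example.test 198.51.100.22 60
1409000000 login-secure.test 198.51.100.7 300
1409000300 login-secure.test 192.0.2.45 300
1409000600 login-secure.test 203.0.113.200 300
1409000900 login-secure.test 198.51.100.77 300
1409001200 login-secure.test 192.0.2.150 300
1409001500 login-secure.test 203.0.113.9 300
"""


def parse_dns_log(text):
    """Parse log lines into (qname, ip, ttl) tuples, skipping comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _epoch, qname, rdata, ttl = line.split()
        ipaddress.ip_address(rdata)  # validates the address, raises if garbage
        records.append((qname.lower().rstrip("."), rdata, int(ttl)))
    return records


def domain_stats(records):
    """Per domain: distinct IPs, distinct /24 networks, and the largest TTL."""
    by_name = defaultdict(list)
    for qname, ip, ttl in records:
        by_name[qname].append((ip, ttl))
    stats = {}
    for qname, answers in by_name.items():
        ips = {ip for ip, _ in answers}
        # /24 diversity is a cheap stand-in for "spread across many networks";
        # with ASN data available, count distinct ASNs instead.
        nets = {str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in ips}
        stats[qname] = {
            "ips": len(ips),
            "nets": len(nets),
            "max_ttl": max(ttl for _, ttl in answers),
        }
    return stats


def flag_fast_flux(stats, ip_min=5, net_min=3, ttl_max=300):
    """Assumed heuristic: many addresses, across several networks, all with
    short TTLs. Each condition alone is common for legitimate services."""
    return sorted(
        q for q, s in stats.items()
        if s["ips"] >= ip_min and s["nets"] >= net_min and s["max_ttl"] <= ttl_max
    )


if __name__ == "__main__":
    stats = domain_stats(parse_dns_log(SAMPLE_DNS_LOG))
    for name, s in sorted(stats.items()):
        print(f"{name:25s} ips={s['ips']} nets={s['nets']} max_ttl={s['max_ttl']}")
    print("fast-flux candidates:", flag_fast_flux(stats))
```

In production the same statistics are computed over a sliding window per domain, and the flagged names are worth correlating with the hosts that queried them, since a workstation resolving a fluxing domain is a strong hint of an infected machine rather than a merely curious user.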

Gonen Fink

As CEO, I am honored to launch our LightCyber blog, which will showcase our commitment to both technological innovation and knowledge sharing. I recently returned to the security field after a number of years leading a greentech venture. During my time in this fascinating sector, I was consistently impressed by entrepreneurs, vendors and customers who were driven by an overriding commitment to a cleaner, healthier planet.