German Press – Behavior Analysis Detects Intruders


May 27, 2016

LightCyber with a self-learning incident response solution

Behavior analysis detects intruders

written by LANline / Dr. Wilhelm Greiner

With Magna, the start-up vendor LightCyber offers a platform for behavioral analysis of network traffic, applications, users and devices, intended to detect an attack in progress as quickly as possible (behavioral attack detection). Against the knowledge gaps of conventional tools, Light Cyber sets a self-learning analysis based on network probes and complementary endpoint investigations. Through this verification of an attack hypothesis, the vendor says, the security team receives specific warnings instead of time-consuming alert floods.

In the IT security market, the focus is shifting increasingly from prevention to the fastest possible detection of, and targeted response to, a compromise of enterprise IT (attack detection, incident response). Conventional solutions for securing the network may stop the majority of attacks, but they cannot permanently stop a persistent attacker, as (not only) Light Cyber emphasizes. Conventional approaches, including SIEM solutions (security information and event management), have also proved of little use in the early detection of attacks.

Intruders therefore often remain undetected for months; according to Mandiant's 2014 threat report, the average time an attacker stays undetected (dwell time) is a remarkable 229 days. This is because, amid the abundance of false positives and false negatives generated by security tools, the attacker's activities long remain "under the radar" of the security team.

Light Cyber sets its Magna platform against the market's usual matching of data patterns against predetermined thresholds and known signatures: Magna combines self-learning (machine learning) with an automated investigation of the discrepancies it discovers.

According to Jason Matlof, EVP and Chief Marketing Officer of Light Cyber, Magna first produces a baseline of what is considered normal behavior during a learning phase. For this purpose the solution uses network appliances as probes that examine traffic up to the application layer by DPI (deep packet inspection); at the same time, the Pathfinder tool also feeds the status of the devices and information about users (based on Active Directory) into the behavior analysis.

When deviations from the baseline are detected, Magna does not immediately raise an alert, Matlof says, but automatically takes up the investigation, including comparison of the unusual event with known attack patterns. In this way, according to Matlof, Light Cyber reduces the volume of alerts from what is now the industry norm (according to the Ponemon Institute) of 172 alerts per day per 1,000 endpoints to a rate of 1.09 alerts per day per 1,000 devices, and thus to a level the security team can meaningfully work through.

An example: the network probe recognizes that a port scan of an administrator's computer is started from a client PC in the finance department. This stands out to the solution because there is no baseline for this behavior. Magna does not raise an alert yet, but begins an automated investigation: the Pathfinder software scans the client computer for the process that initiated the suspicious behavior and comes across a piece of malware. At the same time it detects that the computer is communicating with an unknown external web server.

Magna now draws on the aggregated threat intelligence feeds, Matlof says, that Light Cyber holds in its cloud-based expert system. The external web site appears there marked orange (that is, suspicious, since it is only a few weeks old, but not on a blacklist). At the same time, the software can track the movement of a potential attacker within the network. Based on the combination of these indicators, Magna now raises a single aggregated alert that this appears to be an attack, enriched with the collected additional information and supplemented with recommended actions.
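As an added illustration of the walk-through above (this is not LightCyber's code, and all hosts, flow records, endpoint findings and threat-intel entries are constructed), the following Python sketch learns a per-host baseline, flags deviations from it, and folds the network, endpoint and threat-intel indicators for one host into a single aggregated alert instead of one alert per event. The function names, the 30-day "young destination" threshold and the suspicious/confirmed scoring are assumptions of the example, not the product's logic.

```python
"""Toy model of baseline-then-investigate detection (constructed example)."""
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2016, 5, 27)  # assumed "current" date for the age check

# --- constructed sample data (not real traffic) ---------------------------
# Flow records seen during the learning phase: (src_host, dst_host, dst_port)
LEARNING_FLOWS = [
    ("fin-pc-07", "erp-srv", 443), ("fin-pc-07", "mail-srv", 993),
    ("fin-pc-07", "file-srv", 445), ("hr-pc-02", "erp-srv", 443),
    ("admin-ws-01", "dc-01", 389), ("admin-ws-01", "file-srv", 445),
]
# Monitoring phase: the finance PC probes the admin workstation on many
# ports and talks to an unknown external server (RFC 5737 test address).
LIVE_FLOWS = (
    [("fin-pc-07", "erp-srv", 443), ("hr-pc-02", "erp-srv", 443)]
    + [("fin-pc-07", "admin-ws-01", p)
       for p in (21, 22, 23, 80, 135, 139, 443, 445, 3389, 5985, 8080, 8443)]
    + [("fin-pc-07", "203.0.113.45", 443)]
)
# Constructed endpoint findings, standing in for a host-side process scan.
ENDPOINT_FINDINGS = {
    "fin-pc-07": {"initiating_process": "updsvc.exe", "signed": False,
                  "av_verdict": "malware"},
}
# Constructed threat-intel entries keyed by destination.
THREAT_INTEL = {
    "203.0.113.45": {"first_seen": date(2016, 5, 1), "blacklisted": False},
}
INTERNAL_HOSTS = {"erp-srv", "mail-srv", "file-srv", "dc-01", "admin-ws-01",
                  "fin-pc-07", "hr-pc-02"}


def learn_baseline(flows):
    """Learning phase: which (destination, port) pairs each host normally uses."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def find_deviations(baseline, flows, scan_threshold=10):
    """Collect unseen (src, dst, port) triples per (src, dst) and classify them."""
    unseen = defaultdict(set)
    for src, dst, port in flows:
        if (dst, port) not in baseline.get(src, set()):
            unseen[(src, dst)].add(port)
    deviations = []
    for (src, dst), ports in unseen.items():
        kind = "port_scan" if len(ports) >= scan_threshold else "new_connection"
        deviations.append({"src": src, "dst": dst, "ports": sorted(ports), "kind": kind})
    return deviations


def rate_destination(dst, today=TODAY, intel=THREAT_INTEL, young_days=30):
    """Colour a destination as the article describes: red = blacklisted,
    orange = not blacklisted but only recently seen, green = established;
    'internal' for local hosts, 'unknown' if no intel exists."""
    if dst in INTERNAL_HOSTS:
        return "internal"
    entry = intel.get(dst)
    if entry is None:
        return "unknown"
    if entry["blacklisted"]:
        return "red"
    if today - entry["first_seen"] < timedelta(days=young_days):
        return "orange"
    return "green"


def investigate(src, deviations, findings=ENDPOINT_FINDINGS, today=TODAY):
    """Automated follow-up for one source host: combine network deviations,
    endpoint findings and threat-intel colour into one aggregated alert, or
    None when fewer than two independent indicators were found."""
    indicators = []
    for d in (d for d in deviations if d["src"] == src):
        if d["kind"] == "port_scan":
            indicators.append(f"port scan of {d['dst']} ({len(d['ports'])} ports)")
        colour = rate_destination(d["dst"], today)
        if colour in ("orange", "red"):
            indicators.append(f"contact with {colour}-rated external host {d['dst']}")
    host = findings.get(src)
    if host and host["av_verdict"] == "malware":
        indicators.append(f"malicious process {host['initiating_process']} on {src}")
    if len(indicators) < 2:
        return None  # a lone indicator stays below alert level
    status = "confirmed" if host and host["av_verdict"] == "malware" else "suspicious"
    return {"host": src, "status": status, "indicators": indicators,
            "actions": ["isolate host from network", "collect process image for analysis"]}


def run_pipeline(learning=LEARNING_FLOWS, live=LIVE_FLOWS):
    """Baseline, deviation detection and investigation; returns (deviations, alerts)."""
    baseline = learn_baseline(learning)
    deviations = find_deviations(baseline, live)
    alerts = []
    for src in sorted({d["src"] for d in deviations}):
        alert = investigate(src, deviations)
        if alert:
            alerts.append(alert)
    return deviations, alerts


if __name__ == "__main__":
    devs, alerts = run_pipeline()
    print(f"{len(devs)} raw deviations -> {len(alerts)} aggregated alert(s)")
    for a in alerts:
        print(a)
```

With the constructed data, the finance PC produces two raw deviations (the scan of the admin workstation and the contact with the young external host), and the investigation step merges them with the endpoint finding into one alert carrying three indicators; the HR PC, whose traffic matches its baseline, produces nothing.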

Based on the behavioral analysis of the suspicious activity that precedes an alert, Magna achieves, according to Light Cyber's Matlof, an accuracy of 62 percent even for non-prioritized alerts. If Magna classifies a behavior as "suspicious", the hit rate rises to 92 percent; for the state "confirmed" it even reaches 99 percent.

Thanks to these automated preliminary investigations, Matlof says, the security analyst receives prioritized warnings that he can actually act on. Light Cyber publishes the figures for its efficiency and hit rates on a quarterly basis so that user companies can use them as a reference when comparing the values of other vendors, according to Matlof.

The Magna appliances do not store the network traffic itself, but only the metadata from profiling network and application activity, endpoint status and the use of user credentials, Matlof emphasized. This lets them handle storage and analysis on their own; purchasing an additional database is therefore not necessary.

Light Cyber has recently become active in Europe and has appointed Paul Couturier as vice president and general manager for EMEA. The company also now operates a Magna Cloud Expert System in a European data center, so that the enrichment of metadata with threat information remains within the EU's jurisdiction. This, the company says, is in conformity with the EU Data Protection Directive (Directive 95/46/EC).

Magna presents the security status of an IT environment in a dashboard and also offers graphical visualization of attacker behavior. In addition, according to Light Cyber, it integrates with a wide range of existing security tools such as SIEM or e-mail security solutions. Integration with firewalls and NAC solutions for automated responses is possible, Matlof says, but at present responses are initiated manually, which is also what customers want.

Founded in 2012 (the company name "Light Cyber" is a pun on "lightsaber", a nod to Star Wars), the company markets its solutions exclusively through partners. Partners in Germany include cirosec, Control Goods, Infinigate and others. The appliances are licensed per unit and per number of monitored nodes.
