Another month, another startup helping to keep Boston on the map as an epicenter of cybersecurity expertise. From CounterTack to Cyber-Ark to Co3, many companies have been making news in recent months.
This time it’s Cybereason, an Israeli-born startup that has set up headquarters in Cambridge, MA, with help from Charles River Ventures, which put in $4.6 million in Series A funding last year.
Co-founder and CEO Lior Div (at left in photo) gets my attention right off the bat. First of all, he spent six years in the Israeli army and Unit 8200, the intelligence agency, working on information security long before it was sexy. “There is no school to learn it,” Div says. “I didn’t think I’d have a career out of the things I’ve done.”
Second, he says the recent revelations of NSA surveillance have not been surprising to his peers in the security industry, but they do raise a lot of issues. Namely, “who’s going to watch who’s watching us?” he says.
Third, he says it doesn’t matter how many cyber attacks originate from China or any particular place. The focus on the identity of the attacker isn’t useful. “We can’t tell where it [really] comes from. It doesn’t help stop the problem, it’s so widespread,” he says. “The world is changing. The bad guy is winning.”
Cybereason hopes to help the “good guys,” then, by focusing on the critical time between when a hacker first penetrates an organization’s IT system and when—traditionally, at least—the breach is detected and an incident response is initiated. That time period can last from a few minutes to months or more. “Real hacking is very slow, very quiet,” Div says.
His startup is trying to shift the focus away from identifying the malware (the actual code), adversaries (who the attackers are), or their tools and techniques, and toward understanding the hackers’ plan of attack and what their intent is—and then, ideally, stopping them.
Sounds like the Holy Grail of cybersecurity. But through its efforts, the two-year-old company is providing a window into what modern-day hacking actually looks like.
Div and his team call hacker activity “malops”—malicious operations. As he puts it, hacking is “like a huge project, not a straight line.” A particular attack may consist of many subprojects, each with its own purpose. One goal might be to spread malware or to look for data on a network. A more advanced goal might be to get information from a board meeting, say, and then record it, transmit it, and use it to plan the next step of the attack.
Cybereason’s approach is to build a deep statistical model of each organization. This includes how files are related to different users and machines, which machines talk to which machines, and a broad sense of what “normal” activity looks like—what regular working hours are, which workers use which types of software, and so forth. The software also pulls in information from the outside world, such as lists of trusted and untrusted applications and contacts.
The result is an “in-memory graph” that shows the relationship between all entities in the organization, Div says. Crucially, the company’s software tries to figure out when there are deviations from normal activity, and it compiles evidence to decide when “malops” are going on. Then it suggests ways to stop the activity.
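To make the two paragraphs above concrete, here is an added example that is not Cybereason's code and does not reproduce its statistical model: it builds a tiny baseline of "normal" (which machines talk to which, which hours each user is active, which programs each user runs) from a constructed history, then treats a burst of several independent deviations on one host as accumulated evidence, the way the article describes "compiling evidence" rather than alerting on any single oddity. All host, user and program names are constructed sample data.

```python
"""Toy behavioural baseline with evidence accumulation.

Added example for illustration only; not Cybereason's code. The baseline is
a plain set of observed relationships, not a statistical model.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    host: str      # machine the activity originated on
    user: str      # account performing the activity
    hour: int      # hour of day, 0-23
    process: str   # program name
    dest: str      # machine contacted, or "" for purely local activity


@dataclass
class Baseline:
    edges: set = field(default_factory=set)                         # (host, dest) pairs seen
    user_hours: dict = field(default_factory=lambda: defaultdict(set))      # user -> hours active
    user_processes: dict = field(default_factory=lambda: defaultdict(set))  # user -> programs used


def build_baseline(history):
    """Learn 'normal' from a window of past events (the in-memory graph, in miniature)."""
    b = Baseline()
    for e in history:
        if e.dest:
            b.edges.add((e.host, e.dest))
        b.user_hours[e.user].add(e.hour)
        b.user_processes[e.user].add(e.process)
    return b


def deviations(event, baseline):
    """Return the kinds of deviation this single event shows against the baseline."""
    reasons = []
    if event.dest and (event.host, event.dest) not in baseline.edges:
        reasons.append("new_edge")          # machine pair never seen talking before
    if event.user not in baseline.user_hours:
        reasons.append("unknown_user")
    else:
        if event.hour not in baseline.user_hours[event.user]:
            reasons.append("off_hours")     # outside this user's usual working hours
        if event.process not in baseline.user_processes[event.user]:
            reasons.append("new_process")   # program this user has never run
    return reasons


def find_malops(events, baseline, min_kinds=2):
    """Accumulate deviation kinds per host; a host with >= min_kinds distinct kinds is reported.

    A lone deviation is everyday noise (a new printer, a late night); several
    independent ones on the same host are what warrant a look.
    """
    evidence = defaultdict(set)
    for e in events:
        for r in deviations(e, baseline):
            evidence[e.host].add(r)
    return {host: sorted(kinds) for host, kinds in evidence.items() if len(kinds) >= min_kinds}


# Constructed history: a week's worth of "normal", heavily abbreviated.
HISTORY = [
    Event("ws-01", "alice", 9, "outlook.exe", "mail-01"),
    Event("ws-01", "alice", 14, "excel.exe", "fs-01"),
    Event("ws-02", "bob", 10, "chrome.exe", "proxy-01"),
    Event("ws-02", "bob", 16, "outlook.exe", "mail-01"),
    Event("fs-01", "svc_backup", 3, "backup.exe", "tape-01"),
]

# Constructed recent activity to score against that baseline.
RECENT = [
    Event("ws-01", "alice", 9, "outlook.exe", "mail-01"),   # routine
    Event("ws-01", "alice", 2, "tool.exe", "db-01"),        # new edge, off hours, new program
    Event("ws-02", "bob", 10, "chrome.exe", "db-01"),       # one new edge only
    Event("fs-01", "svc_backup", 3, "backup.exe", "tape-01"),  # routine
]


def demo():
    baseline = build_baseline(HISTORY)
    return find_malops(RECENT, baseline)


if __name__ == "__main__":
    for host, kinds in demo().items():
        print(f"{host}: {', '.join(kinds)}")
```

Running it reports only ws-01, with three distinct deviation kinds; ws-02 shows a single new connection and stays below the threshold. The point of the threshold is the article's distinction between spotting an anomaly and deciding that an operation is under way: the former is cheap and noisy, the latter needs corroborating evidence.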
But how does it actually work? Div takes a deep breath. “It’s complicated,” he says. “We don’t have a magic algorithm.