We use a lot of techniques.” They include machine learning and analytics methods that help translate the team’s hacking knowledge into protective measures. The technology has a handful of patents pending, he says.
One interesting point is that the monitoring and detection is not necessarily an ongoing “big data” problem. Cybereason says it collects less than a megabyte per day from each endpoint. “We’re looking for rare things, differences, and we’re reducing [the data],” Div says.
That’s still only part of the problem, though. Even if the software works well, it has to be usable by technical people in the company who may not be cybersecurity experts. To that end, Cybereason serves up a visual dashboard that uses infographics to show things like how malware is spreading through a network, which machines are infected, and the timeline of events. Users can click and zoom in on evidence of what’s going on, and then the software can propose a remedy—a sequence of steps that might include blocking a certain IP address or removing a process from infected machines.
Cybereason’s software is intended to support IT and security teams while hacking is in progress—which seems to be a lot of the time. By contrast, Div says, you can think of companies like Mandiant (recently bought by FireEye) and Co3 as operating in a later part of the hacking process, during incident response. And Bit9, Cyber-Ark, Rapid7, and others are on the earlier side, around penetration and threat protection. Trusteer (bought by IBM) has a somewhat related analytical approach, but is more focused on Web browsers and fraud protection. (Perhaps Cybereason’s approach has more in common with local firms CounterTack and Fidelis, which is part of General Dynamics.)
In talking with other security business experts, one challenge Cybereason faces is exactly whom to sell to—both across organizations and within them. For now, the company’s software is in limited release with customers that span media, entertainment, utilities, financial services, and information technology. Its business model sounds like a mix of software and services.
Cybereason has a dozen people in Tel Aviv and a handful of workers in the Boston area, including Div and Mark Taber, the company’s vice president of sales and marketing (at right in photo). The startup plans to have dozens of employees by later this year. “We’re ramping fast,” Taber says, but the exact headcount will depend a lot on the quality of job candidates.
I asked Div and Taber about the tradeoff between employee privacy and cybersecurity. After all, having a sophisticated profile of all your employees’ behavior might be considered intrusive. Div says that user privacy is maintained in the normal course of operations, because the profiling is done in aggregate. “We’re fusing this information into metadata,” he says.
Until there’s something fishy, that is. Once a “malop” is detected and vetted, all bets are off and the system tries to hunt down and connect the parties involved.
One last question: Will Cybereason eventually have to change up its own approach in the escalating hacker arms race? Surprisingly, Div says no—instead it sounds like changing up is baked into its approach.
“We created a system that understands we don’t know everything, and reveals new stuff in real time,” he says. “In hacking, if you know something, it’s old.”
