LightCyber rolls out new features for endpoint malware detection platform

29.01.2015
LightCyber, another security startup with roots in the Israeli military, has opened its doors in the U.S. and is announcing new products and features to make its mark in the crowded field of endpoint detection and remediation.

The company's Magna Breach Detection Platform monitors and analyzes network traffic as well as activity on Windows endpoints in search of anomalous behavior that they can identify as malware.

So far it's having pretty good success in North America, with about 40 customers signed up for its appliances, software and services. It opened shop in Los Altos, Calif., last year, augmenting its headquarters that was already established in Ramat Gan, Israel, according to the company's chief marketing officer Jason Matlof.

The company is competing in a hot area where vendors provide a way to closely track what individual endpoints are doing internally and across the network, in an effort to baseline what is normal and quickly flag what is not. Competitors include Bit9+Carbon Black, AccessData, Black Ensilo, Fireeye, Guidance, Promisec, Tanium, "and about 20 others rushing into this space", says Peter Firstbrook, a vice president at Gartner.

The components of LightCyber's products are an on-site analyzer called Magna Detector, a branch office monitoring virtual appliance called Magna Probe, and services called Magna Cloud and Magna Pathfinder.

Detector is a physical appliance that can also be purchased as a virtual appliance running on customers' own servers. It connects to a SPAN or TAP port on a core switch and profiles inbound and outbound traffic, on-network traffic and Internet traffic, analyzing it to establish what normal behavior looks like so it can point out dangerous anomalies.


It also taps into Microsoft Remote Procedure Call (RPC) to gather data from endpoints such as running processes, what ran recently, registry keys, DLLs and the like. This is used to collect endpoint information without deploying client software to each endpoint.

Probe is a new product that is deployed in branch offices and collects the same type of data but forwards it to a Detector for analysis.

The Magna Cloud service further analyzes the network data collected by Detectors looking for patterns that LightCyber has designated as indicative of specific ongoing attacks or that could be the activity of an unknown attack. Magna Pathfinder does similar analysis of endpoint data, again to detect attacks.

The goal is to provide high-reliability alerts of possible intrusions that cut through the hundreds or thousands of alarms generated daily by other security platforms, Matlof says. The typical customer gets just four or five per day, which helps sort through the clutter and prioritize for security pros what to check out. The platform also provides the data that led it to conclude there was something worth alerting on, giving security teams guidance on where to look for the root of the problem.

The platform is newly integrated with Palo Alto's next-gen firewall, Check Point, RSA Arcsight and FortKnox gear, and with Microsoft Active Directory, to provide enforcement points for blocking discovered malicious activity and isolating affected machines. Integration with this group of vendors, while not ubiquitous, will address such protection for a wide group of customers, Firstbrook says.

Automating the prioritization of which suspicious activity human analysts should check out is valuable for stopping attacks early and reducing the damage attackers get away with, he says. "Home Depot and the New York Times attack both had alerts, but nobody followed up on them because there were too many alerts and no easy way to resolve them," he says. Detecting an attack sooner reduces the opportunity for theft and destruction.

Use of RPC to gather endpoint data has its pros and cons, he says. Remote solutions can only take a point-in-time snapshot and then compare snapshots, whereas agents on each machine can record and play back all changes. An agent can also isolate affected machines and give security operations centers time to investigate without worrying about continuing damage. Agents can help with remediation by killing malicious processes and rolling back any changes attackers have made, Firstbrook says.
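As an added illustration of the snapshot-versus-agent trade-off Firstbrook describes (example code written for this page, not LightCyber's), the following Python diffs two constructed point-in-time endpoint inventories and compares the result with a constructed agent event stream from the same host; every process name and registry key below is made up.

```python
# Constructed sample data (not from the article): two point-in-time inventories
# of one host, as a remote RPC query would return them, plus the continuous
# event stream an on-host agent would have recorded between those two moments.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

SNAPSHOT_T0 = {
    "processes": {"explorer.exe", "svchost.exe", "outlook.exe"},
    "run_keys": {RUN_KEY + "OneDrive"},
    "loaded_dlls": {"kernel32.dll", "ntdll.dll"},
}
SNAPSHOT_T1 = {
    "processes": {"explorer.exe", "svchost.exe", "outlook.exe"},
    "run_keys": {RUN_KEY + "OneDrive", RUN_KEY + "updater"},
    "loaded_dlls": {"kernel32.dll", "ntdll.dll"},
}
AGENT_EVENTS = [  # (event kind, object), in the order the agent saw them
    ("process_start", "outlook.exe"),
    ("process_start", "transient_tool.exe"),   # ran and exited between snapshots
    ("registry_set", RUN_KEY + "updater"),
    ("process_exit", "transient_tool.exe"),
]


def diff_snapshots(before, after):
    """Return {category: (added, removed)}: all a snapshot comparison can show."""
    return {cat: (after[cat] - before[cat], before[cat] - after[cat]) for cat in before}


def replay_events(events):
    """Rebuild the full timeline from an agent's event log."""
    ever_ran, registry_set = set(), set()
    for kind, obj in events:
        if kind == "process_start":
            ever_ran.add(obj)          # kept even if the process later exits
        elif kind == "registry_set":
            registry_set.add(obj)
    return {"processes_ever_ran": ever_ran, "registry_set": registry_set}


def missed_by_snapshots(before, after, events):
    """Processes the agent observed that neither snapshot (nor their diff) contains."""
    seen = before["processes"] | after["processes"]
    return replay_events(events)["processes_ever_ran"] - seen


if __name__ == "__main__":
    print("snapshot diff:", diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1))
    print("missed by snapshots:", missed_by_snapshots(SNAPSHOT_T0, SNAPSHOT_T1, AGENT_EVENTS))
```

The persisted Run key shows up in both approaches, but the short-lived process is visible only in the agent's replay, which is the gap Firstbrook points to.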

On the other hand, RPC can provide quick, lightweight validation of a suspected infection, he says.

Windows is the most attacked operating system, so using RPC will be widely effective, but he says Gartner is getting more and more requests from customers for similar visibility into Macs and Linux from this type of platform.

He notes that when laptops, the most common device used in place of traditional desktops in enterprises, go mobile, LightCyber offers them no protection.

The company has a healthy pedigree, including its two founders, Michael Mumcuoglu (CTO) and Giora Engel (Chief Product Officer), both of whom were officers in technological units of the Israeli Defense Force and have participated in startups before.

It has brought on Gonen Fink as CEO, one of the first five Check Point employees, who rose to become its chief architect. It has $12.5 million in funding from Battery Ventures and Glilot Capital Partners.

Magna Detector and Magna Probes are priced based on how many devices they profile, with the starting price at $30,000 to support 1,500 endpoints. Magna Cloud and Magna Pathfinder services have annual subscriptions based on how many hosts they scan.

(www.networkworld.com)

Tim Greene