The focus of security is shifting from perimeter protection to network detection. Anti-virus at the perimeter is no longer enough, and the AV industry itself has long said that it should be part of a multi-layered defense. Now a major AV vendor is providing one of those additional layers with the launch of its own incident detection and response service.
In its announcement today, F-Secure says the “Rapid Detection Service leverages the strengths of both human and machine intelligence to provide an all-in-one intrusion detection and response service that’s ready to go immediately.”
The machine element comes from lightweight endpoint and network decoy sensors that collect data about events and activities. This data is sent to the F-Secure Rapid Detection Center for threat intelligence and behavioral analysis. Anomalies, which can be detected in near real time, are highlighted to the F-Secure team of security experts (the human intelligence), who launch any necessary response. The customer receives a breach notification and an offer of assistance within 30 minutes of the system detecting the anomaly.
It’s a logical move for any AV company. They have rested on their laurels for too long, and allowed other firms, like FireEye and SecureWorks, to take center stage in incident response. But AV has all the major components already in place. It has a huge global threat intelligence network; it understands malware and the hacker mentality; and it has more experience in threat detection than any other market segment.
The behavioral analysis engine is maintained in F-Secure’s cloud. “We have a long history of building artificial intelligence-based systems,” Marko Finnig, the director of advanced threat protection at F-Secure, told SecurityWeek; “we actually started the work over 10 years ago. Part of the work is fully extendable to be able to look beyond malware behavior – which is what we have done. We also have a new set of advanced algorithms,” he added, “developed specifically to find relevant security anomalies from stored big data.”
F-Secure is also majoring on the ‘human intelligence’ side of its service. Cyber security advisor Erka Koivunen comments, “Attackers are human, so to detect them you can’t rely on machines alone. Our experts know how attackers think, the very tactics they use to hide their presence from standard means of detection. The human factor also eliminates false positives, which are an extreme waste of resources.” The Target breach famously followed an automated alert from its threat detection system, an alert reportedly buried among a large number of false positives.
The data collected by the F-Secure sensors for analysis is metadata. The sensors are located on the corporate network and on user endpoints, and the system doesn’t look inside any files. F-Secure says no private or personal data is collected, and the company expects, and has so far experienced, no pushback from privacy-conscious users. This is increasingly important for compliance with European data protection laws.
Finnig told SecurityWeek that the system had been tested with almost 40 different organizations, and the privacy policy had evolved from such discussions. “The most common concern of our customers,” he added, “is do we move any personal data – and our answer is no.” He noted that the system has support from PCI-DSS, allowing banks to run the system in PCI-certified environments.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
