A security startup is pushing a mix of threat correlation, sandboxing and traffic inspection to address the challenges posed by sophisticated malware and zero-day attacks.
Emerging from stealth mode, security vendor Cyphort announced the general availability today of its Advanced Threat Defense Platform a month after being named a finalist in the RSA conference’s 2014 Innovation Sandbox competition. The platform combines a number of detection methods together with machine learning and a threat correlation engine.
“Cyphort consists of software-based collectors that are placed at various locations on the networks, including ingress and egress points,” said Anthony James, vice president of products and marketing at Cyphort. “[The] collectors can be deployed as software running on commodity hardware or as a VM running on a hypervisor and collecting traffic from virtual TAP ports in a virtual environment and cloud. They are much easier and more cost-effective to deploy than installing dedicated appliances. Customers can scale collection across their distributed organization cost-effectively as the software is provided free of charge.”
According to the company, the product’s architecture separates the collection of traffic from threat detection and analytics without having to deploy appliances everywhere. It also combines multi-sandbox inspection of content with a machine-learning system.
“Sandboxes are part of the inspection phase,” James said. “Suspicious objects are executed in three separate sandbox environments including a VM sandbox, emulation sandbox and a custom image sandbox. Several thousand data points are collected as part of this inspection and used by our machine learning analysis engine to detect malware.”
To block zero-day attacks, the technology relies on dynamic inspection in the sandbox along with the machine-learning analysis engine. The platform correlates information and prioritizes threats based on threat intelligence, the particular users and devices targeted or infected, and command-and-control traffic. The product can also dynamically generate policies for firewalls, Web gateways and IPS signatures that can be implemented through the management consoles of those respective products.
“The release we will be demonstrating at RSA (2.5) will include the ability to dynamically update firewalls with the ability to block sources of advanced threats and Internet destinations known to be used for data theft,” James said. “As part of our threat identification process, we extract IP addresses and URLs that are known to be involved in the actual threat. This information can then be dynamically pushed to customers’ existing firewalls so that immediate protection can be implemented not only for the initially intended victim, but for all other users across the enterprise.”
“Many organizations are either insufficiently tooled to sift through the haystack of presented threats, unequipped to identify which events present real risk to their organization, or both,” said David Monahan, an analyst with Enterprise Management Associates, in a statement. “Cyphort’s ability to identify and prioritize events using a context-based risk ranking helps organizations to respond with significantly higher agility, precision and effectiveness.”
Currently, the Cyphort Platform is able to analyze content across both Windows and OS X environments. Support for Linux is slated to come later this year.