The attacks being experienced today on computer networks are increasingly targeted and sophisticated. Attackers carefully research their victims and increasingly write one-off exploits that are highly unlikely to be caught using traditional rules and signature-based security controls. There are a variety of technology vendors coming up with innovative ways to prevent those attackers from being successful.
One such vendor is LightCyber, a relatively young company founded in Israel but that is setting its sights on wider international markets. It states that its mission is to enable organisations "to effectively detect subtle anomalies in the network and identify targeted attackers at early phases of attack, before real damage has been done."
What makes LightCyber's approach innovative is that its technology develops and maintains profiles of every user and device on a network to identify unique patterns of behaviour associated with each as behavioural patterns can vary widely from one role to another. For example, a user from the engineering department will operate in a manner vastly different from a user from human resources and will have different needs in terms of the applications that they use. What is considered normal behaviour for one user may be considered to be suspicious for another.
The technology works by constantly monitoring and tracking all user and device behaviour in real time and comparing activity to the behaviour profiles that have been developed for each user and device in order to detect when a user is behaving differently to that expected. It does this without the use of rules or signatures that can identify known threats and exploits or that block specific types of traffic. Rather, it passively monitors all traffic and looks for anomalous behaviour, such as an attacked who is reconnoitring the network, looking to perform activity outside of what is considered to be normal, such as looking to elevate privileges or move laterally across the network.
In this way, the technology provides an automated means of identifying malicious behaviour-something that has long been done by human analysts as part of incident response teams-and is a tool that can be used by anyone, not just analysts. It provides a means of detecting an attacker at an early stage of an attack so that networks can be protected against even the most advanced threats. Further, it can also be used to forensically investigate any incidents that have occurred to learn from such incidents to prevent them occurring again. As such, it is a light touch tool that can help organisations to protect and defend against even highly targeted, sophisticated attacks and improve the overall security posture of their network.