Age of Cybereason: Security Startup Out to Stop Hackers in the Act

Another month, another startup helping to keep Boston on the map as an epicenter of cybersecurity expertise. From CounterTack to Cyber-Ark to Co3, many companies have been making news in recent months.

This time it’s Cybereason, an Israeli-born startup that has set up headquarters in Cambridge, MA, with help from Charles River Ventures, which put in $4.6 million in Series A funding last year.

Co-founder and CEO Lior Div (at left in photo) gets my attention right off the bat. First of all, he spent six years in the Israeli army and Unit 8200, the intelligence agency, working on information security long before it was sexy. “There is no school to learn it,” Div says. “I didn’t think I’d have a career out of the things I’ve done.”

Second, he says the recent revelations of NSA surveillance have not been surprising to his peers in the security industry, but they do raise a lot of issues. Namely, “who’s going to watch who’s watching us?” he says.

Third, he says it doesn’t matter how many cyber attacks originate from China or any particular place. The focus on the identity of the attacker isn’t useful. “We can’t tell where it [really] comes from. It doesn’t help stop the problem, it’s so widespread,” he says. “The world is changing. The bad guy is winning.”

Cybereason hopes to help the “good guys,” then, by focusing on the critical time between when a hacker first penetrates an organization’s IT system and when—traditionally, at least—the breach is detected and an incident response is initiated. That time period can last from a few minutes to months or more. “Real hacking is very slow, very quiet,” Div says.

His startup is trying to shift the focus away from identifying the malware (the actual code), adversaries (who the attackers are), or their tools and techniques, and toward understanding the hackers’ plan of attack and what their intent is—and then, ideally, stopping them.

Sounds like the Holy Grail of cybersecurity. But through its efforts, the two-year-old company is providing a window into what modern-day hacking actually looks like.

Div and his team call hacker activity “malops”—malicious operations. As he puts it, hacking is “like a huge project, not a straight line.” A particular attack may consist of many subprojects, each with its own purpose. One goal might be to spread malware or to look for data on a network. A more advanced goal might be to get information from a board meeting, say, and then record it, transmit it, and use it to plan the next step of the attack.

Cybereason’s approach is to build a deep statistical model of each organization. This includes how files are related to different users and machines, which machines talk to which machines, and a broad sense of what “normal” activity looks like—what regular working hours are, which workers use which types of software, and so forth. The software also pulls in information from the outside world, such as lists of trusted and untrusted applications and contacts.

The result is an “in-memory graph” that shows the relationship between all entities in the organization, Div says. Crucially, the company’s software tries to figure out when there are deviations from normal activity, and it compiles evidence to decide when “malops” are going on. Then it suggests ways to stop the activity.

But how does it actually work? Div takes a deep breath. “It’s complicated,” he says. “We don’t have a magic algorithm. We use a lot of techniques.” They include machine learning and analytics methods that help translate the team’s hacking knowledge into protective measures. The technology has a handful of patents pending, he says.

One interesting point is that the monitoring and detection do not necessarily amount to an ongoing “big data” problem. Cybereason says it collects less than a megabyte per day from each endpoint. “We’re looking for rare things, differences, and we’re reducing [the data],” Div says.
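As an added sketch of the approach described above (the entity graph, deviations from normal, evidence gathered per machine, and the reduction to rare events), here is simplified Python that is not Cybereason’s code, whose actual techniques the article does not detail. All user, machine and program names and the sample telemetry are constructed, and the “baseline” is plain set membership rather than a statistical model.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry: (user, machine, process, destination, hour).
BASELINE = [
    ("alice", "ws-01", "outlook.exe", "mail-01", 9),
    ("alice", "ws-01", "excel.exe", "file-01", 10),
    ("alice", "ws-01", "outlook.exe", "mail-01", 14),
    ("bob", "ws-02", "chrome.exe", "proxy-01", 11),
    ("bob", "ws-02", "outlook.exe", "mail-01", 15),
    ("bob", "ws-02", "chrome.exe", "proxy-01", 16),
]

# Constructed new telemetry to score against the baseline.
NEW_EVENTS = [
    ("alice", "ws-01", "outlook.exe", "mail-01", 10),   # normal
    ("bob", "ws-02", "powershell.exe", "ws-01", 3),     # new program, new edge, off hours
    ("alice", "ws-01", "excel.exe", "file-01", 11),     # normal
]

def build_graph(events):
    """Baseline graph: which programs each user runs, which machines each machine
    talks to, and the hours at which each user is normally active."""
    g = {"user_proc": defaultdict(set), "machine_dst": defaultdict(set), "hours": defaultdict(set)}
    for user, machine, proc, dst, hour in events:
        g["user_proc"][user].add(proc)
        g["machine_dst"][machine].add(dst)
        g["hours"][user].add(hour)
    return g

def deviations(graph, event):
    """Return the ways one event departs from the baseline (the 'rare things')."""
    user, machine, proc, dst, hour = event
    found = []
    if proc not in graph["user_proc"][user]:
        found.append(f"{user} never ran {proc}")
    if dst not in graph["machine_dst"][machine]:
        found.append(f"{machine} never talked to {dst}")
    hours = graph["hours"][user]
    if hours and not (min(hours) - 1 <= hour <= max(hours) + 1):
        found.append(f"{user} active at hour {hour}, outside {min(hours)}-{max(hours)}")
    return found

def detect_malops(graph, events, min_evidence=2):
    """Keep only deviating events (the data reduction) and group their evidence by
    machine; a machine with at least min_evidence findings is flagged as a malop."""
    evidence = defaultdict(list)
    for ev in events:
        devs = deviations(graph, ev)
        if devs:
            evidence[ev[1]].extend(devs)
    return {m: e for m, e in evidence.items() if len(e) >= min_evidence}
```

Only ws-02 is flagged here: a single odd event carries three independent findings, while the normal events on ws-01 produce nothing and are dropped.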

That’s still only part of the problem, though. Even if the software works well, it has to be usable by technical people in the company who may not be cybersecurity experts. To that end, Cybereason serves up a visual dashboard that uses infographics to show things like how malware is spreading through a network, which machines are infected, and the timeline of events. Users can click and zoom in on evidence of what’s going on, and then the software can propose a remedy—a sequence of steps that might include blocking a certain IP address or removing a process from infected machines.

Cybereason’s software is intended to support IT and security teams while hacking is in progress—which seems to be a lot of the time. By contrast, Div says, you can think of companies like Mandiant (recently bought by FireEye) and Co3 as operating in a later part of the hacking process, during incident response. And Bit9, Cyber-Ark, Rapid7, and others are on the earlier side, around penetration and threat protection. Trusteer (bought by IBM) has a somewhat related analytical approach, but is more focused on Web browsers and fraud protection. (Perhaps Cybereason’s approach has more in common with local firms CounterTack and Fidelis, which is part of General Dynamics.)

From my conversations with other security business experts, one challenge Cybereason faces is exactly whom to sell to—both across organizations and within them. For now, the company’s software is in limited release with customers that span media, entertainment, utilities, financial services, and information technology. Its business model sounds like a mix of software and services.

Cybereason has a dozen people in Tel Aviv and a handful of workers in the Boston area, including Div and Mark Taber, the company’s vice president of sales and marketing (at right in photo). The startup plans to have dozens of employees by later this year. “We’re ramping fast,” Taber says, but the exact headcount will depend a lot on the quality of job candidates.

I asked Div and Taber about the tradeoff between employee privacy and cybersecurity. After all, having a sophisticated profile of all your employees’ behavior might be considered intrusive. Div says that user privacy is maintained in the normal course of operations, because the profiling is done in aggregate. “We’re fusing this information into metadata,” he says.

Until there’s something fishy, that is. Once a “malop” is detected and vetted, all bets are off and the system tries to hunt down and connect the parties involved.

One last question: Will Cybereason eventually have to change up its own approach in the escalating hacker arms race? Surprisingly, Div says no—instead it sounds like changing up is baked into its approach.

“We created a system that understands we don’t know everything, and reveals new stuff in real time,” he says. “In hacking, if you know something, it’s old.”
