Cybereason Takes Its Malicious Ops Detection Platform Out Of Stealth, Backed By $4.6M From CRV

Much of the digital security industry is focused on preventing hacker attacks. Cybereason, a security-focused startup founded by former members of an Israeli intelligence agency, which is launching its enterprise offering commercially today, is taking a different tack.

It argues that enterprises should accept that security breaches are inevitable and should instead tool up on the monitoring and detection front, to give themselves a better chance of ultimately preventing serious data breaches.

“In the movies you might see somebody breaking in and then shortly thereafter running out with [corporate secrets]. But in reality there’s a long process and a whole bunch of different actions and things that these attackers are doing once they’re inside,” Cybereason VP Mark Taber tells TechCrunch.

“This sort of sophistication, up until a couple of years ago, was only at the nation state level, was not at the enterprise. But now it’s really coming into the enterprise. And unfortunately enterprises are not very well equipped to discover these sorts of hacking operations as all of their skills, all of their money is on the prevention side.”

Cybereason has built a proactive security platform that continuously monitors enterprise systems with the aim of detecting attackers’ actions and intentions while they are still preparing a data heist, giving businesses the opportunity to cut an attack off long before the hackers have a chance to carry off the corporate crown jewels.

So Cybereason’s platform is not looking to detect malware per se, but rather the tell-tale signs of a malicious operation, whatever form it takes: for example, a program being installed across multiple machines on a network when it does not fit the profile of those users and their job roles, or other subtly unusual activity.

“Malware can be a part of a malicious operation [but] we’re really looking at a series of things that a hacker or hacking operation would do to accomplish their end goal,” says Taber. “We’re looking for minute traces [of hacker activity]… to uncover the operation and stop it in its tracks.”

A specific example of a malicious operation in progress that Cybereason uncovered at one of its beta users, an unnamed large media and entertainment company, was an incident in which an IT tool was installed on the computers of multiple non-IT users and then used to remotely switch on their cameras and microphones, presumably so the attackers could eavesdrop on what was happening in the building.

“It’s at this point that we stopped this thing, there and then. It was raised to the point of a malicious operation and the company was able to terminate the whole thing,” he adds.

“What was going on was that this attacker was remotely controlling this software and trying to move around and trying to figure out where the executive offices were, and then turn on the camera and the microphone at an appropriate time and record what was going on in that office in a particular meeting, and then steal that information.”

As well as launching the platform commercially today, Cybereason has announced it’s raised a $4.6 million Series A — its first external tranche of funding — from Charles River Ventures.

Commenting on the funding in a statement, Izhar Armony, partner at CRV, said: “The Cybereason team brings a unique approach and fresh insights to a market that today doesn’t have effective solutions and where the damage is measured in many billions of dollars.”

Prior to this Series A, Cybereason was self-funded. The new funding will be used for further development of the platform and for taking the tech to market, according to Taber. 

The platform works autonomously, detecting attacker traces without requiring enterprises to keep seasoned security analysts on the payroll around the clock; it uses profiling and big data analysis to take over the role of the human security analyst.

“We have collectors, agents that sit on the end points that are looking at all sorts of differential data. So we have applications profiled, we have users profiled, we look at the programs [a particular user would use related to other users with the same job role] and we’re constantly building profiles and looking for rare events of clusters of users, or users across the whole enterprise, or even cross enterprise to see how various companies use different applications,” explains Taber.

“And then we have a big data analytics platform that we then add context, add all different threat intelligence, our knowledge of how these hacker operations work, and we then analyze all of this differential data to the point where the system starts building evidence, and then that evidence leads to suspicions, and then that suspicion would lead to a malicious operation that we would identify.”

The platform can also slot in at enterprises that do employ specialist threat analysts, such as banks, as a support tool and data repository for those analysts to work with and query, Taber adds.
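To make the escalation Taber describes concrete (profiles of which programs each job role uses, rare events across a cluster of hosts, evidence leading to suspicion leading to a malicious operation), and to tie it back to the beta-customer incident of an IT tool turning up on non-IT users’ machines and then reaching for cameras and microphones, here is a small Python sketch. It is example code written for this page, not Cybereason’s platform or any product code; the role baselines, hostnames, user names, program names (including “remotetool.exe” standing in for the unnamed IT tool) and the day’s telemetry are all constructed, and the three-stage thresholds are arbitrary.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed baseline standing in for the per-role application profiles the
# article describes: for each job role, the fraction of that role's users seen
# running each program during a learning window. Figures are invented.
BASELINE = {
    "finance":   {"excel.exe": 0.98, "outlook.exe": 0.99, "chrome.exe": 0.90},
    "marketing": {"outlook.exe": 0.99, "chrome.exe": 0.95, "photoshop.exe": 0.40},
    "it-admin":  {"outlook.exe": 0.99, "remotetool.exe": 0.85, "putty.exe": 0.70},
}

# Constructed one-day telemetry, as an endpoint collector might report it.
# Hosts, users and programs are invented; "remotetool.exe" plays the IT tool.
EVENTS = [
    {"ts": "09:02", "host": "fin-01", "user": "alice", "role": "finance",   "action": "install", "program": "remotetool.exe"},
    {"ts": "09:05", "host": "fin-02", "user": "bob",   "role": "finance",   "action": "install", "program": "remotetool.exe"},
    {"ts": "09:09", "host": "mkt-07", "user": "carol", "role": "marketing", "action": "install", "program": "remotetool.exe"},
    {"ts": "09:30", "host": "it-03",  "user": "dave",  "role": "it-admin",  "action": "install", "program": "remotetool.exe"},
    {"ts": "10:15", "host": "fin-01", "user": "alice", "role": "finance",   "action": "exec",    "program": "excel.exe"},
    {"ts": "11:40", "host": "fin-02", "user": "bob",   "role": "finance",   "action": "device_access", "program": "remotetool.exe", "device": "microphone"},
    {"ts": "11:41", "host": "fin-02", "user": "bob",   "role": "finance",   "action": "device_access", "program": "remotetool.exe", "device": "camera"},
    {"ts": "14:00", "host": "mkt-02", "user": "erin",  "role": "marketing", "action": "install", "program": "vlc.exe"},
]

RARE = 0.10  # below this share of a role's peers, a program is "rare" for that role


@dataclass
class Evidence:            # stage 1: one odd fact about one host
    ts: str
    host: str
    user: str
    role: str
    program: str
    action: str
    prevalence: float


@dataclass
class Suspicion:           # stage 2: the same odd fact clustered across hosts
    program: str
    hosts: list
    roles: list
    evidence: list


@dataclass
class MaliciousOperation:  # stage 3: suspicion plus a harmful follow-on action
    program: str
    hosts: list
    devices: list
    timeline: list


def prevalence(baseline, role, program):
    """Share of a role's users that normally run this program (0 if never seen)."""
    return baseline.get(role, {}).get(program, 0.0)


def collect_evidence(events, baseline, rare=RARE):
    """Stage 1: flag installs/executions of a program that is rare for the user's role.
    An IT admin installing the IT tool is normal; a finance user doing so is evidence."""
    out = []
    for e in events:
        if e["action"] not in ("install", "exec"):
            continue
        p = prevalence(baseline, e["role"], e["program"])
        if p < rare:
            out.append(Evidence(e["ts"], e["host"], e["user"], e["role"],
                                e["program"], e["action"], p))
    return out


def raise_suspicions(evidence, min_hosts=3):
    """Stage 2: one user installing an unusual program is noise; the same rare
    program landing on several hosts at once is a cluster worth a suspicion."""
    by_program = defaultdict(list)
    for ev in evidence:
        by_program[ev.program].append(ev)
    out = []
    for program, evs in by_program.items():
        hosts = sorted({ev.host for ev in evs})
        if len(hosts) >= min_hosts:
            out.append(Suspicion(program, hosts, sorted({ev.role for ev in evs}), evs))
    return out


def identify_malops(suspicions, events):
    """Stage 3: a suspicious program that then turns on a camera or microphone
    on one of the clustered hosts is reported as a malicious operation."""
    out = []
    for s in suspicions:
        hits = [e for e in events if e["action"] == "device_access"
                and e["program"] == s.program and e["host"] in s.hosts]
        if not hits:
            continue
        timeline = sorted([(ev.ts, ev.host, f"{ev.action} {ev.program}") for ev in s.evidence]
                          + [(e["ts"], e["host"], e["device"]) for e in hits])
        out.append(MaliciousOperation(s.program, s.hosts,
                                      sorted({e["device"] for e in hits}), timeline))
    return out


def run_pipeline(events, baseline):
    """Evidence -> suspicions -> malicious operations, returned together."""
    evidence = collect_evidence(events, baseline)
    suspicions = raise_suspicions(evidence)
    return evidence, suspicions, identify_malops(suspicions, events)


if __name__ == "__main__":
    _, _, malops = run_pipeline(EVENTS, BASELINE)
    for m in malops:  # the narrated trajectory an analyst would want to see
        print(f"MALOP {m.program} on {m.hosts}, devices {m.devices}")
        for ts, host, what in m.timeline:
            print(f"  {ts} {host}: {what}")
```

On the constructed data the IT admin’s install of the tool produces no evidence, the lone marketing user installing a media player produces evidence but never a suspicion, and only the tool that spreads to three non-IT hosts and then opens a microphone and camera is reported as a malicious operation with its timeline. In a real deployment the baseline would be learned from telemetry rather than hard-coded, and the thresholds tuned against the false-positive rate the analysts can tolerate.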

Cybereason, which has now relocated its headquarters to the U.S., was founded back in 2012 but has been in stealth mode until now, honing its approach with 15 beta users.

In terms of its main competitors, it names Crowdstrike and Triumphant, but argues that their approaches differ from its own.

“There are two [main competitors] — Crowdstrike is trying to solve the same problem as us, but is using real people to power their cloud service, almost like a Mandiant 2.0. With Cybereason, we’ve built the intelligence of the world’s top security analysts into our platform so that enterprises basically have a virtual army of top analysts searching for malicious operations 24/7,” it tells TechCrunch.

“The other is Triumphant which is going after the same problem with an analytics approach and providing lots of data to enterprises. But, enterprises/security analysts need to know what questions to ask Triumphant in order to find out the right info. Cybereason lowers the bar for security analysts in that we proactively provide all the right info for them and notify them of possible malicious operations.”

To further lower the bar for enterprises that lack specialist security staff, and help them understand intrusions into their systems, Cybereason’s platform also includes a visualisation feature that illustrates and narrates the trajectory of an attack.

“All of this is really complicated. Most companies don’t have the sophisticated security people that are going to be able to know the right questions to ask of all of this evidence, and everything that we’re collecting, so a big part of what we do is we then visualise these malicious operations to make it really easy to understand what is happening,” Taber adds.