Cybereason: Scripting the New World Order of Cyber Security

Lior Div, Co-Founder & CEO, CybereasonLior Div, Co-Founder & CEO, Yonatan Striem-Amit, Co-founder & CTO and Yossi Naar, Co-founder & CVO A few decades ago, the concept of cyber warfare seemed far-fetched, to say the least. But the scenario has drastically changed today. While old school bank robbers still exist today and use traditional means with masks and guns to rob banks, savvy cyber criminals can do more damage from the comfort of their office and computer stealing millions of dollars. “Cyber bank robbers can demand payment and steal millions with a few simple key strokes on their computer and it changes dramatically how they are tracked and brought to justice,” says Lior Div, CEO, and Co-founder of Cybereason. Handling such threat environments of today requires understanding the adversary and the attack landscape. As a former Commander in Unit 8200—one of the foremost cyber-intelligence agencies in the world operating under the Israeli Defense Forces—Div is familiar with such hacking operations, and he is an expert in forensics, reverse engineering, malware analysis, cryptography and evasion. “I was taught to do things differently in a creative way, so I could achieve things that other people considered impossible,” states Div. Earning the Medal of Honor for his service, Div uses the same talent and passion for driving Cybereason successfully toward the unchartered territories of cyber defense today.

Cybereason does not concur with the idea of cyber security being a wall for enterprises to hide; instead, the company considers it as a weapon to hunt down intruders. In a way, Cybereason wants to change the concept of ‘cyber defense’ to ‘cyber offense.’The company recently announced a new infusion of $200 million in venture capital from SoftBank and it plans to expand its channel program, hire 200 new employees, open new territories and possibly be involved in M&A activity.

With a specialization in endpoint threat, vulnerability, anomaly detection, and response software coupled with an emphasis on proactive action, Cybereason gives its clients an unfair advantage against bad actors.

The Lock, Stock, and Barrel of Cyber Offense

The cyberattack surface is continuously on the rise today. As the world moves more toward connected ecosystems powered by IoT, high bandwidths, and 5G, the attack surface will expand further, with more access points across networks. “When I served in the military we were successful breaking into systems 100 percent of the time and no system is completely bullet proof,” said Div.

"Using the same system that we deploy to consume information from a smart meter, we can show how an attack went from a PC to server to smart meter and back to PC"

Cybereason labels this phenomenon as its “EEE” approach to cybersecurity and protecting it all: Endpoints (nodes), Enterprise (cloud), and Everything (IoT). In such a scenario, there is not a wall in the digital realm that’s high enough to keep out bad actors; no antivirus will be 100 percent effective, and a well-aimed attack can always bypass the wall. Cybereason realizes this and understands that hackers have shadows. If a white hat went deep to uncover an infiltration, they would often see traces of their “black” adversary’s presence in the networks.
In this case, to prevent attacks, companies need more than just the software, they need the ability to correlate events and understand the threats inside their networks

Cybereason’s powerful weapon for helping enterprises pursue this journey of inimitable cyber offense is its Cyber Defense Platform. The platform can consume massive amounts of data, nearly 500 million incidents per minute, from devices across networks and assess the relationships and activities between them in real-time to fish out even the most subtle patterns of an attack. This is in contrast to how enterprises usually secure their endpoints, which is often through the standalone antivirus/malware software. Many cybersecurity products in the market also limit their focus to just securing individual endpoints. Comparatively, Cybereason’s platform can hover over millions of endpoints in a client’s network and pick anomalous behaviors and share details for optimal threat hunting. “No company in the industry can do that right now. Most companies are focused only on protecting the single endpoints,” states Div. With a full cybersecurity stack that includes antivirus, anti-ransomware, and anti-Power Shell, the Cyber Defense Platform can consume information from all the endpoints in parallel and conduct cross-machine correlation. Div compares the operation of the platform to that of how Facebook maps the relation between users by correlating mutual friends. Cybereason looks at the massive amount of device data influencing each other within networks, and the platform can figure out such interconnected correlation in real-time, across parameters that are changing very fast.

Our platform can find a single component of an attack and connect it to other pieces of information to reveal an entire campaign and shut it down

High Impact Threat Management

The amount of data that the Cyber Defense Platform processes in real-time lie somewhere between that of Twitter or Facebook handle per day. “We are more of a big data analytics company than anything else. When a client engages with us, we give them full stack security capabilities to check if they have been infiltrated or if their protection is compromised,” states Div. This is a viable solution to expose more dormant attack vectors. For instance, during Cybereason’s nearly 12 month long Operation Soft Cell investigation—where large scale cyber perpetrations were carried out right under global telco’s nose for over seven years—hackers were using the known paradigm of low and slow. Rather than carrying out the entire intrusion at once, the infection would go to one computer and lay dormant under the noise until it is discovered and pushed out. It would then move from one computer to the other, taking months in the process. The threat actors were attempting to steal all the data stored in the active directory, including the username and password, along with other personally identifiable information, billing data, call records, and geo-location of users. It did so by compromising the networks of telecommunication companies and accessing mobile phone users’ call data records. The intrusive vector was built on the fact that no one could correlate events that happened one day with events from a week or a month ago.

Nevertheless, Cybereason, with its powerful technology and a more open view on infiltration, scanned more than just a single event that happened on a single endpoint.
By going back in time and correlating events using its Replay product, Cybereason was able to expose a massive operation that was possibly carried out by a nation that resorted to multi-wave attacks aimed at total network takeover. “Our platform can find a single component of an attack and connect it to other pieces of information to reveal an entire campaign and shut it down,” says Div. Cybereason’s ability to go back in time and correlate events to expose threat vectors has many such use cases. For example, the company can track a particular event of stolen credentials on a specific machine and relate it to similar instances on a different device from two weeks ago. They can combine such instances to classify them as a malicious operation (Malop) happening currently in an organization, and then create an alert for subsequent reference and occurrence. In effect, Cybereason has changed the game of security by building a managed cybersecurity platform for the future. The platform secures the entirety of the network and not just the user endpoints. “Using the same system that we deploy to consume information from a smart meter, we can show how an attack went from a PC, to a server and a smart meter and then back to the PC,” says Div. Cybereason builds the tech to evolve with this expanding attack surface. “For many companies that do not have the manpower to implement sophisticated cybersecurity analytics, we are doing it for them; we are augmenting clients with the kind of people that they cannot hire,” Div adds.

Architecting a Proactive Future of Cyber Security

Rather than reactive cybersecurity, Cybereason emphasizes on being proactive, meaning that they are trying to detect and block Malops as much as they can, and then hunt down the intrusion. The Cyber Defense Platform looks for indications of an attack or a compromise to build a kind of situational awareness while handling an adversary. As a result, installing the platform in an enterprise makes it a very uncomfortable situation for hackers, thanks to Cybereason’s innovative data analytics. It will act like a hunter who is always on their tail. This is a very different approach than “deception technologies,” where users hope that the attacker will trip on the wire and be discovered. The solution actively looks for hackers in the environment—a process which was initially handled manually—with a system that does it automatically, with high scalability.

Going back to Operation Soft Cell, Cybereason has already provided intelligence briefings to over 80 of the biggest telcos in the world, followed by debriefing several regulators, many governments around the world and U.S. House and Senate Committees. In the past nine months, Cybereason focused on the specialists within their company, who understand how the hacker groups are thinking, to track and neutralize them. Cybereason is the only company in the world that has a platform that can scale to ingest trillions of incidents in a day. The company is currently working with many government agencies to help them understand and ensure that they have the right capability in house, and the right technology to deal with these types of attacks.

With its powerful technology that works on more than just traditional hardware, Cybereason envisions protecting wearables, cars, and Internet of Things devices. The game is now afoot, turning the prey into the predator. Going forward, Cybereason believes that ‘cyber offense’ is not the end, but the beginning—one that will forever change the cybersecurity hierarchy in the years to come, for enterprises and everyone.
- Ava Garcia
    August 26, 2019
Share this Article:


Boston, MA

Lior Div, Co-Founder & CEO, Yonatan Striem-Amit, Co-founder & CTO and Yossi Naar, Co-founder & CVO

Cybereason is a cyber security company specializing in endpoint detection and response software. The company combines endpoint detection and response with next-generation antivirus technology in one lightweight agent. The Cybereason platform is powered by a custom-built in-memory graph engine. It detects behavioral patterns across every endpoint and surfaces malicious operations in a user-friendly interface. Founded by elite intelligence professionals born and bred in offense-first hunting, Cybereason gives enterprises the upper hand over cyber adversaries. Cybereason is privately held and headquartered in Boston with offices in London, Tel Aviv, and Tokyo