In the ever-evolving landscape of cyber threats, for many organizations, simple detection and remediation is no longer enough. Some cybersecurity companies are now going one step further-providing predictive intelligence that can preempt threats.
In September, Triumfant became the latest to enter this growing field, through a partnership with Booz Allen Hamilton.
“If you’re just offering prevention, you don’t have a complete product. If you have detection and remediation, you’re getting closer,” Triumfant CEO John Prisco says. “When you add predictability, you’re starting to get a fairly robust treatment of the problem.”
Triumfant, founded in 2002, has been evolving in the way it provides endpoint protection. The latest iteration of its AtomicEye platform integrates Booz Allen’s capabilities to reverse engineer an attack with the goal of attribution-looking for the source of the attack-and threat prediction.
“(Booz Allen) will accept the malware from us, detonate it in their lab and reverse engineer it,” Prisco says. “They’ll then use the information they have to try and determine attribution.”
Although not all clients are interested in attribution, the capability is built into AtomicEye so files can be easily collected for the Booz Allen lab.
The AtomicEye platform detects malware by analyzing the computer’s patterns against an established blueprint-an atomic fingerprint based on upward of a million data points that were collected previously to establish the baseline. Once malware is detected, the computer’s operator clicks on a button to remediate the attack.
The offending file can be checked against threat intelligence databases, and, if it’s not listed, that indicates the likelihood of a zero-day attack. The Triumfant platform becomes essentially a filter for potential future analysis.
“If it doesn’t exist in the database, then it’s a real candidate for Booz Allen to do analytical work on it,” Prisco says.
Randy Hayes, Booz Allen Hamilton vice president, says his company is “uniquely qualified to deconstruct the threat in the lab” because it has been providing advanced malware analysis to the U.S. government for years. Booz Allen can use that experience to do things that no one can replicate for getting more actionable threat intelligence, according to Hayes.
“One of the biggest problems with cybersecurity right now is that there is too much focus on technology and automated solutions,” he says. “What we need instead is more intelligence tradecraft to include more mathematics around behavioral analytics, which is what Triumfant does.”
Prisco says what makes his company different in the threat intelligence space is the approach.
He says that typically, threat intelligence platforms would scan a computer for known offenders to see if those types of files exist on the machine. But because there could be millions of files uploaded to the cloud-based threat-intelligent platforms, scanning a computer for all of them would essentially make the machine inoperable, so the platform may scan for a select number.
He points out that’s why, in a recent data breach report, Verizon was critical of threat intelligence platforms.
“It’s difficult to get all the threat intelligence in the cloud fast enough to make a difference,” he says.
AtomicEye, instead, detects the offensive file first, then scans it against the threat-intelligence database.
“That’s much easier to do,” Prisco says. “We’re not trying to burden each computer and scan for each problem.”
In other words, instead of using the typical signature-based detection, Triumfant uses statistical anomaly analysis to find malware.
“For a long time, the industry has been looking at malware variety and zero-day malware, trying to detonate, categorize and understand to enrich cyber intelligence,” Hayes says. “However, because Triumfant’s AtomicEye… is able to isolate and discover behaviors that would indicate the presence of malware on the network, we anticipate being able to get more actionable threat intelligence out to consumers.”
In 2012, Gartner forecast that predictive analytics was the future of business intelligence, fueled by big data. In 2014, the research company said big data analytics would play a critical role in cybersecurity, as well.
Hayes says he’s noticed a shift since that report came out in the way CSOs and CISOs are thinking-moving from post-incident to pre-incident threat intelligence.
He says the trend is in its infancy and has a long way to go “before it is fully baked,” but it could help slightly close the gap the bad actors maintain over the good actors.
Part of the advantage of this approach is the strategic analysis that can help anticipate attacks.
“Human beings launch these attacks, not robots,” he says. “If we focus on who is pulling the trigger, the motivation, the target and the intent, we will have a better chance of mitigating the impact of the attack. We need to shift the focus from the ‘bullets’ to the adversary and its target.”