LightCyber Connects Network to Endpoint Processes for Breach Detection

By Sean Michael Kerner  |  Posted 2015-05-09 Print this article Print
breach detection

Modern security isn't just about blocking packets, but about correlating network traffic with processes that can be stopped.

Security firm LightCyber announced the 3.0 release of its Manga active-breach-detection platform on May 7, providing a detailed overview of new features that will become generally available this summer.

The company's Magna 2.8 release was announced in January of this year.

With LightCyber Magna 3.0, one of the big new capabilities is a feature known as Network-to-Process Association (N2PA).

"Monitoring a network gives you the most immediate way to identify that something bad is happening," Gonen Fink, CEO of LightCyber, told eWEEK. "But in order to fix the problem and remediate, you need to understand the process that is running on the endpoint."

The goal of N2PA is to enable the association of a network-monitored event to a running process on an endpoint system. Fink explained that N2PA enables an organization to zoom in on an endpoint to properly remediate for a potential breach.

All modern endpoint systems run a myriad of processes that are legitimate and authorized. Finding and figuring out which processes are potentially malicious is part of the intelligence that LightCyber's platform provides. For example, LightCyber will see some form of suspicious activity on the network and will then go to the endpoint to find out which executable and processes are behind the activity, Fink said.

"Based on threat intelligence, we can determine if the process is a standard Windows process or a known network scanner," he said. "Or we may find that it's a malicious file and not an activity that is generated by a normal, known process."

Fink said LightCyber has a behavior profiling capability that is aware of what system processes are normally doing in an environment. If a process deviates from its normal behavior profile, that could be an indicator of abuse.

"We use deep packet inspection to inspect metadata fields," Fink explained. "When we need to associate the data with a process, the N2PA technology allows us to make the connection with the packets we see in the network."

For example, normally HTTP traffic is generated on endpoints from Web browsers that are legitimately using HTTP to connect over server Port 80 to Web resources. However, if malware is present on an endpoint, that malware might also be using HTTP over Port 80, though that traffic is not associated with a Web browser process.

"Our N2PA technology allows us to recognize that the suspicious HTTP traffic was generated by an unknown process," Fink said.

Another challenge that is common at the network level is the ability to inspect encrypted Secure Sockets Layer/Transport Layer Security (SSL/TLS) data traffic. For LightCyber, Fink said he doesn't care if traffic is encrypted or not as the Magna system will be able to make a determination without the need to decrypt packets.

"We know which domain a packet is trying to access as that's included in the metadata and that's true whether the data is transmitted over HTTP or HTTPS," he said.

Going a step further, the new LightCyber Magna 3.0 platform includes a Malicious File Termination (MFT) feature. Prior to the 3.0 release, the platform's remediation was tied to its integration with an organization's existing infrastructure, including firewalls, according to Fink.

"What we're doing in 3.0 is more accurate. We're providing the ability to terminate a process and remove the malicious file from a system, rather than just quarantine," he said.

Founded in 2011, LightCyber is a privately held security vendor with offices in Israel and the United States.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel