Threat Detection Systems Must Ferret Out the Most Sinister Intrusions

By Wayne Rash  |  Posted 2014-06-29

Had Target been using this product last year (sadly for Target, the new version 3.0 isn't shipping until August), the company's IT department would at least have had a better chance of recognizing that the malware that took all of those account numbers from its POS network was a serious threat, provided the threat detection system had been told that the POS network was a critical part of the infrastructure.

Knowledge of the network is an important part of the Cyphort platform's configuration. When the platform is deployed, the customer has to rank which parts of the infrastructure are critical to the company's needs and which are not. In Target's case, the POS network was critical. But not every company has one, which is why the platform has to be told which parts of the infrastructure are the critical ones.

The Cyphort platform can also tell whether network objects need to be managed directly for threats. For example, malware that has penetrated a computer already running security software capable of killing it is a less urgent problem than malware aimed at a computer without such defenses.

This means the IT staff or CISO will know to dispatch a mitigation team to an unprotected computer that the malware attacked, while for a computer with adequate malware protection all they need to do is confirm that it actually handled the threat.

What I liked about Cyphort's approach is that the platform does two critical things that help the security team function more effectively. First, it filters out the thousands of discrete alerts so you see only the threats that actually matter. Second, it prioritizes the threats so you know which need immediate action, which can wait until the most serious threats have been dealt with, and which only need to be monitored because they are not immediate threats.

In addition, the Cyphort platform can tell the difference between what the company calls "data stealing Trojans" and adware, which may be annoying but is not otherwise particularly serious. The platform can also tell gear from Palo Alto Networks and Bluecoat what to block, helping to reduce the persistence of the threat.
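To make the prioritization described above concrete, here is an added Python example (my own illustration, not Cyphort's code) that scores each alert by operator-ranked asset criticality, threat class and whether the host's own endpoint protection already remediated it, collapses duplicate alerts, and buckets the distinct threats into the three tiers the article describes. The weights, host names and threat-class labels are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

IMMEDIATE, DEFERRED, MONITOR = "immediate", "deferred", "monitor"

# Constructed weights (assumed, not Cyphort's). The operator ranks each asset's
# criticality at deployment; the threat class comes from the detection engine.
CRITICALITY_WEIGHT = {"critical": 3, "standard": 2, "low": 1}
THREAT_WEIGHT = {"data_stealing_trojan": 3, "generic_malware": 2, "adware": 0}

@dataclass(frozen=True)
class Alert:
    host: str
    threat_class: str
    host_remediated: bool  # the host's own security software already killed the malware

def score(alert, inventory):
    """Urgency = asset criticality x threat severity, halved if the host already contained it."""
    crit = CRITICALITY_WEIGHT[inventory.get(alert.host, "standard")]  # unknown host -> standard
    raw = crit * THREAT_WEIGHT.get(alert.threat_class, 2)
    return raw // 2 if alert.host_remediated else raw

def tier(urgency):
    """Map a score onto the three action buckets the article describes."""
    if urgency >= 6:
        return IMMEDIATE  # dispatch a mitigation team now
    if urgency >= 2:
        return DEFERRED   # after the immediate ones, or just confirm the endpoint tool did its job
    return MONITOR        # adware and already-contained noise: watch, do not act

def triage(alerts, inventory):
    """Collapse repeated alerts, then score and bucket the distinct threats, most urgent first."""
    distinct = Counter(alerts)  # thousands of identical alerts -> one line item with a count
    buckets = {IMMEDIATE: [], DEFERRED: [], MONITOR: []}
    for alert, seen in distinct.items():
        buckets[tier(score(alert, inventory))].append((alert, seen))
    for items in buckets.values():
        items.sort(key=lambda item: score(item[0], inventory), reverse=True)
    return buckets

# Constructed sample data: a POS terminal ranked critical, as in the Target case.
SAMPLE_INVENTORY = {"pos-terminal-17": "critical", "hr-laptop-03": "standard", "kiosk-lobby": "low"}
SAMPLE_ALERTS = [
    Alert("pos-terminal-17", "data_stealing_trojan", False),
    Alert("pos-terminal-17", "data_stealing_trojan", False),  # duplicate, collapsed by triage()
    Alert("hr-laptop-03", "data_stealing_trojan", True),
    Alert("kiosk-lobby", "adware", False),
    Alert("hr-laptop-03", "generic_malware", False),
]
```

Running `triage(SAMPLE_ALERTS, SAMPLE_INVENTORY)` puts the unremediated Trojan on the critical POS terminal alone in the immediate bucket (with its two raw alerts counted once), the already-contained Trojan on the standard laptop in the deferred bucket, and the kiosk adware under monitor.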

There are a lot of security systems out there, and many of them are both effective and useful. Unfortunately, without some means of discriminating between what you need to worry about immediately and what you don't, these systems aren't as much help as they might be. Being able to prioritize where to look first for the most serious threats can only help.

