The term “As a Service” is growing in popularity among vendors, IT and cybersecurity managers. After all, if one can transform a burdensome siloed practice into a service, there are bound to be benefits to all concerned. What’s more, the concept of “As a Service” has been well proven by offerings such as SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service), which have all become well entrenched in organizations worldwide.
Yet there is still plenty of room for more “As a Service” offerings; a case in point is the cybersecurity market, where enterprises struggle to defend assets from the latest attack vectors using dozens or more security platforms and products. It is often those siloed products that lead to a lack of visibility: an attack surface gets overlooked amid the noise produced by so many individual tools.
If this is an untenable situation for larger enterprises, it is a nightmare for small and medium organizations that struggle with limited budgets and small teams. It is forcing cybersecurity teams to look for better ways of handling defenses, making cybersecurity solutions a prime target for “As a Service” offerings.
Take for example CyGlass by Nominet, a pure cloud-native “As a Service” offering in the network detection and response (NDR) market, and its solution NDaaS (Network Defense as a Service). CyGlass aims to tear down the silos of numerous cybersecurity products and offer a holistic view into network and cloud traffic, detecting and surfacing suspicious activity using machine learning and correlating anomalies against defined policies to defend against cyber threats.
A Closer Look at CyGlass
From the outset, CyGlass was designed as an easily implemented service that is able to analyze the massive volumes of network traffic created by organizations today. What’s more, the service brings additional context to network traffic and correlates activities with actions, devices, and user accounts, comparing those against policies informed by threat intelligence. Simply put, CyGlass turns the discover, detect, and respond cybersecurity model into a service offering.
Once deployed, CyGlass learns the network’s conversations, normalizes that traffic, and provides insight into network anomalies and risks. The gathered information is used to build policies that allow expected conversations to happen and alert when conversations fall outside the norm or violate a policy control. Baselines can be built for numerous activities across the network and cloud, giving administrators network visibility across locations, service providers, and much else that participates in a network conversation.
Hands on with CyGlass
CyGlass uses the SaaS/PaaS (Software as a Service/Platform as a Service) model, which simplifies deployment since there is no need to deploy or provision any proprietary hardware. CyGlass integrates with existing firewalls, network flow devices, PaaS solutions, and directories to gather data and discover network conversations, learning what traffic is normal. As a full SaaS solution, CyGlass does not require the installation of appliances or on-premises software, nor does it require agents to be deployed or virtual machines to be defined.
One of the product’s primary capabilities is visibility. By analyzing traffic, CyGlass is able to build a real-time asset inventory, detect network blind spots, discover rogue devices, and develop insights into how devices communicate.
Network monitoring is done continually as part of traffic analysis, which ensures that new devices are discovered in real-time and asset inventories are kept up to date. However, visibility is only part of the overall CyGlass experience.
The product’s data collection layer feeds an AI engine, which uses machine learning to define, correlate, and analyze traffic. Automated analysis drives alerting, which CyGlass refers to as Smart Alerts. The idea behind Smart Alerts is to eliminate alert fatigue, which sets in when a management console presents numerous false positives.
CyGlass’s smart alerting system correlates activities with anomalous events and risky behaviors to provide actionable information, which administrators can act upon immediately. Ultimately, smart alerting reduces the noise of cybersecurity, allowing cybersecurity administrators to focus on actual threats.
Administrators also benefit from the product’s automated reporting, where reports are automatically generated about structural risks and active or potential threats. However, the product goes one step further and also provides instructions on how to remediate a threat. The reports are comprehensive and explain why a particular threat matters, as well as the impact it can have on the organization.
What’s more, policies take the anomalous outputs from the AI engine (activities that deviate from the learned baseline) and define them in terms of specific threats, which can trigger remediation actions. That comes in handy when dealing with specific risky events such as lateral movement, rogue-device-based threats, and ransomware-type attacks.
As almost any cybersecurity professional knows, cybersecurity is all about risk. Risk comes in many forms, such as risky activities, risky devices, or risky connections. However, measuring risk in a useful way has always been a complex endeavor. CyGlass addresses risk with threat scoring, which rates the level of risk posed by each threat, whether from network actors, cloud threats, or problematic devices. The product’s continuous threat scoring helps administrators to better understand and gauge risk, which in turn helps them to prioritize remediation activities.
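The baselining, device discovery, policy alerting, lateral-movement detection and per-device scoring described above can be sketched in a few dozen lines. The following is an added illustration written for this review, not CyGlass code and not a description of its internal algorithm: the flow records, the internal address ranges, the rule set, the thresholds and the score weights are all assumptions chosen to make the mechanics visible. It learns an asset inventory and the set of normal conversations from one window of NetFlow-like records, then evaluates a second window and correlates every finding per host so that a scan-like SMB fan-out surfaces as one scored alert rather than a flow-by-flow stream.

```python
"""Added illustration of NDR-style baselining over flow records.
Constructed data and simplified rules; not CyGlass code."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions for the example: which ranges count as "inside", which ports are
# typical of lateral movement, which Internet-bound ports are expected, and
# how much each rule contributes to a host's threat score.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {135, 445, 3389, 5985}
EGRESS_ALLOW = {80, 443}
LATERAL_THRESHOLD = 3          # new internal peers on one admin port in a window
WEIGHTS = {"lateral_movement": 5, "new_device": 3,
           "unusual_egress": 2, "new_conversation": 1}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass
class Alert:
    host: str
    score: int
    reasons: list


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class Baseline:
    """What the learning phase retains: known assets and known conversations."""

    def __init__(self):
        self.assets = set()           # internal hosts seen during learning
        self.conversations = set()    # (src, dst, dport, proto) tuples seen

    def learn(self, flows):
        for rec in flows:
            for host in (rec.src, rec.dst):
                if is_internal(host):
                    self.assets.add(host)
            self.conversations.add((rec.src, rec.dst, rec.dport, rec.proto))
        return self


def evaluate(baseline, flows):
    """Apply the policy rules to a new window and correlate findings per host."""
    findings = defaultdict(set)          # host -> {(rule, detail)}; sets dedupe
    new_admin_peers = defaultdict(set)   # (src, dport) -> new internal peers
    for rec in flows:
        for host in (rec.src, rec.dst):
            if is_internal(host) and host not in baseline.assets:
                findings[host].add(("new_device", "not in learned inventory"))
        if (rec.src, rec.dst, rec.dport, rec.proto) not in baseline.conversations:
            findings[rec.src].add(("new_conversation",
                                   f"{rec.dst}:{rec.dport}/{rec.proto}"))
            if is_internal(rec.dst) and rec.dport in ADMIN_PORTS:
                new_admin_peers[(rec.src, rec.dport)].add(rec.dst)
        if (is_internal(rec.src) and not is_internal(rec.dst)
                and rec.dport not in EGRESS_ALLOW):
            findings[rec.src].add(("unusual_egress",
                                   f"{rec.dst}:{rec.dport}/{rec.proto}"))
    # Lateral movement is a property of the window, not of a single flow.
    for (src, port), peers in new_admin_peers.items():
        if len(peers) >= LATERAL_THRESHOLD:
            findings[src].add(("lateral_movement",
                               f"{len(peers)} new peers on port {port}"))
    alerts = [Alert(host, sum(WEIGHTS[rule] for rule, _ in hits),
                    sorted(f"{rule}: {detail}" for rule, detail in hits))
              for host, hits in findings.items()]
    return sorted(alerts, key=lambda a: (-a.score, a.host))


# Constructed learning window: two workstations, a file server and a DNS server.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.0.5", 445, "tcp", 8000),
    Flow("10.0.1.10", "10.0.0.2", 53, "udp", 120),
    Flow("10.0.1.10", "172.217.0.1", 443, "tcp", 50000),
    Flow("10.0.1.11", "10.0.0.5", 445, "tcp", 9000),
    Flow("10.0.1.11", "10.0.0.2", 53, "udp", 100),
    Flow("10.0.1.11", "172.217.0.1", 443, "tcp", 30000),
    Flow("10.0.0.5", "10.0.0.2", 53, "udp", 90),
]

# Constructed evaluation window: .10 behaves normally, .11 fans out over SMB to
# hosts it never spoke to, and an unknown .99 appears and reaches out on 4444.
WINDOW_FLOWS = [
    Flow("10.0.1.10", "10.0.0.5", 445, "tcp", 7500),
    Flow("10.0.1.10", "172.217.0.1", 443, "tcp", 42000),
    Flow("10.0.1.11", "10.0.0.5", 445, "tcp", 9100),
    Flow("10.0.1.11", "10.0.1.10", 445, "tcp", 4000),
    Flow("10.0.1.11", "10.0.1.12", 445, "tcp", 4000),
    Flow("10.0.1.11", "10.0.1.13", 445, "tcp", 4000),
    Flow("10.0.1.99", "10.0.0.2", 53, "udp", 80),
    Flow("10.0.1.99", "203.0.113.7", 4444, "tcp", 1200),
]


def run_example():
    baseline = Baseline().learn(BASELINE_FLOWS)
    return evaluate(baseline, WINDOW_FLOWS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert.score, alert.host, alert.reasons)
```

Eight flows in the evaluation window collapse into four host-level alerts, with the SMB fan-out from 10.0.1.11 ranked first and the unknown host 10.0.1.99 second; 10.0.1.10 produces nothing because every one of its conversations was already in the baseline. The point a practitioner should take from the toy is where the value and the risk both live: in the quality of the learning window (a baseline captured while an intruder is already active will whitelist the intrusion) and in the rule weights, which decide what reaches the top of the console.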
Both risk and reporting play a critical role in meeting compliance objectives. Here, CyGlass incorporates prebuilt, automated compliance policies, which enforce compliance rules while also reporting on common compliance concerns, such as control effectiveness, objective metrics, and SLA tracking. CyGlass offers assurance reports for NIST, Cyber Essentials, FFIEC, NIAC, and CMMC, with other reports on the way.
One of the most critical features offered by CyGlass is the product’s ability to stop threats. CyGlass’s automated continuous monitoring enables threats to be discovered in real time and then enriched using the product’s threat intelligence engine. Correlating threat intelligence data against attack surfaces further defines the level of risk and prompts cybersecurity managers to take action against surfaced threats. Automated remediation can occur through integrations with firewalls, Active Directory, and DNS security tools.
CyGlass also provides reports to help with forensic investigations. The product’s investigative views display trends, in-depth NetFlow activities, as well as other data, which can be used to narrow down the scope of an attack while also providing usable evidence for investigators to leverage.
Transforming Siloed Security
CyGlass successfully transforms what were once siloed security services into a platform offering that leverages the “as a service” model. The service covers network and cloud visibility, threat detection and response, and compliance monitoring use cases. The company reports that going from connecting a firewall (Fortigate, Sonic Wall, Sophos, WatchGuard, etc.) to initial data ingest takes less than 30 minutes and is done 100% remotely. List price is $4.99 per user per month, with volume discounts for larger deployments.
With network visibility being so critical these days (SolarWinds, ransomware, etc.) and the service also covering cloud systems such as Azure, O365, and AWS, CyGlass should be on the short list of any small or medium company looking to bolster its network and cloud defenses. The ease of provisioning, as well as features such as smart alerts and remediation steps, are an added bonus. All things considered, CyGlass can make a credible argument for taking the place of a SIEM at most smaller enterprises and can help make remediation easier.