There is no denying that cyber-security has become an overly complex beast to manage. Dozens, if not hundreds, of cyber-security vendors each claim to hold the most important pieces of the puzzle, yet most lack any kind of unified offering. In other words, enterprises today have to stitch together multiple vendor products to address the ever-growing classes of threats that plague internet-connected businesses.
Rishon Le’Zion, Israel-based cyber-security company Cynet seeks to tame the wild west of cyber-security by converging essential security technologies and expertise into a unified platform, which the company is calling Cynet 360.
A Closer Look at Cynet 360
Cynet takes a holistic approach to cyber-security and executes on that ideology with Cynet 360, an all-in-one security platform that incorporates endpoint protection, endpoint detection and response, user behavior analytics, network analytics, vulnerability management, threat intelligence and deception into a unified, centrally managed offering. The company also applies artificial intelligence, automation and machine learning-based forensics to reduce the overhead of managing cyber-security for any organization. Cynet 360 supports multiple deployment scenarios, including IaaS, SaaS, on-premises and hybrid deployments.
Getting Started With Cynet 360
One of the company's most interesting claims is that it can protect tens of thousands of endpoints in as little as two hours. Cynet accomplishes that by eliminating traditional installation chores: automated deployment technology pushes the necessary components across the network to the endpoints. Thousands of endpoints can be enrolled in a matter of minutes, and tens of thousands in less than two hours, meaning even the largest enterprises can get started quickly. As with any remote agent push, this relies on a deployment account with administrative access to every endpoint, so that credential deserves the same protection as any other privileged account.
Once deployed, Cynet 360 correlates and analyzes indicators from across the organization to establish a baseline. Network traffic, files, users and endpoints all feed into the risk calculation and into the detection of previously unidentified threats. The correlation engine, aided by machine learning, then drives anomaly detection: events that fall outside the established norms, such as network configuration changes, endpoint changes, file modifications and registry changes, are flagged and dealt with.
Hands On With Cynet 360
One of the most important elements of any cyber-security product is IT hygiene: the visibility needed to expose security weaknesses. Cynet 360 offers visibility into an organization's network and identifies vulnerabilities, assets, inventory, applications and other factors.
Like many other products in the cybersecurity space, Cynet 360 uses a dashboard to present a visual representation of what is happening across an enterprise and to keep administrators aware of the organization's security posture.
The primary dashboard offers a "radar-like" view of what is happening, and divides detected events and statuses into four primary groups: Files, Users, Hosts and Networks. Indicators on the dashboard show active alerts, their severities and so forth. Administrators can drill down into each element for additional information. The dashboard meets the at-a-glance requirement that many administrators look for: with a quick look, they can tell how their day is going to go.
Of course, there is much more to Cynet 360 than a dashboard. The product also offers additional visualizations that can drive actions. Take, for example, the Alerts screen, which delves into real-time analysis of system alerts.
Cynet Alerts dashboard
From the Alerts screen, administrators can drill into detected anomalies, gather forensic information and see what actions were taken. For example, the Alerts board shows which file was accessed, who accessed it from which endpoint, and what action was taken to contain the detected threat. The Alerts board comes in handy for identifying new threats and for deciding whether any action is needed beyond the automated remediation Cynet 360 has already performed. Administrators can also quickly identify spikes in alerts, correlate those spikes with dates and times, and get summaries of the alert types that have occurred. The system offers numerous alert types, including memory injection, worms, trojans, ransomware, malicious server traffic and dozens more.
These multiple layers of security enable administrators to detect a wide range of threats: malicious behavior, exploitation, ransomware, lateral movement, brute force, trojans, worms, user login anomalies, DNS tunneling, privilege escalation, credential theft and others. Alerts are presented via a friendly, intuitive dashboard that provides background for each alert and recommended courses of action. With a click, users can then act on that information to perform response actions.
Cynet Single Alert dashboard
One of the most important features a cybersecurity platform can offer is risk analysis and security posture reporting. Cynet 360 offers several customizable reports that give administrators the answers they need. For example, the default risk report lists the riskiest files, giving administrators visibility into the types of risk those files present as well as the outcome of any analysis performed on them. That is a good indicator of how the product handles new or unknown files that may contain a threat.
Many cybersecurity tools lack an effective way to deal with previously unseen files and by default may block them as suspicious. That can hurt productivity, since the file cannot be used until a verdict is reached. Some tools take days to deliver a verdict, leaving administrators holding the bag on whether a file is good or bad. Cynet 360 automatically performs behavioral analysis on new files and detects malicious payloads, neutralizing most such threats without the wait.
Cynet 360 Primary Features
While the company does not claim to incorporate every single cybersecurity feature known to the industry, it does integrate those that are critical for protecting organizations. You won't find spam filtering, web filtering or software firewalls in the platform, but you will find the following capabilities well represented:
Endpoint Protection and EDR (Endpoint Detection and Response):
Cynet 360 uses a lightweight client (agent) that is pushed to the endpoint. The agent performs scans, monitors activity and works hand in hand with the Cynet 360 server and correlation engine. Cynet 360 correlates endpoint analysis with network traffic analysis from each asset on which the agent is installed. It can also ingest network system logs and be configured to run a syslog listener, providing additional context alongside the network data. The platform uses the gathered intelligence to look for anomalies and threats, and can ingest operational and configuration data for still more context.
Cynet 360 uses a proxy approach to filter and block malicious activity. For example, if the agent sees behavior that looks like an attempt to access and manipulate password vaults for credential theft, it blocks the attack even when it cannot reach the server. The same holds for file system-based attacks. Cynet 360 also incorporates whitelisting of critical components and real-time memory protection: the agent only allows access to approved files, processes and communications, and the whitelists are created automatically using heuristics and analysis.
Cynet's EDR capability provides a detailed play-by-play of what took place on an endpoint during and after an attack, showing how the attack was mounted and whether it moved laterally. Automated responses can be driven by the EDR capability, blocking and quarantining malicious code, while alerts and reporting give administrators additional actionable information to tailor a custom response if needed. Administrators can choose automatic actions for each triggered alert or intervene manually. For privacy reasons, files are not uploaded automatically: administrators must manually send files to Cynet's internal CyOps team for analysis if they want additional help with a security issue.
To properly understand an organization's threat posture, administrators must gather information on vulnerabilities and then determine whether those vulnerabilities can affect the organization. Cynet 360 incorporates a vulnerability assessment tool that can save administrators countless hours. The platform assesses and manages endpoint vulnerabilities in four ways, all of them automated.
First, Cynet 360 checks for installed patches, builds an inventory of them and alerts when required patches are missing. Second, it checks the endpoints for unauthorized or risky applications; administrators can edit the generated list to add or remove applications. Third, for application patches and approved versions, it checks whether applications are installed with an invalid or old patch level. Finally, for security policy compliance, it checks that a predefined list of applications is installed on the endpoints and currently running.
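The four checks above amount to comparing a per-host inventory against a policy. The following is an added example, not Cynet's code, that performs all four against a constructed inventory for a single host; every host name, patch identifier (the "KBEX" values), application name and version is made up for illustration. The one non-obvious detail it demonstrates is the third check: version strings must be compared numerically, because "7.2.10" sorts before "7.2.9" as text.

```python
"""Added example, not Cynet's code: the four endpoint hygiene checks evaluated
against a constructed inventory. All identifiers below are fictitious."""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    installed_patches: set[str]
    installed_apps: dict[str, str]      # application name -> installed version
    running_processes: set[str]


@dataclass
class Policy:
    required_patches: set[str]
    unauthorized_apps: set[str]
    min_versions: dict[str, str]        # application name -> minimum approved version
    required_running: dict[str, str]    # application name -> process that must be running


def version_tuple(version: str) -> tuple[int, ...]:
    """'7.2.10' -> (7, 2, 10); needed because as strings '7.2.10' < '7.2.9'."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(host: Host, policy: Policy) -> set[str]:
    """Check 1: required patches that are not in the host's patch inventory."""
    return policy.required_patches - host.installed_patches


def unauthorized_apps(host: Host, policy: Policy) -> set[str]:
    """Check 2: installed applications that appear on the unauthorized/risky list."""
    return set(host.installed_apps) & policy.unauthorized_apps


def outdated_apps(host: Host, policy: Policy) -> dict[str, tuple[str, str]]:
    """Check 3: installed apps below the approved version, as name -> (installed, minimum)."""
    found = {}
    for app, minimum in policy.min_versions.items():
        installed = host.installed_apps.get(app)
        if installed is not None and version_tuple(installed) < version_tuple(minimum):
            found[app] = (installed, minimum)
    return found


def compliance_gaps(host: Host, policy: Policy) -> dict[str, str]:
    """Check 4: required apps that are absent or installed but not running."""
    gaps = {}
    for app, process in policy.required_running.items():
        if app not in host.installed_apps:
            gaps[app] = "missing"
        elif process not in host.running_processes:
            gaps[app] = "not running"
    return gaps


def assess(host: Host, policy: Policy) -> dict:
    """Run all four checks and return one findings record for the host."""
    return {
        "host": host.name,
        "missing_patches": sorted(missing_patches(host, policy)),
        "unauthorized_apps": sorted(unauthorized_apps(host, policy)),
        "outdated_apps": outdated_apps(host, policy),
        "compliance_gaps": compliance_gaps(host, policy),
    }


# Constructed sample inventory and policy (fictitious hosts, patches, apps and versions).
SAMPLE_HOST = Host(
    name="ws-finance-07",
    installed_patches={"KBEX0001", "KBEX0002"},
    installed_apps={"Acme Reader": "7.2.9", "TorBrowser": "12.0",
                    "ExampleAgent": "3.1.0", "OfficeSuite": "16.0"},
    running_processes={"explorer.exe", "OfficeSuite.exe"},
)
SAMPLE_POLICY = Policy(
    required_patches={"KBEX0001", "KBEX0002", "KBEX0003"},
    unauthorized_apps={"TorBrowser", "uTorrent"},
    min_versions={"Acme Reader": "7.2.10", "OfficeSuite": "16.0"},
    required_running={"ExampleAgent": "ExampleAgent.exe", "DiskEncryptor": "DiskEncryptor.exe"},
)

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_HOST, SAMPLE_POLICY), indent=2))
```

On a real Windows fleet the inventory would come from the agent (installed updates, the Uninstall registry keys and the process list); the comparison logic is the same.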
Cynet 360 correlates endpoint data with network data to build a better picture of activity across the network and, of course, on the endpoints. The product captures endpoint data such as metadata, source IP addresses, active ports and DNS requests to give full visibility into network and endpoint activity. That endpoint data is then correlated with network data such as proxy logs, firewall taps and other traffic-related sources. Having all of that information, and being able to correlate it, yields a much more accurate picture of activity: Cynet 360 can detect anomalies quickly, reduce false positives and use context-based scoring to escalate the alerts that matter while reducing noise.
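To make the correlation and context-based scoring concrete, here is an added example (not Cynet's code, and not a description of its internals): endpoint-agent connection events are joined to proxy log lines by host, destination and time window, and each alert is scored by how many context factors deviate from a baseline. The hosts, users, domains, processes, log format and baseline are all constructed for the example.

```python
"""Added example, not Cynet's code: join endpoint events to proxy log lines and
score the combined context. All data and formats below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed endpoint-agent events: a process on a host opened a network connection.
ENDPOINT_EVENTS = [
    {"ts": "2024-03-04T09:15:02", "host": "ws-hr-03", "user": "alice", "process": "outlook.exe",
     "parent": "explorer.exe", "dst": "mail.example-corp.test"},
    {"ts": "2024-03-04T09:15:40", "host": "ws-hr-03", "user": "alice", "process": "chrome.exe",
     "parent": "explorer.exe", "dst": "cdn.example-corp.test"},
    {"ts": "2024-03-04T02:41:10", "host": "ws-hr-03", "user": "alice", "process": "powershell.exe",
     "parent": "winword.exe", "dst": "upd-7731.example-bad.test"},
]

# Constructed proxy log lines in a syslog-style key=value format.
PROXY_LOG = """\
2024-03-04T09:15:03 proxy01 src=ws-hr-03 dst=mail.example-corp.test method=CONNECT status=200 bytes_out=3120
2024-03-04T09:15:41 proxy01 src=ws-hr-03 dst=cdn.example-corp.test method=GET status=200 bytes_out=880
2024-03-04T02:41:12 proxy01 src=ws-hr-03 dst=upd-7731.example-bad.test method=POST status=200 bytes_out=5242880
"""

# Constructed baseline, standing in for what earlier observation would have learned.
BASELINE = {
    "known_domains": {"mail.example-corp.test", "cdn.example-corp.test"},
    "known_process_parents": {("outlook.exe", "explorer.exe"), ("chrome.exe", "explorer.exe")},
    "work_hours": (7, 19),   # hours during which this user is normally active
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proxy>\S+) (?P<kv>.*)$")


def parse_proxy_line(line: str):
    """Parse one 'ts proxy k=v k=v ...' line; numeric values become ints."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "proxy": m["proxy"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = int(value) if value.isdigit() else value
    return rec


def correlate(event, proxy_records, window=timedelta(seconds=5)):
    """Return the proxy record for this endpoint connection: same host and destination, close in time."""
    t0 = datetime.fromisoformat(event["ts"])
    for rec in proxy_records:
        if (rec.get("src") == event["host"] and rec.get("dst") == event["dst"]
                and abs(datetime.fromisoformat(rec["ts"]) - t0) <= window):
            return rec
    return None


def score(event, proxy_rec, baseline):
    """Context-based score: one point per deviating factor; returns (points, reasons)."""
    reasons = []
    if event["dst"] not in baseline["known_domains"]:
        reasons.append("destination never seen before")
    if (event["process"], event["parent"]) not in baseline["known_process_parents"]:
        reasons.append(f"unusual process chain {event['parent']} -> {event['process']}")
    hour = datetime.fromisoformat(event["ts"]).hour
    start, end = baseline["work_hours"]
    if not start <= hour < end:
        reasons.append("activity outside the user's normal hours")
    # The network side confirms what the endpoint side only hinted at: a large upload.
    if proxy_rec and proxy_rec.get("method") == "POST" and proxy_rec.get("bytes_out", 0) > 1_000_000:
        reasons.append("large outbound upload confirmed by proxy")
    return len(reasons), reasons


def severity(points: int) -> str:
    return "high" if points >= 3 else "medium" if points == 2 else "low" if points == 1 else "none"


def analyze(events=ENDPOINT_EVENTS, proxy_log=PROXY_LOG, baseline=BASELINE):
    """Produce scored alerts; events with no deviating factor generate nothing (noise reduction)."""
    records = [r for r in (parse_proxy_line(line) for line in proxy_log.splitlines()) if r]
    alerts = []
    for ev in events:
        points, reasons = score(ev, correlate(ev, records), baseline)
        if points:
            alerts.append({"host": ev["host"], "user": ev["user"], "process": ev["process"],
                           "dst": ev["dst"], "severity": severity(points), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

The two business-hours connections match every baseline factor and produce no alert at all; the night-time Word-spawned PowerShell upload to an unknown domain accumulates four factors and is escalated to high. The proxy join is what turns "connected somewhere" into "uploaded five megabytes", which is the context that justifies the escalation.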
One way to deal with suspicious activity is to sandbox it: unknown or suspicious code is isolated from operational systems until it can be determined whether it is benign or malicious. Cynet 360 confirms whether something new is a definite threat by automatically placing the suspicious file in a sandbox, where static and dynamic analysis is performed. The sandbox executes the file in the context of the original scenario in which it was found, and indicators are collected during and after execution, including binary files and dependencies such as DLLs. With this information, malicious behavior can be detected, including hard-to-uncover threats that use anti-debugging, anti-reversing and sandbox-aware techniques.
Protecting enterprise resources is increasingly a game of sleight of hand, in which administrators lure attackers into traps. Those traps are sometimes called honeypots, but in reality it is all deception. Cynet 360 integrates deception capabilities to improve overall detection efficacy. Deception helps administrators protect their networks by misleading attackers and then analyzing the mistakes they make. The platform lets administrators deploy decoy files, folders and settings which, when touched by an attacker, alert the security team, who can then choose to eliminate the threat or engage in intelligence gathering. Cynet 360 uses built-in beaconing, meaning the platform can track and generate alerts for stolen decoys even outside the corporate network. The product can also "paint" sensitive files with beacons to track proper use of those files. As with any decoy scheme, the decoys need to be excluded from backup, indexing and inventory jobs so that routine access does not trip the alerts meant for attackers.
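The two alert paths described above, a decoy touched on the host and a stolen decoy calling home from outside, can be shown with a small registry of planted decoys. This is an added example, not Cynet's code or a description of its beaconing: the decoy file paths, host names, the beacon collector name `beacon.example-sec.test`, the audit events and the web-server log lines are all constructed. The beacon is modelled as a unique per-decoy URL that the document fetches when opened (for instance as a remote image), so the token in the collector's access log identifies which decoy was opened and where it was planted.

```python
"""Added example, not Cynet's code: a decoy registry that raises alerts from
(1) local file-access audit events and (2) beacon callbacks in a web log.
All paths, hosts, tokens and log lines are constructed."""
import re
import secrets

# Hypothetical beacon collector name, assumed for the example; not a real service.
BEACON_HOST = "beacon.example-sec.test"
# Apache/nginx-style combined log line: client IP first, request in quotes, then status.
BEACON_LOG_RE = re.compile(
    r'^(?P<src>\S+) .*"GET /b/(?P<token>[0-9a-f]{16})\.png[^"]*" (?P<status>\d{3})')


class DecoyRegistry:
    """Tracks planted decoys by the beacon token embedded in each one."""

    def __init__(self):
        self.by_token = {}   # token -> {"path", "host", "owner"}

    def plant(self, path: str, host: str, owner: str) -> str:
        """Register a decoy and return the beacon URL to embed in it.
        The random token is the only thing an attacker's fetch carries back."""
        token = secrets.token_hex(8)
        self.by_token[token] = {"path": path, "host": host, "owner": owner}
        return f"https://{BEACON_HOST}/b/{token}.png"

    def token_for_path(self, path: str):
        # Windows paths are case-insensitive, so compare them that way.
        return next((t for t, d in self.by_token.items()
                     if d["path"].lower() == path.lower()), None)

    def alerts_from_audit(self, events):
        """Local access: an object-access audit event (Windows event ID 4663) naming a decoy path."""
        out = []
        for ev in events:
            if ev["event_id"] != 4663:
                continue
            token = self.token_for_path(ev["path"])
            if token:
                out.append({"kind": "decoy-access", "host": ev["host"], "user": ev["user"],
                            "process": ev["process"], "decoy": self.by_token[token]["path"]})
        return out

    def alerts_from_beacon_log(self, lines):
        """Remote access: the decoy was opened somewhere that fetched its beacon URL."""
        out = []
        for line in lines:
            m = BEACON_LOG_RE.match(line)
            if m and m["token"] in self.by_token:
                d = self.by_token[m["token"]]
                out.append({"kind": "decoy-exfiltrated", "fetched_from": m["src"],
                            "decoy": d["path"], "planted_on": d["host"]})
        return out


# Constructed audit events, reduced to the fields the check needs.
AUDIT_EVENTS = [
    {"host": "ws-fin-02", "event_id": 4663, "user": "bob", "process": "explorer.exe",
     "path": r"C:\Users\bob\Documents\budget.xlsx"},
    {"host": "ws-fin-02", "event_id": 4663, "user": "bob", "process": "cmd.exe",
     "path": r"C:\Users\bob\Documents\passwords_backup.xlsx"},
]


def demo():
    """Plant one decoy, then replay a local access and a beacon callback from an outside address."""
    reg = DecoyRegistry()
    url = reg.plant(r"C:\Users\bob\Documents\passwords_backup.xlsx", "ws-fin-02", "bob")
    token = url.rsplit("/", 1)[1].removesuffix(".png")
    beacon_log = [   # constructed collector access log; 203.0.113.0/24 is a documentation range
        f'203.0.113.77 - - [04/Mar/2024:03:12:44 +0000] "GET /b/{token}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [04/Mar/2024:03:13:01 +0000] "GET /b/0000000000000000.png HTTP/1.1" 404 0 "-" "curl/8.0"',
    ]
    return reg.alerts_from_audit(AUDIT_EVENTS), reg.alerts_from_beacon_log(beacon_log)


if __name__ == "__main__":
    local_alerts, remote_alerts = demo()
    print(local_alerts)
    print(remote_alerts)
```

The second log line carries a token that was never issued, so it is ignored rather than alerted on; only tokens in the registry map back to a planted decoy and its origin host.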
Security Operational Analytics:
Cynet 360's User and Entity Behavior Analytics (UEBA) looks for usage patterns that indicate unusual or anomalous behavior, whether the activity comes from an external attacker, an insider, malware or some other process. UEBA can be used to ask employees to self-verify their behavior, which helps reduce false positives, and to automate the relevant response for external threats, credential theft or insider threats.
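The baselining described earlier and the behavior analytics described here rest on the same idea: learn what is normal for each user from history, then flag logons that deviate. The following added example, not Cynet's code, builds a per-user profile (hosts, logon types, hours) from a constructed logon history and evaluates new events against it; users, hosts, timestamps and the event shape are all made up, and the "needs user verification" flag only stands in for the self-verification step mentioned above.

```python
"""Added example, not Cynet's code: a per-user logon baseline built from
constructed history, used to flag deviating logons."""
from collections import defaultdict
from datetime import datetime

# Constructed history of successful logons: (user, host, logon type, timestamp).
# The shape loosely mirrors a Windows logon event, reduced to what the baseline needs.
HISTORY = [
    ("carol", "ws-eng-11", "interactive", "2024-02-26T08:55:00"),
    ("carol", "ws-eng-11", "interactive", "2024-02-27T09:05:00"),
    ("carol", "ws-eng-11", "interactive", "2024-02-28T08:50:00"),
    ("carol", "srv-build-01", "network", "2024-02-28T10:15:00"),
    ("carol", "ws-eng-11", "interactive", "2024-02-29T09:10:00"),
    ("carol", "srv-build-01", "network", "2024-03-01T14:30:00"),
]


def build_baseline(history):
    """Per-user profile: hosts used, logon types used, and hours at which logons occurred."""
    profile = defaultdict(lambda: {"hosts": set(), "logon_types": set(), "hours": set()})
    for user, host, logon_type, ts in history:
        p = profile[user]
        p["hosts"].add(host)
        p["logon_types"].add(logon_type)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(profile)


def deviations(event, baseline):
    """List every way this logon departs from the user's profile (empty list means normal)."""
    user, host, logon_type, ts = event
    p = baseline.get(user)
    if p is None:
        return ["user has no baseline"]
    found = []
    if host not in p["hosts"]:
        found.append(f"first logon to {host}")
    if logon_type not in p["logon_types"]:
        found.append(f"first {logon_type} logon")
    hour = datetime.fromisoformat(ts).hour
    # Tolerate one hour either side of observed hours so an early start is not an anomaly.
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        found.append(f"logon at {hour:02d}:00 is outside usual hours")
    return found


def evaluate(events, history=HISTORY):
    """Score new logons against the baseline; two or more deviations are routed for user verification."""
    baseline = build_baseline(history)
    results = []
    for ev in events:
        d = deviations(ev, baseline)
        results.append({"user": ev[0], "host": ev[1], "anomalous": bool(d), "deviations": d,
                        "needs_user_verification": len(d) >= 2})
    return results


# Constructed new events: a routine morning logon, then an RDP-style logon to a server at 03:20.
NEW_EVENTS = [
    ("carol", "ws-eng-11", "interactive", "2024-03-04T08:40:00"),
    ("carol", "srv-dc-01", "remote_interactive", "2024-03-04T03:20:00"),
]

if __name__ == "__main__":
    for r in evaluate(NEW_EVENTS):
        print(r)
```

A real profile would be built over a longer window and would weight factors rather than count them, but the shape is the same: the first event matches the profile on every axis and produces nothing, while the second is new on host, logon type and hour at once, which is exactly the kind of logon worth confirming with the user before treating it as credential theft.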
Cynet has done a good job of integrating the critical components of cybersecurity into a holistic platform that is both easy to use and easy to deploy. Cynet also includes a 24/7 cyber ops team, at no extra cost, that performs breach post-mortems, analyzes malware, hunts for threats and, most importantly, proactively notifies customers whenever a high-severity threat is found in their environment. This service matters especially for organizations that do not have large security teams.
From an operational standpoint, the platform introduced no noticeable latency and was easy to navigate. While Cynet 360’s endpoint protection may not have all the bells and whistles of some other products out there, it does an excellent job protecting endpoints from most major threats.
Perhaps future versions of the platform will include web filtering, data leakage protection, spam filtering and other security technologies. However, many organizations deploy those capabilities at the firewall level. This means that if you already have those technologies and are looking to reduce your cybersecurity overhead, Cynet is definitely worth a look.