


by John Breeden II

REVIEW: Cyphort makes advanced threat protection easier than ever

Jan 25, 2016 | 9 mins
Network Security, Security

Advanced Threat Defense Platform 3.3 combines multiple security layers in one easy-to-deploy package

Over the past few months, we’ve reviewed a variety of cutting-edge security tools that combat advanced persistent threats (APTs); everything from threat intelligence to virtual sandboxing to privileged identity management. And while all of these programs have been powerful, they all had varying degrees of complexity when it came to usability and customization.

The Advanced Threat Defense Platform 3.3 from Cyphort aims to provide deep protection while also being simple to use and easy to customize, even for less experienced cybersecurity teams.

It combines multiple layers of security, including sandboxing, signature identification, threat intelligence and machine learning. And it can offer endpoint protection without the need to install agents on every system. We reviewed this new defense platform for several weeks on a large testbed network.

Installing Cyphort’s Advanced Threat Defense Platform can be done as a virtual machine or a hardware appliance. The core appliance handles management functions, while several sensors, called collectors, are deployed at various points on the protected network. The sensors look at traffic coming into a network at the boundary points and also any traffic attempting to move through a network, so it can sense both external threats and the possible lateral movement of advanced threats which are already inside the perimeter.

Two of the best features of the Cyphort platform are its ease of use and its customization options. When setting up the platform, users can tell the program how important each network device is. This can be done by identifying individual resources and computers, or by specifying an IP range and assigning everything within it a priority level. Later, this data feeds into the threat warnings shown to the security pros watching over the network. For example, you can designate your top executives or your database servers as maximum priority, while machines used by contractors or temporary employees could be set to normal or low.

Cyphort does not ignore the lower priority machines, but uses their designation as a factor in reporting the level of danger that any threat poses. So, for example, a low-level threat such as adware-based malware would normally be shown as a yellow mid-level type concern on the main dashboard, but might get elevated to a higher level if it lands on a high-priority laptop being used by someone from the C-suite.

In our testing, those designations raised the priority of threats but never really downgraded them. So an APT that could potentially compromise an entire network was never downgraded because it landed on a terminal sitting out at reception. The feature simply lets users designate the truly critical pieces of their infrastructure, where there needs to be zero tolerance for malware of any type.

The main dashboard is very easy to use. At a glance, we could see all of the threats arrayed against the network ranked by severity over time. High priority threats that needed a quick response were designated as red circles at the top of the main chart while lower priority ones were yellow and pushed farther down.

Clicking on a threat bubble indicator gives all the information Cyphort knows about that threat. This can allow security teams to quickly get a handle on the situation and create a mitigation plan. Some threats may not need to be addressed, such as a Windows-based threat that attempted to land on a Mac. In that case, teams can simply note that the threat would not have been able to install on the targeted machine’s operating system. It can then be removed from the dashboard.


But of course not all threat mitigations are going to be that easy. To help defeat an actual attack, Cyphort shows a condensed version of the kill chain that an APT must traverse to reach an actual asset, and can show where in that chain a threat currently sits. For example, at an early stage the malware code might have been downloaded but not yet activated. In that case, removing the offending program will probably stop the threat.

In later stages, lateral movement or malicious outbound function calls might have been detected. That might require a more robust response, such as shutting down and purging infected systems. But Cyphort does a good job of showing in real time exactly which threats are in play, using a fairly simple and highly graphical interface. Also, by collapsing the kill chain into an abbreviated version, and by tying together all events related to one infection, it eliminates a separate alert each time a single threat makes a move.
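As an added illustration (not Cyphort's code; the stage names, priority levels and boost values are assumptions), this Python sketch combines the two behaviours the review describes: asset priority raises a threat's severity but never lowers it, and all events for one threat on one host collapse into a single incident that records the furthest kill-chain stage reached.

```python
import ipaddress

SEVERITY = ["low", "medium", "high", "critical"]  # ordered; list index is the rank
# Condensed kill-chain stage names are assumed here, not Cyphort's own.
STAGES = ["download", "execution", "c2", "lateral_movement"]

# Constructed asset inventory: a single host or a CIDR range, each tagged
# with an importance level, as the review describes.
ASSET_PRIORITY = {
    "10.0.5.10": "maximum",   # database server
    "10.0.1.0/24": "low",     # contractor / temp-staff range
}
PRIORITY_BOOST = {"low": 0, "normal": 0, "high": 1, "maximum": 2}  # assumed values

def asset_priority(ip, inventory=ASSET_PRIORITY):
    """Longest-prefix match wins; hosts not in the inventory count as normal."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "normal", -1
    for key, prio in inventory.items():
        net = ipaddress.ip_network(key, strict=False)  # a bare host becomes a /32
        if addr in net and net.prefixlen > best_len:
            best, best_len = prio, net.prefixlen
    return best

def effective_severity(base, ip):
    """Raise severity for important assets; never lower it for unimportant ones."""
    rank = SEVERITY.index(base) + PRIORITY_BOOST[asset_priority(ip)]
    return SEVERITY[min(rank, len(SEVERITY) - 1)]

def collapse_incidents(events):
    """One incident per (host, threat): furthest stage, highest severity, event count."""
    incidents = {}
    for ev in events:
        sev = effective_severity(ev["severity"], ev["host"])
        inc = incidents.setdefault((ev["host"], ev["threat"]), {
            "host": ev["host"], "threat": ev["threat"],
            "stage": ev["stage"], "severity": sev, "events": 0})
        inc["events"] += 1
        if STAGES.index(ev["stage"]) > STAGES.index(inc["stage"]):
            inc["stage"] = ev["stage"]       # threat advanced along the chain
        if SEVERITY.index(sev) > SEVERITY.index(inc["severity"]):
            inc["severity"] = sev            # severity only ever ratchets up
    return list(incidents.values())

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "10.0.5.10", "threat": "adware", "stage": "download", "severity": "medium"},
    {"host": "10.0.5.10", "threat": "dropper", "stage": "download", "severity": "high"},
    {"host": "10.0.5.10", "threat": "dropper", "stage": "execution", "severity": "high"},
    {"host": "10.0.5.10", "threat": "dropper", "stage": "c2", "severity": "high"},
    {"host": "10.0.1.7", "threat": "dropper", "stage": "lateral_movement", "severity": "critical"},
]
```

The five sample events collapse to three incidents: adware on the database server is lifted to critical, the three dropper events on that server become one incident at the c2 stage, and the critical event on the low-priority contractor host keeps its severity.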

While an organization might want endpoint protection without installing agents on every system, the drawback is that with a platform like Cyphort you are never really sure whether a threat successfully landed on the endpoint in question. To get around this, Cyphort allows users to set up a “golden profile” of the systems running on the network. These profiles exist as virtual machines and should ideally contain all of the programs, software and supplemental protection, such as anti-virus, running on endpoints. When a threat is detected, users can run that threat against the “golden image” to see whether it likely landed successfully on the target machine, or whether, for example, resident anti-virus should have caught it. This gets you close to 100 percent certainty about whether a threat actually landed on an endpoint, even without an agent.

If the threat starts trying to move laterally through a network or sends out command-and-control function calls, the Cyphort collectors will spot it. Good security officers, however, will also want to confirm that any potential threat that is staying quiet has been rooted out. To be completely sure, deploying the threat against the golden image is not quite enough. To eliminate those last few degrees of uncertainty, the Cyphort Defense Platform can generate a simple program that checks for the presence of a specific piece of malware on a host system. Running the program confirms whether or not it is on the endpoint.

Right now, there is no way to push that validation program to the endpoint. The platform is not set up to deal with agents, and this is essentially a mini-agent looking for evidence of a specific threat. So sneakernet might have to be employed, though the confirmation programs are tiny enough to move electronically using file transfer programs or even e-mail.

All of those tools presuppose that threats are actually landing on endpoints or getting a foothold into a protected network. However, the Cyphort Advanced Threat Defense Platform 3.3 also does a good job of stopping those threats in the first place using a variety of techniques. First off, it uses sandboxing, but not in the traditional sense where the sandbox program compares program behavior to a set of rules, which the attackers can eventually learn and try to work around.

Instead, the Cyphort sandbox uses machine learning to watch for telltale signs of an unwanted or malicious program, mostly outside function calls or lateral movement attempts. The Cyphort main console is constantly fed a stream of threat intelligence from the company, and it is also always looking locally for new data and malware patterns in the programs it examines in its sandbox. So what it is doing is still basically rule-based sandboxing, but there is no single fixed set of rules that it follows; instead it generates them dynamically and learns more as it goes.

The platform also uses signatures of known malware. Even though signature-based protection is easy to get around for advanced and persistent attackers, it can still catch most threats, and can easily eliminate the low-hanging fruit, reducing the number of alerts that security teams need to deal with every day. Between the sandboxing, machine learning, signatures and threat feeds, the Cyphort platform can offer quite a robust defense in depth.

Pricing is also unusual because it does not count seats or even collectors. Instead, yearly subscription fees are based on the total amount of bandwidth a customer needs to scan on their network, and they include the cost of all the software, threat intelligence services and support. In this way, users are not penalized if they have a large network but low traffic, since they pay only for the traffic that actually needs to be inspected. It also lets users grow and expand as needed if their traffic suddenly increases. Subscriptions start at $55,000 per year.

The Cyphort Advanced Threat Defense Platform 3.3 is extremely easy to use, and can protect against, and give good insight into, advanced threats. Collapsing complicated kill chains down into smaller, graphical blocks can make defense easier for smaller security teams, or for organizations that are just getting serious about protecting their networks with things like Security Operations Centers. There is also no need for endpoint agents, and with pricing based on bandwidth, organizations with large numbers of low-level employees who don’t generate a lot of network traffic can find even more value.

It’s tempting to label the Cyphort Advanced Threat Defense Platform 3.3 as a program for entry-level cybersecurity teams to quickly get their footing against today’s advanced threats, and it can be used in that way. But calling it that alone might slight its powerful capabilities. Instead the platform should probably be considered more of a way to provide cybersecurity for every organization regardless of how experienced they happen to be when dealing with the many threats arrayed against them.

John Breeden is an award-winning reviewer and public speaker with over 20 years of experience. He is currently the CEO of the Tech Writers Bureau, a group of influential journalists and writers who work in government and other circles. He can be reached at