Whenever I talk to potential customers, without fail, they ask how Cybereason can detect advanced persistent threats in real time. They claim the technology required to perform this task doesn't exist, or think we use a different definition of real time.
Cybereason doesn't send security incident updates in intervals of 15 or 30 minutes. Honestly, there's no asterisk next to real time. Real-time detection of APTs is very possible and in this blog post I'll explain how we do it.
Cybereason continuously collects data from endpoints and performs statistical analysis on the server to enable real-time or near real-time detection of attacks. Once the platform determines that a malicious operation is underway, the incident is immediately reported. There's no delay.
Our unique data collection mechanism and in-memory graph technology makes this possible. The in-memory graph, which we have patents on, allows us to track the state of an endpoint and report only what has changed. This means there's less data for the in-memory graph to process, allowing Cybereason to quickly provide details on the detected incident.
Additionally, we developed a proprietary database technology that enables this real-time, in-memory graph technology and statistical analysis in near real time. We found that Hadoop, Cassandra and similar database programs are not designed to handle the tasks associated with real-time quantification. So, we built our own.