Cybereason Blog | Cybersecurity News and Analysis

Yonatan Striem-Amit talks to eWeek about how Cybereason blocks ransomware attacks

Written by Fred O'Connor | Jun 17, 2016 10:10:16 AM

Cybereason CTO Yonatan Striem-Amit chatted with eWeek about the news that our endpoint detection and response platform can now detect and block ransomware. Striem-Amit told the tech news site that this new capability marks Cybereason's move into the prevention space. "Not only can we detect known and unknown threats, we can also proactively block them," he said.

He also talked about the benefits of using behavioral analysis to detect ransomware instead of relying on a signature-based approach since this type of threat always evolves.

The full article is below.

Security vendor Cybereason is expanding its detection and analysis technology with an update that enables organizations to block threats. Cybereason has enhanced its ability to find, analyze and block ransomware attacks, which have been growing this year. Cybereason has raised $90.5 million to date, including a $59 million Series C funding round in October 2015, to help develop technology and build its market share.

"So far, Cybereason has been focused very strongly on detection and response, the ability to find hackers, whether they are using malware or not," Yonatan Striem Amit, CTO of Cybereason, told eWEEK. "With today's release, we are entering the prevention space, so not only can we detect known and unknown threats, we can also proactively block them."

Blocking attacks can take different technology approaches in an organization, with many making use of network-based technologies such as intrusion-prevention systems or firewall policies, but that's not what Cybereason is doing. According to Amit, Cybereason's blocking technology stops threats at the endpoint level.

"We use our own endpoint technology to block malicious execution on devices, without relying on any type of third-party network technology," Amit said. "Having the blocking technology on the endpoint is critical to actually understand what is happening."

The endpoint technology is what Amit referred to as a "silent sensor"—that is a small footprint piece of software. In Amit's view, the endpoint is the source of truth in an organization to actually have the right context for what malware is attempting to do.

With an endpoint agent, that means that there is also the possibility that there are unmanaged devices in a network that do not have the endpoint agent installed. Amit doesn't see that as a problem for Cybereason. He noted that, for example, if a piece of ransomware infects an unmanaged device, the ransomware will often attempt to expand and encrypt a network share, or another device on the network. Cybereason has the ability to detect what goes on in an environment to see behavioral aspects of software that is running, Amit said.

When it comes to detecting and blocking ransomware, Amit emphasized that a signature-based approach will not suffice, as threats are always evolving. While there are known indicators of compromise (IOCs) for ransomware, there are also behavioral aspects as well that Cybereason tracks. The company tracks approximately 25 ransomware families, and each has different signatures and actions that are easily modified by attackers and change regularly.

While Cybereason also sees exploit kit-based attacks against its customers, basic macro malware as well as phishing attacks are also common, though zero-day vulnerabilities can also be a risk, Amit said.

With its new update, Cybereason is also expanding its sensor technology to Linux servers. Amit explained that his company started with Windows and Apple Mac systems for the sensors, but has seen an increasing need to deploy on Linux as well. The new Linux sensor is initially being targeted at Red Hat Enterprise Linux with support for Debian Linux-based systems set to come in the near future.