SecBI’s XDR platform enables organizations to unify cyber threat detection and response capabilities throughout all attack vectors across the network, endpoints, devices, and the cloud. In this interview, SecBI CEO Gilad Peleg explains how Autonomous Investigation™, augmented with unsupervised machine learning, behavioral analytics, and automated response, can be utilized to protect organizations from cyber attacks.
Please describe SecBI’s background and technology
The founders of SecBI created the company 5 years ago, after participating in an investigation of a major network breach and deciding there must be a faster, easier way to identify and respond to cyberattacks. Very significant to the basic concept of SecBI is to leverage existing security controls, rather than introducing new systems which simply trigger additional alerts, leaving security analysts with unmanageable volumes of data to sift through.
Most midsize or large organizations already have multiple layers of security controls in place, whether it’s antivirus, web gateways, firewall or a full security operations center.
The problem is to tie together all the data derived from these security tools into a contextual, clear, and actionable response plan. On the way, you have to do some investigation to detect malicious activity and propose a response plan for what you found. Only when you have very accurate detection can you have an accurate and complete response. We’ve taken it as our mission to develop this.
We started by focusing on detection, based on network traffic, because there’s a goldmine of data there that most organizations don’t utilize, simply because it’s typically difficult to analyze. That was a very big challenge so first, we concentrated on overcoming that. Following the success with our network traffic analysis (NTA) solution, we started adding more data sources into the detection to offer an XDR Platform.
Our XDR platform is built on very advanced machine learning and artificial intelligence. We call the technology “Autonomous Investigation™” because the key to good detection is investigation.
We can make a quick analogy to a good detective story. When Sherlock Holmes finds the murderer, it’s after a very long investigation process that is unique to each case.
Our Autonomous Investigation technology is like a virtual analyst that mimics an expert analyst at machine speed. That’s the core technology.
Once you have that piece of the puzzle, you have the ability to ingest multiple data sources. To be more specific, you want to ingest data from the network, endpoints, email, cloud, and so on. You also want to ingest the metadata, the telemetry, the logs or events; those are different names for essentially the same thing. And you want to make sense out of all that. That’s the key to Autonomous Investigation.
Here’s a quick preview of what that looks like on the user interface:
We also added an ability to tie the investigation and detection to an automated response. It is very similar to SOAR (Security Orchestration, Automation and Response) – the tight integration between comprehensive detection and automated response is crucial for accurate remediation and continuous prevention.
Response automation can mean different things to different people. You can define an automated response to a situation where an employee lost their laptop, but that’s not what we do. We detect malicious activity and respond automatically, based on that.
How has the market responded to your technology?
Customers have been saying this for a long time, that this was an extremely important piece missing in cybersecurity. It’s where you can finally make sense out of all the noise, the alerts, and the false positives, and get accurate detection with an immediate and tightly-coupled response. This is our unique innovation in the market.
Now, more and more vendors, large and small, have understood what we’ve known for years, and the market has given it a name: eXtended Detection and Response (XDR).
What are the roles of AI and ML in cybersecurity?
AI and ML can alleviate the huge shortage of cybersecurity experts and expertise that everyone is talking about. The current gap is more than 3 million, but the gap is not just in manpower, it is also the expertise. Those people spend a lot of time investigating, detecting, and responding. You need experts in order to do that, and there aren’t that many experts out there.
Even if you hire someone, train them over several months, and give them all the tools and time they need, they still won’t be able to perform these complicated tasks in time to avoid network damage.
The best they can do is come up with a conclusion, which would probably be correct, about whether it’s malicious, how it started, and what happened. It’s a very complex process that requires a lot of expertise, but with machine learning and AI, it can be automated. I’m not saying we’re going to replace them completely, I prefer the term augmentation, but there’s such a huge shortage that anything that can relieve the gap is important. That’s where Autonomous Investigation comes in, and that’s our AI/ML technology.
What can you tell us about your cluster analysis technology?
That is one of the main components of our unsupervised machine learning modules. What it does is investigate and group together all the events related and relevant to one incident. This grouping process is difficult.
To give you an example, let’s say you go into a classroom, and you’re given a task to group kids together. The first question would be, what’s my objective? Is it to build a football team? A basketball team? A musical band? Find a bride? Knowing how to group requires knowledge and expertise. A basketball coach would know how to group them into teams based on experience level, fitness, etc. If you have a different objective, you’ll need a different expert.
So we built an expert to group together all the events that make up one cybersecurity activity.
Now let’s move from classrooms to networks. Emails, web access, file downloads are continuously ongoing. Think of how many events happen on a network of 100, 1,000, or 10,000 employees. It’s billions of events. The most difficult task is to group those events into related activities, and that’s exactly where the unsupervised cluster analysis comes into play. Once that is completed, additional modules perform detection activities on those groups/clusters – and the full attack narrative is revealed: phishing emails sent by hackers, users clicked on a link in those emails, accessed hacked websites, and unknowingly downloaded some files which auto-installed malware. This malicious activity is hidden and goes undetected in many cases.
To summarize: We take billions of logs and group them together using cluster analysis into thousands of activities and behaviors. The machine continuously looks at those activities and behaviors and finds indicators of compromise in each of them. This is another process that we’ve automated.
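The two-stage process described in this answer (group raw events into activities first, then run detection over each group so the attack narrative emerges), as an added illustration that is not SecBI's code. It uses constructed telemetry with hypothetical field names, and a simple per-host time-gap grouping stands in for the unsupervised cluster analysis.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real environment): email gateway,
# web proxy and endpoint events from two workstations. Field names are hypothetical.
EVENTS = [
    {"ts": "2020-06-01T09:00:00", "host": "ws-17", "src": "email",    "act": "link",     "obj": "update-portal.example"},
    {"ts": "2020-06-01T09:02:10", "host": "ws-17", "src": "web",      "act": "get",      "obj": "update-portal.example/login"},
    {"ts": "2020-06-01T09:02:35", "host": "ws-17", "src": "web",      "act": "download", "obj": "update-portal.example/setup.exe"},
    {"ts": "2020-06-01T09:03:00", "host": "ws-17", "src": "endpoint", "act": "exec",     "obj": "setup.exe"},
    {"ts": "2020-06-01T09:01:00", "host": "ws-22", "src": "web",      "act": "get",      "obj": "intranet.example/news"},
    {"ts": "2020-06-01T12:00:00", "host": "ws-17", "src": "web",      "act": "get",      "obj": "intranet.example/hr"},
]

def cluster_events(events, gap=timedelta(minutes=30)):
    """Stage 1: group events into activities. Stand-in rule for the clustering:
    same host, and each event within `gap` of the previous one on that host."""
    ordered = sorted(events, key=lambda e: (e["host"], e["ts"]))
    clusters, current = [], []
    for ev in ordered:
        t = datetime.fromisoformat(ev["ts"])
        if current and (ev["host"] != current[-1]["host"]
                        or t - datetime.fromisoformat(current[-1]["ts"]) > gap):
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)
    return clusters

def detect_phishing_chain(cluster):
    """Stage 2, run on one cluster: email link -> web access to that domain ->
    file download from it -> execution of the downloaded file. No single event
    is suspicious on its own; the chain across the group is the indicator."""
    link_ts = {e["obj"]: e["ts"] for e in cluster if e["act"] == "link"}
    for dl in cluster:
        if dl["act"] != "download":
            continue
        domain, _, path = dl["obj"].partition("/")
        fname = path.rsplit("/", 1)[-1]
        if domain not in link_ts or link_ts[domain] > dl["ts"]:
            continue
        visited = any(e["act"] == "get" and e["obj"].startswith(domain + "/")
                      and link_ts[domain] < e["ts"] < dl["ts"] for e in cluster)
        executed = any(e["act"] == "exec" and e["obj"] == fname and e["ts"] > dl["ts"]
                       for e in cluster)
        if visited and executed:
            return (f"{cluster[0]['host']}: phishing link to {domain} clicked, "
                    f"{fname} downloaded and executed")
    return None

def investigate(events):
    """Cluster first, then detect per cluster; returns one narrative per detected activity."""
    return [n for n in (detect_phishing_chain(c) for c in cluster_events(events)) if n]
```

The two ws-17 events at 12:00 and the ws-22 browsing land in separate clusters and produce no finding; only the 09:00 group on ws-17 yields a narrative.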
With so many people now working remotely on multiple channels simultaneously, how can organizations unify their threat detection and response capabilities?
My first answer might be to deploy SecBI to improve your security posture, but I’ll hold that one off. Working remotely is not new. What is different today is the number of people doing it.
The simple way to secure such operations is to use a VPN and from there get access to corporate assets or cloud assets. There are, of course, some newer technologies as well. The big buzz now is SASE (Secure Access Service Edge). There are different security controls to ensure proper security like antivirus, endpoint solutions, cloud security, and so on.
At the end of the day, hackers will find a way around these solutions. I’m not saying you don’t need them, they have to be in place. If you patch your operating system and make sure everything is updated, you minimize the risk from 100% to 10 or 5 percent. Whatever it is, there’s still a risk.
Working remotely adds many layers of vulnerability, as it adds another attack vector for the attacker, enlarging the risk.
Whatever you put in place, an XDR platform extends and strengthens your cyber defense, because it takes the basic assumption that sooner or later a hacker will find their way in. It happens every day. They are extremely motivated and smart. You need something to analyze all the events and activities going on around your network. SecBI will analyze and detect malicious activity and respond quickly to anything that is detected.
Which trends and technologies do you expect to see more of in the coming years, and why?
Obviously, we’ll see more security solutions for cloud and SaaS, but that’s already happening. In recent years, we’ve seen a continuous pendulum, moving from protecting the endpoint to protecting the network and back to the endpoint. The focus tends to shift every 3-6 years and I expect that to continue.
One thing is clear, ML and AI are going to grow a lot more. It’s a basic, must-have technology for anyone who needs to analyze huge amounts of data, whether it’s a detection system, a prevention system, or anything else.
Hackers and their motivation are not going anywhere, so we need to continue to find ways to be a step ahead of them at any given time.