It’s all about the data. If there were no data to protect, we wouldn’t need security. But there are, and we do. This level of protection subsumes several older categories. Data protection is sometimes thought of in terms of malware, which brings anti-malware tools to mind, or in terms of endpoint protection. Today it is more than either of those.
Data protection must understand all of the data in the enterprise, how it is supposed to behave and how it actually is behaving. In a large enterprise that is a tall order. We found that the successful entries in this category use machine learning algorithms, which can manage very large amounts of data and keep tabs on all of it simultaneously, noting when something is not behaving as it should.
One way vendors innovate in this space is to build a platform rather than a single product. A platform can grow over time as requirements change and evolve, and individual modules can be tuned without a complete rebuild. The two vendors profiled here take different approaches, though: one focuses on the platform, the other examines individual data to detect data forgery.
In either case the spotlight is on the data. It matters where the data is examined: at rest on a server, at rest on an endpoint or in motion across the network. Wherever you examine it, the data fits one of three profiles: legitimate data that are unchanged, legitimate data that have been altered, and new, unknown data that have been introduced into the enterprise in one way or another. Data protection must take all three circumstances into account.
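The three profiles above are exactly what an integrity baseline check produces. The following is an added illustration, not code from Cylance, APERIO or any product on this page: a baseline of SHA-256 hashes of approved content is compared against a later snapshot and each item is sorted into unchanged, altered or new. It goes one step beyond the text by adding a fourth bucket, missing, because a baselined item that has disappeared also matters. Every path and file content is constructed for the example.

```python
"""Sorting data into the three profiles the text describes.

Added illustration, not code from Cylance or APERIO: an integrity baseline
(path -> SHA-256 of approved content) is compared against a current snapshot
and every item is classified as unchanged, altered or new. A fourth bucket,
missing, is added because a baselined file that has disappeared also
matters. All paths and file contents below are constructed for the example.
"""
from __future__ import annotations

import hashlib


def digest(data: bytes) -> str:
    """Content hash. Hashing content, not mtime or size, matters: an attacker
    who edits a file can restore its timestamp but cannot restore its SHA-256."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(approved: dict[str, bytes]) -> dict[str, str]:
    """Record the hash of every approved item. In practice the baseline must
    live somewhere the monitored host cannot write, or an intruder simply
    re-baselines after making changes."""
    return {path: digest(content) for path, content in approved.items()}


def classify(baseline: dict[str, str], snapshot: dict[str, bytes]) -> dict[str, list[str]]:
    """Assign each path in the snapshot to one of the page's three profiles
    (plus missing) by comparing content hashes to the baseline."""
    result: dict[str, list[str]] = {"unchanged": [], "altered": [], "new": [], "missing": []}
    for path, content in snapshot.items():
        expected = baseline.get(path)
        if expected is None:
            result["new"].append(path)          # unknown data introduced
        elif digest(content) == expected:
            result["unchanged"].append(path)    # legitimate, untouched
        else:
            result["altered"].append(path)      # legitimate but modified
    result["missing"] = [path for path in baseline if path not in snapshot]
    return {profile: sorted(paths) for profile, paths in result.items()}


# Constructed sample: the approved state of three files on a host ...
APPROVED = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/home.tgz /home\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}
BASELINE = build_baseline(APPROVED)

# ... and a later snapshot in which sshd_config was edited, the backup cron
# entry is gone and an unknown cron entry has appeared (all constructed).
SNAPSHOT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/home.tgz /home\n",
    "/etc/cron.d/update": b"*/5 * * * * root /tmp/.update\n",
}

if __name__ == "__main__":
    for profile, paths in classify(BASELINE, SNAPSHOT).items():
        print(f"{profile:9s} {paths}")
```

The check is only as trustworthy as the baseline: if the host being monitored can rewrite its own baseline, "altered" silently becomes "unchanged" after the attacker runs the same tool.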
Several approaches to analyzing data have been introduced over the past few years. Data protection has also been built into many other products, which we did not consider here; we were concerned solely with products for which data protection is the primary purpose. In that regard the players are few and the solid innovators fewer.
We have been using CylanceOPTICS in the lab here for some time, and we have been watching this innovator almost from the start. Beyond the innovations obvious in their approach to malware detection, they have a unique approach to innovation itself. We have observed them hypothesizing the evolution of the adversary and their attack techniques almost as far back as the company goes. The result is that they never, to our knowledge, have taken the road most travelled, and the results on occasion have been spectacular.
In that spirit, Cylance is taking the next evolutionary step: scaling to become a platform company, and it has already made excellent strides in that direction. OPTICS is the first step, but the goal is to be the first and largest AI endpoint security company and to scale to 100 million endpoints in two years. To do that they have already grown their engineering team to 320.
OPTICS is a visibility tool with a lot of promise in attendant areas. We have used it extensively in threat hunting on the enterprise, and remediation is the logical next step. At present the tool can isolate endpoints, the first step in remediation. Because it is AI-based and watches the endpoints and the network constantly, automating behavior-based analysis to flag deviations from expected or learned behavior as a potential breach is not a very big next step.
Cylance already offers a home edition. We have seen this from antimalware companies, but none of them have the capabilities of Cylance. Offering it in a time of remote working and remote access to the organization’s network from home simply acknowledges that the home machine could be considered a corporate endpoint. We always have CylancePROTECT and OPTICS on our laptops when we travel; sitting in the malware hot-box that hotels can become no longer troubles us.
Another sign of growth and maturity is the move to MSSP partnerships, signaled by the introduction of the Cylance MSSP Console. Acknowledging the need of government and large financial organizations to isolate their data from the cloud led to the on-premises console. Overall, these guys clearly are one of our poster children for innovation.
APERIO Systems – Data Forgery Protection
This is a most unusual and most innovative company. The focus is on industrial control systems (ICS) such as SCADA, and it is more concerned with the physical operation of the devices on the network than with their logical operation. The idea is that certain computers within an ICS provide command and control for relatively dumb sensors and other physical devices such as valves and switches. Compromising those computers can result in forged commands being sent to the devices.
APERIO validates these communications to ensure that only the correct messages are being sent. The product lives on a historian computer, which has a full view of the ICS network, and works from there. The historian does not need to sit on the monitored network itself, so it can be protected from compromise. The system recognizes malfunctions whether they are due to a device fault or a malicious attack, so beyond identifying malicious behavior it can also identify failing devices and give early warning of device failure.
The system knows what the physical data from a device should look like; in the case of forged data, it recognizes the change of state in the device and takes action. While the focus is on ICS, this innovator is taking the IoT as a whole as its playground. This is the first product we’ve seen that focuses on forged data rather than on malicious data streams attacking the target. The approach to combining the physical and logical data on the network is unique, and given the growth of the IoT we expect this to be a high-growth company. Understanding the physics of the ICS sensors and the data they produce is what makes the analysis possible.
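To make the idea of "knowing what the physical data should look like" concrete, here is an added illustration of a physics-consistency check. It is not APERIO’s code or method, and the process model is an assumption: a tank with a commanded inlet valve, flow meters on inlet and outlet, and a level sensor. Mass balance says the level can only change by (inflow minus outflow) times the interval divided by the tank area, so a reported level that disagrees with the reported flows is inconsistent with the physics, whether the cause is a forged (replayed) value or a stuck sensor. The tank geometry, tolerance and all readings are constructed for the example.

```python
"""A physics-consistency check on ICS sensor data.

Added illustration, not APERIO's code or method: a tank with an inlet valve,
a flow meter on the inlet and outlet, and a level sensor. Mass balance says
the level can only change by (inflow - outflow) * dt / area, so a reported
level that disagrees with the flows is inconsistent with the physics,
whether the cause is a forged (replayed) reading or a stuck sensor. The tank
geometry, tolerance and every reading below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

TANK_AREA_M2 = 2.0   # assumed tank cross-section
LEVEL_TOL_M = 0.05   # assumed allowance for sensor noise and rate changes


@dataclass(frozen=True)
class Reading:
    t: float          # seconds since start
    valve_open: bool  # commanded state of the inlet valve
    inflow: float     # m^3/s at the inlet flow meter
    outflow: float    # m^3/s at the outlet flow meter
    level: float      # metres reported by the level sensor


def check(readings: list[Reading]) -> list[tuple[int, str]]:
    """Return (index, reason) for every reading that contradicts the physical
    model. Flow rates are treated as constant over each interval."""
    alerts: list[tuple[int, str]] = []
    for i in range(1, len(readings)):
        prev, cur = readings[i - 1], readings[i]
        dt = cur.t - prev.t
        if dt <= 0:
            alerts.append((i, "timestamp did not advance"))
            continue
        # A closed valve cannot pass flow; a reading that says it does is
        # either a forged flow value or a valve that ignored its command.
        if not cur.valve_open and cur.inflow > 0.0:
            alerts.append((i, f"inflow {cur.inflow} m^3/s reported with inlet valve commanded closed"))
        # Mass balance: the level must follow the net flow into the tank.
        expected = prev.level + (cur.inflow - cur.outflow) * dt / TANK_AREA_M2
        if abs(cur.level - expected) > LEVEL_TOL_M:
            alerts.append((i, f"level {cur.level:.2f} m but mass balance predicts {expected:.2f} m"))
    return alerts


# Constructed: valve open, 0.04 m^3/s in, nothing out, so the level should
# rise 0.2 m every 10 s.
HONEST = [
    Reading(0, True, 0.04, 0.0, 1.00),
    Reading(10, True, 0.04, 0.0, 1.20),
    Reading(20, True, 0.04, 0.0, 1.40),
    Reading(30, True, 0.04, 0.0, 1.60),
]

# Constructed: from t=30 the level value is replayed at 1.40 while the flows
# still say the tank is filling, so the operator sees a steady, normal level.
REPLAYED = HONEST[:3] + [
    Reading(30, True, 0.04, 0.0, 1.40),
    Reading(40, True, 0.04, 0.0, 1.40),
]

# Constructed: the valve is commanded closed but the inlet meter still reports
# flow, and the level keeps rising to match that flow.
CLOSED_BUT_FLOWING = HONEST[:2] + [Reading(20, False, 0.04, 0.0, 1.40)]

if __name__ == "__main__":
    for name, series in (("honest", HONEST), ("replayed", REPLAYED), ("closed", CLOSED_BUT_FLOWING)):
        print(name, check(series) or "consistent with the physics")
```

Note that a frozen level sensor produces the same alert as a replayed level value: the check sees only that the reported data contradicts the physics, which is why the text says the system surfaces device faults and attacks alike and leaves the cause to be determined afterwards.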
This is a young, small company, but the wealth of experience in its leadership puts the lie to “size matters”. Already the leadership team is considered a prime resource for serious business and technology media, including this publication. Though only around two years out of “stealth,” this innovator has, through creative and innovative technology, solid engineering and management, and a knack for addressing its part of the market, garnered customers, started several proof of concept projects (with a high rate of conversion to sales) and begun hiring scientists and engineers to round out its core team.