Sramana Mitra: The example you gave about the propagated malware, does that mean that your system scans every ad that comes into the screen of any employee of your client enterprise?
Manoj Leelanivas: Yes, anything that is coming to an employee on any of the vectors. In this case, it’s going to a web page.
Sramana Mitra: It could be mobile as well.
Manoj Leelanivas: It could be a mobile as well. Let me just siphon off things into two different parts. One is, say, you’re on a Windows or a Mac machine and you’re doing web surfing or email; we can see that right there because it’s coming through the enterprise. If it’s the mobile device on WiFi, we see it through the enterprise too. For a mobile device that is completely encrypted and is not on the enterprise, we cannot see it.
It just goes through a different channel. In which case, we can’t see the primary attack. However, once you’ve downloaded something, what does it do? It actually tries to move and propagate from the mobile device to something else. The bad part is the lateral communication. We centrally correlate and analyse using machine learning models.
Sramana Mitra: The next question I have, as a follow-up to that, is: what kind of delay does this introduce? If that amount of data has to go through a filter, what kind of latency are we producing here?
Manoj Leelanivas: That’s a brilliant question. If you don’t mind, I can go a little bit into the architecture so that you can get a good understanding of the fundamentals of this, and then build up the story of the pieces. We de-couple the actual collection of interesting objects or interesting stuff from the enterprise from the actual analysis into two separate pieces. One is called collection and the other is called core. We’ve independently scaled out each component. You have general purpose servers which can scale the collection as much as you want.
If you want to look at a hundred sites, you can just do whatever you want using virtualised collectors. That’s the scaling part on the collection aspect. On the analysis part, it’s the cluster, which means that you can just cluster as many servers as you want depending on the capacity you want to analyze. That is how we scale to large enterprises where you look at millions of users. That is the fundamental scaling architecture. Having said that, we are not inline because there is still a delay. We need to look at the object and how it behaves maliciously. We have to detonate the object in a sandbox environment.
The average analysis is 15 seconds. It takes a significant amount of time even if we’ve scaled it out. What we do is we sit on a passive tap or a span, collect the information, do the analysis, and then through our API, we can program a firewall. We can program the firewall to put in the new blocking rules. Similarly, with a web proxy on a blue code. What we do is we process slightly offline. We are able to find something quickly and then prevent the spread. More importantly, if somebody has downloaded something to a Mac, we can actually figure out the dissipation of the attack and we can notify the enterprise to clean that machine.
This segment is part 4 in the series: Thought Leaders in Cyber Security: Manoj Leelanivas, CEO of Cyphort