
Cyphort Launches a New Advanced Threat Defense Platform

With no relenting in the growth of malware and advanced persistent threat (APT) activity, it's good to see new vendors enter the advanced threat defense space. Cyphort is the latest entry to the advanced threat, or malware, defense market niche pioneered by FireEye and Damballa, who were soon joined by IPS vendors (Check Point and Palo Alto) and endpoint protection vendors (McAfee and Trend Micro). And that’s not all. It’s a busy landscape populated with a number of approaches, some centered around a virtualization or emulation “sandbox” like FireEye, others centered around network analysis like Damballa, and even a few centered around security information and event management (SIEM) like Hexis Cyber Solutions, covered here in December. Most have multiple moving parts facilitating malware detection, analysis, remediation and response.

[Figure] Source: Cyphort, Inc.
So where does Cyphort fit and how is it different? The figure above helps answer that question. Going left to right, Cyphort provides:
  • Distributed collection sensors to “collect suspect malware data” from network, web and email traffic
  • Multi-method analysis, including a sandbox and analytics, both on-prem and in the cloud. Analysis also incorporates both global context (threat intelligence) and local context on assets and identity.
  • Integrated mitigation, endpoint infection verification, and a capability to deploy malware mitigation rules to third-party perimeter devices. Like other vendors in the space, Cyphort has found it expedient to confirm that endpoints targeted by malware found on the network by a sandbox were actually infected before generating an alert that could turn out to be a false positive.

Cyphort’s focus on updating heterogeneous perimeter devices rather than providing its own inline appliance to do the blocking and tackling is a bit unusual. Most competitors provide an appliance-based solution that can be deployed inline or out of band to block suspect traffic or generate alerts. True, many customers want to avoid yet another “bump in the wire” from an appliance; these customers may like the approach of automated network remediation with third parties – but only if the experience is smooth and reliable enough in their unique production configuration.

Besides the partnership approach to mitigation, Cyphort’s software-based deployment is also a differentiator. Customers can deploy either a turnkey OS onto commodity hardware, or a virtual machine (VM) image for VMware. This allows sensors to be deployed across the enterprise – within data centers and out to branch offices – as well as along the perimeter. Combined with bandwidth-based pricing (rather than per-appliance or per-channel pricing) the software deployment may provide a less expensive solution with broader coverage than some of the others.

Cyphort can also perform sandboxing analysis for multiple operating systems and verify infections on endpoints to reduce false positive alerts. Coupled with the ability to integrate with Active Directory to contextualize risk and prioritize or organize alerts based on security group memberships or other information on machine assets, these features also make Cyphort a potentially strong entrant to the category.
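To make the infection-verification and directory-context ideas concrete, here is an added illustrative model of that correlation step (my own example, not Cyphort's code): a sandbox verdict only becomes a confirmed alert when endpoint telemetry shows an artifact the sandbox saw the sample drop, and alerts on hosts in sensitive directory groups sort first. The sample verdicts, endpoint events, group names and hashes are constructed.

```python
from dataclasses import dataclass

# Constructed sample data: sandbox verdicts for files seen on the wire,
# endpoint file-creation telemetry, and directory group membership per host.
SANDBOX_VERDICTS = [
    {"sha256": "c0ffee01", "verdict": "malicious", "host": "ws-042",
     "artifacts": ["C:\\Users\\Public\\svc.exe"]},
    {"sha256": "c0ffee02", "verdict": "malicious", "host": "ws-077",
     "artifacts": ["C:\\ProgramData\\upd.dll"]},
    {"sha256": "c0ffee03", "verdict": "benign", "host": "ws-099", "artifacts": []},
]
ENDPOINT_EVENTS = [
    {"host": "ws-042", "event": "file_create", "path": "C:\\Users\\Public\\svc.exe"},
    {"host": "ws-077", "event": "file_create", "path": "C:\\Windows\\Temp\\log.txt"},
]
AD_GROUPS = {
    "ws-042": {"Domain Computers", "Finance-Workstations"},
    "ws-077": {"Domain Computers"},
}
HIGH_VALUE_GROUPS = {"Finance-Workstations", "Server-Admins"}  # assumed policy


@dataclass
class Alert:
    host: str
    sha256: str
    status: str    # "confirmed" (endpoint evidence) or "unverified" (sandbox only)
    priority: str  # "high" when the host sits in a sensitive directory group


def infection_verified(verdict, events):
    """True if the endpoint reported creating an artifact the sandbox saw dropped."""
    dropped = set(verdict["artifacts"])
    return any(e["host"] == verdict["host"] and e["event"] == "file_create"
               and e["path"] in dropped for e in events)


def priority_for(host, ad_groups):
    """Raise priority when the host belongs to any high-value group."""
    return "high" if ad_groups.get(host, set()) & HIGH_VALUE_GROUPS else "normal"


def triage(verdicts, events, ad_groups):
    """Turn raw sandbox verdicts into an ordered alert queue."""
    alerts = []
    for v in verdicts:
        if v["verdict"] != "malicious":
            continue  # benign verdicts never reach the analyst queue
        status = "confirmed" if infection_verified(v, events) else "unverified"
        alerts.append(Alert(v["host"], v["sha256"], status, priority_for(v["host"], ad_groups)))
    # confirmed infections first, then high-priority hosts within each status
    return sorted(alerts, key=lambda a: (a.status != "confirmed", a.priority != "high"))
```

The unverified alert for ws-077 is kept rather than dropped, since absence of endpoint evidence may mean the agent missed it; it simply ranks below confirmed infections.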
