Candidates for engineering roles on our team often ask us whether they need a background in security. The answer is: Definitely not. Many attackers themselves are software engineers, rather than hackers or security experts, and that expertise isn’t required to be a Cybereason Defender, either. To help explain why, we asked Team Lead for Anti-Malware and Kernel Engines Dani Koretsky to share an inside look at some of the development work that makes Cybereason possible.
Imagine you check your email and see a message from your CEO about a new and urgent project with instructions in an attachment. You might be tempted to open it immediately, rather than risk slowing things down. But too often, what appears to be a time-sensitive message from a colleague or even an innocuous download from a seemingly trustworthy website is the prelude to an attack.
On an unprotected device, any file you open can start running various operations—some legitimate, some not. While you’re looking at an Excel spreadsheet, it might be running a hidden macro and spreading from your machine to others in your company’s network such as your colleague’s computers, a router, or even a server in the cloud. If the malicious file is ransomware, it will start encrypting as many files as it can, effectively taking your network hostage.
And while traditional antivirus software can catch most known malware strains, it offers little to no protection against unknown variants. Most solutions simply scan files and decide whether to block them, after which their work is done. I like to think of it as a wooden fence around your home—it might deter many would-be intruders, but someone who really wants to get in can usually get through. This is where you’d better start thinking of an advanced “home alarm system” in addition to the nice fence around your home.
Cybereason is different in a couple of ways. We stop attacks before they start (more on that below), but we also built our platform on the foundational principle that a simple “fence” is not enough. Beyond blocking malicious executables, the Cybereason XDR Platform also detects the earliest stages of an attack based on Indicators of Behavior: chains of behavior that can surface an attack before a threat actor can establish persistence on a target network.
Cybereason delivers next-generation solutions that leverage cutting-edge AI and machine learning algorithms that work together as layered defense for real-time prevention, detection and response. Where legacy security products fail to stop unknown attack techniques, the Cybereason XDR Platform identifies indicators that a file is malicious whether or not it’s ever been seen before.
Should a simple flashlight app contain 10,000 lines of code? Is there a Dropbox URL that could be used for command and control (C2) in a crafted message about a colleague’s trip abroad? Can otherwise “normal activity” on a network be an indicator of an attack when the behaviors are chained in a particular sequence?
The Cybereason XDR Platform quickly detects chains of behavior that are either rare or present a strategic advantage to an attacker, providing analysts with the tools they need to mitigate attacks before they cause damage.
Customers see disparate events correlated across user identities, devices, application suites and cloud workloads with rich context from root cause: where an attack started, exactly what happened in the attack sequence, and multiple points in the kill chain where the attack can be arrested. Through our intuitive user interface, analysts can trace suspicious activity all the way back to a compromised endpoint, isolate the device, and leverage automated or one-click remediation to end the attack.
Making it Work
As you might imagine, building and implementing a platform like Cybereason is a complex engineering challenge. Our software runs on customers’ devices as well as our own—including a wide range of hardware and operating systems running an even wider range of other applications. Therefore, our platform must be not only extremely reliable but also lightweight, highly efficient and non-intrusive.
Because security is an ever-evolving field, our team also focuses on opportunities to “future-proof” the platform. For engineers, a background in security isn’t necessarily required; Cybereason has a full team of expert researchers who develop new ways to protect against emerging threats. But we do build the system into which those are added, and we can’t release a different version for every new approach an attacker might take.
Instead, we work with data scientists who train AI/ML models that can predict and detect new iterations of malicious TTPs, and build in logic that allows our security researchers to update specifics without writing a single line of code. This is one of the reasons I have so much fun working at Cybereason: the opportunity to design something that will be highly effective not just for weeks, but for a good few years.
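To make two of the ideas above concrete, the “chain of behaviors” from the Indicators of Behavior discussion and the point just made about researchers updating specifics without writing code, here is a small behavior-chain detector. It is an added illustration written for this page, not Cybereason’s code, and its event schema, rule schema, host names, domain and sample telemetry are all constructed. The chain rules are plain data: a researcher can add a process image or a registry path to a rule without touching the engine, and an alert fires only when every step of the chain occurs on the same host within a time window, so a lone spreadsheet talking to a file-sharing domain does not alert while the full sequence does.

```python
"""Toy behavior-chain detector: an added example, not Cybereason's code.

Rules are data (editable without changing the engine), and an alert fires only
when a whole chain occurs on one host inside a time window. All field names,
the rule schema and the sample telemetry below are constructed for this demo.
"""

# Constructed sample endpoint telemetry ("ts" is seconds; any order is fine).
SAMPLE_EVENTS = [
    {"ts": 10, "host": "ws-01", "type": "process_start", "pid": 100, "ppid": 1,
     "image": "EXCEL.EXE", "user": "alice"},
    {"ts": 12, "host": "ws-01", "type": "process_start", "pid": 101, "ppid": 100,
     "image": "powershell.exe", "user": "alice"},
    {"ts": 15, "host": "ws-01", "type": "net_connect", "pid": 101,
     "dest": "files.example-share.test", "port": 443},
    {"ts": 20, "host": "ws-01", "type": "registry_set", "pid": 101,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    # Benign-looking noise: a spreadsheet on another host that reaches the same
    # file-sharing domain directly. On its own that is not the chain.
    {"ts": 11, "host": "ws-02", "type": "process_start", "pid": 200, "ppid": 1,
     "image": "EXCEL.EXE", "user": "bob"},
    {"ts": 14, "host": "ws-02", "type": "net_connect", "pid": 200,
     "dest": "files.example-share.test", "port": 443},
]

# Chain rules as data. "where": exact-value allow-lists; "contains": substring
# match; "link": the field must equal an attribute of an earlier bound event.
CHAIN_RULES = [
    {
        "name": "office_spawns_shell_net_persist",
        "window_s": 300,
        "steps": [
            {"type": "process_start",
             "where": {"image": ["EXCEL.EXE", "WINWORD.EXE"]}, "bind": "office"},
            {"type": "process_start",
             "where": {"image": ["powershell.exe", "cmd.exe", "wscript.exe"]},
             "link": {"ppid": "office.pid"}, "bind": "shell"},
            {"type": "net_connect", "link": {"pid": "shell.pid"}},
            {"type": "registry_set", "link": {"pid": "shell.pid"},
             "contains": {"key": "\\Run\\"}},
        ],
    },
]


def _matches(event, step, bound):
    """Does one event satisfy one rule step, given the already-bound events?"""
    if event["type"] != step["type"]:
        return False
    for field, allowed in step.get("where", {}).items():
        if event.get(field) not in allowed:
            return False
    for field, needle in step.get("contains", {}).items():
        if needle not in str(event.get(field, "")):
            return False
    for field, ref in step.get("link", {}).items():
        name, attr = ref.split(".")
        if event.get(field) != bound[name].get(attr):
            return False
    return True


def detect_chains(events, rules):
    """Return one alert per fully matched chain: rule name, host, event trail."""
    alerts = []
    for rule in rules:
        steps, window = rule["steps"], rule["window_s"]
        partials = []  # in-progress chains waiting for their next step
        for ev in sorted(events, key=lambda e: e["ts"]):
            # Forget partial chains that have outlived the rule's window.
            partials = [p for p in partials if ev["ts"] - p["start"] <= window]
            candidates = list(partials)
            # Any event may also open a brand-new chain at step 0.
            candidates.append({"host": ev["host"], "start": ev["ts"],
                               "bound": {}, "idx": 0, "trail": []})
            for p in candidates:
                if p["host"] != ev["host"]:
                    continue
                step = steps[p["idx"]]
                if not _matches(ev, step, p["bound"]):
                    continue
                # Keep the old partial too, so branching activity still chains.
                q = {"host": p["host"], "start": p["start"],
                     "bound": dict(p["bound"]), "idx": p["idx"] + 1,
                     "trail": p["trail"] + [ev]}
                if "bind" in step:
                    q["bound"][step["bind"]] = ev
                if q["idx"] == len(steps):
                    alerts.append({"rule": rule["name"], "host": q["host"],
                                   "trail": q["trail"]})
                else:
                    partials.append(q)
    return alerts


def describe_alert(alert):
    """Render the root-cause chain an analyst would read, first event first."""
    first = alert["trail"][0]
    parts = [f"{first['image']} ({first['user']})"]
    for ev in alert["trail"][1:]:
        parts.append(ev.get("image") or ev.get("dest") or ev.get("key"))
    return f"{alert['rule']} on {alert['host']}: " + " -> ".join(parts)


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS, CHAIN_RULES):
        print(describe_alert(alert))
```

Run as a script, it prints a single line for ws-01, starting at the spreadsheet and ending at the autorun registry write; ws-02 produces nothing because its events never form the chain. Adding a new spawned interpreter or a new persistence location is a change to `CHAIN_RULES`, not to `detect_chains`, which is the property the paragraph above describes.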
Of course, that doesn’t mean we get bored—on the contrary. With every advance in technology—whether it’s more connections between services in the cloud or just a new release of the software our customers use—comes potential vulnerabilities, and there is no shortage of interesting projects on our to-do list.
The Cybereason partnership with Google Cloud is just one example; by connecting our powerful backend analysis to telemetry from not only endpoints and executable files but to cloud-based deployments and applications, Cybereason can identify suspicious activity even more quickly.
In the cyber security space, there is no end to the surprises—and there is always something new to do, but I believe that with high quality engineering, a few people can help solve many problems for the years to come.
Cybereason is one of the fastest-growing cybersecurity companies in the world, and was recently named to three Built in Boston’s Best Places to Work lists for 2022: Boston Best Places to Work, Boston Best Paying Companies, and Boston Best Large Companies to Work For. Explore our careers site to learn more about Cybereason’s company culture and open positions.
Dani Koretsky is an experienced engineer working in our endpoint security group. He leads teams of engineers working on Windows Kernel and cross-platform prevention capabilities in the Cybereason XDR Platform. He has over 15 years of experience with software and cyber security product engineering.