How Cybereason detects APTs in real time

May 20, 2016 | 1 minute read

Whenever I talk to potential customers, without fail, they ask how Cybereason can detect advanced persistent threats in real time. They claim the technology required to perform this task doesn't exist, or think we use a different definition of real time.

Cybereason doesn't batch security incident updates and push them out at 15- or 30-minute intervals. Honestly, there's no asterisk next to real time. Real-time detection of APTs is entirely feasible, and in this blog post I'll explain how we do it.

Cybereason continuously collects data from endpoints and performs statistical analysis on the server, so detection happens in real time or near real time: the only latency is the time it takes to collect the data and analyze it, not a polling or batching interval. Once the platform determines that a malicious operation is underway, the incident is reported at that moment rather than held for the next scheduled update.

Our unique data collection mechanism and in-memory graph technology make this possible. The in-memory graph, which we hold patents on, tracks the known state of each endpoint, so the sensor only has to report what has changed since the last update rather than resending a full picture of the machine. With only deltas to ingest, the graph has far less data to process per update, which is what allows Cybereason to quickly provide details on the detected incident.

Additionally, we developed a proprietary database technology that backs this in-memory graph and runs the statistical analysis in near real time. We found that Hadoop, Cassandra and similar big-data storage and batch-processing platforms were not designed for the continuous, low-latency statistical queries this requires. So, we built our own.
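To make the collect-diff-analyze loop described above concrete, here is an added example in Python. It is not Cybereason's code and says nothing about its patented graph or database internals; it only demonstrates the shape of the technique: a sensor diffs two process snapshots and ships only the delta, and a server-side in-memory graph applies that delta and runs a simple frequency rule over (parent image, child image) pairs. The snapshots, the baseline counts, the process keys and the `min_parent_obs` and `rare_ratio` thresholds are all constructed for the demo, and the frequency rule is a stand-in for whatever statistical analysis a real product runs.

```python
"""Delta reporting into an in-memory process graph.

Added illustration, not Cybereason's code. The sensor diffs successive
process snapshots and ships only the changes; the server applies them to an
in-memory graph and runs a simple frequency rule over (parent image, child
image) pairs. Every snapshot, the baseline Counter and both thresholds are
constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from typing import Dict, List, Tuple

# A process is keyed by (pid, start_time): a reused pid is a new node.
ProcKey = Tuple[int, int]


def diff_snapshot(prev: Dict[ProcKey, dict], curr: Dict[ProcKey, dict]):
    """Sensor side: emit only what changed since the last snapshot.

    Returns (added, removed): added maps new keys to their attributes,
    removed lists keys that have exited. Unchanged processes are not sent.
    """
    added = {k: curr[k] for k in curr.keys() - prev.keys()}
    removed = sorted(prev.keys() - curr.keys())
    return added, removed


class ProcessGraph:
    """Server side: nodes are processes; edges run from parent to child."""

    def __init__(self, baseline: Counter, min_parent_obs: int = 1000,
                 rare_ratio: float = 0.001):
        self.nodes: Dict[ProcKey, dict] = {}
        self.children: Dict[ProcKey, set] = {}
        self.baseline = Counter(baseline)     # (parent_image, child_image) -> count
        self.min_parent_obs = min_parent_obs  # history needed before judging a parent
        self.rare_ratio = rare_ratio          # pair share below which an edge is "rare"

    def image_of(self, key: ProcKey) -> str:
        node = self.nodes.get(key)
        return node["image"] if node else "<unknown>"

    def is_rare_edge(self, parent_image: str, child_image: str) -> bool:
        """Frequency rule: how often does this parent spawn this child?"""
        parent_total = sum(c for (p, _), c in self.baseline.items() if p == parent_image)
        if parent_total < self.min_parent_obs:
            return False  # too little history to call anything rare
        return self.baseline[(parent_image, child_image)] / parent_total < self.rare_ratio

    def apply(self, added: Dict[ProcKey, dict], removed: List[ProcKey]) -> List[dict]:
        """Apply one delta to the graph; return alerts raised by new edges."""
        alerts = []
        # Parents first, so a child's parent image is resolvable within one delta.
        for key, attrs in sorted(added.items(), key=lambda kv: kv[0][1]):
            self.nodes[key] = dict(attrs, exited=False)
            parent = attrs.get("parent")
            if parent is None:
                continue
            self.children.setdefault(parent, set()).add(key)
            pair = (self.image_of(parent), attrs["image"])
            if self.is_rare_edge(*pair):
                alerts.append({"parent": pair[0], "child": pair[1], "pid": key[0]})
            self.baseline[pair] += 1  # the graph keeps learning from every edge
        for key in removed:
            if key in self.nodes:
                self.nodes[key]["exited"] = True  # keep exited nodes for investigation
        return alerts


# Constructed baseline: how often each parent image spawned each child image.
BASELINE = Counter({
    ("explorer.exe", "chrome.exe"): 7000,
    ("explorer.exe", "winword.exe"): 3000,
    ("winword.exe", "splwow64.exe"): 1990,
    ("winword.exe", "powershell.exe"): 1,
})

# Constructed snapshots from one endpoint at three points in time.
SNAP_T0 = {
    (4, 100): {"image": "System", "parent": None},
    (500, 101): {"image": "winlogon.exe", "parent": (4, 100)},
    (620, 102): {"image": "explorer.exe", "parent": (500, 101)},
}
SNAP_T1 = {**SNAP_T0, (900, 110): {"image": "winword.exe", "parent": (620, 102)}}
SNAP_T2 = {**SNAP_T1, (960, 121): {"image": "powershell.exe", "parent": (900, 110)}}


def run_demo() -> Tuple[ProcessGraph, List[dict]]:
    """Feed the three snapshots through the sensor diff and the server graph."""
    graph = ProcessGraph(BASELINE)
    alerts: List[dict] = []
    prev: Dict[ProcKey, dict] = {}
    for snap in (SNAP_T0, SNAP_T1, SNAP_T2):
        added, removed = diff_snapshot(prev, snap)
        alerts += graph.apply(added, removed)
        prev = snap
    return graph, alerts


if __name__ == "__main__":
    g, found = run_demo()
    print(f"{len(g.nodes)} nodes tracked, {len(found)} alert(s): {found}")
```

Two things to notice when running it: the delta between the second and third snapshots is a single process out of five, which is the data-volume saving the post is describing, and the alert fires at the moment that one-process delta is applied, because the rule is evaluated per edge as it arrives rather than on a scheduled sweep. Keying processes by (pid, start time) rather than pid alone is what keeps the server's state honest when the endpoint reuses a pid.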

Lital Asher-Dotan
About the Author

Lital is a marketing team leader, storyteller and technology marketing expert. She joined Cybereason as its first marketing hire and built a full marketing department, specializing in brand building, product marketing, communication and content. She is passionate about building ROI-driven marketing teams.