So last week I wrote about why Cybereason beats a SIEM solution. In a past life, I was heavily involved in the network packet capture space - this is another tool we often see folks looking to deploy, and they ask why we’re different.
Network packet capture tools sit and watch network links, capture everything that’s going on and look to a) isolate malicious traffic and b) provide session reconstruction to help you understand exactly what happened on the network.
Now compared to SIEMs, most network tools are waaaay more useful - but SIEM really is a low bar to beat. Even network packet capture tools have four main problems, though:
- It’s cost prohibitive to monitor everywhere. A fully utilized 100 megabit per second (Mbps) link produces roughly 1 TB of raw packet data per day (even 10 Mbps - a fraction of my home Internet connection - fills around 100 GB a day). So a multi-gigabit environment where you keep data around for a couple of weeks would mean *massive* hardware requirements, plus all the power and cooling that goes with that. Data volumes that large also have to be stored close to where they’re captured. The upshot is that companies only monitor “ingress/egress points” to their network (whatever that means...see my next point), so they get no visibility into lateral movement, privilege escalation or anything else happening inside the network.
- True network analysis is very processor intensive and tough on the analyst. Outside the packet headers, most raw network data is opaque binary. Extracting truly meaningful data out of a network session takes a huge amount of processing power, and far more if the traffic is encrypted - provided you even have the keys to decrypt it. More analysis means more hardware and higher cost. And once you’ve extracted the meaning, presenting it in a way that’s consumable by anyone but a highly experienced L3 analyst is beyond the vast majority of tools out there today.
- Networks don’t give you the visibility they used to. It used to be that employees in the office accessed applications in the datacenter. Today, the sales rep in Starbucks accessing Salesforce.com or Office365 never touches your corporate network. The massive rise in workers accessing SaaS or cloud applications means that by monitoring the network you’re only getting a fraction of what you need to see. It’s getting worse, too. Many companies now provision remote offices with a bog-standard Internet connection and treat employees in those offices like mobile workers. And attackers looking to exfiltrate data use machines that move on and off the network, so the stolen data never crosses an ingress/egress point.
- Networks are filthy places, so prioritizing what to go after is really hard. Unless you have awesome network hygiene (and very few people do), your network is likely rife with all manner of pond life. Distinguishing between what’s truly harmful to the business and what’s merely annoying takes a huge amount of knowledge about network topology. And pulling together all the stages of an attack is a tedious affair of manually correlating activity from across the network.
True, some tools capture only “metadata” about network traffic to cut down on infrastructure costs, but that loses visibility into what’s actually inside the sessions - an ever bigger problem as bad network traffic looks more and more like legitimate traffic. Others use “machine learning” to isolate malicious traffic - although as we saw with Microsoft’s Tay bot, using these techniques to find anomalous activity can be fraught with difficulty.
So with a network tool, you spend a lot of money on infrastructure, and you need an army of L3 analysts to make sense of it. At the same time, you don’t get to see lateral movement, and you don’t get visibility into remote employees. In contrast, with Cybereason, you get:
- Visibility everywhere. Cybereason’s Endpoint Sensors monitor – in real time – every process, every connection, every user on every endpoint across the enterprise, whether it’s a server at your corporate headquarters or a laptop in a coffee shop accessing a SaaS application. This gives you an unparalleled understanding of everything that’s going on across your environment.
- Easy deployment - even in a BYOD environment. Cybereason’s Endpoint Sensor runs in user space, eliminating the risk of causing a “blue screen”. This means that you can deploy it everywhere - including on contractors’ machines and BYOD devices - without worrying about Cybereason conflicting with some other software a BYOD user has installed.
- Zero on-premises server footprint - unless you want it. Most of Cybereason’s customers deploy in the cloud, eliminating the need for data center space, power, cooling, and other provisioning costs. Other customers deploy on-premises, depending on their preference.
- Automatic detection of previously unknown threats. Cybereason’s Hunting Engine collects all the data from the endpoint sensors and uses a purpose-built, in-memory graph to identify threats. The Hunting Engine analyzes in real time, and uses machine learning and statistical and behavioral analytics to get unparalleled detection of all elements of an attack, especially those threats that have never been seen before.
- Automatically presents all aspects of a malicious operation (or Malop). Cybereason automatically pulls together all attack context associated with a malicious operation, and visualizes the data for an analyst - even a relatively junior one. Cybereason also comes preconfigured with behavioral models so you can get value immediately when you roll out the sensor.
- Automated response. Network capture tools are passive. However, with Cybereason, once you identify a threat you can automatically shut it down, prevent it from spreading elsewhere, isolate it, and perform full-blown remote forensics on the machine.
Paul Stamp is Cybereason’s Director of Product Marketing.