LightCyber’s Magna product uses machine learning to build a fuller picture of how a network should look and to pinpoint real anomalies that can indicate a breach
Short staffed and inundated with mountains of alerts, managing an enterprise’s security can feel like a Herculean task.
Continuing their mission to cut the thousands of alerts that hit an IT professional’s desk every day down to the ones worth acting on, the Ramat Gan and Los Altos-based behavior analytics team at LightCyber announced on Wednesday the close of their Series B funding round, adding $20 million to their war chest.
Leading the round are investors Shlomo Kramer and Access Industries, the latter through its Israeli arm Claltech. Previous investors from the $10.5 million Series A round of September 2014, Battery Ventures, Glilot Capital Partners, and Amplify Partners, also took part.
Co-founded in 2012 by Chief Product Officer Giora Engel and CTO Michael Mumcuoglu, LightCyber’s Magna product uses machine learning to collect massive amounts of data from a company’s network, endpoints, and user profiles to build a fuller picture of how a network should look, and to pinpoint real anomalies that can indicate a breach.
Moving forward, the company has told Geektime that this round will be used to expand global sales and marketing, as well as to develop the product further with more R&D hires, noting that they have tripled the R&D team since their last round.
Shifting from prevention to protection
In conversations with IT professionals, one of the biggest challenges they describe today is finding ways for their teams to keep up with the ever-rising number of alerts sent to them by the variety of detection tools monitoring their systems’ security.
LightCyber’s CEO Gonen Fink tells Geektime that the industry has seen a sizable shift in recent years, moving away from a focus on preventing breaches to the assumption that attackers are already in the system.
“Protection and prevention isn’t enough,” he explains. “There needs to be an increased focus on detection after a breach happens.” He adds that the budgets are there to bring in the necessary protections.
He notes that there is also an increasing feeling that companies are responsible for protecting their customers’ data, and that detecting breaches is an important part of showing that they are taking the issue seriously.
“Finally after so many years, people are figuring out that the current systems aren’t enough, including those of Check Point and everyone else,” says Fink, who worked for many years at the cyber security leader. “Up until two or three years ago, even those who were aware of the limitations were ready to deal with what they had. But all the hacks of the past few years have shown that we can’t keep going on the same path. At any given moment, your network is likely to be breached. Until three years ago, this wasn’t the assumption.”
He says that the issue of exposure is not being glossed over in the same way that it used to be, and that it is becoming more of a priority for company leadership teams, who are concerned that they could become the next public victim of an attack.
Making molehills out of mountains
The problem with the emphasis on detection comes when IT teams are unable to cut through the noise of benign alerts to find the real attacks, due in large part to their inability to track actions across their systems.
Executive Vice President Jason Matlof tells Geektime that, “The biggest challenge is providing accurate visibility into the operational behavior of attackers who are already active on your network, and have circumvented the threat prevention infrastructure. A real focus on accurate visibility is what’s needed.”
Matlof says that, “The more data that you feed into the learning process, the more accurate you will be in the alerts that you produce.” He says that their focus is on giving their clients effective, actionable alerts that save time.
The company believes that by starting at the network and endpoints, it gets a better picture than by looking through logs alone. “If all you want to do is track a user, then the log user system is fine, but not useful for dealing with attacks,” Matlof explains, adding that, “There are no logs for many systems in a network, so they can’t be tracked by log-only systems.”
This approach appears to be paying off for LightCyber as well as their clients. According to a LightCyber report that polled its customers in Q1 2016, clients received an average of 1.1 alerts per thousand endpoints per day.
Compared with the thousands of alerts they were facing with log-focused providers, this marks a significant shift in how IT teams can use their resources.
If a threat is found within the network, whether from an outside attacker or, in some cases, an insider, the product’s integrations with Check Point, Palo Alto Networks, and Microsoft Active Directory allow IT teams to remediate issues with a click.
Facing off against limited resources, companies need solutions that can cut through the noise. LightCyber’s machine learning approach of taking in massive amounts of data from different sources to create the most accurate picture is a part of a movement to change how companies manage their security.
A number of other companies have entered the user and entity behavior analytics (UEBA) space, recognizing the potential for impressive growth across the market. Newcomer Preempt, another California/Israeli venture, has recently launched its UEBA product, which comes with a dynamic firewall that challenges users with two-step verification if their legitimacy is called into question. The Valley’s Vectra Networks and Darktrace from the UK are also big-name competitors to keep an eye on.
Will LightCyber’s solution make some mistakes? Yes. Are some alerts going to come through that might not be legitimate? Of course, because nothing is perfect.
But if they are cutting down the number of alerts for an enterprise’s IT team to the single digits, a far cry from the thousands that are produced with most of the other detection-based products, then this is a solution that every enterprise must integrate.