CyberSight: Overview

CyberSight

CyberSight Professional is a new type of security software solution. It is an intrusion and abuse prevention system, designed specifically to protect your organisation by combatting the new generations of threats and computer abuse that often bypass or compromise conventional security measures.

  • Company data - protection of valuable assets such as IPRs and blueprints
  • Fraud - alert against hacking tools, including the never-before-seen
  • Abuse - notification of costly misuse of company system resources
  • Audit - perpetual inventory of hardware and software
  • Compliance - recognition of illegal and pirated software
  • Obscenity - detection of pornographic material, generating no false positives
  • Data protection - control of confidential customer records
  • Policy - automatic enforcement of corporate and IT policy
  • Forensic - rigorous audit trail for evidential use
  • Security - 0 day exploit detection, 250 million item archive capability

Compliancy

Monitors and prevents unauthorised applications or files from existing or executing on your network. Manages users who abuse systems and networks. Generates the audit and forensic records needed to address issues.

Return on investment

The second you install CyberSight you start saving money. It will:

  • Reduce license costs by identifying unused or little used software
  • Remove pirated software to reduce liability
  • Retire a range of existing technologies
  • Identify theft
  • Protect confidential material
  • Track stolen equipment - laptops, PCs or components
  • Instant asset register
  • Instant software audit

Understand usage

Understand how your network is being used

  • Most commonly used software
  • Storage analysis
  • Costing report of system usage
  • Profiling systems usage by systems or departments
  • Reporting on network usage
  • Identify network and systems abuse

Active -- not reactive

The importance of taking action against a potential problem before it becomes a reaction to a current problem is something that Cryptic Software are very keen to stress. More and more of our customers are installing CyberSight™ because they would rather be made aware of the problem when it has been eliminated, not when it has caused irreparable damage.

Forensics

CyberSight tracks everything:

  • Newly installed software
  • Keys typed by end users including passwords
  • Desktop screen shots as events occur
  • Real time stealth remote viewing
  • Recording windows sessions
  • Photographic evidence from web cams
  • Network usage
  • Application CPU usage
  • Printed document tracking
  • Software execution time by CPU usage and time
  • File access trails

Piracy

Detect and remove pirated software, MP3 files, DIVX (XVID) pirate movies. Detect and remove the tools, downloaders and P2P software used to flood your networks.

Footprint

The CyberSight remote agent is small enough to fit on a floppy disk and uses on average 0.05% of the monitored machine's CPU. Using automated deployment of the stealthy agent, CyberSight can be rolled out across large networks in minutes.

Comprehensive

It's capable of detecting over 250 million threats with no overhead on your managed systems. It covers over 320 categories of threat.

Some other features

  • Systems management
  • Off line encryption
  • Remote administration
  • Real time backup
  • Software auditing concurrency
  • Hardware audit and monitoring
  • Software deployment
  • Automatic software patching

CyberSight Version 7 White Paper: Version 1.4

Overview

Note: This document describes a limited subset of CyberSight functionality and is not intended for evaluation purposes.

Background

Dave Duke is the founder of Cryptic Software and principal developer of CyberSight. Dave has worked for many years for various blue chip companies and government organisations.

Because the environments he worked in tended to place security at a fairly high level, he became extremely interested in the implementation of security strategies. It soon became obvious to Dave that there were significant drawbacks with the available security architectures.

Over a period of several years Dave heavily researched security with an emphasis on malicious attacks and the means of obtaining the tools used to carry them out. To his surprise he discovered major flaws in the methodologies of market leading security products that were being used to detect hacking or other types of malicious attack.

It was also apparent that organizations needed to purchase multiple products to achieve even a modest, barely acceptable, level of security. These products were all very different in configuration and approach. They frequently became a burden to administration and support teams and were unpopular with users due to their impact on performance.

Dave elected to design a new security product based upon a completely different architecture.

Product Criteria

Analysis of Problems and Our Solutions

The product itself had to be hidden and secure

Our research showed that there were two areas of concern with current security technologies. The first was that end users were terminating the defense technology due to frustration with degraded performance, a hard lesson that even Microsoft have learned from. The second, and more recent, is that attackers now specifically target, attack, terminate, and sometimes emulate, the security product itself without the user's awareness. This is a potentially disastrous scenario, as system defenses appear to be functional when, in reality, there may be no security functionality at all.

CyberSight was designed specifically to combat these problems. Firstly, the CyberSight monitoring agents that are deployed to client systems are a mere 700kb and typically utilise less than 0.05% of the host's processor power, about the same as Notepad.

Having provided a low resource agent that the user will not notice, we then had to protect the agent itself against attack. This is done via our patented "Gemini" process. Once the client agent has been executed it divides into two distinct processes, each securing and monitoring the execution of the other, so any attempt to terminate either one is reported as an attack event. The two agents also monitor their respective start-up processes for tampering or attempts to remove them.

Secondly, CyberSight's agent has the ability to hide itself. The CyberSight agent can be given any name and installed anywhere; more importantly it can communicate via any port using non-predictable random encryption techniques.

A third plus is CyberSight's invisibility to attackers' port-scanning techniques; a port scan directed at a CyberSight agent will reveal nothing. Unlike most products, the CyberSight agent does not have a "listener", which adds to CyberSight's stealth ability: "If you cannot see it, you cannot attack it". Through simple configuration options it is possible to prevent the local system being monitored from seeing any communication sockets.

Resource usage and network traffic on client machines had to be acceptable

Many security applications in use today are frequently compromised by end users terminating them due to their impact on local system performance. CyberSight was designed with a completely different architectural approach to threat analysis, and a key feature of this is the agent's low demand on system resources.

Another concern was the requirement of most security applications to regularly update large threat databases on many server and client machines. This frequently impacted network, local and general system performance.

CyberSight addresses these concerns:

Whereas the majority of existing security products download large threat databases to client machines, CyberSight does not. Recognising the shortcomings of this approach, CyberSight turns current security architecture on its head by storing its large threat archive on a central CyberSight server.

On initial installation CyberSight's remote client agents create a unique fingerprint for every file on their system in real-time and then update a central virtual image repository on the CyberSight server.

The client is then constantly scanned and compared against the server's extensive threat archive (over 500,000 threats at present). The rationale behind this approach is that there is NO requirement to locally process threats on client machines and NO large database that has to be deployed and/or maintained on a day-to-day basis in order to provide security on remote machines.

Whilst this architecture provides for the instant scanning of thousands of systems without the performance and updating problems experienced with current technologies, we recognised that there was still a minor area of vulnerability.

There are certain "business critical threats" that can wipe out a system in seconds; most security applications are powerless against such threats but CyberSight's client agents are aware of these "high level" threats and intercept them directly without recourse to the CyberSight server. In order to do this the CyberSight agent holds a small dataset within each 714 Kb agent.

Each client and server in the network had to be monitored

Cryptic Software closely examined several security products that monitored server usage, external network traffic, or just local network traffic. In each case we found that each area required dedicated software that was specific to the platform it was deployed on. We saw this as a limiting factor, both to widespread deployment of the application and to any physical changes (hardware and software) to the network client/server configuration.

Accordingly, CyberSight was designed to run on every Microsoft operating system from Windows 95 onward, including all service patched versions of Windows 95, Windows 98, Windows ME, Windows 2000, Windows NT 351, Windows NT4 and Windows XP.

Engine needed to be able to detect tens of millions of threats not just thousands

One of the most concerning aspects of many legacy security technologies was the limited capacity of their detection engines. Most handled threats in the hundreds, some in the thousands, whilst the threats themselves number in the tens of thousands.

The Internet is a big place and the number of threats is growing daily at a staggering rate. It follows that identifying, storing and comparing threats can start to compromise not only the effectiveness of existing products but also the performance of the host systems.

CyberSight's threat database will handle 250,000,000 threats without any degradation of client or server performance.

CyberSight's threat database is sub-divided into 320 categories covering 13 severities which are as follows:

Severity 1.
Direct hacking tools and utilities that are a threat to corporate data

Severity 2.
Direct attack tools and utilities that are a threat to corporate systems/networks and other security products

Severity 3.
Password cracking tools that are a threat to corporate confidentiality and access control

Severity 4.
Fraud and espionage tools and indicators which indicate evidence of attempted fraud or espionage

Severity 5.
Enumeration tools, tools which scan remote systems to find "backdoors"

Severity 6.
Unauthorised monitoring tools, tools which spy on user or system activity

Severity 7.
Hardware events, events generated by changing hardware e.g. theft of memory

Severity 8.
Unauthorised applications or utilities

Severity 9.
Piracy or copyright theft indicators

Severity 10.
Unauthorised use of cryptography, tools used to hide corporate material or questionable files

Severity 11.
Systems abuse and tools indicators

Severity 12.
Subversive material, documents containing dubious instructions

Severity 13.
Games and game emulators, time and resource abuse

End users can set-up new threat levels or modify existing classifications to suit individual requirements.

Small client footprint, CPU friendly

CyberSight achieved this by ignoring the standard approach of most security applications, that is "application + data" on each client/server, and developing its own patented architecture.

Most threats that security applications detect do not have to be acted upon within a few milliseconds; a second or so will do. Some, like network "sniffers", only detect the threat when it is active, which is perhaps a little later than would be ideal.

CyberSight's architecture enables it to detect threats as they hit the local disk or processor, typically before they have the chance to execute.

The CyberSight client agent keeps a central database up-to-date utilising a mathematical formula developed by Cryptic Software for each file on the client/server machine. This updating is done in real-time, and because of this the central CyberSight server knows exactly what is on every machine at any time.

Therefore when a new threat is added to the CyberSight server it can be matched instantly against all files in the network. Because of this there is no need to remotely scan the network; this is why CyberSight's performance is unaffected by the number of systems that are protected.
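The server-side inventory the two preceding paragraphs describe, as an added example (not CyberSight's own code): agents report one fingerprint per file, the server indexes them, and a threat added to the archive later is matched against every host without any rescan. The hosts, paths and file contents are constructed, and SHA-256 stands in for the page's undisclosed formula.

```python
"""Added example, not CyberSight's code: a central file inventory that matches
a newly added threat fingerprint against every reported host instantly."""
import hashlib
from collections import defaultdict


def fingerprint(content: bytes) -> str:
    """What an agent computes per file and reports to the server. SHA-256 is a
    stand-in; the page's own 'mathematical formula' is not public."""
    return hashlib.sha256(content).hexdigest()


class CentralInventory:
    def __init__(self):
        self.by_hash = defaultdict(set)    # fingerprint -> {(host, path)}
        self.by_host = defaultdict(dict)   # host -> {path: fingerprint}
        self.threats = {}                  # fingerprint -> threat name

    def report(self, host: str, path: str, digest: str):
        """Agent event: file created or changed. Returns a threat name if the
        server already knows this fingerprint, else None."""
        old = self.by_host[host].pop(path, None)
        if old is not None:
            self.by_hash[old].discard((host, path))
        self.by_host[host][path] = digest
        self.by_hash[digest].add((host, path))
        return self.threats.get(digest)

    def remove(self, host: str, path: str):
        """Agent event: file deleted."""
        old = self.by_host[host].pop(path, None)
        if old is not None:
            self.by_hash[old].discard((host, path))

    def add_threat(self, digest: str, name: str):
        """Archive update: match the new fingerprint against the whole estate at
        once. Offline hosts are covered too, because the server still holds
        their last reported image."""
        self.threats[digest] = name
        return sorted(self.by_hash.get(digest, ()))


# Constructed sample: two workstations and one laptop report their files.
SAMPLE_FILES = {
    ("ws-01", r"C:\Windows\notepad.exe"): b"notepad sample bytes",
    ("ws-02", r"C:\Windows\notepad.exe"): b"notepad sample bytes",
    ("ws-02", r"C:\Temp\helper.exe"): b"suspicious tool sample bytes",
    ("laptop-07", r"D:\Downloads\helper.exe"): b"suspicious tool sample bytes",
}


def build_sample_inventory() -> CentralInventory:
    inv = CentralInventory()
    for (host, path), content in SAMPLE_FILES.items():
        inv.report(host, path, fingerprint(content))
    return inv


def demo():
    inv = build_sample_inventory()
    # A new entry arrives in the threat archive: no agent is contacted.
    hits = inv.add_threat(fingerprint(b"suspicious tool sample bytes"),
                          "Severity 1: constructed hacking-tool sample")
    # From now on any agent reporting that fingerprint is flagged on arrival.
    live = inv.report("ws-01", r"C:\Temp\x.exe",
                      fingerprint(b"suspicious tool sample bytes"))
    return hits, live


if __name__ == "__main__":
    print(demo())
```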

Response to a threat is instant, even if a machine is switched off; in fact threats can easily be identified even if they were on a laptop on a plane anywhere in the world.

More importantly, no data updates need to be deployed to the clients, therefore eliminating the need to maintain hundreds of remote databases, which themselves could be attacked and which can, and often does, cause significant network traffic.

By definition CyberSight is a host based "data-lite agent" security product.

Data-lite agents are our remote agents that neither download nor store vast threat repositories to enable threat detection.

The CyberSight agent is extremely compact and bloat-less. Cryptic Software has achieved this by using assembler language to build the agents thus ensuring excellent performance and enabling the agent to be extremely compact.

CyberSight's agents typically run at 0.05% CPU utilisation (similar to NotePad).

Detection of "0 Day" exploits/vulnerabilities (threats not yet identified)

Another significant drawback of existing security applications is their inability to detect what Cryptic Software terms "0 day exploits". These are threats which have recently been written and that the security industry is unaware of.

Typically these threats go undetected until a user has noticed a problem, a security company has been advised and an antidote has been produced and made available to their users.

Protection against these threats has then to be downloaded at or by each individual client before protection can be assumed.

The time interval between the release of a new threat, its discovery, formulating an antidote and making this available can be significant and, as most threats can multiply exponentially, it is possible that tens of thousands of systems could be infected before a "cure" is available.

Cryptic Software addresses the issue of unknown threats utilising CyberSight's patented "Capability Detection" module.

CyberSight's unique Capability Detection module utilises various rules to establish the potential threat posed by any new (unknown) executable files.

Some of the "capabilities" that may form part of an executable threat may include:

  • Talk IP - communicate over networks
  • Grab keystrokes - typically used to steal passwords
  • Encryption libraries - used to covertly hide or send data
  • Video capture - tools that grab screenshots or web cam footage
  • MAPI - executables which can send data through email
  • Internal compression capabilities
  • Hidden denial of service capabilities
  • Password cracking capabilities
  • Network interface capabilities
  • Remote procedure capabilities
  • Audio compression capabilities
  • Command shell capabilities

Therefore if any new executable has (some of) the above capabilities, or if any existing executable should change and inherit one of the capabilities above, there should be cause for concern. A text file that has encryption capability is most likely to be a threat!

These capabilities, and others, are generically detected by CyberSight's Capability Detection module, even if they have been disguised or hidden. Because of this the executable can be immediately recognised as a potential threat even though it is not known to the CyberSight threat database.

Moral - If it walks like a duck, quacks like a duck and swims like a duck - it probably is a duck.
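A rule-based classifier in the spirit of the capability list above, as an added example (it is not CyberSight's patented Capability Detection module, whose rules are not published). The DLL and API names are real Win32 imports; the import lists fed to it are constructed, as are the threshold and the verdict strings, and in practice the imports would come from a PE parser such as pefile.

```python
"""Added example, not CyberSight's code: classify an executable by the Win32
capabilities its import table (or its embedded API-name strings) reveal."""
import re

# capability -> {(dll, function)} that grants it; names are lower-cased on lookup.
CAPABILITY_RULES = {
    "Talk IP": {("ws2_32.dll", "wsastartup"), ("ws2_32.dll", "connect"),
                ("ws2_32.dll", "send"), ("ws2_32.dll", "recv"),
                ("wininet.dll", "internetopena"), ("wininet.dll", "internetopenurla")},
    "Grab keystrokes": {("user32.dll", "setwindowshookexa"),
                        ("user32.dll", "setwindowshookexw"),
                        ("user32.dll", "getasynckeystate")},
    "Encryption libraries": {("advapi32.dll", "cryptacquirecontexta"),
                             ("advapi32.dll", "cryptencrypt"),
                             ("advapi32.dll", "cryptdecrypt")},
    "Video capture": {("avicap32.dll", "capcreatecapturewindowa"),
                      ("gdi32.dll", "bitblt")},
    "MAPI": {("mapi32.dll", "mapisendmail"), ("mapi32.dll", "mapilogon")},
    "Command shell": {("kernel32.dll", "winexec"), ("kernel32.dll", "createprocessa"),
                      ("shell32.dll", "shellexecutea")},
}
# Imports a binary resolves itself at run time, keeping them out of the import table.
DYNAMIC_RESOLVERS = {("kernel32.dll", "loadlibrarya"), ("kernel32.dll", "getprocaddress")}
ALERT_THRESHOLD = 2   # constructed policy: two or more capabilities raise an event


def capabilities(imports, raw_bytes=b""):
    """imports: {dll: [function, ...]}. raw_bytes: the file's bytes, only used to
    catch APIs that are resolved dynamically (present as strings, absent from
    the import table), i.e. the 'disguised or hidden' case."""
    present = {(dll.lower(), f.lower()) for dll, funcs in imports.items() for f in funcs}
    found = {cap for cap, pairs in CAPABILITY_RULES.items() if pairs & present}
    if present & DYNAMIC_RESOLVERS:
        strings = {m.decode().lower() for m in re.findall(rb"[A-Za-z0-9_]{6,}", raw_bytes)}
        for cap, pairs in CAPABILITY_RULES.items():
            if any(func in strings for _, func in pairs):
                found.add(cap)
    return found


def assess(name, imports, raw_bytes=b"", baseline=None):
    """Returns (verdict, capabilities, newly gained). baseline is the capability
    set recorded for the previous version of the same file, if any."""
    caps = capabilities(imports, raw_bytes)
    gained = caps - baseline if baseline is not None else set()
    if not name.lower().endswith((".exe", ".dll", ".scr")) and caps:
        verdict = "event: non-executable with executable capabilities"
    elif gained:
        verdict = "event: existing file inherited new capabilities"
    elif len(caps) >= ALERT_THRESHOLD:
        verdict = "event: unknown executable with suspicious capabilities"
    else:
        verdict = "ok"
    return verdict, caps, gained


# Constructed samples: import lists only, no real binaries.
NOTEPAD_LIKE = {"kernel32.dll": ["CreateFileA", "ReadFile"],
                "user32.dll": ["CreateWindowExA"]}
STEALER_LIKE = {"ws2_32.dll": ["WSAStartup", "connect", "send"],
                "user32.dll": ["SetWindowsHookExA"],
                "advapi32.dll": ["CryptEncrypt"]}
# Hides its network use behind GetProcAddress; the API names still sit in the file.
HIDDEN_LIKE = {"kernel32.dll": ["LoadLibraryA", "GetProcAddress"],
               "user32.dll": ["GetAsyncKeyState"]}
HIDDEN_BYTES = b"\x00stuff\x00ws2_32.dll\x00WSAStartup\x00connect\x00"
```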

Limitation of false positives

Another drawback with existing detection methods is false positives, the alerting of an issue that is unfounded. After all, there is little point in managing thousands of machines if the information presented is inaccurate. This is time wasting and leads to the possibility of overlooking the real threats.

CyberSight addresses this issue not by guessing but by using our patented Shape Technology and complex mathematical formulae to minimise the chance of false positives.

Most security products utilise a form of HASH KEY to identify a known threat. Cryptic Software believe this methodology to be flawed; the first and most obvious problem is that any change, no matter how insignificant, will cause the threat to become transparent to HASH KEY detection techniques.

Developers of attack products are wise to this and most modern threats regularly change their executable (altering a single bit is all that is required) to avoid detection by the Hash Key technique.

Cryptic Software have addressed this issue by developing a proprietary key generation technique that, unlike the HASH KEY, produces a key that is not based on the accumulation of all the data in the file.

This proprietary technique can continue to identify threats even after they have changed.
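The hash-key weakness described above, and one well-known answer to it, as an added example: Shape Technology itself is proprietary, so this block uses context-triggered piecewise hashing (rolling-hash chunk boundaries, one digest per chunk, similarity over the chunk sequence) to show why a whole-file hash breaks on a single-bit change while a piecewise key does not. The sample files are constructed from seeded pseudo-random bytes; WINDOW, BASE and the 64-byte block target are arbitrary choices.

```python
"""Added example, not Cryptic Software's code: whole-file hash key versus a
piecewise 'shape' that survives a one-bit modification."""
import hashlib
import random
from difflib import SequenceMatcher

WINDOW, BASE, MOD = 7, 1000003, 1 << 32
POW = pow(BASE, WINDOW, MOD)


def hash_key(data: bytes) -> str:
    """The conventional whole-file key: any single-bit change gives a new value."""
    return hashlib.sha256(data).hexdigest()


def shape(data: bytes, block: int = 64) -> list:
    """Split on content-defined boundaries (a rolling hash over the last WINDOW
    bytes hitting a 1-in-`block` condition) and digest each piece. A local edit
    disturbs only the piece(s) around it, not every boundary that follows."""
    pieces, start, h = [], 0, 0
    for i, b in enumerate(data):
        out = data[i - WINDOW] if i >= WINDOW else 0
        h = (h * BASE + b - out * POW) % MOD          # polynomial rolling hash
        mixed = (h * 0x9E3779B1) % MOD                # spread entropy to the top bits
        if mixed >> 26 == 0 and i - start >= block // 4:
            pieces.append(hashlib.sha256(data[start:i + 1]).hexdigest()[:6])
            start = i + 1
    if start < len(data):
        pieces.append(hashlib.sha256(data[start:]).hexdigest()[:6])
    return pieces


def similarity(a: bytes, b: bytes) -> float:
    """1.0 for an identical shape, close to 0.0 for unrelated content."""
    return SequenceMatcher(None, shape(a), shape(b), autojunk=False).ratio()


def _pseudo_file(seed: int, size: int = 4096) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


ORIGINAL = _pseudo_file(1)                # constructed 'known threat'
_m = bytearray(ORIGINAL)
_m[2000] ^= 0x01                          # the single-bit change the page mentions
MODIFIED = bytes(_m)
UNRELATED = _pseudo_file(2)               # constructed benign file


def demo():
    return {
        "hash_key_still_matches": hash_key(ORIGINAL) == hash_key(MODIFIED),
        "shape_similarity_after_bit_flip": round(similarity(ORIGINAL, MODIFIED), 2),
        "shape_similarity_unrelated": round(similarity(ORIGINAL, UNRELATED), 2),
    }


if __name__ == "__main__":
    print(demo())
```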

Real time scanning not scheduled

Some of the products we examined worked on a schedule basis, often scanning a network or hosts overnight to minimise their impact on system performance during office hours.

The impact security applications have on performance is a major concern, particularly if the organization operates 24-7. For example virus checkers, or any host based file-monitoring system that plugs in at the device driver level, generate lag (slowing down of the system).

Take the example of the operating system requesting access to a file: access to the requested file is blocked whilst the security product scans and confirms the file's validity, and only then does the security product release access to the file back to the operating system.

In nearly every case the file could not be a threat until it was executed, so the functional level of the system has been degraded for no reason; this is the reason so many virus checkers are disabled by the end user.

CyberSight addresses this issue by processing the file at the same time as the operating system and then terminating its execution at run time. This method ensures that CyberSight does not cause any degradation of client performance. CyberSight is not bound into the operating system kernel, so as not to cause system instability.

It is well known that many existing detection products are the direct cause of system instability because they conflict with the operating system. The best-known result of this is the common "blue screen of death" crashes that are most frequently caused by detection software interfering or failing to interface with normal operating system processes. CyberSight has been designed to work "above" the operating system and therefore the potential for conflict is eliminated.

CyberSight is portable across all Microsoft platforms with the same executable software, including Windows 95, 98, ME, 2000, NT 351, NT4 and XP, utilising the same single 712k executable, thereby eliminating the need for multiple deployment files and ensuring transparency of function regardless of platform.

Easy to deploy -- just one small executable

Another problem using mainstream security products is deployment and version control. With CyberSight the same 712k program agent monitors both client and server devices.

Once the initial installation is complete all agents can be updated from the central CyberSight server with just a few mouse clicks.

Remember no data needs to be held at the client - just the CyberSight agent.

Out of the box results - no initial configuration required

With CyberSight you obtain results instantly.

The CyberSight server is loaded with a standard InstallShield set-up program. Once installed, CyberSight agent creation is just a mouse click away.

An agent executable is created with a single mouse click; set your server's IP address and CyberSight protection is all but instant. Run the 712k agent program on clients and within seconds every file is monitored for over 500,000 known threats and, more importantly, protected as much as possible from the unknown threats, which by their anonymity are far more dangerous.

All threats discovered are reported as "events" to a single screen and can be automatically forwarded to supervisory users via emails or third party operations products, subject to pre-defined threat profiles.

CyberSight includes a host of additional options, even supporting its own scripting language that can be used to enable administrators to globally request data or control remote agents.

For example a script could be written which retrieves every registry file, or XLS file over the network at night.

Complete defense not perimeter or just network based detection

Security should cover the widest possible area of exposure. Typical coverage provided by legacy security products is as follows:

  • Monitoring of log files
  • Monitoring of network traffic for known signatures
  • Monitoring of executable files typically using a hash key
  • Monitoring of email for viruses or pornography at the perimeter
  • Monitoring of web sites accessed
  • Monitoring of web / email based malicious code

The obvious flaw in the above methodologies is the lack of coverage of threats that can come from anywhere. CyberSight addresses this by examining file and processor usage (the lowest common denominator where a threat can reside) thus detecting threats from any source that may include:

  • PDAs
  • CDs
  • Floppy
  • USB
  • Serial
  • Watches
  • Chat programs
  • FTP or stealthy derivatives
  • File leeching software (Kazaa, Napster) clones
  • Unseen hacking tools which support file transfer

To do this CyberSight utilises multiple techniques and is not reliant on one methodology, as relying on one technique for threat detection can be disastrous; this is why most organizations have had to implement multiple products to gain as much protection as possible, a costly exercise.

CyberSight addresses this issue by using a patented process called "Shape Technology". This works by using multiple methodologies to detect threats: if attackers code their threat software to avoid one detection method, e.g. by modifying its fingerprint, CyberSight uses multiple other techniques to discover it.

Evidence gathering not just user name and time

It is pointless knowing about a threat or infringement of corporate policy if you do not know who is responsible or how.

CyberSight has several features that enable it to address this and ensure that any offender and the offence or offences committed are fully audited.

Typically, on a non-policy event or threat being detected, the first step is a manual screen shot that includes the logged-on user name; this provides evidence of what the user is doing.

Secondly, an automated screen shot can be taken. Typically this would show the website, executable or email the policy infringement or threat was introduced from. For absolute proof CyberSight can, subject to local laws and legislation, take photographs or live video via web cameras to positively identify the user at the workstation at the time in question.

CyberSight is a single integrated product, not multiple different technologies; features are switched on or off according to the license key. This means there are no issues with integration or the need to learn multiple products.

One simple interface significantly reduces the training required to master the technology and a background in security practice, though useful, is not mandatory for CyberSight users.

CyberSight provides comprehensive cover, not just hacking and viruses

Legacy security systems typically overlook a large range of threats, tools, utilities and files that Cryptic Software consider to be undesirable on your network.

A few of the over 320 threat categories identified by CyberSight include:

  • Abuse - tools to attack or abuse systems or networks
  • Misuse - games, DIV-x pirate movie downloading, MP3
  • Monitors - programs that record or watch a user's session
  • Compressors, encoders, encryptors to hide information
  • Crackers, tools which break passwords or steal passwords over a network
  • Credit card fraud, or phone fraud
  • Flooders (tools used to attack remote systems)
  • Disk editing or code disassemblers
  • Key loggers
  • Steganography - the ability to hide confidential information in seemingly harmless files
  • Missing or downgraded security patches

Remember, these are 320 categories; within those categories CyberSight has over 500,000 indexed threats.

Penetration of Encrypted ZIP Files

One of the commonest methods used to avoid discovery of threats, data theft or other activity contrary to policy is to zip and encrypt offending data. Typically the only method of discovering the content is to attack the zip file using "brute force" techniques. This has several drawbacks, not the least of which is the time it can take, which can be several days. Cryptic Software's CyberSight product can penetrate these files, examine and report on the content in less than half a second, regardless of password length.
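One defensible way to report on a password-protected ZIP in well under a second without attacking the password, as an added example (not CyberSight's code, and not a claim about how it works): the ZIP central directory is never encrypted, so entry names, sizes and CRC-32 values are readable and can be matched against a threat archive. The archive is constructed: stdlib zipfile cannot write encrypted entries, so a plain ZIP is written and its "encrypted" flag bit (bit 0 of the general-purpose flags) is set by hand, as a real ZipCrypto or AES archive would have it; the threat archive entry is constructed too.

```python
"""Added example, not CyberSight's code: inventory a password-protected ZIP from
its cleartext directory and match entries against a threat archive."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001

# Constructed threat archive keyed by (crc32, uncompressed size) of a file.
TOOL_BYTES = b"constructed sample bytes of a flagged tool\n"
THREAT_ARCHIVE = {(zlib.crc32(TOOL_BYTES), len(TOOL_BYTES)):
                  "Severity 1: constructed tool sample"}


def build_sample_archive() -> bytes:
    """Constructed stand-in for an archive produced with a password."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", b"harmless text\n")
        zf.writestr("tools/helper.exe", TOOL_BYTES)
    data = bytearray(buf.getvalue())
    # Set the encrypted flag in every local header (flags at +6) and central
    # directory entry (flags at +8). Content is stored text, so signature
    # searching cannot hit a false match inside entry data here.
    for sig, off in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = data.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | FLAG_ENCRYPTED)
            pos = data.find(sig, pos + 4)
    return bytes(data)


def inspect_archive(zip_bytes: bytes) -> list:
    """Everything readable from the cleartext directory, plus a threat match.
    No password is needed and no decryption is attempted."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            report.append({
                "name": info.filename,
                "size": info.file_size,
                "crc32": f"{info.CRC:08x}",
                "encrypted": bool(info.flag_bits & FLAG_ENCRYPTED),
                "threat": THREAT_ARCHIVE.get((info.CRC, info.file_size)),
            })
    return report


def readable_without_password(zip_bytes: bytes, name: str) -> bool:
    """Shows the limit of this approach: the entry body itself stays locked."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:   # zipfile: "... is encrypted, password required"
            return False


if __name__ == "__main__":
    for entry in inspect_archive(build_sample_archive()):
        print(entry)
```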

CyberSight is built with RAD techniques to keep ahead of the hacker

Cryptic Software believes that another flaw with legacy security systems is the actual programming language used to build them.

Typically they are written in a 3GL that requires significant work and testing to change or amend even the smallest function. Whilst acknowledging that CyberSight includes assembler and 3GL code, the primary detection functionality is carried out utilising an extremely fast, self-administrating, relational 4GL, which provides excellent processing speed and an inherent ability to adapt for new requirements with ease.

Detection process has to be fast and efficient

CyberSight can process over 250,000,000 threat comparisons a second on a 3.1GHz Pentium system; more importantly, CyberSight places NO data processing overhead on the clients being monitored.

How can CyberSight help your organisation?

  • CyberSight can help you identify potential threats, undesirable files and system misuse/abuse.
  • The CyberSight user decides and defines what constitutes a threat to their system as requirements may alter from location to location.
  • As supplied CyberSight can identify over 540,000 threats and the list is being added to on a daily basis.
  • Users can add organisation specific tasks to the list of threats that CyberSight detects, or instruct CyberSight to ignore certain categories of threat if they are not applicable to the organisation.
  • Besides protecting the systems upon which it is installed from threat, CyberSight also protects the organisation itself.

How?

  • by protecting against accidental or deliberate software license infringement
  • by protecting confidential documents from being copied, amended or broadcast
  • by protecting against illegal software, however introduced
  • by protecting from potential hardware theft
  • by protecting against loss of corporate reputation and image caused by users downloading or storing inappropriate material

This document has focused on the security and threat protection provided by CyberSight. There are other, perhaps even more tangible benefits available to the CyberSight user.

How about the ability to provide real-time, system-wide hardware and software audits, including reports, at the touch of a key, with absolutely zero user action required. Simply install CyberSight and your auditing worries are over. Add hardware or software to your system, or even take it away, and CyberSight will reflect the changes instantly.