The idea of empow intrigued Safety Detectives’ Aviva Zacks, so when Founder and CEO Avi Chesla agreed to an interview, she got ready. She asked him about empow’s technologies and how they work to stop cyberattacks.
Safety Detectives: What motivated you to start empow?
Avi Chesla: The main idea behind empow started almost seven years ago when I was at another company called Radware, where I was CTO. We were dealing a lot with the cybersecurity space, developing different types of solutions on the network and the endpoint level. We experienced a significant change in the market when we saw that more and more cybersecurity companies were bringing new security tools to protect against and prevent various attacks. The frequency of attacks and the volume of data were increasing all the time. The complaint that we heard from the Chief Security Officers of organizations and from the security operations center teams was that the main challenge is not the lack of tools or the lack of security technologies. The issue is how to get much more value from these tools.
Most, if not all, of these security solutions and technologies are typically integrated as silos in the organization. There is no real relationship between the different solutions and products. And that makes it very hard for them to conduct a security operation that can effectively detect and prioritize the threats, because they are overwhelmed by the number of security events and alerts that they need to handle.
That was the reason that we decided to create the company and our inspiration was to solve this issue. We wanted to get more value from all the security tools and data sources that they were investing in by creating an abstract security layer and language that knows how to classify all the data that is coming from these silos. This will help transform them into one security language, which will allow them to prioritize the real threats and detect threats that can be missed by the point solutions much more efficiently. When you have different data sources and advanced attacks, each one of these solutions provides clues about only part of the story of the attack but not the end-to-end attack story. They need to have a way to quickly classify all these data sources and identify common malicious intent which needs to be prioritized, and not based on these individual events, but based on all these events together.
We created empow in order to help these organizations turn what they have into what they need. They already have all the security tools and technologies; they made the investment, now, they need a layer that sits on top of all these tools and the data and identifies if there are attack stories based on all these clues that these solutions provide.
In the last five or six years, we have seen a trend in the cybersecurity market toward solutions that address exactly these challenges, which come in the form of next-generation security information and event management, or next-generation SIEM.
Recently, at least in the last year, the market has talked about XDR, the extended detection and response platform, which is trying to solve the same issue. We have solutions that allow us to solve this fundamental problem of too many tools and too much data, which organizations need to manage effectively in order to derive value.
SD: Can you give me a quick overview of the process of how you stop cyberattacks?
AC: We understood that in order to create this abstract intelligent layer on top of all these tools, we would first of all need to have an infrastructure or technology that can collect all types of feeds and logs from the protected network. And when referring to the types of data that need to be collected, this is also something that we are seeing more and more in the market. Customers expect to collect everything, not only security alerts coming from security tools but also activity logs that represent user activities, user account activities in the organization as well as network traffic activities. Because you cannot rely only on the security tools to detect anomalies and the facts. Some of them are unknown or some of them are not covered by the security tools that the organization has.
This is the first stage in the process: We created a log digestion layer that collects all types of data, including alerts, user activity logs, network traffic logs, activity logs, and threat intelligence, which is a very important part of the data that is needed in order to understand if there are threats or not, if they are real or not, and to provide context to the threat.
After collecting all the data, the second stage in the process is data classification. Most of these data sources and products provide a different nature of data representation—different languages that need to be classified into one common terminology. In that second stage of the process, we scan all the data that we collect in real-time and automatically classify these pieces of data into what we call attack behaviors or potential attack behaviors categories. The classification process is done by three main algorithms. One is based on AI natural language processing algorithms that know how to read the natural data that exists in logs and in threat information and threat intelligence information and automatically categorize the data into one or more potential attack behaviors.
We use NLP in order to classify security alerts and the threat intelligence information related to them. The other two algorithms are behavioral-based analysis technologies that know how to collect user activity inside the organization, create baselines of the normal traffic patterns, and know how to flag or identify anomalies that might represent potential attack behavior as well. We classify these types of logs using behavioral technology into potential attack behaviors, and we do something very similar with network traffic activities as well. We collect the network traffic logs and we establish the baseline of a normal pattern of behavior within the organization, and this technology knows how to identify if there is a deviation from the normal patterns that might represent malicious activities.
The second stage of the process is the normalization of all the logs and the data feeds that we get into one language of attack. And in order to use a language that is known by the cybersecurity experts and the organization, we use the terminology of the MITRE ATT&CK™ framework. The MITRE ATT&CK™ framework established a language that includes predictable attack techniques and attack tactics that can be associated with any kind of log if the log represents a malicious activity. So that layer translates all these various logs coming from different data sources through data classification, converting different types of languages into one language of attacks.
The next step of the process is to correlate the data. We provide the words or sentences that describe the potential attack behavior against the organization, an application, or the user. In order to prioritize the real attacks, you need to identify if there is a story here, because an attack is not just one technique or one step. Most attacks include multiple steps and some sequence that, when it is executed, puts the organization at risk.
In order to build that story on top of all this classified data, we use cause and effect analytics. This is a technology that knows how to take classified logs—the words that we have translated the logs into—and identify if there are relationships between them. This means that someone is persistently trying to get inside the organization, trying to compromise identities or machine hosts inside the organization, trying to collect data that he is not supposed to, and obviously trying to make some impact like ransomware or leaking the data outside of the organization. This cause and effect algorithm knows how to identify if there are activities that represent a real attack, and based on that, the system prioritizes what we call these attack stories above all the other logs that do not seem relevant. Maybe they are noise. Maybe they are false positives.
These three stages happen automatically. Our end-users, the security analysts, and the SOC team do not need to configure or create manual alerts and correlation rules. They don’t need to know how to translate each log into potential attack behavior and how to translate all these various attack behaviors into an attack story because this requires a lot of expertise, time, and maintenance, and in the end, it’s a very reactive approach that takes too much time to detect and respond. We automatically do that for them using our technology.
SD: What do you feel are the worst cyberthreats today?
AC: In the last two years, the methods that have been developed around different types of ransomware attacks have become very challenging and threatening. In the market today, there are very sophisticated methods to get ransomware and malware into the organization in different ways, as well as to spread malware within the organization after penetrating it.
This is being done using automation techniques that the attackers have developed. They know how to identify these users and data points in the organization that are more sensitive. They use AI methods to classify the data in the organization and identify the privileged accounts, where the data is more sensitive. They are able to develop automatic ways to spread the malware into these various points within the organization.
Today it’s about taking the data, not only encrypting it but taking control of it and threatening the user or the organization that if they do not pay, they will release that data to some third party. We believe that ransomware is one of the major threats today.
The other attack vectors that are high risk for organizations today are attacks that try to compromise user identities via different types of spear phishing techniques. This is nothing new, but it is something that has also developed into one of the main vectors of successful attacks in organizations. When we ask an organization what their top priority is, they want to have full coverage, which means visibility and detection capabilities around social engineering, phishing, and spear-phishing attacks.