LightCyber provides us with a behavioural attack detection tool. The LightCyber appliance connects to a tap or SPAN port - optimally at a point that can see all network traffic into and out of the core - and monitors passively. It is particularly interested in traffic between users and servers, between users and the internet, and traffic to domain controllers, DHCP servers and DNS servers. It can also monitor endpoints agentlessly, on demand.
This is a tool that performs behavioural analysis of flows on the network and can interoperate with most of the key devices, such as firewalls and SIEMs, that one finds on large networks. LightCyber divides the attack timeline into three parts: the intrusion pre-attempt, the active attack, and the cleanup or incident response phase. The two ends are well covered by firewalls, IDS/IPS and SIEMs. It is the middle - the active attack phase - where Magna operates. This attack phase can last months or, as we have seen recently, years. More important, this is where the attacker is exposed to analysis.
During that attack phase, the intruder is communicating with C&C servers, performing various kinds of reconnaissance, moving laterally through the network, and attempting to exfiltrate data. All of those functions have unique behaviour associated with them. Magna analyses that behaviour, draws conclusions and acts accordingly.
At a glance
What it does: Behavioural attack detection.
What we liked: Detailed, graphical drilldown for analysis of suspicious or malicious events.
Magna does something that is becoming increasingly available but is very hard to do accurately and use correctly: establish a behavioural baseline. Instead of focusing on known-bad - as many firewalls and SIEMs do - Magna focuses on what is good: the baseline. Anything that diverges from the baseline is suspicious, and enough of that behaviour triggers an alert. LightCyber claims that this approach eliminates false positives and catches zero-days. Our view is that this is quite likely, although we did not have time for an extended analysis. What we saw certainly was consistent with that claim.
Architecturally, Magna is not particularly difficult to deploy or manage. It uses a typical sensor called the MagnaProbe, on-demand endpoint access, and the MagnaCloud, with which it communicates using the MagnaMaster. The MagnaMaster also communicates with devices with which Magna cooperates. The MagnaDetectors connect through a tap or span port.
Visually, the dashboard is spartan. It is laid out so that potential or actual malicious activity jumps out at you, which we found refreshing. While trending is important, when a breach is occurring, identifying and stopping it is the top priority, with forensic analysis next. After the dust settles we can look at the stats.
The drilldown is impressive. What may be even more impressive is that when you drill down you can see the malicious behaviour in detail including a map of what was involved, where it came from and what it did. This all is displayed with clean icons and shows details in an easy-to-read format. When you're chasing a bad guy through your network, speed counts. Simple, graphical displays really help.
On the subject of drilldown, we really liked the depth of analysis. In one attack we were able to see all of the involved computers, the applications, the protocols involved, a summary of the suspect behaviour and a raft of other details that would aid in blocking and analysing the attack. If an actual breach is discovered, remediation in the form of malicious file termination, port closures and so on occurs rapidly. By cooperating with firewalls, the offending address can be blocked; while IP blocking is not a good long-term strategy, it is great triage.
Another interesting aspect of Magna is that it profiles behaviour across users, endpoints and networks. This really is in-depth profiling and it is one reason that we find the "no false positives" claim credible. In our experience, profiling all three in a single product is extremely rare if not non-existent.
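To make the baseline idea from the two paragraphs above concrete, here is an added illustration (our own sketch, not LightCyber's code or algorithm) of profiling per user and per endpoint over constructed flow records, treating any divergence from the learned profile as suspicious and raising an alert only once a host accumulates enough of them; the host names, users and the threshold of three are assumptions.

```python
from collections import defaultdict

# Constructed learning-period flows: (user, src_host, dst_host, dst_port). Not real data.
BASELINE_FLOWS = [
    ("alice", "ws-01", "fileserver", 445),
    ("alice", "ws-01", "dc-01", 389),
    ("alice", "ws-01", "dns-01", 53),
    ("bob", "ws-02", "fileserver", 445),
    ("bob", "ws-02", "dc-01", 389),
    ("bob", "ws-02", "dns-01", 53),
] * 5  # repeated to stand in for several days of observation

# Constructed post-baseline flows: ws-01 suddenly probes peer workstations on 445
# (lateral-movement style behaviour); ws-02 makes a single never-seen connection.
NEW_FLOWS = [
    ("alice", "ws-01", "fileserver", 445),
    ("alice", "ws-01", "ws-02", 445),
    ("alice", "ws-01", "ws-03", 445),
    ("alice", "ws-01", "ws-04", 445),
    ("bob", "ws-02", "printer", 9100),
]


def build_baseline(flows):
    """Learn, per user and per source endpoint, the set of (dst, port) pairs seen."""
    user_profile = defaultdict(set)
    host_profile = defaultdict(set)
    for user, src, dst, port in flows:
        user_profile[user].add((dst, port))
        host_profile[src].add((dst, port))
    return user_profile, host_profile


def score_flows(baseline, flows, alert_threshold=3):
    """Record each flow outside the user's or endpoint's profile as an anomaly,
    grouped by source host; a host with alert_threshold or more becomes an alert."""
    user_profile, host_profile = baseline
    anomalies = defaultdict(list)
    for user, src, dst, port in flows:
        key = (dst, port)
        if key not in user_profile.get(user, set()) or key not in host_profile.get(src, set()):
            anomalies[src].append((user, dst, port))
    alerts = {src: evts for src, evts in anomalies.items() if len(evts) >= alert_threshold}
    return dict(anomalies), alerts


def run_demo():
    """Returns (anomalies, alerts) for the constructed data: ws-01 alerts, ws-02 does not."""
    return score_flows(build_baseline(BASELINE_FLOWS), NEW_FLOWS)
```

A single odd flow (ws-02 to the printer) stays at the suspicious level, while the cluster of new SMB connections from ws-01 crosses the threshold and surfaces as an alert, which is the distinction the review draws between divergence and alerting.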
The LightCyber Magna appliance is reasonably priced. There is full support with the subscription license. We found that LightCyber has gone to a lot of trouble to provide white papers, case studies and videos. Support is solid and available through the web portal. If you are looking for a companion to your firewall or SIEM, this is a very good product to consider. It is solid in its deployment, sports a straightforward architecture and is priced reasonably. We especially like the detail - and ease of interpretation - in the extensive analytic drilldowns.