Cyber 2.0 Operates on Two Different Layers

Full Detection of active malicious and unauthorized software within the organization
(including software that has not been detected by other defense systems)

Complete Blocking of malicious or unauthorized software within the organization's network.
(Other defense systems do not provide complete blocking of the malware they detect)

Full Detection - Software inventory

  • The system maps every activity on each computer
  • It creates 3 distinct inventory lists:
       Inventory of every software product installed on each computer
       Inventory of active software
       Active software that goes out to the network
  • Software components' network behavior – the software, its version, and what it actually did and when
  • Analysis of all attacks, real-time and past
    (Forensic View)

Full Detection - Reverse Tracking

Reverse Tracking - what separates Cyber 2.0 from the competition:

  • Malicious software (1) activates a chain of legitimate software (2+3+4) that eventually issues a seemingly legitimate command, for example commanding Outlook to send a competing company an email containing the organization's strategic plan
  • Since the command was issued by legitimate software, security systems that inspect only Outlook will not detect the malware
  • Cyber 2.0 tracks the chain all the way back, using its Reverse Tracking Technology, and blocks Outlook from going out to the network

This fundamental difference enables Cyber 2.0 to expose all malicious activities that were not
revealed by any of the other defense systems already deployed in the organization

Full Detection - How does reverse tracking work

  • Every process that loads is recorded
  • Every DLL or library file that loads is recorded
  • Any access by one process to another process is recorded
  • When a process is started, the system computes its MD5 and SHA signatures (hashes)
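The following is an added example (not Cyber 2.0's code) that models the recording and reverse-tracking behavior described above, together with the three inventory lists from the software-inventory section: every process start, DLL load and process-to-process access is recorded, the image of each started process is hashed, and an outbound connection by a legitimate program is traced back through the processes that drove it until an unauthorized image is found. The event log, file paths, image contents and the authorized list are constructed for the example; how the real product chooses which process "drove" another is not described on the page, so the walk here follows process-access events first and the parent process second.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for the executable files on one endpoint (contents are
# placeholders; in practice the file bytes on disk would be hashed).
EXPLORER = r"C:\Windows\explorer.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
ACROBAT = r"C:\Program Files\Adobe\Acrobat.exe"
DROPPER = r"C:\Users\bob\AppData\Local\Temp\invoice.exe"
IMAGE_BYTES = {
    EXPLORER: b"explorer-image", OUTLOOK: b"outlook-image", CMD: b"cmd-image",
    WSCRIPT: b"wscript-image", ACROBAT: b"acrobat-image", DROPPER: b"dropper-image",
}


def image_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of a process image, computed when the process starts."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


# The organization's authorized list (a few dozen entries in practice), keyed by SHA-256.
AUTHORIZED_SHA256 = {image_hashes(IMAGE_BYTES[p])["sha256"]
                     for p in (EXPLORER, OUTLOOK, CMD, WSCRIPT, ACROBAT)}

# Constructed event log: (timestamp, event kind, fields). The dropper (pid 500) starts cmd,
# cmd starts wscript, and the script drives the already-running Outlook (pid 200).
EVENTS = [
    (1, "process_start", {"pid": 100, "ppid": 1, "image": EXPLORER}),
    (2, "process_start", {"pid": 200, "ppid": 100, "image": OUTLOOK}),
    (3, "image_load", {"pid": 200, "image": r"C:\Program Files\Microsoft Office\MAPI32.DLL"}),
    (4, "process_start", {"pid": 500, "ppid": 100, "image": DROPPER}),
    (5, "process_start", {"pid": 600, "ppid": 500, "image": CMD}),
    (6, "process_start", {"pid": 700, "ppid": 600, "image": WSCRIPT}),
    (7, "process_access", {"src": 700, "dst": 200}),
    (8, "network_connect", {"pid": 200, "dst": "smtp.competitor.example:25"}),
    (9, "network_connect", {"pid": 100, "dst": "update.corp.example:443"}),
]


def record(events):
    """Replay the event stream into the lookup tables reverse tracking needs."""
    procs, accessors, loads, connects = {}, defaultdict(list), defaultdict(list), []
    for ts, kind, f in events:
        if kind == "process_start":
            procs[f["pid"]] = {"image": f["image"], "ppid": f["ppid"], "ts": ts,
                               **image_hashes(IMAGE_BYTES[f["image"]])}
        elif kind == "image_load":
            loads[f["pid"]].append(f["image"])
        elif kind == "process_access":
            accessors[f["dst"]].append((ts, f["src"]))
        elif kind == "network_connect":
            connects.append((ts, f["pid"], f["dst"]))
    return {"procs": procs, "accessors": accessors, "loads": loads, "connects": connects}


def drivers(t, pid, before):
    """Processes that may have driven `pid`: accessors before `before` (latest first), then the parent."""
    out = [src for ts, src in sorted(t["accessors"][pid], reverse=True) if ts < before]
    ppid = t["procs"][pid]["ppid"]
    if ppid in t["procs"]:
        out.append(ppid)
    return out


def reverse_track(t, pid, before, seen=None):
    """Walk back from `pid`; return the pid chain ending at the first unauthorized process, else None."""
    seen = set() if seen is None else seen
    seen.add(pid)
    if t["procs"][pid]["sha256"] not in AUTHORIZED_SHA256:
        return [pid]
    for d in drivers(t, pid, before):
        if d not in seen:
            path = reverse_track(t, d, before, seen)
            if path:
                return [pid] + path
    return None


def verdicts(t):
    """Decide, per outbound connection, whether the chain behind it is clean."""
    out = []
    for ts, pid, dst in t["connects"]:
        chain = reverse_track(t, pid, ts)
        out.append({"pid": pid, "dst": dst, "action": "block" if chain else "allow",
                    "chain": [t["procs"][p]["image"] for p in chain or []]})
    return out


def inventories(t):
    """The three inventory lists: installed, active, and active with network activity."""
    installed = sorted(IMAGE_BYTES)
    active = sorted({p["image"] for p in t["procs"].values()})
    network = sorted({t["procs"][pid]["image"] for _, pid, _ in t["connects"]})
    return installed, active, network


if __name__ == "__main__":
    tracker = record(EVENTS)
    for v in verdicts(tracker):
        print(v["action"], v["dst"], " <- ".join(i.rsplit("\\", 1)[-1] for i in v["chain"]))
```

Run stand-alone, the Outlook connection is blocked with the chain OUTLOOK.EXE <- wscript.exe <- cmd.exe <- invoice.exe, while the connection made directly by explorer.exe is allowed. Note that Outlook's own hash is authorized; it is blocked only because the walk reaches an unauthorized image, which is the point of tracking the chain rather than inspecting Outlook alone.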

Full Detection - What does the organization need to do

  • The organization indicates which software is authorized to enter the network (legitimate software)
  • This list comprises no more than a few dozen applications (accounting, Office, Acrobat, browser)
  • Any software that was not specifically authorized, or that is unknown, is treated as illegitimate
  • This is not the familiar white list; it is an automatically created and managed dynamic list

Complete Blocking - of Unauthorized Software (Chaos Engine)

  • Legitimate/authorized software – outgoing traffic is scrambled, incoming traffic is descrambled
  • Malicious/unauthorized software – outgoing traffic is not scrambled; the receiving side descrambles it anyway, so it arrives scrambled and is blocked
  • Using a dedicated gateway, the system can also be deployed between the network and other networks, and in front of network devices on which the agent cannot be installed

Complete Blocking - The Power of Reversal
(or: the logic behind scrambling authorized traffic, while leaving unauthorized traffic as is)

  • If the system is breached or deactivated, no outgoing traffic is scrambled (authorized or not), so all of it is blocked by the receiving side
  • If the system is bypassed, the bypassing traffic is not scrambled, and is therefore blocked by the receiving side
  • If a malware is added to the authorized-software list, the Chaos Engine issues that software a completely different set of ports, so its traffic is still blocked by the receiving side
  • Any attempt to masquerade as, or unlawfully execute, a process is detected by Reverse Tracking Technology and blocked by the Chaos Engine

The Chaos Engine blocks any attempt to penetrate or bypass the system
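The following is an added example (not Cyber 2.0's code) that models the "power of reversal" described in the two lists above: the sender's agent scrambles the destination port only for authorized software, the receiver's agent descrambles every incoming packet unconditionally, and a packet that was never scrambled therefore lands on a port where nothing listens. The page does not describe the real scrambling, so the keyed affine permutation of the 16-bit port space, the session constants A and B, and the listening services are assumptions; the permutation is a placeholder with no secrecy of its own, and the case of a malware entry added to the authorized list with a different port set is not modeled.

```python
MOD = 1 << 16
# Constructed session secret shared by the two agents: an odd multiplier (so the affine map
# is invertible mod 2^16) and an offset. Stand-in for whatever scrambling the product uses.
A, B = 0x9E37, 0x2C1B
A_INV = pow(A, -1, MOD)

# Services actually listening on the receiving host (constructed).
SERVICES = {443: "https", 25: "smtp"}


def scramble_port(port: int) -> int:
    """Sender-side agent: map the real destination port to the port placed on the wire."""
    q = (A * port + B) % MOD
    return q if q else (A * q + B) % MOD   # cycle-walk past 0, which is not a usable port


def descramble_port(wire_port: int) -> int:
    """Receiver-side agent: invert the map on every incoming packet, authorized or not."""
    p = (A_INV * (wire_port - B)) % MOD
    return p if p else (A_INV * (p - B)) % MOD   # undo the cycle-walk on the sender side


def sender(agent_active: bool, authorized: bool, dst_port: int) -> int:
    """Only an authorized process with a running agent gets its traffic scrambled."""
    return scramble_port(dst_port) if agent_active and authorized else dst_port


def receiver(wire_port: int):
    """The receiver descrambles unconditionally and delivers only to a listening service."""
    internal = descramble_port(wire_port)
    return ("accepted" if internal in SERVICES else "blocked", internal)


def run_scenarios(dst_port: int = 443) -> dict:
    """The three cases from the text: authorized, unauthorized, and agent disabled/bypassed."""
    return {
        "authorized, agent running": receiver(sender(True, True, dst_port)),
        "unauthorized software": receiver(sender(True, False, dst_port)),
        "agent disabled or bypassed": receiver(sender(False, True, dst_port)),
    }


if __name__ == "__main__":
    for case, (outcome, port) in run_scenarios().items():
        print(f"{case:28s} -> {outcome} (receiver delivers to port {port})")
```

With these constants, port 443 from an authorized process travels on the wire as 62792 and is descrambled back to 443 and accepted; the same connection from unauthorized software, or from any process once the agent is disabled, travels as 443 and is descrambled to a port with no listener. The fail-closed property comes from the receiver never having a "pass through unscrambled" path, which is why disabling or bypassing the sender-side agent blocks everything instead of opening everything.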

Cyber 2.0 Deployment Process

  • 1. POC - We install the system on 20 computers, in monitor mode only (without blocking)
    Within a week we present a detailed report of all active malicious software within the organization's network (that has not been detected by any other defense system already deployed)

  • 2. Monitor Mode - Gradual deployment across the organization in monitor mode, while identifying legitimate software and removing unauthorized software. The process is repeated until there are no more alerts (all legitimate software approved, all non-legitimate software removed)

  • 3. Defense Mode - Gradual transition across the organization into full defense mode. This step is based on the customer's needs and may be achieved using different methods, such as:
       Automatic approval of all existing software, authorizing the system to block only new malicious software, until the transition to full defense mode is complete
       Critical systems in defense mode while the rest of the organization stays in monitor mode, followed by gradual transition of all other systems to defense mode

Full deployment takes no more than a few weeks (the pace of deployment is determined by each organization)