Closing the Loop in Cyberspace

CyberBit, the cyber technology company established by Elbit Systems under the direction of Adi Dar, implements in cyberspace a proven military concept: prompt loop closure to contain cyber events. For some time now, the cyber technology industry has been discussing the need to operationalize the cybersecurity process. The idea here is that a company that accomplished that objective on the battlefield would be able to accomplish it in cyberspace, too.

"CyberBit implements a holistic cybersecurity concept, based on four primary elements: intelligence gathering, data analysis, command & control and an enforcement capability," explains Adi Dar, CyberBit's CEO. "Elbit Systems have been involved in cyber technology for more than 15 years. It began with the acquisition of Elron Telesoft in 2001 and the establishment of Elbit's ISTAR Division, and evolved in April 2015 into CyberBit. Back then, they did not call it cyber technology, but the foundations had been cast years ago.

"The establishment of CyberBit followed a management decision to offer Elbit Systems' cyber technology capabilities to the civilian market, too, and to leverage Elbit Systems' cyber technology assets for that end. In the civilian world, you must operate differently. You need unsupervised freedom of operation, you have to develop a brand, stay innovative and respond promptly. In the defense/security world, Elbit is a solid brand, but that does not help if you want to sell a cybersecurity solution to a bank, an insurance company or a retail chain.

"For this reason, CyberBit is made up of two sub-units – one sells products to the HLS world and the other to the civilian world. The company that sells to the civilian world is unsupervised and its employees do not have to undergo a security vetting process. It uses a separate IT network and is run like any other cyber technology company around the world."

"One of the moves we made was the acquisition, in July 2015, of the cyber technology division of the NICE Company," explains Dar. "This move had matured three months after the establishment of CyberBit. The idea was to acquire the assets of the NICE Company in the field of intelligence gathering, combine them with Elbit's knowledge management and C3 capabilities, and combine all of that with the assets of the 4C Company Elbit had acquired back in 2011."

One of the solutions CyberBit offers belongs in the EDR (Endpoint Detection & Response) category. It is a client installed in a core-level workstation/server, under the operating system. It "sees" and records a lot of the processes taking place in the computer. The data from all of the clients throughout the organization are collected by a Big Data system, and used to run algorithms that search for patterns indicating a cyberattack.

"Each workstation produces dozens of megabytes per day," explains Dar. "If the organization has 100,000 workstations, it will amount to a lot of data that should be managed and analyzed every day. Not many companies in this field can accomplish that on such a scale.

"The ability to analyze the data from all of the workstations in the network makes it possible to identify a pinpoint attack against a specific workstation, and mainly to identify attacks where the attacker moves laterally through the network. Pursuant to the identification stage, the client may be issued with an enforcement command to kill processes in that workstation. In this way, the threat is contained very quickly. The combination of a client at the core level and Big Data capabilities gives us an advantage in the market."

Along with collection of intelligence from the clients fitted to the organization's workstations and servers, CyberBit offers legitimate intelligence gathering solutions, which include Open Source Intelligence (OSInt) and intelligence gathering capabilities for stationary or mobile communication networks, including satellite communication networks. "Combining all of these activities enables us to provide a systemic intelligence gathering solution – from the organization and from the outside environment. This improves the organization's ability to identify cyberattacks," says Dar.

Another solution is a SOC (Security Operations Center) management system: a system for managing the organizational cybersecurity operations center, intended to provide transparency into the organization's networks. The SOC should effectively manage the response to cyberattacks.

"This product enables automation of the SOC procedures," explains Dar. "These centers are normally manned by people just starting out in the world of cyber technology. They come to work there for a short period of time, hone their professional skills and leave. Moreover, major organizations deploy multiple SOCs at various locations around the world, so as to avoid overtime pay. It is known as 'Follow the Sun'. When the sun sets over one country, it rises over another country, and the management of the SOC follows the sun.

"If you combine these two elements vis-à-vis the fact that a high-quality cyberattack against an organization can last months, you will realize that without automation of the SOC procedures, the organization will not be equipped to cope effectively with such an attack. At this point, Elbit's experience in the C3 world comes into the picture. In the end, you are talking about numerous sensors that produce logs, and you need an application with a rules engine to provide the analysts at the SOC with a scale of priorities."

Another field of activity in which CyberBit is involved is cybersecurity for SCADA (Supervisory Control and Data Acquisition) infrastructures. These are assets the 4C Company had brought into Elbit Systems. "In SCADA networks, we perform passive monitoring along with the ability to stop inline attacks," says Dar. "The OT system world is simpler than the IT world as it has a finite number of protocols. It is a more structured world. At the same time, since the Stuxnet worm was identified and the electrical infrastructure of the Ukraine was attacked in December 2015, there has been more understanding of the significance of the threat. This is the reason why many countries are developing regulation in the field of SCADA security."

Replacing Anti-Virus Software

According to Dar, one of the threats that currently challenges the industry is ransomware. "This is a threat that compels you to resort to real-time blocking, even before the encryption, but it is very difficult to catch before the encryption. If you catch it after the encryption, you will have no guarantee about being able to save the information – and that is a fairly complex challenge.

"Ransomware changed the demands of the clients, and now they want response – not just detection. It is nice if you managed to detect it, but what will the organization do with it? And in order to respond, you need a client on the computer. That leads to a war over the clients. I had a meeting with an information security manager of a bank, who told me that they have nine clients on the computer. The battle today is over the 'real estate' in the workstation or server. Ransomware can damage a large number of end stations, and even servers. We know how to contain the infected devices so as to prevent the threat from spreading. According to some of the estimates in the market, this technology will replace anti-virus software."

Unlike the defense industry, which has a well-defined and relatively 'niche type' target market, with civilian cybersecurity solutions the market is endless. Private clients, SMBs or major clients in every country around the world already need or will need cybersecurity solutions.

"There will be no escaping the transfer of cybersecurity solutions to the cloud," says Dar. "If I could place the EDR in the cloud, while at the same time installing it in all of the client's devices, I would have solved a major percentage of the client's problems. One must understand that smaller organizations do not have an information security team or an SOC. Cybersecurity for SMBs (Small to Medium Businesses) must be provided through their cloud information security service provider or MSSP (Managed Security Service Provider). I am referring to cybersecurity services for organizations with a personnel of 100-150 employees or less that cannot afford to finance more expensive solutions.

"CyberBit is not there yet, but we understand that this is the right direction. We can see a trend of transition to the cloud, although the truly sensitive information as well as the client of the EDR are not being transferred to the cloud yet. That will take time. Soon we will have to make a decision as to whether we want to remain a provider of technology exclusively, or provide cloud services as well.

"It is important to note that CyberBit does not compete against defense/security industries that offer cyber technology products, but against civilian cyber technology companies. For a defense/security industry it is inconceivable to provide cloud services to SMBs. For us it is a very realistic question. It is a part of our future. Elbit Systems established CyberBit in order to develop a civilian cyber technology industry, and the future of that industry is in the cloud and in mass-produced solutions, like anti-virus software. That's where the money is."