CyberBit,
the cyber technology company established by Elbit Systems under the
direction of Adi Dar, implements in cyberspace a proven military
concept: prompt loop closure to contain cyber events. For some time now,
the cyber technology industry has been discussing the need to
operationalize the cybersecurity process. The idea here is that a
company that accomplished that objective on the battlefield would be
able to accomplish it in cyberspace, too.
"CyberBit implements a holistic cybersecurity concept,
based on four primary elements: intelligence gathering, data analysis,
command & control and an enforcement capability," explains Adi Dar,
CyberBit's CEO. "Elbit Systems have been involved in cyber technology
for more than 15 years. It began with the acquisition of Elron Telesoft
in 2001 and the establishment of Elbit's ISTAR Division, and evolved in
April 2015 into CyberBit. Back then, they did not call it cyber
technology, but the foundations had been cast years ago.
"The establishment of CyberBit followed a management
decision to offer Elbit Systems' cyber technology capabilities to the
civilian market, too, and to leverage Elbit Systems' cyber technology
assets for that end. In the civilian world, you must operate
differently. You need unsupervised freedom of operation, you have to
develop a brand, stay innovative and respond promptly. In the
defense/security world, Elbit is a solid brand, but that does not help
if you want to sell a cybersecurity solution to a bank, an insurance
company or a retail chain.
"For this reason, CyberBit is made up of two sub-units –
one sells products to the HLS world and the other to the civilian world.
The company that sells to the civilian world is unsupervised and its
employees do not have to undergo a security vetting process. It uses a
separate IT network and is run like any other cyber technology company
around the world."
"One of the moves we made was the acquisition, in July
2015, of the cyber technology division of the NICE Company," explains
Dar. "This move had matured three months after the establishment of
CyberBit. The idea was to acquire the assets of the NICE Company in the
field of intelligence gathering, combine them with Elbit's knowledge
management and C3 capabilities, and combine all of that with the assets
of the 4C Company Elbit had acquired back in 2011."
One of the solutions CyberBit offers belongs in the EDR
(Endpoint Detection & Response) category. It is a client installed
in a core-level workstation/server, under the operating system. It
"sees" and records a lot of the processes taking place in the computer.
The data from all of the clients throughout the organization are
collected by a Big Data system, and used to run algorithms that search
for patterns indicating a cyberattack.
"Each workstation produces dozens of megabytes per day,"
explains Dar. "If the organization has 100,000 workstations, it will
amount to a lot of data that should be managed and analyzed every day.
Not many companies in this field can accomplish that on such a scale.
"The ability to analyze the data from all of the
workstations in the network makes it possible to identify a pinpoint
attack against a specific workstation, and mainly to identify attacks
where the attacker moves laterally through the network. Pursuant to the
identification stage, the client may be issued with an enforcement
command to kill processes in that workstation. In this way, the threat
is contained very quickly. The combination of a client at the core level
and Big Data capabilities gives us an advantage in the market."
Along with collection of intelligence from the clients
fitted to the organization's workstations and servers, CyberBit offers
legitimate intelligence gathering solutions, which include Open Source
Intelligence (OSInt) and intelligence gathering capabilities for
stationary or mobile communication networks, including satellite
communication networks. "Combining all of these activities enables us to
provide a systemic intelligence gathering solution – from the
organization and from the outside environment. This improves the
organization's ability to identify cyberattacks," says Dar.
Another solution is a SOC (Security Operations Center)
management system: a system for managing the organizational
cybersecurity operations center, intended to provide transparency into
the organization's networks. The SOC should effectively manage the
response to cyberattacks.
"This product enables automation of the SOC procedures,"
explains Dar. "These centers are normally manned by people just starting
out in the world of cyber technology. They come to work there for a
short period of time, hone their professional skills and leave.
Moreover, major organizations deploy multiple SOCs at various locations
around the world, so as to avoid overtime pay. It is known as 'Follow
the Sun'. When the sun sets over one country, it rises over another
country, and the management of the SOC follows the sun.
"If you combine these two elements vis-Ã -vis the fact that a
high-quality cyberattack against an organization can last months, you
will realize that without automation of the SOC procedures, the
organization will not be equipped to cope effectively with such an
attack. At this point, Elbit's experience in the C3 world comes into the
picture. In the end, you are talking about numerous sensors that
produce logs, and you need an application with a rules engine to provide
the analysts at the SOC with a scale of priorities."
Another field of activity in which CyberBit is involved is
cybersecurity for SCADA (Supervisory Control and Data Acquisition)
infrastructures. These are assets the 4C Company had brought into Elbit
Systems. "In SCADA networks, we perform passive monitoring along with
the ability to stop inline attacks," says Dar. "The OT system world is
simpler than the IT world as it has a finite number of protocols. It is a
more structured world. At the same time, since the Stuxnet worm was
identified and the electrical infrastructure of the Ukraine was attacked
in December 2015, there has been more understanding of the significance
of the threat. This is the reason why many countries are developing
regulation in the field of SCADA security."
Replacing Anti-Virus Software
According to Dar, one of the threats that currently
challenges the industry is ransomware. "This is a threat that compels
you to resort to real-time blocking, even before the encryption, but it
is very difficult to catch before the encryption. If you catch it after
the encryption, you will have no guarantee about being able to save the
information – and that is a fairly complex challenge.
"Ransomware changed the demands of the clients, and now
they want response – not just detection. It is nice if you managed to
detect it, but what will the organization do with it? And in order to
respond, you need a client on the computer. That leads to a war over the
clients. I had a meeting with an information security manager of a
bank, who told me that they have nine clients on the computer. The
battle today is over the 'real estate' in the workstation or server.
Ransomware can damage a large number of end stations, and even servers.
We know how to contain the infected devices so as to prevent the threat
from spreading. According to some of the estimates in the market, this
technology will replace anti-virus software."
Unlike the defense industry, which has a well-defined and
relatively 'niche type' target market, with
civilian cybersecurity solutions the market is endless. Private clients,
SMBs or major clients in every country around the world already need or
will need cybersecurity solutions.
"There will be no escaping the transfer of cybersecurity
solutions to the cloud," says Dar. "If I could place the EDR in the
cloud, while at the same time installing it in all of the client's
devices, I would have solved a major percentage of the client's
problems. One must understand that smaller organizations do not have an
information security team or an SOC. Cybersecurity for SMBs (Small to
Medium Businesses) must be provided through their cloud information
security service provider or MSSP (Managed Security Service Provider). I
am referring to cybersecurity services for organizations with a
personnel of 100-150 employees or less that cannot afford to finance
more expensive solutions.
"CyberBit is not there yet, but we understand that this is
the right direction. We can see a trend of transition to the cloud,
although the truly sensitive information as well as the client of the
EDR are not being transferred to the cloud yet. That will take time.
Soon we will have to make a decision as to whether we want to remain a
provider of technology exclusively, or provide cloud services as well.
"It is important to note that CyberBit does not compete
against defense/security industries that offer cyber technology
products, but against civilian cyber technology companies. For a
defense/security industry it is inconceivable to provide cloud services
to SMBs. For us it is a very realistic question. It is a part of our
future. Elbit Systems established CyberBit in order to develop a
civilian cyber technology industry, and the future of that industry is
in the cloud and in mass-produced solutions, like anti-virus software.
That's where the money is."