TungNM4 | February 28, 2017
How did the CyRadar idea come about? (e.g. cybersecurity needs...)
The idea of developing CyRadar came to us quite accidentally. Initially, everything started from my studies of sophisticated attacks targeting organizations and enterprises in Vietnam. In the analysis, I happened to be able to trace a group of criminals specializing in writing malicious code. They created different malicious files to bypass anti-virus software, but shared a network infrastructure, including several servers used to control or collect data from the infected computers. I also noticed that the proportion of infrastructure reuse in malicious crime is very high.
So instead of scanning all files to find malware, as traditional solutions do, I would approach the problem by analyzing network connections, to detect attacks sooner. We would rely on the analysis of large data sets to build a "malicious map" indicating the "danger zone" that all malicious code in the world is connected to. At the same time, we would rely on analysis of network connections to detect abnormal and malicious acts.
I shared this idea with friends who were working as system administrators in large enterprises and asked whether they wanted to trial a new solution like this. Fortunately, some agreed. I, along with two others, focused on developing a trial version of the product in four weeks. Fortunately for us, the trial impressed the customers, so they agreed to expand the scope of testing beyond what was originally planned. After further development of the product, we also tested it successfully at another enterprise.
Finally, after seeing the market potential, we officially started this project, named CyRadar, with a first product: CyRadar Advanced Threat Prevention System.
Why CyRadar? (key benefit, selling point, competitive feature...)
In nearly 30 years of development, antivirus (AV) providers have found almost no way to change the war with those writing malicious code. An objective factor here is that malicious code is written proactively, as the attacker always sets the goal of avoiding discovery by the protective software. However, the most important factor deciding the loss is that the software itself currently has technological restrictions: it only uses signature-based or behavior-based methods to detect malicious code.
In fact, most APT (Advanced Persistent Threat) attacks were successful even though the business networks had antivirus software installed with the latest updates from well-known brands. Even the security firm Kaspersky became a victim of an APT in 2015.
Aware of that, our solution CyRadar focuses on solving the biggest problem at the moment: the ability to detect threats from malicious code early. CyRadar uses new technologies such as big data analysis and anomaly detection to avoid following the same failure path of using rules and identifying patterns. We also aim to develop technology that detects attacks without depending on each user's awareness.
One important milestone leading to the establishment of CyRadar was our second trial. At that time, the customer decided to run our product in parallel with a famous global solution. The result for us was very positive: there was some emerging malware that we were able to detect while the other solution was not. This helped us not only see the potential of the market, but also gain more confidence, relative to foreign products, to continue developing our own.
What are the technologies behind CyRadar? (machine learning, analytics, graph, malware analysis...)
Developed by an information security research team at the FPT Technology Department, CyRadar is a solution running on a separate device placed in the network of businesses/organizations, specializing in the analysis of network traffic to detect advanced attacks. CyRadar does not use agents installed on machines, nor any rules or signatures, to detect attacks.
CyRadar uses the following technologies:
Malware Graph: a patent-registered technology.
The idea stemmed from terrorism detection research on mobile networks: if you call criminals, you are likely a criminal. Applied to network monitoring, if a computer is connected to the "danger zone", that computer is in an area that needs tighter examination than other computers. This "danger zone" is what we call the Malware Graph. It is a graph-form database developed from the analysis of tens of millions of malicious code samples that have appeared, from which we localize the domains, servers and cybercrime groups in the world. From there, we connect these malicious components into a giant graph called the Malware Graph.
Criminal groups have been automating many steps to implement new attacks, in which many malicious domain names are born. CyRadar monitors all domains created in real time to instantly detect which domain names are being used for malicious purposes. From that, we know about an attack even before it has happened.
Sandbox: automatically analyzes binary files on the CyRadar Cloud.
We built a fully automated environment to check suspicious files that enter the enterprise network. These files can get past traditional anti-virus software, but with CyRadar's system for assessing malicious behavior, we can easily find new attacks using malicious code.
Anomaly Detection: applying detection of unusual behavior on the network to prevent attacks.
By monitoring the network intelligently, CyRadar can discover unusual behavior in the organization's network earlier. Unusual changes such as connections to strange IP addresses, or changes in bandwidth, connection frequency, connection time, etc., are recorded by CyRadar to reveal the network attacks behind them.
Currently, CyRadar has been tested in a number of organizations and is highly appreciated by Mobifone, MoMo, VietNamNet, FPT Telecom, VTC Intercom and some government agencies.
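The two network-side checks described in this answer, the "danger zone" graph lookup and the connection-pattern anomaly check, as an added worked example in Python. This is illustrative code written for this page, not CyRadar's own implementation: the domain names, IP addresses (taken from RFC 5737 documentation ranges) and the connection log are constructed, and the hop limit and regularity threshold are assumed parameters rather than anything the interview states. The graph part shows how one known command-and-control domain "pulls in" the other domains hosted on the same servers (infrastructure reuse); the anomaly part flags a host whose connections to such a domain arrive on a fixed timer, which is what a beaconing implant looks like from the network.

```python
"""Added example: a toy 'malware graph' plus a beaconing-style anomaly check.
Illustrative code for this page, not CyRadar's implementation."""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed threat-intel feed: (domain, ip) resolutions seen while analysing
# malware samples. Hypothetical names; IPs are RFC 5737 documentation addresses.
INFRA = [
    ("update-check.example", "203.0.113.10"),   # C2 domain from a known sample
    ("cdn-files.example", "203.0.113.10"),      # shares that server with it
    ("cdn-files.example", "203.0.113.11"),
    ("stats-collect.example", "203.0.113.11"),  # one hop further out
    ("news.example", "198.51.100.5"),           # unrelated, benign
]
KNOWN_MALICIOUS = {"update-check.example"}

# Constructed connection log from a monitored network: (seconds, src, dst).
CONNECTIONS = [
    (0, "10.0.0.5", "cdn-files.example"),
    (60, "10.0.0.5", "cdn-files.example"),
    (120, "10.0.0.5", "cdn-files.example"),
    (180, "10.0.0.5", "cdn-files.example"),
    (240, "10.0.0.5", "cdn-files.example"),     # exact 60 s cadence
    (15, "10.0.0.7", "news.example"),
    (400, "10.0.0.7", "news.example"),
    (412, "10.0.0.7", "news.example"),
    (3000, "10.0.0.7", "news.example"),         # human-like, irregular
    (50, "10.0.0.9", "198.51.100.77"),          # unknown IP, not in the graph
]


def build_graph(pairs):
    """Undirected bipartite graph: domain <-> IP for every observed resolution."""
    graph = defaultdict(set)
    for domain, ip in pairs:
        graph[domain].add(ip)
        graph[ip].add(domain)
    return graph


def danger_zone(graph, seeds, max_hops=2):
    """Breadth-first expansion from known-bad nodes.

    Returns {node: hop distance}. With max_hops=2 a seed domain pulls in the
    servers it used (1 hop) and every other domain hosted on those servers
    (2 hops): the shared infrastructure the answer above describes.
    """
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:
            continue
        for neighbour in graph.get(node, ()):
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    return dist


def zone_hits(connections, zone):
    """Internal hosts that contacted anything inside the danger zone."""
    hits = {}
    for _, src, dst in connections:
        if dst in zone:
            hits.setdefault(src, {})[dst] = zone[dst]
    return hits


def beacon_like(connections, min_count=4, max_cv=0.2):
    """(src, dst) pairs whose inter-connection gaps are suspiciously regular.

    Coefficient of variation (stdev / mean) of the gaps near 0 means a fixed
    timer; human browsing is bursty and scores far higher. The thresholds are
    assumed values for this example, not tuned figures.
    """
    times = defaultdict(list)
    for ts, src, dst in connections:
        times[(src, dst)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < max(min_count, 2):   # need at least one gap
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged[key] = round(cv, 3)
    return flagged


if __name__ == "__main__":
    zone = danger_zone(build_graph(INFRA), KNOWN_MALICIOUS)
    print("danger zone:", zone)
    print("hosts touching it:", zone_hits(CONNECTIONS, zone))
    print("beacon-like flows:", beacon_like(CONNECTIONS))
```

Run as a script, the danger zone contains the seed domain, its server 203.0.113.10 and the sibling domain cdn-files.example; host 10.0.0.5 is reported both for touching that zone and for its fixed 60-second cadence, while 10.0.0.7's irregular browsing and 10.0.0.9's single connection to an unknown address are not flagged. Raising max_hops to 4 extends the zone through 203.0.113.11 to stats-collect.example, which is the trade-off in practice: more hops catch more of a group's infrastructure but also pull in shared hosting that is not malicious.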
How does CyRadar contribute to cybersecurity in the trend of digital transformation?
From the Malware Graph technology, we have built a platform to analyze and detect new attacks (CyRadar Threat Intelligence Platform). This platform can be put to many different uses, for both businesses and personal users. At the start of CyRadar, we decided to begin by targeting the enterprise segment with CyRadar Advanced Threat Prevention System. Besides that, however, we are constantly looking for opportunities to protect individual users.
We are taking the first steps towards protecting the security of mobile devices. Currently, on smartphones there are many different things that need protection: protection when browsing, avoiding loss of money in electronic payment applications, etc. If you own one app specializing in security, it still cannot protect all the other applications. Besides, building our own browser, our own electronic wallet or our own operating system just because we have strengths in security is not feasible. Therefore, my approach is very clear: focus on what you are best at. Currently we have partnered with some mobile app development companies and integrate the CyRadar security component into their products to protect users.
CyRadar is also aimed at innovation trends in the modern working environment of enterprises, as the personal devices brought into the enterprise are very diverse and the IoT and BYOD trends are increasing. We seek opportunities to cooperate with Internet service and telecom providers to offer security service packages that protect users right from the network.