Cobrador: On guard

Cobrador, a start-up that develops network security technology, offers organizations something like a cross between a firewall and a sandbox.

Like the rest of us, Cobrador cofounder, CTO, and acting CEO Ofer Akerman (“I hope to find a replacement soon, so I can concentrate on technology”) wonders how it is that the rate of break-ins and work stoppages is outstripping the technologies designed to prevent them.

Akerman compares the penetration of an organization’s security layer to recent terrorist attacks. The moment the perimeter fence or roadblock is penetrated, all that remains is to wonder where exactly the blow will fall. Cyber terrorists don’t accidentally blow themselves up the way ordinary terrorists do. As with combating ordinary terrorists, however, the war begins with intelligence gathering.

Akerman says, “Current security software fights against things that are known. In the case of a new security break-in, there is a period of several weeks or months in which the security organizations issue warnings about the new hole in the fence, but security can still be penetrated.” If one of the security companies does update its product, it usually spells out what is different about the new version. Anyone reading the new version’s update page will know the weak points of the previous version and can immediately use them to plan more break-ins.

Akerman says the idea is to employ intelligence methods to anticipate the attack before it takes place. This is done through monitoring the enterprise’s internal and external systems and identifying suspicious operations as a “pre-break-in.” One of the most common ways of gaining access to a network is to plant a Trojan horse in a laptop computer belonging to a company employee that is set off when the employee hooks up to the enterprise’s network. This takes advantage of the employee’s authorization to send and receive information through the Internet. The Trojan horse sends an item of information from the network to the horse’s owner somewhere in cyberspace.

Most security applications solve most problems, but Akerman says the investment in security sometimes exceeds the investment in an organization’s work. Furthermore, Akerman asserts, most, if not all, of the programs warn of a break-in after it has taken place, not in real time. Akerman: “You can’t expect the enterprise’s security man to waste several hours every morning in going over the list of the previous night’s operations just to update it to include attempted break-ins. He’ll ignore it after a month.”

Between Check Point and Finjan

“Our system sets up a reporting, warning, and defense layer from the user’s PC to the firewall. For example, take a security break-in at the user’s station. Say that one of the enterprise’s employees uses a previous version of ICQ that doesn’t get along with the firewall, and decides on his own to disable the firewall. Some companies, like Israeli company Finjan, run a kind of sandbox on the user’s computer, which checks the application before allowing him to use it. This solution may be logical, but the sandbox creates a load on the computer and interferes with regular work. We believe the load created by the examination and monitoring process should be divided between several points. A sort of hierarchy should be set up, with each point reporting to the next point, without creating an overload.

“Those points constitute the smart agents, which have little volume and no interface. The agent can report to the system any change in the computer, even if the computer leaves the enterprise’s premises and returns, as in the example of a laptop. At the next level, that of the enterprise’s servers, sits another agent. At the third level, there is another component. This is a hardware product called a Bouncer, which is actually the first product that our company plans to market in the near future.”

Akerman says that in contrast with other hardware-based security products, the Bouncer has no IP address, and therefore cannot be identified from outside, which prevents a direct attack on it. The Bouncer is designed to prevent seemingly legitimate information from reaching undesirable hands. Akerman: “Some applications send out information that's liable to be useful for attacks against you, without your knowledge or authorization. For example, the IIS server announces that it is that kind of server and what version it is. Anyone going to the Microsoft web site and reading the announcements about security revisions for that server series can find its weak point.

“The Bouncer also collects information about attempts to scan the system from outside, in order to analyze the source of the attempts, discover the addresses from which these scans are coming and the real addresses, and combine this information with the future defense system of the agents scattered around the system. In contrast to a firewall, it can also absorb information from the header of packets reaching the system.”

In the penetration detection field, Cobrador is competing head to head against CA, Internet Security Systems, and Snort (although the latter may sound like something originating with the nose, it is the name of a group dealing in security based on open source architecture). Akerman asserts, however, that in contrast to his highly regarded competitors, his solution not only gives an alert of a break-in, but is also able to repair the breach.

How will you handle companies that employ user behavior analysis to identify undesirable activity within the enterprise, for example, a user spending a lot of time in a directory with sensitive documents?

Akerman: “Those companies use statistical behavioral analysis. I know that model. We even did research to neutralize this identification model. You can sniff things out in smaller groups, maybe from different places, spread over 24 hours. In short, it’s possible to work with these systems.”

Assume someone has managed to take over my computer and use me as a zombie that follows orders, accesses documents for which I have authorization - all the while not arousing the system’s suspicion.

“Here I take pride in my system, which is constructed of defense layers. The layer on that user’s computer may not suspect anything is amiss, but the moment the server layer detects it, regardless of the user’s authorization level, it sounds the alarm.”

The network manager installs the agents by sending an e-mail message through the system. If you’re worried about security problems in ActiveX and Java, relax – the code is written in Assembler. The Bouncer will also be offered for sale as a stand-alone component, although Akerman says the combination with smart agents makes for a better security system. The price of the basic system, which can handle 50 users, is $8,500. The next step will be to 250 or more users.

Two beta trials are currently being conducted, one with German communications corporation Harman International Industries (Xetra:872136.DE) and the other with Israeli company Magic Software Enterprises (Nasdaq: MGIC), where Akerman used to work. Cooperation with an Israeli Internet provider is being discussed.

Business Card

Name: Cobrador

Founded: 2000

Founders: Ofer Akerman, Amir Ela, Rami Efrati

Product: An enterprise security system based on both software and hardware

Competition: CA, Internet Security Systems, Snort

Employees: 12

Previous financing round: $400,000 from 4Hightech, private investors

Web site: www.cobrador.net

Published by Israel's Business Arena on February 25, 2002
