The good guys are floundering when it comes to disrupting cyberattacks. The FireEye 2014 report declared that 229 days is the average time it takes IT-security teams to discover the company’s network has been breached. Another troubling statistic for beleaguered IT-security staff is that the 2015 Damballa/Ponemon Institute report noted the average enterprise receives 17,000 malware alerts weekly from their IT-security products, though a mere 19% of the alerts are deemed reliable.
Time for a change in tactics
For a while now, there has been talk of changing tactics to protect an enterprise’s network perimeter. Instead of relying on the familiar firewall/IPS/IDS shield, why not grab the bad guys in the act using real-time traffic analysis to distinguish normal internal network activity from bad-guy activity? Cuvepia Inc., a South Korean computer-security company, agrees.
Seok Chul, Kwon, Cuvepia CEO and advisory board member for South Korea’s cyberwarfare command, along with his team at Cuvepia have parlayed the above requirements into a viable security platform called KWON-GA Behavior Monitoring. “The solution detects and displays in real-time whether inside systems are secure or not. KWON-GA also monitors if any ports are open for connections to the outside and if any malware is operating inside the system,” as stated on the Cuvepia website.
In addition, KWON-GA has the capability to:
- Trace and record all malicious intrusions (back to the origin if possible);
- Save digital-forensic information in real-time; and
- Operate in stealth mode.
The KWON-GA platform consists of a Cuvepia appliance and agent programs installed on workstations and servers. The platform is controlled and configured via a web dashboard similar to the one shown below.
Here are some examples of how KWON-GA prevents malicious activity from occurring inside an organization’s network:
- Files can be transferred between KWON-GA protected computers and then opened, but not between KWON-GA protected computers and unknown computers.
- Hard drives removed from KWON-GA protected computers are unreadable in other implements.
- KWON-GA protected files cannot be reverse-engineered.
- Data can be sent via the authorized email system, but not using personal email, messenger, or FTP applications.
- Files and directories are hidden from remote attackers.
- KWON-GA disallows memory hacking, preventing attackers from ascertaining user activity.
CEO Kwon told tech-media outlets that KWON-GA logs all activity on a network, separating the traffic into allowed and unallowed. If certain negative conditions (configured by the company) are met, KWON-GA sounds an alarm. The security team can then decide what steps to take. Some options Kwon mentioned are observing the attack to determine weaknesses in the company’s defenses, breaking the attacker’s connection, or even tricking the bad guys into stealing meaningless files.
Pricing is steep
“Installing Cuvepia’s cheapest monitoring product on 1,000 computers for a year costs 450 million won ($410,000),” writes AP’s Youkyung Lee. “That is many times the cost of installing antivirus software though the cost drops significantly after the first year.”
Kwon added that executives should consider cybersecurity as an investment, and not a cost.
New, but battle-tested
As of this writing, I was unable to find any third-party reviews of KWON-GA. Nara Lee of Cuvepia wrote that these organizations are currently using the KWON-GA monitoring platform: online and mobile payment innovator Mobilians, South Korean government office Gyeong-Gi, and South Korea’s Military National Department (Cyber Command).