Real-Time Endpoint Threat Detection and Response

Big Data from Our Point of View

Posted by Amir Szekely    Apr 8, 2014 2:33:00 PM

The words Big Data get thrown around a lot these days. Large players in the security space have been using the term to talk about their ability to collect huge amounts of data at scale because of their cloud infrastructures. This raises concerns for enterprise companies who do not, in fact, want their critical information assets sent to an off-premise cloud, where they don't control how the data is stored or secured.

At CounterTack we also talk about Big Data, but unlike the majority of other security organizations, we leverage Big Data technology in a unique way.  Our ability to collect data on behaviors across thousands of endpoints is one way we leverage this Big Data approach.

Where we differentiate ourselves is that all of our data collection is located on-premise, allowing our customers to have complete control over where their information is being stored.  Data storage will continue to be one of the biggest concerns facing the market right now because data never stops coming in.

Here's a quick look behind the curtain at an example of CounterTack's work with Hadoop, where our goal is to consistently push the envelope in terms of improving speed and performance of our CounterTack Sentinel endpoint threat detection and response platform. There are many processes that we implement, and many challenges we solve daily - some big and some small. Here's an interesting issue I came across that I wanted to share.

I had a problem where HDFS would fill up really fast on my small test cluster. Using hdfs dfs -du I was able to track it down to the MapReduce staging directory under /user/root/.staging. For some reason, it wasn’t always deleting some old job directories. I wasn’t sure why this kept happening on multiple clusters, but I had to come up with a quick workaround.

I created a small Python script that lists all staging directories and removes any of them not belonging to a currently running job. The script runs from cron and I can now use my cluster without worrying it’s going to run out of space.

This script is pretty slow and it’s probably possible to make it way faster with Snakebite or even some Java code. That being said, for daily or even hourly clean-up, this script is good enough.

True Analytics with Context Are a Game-Changer in Security

Posted by Tom Bain    Apr 1, 2014 2:44:00 PM

Analytics are an incredibly powerful source of information that can help teams drill down into often obscure or hard-to-analyze information, and make sense of data they wouldn’t normally have collected and organized. 

In security, it's becoming more important to manage information so teams can review, digest and react to prioritized data sets that might map to areas of expertise across the team, certain types of attacks or even responsibilities such as network vs. applications.

Topics: APT

RSA 2014: Looking for True Innovation in Endpoint Security?

Posted by Tom Bain    Feb 25, 2014 12:58:00 PM

RSA is here. It’s all about the latest and greatest security technologies, big personalities, networking, education. But really, it’s about opportunity and innovation.

Global attackers have afforded us that opportunity, and have put organizations in such a state of continuous compromise that now more than ever, it’s time for companies to re-think traditional security models.

Topics: cybersecurity, Sentinel, endpoint security, CounterTack, threat detection

Show Us the Way CryptoLocker!

Posted by Sean Bodmer    Nov 22, 2013 3:38:00 PM

Ransomware is a class of crimeware that locks down an infected system by preventing users' access to their data, whether stored locally or on accessible shared network drives. Access is only sometimes restored to the victim after a sum of money is transferred to a remote blackmailer.

CryptoLocker, one of the latest variants in this family to surface over the last few months, has recently made some noise across the industry. Ransomware is one of the busiest (and most annoying) threats of 2013, and is experiencing another comeback tour, so we decided it's time to take a peek under the hood of the latest variant's campaign to see what the author team is up to as of late and how the actual threat compares to its evasion techniques.

Topics: Cyber Crime, Cyber Security, malware, Cyber Attack, APT, cybersecurity, malware infection, malware analysis, Scout, Sentinel, endpoint security, CounterTack, Breaches, Zero-day Attack, in-progress attacks, Sean Bodmer

You Don't Need to Break Your Toys Because They 'Don't Work'

Posted by Tom Bain    Jul 12, 2013 10:26:00 AM

Sometimes you can equate certain situations to others, i.e., actions you may take in your professional life might mimic actions you took as a child. 

Topics: cybersecurity, Tom Bain, malware infection, malware analysis, Scout, Sentinel, automated security intelligence, automated security, endpoint security, CounterTack

Reducing 'Attack Dwell Time' is Critical in Limiting an Attacker's Effectiveness

Posted by Jim Ishikawa    May 24, 2013 9:54:00 AM

Last week, the New York Times reported that just three months after hackers working for the Chinese People’s Liberation Army went dark, they’re back at it again, targeting countless American companies and government agencies. The group is responsible for many high profile breaches – from Coca-Cola to RSA to Lockheed Martin.  While many of us were not surprised by this recent resurgence of attacks, it is very troubling to note that “the victims were many of the same ones the unit had attacked before.”

So they’re back in.  What’s the problem?  I don’t think it’s for lack of trying.  Certainly among our enterprise customers, everyone is heavily invested in the latest advanced threat tools and sophisticated security analysis and incident response teams.  And I don’t think it’s because the Chinese have better attack tools. Our research indicates that their weapons are generally no more (or less) sophisticated than those of other criminal enterprises around the world. 

Topics: cybersecurity, Dwell time, threat detection

Gartner’s Top Security Trends and Takeaways: Intelligence Top of Mind and Honeypots on the Horizon

Posted by Nate Buell    May 20, 2013 1:04:00 PM

Last week, Gartner presented their Top Security Trends and Takeaways for 2013 in a session led by Earl Perkins, Research VP. Perkins took a comprehensive look at the shifting challenges and opportunities within the cybersecurity field.

Topics: Cyber Defense, Honeypot, Gartner

New Stealth Agent and Enhanced Analysis Engine in Scout 4

Posted by Nate Buell    May 8, 2013 9:10:00 AM

Topics: Honeynets

CounterTack News Bulletin – May 6, 2013

Posted by Nate Buell    May 6, 2013 11:00:00 AM

What We’re Reading this Week

There are numerous options out there for enterprises looking to boost their cyber defenses – from downloadable freeware to seemingly impenetrable premium solutions, the array of options can seem endless. Though useful and important, nothing will keep today’s motivated cyber attackers from getting through. By now, many organizations have accepted this sobering truth, and have shifted their focus from keeping attackers OUT, to finding out what they are doing once they get IN. What motivates them? And how are they going to try to get what they’re after? We’ll examine this, and other topics that caught our attention this week, in today’s news bulletin.

Topics: Cyber Security, Cyber Attack

The Pitfalls Behind and Ahead: Part 2

Posted by Sean Bodmer    Apr 25, 2013 1:25:00 PM

Topics: Cyber Security, Detection Gap

Blog covers topics related to detecting and monitoring in-progress cyber attacks for IT security operations teams.