Israeli cybersecurity company TrackerDetect operates in the field of application, detection and Response (ADR), offering a solution that monitors On-Prem or SaaS application usage in order to detect internal threats, fraud such as embezzlement, and more.
So, how does the product work? Well, the company developed a patented application log analysis engine. The organization is responsible for collecting the logs. The engine, TrackerIQ, reads the log files from all the applications it wants to monitor on the various platforms. The TrackerIQ product connects to the repositories where all the logs are kept, and analyzes the data history; once this process is completed, you get loads of application user profiles divided into clusters.
Once the logs are clustered, TrackerIQ operates continuously to enable detection of anomalies within the organization. "The power of our solution lies within our ability to connect the dots," explains Doron Hendler, CEO and co-founding partner of the company. Hendler's partners are CTO David Movshovitz and Chief Architect Adi Degani.
"We know how to look at application usage by dissecting a bunch of activities that make up an action. In one of the pilots we ran with an insurance company in Israel, they gave us their application logs for the last two years, and we were able to recognize 30 unusual events," says Hendler.
"Amongst those anomalies, six were connected to a former employee who had been fired for fraud . The company knew about the fraud, but had no idea that this former employee had done a "test run" two months prior to the fraud and had transferred one shekel to check if it would work and if anyone would notice. Our engine found it on its own, based entirely on the analysis of the employee's activities using the application."
"Our model analyzes the user’s activities, the order in which they are done and the time between each action. Based on this information the engine creates behavioral groups. Once we have the behavioral profiles, we compare all the sequences of the activities with the application using two criteria – the user’s history and his behavioral group. If we discover an anomaly, we flag it."
“We are an ADR solution; we don’t need to know where the application works or who created it. As long as we have access to the logs, we know how to analyze them. Other detection systems work according to set rules, like playbooks written ahead of time. They don’t provide answers for the questions that arise regarding what a user did with a certain application, or what business process he tried to exploit. We know how to make that connection. It takes approximately three weeks to analyze an application."
How does the company know that its product is effective, namely that it discovers all the anomalies by an employee using the application? Well, Hendler explains, at the time of purchase, the organization requests a check of the events that occurred during a certain period. "We locate the events, and they verify our findings, or they ask us to find specific events that occurred, and we find them," Hendler tells us.
TrackerDetect is not the first or only company to provide internal threat detection. There have been several Israeli companies that have tried and failed, mainly due to employee privacy issues, especially in Europe and the U.S. where there are privacy regulations that can cost companies a lot of money.
What has privacy got to do with it? Well, most systems of this genre collect data based on the employee's behavior. Besides the technical data found in the logs of the systems the employee used, there is also data in the access layer, HR systems and more. In order to detect an internal threat, you need to connect the dots – and lots of them. The company, for example, looks at all the sequences of action by the user, including active-directory connections to the organization in order to determine if the actions were done from home or from the office.
With TrackerDetect, the system tokenizes the user's details. The data is collected under serial numbers that do not reveal the employee's identity. If a manager within the organization wants to know who the employee is, he or she will need to get the required permissions. This mechanism allows the company to work within the EU under the GDPR regulations without any concerns. "One of our larger clients from the very beginning is a major financial group in Italy called Poste Italiane with over 120,000 users," says Hendler.
The Challenge: False Alarms
The system knows how to monitor actions in every application in an organization, as well as those of all the applications together. In other words, every layer of the company's applications can be monitored. "Every application has its own business logic that creates many behavioral profiles. For every application, TrackerIQ automatically creates many profiles. However, there need to be a small number of warnings - sufficient and precise," says Hendler.
"In a certain organization with 52,000 employees that works with Office 365, we found between 7-12 warnings per week. At least one of them was a real warning. Someone did something against the protocol. In one instance an employee deleted a collective policy from an insurance company. How would the company even realize it without our engine? There are no solutions for companies today to monitor application procedures."
The company's solution has been adopted by the four largest banks in Israel and two large insurance companies (negotiations are underway with two more). The company has clients in Italy and negotiating with potential U.S. clients in the real estate field. The business logic is based on the fact that the companies can save on analyst and SOC salaries. "An analyst knows how to analyze an average of between two and four events a day. Our system enables analysis of 10-15 events per day. This means that the organization does not need to recruit additional analysts to analyze more events”, says Hendler.
“We assume that the more events you analyze, the more you can discover potential damage at early stages and therefore save the organization money. TrackerIQ also enables learning from events that have occurred. In the future, the analyst will know how to handle a similar or an identical event and get advice on what to do. The system is also used to save knowledge in an SOC. Our goal is to connect the SOAR systems in order to enforce the findings."
Discovering lateral movement
"Recently we were asked if we can analyze the access layer logs. Since the entire organization uses SSO system, this means that if you have the username and a password, you can access several applications and move laterally on the network. If we monitor all the organization's applications, we can recognize specific user anomalies in several places and send warnings about lateral movement. This solution is already in place with two of our clients."
So, what is the company planning for the future? Well, Hendler explains that since the beginning of the Covid-19 pandemic, there have been requests for the solution in SaaS format (it is currently only available for On-Prem/Cloud) so it can be available globally for MSSP/MDR providers and the SME market. Right now, there is an Alpha solution that will be available towards the end of this year. "Our dream is to have a black box where you can upload your logs and receive answers. There are no security solutions like ours anywhere in the world," Hendler concludes.