You may think you already know about breach detection systems. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) have been around for some time now. However, if this is what you were thinking about when you read breach detection systems, you are looking in the wrong direction. The two are not the same thing.
While intrusion detection systems try to prevent network break-ins by outsiders, breach detection systems look for malicious software activity on the network. Breach detection is a new term for an old problem. The difference between BDS and a firewall is that breach detection operates within the network, whilst firewalls are boundary tools that try to block malware at the point of entry.
No time to read through all the details right now? Here is our list of the ten best breach detection systems:
- CrowdStrike Falcon Prevent (FREE TRIAL) A cloud-based endpoint protection platform that is termed a next-generation antivirus system.
- BreachSight A cloud-based risk assessor and system breach scanner from UpGuard.
- Trend Micro Deep Discovery Inspector A highly-rated threat protection hardware appliance that includes constant port and protocol monitoring plus software event tracking.
- Imperva Data Activity Monitoring Protects data in databases and files, on-premises and on the cloud.
- FortiSandbox A proactive advanced threat detection system that is available as an appliance, as a VM, or as a cloud-based service.
- Change Tracker Spots unauthorized alterations to a system, including ones that could pass as expected changes made under a change management process.
- InsiderSecurity A Singapore-based threat protection monitor. Available from the cloud or for on-premises installation.
- HackWatchman A BDS from Activereach that creates a ghost device that acts as a honeypot to attract any intruders that get onto the network.
- Lastline Defender Breach protection tool for email systems, networks, cloud resources, and IoT devices.
- SpyCloud Locks down system user accounts and particularly highlights abandoned but live accounts.
The definition of BDS sounds a lot like an antivirus system. It is. However, an antivirus program checks on a single computer for known malware but a BDS watches activity on a network and throughout an IT system. A BDS can be implemented as software or as a hardware device.
The security threats detected by BDS are a little wider in behavior than the activities detected by a typical anti-malware system. The malicious software that the BDS looks for could be part of a suite of attacking software, launched manually by an intruder.
Each individual program run might seem compatible with the normal activities of the business. It might be the execution of legitimate software already resident on your system. BDS doesn’t just look at each individual process but detects combinations of programs that could be combined for malicious purposes.
The ten best breach detection systems
The definition of BDS is new and so there aren’t many suppliers for this type of system yet.
You can read more about each of these tools in the following sections.
CrowdStrike Falcon Prevent is a range of packages in four service levels: Pro, Enterprise, Premium, and Complete.
CrowdStrike markets the Falcon Prevent range as a “next-generation antivirus.” The term is accurate, but Falcon goes a lot further than just a malicious software scanner. It is a breach detection system. Falcon doesn’t just scan for known malware. It has detection systems that can catch software that is performing unexpected actions even if that program hasn’t previously been spotted and marked as malware. It is also able to detect combinations of authorized, valid software that could indicate intrusion when executed in a specific sequence.
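The chain detection described above, in which each program is benign on its own and only the ordered combination raises an alert, can be illustrated with a small correlator. This is an added example, not CrowdStrike's code; the rule, tool names, hosts and users are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    program: str

@dataclass(frozen=True)
class ChainRule:
    name: str
    steps: tuple          # program names that are individually legitimate
    window: timedelta     # all steps must run within this span to count as a chain

def find_chains(events, rule):
    """Return one alert per (host, user) run of rule.steps, in order, within rule.window."""
    alerts = []
    sessions = {}
    for ev in sorted(events, key=lambda e: e.ts):
        sessions.setdefault((ev.host, ev.user), []).append(ev)
    for (host, user), evs in sessions.items():
        for i, start in enumerate(evs):
            if start.program != rule.steps[0]:
                continue
            want = 1                       # index of the next step still to be seen
            for ev in evs[i + 1:]:
                if ev.ts - start.ts > rule.window:
                    break                  # chain expired before completing
                if ev.program == rule.steps[want]:
                    want += 1
                    if want == len(rule.steps):
                        alerts.append({"rule": rule.name, "host": host, "user": user,
                                       "start": start.ts, "end": ev.ts})
                        break
    return alerts

# Constructed sample: the tool names, hosts and users are hypothetical.
STAGE_THEN_MOVE = ChainRule("stage-then-move", ("archive_tool.exe", "transfer_tool.exe"),
                            timedelta(minutes=15))
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "ws-01", "alice", "archive_tool.exe"),
    ProcEvent(T0 + timedelta(minutes=5), "ws-01", "alice", "transfer_tool.exe"),  # chain within window
    ProcEvent(T0, "ws-02", "bob", "archive_tool.exe"),
    ProcEvent(T0 + timedelta(hours=5), "ws-02", "bob", "transfer_tool.exe"),      # too far apart
    ProcEvent(T0, "ws-03", "carol", "transfer_tool.exe"),
    ProcEvent(T0 + timedelta(minutes=2), "ws-03", "carol", "archive_tool.exe"),   # wrong order
]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_EVENTS, STAGE_THEN_MOVE):
        print(alert)
```

Only ws-01 produces an alert; the same two programs out of order or hours apart do not.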
The philosophy behind all breach detection systems is not to prevent malicious software from getting on the network – edge services are supposed to do that. The purpose of these systems is to catch malware that manages to dodge firewalls and access controls.
Falcon Prevent moves protection back from the network boundary all the way to its endpoints. You shouldn’t abandon firewalls and access controls, but you should use Falcon as a fallback in case those systems fail.
Although this is a cloud-based service, its protection isn’t broken if the internet gets disconnected. The Falcon Prevent software includes on-site agents that don’t cut off when they can’t reach the controller on the CrowdStrike servers.
The system includes automated protection actions and audit trails to help users understand a concerted and repeated attack vector. The audit trail is also a good source of data protection standards compliance evidence.
CrowdStrike offers a 15-day free trial of the Falcon Prevent system so you can put it through its paces and decide on its suitability for your company’s data defense strategy.
BreachSight is a very competent breach detection system from UpGuard, which produces a range of security products that are ideal for online retailers.
The BreachSight system has an attractive management console that is accessible online. The whole system is delivered from the cloud so you don’t need to worry about server space to host the cybersecurity system.
The security system tackles data protection from two angles:
- Data leak vulnerability
- Credentials disclosure
The vulnerability scanner runs continuously. It alerts the data manager of any suspicious data access attempts. It will also highlight system security weaknesses that need to be closed off. The scanner looks for running processes and scans the code for the programs, looking for malicious intent.
BreachSight is able to detect when employee credentials have been disclosed. The credentials protector checks for unexpected activity and alerts the company’s systems administrator to revoke credentials that are suspected of being compromised.
The BreachSight system includes automated remediation scripts. All steps are fully documented. The records of breach detection and remediation form a valuable archive, which you will need in order to demonstrate compliance with data protection security standards.
The package of breach detection measures includes access to cybersecurity experts at the UpGuard offices. These consultants will guide your system administration team in interpreting the data raised by the application. That breach event log is even able to identify the parties responsible for the breach, enabling your company to sue for the recovery of losses or, at least, to get the authorities to deal with the perpetrator.
This is an excellent breach detection system, but you will need to check it out for yourself in order to understand how it will fit into your data protection strategy. You can get a free demo of the system over at the UpGuard website.
Trend Micro is a major antivirus brand. All AV providers are currently moving forward to provide more comprehensive cybersecurity services. Trend Micro has developed a breach detection system that will help it pull ahead of the competition.
This is an appliance that you plug into your network, much as you would a firewall. Don’t replace your boundary protection services with the Deep Discovery Inspector because this appliance’s attention is drawn toward activity within the network.
The strength of this tool lies in its ability to catch the interactions between Trojan software and its external controllers.
A very distinctive feature of attacks that breach detection systems are designed to block is that seemingly unrelated software gets manipulated to work in concert for malicious purposes. Deep Discovery Inspector aims to detect the controlling force that commands legitimate software to contribute to data breaches.
This system operates at the network level and looks for suspicious combinations of events. It covers endpoints, web and email applications and network traffic to build up threat analysis profiles. It does not use the traditional AV tactic of reference to a malware characteristic database. Thus, it is able to detect “zero-day” attacks. It reaches into applications, including email and web servers to fish out attack strategies before they have a chance to reach targets.
This is an innovative breach detection system from one of the world’s leading cybersecurity operations.
Data activity monitoring covers every type of data storage, from databases to files, and this suite of system security measures covers all of them.
Imperva stresses the importance of its service’s ability to prove data security standards compliance. As a systems administrator, you have two data protection priorities: protecting data and proving that you have done everything possible to protect that data. The proof is important if you need to demonstrate compliance with data security standards in order to win new business and keep your enterprise profitable.
The system monitors events that relate to data stores and reports on suspicious activity live in the console screen. The monitor pulls in live feeds from Imperva Data Risk Analytics to continuously update its remediation of attack vectors.
Imperva Data Activity Monitoring is available as on-premises software or as a cloud-based service. The company does not offer a free trial, but you can get a demo of the system to assess whether or not it meets your company’s data security needs.
Fortinet specializes in network security against incoming Internet-borne threats. The FortiSandbox is available as an appliance, as on-premises software run over a virtual machine, or as a cloud-based subscription service.
Breach detection systems start with the assumption that network access security can be defeated. The FortiSandbox strategy involves isolating new software and monitoring its interaction with the resources and services of the network. This is a quarantine approach that allows the software to function fully but establishes savepoints to enable full system rollback.
FortiSandbox interacts with all levels of your networks, from firewalls and gateways through to endpoints. The package includes mitigation services as well as threat detection. This is the software equivalent of “Trust but verify.” Fortinet offers a free demo of FortiSandbox.
The latest version of Change Tracker is called Gen7 R2. This tool is particularly concerned with exploits that can be slipped into system change processes. The tool is designed to enforce the demands of IT system management standards, especially ITIL.
Improvement projects are always undertaken with a positive attitude. System change is only for the better. However, while the team is working to a bright new future, others might have malicious intent and use the upgrade project as a smokescreen for an intrusion opportunity.
Change Tracker keeps an eye on exploits that might arise during a development project. It keeps control of device configurations while everyone’s attention is directed towards development. The tool watches for configuration changes, generates an alert when an unauthorized one is detected, and automatically rolls the device back to its authorized configuration.
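The approved-baseline idea behind this kind of tool, in which a change is accepted only if it matches a registered change ticket within its window and is otherwise alerted on and rolled back, can be shown in a few lines. This is an added example, not NNT's code; the file path, settings and ticket window are constructed.

```python
import hashlib
from datetime import datetime, timedelta

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

class ConfigTracker:
    """Holds the approved content per path, plus change tickets that authorize specific new content."""

    def __init__(self, baseline):
        self.baseline = dict(baseline)   # path -> approved bytes
        self.tickets = []                # (path, expected digest, window start, window end)

    def approve(self, path, new_content, start, end):
        """Register a change-management ticket: exactly this content may appear within the window."""
        self.tickets.append((path, digest(new_content), start, end))

    def observe(self, path, content, when):
        """Compare an observed file with the baseline and report the action taken."""
        seen = digest(content)
        if seen == digest(self.baseline.get(path, b"")):
            return {"path": path, "action": "unchanged"}
        for t_path, t_digest, start, end in self.tickets:
            if t_path == path and t_digest == seen and start <= when <= end:
                self.baseline[path] = content    # promote to the new approved state
                return {"path": path, "action": "approved"}
        # Not covered by any ticket: alert and hand back the approved content for restoration.
        return {"path": path, "action": "rolled_back", "restore": self.baseline.get(path, b"")}

# Constructed sample; the path and settings are hypothetical.
CONF = "/etc/app/service.conf"
T0 = datetime(2024, 1, 1, 9, 0)

def run_sample():
    tracker = ConfigTracker({CONF: b"listen=127.0.0.1\nworkers=4\n"})
    tracker.approve(CONF, b"listen=127.0.0.1\nworkers=8\n", T0, T0 + timedelta(hours=2))
    return [
        tracker.observe(CONF, b"listen=127.0.0.1\nworkers=4\n", T0),                          # unchanged
        tracker.observe(CONF, b"listen=127.0.0.1\nworkers=8\n", T0 + timedelta(minutes=30)),  # ticketed
        tracker.observe(CONF, b"listen=0.0.0.0\nworkers=8\n", T0 + timedelta(minutes=40)),    # no ticket
    ]

if __name__ == "__main__":
    for result in run_sample():
        print(result["path"], result["action"])
```

The third observation slips an extra edit in during the approved window; because its digest does not match the ticket, it is still flagged and the ticketed content is what gets restored.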
NNT offers a free trial of Change Tracker.
InsiderSecurity is a SaaS breach detection system based in Singapore. The service is a blend of software and human expertise because the company offers real expert analysis of threat event records that are raised on your network.
The platform offers quick breach detection and automated remediation, as well as online human analysts who give security guidance. In addition to the detection of rogue software, this service monitors the activities of authorized users to detect insider attacks. Basically, any execution of software on your system gets examined for intent, and the security system chains back to the originator of any malicious activity.
This online service could save you from prosecution in the event of a system breach. You can get a look at how it works by requesting a demo.
The Activereach breach detection system is called HackWatchman. This is a managed breach detection service, so you don’t have to sit in front of the dashboard all day. The Activereach staff do all of the monitoring work for you and notify you if any breaches occur.
This protection solution is unique. It identifies crucial data storing devices and mimics them. The idea is to attract hackers away from your real data storage locations towards the ghosting version created by HackWatchman.
The HackWatchman system includes physical devices that attach to monitored equipment. These report back to the Activereach servers, where analysts comb through event records as soon as they arrive. It takes skill to root out false positives and detect attack patterns. The Activereach strategy gives the breach-spotting tasks to experienced cyber security specialists.
Although the use of human analysts seems to be a backward step, it gets over the problem of constant “false positive” reporting that can swamp a typical IT department. Activereach offers a free demo of the HackWatchman system.
Lastline uses AI methods in the Defender system. Despite its automated machine learning methods, Defender isn’t an off-the-shelf solution. Installation starts with a consultation. The next step is a proposal that presents a tailored solution.
The company has a large number of existing users across the globe, covering millions of user accounts. Defender buyers are scattered across North America, Europe, Asia, and Australasia.
Defender is available in specialist packages that focus on the network, on email systems, on cloud resources, and on IoT devices. The AI element of the package helps filter out false positives, so your system administration team won’t be overwhelmed by irrelevant or falsely triggered alerts.
Lastline offers a demo of its software on its website.
SpyCloud focuses on the activity of authorized accounts and makes sure that they don’t get hijacked. In these days where phishing scams are prevalent, it is difficult for any monitoring software to block malicious activities. If software gets installed by an authorized user or if a valid user account launches a series of legitimate programs, it is almost impossible for traditional AV systems to protect your system.
SpyCloud gets around the problem of deciding which running processes are valid and which have malicious intent. Rather than monitoring all events on the network, it focuses on user activity and intent. It checks factors such as the login location matched against the known location of the user, and also spots unfeasible simultaneous access by the same account.
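The two account checks named above, a login far from the user's known location and two logins by one account that could not both be genuine, can be implemented with a great-circle distance and a plausible travel speed. This is an added example, not SpyCloud's code; the users, coordinates, times and thresholds are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str

def km_between(a_lat, a_lon, b_lat, b_lon):
    """Great-circle distance in km (haversine formula)."""
    la1, lo1, la2, lo2 = map(radians, (a_lat, a_lon, b_lat, b_lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def check_logins(logins, known_location, max_home_km=500.0, max_speed_kmh=900.0):
    """Flag logins far from the account's known location, and consecutive logins by the
    same account that would need faster-than-airliner travel (or being in two places at once)."""
    alerts = []
    by_user = {}
    for lg in sorted(logins, key=lambda l: l.ts):
        by_user.setdefault(lg.user, []).append(lg)
    for user, evs in by_user.items():
        home_lat, home_lon = known_location[user]
        for lg in evs:
            if km_between(home_lat, home_lon, lg.lat, lg.lon) > max_home_km:
                alerts.append((user, "unusual_location", lg.city))
        for prev, cur in zip(evs, evs[1:]):
            dist = km_between(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # zero elapsed time with non-zero distance is the simultaneous-access case
            if dist > 0 and (hours == 0 or dist / hours > max_speed_kmh):
                alerts.append((user, "impossible_travel", f"{prev.city}->{cur.city}"))
    return alerts

# Constructed sample: users, coordinates and times are hypothetical.
KNOWN = {"alice": (51.51, -0.13), "bob": (40.71, -74.01)}   # London, New York
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_LOGINS = [
    Login("alice", T0, 51.51, -0.13, "London"),
    Login("alice", T0 + timedelta(minutes=30), -33.87, 151.21, "Sydney"),  # ~17,000 km in 30 min
    Login("bob", T0, 40.71, -74.01, "New York"),
    Login("bob", T0 + timedelta(hours=4), 42.36, -71.06, "Boston"),       # ~300 km in 4 h: plausible
]

if __name__ == "__main__":
    for alert in check_logins(SAMPLE_LOGINS, KNOWN):
        print(alert)
```

Alice's Sydney login trips both checks; Bob's New York to Boston trip is within the home radius and a realistic speed, so it is silent.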
Data protection is becoming increasingly difficult every day. You can’t rely solely on a firewall and traditional antivirus to prevent data disclosure or system breaches.
These days, hackers know how to trick employees into giving away their login credentials, so it isn’t enough to just look at outsider access to your system in order to protect your company’s data stores. You need more sophisticated data protection software, such as a breach detection system.