contact us

Wir sind für Sie da!

Kontaktieren Sie uns.

Wir werden uns so schnell wie möglich bei Ihnen melden.

Exeon Analytics AG

Grubenstrasse 12
CH-8045 Zürich

Telefon: +41 44 500 77 21

It’s a jungle out there!

Imagine that in the jungle of cyber security, your company's data is the El Dorado for your foes. How would you protect your city of gold?

By David Gugelmann, November 2019

Today I will take you on a brief expedition through the cyber security jungle.

As security analytics experts, our daily job is to improve our clients’ cyber security by detecting cyber risks and data breaches. When talking to potential customers, I often get confronted with three questions:

  1. Why are firewalls and anti-virus software not enough to protect my data?

  2. I already use a SIEM (e.g. Splunk), why should I need additional security analytics?

  3. I just did a penetration test (pentest), what do you do differently?

All very relevant questions, which I typically address with a wealth of technical explanations, but today, let me tell the story of El Dorado instead. Imagine your corporate network is the El Dorado  - the mystical city of gold somewhere hidden in the jungle. Naturally, foes are trying to get into the golden city, in the hope of never-ending wealth and glory.

Why are firewalls and anti-virus software not enough to protect my data? 

Your first line of defense are dense jungle trees surrounding the city (firewalls). The trees hide the city to people from the outside and make sure that it can only be reached via a few paths. Guards (anti-virus software and security gateways) placed along these paths check everybody trying to enter or leave the city. The guards are equipped with wanted posters of every known gold hunter. Using these posters (anti-virus and IDS signatures), they successfully keep all known gold hunters and random trespassers out.

However, there are the more sophisticated thieves. Knowing that the guards will not let known gold hunters enter, they have two options:

  1. They send a gold hunter that is not yet on the wanted listed (i.e. a new malware). The guards will let this gold hunter pass. Only once she has been identified as intruder, her face will appear on the guards wanted poster and she will be prevented from entering.

  2. Alternatively, the thieves can search the jungle for a path that was forgotten and is not properly guarded (i.e. scan the network for weaknesses). Such a path allows a thieve to enter without passing the detailed checking of a guard. In the IT world, such holes in the perimeter happen quite often, typically due to misconfigured firewalls or exposed applications with weaknesses. For example, the popular content management system, wordpress, has over 3700 identified vulnerabilities

We can conclude that sophisticated thieves will still manage to enter the city eventually. Once they are inside and there is no further protection, they can collect as much gold as they want.


I already use a SIEM (e.g. Splunk), why should I need additional security analytics?

However, there’s still hope. The gold is only lost the moment the thieves leave the city with it. To find people collecting gold and smuggling it to the outside, the king can instruct the guards to protocol everybody who enters or leaves and accesses important places. In the IT world, the system collecting such information is called SIEM system and most larger companies have such a system in place. But how to identify the thieves among all the collected information? The kings’ people could manually search and combine the events provided by the guards (security analytics) and assemble rules in a labor-intensive manner. However, if those rules are not precise, the guards will be swamped by wrong alerts, causing them the be completely overloaded. If the rules are too narrow, many of the gold hunters will not fall within them. The alternative to manual security analytics is to rely on expert detectives who observe the activities within El Dorado, adapt to the environment, learn what’s normal and then independently single out abnormal patterns among reported activities. Our machine-learning based security analytics software, ExeonTrace, is such a detective. ExeonTrace uses machine learning and big data algorithms to detect hidden cyber threats among billions of data points. Exactly as in above’s story, these data points are typically reported by existing security devices and collected by our customers' SIEM solutions.

I just did a penetration test (pentest), what do you do differently?

Let's extend the story to answer this question too: El Dorado’s king heard all the scary stories about gold hunters breaking into other cities. Wondering how secure El Dorado really is, the king hires the best warriors from a befriended tribe to storm El Dorado. They try it with force, and they try by fooling (social engineering) the people of El Dorado. Eventually they succeed. The king now knows his currently weakest link and can reinforce the city’s weakest guards. But what about the gold hunters that already managed to enter the city? While the king reinforces the protection measures against attackers entering the city, they will merrily steal the gold right under the king’s nose. If he hires the detectives for a week-long security audit (ExeonThreatReport), they would approach the problem differently. They would not analyze how to enter El Dorado from the outside, but look inside of El Dorado for adversaries and weaknesses, providing a comprehensive picture on the whole city. Thus, the ExeonThreatReport is the perfect counterpart to a traditional pentest.

We can only speculate about the king’s decisions. What one can say for sure is that he was effective. El Dorado has been shed from any major leak and remains a mystery.



Find additional articles on the topic here: 

72 billion malware attacks in 2019 so far

“Historically, the goal for most malware authors was quantity of infections and now we’re seeing attackers focus on fewer higher-value targets where they can spread laterally.” The attackers are becoming more well equipped to cut through the trees, making it paramount for companies to not only rely on their anti-virus system. Read full article 

How to camouflage an attack

Attackers can easily take on a new appearance and fool guards. This article shows you how. Read full article 

It's a jungle out there! 

Have the right soundtrack while reading: 

Schwarzweiss Aufnahme von unserem CEO Dr. David Gugelmann