When football fans checked their email and uploaded photos from Super Bowl 50 this year, the Denver-based security software startup ProtectWise was monitoring traffic from Levi’s Stadium in Santa Clara, California, for potential threats.
“We were invited by Norwich University’s computer security program to participate with the Santa Clara Police Department as part of their security architecture for the Super Bowl,” says ProtectWise cofounder and CEO Scott Chasin.
Unlike other security companies, ProtectWise generally doesn’t provide hardware devices to attach to a network, or cumbersome software that can slow down individual computers by scanning files and network traffic. Instead, it provides lightweight software “sensors” that simply upload compressed network traffic from customer machines to its private cloud for analysis and monitoring.
“We have a very lightweight software sensor that acts like a virtual camera,” Chasin says. “Essentially, we take that recording, compress it, optimize it, and replay it in real time or near real time for our platform in the cloud.”
That approach let ProtectWise get up and running “in minutes” at the Super Bowl, where the company’s software monitored about nine terabytes of data transfer to about 17 million different websites, Chasin says. He can’t reveal too much about what the software discovered at the Super Bowl, other than that it found about 19 potential threats amid all that network data.
But in other cases, ProtectWise’s software has been able to spot malware infections and hacking attempts—and use archived traffic history data to trace them back to their origins and determine which machines were compromised when. If a machine is spotted communicating with a malware command-and-control server, for instance, ProtectWise can replay prior data to determine how and when the machine was first infected.
“Today’s attacks are extremely complex, and they happen over a really long period of time,” says Chasin.
A February report from security firm Mandiant found that in one set of security breaches, it took companies a median time of 146 days to realize they’ve been compromised. ProtectWise can store data for weeks, months, or longer, in order to replay for further analysis in the event of a security issue. Customers pay varying fees depending on how much data they wish to store and for how long, with ProtectWise’s cloud-based approach meaning they don’t need to allocate their own servers to store the data or worry about keeping it safe.
And as the company learns of new kinds of attacks from published reports or its own research, it can automatically scan for them in its customers’ recorded internet traffic, notifying them if, for instance, it’s discovered their employees have been sending data to a known phishing site.
“We have many examples of retrospection,” Chasin says. “They run the gamut from what you would think would be more traditional malware whose existence wasn’t known previously to zero-day vulnerabilities, where we only learned about them recently, but in fact they’re used in breaches historically, to ransomware phishing attacks that weren’t discovered until a retrospective scan had taken place.”
And network data is generally enough to catch most attacks, even if they come in through other channels like compromised USB keys, since they’ll ultimately involve someone trying to remotely control machines, extract data, or something else relying on the internet, he says.
“We like to say the network doesn’t lie,” he says. “It’s our true north.”