Veramine, Inc. is structured around development of endpoint threat detection software to automate collection of all security-relevant events, detection of commodity and advanced attackers, flexible search of collected data, and rapid response to detected attacks. Involving several ex-Microsoft personnel, the Veramine platform provides advanced capabilities to network defenders to detect and respond to malicious activities on the network. This involves use of three software components:

(1) Sensor - A set of intelligent kernel and user-mode services that instrument the operating system to collect security-relevant events.
(2) Pipeline - Data from the sensors are collected, aggregated, contextualized, and analyzed in a pipeline. The analysis engine uses a combination of heuristics and machine learning algorithms to automatically detect malicious activities.
(3) Portal - Users control and manage the sensors and search over all collected data.

The platform's capabilities fall into four categories:

* Collection - sensors collect and contextualize data from all hosts on the network. Data includes processes, files, network, user logon/off, disk encryption state, and more.
* Detection - data from the sensors are continuously analyzed in the background using a variety of heuristics and machine learning algorithms to identify anomalous behavior. Analysts can supplement the system with their own detection algorithms.
* Response - depending on the analyst's needs, the platform can terminate processes or collect more specific data from systems on the network in response to certain behaviors.
* Discovery - analysts can search over all collected data for reactive, retrospective, or proactive purposes. When combined with the contextualized data, analysts can rapidly perform hypothesis testing to detect unknown attacks.

A key factor in system design is that all data are contextualized: all collected events have granular information associated with them. For example, given a network connection, the system can pinpoint the machine, user, and process that initiated it. This context information is valuable because it increases the fidelity of machine learning algorithms.

In addition to detecting malicious activities, the platform also helps businesses with compliance and energy usage. BitLocker usage is automatically detected along with sleep modes, screensaver and screen lock activities, antivirus installations and other standard compliance requirements.