It is difficult to make a cyber-security product stand out. There is no missile, aircraft or radome to photograph or build a model of, the threat it has been designed to mitigate does not exist in the physical world, and successful deployment simply means an enterprise can carry on doing its normal day-to-day business. Often, a series of apocalyptic scenarios is outlined in an attempt to literally “scare up” business. The technique is so common it is disparagingly referred to by the acronym FUD – fear, uncertainty, doubt.

So in the world of cyber product launches, Airbus Defense and Space's Keelback Net, which is making its airshow debut in Paris, is swimming against the tide. It's named after a snake, and the physical device that sits at its heart has been painted a vivid green. Instead of trying to solicit business with doom-laden prophecies of information-technology disasters, the company is patiently outlining how its combination of new technology, managed service and institutional knowledge can help enterprises detect, understand and mitigate so-called advanced persistent threats (APTs).

“At the moment we're not actually selling this sensor – the sensor comes with a managed service solution,” says Matt Bennett, the company's cyber-security incident-response team lead. “Our customers get our innovative technology, combined with our expertise.”

The green box is the Keelback Net sensor, and it is deployed at strategic points on a customer's network. Each box has six ports, meaning it can monitor the network at six locations. Larger enterprises will need more sensors; smaller ones may not need to use all six ports. When the sensor detects activity that appears unusual, an alert is sent to one of Airbus's Cyber Defense Centers for analysis and response. The company currently runs three such facilities: in Newport, UK; Elancourt, France; and Munich, Germany. Incident-response teams analyze threat information on tools such as Airbus's Cymerius hypervisor software.

“Some of our competitors will be selling boxes that do signature-based intrusion detection; others have sensors that detect and analyze malware,” says Bennett. “What we've done is combine them, but also introduce some of our new and innovative technology into that offering. That gives the unique capability that we're able to view incidents on the network through a few different lenses, or from a few different angles. This helps with context, helps with validation, helps with qualification of incidents – which obviously then enables a more effective response to take place once something's been detected.”

Airbus stresses Keelback Net's capability at flagging “weak signals,” which Bennett defines as “an indication of a threat, using data analysis and clustering techniques to identify something which, if looked at in isolation, might not mean anything, but in context could prove valuable in building up a picture of what's going on.” The sensor spends a great deal of its time, like a full-motion video camera on a UAV over a compound in Afghanistan, building up a “pattern of life” for the network, so that algorithms and analysts can learn what is normal and thus more easily spot anomalies.
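To make the "weak signals" idea concrete, here is an added illustration of the pattern-of-life approach the paragraph describes. It is not Keelback Net code and says nothing about how Airbus's own sensor is implemented: it builds a per-host baseline from a constructed week of flow records (peers contacted, ports used, daily outbound volume) and then scores a constructed observation day, reporting each signal that would be unremarkable on its own and flagging a host only when several coincide. The threshold values and the flow-record layout are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 7-day baseline. Each record is (day, src, dst, dport, bytes_out);
# two workstations talk only to a file server, a web proxy and the DNS resolver.
BASELINE = []
for i, host in enumerate(("10.0.1.11", "10.0.1.12")):
    for day in range(1, 8):
        BASELINE += [
            (day, host, "10.0.0.5", 445, 40_000_000 + i * 5_000_000 + day * 1_000_000),  # file server
            (day, host, "10.0.0.8", 3128, 20_000_000 + day * 500_000),                  # web proxy
            (day, host, "10.0.0.2", 53, 300_000),                                        # DNS
        ]

# Constructed observation day. 10.0.1.12 shows three individually weak signals:
# a never-seen external peer reached directly (bypassing the proxy), a new port on a
# known peer, and outbound volume a little above its usual range.
DAY8 = [
    (8, "10.0.1.11", "10.0.0.5", 445, 47_000_000),
    (8, "10.0.1.11", "10.0.0.8", 3128, 23_000_000),
    (8, "10.0.1.11", "10.0.0.2", 53, 300_000),
    (8, "10.0.1.12", "10.0.0.5", 445, 50_000_000),
    (8, "10.0.1.12", "10.0.0.8", 3128, 22_000_000),
    (8, "10.0.1.12", "10.0.0.2", 53, 300_000),
    (8, "10.0.1.12", "10.0.0.5", 3389, 50_000),
    (8, "10.0.1.12", "203.0.113.40", 443, 7_500_000),
]


def build_profile(flows):
    """Per-source pattern of life: peers, (peer, port) pairs and daily outbound totals."""
    profile = defaultdict(lambda: {"peers": set(), "services": set(), "daily": defaultdict(int)})
    for day, src, dst, dport, nbytes in flows:
        p = profile[src]
        p["peers"].add(dst)
        p["services"].add((dst, dport))
        p["daily"][day] += nbytes
    return profile


def weak_signals(profile, flows, z_threshold=2.0):
    """Score one observation period against the baseline; returns {src: [signal, ...]}."""
    observed = build_profile(flows)
    findings = {}
    for src, obs in observed.items():
        base = profile.get(src)
        signals = []
        if base is None:
            signals.append("host has no baseline")
        else:
            for dst in sorted(obs["peers"] - base["peers"]):
                signals.append(f"new peer {dst}")
            for dst, port in sorted(obs["services"] - base["services"]):
                if dst in base["peers"]:  # unseen port, but the peer itself is familiar
                    signals.append(f"new port {port} on known peer {dst}")
            totals = list(base["daily"].values())
            sd = pstdev(totals)
            today = sum(obs["daily"].values())
            z = (today - mean(totals)) / sd if sd else 0.0
            if z > z_threshold:  # assumed threshold: mild, so this alone is not an alert
                signals.append(f"outbound volume z={z:.2f}")
        findings[src] = signals
    return findings


def flagged(findings, min_signals=2):
    """Hosts worth an analyst's attention: several weak signals on the same host."""
    return sorted(src for src, s in findings.items() if len(s) >= min_signals)


if __name__ == "__main__":
    result = weak_signals(build_profile(BASELINE), DAY8)
    for host, signals in result.items():
        print(host, signals)
    print("flagged:", flagged(result))
```

Run stand-alone, the script reports no signals for 10.0.1.11 (its volume is within about 1.3 standard deviations of its baseline) and three for 10.0.1.12, so only the second host is flagged. The point the example makes is the one Bennett makes: none of the three signals would justify an alert by itself, and the combination is only visible against a baseline the sensor has spent time learning.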

Signature-based detection, by contrast, will only spot attacks that have been seen before. So while Keelback Net benefits from constantly updated experience and Airbus's custom rule sets, a large part of the system is geared around detecting intrusions after they have happened, analyzing what took place, and building an understanding of the developing situation.

According to security vendor FireEye, the median length of time an APT lurks on a corporate network before it is detected currently stands at 205 days. Few businesses could afford to store full network traffic for long enough to permit forensic examination today of an intrusion that began seven months ago. Keelback Net gets around this problem with its Metadata Analysis Engine.

“That enables us to store that historic data, but also extract the core components for longer-term retention,” Bennett explains. “It gives us a unique back-tracking capability. We're able to look at all the bits of the puzzle, analyze and interpret, and actually see what happened, without needing to store the actual data.”
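The back-tracking capability Bennett describes rests on a simple observation: the questions an analyst asks months later (who talked to this address, when did it start, how much went out) need flow metadata, not payloads. The following added example, which is not Keelback Net code and makes no claim about how Airbus's Metadata Analysis Engine works, parses constructed IPv4/TCP/UDP packets, keeps only the 5-tuple, timestamps, packet and byte counts per flow, and then answers a back-tracking query for an indicator that only became known after the traffic itself was discarded. The `RECORD_BYTES` figure used for the retention comparison and the packet-building helper are assumptions for the example.

```python
import socket
import struct


def build_ipv4_packet(src, dst, proto, sport, dport, payload):
    """Constructed traffic for the example: minimal IPv4 + TCP (6) or UDP (17) packet."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload


def parse_metadata(pkt):
    """Extract the 5-tuple and length from an IPv4 packet; the payload is never stored."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (src, dst, proto, sport, dport), total_len


def summarise(capture):
    """Fold a (timestamp, packet) stream into per-flow records."""
    flows = {}
    for ts, pkt in capture:
        key, length = parse_metadata(pkt)
        rec = flows.setdefault(key, {"first": ts, "last": ts, "packets": 0, "bytes": 0})
        rec["last"] = max(rec["last"], ts)
        rec["packets"] += 1
        rec["bytes"] += length
    return flows


def backtrack(flows, indicator, since=0):
    """Internal hosts that contacted `indicator` at or after `since`, with first-seen time."""
    hits = {}
    for (src, dst, _proto, _sport, _dport), rec in flows.items():
        if dst == indicator and rec["last"] >= since:
            hits[src] = min(hits.get(src, rec["first"]), rec["first"])
    return hits


RECORD_BYTES = 48  # assumed on-disk size of one flow record


def retention_ratio(capture, flows):
    """How many times smaller the metadata is than the full capture it summarises."""
    return sum(len(p) for _, p in capture) / (len(flows) * RECORD_BYTES)


# Constructed capture: a day of ordinary proxy and DNS traffic from 10.0.1.11, plus a
# low-rate beacon from 10.0.1.12 to 203.0.113.40 that is only recognised as hostile later.
CAPTURE = []
for session in range(20):
    for k in range(10):
        CAPTURE.append((session * 3600 + k,
                        build_ipv4_packet("10.0.1.11", "10.0.0.8", 6, 40000 + session, 3128, b"G" * 1400)))
for n in range(50):
    CAPTURE.append((n * 1200, build_ipv4_packet("10.0.1.11", "10.0.0.2", 17, 50000 + n, 53, b"\x00" * 60)))
for n in range(12):
    CAPTURE.append((3600 + n * 7200,
                    build_ipv4_packet("10.0.1.12", "203.0.113.40", 6, 51000, 443, b"\x17\x03\x03" + b"A" * 500)))

if __name__ == "__main__":
    flows = summarise(CAPTURE)
    print(f"{len(CAPTURE)} packets -> {len(flows)} flow records, "
          f"{retention_ratio(CAPTURE, flows):.0f}x smaller than full capture")
    print("hosts that contacted 203.0.113.40:", backtrack(flows, "203.0.113.40"))
```

The `since` argument is the part that matters operationally: an indicator learned today can be run against months of retained records, and the answer includes the first-seen time, which is exactly the "what happened, and when" question a full-capture store could not answer once its retention window had passed. Note that metadata keeps the analyst's questions answerable at the cost of the payload itself, so anything that would have needed the bytes (the actual exfiltrated file, the malware body) has to come from elsewhere, such as the sandbox described further down.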

The company also folds its custom sandboxing technology into the overall Keelback Net offering.

“These days, attackers often build malware that can determine whether they're in a sandbox or not,” Bennett says. “If you use very common technologies, once the malware is sandboxed it will stop its functionality. Our own sandboxing technology is closed-source, so that gives us multiple opportunities to execute the malware and extract what we need from it.”