For armored car service Dunbar, protecting its clients’ money is more than just building secure physical structures and deploying armored trucks with armed guards. It’s also about protecting the digital infrastructure and cyber assets that support those operations.

Those of you who live in and around certain cities may have seen the Dunbar name, emblazoned on the side of bright red armored trucks. The Dunbar security company, which created the Cyphon program, got its start in physical security, transporting money from local businesses and banks to secure holding facilities, and sometimes into the federal banking system. The company is very good at its job in the physical security world, and the idea for Cyphon was to extend Dunbar’s protection-as-a-service model into cyber security.

Protecting money for clients is more than just building secure physical structures and deploying armored trucks with armed guards. It’s also about protecting the digital infrastructure and cyber assets that support those operations. And, as Dunbar officials explained, a lot of that collected money eventually becomes digital, part of the federal banking system. Because not every bank robber wields a shotgun and a mask, and, in fact, some of the most successful bank robbers, especially recently, have been completely cyber-focused, the company needed a powerful tool to help address, investigate and respond to cyber threats made against it. That is why Cyphon was first created, to be used internally by the company to protect its assets. After that, rolling it out as service to clients easily fit into their protection-as-a-service model.

At its core, Cyphon is an advanced SIEM, able to collect events from its own assets as well as from other programs. It does this from a cloud interface, which means that customers using the Cyphon service don’t need to provide and maintain a dedicated connection into their networks, or allow Dunbar free access to roam their networks. Instead, events are either collected inside a client’s cloud, or on-premises by client machines, and then sent into the Cyphon cloud for examination and remediation.

Customers do need to allow the cyber security analysts working with Cyphon to access their network to remediate problems, but that only happens when a problem needs to be fixed, machines need to be quarantined, or things like firewall settings need to be changed. Everything that the Cyphon teams do on a client network is transparent and fully auditable. Customers get to see the same, full interface that the teams at Dunbar are working with inside the Security Operations Center, just without the ability to perform tasks like assigning specific analysts to different problems. So, it’s basically like administrator, but read-only, access.

Pricing for Cyphon is based on the number of monitored endpoints and hosts, or the number of gigabytes per day that are processed if logfile review is made a part of the managed service. There is no additional charge for interactions with the client, such as when internal teams need to have a phone conversation with the experts working on Cyphon.

Since it got its start in the world of physical protection, the Cyphon program is unique in that it can collect events from some assets that are not normally part of a managed service, or even most cybersecurity programs. For example, it can fully implement the use of cameras as an additional threat feed. At its most basic level, this can be something like a camera sensing movement late at night when nobody is supposed to be in the building. But advanced controls allow for logging other events too, like a user who is supposed to be on vacation suddenly logging into a local terminal. The camera system can find and record that interaction, alerting the customer that someone might be stealing an employee’s identity or credentials while they are away, and showing who is doing it on video.

Cyphon also, uniquely, has a social media monitoring component, which, like the camera interface, can be tightly configured. This can scan for any threats made or information dispersed involving the protected company. Users can even geofence certain areas and trigger alerts in the Cyphon system if, for example, a tweet is made from within that area.

Beyond those two unique areas, Cyphon can pull data in from all the usual sources, including alerts from other SIEM programs, network IDS alerts, endpoint agents, packet capture, firewall activity, vulnerability scanners, internet of things (IoT) events, threat feeds, DLP platforms and anything else already running within the customer environment. Cyphon can set up its own monitoring agents if a customer is starting from zero, or work with almost any other security program that has already been installed.

The main Cyphon interface is extremely clean and helpfully throttles and compiles events for users. During the testing, a single attack triggered multiple indicators from several different programs and sources, but Cyphon easily consolidated them all back down into a single incident. If a user is running Cyphon as a service, then they may not see too much of the interface, since the teams at Dunbar would be working cybersecurity on their behalf, but they still have complete access to the main dashboard in terms of visibility.

Cyphon Main Interface

When running as a service, the main Cyphon interface provides complete transparency into operations, proving that remote teams are doing their jobs, and helping less experienced internal analysts learn how to mitigate advanced threats.

Cyphon first generates a trouble ticket from any incident, letting clients know that the program has detected something. Ticket notifications can be sent by a variety of means, but most of the time use e-mail. At that point, customers can head over to the Dunbar portal to get more information, or to initiate a call between their internal security teams and contracted ones at Dunbar. Or they can just sit back and let the contracted teams work on the problem. Dunbar encourages interaction, however, so clients can be as involved or as hands-off as they wish.

Cyphon HelpDesk Portal

John Breeden/IDG Unlike many managed services, the one offered through Cyphon puts a lot of emphasis on client interactions. Every event is ticketed. If the client wants, they can use that number to begin an online or phone-based dialog between their internal security teams and those working remotely through Cyphon.

As with any other SOC, there are a lot of tools available to analysts to fix problems, including quarantining infected systems, changing firewall and security rules and even wiping and disinfecting compromised assets. Everything that contracted teams do is visible to clients, recorded and updated through the trouble ticket system and is fully auditable in reports after the fact. The level of interactivity and transparency offered by Cyphon could be a real asset to a company that, for example, has a lot of junior cyber analysts, but a dearth of top-level experts. Being able to follow along and see what was done, as well as asking about why actions were taken, would be a great way to improve the skills of internal teams.

Cyphon work or check jobs

John Breeden/IDG Within the past few months, Cyphon has started to be offered as an internal security tool as well as a service. The main interface works the same in either case, just in observer mode when running as a service, or with full access to the tool if being used internally.

Deploying cyber security as a service makes sense for a lot of organizations, which is likely why Gartner named it as a rising category in security. Most companies don’t focus on cybersecurity. Their core mission is to sell bicycles or bananas or whatever. But running a business without good cybersecurity is a recipe for disaster. So why not contract that function out to the experts, who can handle that function with both speed and accuracy?