CyberWolf- Machine Learning Cybersecurity
In the summer of 2001, two cybersecurity experts toiled through the night to disassemble and analyze the inner workings of a new, fast-spreading computer worm. Once infected with the worm, a computer would generate a random list of Internet Protocol (IP) addresses — a unique identifier for every machine on a network — and probe each one to keep spreading to as many computers as possible.
The malicious program was dubbed Code Red after the highly caffeinated type of Mountain Dew the two researchers guzzled to keep themselves awake. In less than 14 hours, more than 359,000 computers were infected.
Code Red had even hit computers at the Department of Homeland Security's Federal Emergency Management Agency (FEMA) — but they had a secret weapon against such attacks. The agency had installed intelligent, automated security management software called CyberWolf that was able to detect traces of the worm in advance.
The software, created by Falls Church, VA-based Mountain Wave Inc., would sift through and prioritize the millions of network events reported on a daily basis in order to identify potential threats.
In the case of Code Red, CyberWolf was monitoring FEMA's firewall logs when it alerted to something strange. A firewall is a commonly used network security system that acts as a barrier between a trusted, secure internal network and the Wild West of the internet.
“We saw signatures of Code Red way ahead of time because we thought it was a very odd piece of data in the firewall,” said Juanita Koilpillai, Mountain Wave co-founder and former Chief Executive Officer. “We put in rules to block these signatures and notified [our collaborator, the Air Force Research Lab] about what we saw.”
Such early detection can help prevent further damage and spread of viruses like Code Red, which cost an estimated $2.75 billion in clean-up costs and lost productivity. The worm ended up creating a virtual traffic jam, even turning its attention specifically to one of the White House's web servers in an attempt to overload and crash it.
As long as hackers come up with new viruses to wreak havoc on the web, companies like Mountain Wave will be around to help organizations beef up their virtual defenses. Its three biggest clients were all large government organizations in need of top-notch protection: the Army Computer Emergency Response Team, FEMA, and the Navy Marine Corps.
In 2002, internet security giant Symantec Corp. acquired the company for $20 million, plundering the best parts out of CyberWolf and integrating them into its own security information management product.
Originally hailing from India, Koilpillai applied her extensive background in computer science and mathematics to develop software for a handful of Virginia-based companies after coming to the U.S. In the mid-1990s, she started brainstorming ideas for her own cybersecurity product when a friend suggested she apply for small business grants from the Department of Defense.
“I was a software engineer for several companies before I started my own,” she recalls. “I was a rebel within a larger organization, so that's when my friend said, 'Juanita, you should start your own business.'”
And just like that, her venture Mountain Wave — started out of her and her husband's basement — was born. In 1997, she won her first small business grant through the Defense Advanced Research Projects Agency (DARPA) and quit her job. More funding followed, including an Air Force Small Business Innovative Research (SBIR) award in 2000.
“Without the Air Force SBIR, there's no way I as a woman and a person of color would have been taken seriously, and had a chance to develop what I wanted to develop,” said Koilpillai. In total, Mountain Wave raised about $3.9 million in funding through small business grants.
For a large network, CyberWolf provided a way to pare down the firehose of information coming in from firewall logs, antivirus software, and other security applications. The automated, attack-sensing software gave organizations a way to respond to attacks as they are happening.
“These protections that you put in place — they're all trying to tell you something, but having staff watch the logs all day is a very daunting task,” said former Mountain Wave lead engineer Paul Swinton. “So it's great to have a tool like CyberWolf, since in that big stack of hay, there's some very valuable needles.”
A job that would normally require dozens of security analysts could be replaced by CyberWolf technology, plus a handful of people to respond to alerts. Also, instead of being one-size-fits-all software, it could be tuned and tweaked to each organization's needs.
For instance, let's say a security application alerts an analyst that there were three failed login attempts in a row. The scenario could be as harmless as a user forgetting a password, but if the firewall log also showed that a computer from outside the network was trying to access the machine, it might mean something more dangerous.
“One isolated incident is enough to be worried about, but if you can discover the attack pattern, then that gives you more information,” explains Swinton, who now works for Symantec.
CyberWolf had the ability to process all these disparate events and pass them through a set of rules — which could be rewritten by experts at the organization — to determine whether they were threats. Say the combination of three failed login attempts plus an erratic firewall log meant the IT person would be notified, all while the attack was still happening.
“There's other products that didn't do it in real-time,” he said. “Other versions continuously scanned over the events in a database, whereas our technology did it on the fly.”
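The correlation rule Swinton describes, as an added example that is not from the article or from CyberWolf itself: a small streaming engine in Python that updates per-host state on each event as it arrives and raises an alert only when a run of failed logins coincides with an allowed inbound connection from outside the network. The event field names, thresholds, internal address range, and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed rule set; in the article these are the thresholds an
# organization's own experts would rewrite to fit their network.
RULES = {"failed_login_threshold": 3, "window_seconds": 300,
         "internal_nets": [ip_network("10.0.0.0/8")]}

def is_external(ip, rules=RULES):
    return not any(ip_address(ip) in net for net in rules["internal_nets"])

class Correlator:
    # Streaming engine: state is updated per event and the alert fires as the
    # event arrives, rather than by re-scanning a database of stored events.
    def __init__(self, rules=RULES):
        self.rules = rules
        self.failures = defaultdict(int)    # host -> consecutive failed logins
        self.inbound = defaultdict(deque)   # host -> (ts, external src) in window

    def process(self, ev):
        host, now = ev["host"], ev["ts"]
        if ev["source"] == "firewall":
            if ev["action"] == "allow" and is_external(ev["src"], self.rules):
                self.inbound[host].append((now, ev["src"]))
        elif ev["source"] == "auth":   # a successful login breaks the run
            self.failures[host] = self.failures[host] + 1 if ev["result"] == "fail" else 0
        q = self.inbound[host]
        while q and now - q[0][0] > self.rules["window_seconds"]:
            q.popleft()                 # forget external connections that aged out
        if self.failures[host] >= self.rules["failed_login_threshold"] and q:
            self.failures[host] = 0     # one burst of failures yields one alert
            return {"ts": now, "host": host,
                    "external_sources": sorted({src for _, src in q})}
        return None                     # either condition alone is not an alert

def run(events, rules=RULES):
    c = Correlator(rules)
    return [a for a in map(c.process, events) if a]

# Constructed sample stream (not real logs): srv1 sees three failures with no
# outside connection; srv2 sees the same failures after an external connect.
SAMPLE = [
    {"ts": 100, "host": "srv1", "source": "auth", "result": "fail"},
    {"ts": 101, "host": "srv1", "source": "auth", "result": "fail"},
    {"ts": 102, "host": "srv1", "source": "auth", "result": "fail"},
    {"ts": 200, "host": "srv2", "source": "firewall", "src": "203.0.113.9", "action": "allow"},
    {"ts": 201, "host": "srv2", "source": "auth", "result": "fail"},
    {"ts": 202, "host": "srv2", "source": "auth", "result": "fail"},
    {"ts": 203, "host": "srv2", "source": "auth", "result": "fail"},
]
```

Running `run(SAMPLE)` yields a single alert for srv2 at the third failure; srv1's failures alone, the "forgotten password" case, produce nothing.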
After selling the company, Koilpillai didn't lose the entrepreneurship bug. While working as a Senior Program Director for Symantec, she found herself missing the pioneering spirit of a start-up company. So only two years later, she left to found her current venture, Waverley Labs. The Waterford, VA-based cyber risk management company recently won a project with the Department of Homeland Security to secure applications in the cloud.
Koilpillai even rounded up her former Mountain Wave colleagues to work on projects for Waverley Labs.
“We're back together again, and want to build something new,” said Koilpillai. “I'm a creative person who is always doing things out of the box, and life is too short.”