There is an increasing trend today toward focusing on such next-generation functionality as machine learning, Big Data analytics and behavioral analysis. This month's First Look does all of that very effectively. Of course the quality of such a system is in the algorithms and Seceon has done that part very well at a reasonable price.
The product consists of three parts: the Control and Collection Engine (CCE), the Analytics and Policy Engine (APE), and the GUI. The CCE can take data in a lot of formats or none at all. The data is consumed by the CCE, which figures out what it is looking at. It then handles the data appropriately, recognizing, for example, the difference between flow data and unstructured data. Each instance of the CCE is embodied in a virtual machine that watches its network segment, collects data, parses it and sends it on to the APE for analysis against policies. The product is context dependent. In other words, it looks specifically for events that do not make sense in the context of what it has learned about a particular device that it is watching.
Product: Open Threat Management Platform
Price: Monthly subscription: $6 per protected endpoint, $40 per server.
What it does: Threat detection and management.
What we liked: Proactive – predictive – approach to threat management.
The bottom line: This is one smart cookie. It uses a behavioral model and machine learning to deliver closed-loop analytics, allowing predictive analytics.
While it is extracting data from various devices, it also is extracting data from intelligence feeds and other enrichment data. This not only assists the machine-learning process, it also ensures that what it is seeing is taken in the context of what it has learned about particular devices and the various threat feeds that it is seeing. The CCE can collect flow data, data from VMs, applications, virtual firewalls and so on. The APE is in the cloud. We should emphasize that Seceon has no cloud, so the “cloud” in this case either is a public cloud, such as AWS, or a private cloud. The CCE forwards what it has to the APE where the analysis takes place. All processing is done in environments controlled by the user, so no data leaves the user's environment.
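The review describes the pipeline only at a conceptual level: a collector that classifies raw input (flow records versus unstructured log lines), an analytics stage that holds a learned per-device baseline, and enrichment from threat feeds. The following is an added illustration of that architecture in miniature, written for this page; it is not Seceon's code and makes no claim about how the CCE or APE actually work. The threat-feed address, the device names and the flow volumes are all constructed sample values.

```python
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed enrichment data: a one-entry "threat feed" (documentation-range IP, not a real indicator).
THREAT_FEED = {"203.0.113.7"}

FLOW_KEYS = {"src", "dst", "dport", "bytes"}
# Minimal syslog-style line: "<PRI>host process: message" (constructed format for the example).
SYSLOG_RE = re.compile(r"^<\d+>(?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$")


def normalize(record):
    """Collector stage: classify a raw record as flow or log and return a uniform event.

    Returns None for input it cannot recognise, so the caller can decide how to treat it.
    """
    if isinstance(record, dict) and FLOW_KEYS <= set(record):
        return {"kind": "flow", "device": record["src"], "dst": record["dst"],
                "dport": int(record["dport"]), "bytes": int(record["bytes"])}
    if isinstance(record, str):
        m = SYSLOG_RE.match(record)
        if m:
            return {"kind": "log", "device": m["host"], "msg": m["msg"]}
    return None


@dataclass
class DeviceBaseline:
    """What has been learned about one device: ports it talks to and its typical byte volume."""
    ports: set = field(default_factory=set)
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # running sum of squared deviations (Welford's method)

    def learn(self, ev):
        self.ports.add(ev["dport"])
        self.n += 1
        delta = ev["bytes"] - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (ev["bytes"] - self.mean)

    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class AnalyticsEngine:
    """Analytics stage: judge each event against the baseline of the device that produced it."""

    def __init__(self, z_threshold=3.0):
        self.baselines = defaultdict(DeviceBaseline)
        self.z = z_threshold

    def train(self, records):
        for ev in filter(None, map(normalize, records)):
            if ev["kind"] == "flow":
                self.baselines[ev["device"]].learn(ev)

    def score(self, record):
        """Return the list of reasons an event is out of context; an empty list means it fits."""
        ev = normalize(record)
        if ev is None:
            return ["unparsed"]
        reasons = []
        if ev["kind"] == "flow":
            if ev["dst"] in THREAT_FEED:          # enrichment: destination is on a feed
                reasons.append("dst_on_threat_feed")
            base = self.baselines.get(ev["device"])
            if base is None:                      # never seen this device during learning
                reasons.append("unknown_device")
            else:
                if ev["dport"] not in base.ports:  # port this device has never used
                    reasons.append("new_dport")
                sd = base.std()
                if sd > 0 and (ev["bytes"] - base.mean) / sd > self.z:
                    reasons.append("volume_spike")  # far above the device's usual volume
        return reasons


if __name__ == "__main__":
    engine = AnalyticsEngine()
    # Constructed learning window: one workstation talking HTTPS to one server at ~1 KB per flow.
    engine.train([{"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 443, "bytes": b}
                  for b in (1000, 1100, 900, 1050, 950)])
    for rec in ({"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 443, "bytes": 1020},
                {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 4444, "bytes": 1000},
                {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443, "bytes": 9000},
                "<34>host1 sshd: Failed password for root"):
        print(rec, "->", engine.score(rec))
```

The point of the split is the one the review makes: the collector only has to decide what kind of data it is holding, while the judgement of whether an event "makes sense" lives entirely in the per-device state the analytics stage has built up. A real platform would learn many more dimensions than destination port and byte volume, but the shape of the decision is the same.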
The GUI is very straightforward. Anyone who ever has administered a security management console will be very comfortable. When we first connected, we were taken to the Executive dashboard page. Drill down from here is what you'd expect from a first class product of this type.
We then examined the policy engine. Again, it was easy to add and edit policies. In fact, the entire deployment process can take as little as 15 minutes. One of the things that simplifies – and speeds up – deployment is the asset addition process. First, the tool performs an initial discovery across the enterprise. Next, you can edit and add as you see fit. But, the fact is, the system is watching the enterprise while you do that.
The Threat Management Platform monitors communications and there is a page that admins can go to as a sanity check, looking for communications that don't make sense. Of course you can import black/block lists as well as create your own.
One of the strengths of this system is visualization. You have heard us talk about the importance of visualization in the past. The Seceon tool starts with a chord diagram – a circular graph that traces sources and destinations. You can see assets and connections. From either of these diagrams you can drill down.
The drill-down gives a lot of detailed information. For example, when a device is involved in an event that is described by a threat indicator, it is reported with sufficient log detail to trace the event. Top alerts show details, including severity, a description of the alert, source and target devices, and, if available, user names. Not only can events be reported and logged, the involved devices can be shut down.
There are some other niceties. For example, the system runs in near real time since it is a streaming platform that can handle 150 million events per second. This lets you respond rapidly since alerts are not hours after the event. It also lets you create reports on the fly. So, when the CEO is on his or her way to a board meeting where it is likely that the board will want to know about the current state of security, you can spin up a report quickly.
The website largely is a marketing site, but there is a customer portal. Support requirements are minimal. However, Seceon can provide integration services if necessary. Pricing is attractive, especially given what the system can do.