This is a tough category because today just about every product that we consider next generation claims to perform threat analysis and intelligence gathering or, at least, ingestion. We like those products because they say something very important about the evolution of the marketspace. However, for our purposes here we considered only those products whose primary function was threat analysis and/or Intelligence gathering and dissemination.

On the other hand, from our perspective, it is one of the most fascinating group in the bunch. It certainly has evolved faster than any other. What also is interesting is the variety of approaches these innovators take. This year we have four incumbents. Each one covers a different part of the threat intelligence gathering landscape and, in fact, a different part of the threatscape itself. One – one of our favorites – is a woman-owned and operated outfit that really puts the lie to the old saw about women cannot make it in tech. Their approach is different from any we’ve seen.

Threat intelligence can be carved into several pieces. First, there is closed source intelligence. This focuses on access to people. Second, we have open source intelligence which usually focuses on access to information. Another approach is digital intelligence. This comes largely from threat streams generated by tools that are sensing some element of the threatscape such as malware, phishing, or some such. For closed source we need boots in the street – both physical and virtual boots. That is how we get access to people. The intelligence analysts in this field have extensive penetration into the forums where the bad guys operate. They also have access to many of the actors themselves.

Open source largely is screen craping and meticulous collection, curation, cataloging and cross-correlating data. Finally, digital intelligence takes a huge number of globally-positioned sensors that constantly are gathering data and shipping it to a central source for curation and analysis. We have a good cross-section of players this year and two of them have been with us for some time. One is in its second year and one is new and certainly bears watching. In any event, this is a hotly growing category and it will be interesting to see how it evolves. There is a good possibility with this one that over the next three years or so it will be subsumed by another (or several other) category. 

Intel 471

Company Name

Intel 471 Inc.

Flagship Product in this Category:

Platinum – Cybercriminal Intelligence Collection

Flagship Product cost

$165,000      

Web

http://www.intel471.com

Innovation

Actor-centric cyber threat intelligence

Greatest Strength

Strong use of human intelligence (HumInt) rather than depending upon screen scraping alone to gather information. Strong presence in cybercrime hot spots around the world. Excellent, well-trained team of cyber intelligence analysts.

We have followed Intel 471 for several years and it has been an SC Lab Approved product for about three years. During that time, it has become our go-to tool for closed-source intelligence in the computer underground. Intel 471 is designed around actor-centric intelligence and the analysts take a decidedly intelligence-focused view of the threatscape rather than a technology-centric view. The innovator’s intelligence analysts mostly come from an intelligence background and the company has boots on the street in the major centers of cybercrime around the world. They also are omni-present in underground forums and marketplaces, mining first-hand information and developing relationships.

We us a combination of open source, closed source and our own first-hand research. Using Intel 471 along with our own sources provides seeds that let us develop bread crumbs of info that can lead us to bigger things. In that regard we have seen no better tool for mining the underground.

Over the past year, while deepening their cataloging of the underground, the company has begun the task of mapping by specialty (payment card dump shops, ransomware developers, etc.) and collecting their mappings in to watcher groups shared by the company with its customers. Currently there are over 1,400 such groups. We follow several that apply specifically to our research in the Labs. These watcher groups intend to answer questions such as, “What are the 150 actors about whom I should worry in my environment?”

Additionally, we have seen several special reports on particular actors that are of real concern (no script kiddies need apply). These are 1-2 pagers that go into a fair bit of depth and reference the rest of the information in this innovator’s database that can add depth and context.

Finally, recognizing that most of their customers are English-speakers, they have developed a translation team that does routine translation as well as custom translation on demand. As one would expect of our innovators, Intel 471 is growing and we expect to continue to see big things from them in the future. 

Silobreaker

Company Name

Silobreaker Ltd

Flagship Product in this Category:

Silobreaker

Flagship Product cost

Get the details from Silobreaker.      

Web

http:// www.silobreaker.com

Innovation

A deep and comprehensive approach to open source intelligence gathering along with one of the best UIs we’ve seen.

Greatest Strength

Cross-correlation of OSINT data and multiple ways to analyze.

 

If Intel 471 is our go-to tool for closed source intelligence, Silobreaker has been our favorite in the Labs for open source intelligence (OSINT). In closed source we are concerned with depth of penetration into the computer underworld. With OSINT, we are concerned with breadth of coverage over the entire Internet and that, increasingly, includes the underground. Silobreaker does an excellent job of achieving that breadth by tracking in the millions of web pages and the tens of thousands of actors and hacker groups. Over the past couple of years this innovator has broadened its reach to allow lookups on such technical parameters as IP address, domain, hash, and so on.

Silobreaker has a huge database, it’s true, but how it uses those data probably is the real innovation. Of course, the data sets are extensively indexed. However, the numerous ways that you can extract the data, merge/compare/analyze it and the several user interface options give you real access to the data and its real underlying meaning in the context what you are searching for. In addition to the traditional column format where stories simply are played out one at a time, there also is a networks UI that shows your search terms relationships to other important information. There are hot spots that focus attention and there are several different ways of searching.

Silobreaker works closely with third party providers and has an API that works for such other tools as Maltego. We use Maltego extensively in the Labs and the ability to connect to it through an API is priceless when we are dealing with a lot of data for which we need to see external relationships. One area that is bearing fruit is gathering data from the computer underground through the cooperation of third party partners. This lets Silobreaker work with these providers to add their analytics and investigative bridges to cover both OSINT and closed source. Another export is from Silobreaker to Splunk and the innovator expects more such alliances over time. The tool now can ingest email and there is expanded PasteBin import and data may be imported from a csv file. Finally, this year has brought the ability to use two-factor authentication. 

Uplevel Security, System of intelligence for security operations

 

Company Name

Uplevel Security

Flagship Product in this Category:

System of intelligence for security operations

Flagship Product cost

Starting at $150,000         

Web

http:// www.uplevelsecurity.com

Innovation

Application of graph theory to incident response

Greatest Strength

Managing a complex tool for the user by ensuring that the algorithms are as transparent as possible and the UI gives the user a straightforward way to use the product without it feeling complicated but still giving excellent results.

 Uplevel Security’s System of intelligence for security operations is an adaptive system that uses graph theory and machine learning. The tool ingests and contextualizes security data, retaining historical security data to discover hidden threats and track patterns that can predict how attacks may happen in the future. It can ingest data from any SIEM or security device. They were the first such product that we found last year to use graph theory. Last year we reported that this innovator began by focusing on case management for incident responders, building the analytics on top of that.

The product has done well. But these innovators recognize that in a fast-moving market where AI is becoming watchword, they need to do things that give them a marketing edge to go along with their technical edge. So, over the past year they have worked on exposing and providing visibility into the graph analysis to help users understand what the underlying algorithms mean. This allows the user to augment the underlying algorithms with their own information that reflects the organization’s actual environment. Along with that comes fine tuning of the visualization so that the tool actually becomes a search engine for the analyst. They are focused on addressing how the user uses graphs to narrow the visualization to being increasingly useful.

This requires close collaboration with users, which tend toward larger organization. By this close collaboration the innovator learns how their customers and potential customers use – or want to use – the product. Two areas that their customers told them they want more of was improving data ingestion, and improving self-service so that the user gets fast results but does not require deep understanding. Both of these have been added to the roadmap and this clearly demonstrates how this innovator continues to grow and excel. This is not trivial technology but the goal is to make it as easy for the user as possible since most analysts are not data scientists. The company does its own inside sales with the stated purpose of making sure that they continue to stay close to the potential users. 



SecBI 


  

Company Name

SecBI

Flagship Product in this Category:

SecBI

Flagship Product cost

Web

http:// www.secbi.com

Innovation

Application of cluster analysis to incident response

 Price   Starting at $50,000

Greatest Strength

Applying a very sophisticated analysis tool to proactively discover hidden attack vectors within a breached enterprise preventing persistence and doing it in a way that is manageable by incident responders.

SecBI is a threat detection system that addresses all affected users, domains, assets etc. in a cyber-attack by building a security decision support system. The system ingests log data from network security gateways, and applies clustering and detection algorithms to detect threats. SecBI’s machine learning technology analyzes every piece of incoming and outgoing log data and then clusters related forensic evidence into a single incident providing a narrative of the attack.

The company is three and a half years old and was born out of the RSA breach some years back. During that breach the founders of SecBI realized that the attacker used multiple techniques in parallel to achieve persistence. If the victim had the data a few weeks into the attack, it never would have persisted. However, that poses a serious problem because no human can have wide enough visibility across the network, especially when the enterprise is quite large.

To succeed, they needed to collect and disseminate attack data rapidly. So, to address this gap, the founders built a tool to automate the investigation stage of responding to an incident. They assumed that the data were collected, however, that poses the problem of having too much information. The need was to assemble information that is relevant to the investigation, separating it from the avalanche of information that is not useful.

Their solution was to use cluster analysis. This is a technique that seeks hidden structures and patterns. It requires sophisticated algorithms and the product applies unsupervised cluster analysis using machine learning to perimeter data and communications. A cluster describes the unique communications between two points – everything that is needed for the investigation is within a cluster so there is no need for more data.

Simply, this technique takes a cluster, looks for IoCs and sends the results to the analyst. Users upload logs to the cloud – they are a SaaS system – for analysis. The process is completely automated and completely software (no hardware). It can analyze months of data in a few hours. This is one of the most creative approaches to breach analysis that we’ve seen and certainly deserves its spot in this year’s class of innovators.