The focus here is on monitoring and analytics. We have, somewhat arbitrarily, designated as next generation those products that use advanced algorithms, machine learning or another form of AI (such as neural nets), pull in external threat feeds as part of their data gathering and often use cloud technology to aggregate and correlate data from a large number of global sensors.

The innovators in this group certainly meet those criteria. There are four and each one has a somewhat different focus. What we found interesting is just how disparate those focuses were at first glance. Deeper inspection showed us that, beyond the next generation criteria, each tool had a clear strength in common: threat hunting. Simple as that sounds, however, the nature of the hunt differs from tool to tool.

For example, one innovator focuses on activity inside the enterprise while others focus on what is coming at the enterprise and what is leaving it. For all of that, all four of these products are very competent threat hunters, each in its own way.

Returning to the next generation criteria, this is where we saw a lot of innovation. On the surface, each of these tools uses machine learning, for example. However, if that is as far as you take it, you are only touching the tip of the iceberg. More and more we are seeing PhD data scientists at these fast-moving innovators, and that is no surprise. Developing the algorithms that can handle big data – and we mean really big – is the focus here. This isn’t drinking from a firehose… it’s drinking from Niagara Falls as you go over with a big hole in your barrel.

We saw an increasing emphasis on Bro, the open source network security monitor, and, as an aside, learning a bit of Bro can be a big help to threat hunters. Bro is built around a well-thought-out, domain-specific scripting language that focuses completely on security monitoring and logging, and its standard logs (conn, dns, http, ssl and so on) are a natural substrate for a hunt. Part of its attractiveness is that it is open source, so we see Bro-based sensors turning up inside very sophisticated next generation monitoring tools.

The bottom line is that this is an emerging category that may end up subsuming several others over time as the focus for network security pros turns more and more to threat hunting. The products we see from these innovators already are calling the tune for what we should expect from next generation monitoring tools.

BluVector

Company Name: BluVector
Flagship Product in this Category: BluVector
Flagship Product cost: Starting at $1,000/mo
Web: https://bluvector.io
Innovation: Analysis of the incoming data stream to identify malicious code before it enters the enterprise
Greatest Strength: Persistence and vision to see a need, develop a response to it and keep innovating along the way.

Last year we characterized BluVector as an on-the-wire hunting tool. The idea was that by sitting on the wire a measure of proactive hunting occurs before malicious traffic even gets inside the enterprise and starts to do its damage. It turns out that in its current incarnation it is somewhat more than that. In fact, the company – BluVector spun out of its prior owner to become fully independent this past year – describes the tool as, among other things, a next generation intrusion detection system. We think that is something of an oversimplification. It certainly does that, but proactive hunting is where BluVector excels.

Over the past year this innovator has done some interesting things. For example, it has developed what it calls a speculative execution engine for zero-day malware detection. This is high speed emulation: the engine examines the scripting code of suspected malware and enumerates the malicious actions it could take, without relying on a signature for the sample. Doing this at wire speed is quite an accomplishment. Behind it, the company has invested eight years in training its patented, machine learning-based detection and intelligent decision support engines, which are intended to let security analysts find, confirm and contain the newest and most sophisticated threats.

The company has added new engines for several other rule sets and for third-party threat intelligence feeds. This is all part of building a next generation network intrusion detection system that runs signature and rule engines such as YARA and Suricata alongside the machine learning, giving better visibility across the entire attack life cycle. Over the past year 90% of this innovator’s effort has gone into expanding core competencies such as fast detection. BluVector also has focused on simplifying use for the mid-market and for managed service providers. The company now offers a virtual appliance (for VMware ESXi 6.0 and above) with cloud-based management that leaves the data on the customer’s premises.

The company is growing and adding employees regularly now that it is independent. We see this as the starting point for new ways to view malicious behavior coming at the enterprise. More than a next gen NIDS, BluVector is the next generation of threat hunting tools that hunt the threat before it can enter the enterprise.

ProtectWise, The ProtectWise Grid

Company Name: ProtectWise
Flagship Product in this Category: The ProtectWise Grid
Flagship Product cost: See the innovator – pricing is tiered and based on the amount of network traffic ingested and the length of time network data is retained for retrospection.
Web: https://www.protectwise.com
Innovation: Immersive security that allows analysts to see potentially malicious activity on the network from inside the enterprise using creative visualization.

We first came across this innovator when we took them with us to monitor security for Super Bowl 50. We were intrigued by the tool’s unique heads-up display and found it very effective in the environment where we deployed it. That noted, we started watching them more closely and last year we made them part of the innovators class of 2016.

This is a unique hunting tool that gathers data from sensors that you place strategically in your enterprise. The sensors report to the cloud, where the analytics are done, and the results are shown in a heads-up display organized around the kill chain.

This is a very rapidly growing company. There are around 100 employees and hundreds of sensors deployed worldwide, and the system stores over 100 billion records collected from them. Over the past year ProtectWise has really been burning up the innovation scene. For example, although the company focuses on the network, there is a move afoot to add endpoint detection, and the company is one of three launch partners for the new Palo Alto Networks detection framework.

Although ProtectWise provides intelligence from various providers, it has developed the concept of “bring your own intelligence.” Rather than relying only on ProtectWise’s own intelligence, customers are invited to add any whitelist or blacklist of their own; one example is ingestion of Snort signatures and IDS rules. Additionally, the company has expanded past the enterprise network, offering automated detection and response in cloud-based environments and industrial control systems. It can deploy lightweight edge sensors, so customers don’t need full-size appliances.

ProtectWise sees that the market is continuously evolving, and the company is able to keep pace because of its architecture: the platform is built from microservices, and the company pushes new code daily, with network telemetry as the focus. In that regard, the company is adding to its already creative UI with a “grid tab” in the near future. This tab will display virtual cityscapes of the monitored enterprise, making rapid spotting of malicious activity even easier than the current heads-up display (which it will augment rather than replace). Their notion of “immersive security” keeps them, they believe, on the bleeding edge of visualization. ProtectWise recently launched a companion research site at http://401trg.pw.

PacketSled

Company Name: PacketSled
Flagship Product in this Category: PacketSled platform
Flagship Product cost: Cloud packages start at $25,000 per year and vary based on consumption and retention. Partners should contact PacketSled directly for on-premises packages and for IR and MSSP pricing.
Web: https://packetsled.com
Innovation: Strong application of advanced analytics, machine learning and flexibility with a powerful query language.
Greatest Strength: Vision and very strong technology along with a clear understanding of what the people who use the tool(s) really need to do their jobs.

Last year we introduced PacketSled as one of the tools we use in the Labs. PacketSled has some distinct advantages for us as we analyze activity against our honeynet and our deception network. Probably the biggest is the combination of an excellent query language and the ability to create alerting chains of events based upon IoCs very easily using IRES (Incident Response Expert System). We have several customized alerts and they have worked well for us, particularly since we deployed a Tor relay node. Using PacketSled we can learn a lot about a particular data stream. We also have used the customization capability to create unique tests that we want to apply during an experiment. While you may not be experimenting as we do in the Labs, you may have repeated attacks that you want to trigger on, and this lets you do that very easily.

This innovator has built the tool around Bro, the open source network security monitor and its scripting language. We like that because we can extract the Bro logs and use them as part of our own analysis. However, probably a better reason for liking Bro is that, even though it is open source, its log formats are stable and well documented, so what PacketSled records can be consumed by other tooling.

Visualizations are very straightforward and there is a lot of drill-down. This year there has been more emphasis on the kill chain, which we have found quite useful. In addition to the sensor deployed at the Labs, we have had the opportunity to work with a deployment at a small financial institution where five sensors are in place. It is a core tool for the security team there.

Earlier this year the innovator released a specialized version of the tool aimed at incident responders. This is a lightweight sensor package that is easy to deploy and can be running in minutes. The available forensics are excellent and we have had fine results using the tool alongside such typical techniques as log analysis.

Sqrrl

Company Name: Sqrrl
Flagship Product in this Category: Sqrrl
Flagship Product cost: Starting at $25,000
Web: https://www.sqrrl.com
Innovation: Sophisticated hunt-based threat analytics
Greatest Strength: Technical superiority and the vision to define the mechanism of threat hunting as part of the incident response vernacular.

We started looking at Sqrrl over the past couple of years and became convinced that it continued to belong in the Innovators issue after watching it in a real production threat hunt. This is a threat hunter’s dream for several reasons. First, it “thinks” about the data moving across the enterprise between nodes and endpoints, which clearly helps sort out the huge number of endpoint-to-endpoint communications. Managing that much data is more than a human can do efficiently, so it’s Sqrrl to the rescue.

The second benefit we found is that Sqrrl encourages thorough logging. We saw instances where an enterprise looked as if it was logging correctly and retaining logs efficiently but, in reality, had very little useful historical data: the combination of missing logs and less than optimum retention periods hurt the hunt significantly. The good news was that these deficiencies were pointed out so clearly that remediation was straightforward. Sqrrl, in this case, helped the customer execute its own policies properly.

This is a highly sophisticated tool set, all stitched neatly together into a comprehensive threat hunting and analysis tool. Under the covers it performs several functions, including user and entity behavior analytics, adversarial behavior indicators intended to identify tactics, techniques and procedures (TTPs), and graph analytics. It uses machine learning, behavioral baselining and peer group analysis.

Areas of innovation addressed over the past year included continuing to advance the analytics and, perhaps more important, making adjustments to allow fuller interactive participation by the user. A new area of interest was DNS analytics and command-and-control (C&C) identification. Talking to a lot of hunters and organizations revealed some difficulty in getting that capability in place; the problem seemed to be how to get started, so Sqrrl addressed that this past year.

The innovator opened up the analytics to enable easier hypothesis formulation that takes fuller advantage of them. This creates triggers and improves both data-driven and intelligence-driven hunting. The company spent time on entity behavior, which allows the tool to form a picture of risk based upon evidence generated by those triggers. This keeps things simple: you build your hunt hypothesis in the UI, which in turn simplifies access to data from many network sources, such as Bro logs and threat intel feeds.
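Both the Bro-based collection described under PacketSled (and in the introduction) and Sqrrl’s DNS analytics and C&C identification come down to running hunt logic over Bro’s standard logs. As an added worked example, not code from any of the products reviewed here, the Python below parses Bro’s tab-separated ASCII log format and runs two hunts over constructed sample data: beacon detection over conn.log (one host contacting one destination at nearly constant intervals) and DNS anomaly scoring over dns.log (NXDOMAIN counts and high-entropy second-level labels, the cheap first signals of DGA-driven C&C lookups). The log records, thresholds and trimmed column sets are constructed for illustration; the format handling (the escaped #separator line and the #fields and #unset_field headers) follows the real Bro log layout.

```python
"""Hunting over Bro (Zeek) ASCII logs: parse the tab-separated format, then
look for C&C beacons in conn.log and DGA-style lookups in dns.log.  Added
example for this page, not code from any product reviewed here; every log
line below is constructed for illustration."""
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed conn.log excerpt, trimmed to the columns the hunt needs.  Real
# logs carry more columns; the parser reads whatever #fields declares.
CONN_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1500000000.000\tC1\t10.1.1.5\t51000\t203.0.113.9\t443\ttcp\tssl
1500000060.100\tC2\t10.1.1.5\t51001\t203.0.113.9\t443\ttcp\tssl
1500000119.900\tC3\t10.1.1.5\t51002\t203.0.113.9\t443\ttcp\tssl
1500000180.200\tC4\t10.1.1.5\t51003\t203.0.113.9\t443\ttcp\tssl
1500000240.000\tC5\t10.1.1.5\t51004\t203.0.113.9\t443\ttcp\tssl
1500000005.000\tC6\t10.1.1.7\t52000\t198.51.100.2\t80\ttcp\thttp
1500000012.000\tC7\t10.1.1.7\t52001\t198.51.100.2\t80\ttcp\thttp
1500000300.000\tC8\t10.1.1.7\t52002\t198.51.100.2\t80\ttcp\thttp
1500000301.000\tC9\t10.1.1.7\t52003\t198.51.100.2\t80\ttcp\t-
"""
# Constructed dns.log excerpt: one host doing normal lookups, one resolving
# random-looking names that do not exist.
DNS_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\trcode_name
1500000010.000\tD1\t10.1.1.5\t10.1.1.1\twww.example.com\tNOERROR
1500000020.000\tD2\t10.1.1.9\t10.1.1.1\tx7kq2mzp9wvd4htb.net\tNXDOMAIN
1500000021.000\tD3\t10.1.1.9\t10.1.1.1\tqzv8r1lm3ydwf6pk.net\tNXDOMAIN
1500000022.000\tD4\t10.1.1.9\t10.1.1.1\tt4hbn0wxj9e2kcsa.net\tNXDOMAIN
1500000030.000\tD5\t10.1.1.9\t10.1.1.1\tmail.example.org\tNOERROR
"""


def parse_bro_log(text):
    """Yield one dict per record keyed by the #fields names; unset cells
    ('-') become None and empty cells ('(empty)') become ''."""
    sep, unset, empty, fields = "\t", "-", "(empty)", []
    for line in text.splitlines():
        if line.startswith("#separator "):  # value is escaped, e.g. \x09
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
        elif line:
            yield {f: None if v == unset else "" if v == empty else v
                   for f, v in zip(fields, line.split(sep))}


def find_beacons(records, min_conns=4, max_jitter=0.15):
    """Flag (src, dst, port) triples whose inter-connection gaps are nearly
    constant (low coefficient of variation), the classic beacon signature."""
    by_triple = defaultdict(list)
    for r in records:
        by_triple[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    beacons = {}
    for triple, times in by_triple.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[triple] = round(avg, 1)  # mean interval in seconds
    return beacons


def shannon_entropy(label):
    """Bits per character: a random 16-char DGA label scores 4.0, plain words 2 to 3."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def score_dns(records, nx_threshold=3, entropy_threshold=3.5):
    """Per querying host, count NXDOMAIN answers and collect high-entropy
    second-level labels: first-pass signals for DGA-driven C&C, for triage."""
    per_host = defaultdict(lambda: {"nxdomain": 0, "high_entropy": []})
    for r in records:
        if not r.get("query"):
            continue
        host = per_host[r["id.orig_h"]]
        if r.get("rcode_name") == "NXDOMAIN":
            host["nxdomain"] += 1
        labels = r["query"].rstrip(".").split(".")
        sld = labels[-2] if len(labels) >= 2 else labels[0]
        if shannon_entropy(sld) >= entropy_threshold:
            host["high_entropy"].append(r["query"])
    return {h: v for h, v in per_host.items()
            if v["nxdomain"] >= nx_threshold or v["high_entropy"]}


def run_hunt(conn_text=CONN_LOG, dns_text=DNS_LOG):
    """Run both hunts over the sample logs; returns (beacons, dns_hits)."""
    return find_beacons(parse_bro_log(conn_text)), score_dns(parse_bro_log(dns_text))

if __name__ == "__main__":
    print(run_hunt())
```

The jitter and entropy thresholds are starting points for triage rather than verdicts: legitimate software update checks beacon too, and long legitimate labels can cross the entropy line, so the output is a candidate list for an analyst to confirm, which is exactly the hypothesis-first workflow the article describes.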