This is one of our new categories. It was a lot of fun to do. While at first blush there may appear to be some redundancy in these Innovators, the fact is that, although there is a bit of overlap, they are very different in their approach and end goal. If cost is not an object, you really could benefit by having all three in your SOC. Certainly I would.
The approaches that each of these Innovators takes is focused on a specific way of viewing the security monitoring and analytics problem.
The approaches that each of these Innovators takes is focused on a specific way of viewing the security monitoring and analytics problem. For example, one of the products focuses on the kill chain. One focuses on taking a deep dive into what is happening on your network. And the third is the nearly perfect threat-hunter’s tool. Taken together – and with the addition of a couple of cloud-specific tools if that is your particular poison – these applications make skilled analysts superlative and average analysts very good. That sounds like a dream SOC to us.
The question that comes up when we use terms such as “next generation” is, what exactly do we mean? In this case, we are carving out the parameters of the next generation as including techniques such as sophisticated analytic algorithms, machine learning and heavy, cloud-based analysis allowing very lightweight agents on the enterprise. All three of these Innovators exhibit these characteristics.
While there are lots of uses for the cloud – reasonable or not (some are pure marketing while some really have a purpose) – the use of the cloud to perform heavy analytics is probably the best we can think of from a purely technical perspective. Heavy analytics take lots of computing power (easy to get in a cloud environment) and scads of storage (exactly what the cloud was made for). Another huge benefit is the pervasiveness of access allowing rapid and efficient data collection and dissemination from/to anywhere in the world. Next-generation security tools are very heavy cloud users.
So, with all that in mind, here are three Innovators that are, to use the vernacular, the tip of the security analytics spear.
Flagship product PacketSled Cloud
Cost Varies based on observed traffic and forensic retention. Small instances can start at $1K per month.
Innovation Large-scale integration of all types of relevant data that can assist in managing attacks in a cloud environment.
Greatest strength Understanding of the types of analytics needed to address complex attack tactics, techniques and procedures and making those analytics available to less skilled users. Long-term data storage allowing retrospective analysis of past events in light of new information.
PacketSled is a cloud-based, real-time breach detection and network forensics vendor. The company’s product is focused on finding complex attacks at all layers of the network stack and providing forensic evidence of advanced attacks. It aggregates intelligence about threat actors and builds correlated attack chain models that can be leveraged across a large-scale datastore.
The company was started because the founders perceived serious gaps in the information security marketplace. These included packet capture for forensic analysis, scalability and usability. They believed that everyone needs the ability to dive into the problem, realizing at the same time that smaller companies can’t afford the tools and specialists necessary to achieve good results in complicated situations. Their solution was to develop a cloud platform so that any size company can engage potential attacks at the enterprise level. One of the Innovators in the company told us, “Everybody should have the ability to protect themselves from the bad guys and benefit from the technology.” For larger companies, they would have to buy a large system and manage it. That can be difficult. For a small company, it likely would be prohibitive. As are many security vendors, PacketSled is looking at the Internet of Things, “because the only truth is in the packet.”
The cloud model lowers the cost of digital forensic incident response. Traditional technology, this Innovator believes, does not enable everybody.
PacketSled uses a correlated attack model, meaning an information model with ad hoc queries, lots of data and no limitations on what they can search. They also have a new behavioral model in development.
This Innovator sees visualization as an important part of a major problem: a very limited number of people are cybersecurity experts. Many of the people doing incident response, forensics, security operations center analysis and so on may not have deep knowledge and experience. Giving them advanced tools that do much of the heavy lifting gives these people important enablers and strong experience that can result in training for their futures. Also, in managing security incidents, speed counts. PacketSled provides easy, fast understanding that allows analysts to pick useful information out of the noise. More of that will come when PacketSled introduces their behavioral modeling.
Flagship product ProtectWise Cloud Network DVR
Cost Pricing depends on capacity and the length of the retention period (1-month, 3-month, 6-month or 1-year) and starts at $40,000 annually. There is no charge for sensors.
Innovation Today’s best user-friendly UI.
Greatest strength Analytics, leverage of the cloud and retrospective analysis capability baked into the architecture.
This Innovator takes a bit of a different approach to threat analysis. Unlike most other tools of its type, ProtectWise follows the kill chain very closely. The heads-up display (called the Visualizer) – certainly one of the most dramatic we have seen – was designed explicitly to focus the analyst’s attention on each step of the kill chain so that he or she can see exactly how far an attack attempt has progressed. Then with that information in hand, there are a wide variety of drill-downs that can give the analyst deep insight into the attack and its progress, source, targets, etc. The Visualizer can be leveraged for real-time situational awareness or as a forensic workbench for incident response teams and analysts.
One of the company’s founders certainly goes back a long way in the security business. He started the BugTrac list which morphed into Security Focus and was eventually acquired by Symantec. After a variety of other successful startups he worked at McAfee as CTO and then began to think about a next-generation platform that could leverage the cloud. ProtectWise was founded in 2013.
This Innovator leverages a cloud-based DVR (detection-visibility-response) and stores data for a long time. The goal is to have a retention period longer than the breach discovery period. The company believes that today a SIEM does not have a memory for the network. Their retention model does real time analysis and also provides a “time machine” to give a fully automated retrospective analytic detection platform. In the words of ProtectWise, “The network doesn’t lie.”
Under the covers, the tool performs what the company refers to as “network shattering,” meaning that it dissects netflows using deep-packet inspection on more than 6,000 types of protocols and applications. This is correlated with threat analysis from threat feeds and cross-installation data to cull information from threats at large and threats detected within their user base.
The biggest challenge, according to this Innovator, is the human factor. There are not enough people who can interpret SIEMs and, at the same time, there is a need to be proactive in hunting for the adversary and responding. Because one cannot depend on automation 100 percent, the human will never be displaced. To address that challenge, the company built a unique presentation layer, calling in Jake Sargent from Digital Domain in Hollywood, who did the CGI for the movie TRON: Legacy, to create the Visualizer and its dramatic heads-up display.
Flagship product Sqrrl Enterprise
Innovation The company’s approach of packaging a lot of pieces together to make coherent data accessible to users and being able to visualize that information as it occurs.
Greatest strength Superb application of Big Data analytics.
Probably no organization in the private sector has done more to bring the topic of threat hunting to the fore than this company with the funny name. While the term “threat hunting” is not a new one – and, in fact, is a staple of the intelligence community – Sqrrl has codified it and developed a complete methodology around the concept. This concept includes a maturity model and a threat hunting loop: create a hypothesis, investigate with tools and techniques, uncover new patterns and TTPs, and inform and enrich with analytics. This hunting loop is a solid embodiment of the scientific process applied in forensic science.
Interestingly, Sqrrl describes the hunting process as proactive. The company defines hunting as “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.”
The idea is that by going on “hunting trips” on an ongoing basis – the tool automates the process – you will uncover indicators before they fire, preventing damage to the enterprise. This is a pretty good idea…if it works. And, as Sqrrl has demonstrated repeatedly, it does.
In order for an organization to use threat hunting effectively, there is a learning curve. Hunting is a pretty new concept for most organizations so it is natural that they would go through a maturing process. To help measure progress in that regard, Sqrrl has developed a threat hunting maturity model consisting of five levels:
- Level 0 – Initial
- Level 1 – Minimal
- Level 2 – Procedural
- Level 3 – Innovative
- Level 4 – Leading. A full discussion of this model is on the company’s website.
The Sqrrl architecture depends on sophisticated algorithms and massive, scalable Big Data analytics. The data store sits on an Apache Hadoop cluster and is scalable into the petabytes of data. This means that users can feed the system massive amounts of data that it can ingest and process in a short time. Data can be fed using the bulk load API and it usually consists of various logs of activity throughout the enterprise. Using a form of link analysis, the Sqrrl engine analyzes the data – goes hunting – and delivers an analysis of suspicious activity or artifacts on the network and its devices.
Oh, and the funny name? Think of the Secret Squirrel cartoon character of the mid-1960s.