Starting at $25,000


https://www.sqrrl.com


Sophisticated hunt-based threat analytics

Technical superiority and the vision to define the mechanism of threat hunting as part of the incident response vernacular.

We started looking at Sqrrl over the past couple of years and became convinced that it continued to belong in the Innovators issue after watching it in a real production threat hunt. This is a threat hunter's dream for several reasons. First, it “thinks” about the data moving across the enterprise between nodes/endpoints. This clearly helps sort out the huge number of endpoint communications. Managing that much data is more than a human can do efficiently, so it's Sqrrl to the rescue.

The second benefit we found is that Sqrrl encourages thorough logging. We saw instances where an enterprise looked as if it was logging correctly and retaining logs efficiently but, in reality, there was very little useful historical data because the combination of missing logs and less than optimum retention periods hurt the hunt significantly. The good news was that these deficiencies were pointed out so clearly that remediation was straightforward. Sqrrl, in this case, helped the customer execute its policies suitably.

This is a highly sophisticated tool set, all stitched neatly together in a comprehensive threat hunting and analysis tool. The tool performs several functions under the covers, including user and entity behavior analysis, adversarial behavior indicators intended to identify tactics, techniques and procedures (TTPs), and graph analytics. The tool uses machine learning, behavioral baselining, and peer group analysis.

Some of the areas of innovation addressed over the past year included both continuing to advance the analytics and, perhaps more important, making adjustments to allow fuller interactive participation by the user. A new area of interest was DNS analytics and C&C identification. Talking to a lot of hunters and organizations revealed some difficulty in getting the capability in place. The problem seemed to be how to get started, so Sqrrl addressed that this past year.

The innovator developed the ability to open up the analytics to enable easier hypothesis formulation that takes more advantage of analytics. This creates triggers and improves both data-driven hunting and intelligence-driven hunting. The company spent time exploring entity behavior, which allows the tool to form a picture of risk based upon evidence generated by triggers. This makes things simple so that you can build your hunt hypothesis in the UI, which simplifies access to data from many network sources such as Bro and threat intel feeds.