Sqrrl is a threat hunting tool that for practical purposes initiated the threat hunting market if not the technique itself. Certainly, there can be little doubt that the company automated the threat hunting process. We have been using Sqrrl in one way or another over the course of the past year in a production environment. In the coming year we anticipate deploying it in our deception network for use supporting the Threat Hunter Blog (which will resurface after the first of 2018) after we update our threat intelligence research environment.
Recently we had the opportunity to deploy Sqrrl in an actual production threat hunt where it was doubtful that an intrusion, in fact, had occurred. Although the testing is still going on, currently we have seen no indicators of an actual breach. That is one of the strengths of Sqrrl: extremely low false positive rate. If it says that there is nothing there, then that likely is the case.
However, Sqrrl is dependent upon extensive logging in the enterprise. While that is not much of a problem post-deployment (because you will set up your logging to ensure that you get the most out of Sqrrl as part of the deployment), retrospective – pre-deployment – looks may suffer for lack of initial logging. If we were to characterize Sqrrl in the simplest of terms we would call it the most powerful, intelligent link analyzer we've seen.
Sqrrl's job is to consume all types of log data and draw conclusions about threats present in the enterprise. There is just about no log type the product cannot consume and, as a result, a massive amount of detail is available about the relationships of devices, users, processes, network transactions, etc.. To accomplish this, the tool uses advanced machine learning, sophisticated algorithms, big data processing using Apache Accumulo and Hadoop, and graph theory to develop behavior graphs.
The first step in running an initial Sqrrl hunt is to teach Sqrrl the kinds of logs on your enterprise. Once you have done that the tool creates – with a little help from Sqrrl engineers and data scientists – the set of models for your environment. While the product comes with its own model, you – or Sqrrl – can create additional ones. However, the formats of the logs in your enterprise need to be taught to Sqrrl's standard model to prepare it for understanding a baseline of your network. Going forward, as it hunts with you, the model evolves and becomes more familiar with your environment. This log format ingestion process took a couple of days of working with the Sqrrl team.
Using Sqrrl is intuitive and with practice you can become quite proficient at looking for obscure indicators. Even so, Sqrrl provides a bit of “as you go” training which in our case took about an hour. From that point on, analysts who never had seen the product were up and hunting. We like Sqrrl for its advanced hunting skills, ease of use, easy deployment in a virtualized environment, and excellent support from the Sqrrl team.
Product: Sqrrl Enterprise
Price: Starting at $25,000
What it does: The cyber threat hunting tool.