This is a tough category because today just about every product that we consider next generation claims to perform threat analysis and intelligence gathering or, at least, intelligence ingestion. We like those products because they say something very important about the evolution of the marketplace. However, for our purposes here we considered only those products whose primary function is threat analysis and/or intelligence gathering and dissemination.
On the other hand, from our perspective, it is one of the most fascinating groups in the bunch. It certainly has evolved faster than any other. What also is interesting is the variety of approaches these innovators take. This year we have four innovators. Each one covers a different part of the threat intelligence gathering landscape and, in fact, a different part of the threatscape itself. One, one of our favorites, is a woman-owned and operated outfit that really puts the lie to the old saw that women cannot make it in tech. Their approach is different from any we've seen.
Threat intelligence can be carved into several pieces. First, there is closed source intelligence. This focuses on access to people. Second, we have open source intelligence, which usually focuses on access to information. A third approach is digital intelligence. This comes largely from threat streams generated by tools that are sensing some element of the threatscape, such as malware or phishing. For closed source we need boots in the street, both physical and virtual boots. That is how we get access to people. The intelligence analysts in this field have extensive penetration into the forums where the bad guys operate. They also have access to many of the actors themselves.
Open source largely is screen scraping plus meticulous collecting, curating, cataloging and cross-correlating of data. Finally, digital intelligence takes a huge number of globally-positioned sensors that constantly are gathering data and shipping it to a central source for curation and analysis. We have a good cross-section of players this year and two of them have been with us for some time. One is in its second year and one is new and certainly bears watching. In any event, this is a hotly growing category and it will be interesting to see how it evolves. There is a good possibility with this one that over the next three years or so it will be subsumed by another category (or several other categories).
Intel 471
Company Name | Intel 471 Inc.
Flagship Product in this Category | Platinum - Cybercriminal Intelligence Collection
Flagship Product Cost | $165,000
Web | https://www.intel471.com
Innovation | Actor-centric cyber threat intelligence
Greatest Strength | Strong use of human intelligence (HUMINT) rather than depending upon screen scraping alone to gather information. Strong presence in cybercrime hot spots around the world. Excellent, well-trained team of cyber intelligence analysts.
We use a combination of open source, closed source and our own first-hand research. Using Intel 471 along with our own sources provides seeds that let us develop breadcrumbs of information that can lead us to bigger things. In that regard we have seen no better tool for mining the underground.
Over the past year, while deepening its cataloging of the underground, the company has begun the task of mapping actors by specialty (payment card dump shops, ransomware developers, etc.) and collecting those mappings into watcher groups that the company shares with its customers. Currently there are over 1,400 such groups. We follow several that apply specifically to our research in the Labs. These watcher groups are intended to answer questions such as, "What are the 150 actors about whom I should worry in my environment?"
Additionally, we have seen several special reports on particular actors that are of real concern (no script kiddies need apply). These are one- to two-page reports that go into a fair bit of depth and reference the rest of the information in this innovator's database, which can add depth and context.
Finally, recognizing that most of its customers are English speakers, the company has developed a translation team that does routine translation as well as custom translation on demand. As one would expect of our innovators, Intel 471 is growing and we expect to continue to see big things from them in the future.
Silobreaker
Silobreaker has a huge database, it's true, but how it uses those data probably is the real innovation. Of course, the data sets are extensively indexed. However, the numerous ways that you can extract the data, merge/compare/analyze it and the several user interface options give you real access to the data and its underlying meaning in the context of what you are searching for. In addition to the traditional column format, where stories simply are played out one at a time, there also is a network UI that shows your search term's relationships to other important information. There are hot spots that focus attention and there are several different ways of searching.
Silobreaker works closely with third-party providers and has an API that works with such other tools as Maltego. We use Maltego extensively in the Labs and the ability to connect to it through an API is priceless when we are dealing with a lot of data for which we need to see external relationships. One area that is bearing fruit is gathering data from the computer underground through the cooperation of third-party partners. This lets Silobreaker work with these providers to add their analytics and investigative bridges to cover both OSINT and closed source. Another export is from Silobreaker to Splunk, and the innovator expects more such alliances over time. The tool now can ingest email, Pastebin import has been expanded, and data may be imported from a CSV file. Finally, this year has brought the ability to use two-factor authentication.
Uplevel Security, System of intelligence for security operations
The product has done well. But these innovators recognize that in a fast-moving market where AI is becoming the watchword, they need to do things that give them a marketing edge to go along with their technical edge. So, over the past year they have worked on exposing and providing visibility into the graph analysis to help users understand what the underlying algorithms mean. This allows the user to augment the underlying algorithms with their own information that reflects the organization's actual environment. Along with that comes fine tuning of the visualization so that the tool actually becomes a search engine for the analyst. They are focused on how analysts actually use the graphs, so that the visualization can be narrowed to what is increasingly useful.
This requires close collaboration with users, who tend to be larger organizations. Through this close collaboration the innovator learns how its customers and potential customers use, or want to use, the product. Two areas that customers told them they want more of were improved data ingestion and improved self-service, so that the user gets fast results without needing a deep understanding of the underlying analysis. Both of these have been added to the roadmap, and this clearly demonstrates how this innovator continues to grow and excel. This is not trivial technology, but the goal is to make it as easy for the user as possible since most analysts are not data scientists. The company does its own inside sales with the stated purpose of making sure that it continues to stay close to potential users.
SecBI
The company is three and a half years old and was born out of the RSA breach some years back. During that breach the founders of SecBI realized that the attacker used multiple techniques in parallel to achieve persistence. Had the victim been able to see that data a few weeks into the attack, the attacker never would have been able to persist. However, that poses a serious problem because no human can have wide enough visibility across the network, especially when the enterprise is quite large.
To succeed, they needed to collect and disseminate attack data rapidly. So, to address this gap, the founders built a tool to automate the investigation stage of responding to an incident. They assumed that the data were already being collected; however, that poses the opposite problem of having too much information. The need was to assemble the information that is relevant to the investigation, separating it from the avalanche of information that is not useful.
Their solution was to use cluster analysis. This is a technique that seeks hidden structures and patterns. It requires sophisticated algorithms, and the product applies unsupervised cluster analysis using machine learning to perimeter data and communications. A cluster describes the unique communications between two points, and everything that is needed for the investigation is within a cluster, so there is no need for more data.
Simply put, this technique takes a cluster, looks for IoCs within it and sends the results to the analyst. Users upload logs to the cloud (it is a SaaS system) for analysis. The process is completely automated and entirely software; there is no appliance. It can analyze months of data in a few hours. This is one of the most creative approaches to breach analysis that we've seen and it certainly deserves its spot in this year's class of innovators.
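To make the cluster-then-triage idea concrete, here is an added Python illustration. It is not SecBI's code and does not reproduce its algorithm, which the article does not describe; it stands in for the unsupervised step with the simplest possible grouping, "all communications between one source host and one destination", and then triages each group against a constructed IoC list and a beaconing heuristic (near-constant inter-arrival times). The log format, the IoC domain `update.bad-domain.example`, the hosts and the 0.1 threshold are all constructed for the example.

```python
"""Cluster proxy-log records by endpoint pair, then triage each cluster.

Added example, not SecBI's product code. Everything below (log format,
hosts, IoC list, thresholds) is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "timestamp src_ip dst_host bytes" per line.
SAMPLE_LOG = """\
2017-03-01T09:00:00 10.0.0.5 cdn.example.net 1200
2017-03-01T09:00:02 10.0.0.5 cdn.example.net 80211
2017-03-01T09:05:00 10.0.0.7 update.bad-domain.example 512
2017-03-01T09:15:00 10.0.0.7 update.bad-domain.example 510
2017-03-01T09:25:00 10.0.0.7 update.bad-domain.example 515
2017-03-01T09:35:00 10.0.0.7 update.bad-domain.example 509
2017-03-01T09:45:00 10.0.0.7 update.bad-domain.example 514
2017-03-01T09:07:13 10.0.0.9 mail.example.org 4300
2017-03-01T10:41:00 10.0.0.9 mail.example.org 2200
2017-03-01T11:02:00 10.0.0.9 mail.example.org 9100
2017-03-01T09:10:00 10.0.0.5 news.example.com 33000
2017-03-01T09:00:00 10.0.0.12 telemetry.example.io 300
2017-03-01T09:30:01 10.0.0.12 telemetry.example.io 301
2017-03-01T10:00:00 10.0.0.12 telemetry.example.io 299
2017-03-01T10:29:59 10.0.0.12 telemetry.example.io 300
"""

# Constructed IoC list; a hypothetical domain standing in for a threat feed.
IOC_DOMAINS = {"update.bad-domain.example"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def cluster_by_endpoints(records):
    """Group records so one cluster = all traffic between one src and one dst."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[(rec[1], rec[2])].append(rec)
    return clusters


def beacon_score(timestamps, min_events=4):
    """Coefficient of variation of inter-arrival gaps, or None if too few events.

    Automated check-ins produce near-constant gaps (CoV close to 0);
    human browsing produces irregular gaps (CoV well above 0).
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return pstdev(gaps) / m


def triage(records, beacon_cov_threshold=0.1):
    """Return only clusters that hit an IoC or look like beaconing."""
    findings = []
    for (src, dst), recs in cluster_by_endpoints(records).items():
        reasons = []
        if dst in IOC_DOMAINS:
            reasons.append("ioc_match")
        cov = beacon_score([r[0] for r in recs])
        if cov is not None and cov < beacon_cov_threshold:
            reasons.append("beaconing")
        if reasons:
            findings.append({
                "src": src, "dst": dst, "events": len(recs),
                "bytes": sum(r[3] for r in recs),
                "interval_cov": cov, "reasons": reasons,
            })
    # Most corroborated clusters first, then stable ordering by source.
    findings.sort(key=lambda f: (-len(f["reasons"]), f["src"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as a script, it reports two of the five clusters: the IoC-listed host that also beacons every ten minutes, and a second host that beacons every thirty minutes to a domain no feed knows about. The rest of the log never reaches the analyst, which is the point the article makes about separating the relevant cluster from the avalanche. Real perimeter data needs far more features and a real clustering step; this only shows the shape of the pipeline.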