Industry Innovators 2016: Next-generation security monitoring and analytics
This is a fairly large section, in part because this is the core emerging marketplace in data protection currently – and for the foreseeable future. The Innovators who have cleared the pathway toward using sophisticated data analytics, machine learning and Big Data are the ones who will define the genre and what it really means to be “next-generation.” Unfortunately, that is a term fraught with hype to the point where, like “Big Data” it is in danger of losing its meaning almost before there was a chance to establish it.
Here we are very specific about what we mean by these terms. Next-generation must have some form of advanced algorithmic analysis and machine learning and must be able to work in the context of Big Data. Big Data we define strictly to include IBM's four Vs: Velocity, Variety, Volume and Veracity. Each of the Innovators we look at this year do, in fact, fit our description. Unfortunately, we are not quite “there” yet globally with next-generation and we may, perhaps, be forgiven if a tool that we class as next-gen has taken only baby steps along the road to maturity.
We have five Innovators in this category this year and they are different in many ways and alike in many. While some may consider themselves competitors, we can say with confidence that, cost not being an object (these tools can get a bit pricey), we could justify one of each in our lab or SOC.
One of our Innovators performs threat hunting on the wire (dynamic), one on the platform (static), and two are analytic activity monitors on steroids that watch everything in the range of their sensors then analyse and display/alert. The displays of these two are dramatically different and they each have individual strengths. In many ways, they overlap, but in many ways they augment each other. Finally, we have one that is, for us, anyway, at the top rung of the “emerging technology” ladder in that it out-honeypots any honeypot we have ever seen.
All things said, we think that this may be the most exciting assembling of Innovators for this year. To watch and use these tools is to see the future unfolding on your screen. You will see – with all of these products – things going on in your enterprise of which you never dreamed.
Vendor Acuity SolutionsFlagship product BluVector
Price Starts at £148,800 for a 1Gbps 2U hardware appliance with a one-year subscription.
Innovation Dedicated threat hunting on the wire.
Greatest strength Creativity and understanding how threats enter and impact the enterprise.
Acuity Solutions is the creator of BluVector, a real time, network-based, cyber hunting platform. Based on government sponsored research recently made available to the commercial market, it is purpose built to empower the cyber hunter and is particularly adept at identifying zero-day threats by quickly deploying constant analytics at large scale.
Because BluVector uses dynamic – on the wire – analysis, we asked why the data stream was better than static analysis on devices. It turns out that there are two problems that need solving: how to advance the organisation's approach to advanced threats and how to radically simplify the organisation's approach. Being on the network allows the organisation to be proactive. It also takes into account investments that the organisation has made already. The result is that they are enabled to be more proactive than they have been before. The objective of BluVector is to be proactive rather than retrospective.
Cyber hunting takes place on many different perspectives through the enterprise. Acuity believes that you have to look at everything within the enterprise. But looking at the datastream has some tactical advantages. So, they created a network hunting platform. This Innovator's perspective is that packets don't lie. BluVector needs to provide an objective observation point and the datastream is the most objective source. That means that BluVector is not impacted by the malware author's “tricks” for obfuscation.
Their traction in the market is a result of reaching profitability very quickly: Acuity is only a year old. They believe that this rapid growth proves the value of the technology. Their goal is not to compete with existing infrastructure, but to add value to what is there already. That means integrating in such a way that 1+1=3, enabling customers to orchestrate what they have already to be effective. BluVector integrates with several third-party tools, such as threat intelligence, sandbox and SIEM. BluVector intends to change the cyber defender's workflow. That, then, will provide a highly competent starting point for hunting.
Vendor Illusive NetworksFlagship product Illusive
Price £47 per user per year tiered volume pricing.
Innovation Took deception from honeynets to fully transparent deception networks.
Greatest strength Transparent to the adversary forensic-level monitoring, data capture and analysis through a deception layer over the entire enterprise.
When is a honeypot not a honeypot? The answer to that – when it's the entire enterprise – is the key to this Innovator's success. In the last couple of years, we have begun to make a distinction between honeypot/honeynets and deception networks. Unlike a honeypot – just a set of devices set up to appear like a real network to induce an adversary to attack – a deception network is all or part of the actual enterprise that is instrumented and protected such that the adversary is allowed to engage and the engagement is captured forensically but does no harm. The benefit is that the adversary does not know that he is being tracked and manipulated.
This is a rather simplistic description. In reality there are lots of flavours of honeypots and deception networks, but for a 100,000-foot view it will do. It also is a pretty good description of what Illusive Networks does. This Innovator uses what it terms “Deceptions Everywhere Technology" to neutralises targeted attacks and advanced persistent threats by creating a deceptive layer across the entire network. This provides an endless source of false information, disrupting and detecting advanced attacks with real-time forensics and without disruption to business.
What makes this Innovator unique? After all, we have had honeypots for a long time. However Illusive believes that the honeypot concept is not scalable and is expensive to operate. How are they unique from other deception nets? Others are trying to improve the honeypots by using virtual machines as honeypots. Taking a very different approach, Illusive makes every endpoint part of the deception. The company does it without agents so the deception itself is protected from reversing by the adversary. The adversary must try everything because he doesn't know what is good and what is not.
Some important features of the Illusive deception network include Attacker View, a sophisticated technology that exposes hidden cyberattack paths, enabling a view of the attacker's lateral movement; Wire Transfer Guard detects targeted attacks against global wire transfer banking systems; and Advanced Ransomware Guard, which blocks ransomware activity at the source host before it gains a foothold in the network.
The company has, essentially, reinvented deception technology. It takes the perspective of the attacker not the malware. Malware is not the issue. The issue is the attacker behind the malware.
Vendor ProtectWise Flagship
Product The ProtectWise GridPrice The ProtectWise Grid is a subscription service. Pricing is tiered and based on the amount of network traffic ingested and the length of time network data is retained for retrospection.
Innovation A kill chain approach to detecting and analysing events within the range of its sensors and making those events visible immediately along with the analytics necessary for a deeper dive into the event.
Greatest strength The heads-up display is completely unique. Rather than minimising the capabilities of ProtectWise to a “pretty face,” the display is designed to draw immediate attention to events that need attention and facilitates efficient hunting and remediation.
During Super Bowl 50 we used an early version of ProtectWise with excellent results. The product provides a pervasive view of the network, incorporating analytics and an interesting, eye-catching interface that enables threat hunting and incident response. The tool is deployed using network sensors on critical segments of the enterprise. These segments are monitored for their network connectivity between parts of the enterprise or the enterprise and the internet. The sensors optimise collected data and ship it to the Visualiser in the cloud where it is analysed and displayed on a heads-up display rather than the usual dashboard. This unique display is eye-catching and attracts the analyst's attention to important events occurring on the enterprise. The company has branded its tool set the ProtectWise Grid.
This is the second year we've looked at this Innovator and over the intervening year the company has transitioned to full production and heavy marketing. ProtectWise now has a crystalised vision of how its disruption is going to come together. When asked about differentiators, reps told us that the company is bringing a utility model to the market through its cloud. This allows organisations to transition the siloed servers in the security stack to the company's model, thus allowing, in addition to real-time analysis, retrospection.
Integration with third-party tools combines network visibility with the endpoint through integration with such vendors as Carbon Black. To accomplish this, the tool has a very integration-friendly API. This facilitates feeding a suite of indicators including in-house research, best-of-breed threat indicators and customers' bring-your-own-intelligence.
Called context fusion, these combine an intelligence bucket made up of forensic, workflow and remediation buckets. Improved depth of analysis results from expanded machine learning, a TCP library and open-ended enquiry that supports hunting. The tool scales well and data searches are very fast over Big Data. This is, most certainly, a next-generation tool for context-based, real-time threat hunting on the wire. With the heads-up display, network operations centre engineers are presented with a quick way to identify events on the enterprise and begin the analysis and response necessary to protect the network.
Vendor PacketSledFlagship product PacketSled
Price Pricing is consumption based.
Innovation Applying advanced analytics to threat hunting and evolving an analyst's tool into an analyst's tool that also has very strong monitoring, detection, case management and alerting functions.
Greatest strength Strong analytics and versatility.We run PacketSled in our SC Labs as part of our honeynet analysis. In fact, the analytics – attacks against the honeynet, for example – reported in the “Threat Hunter” blog come directly from our PacketSled deployment, so it is no surprise that we have a lot of experience with this Innovator. PacketSled is, usually, a SaaS tool but there is an on-premises version as well. We especially like the support feature that consists of clicking a button on the desktop to open a chat session with an engineer. We never have seen that level of support response in any of the products we have reviewed and it provides a real benefit both to new users and experienced users with a difficult problem.
Another feature that we like is the query language that lets users focus in on issues that may be related to an event in the enterprise. The core that supports that query language is Bro, the network analysis framework. The queries are simplicity themselves to write, but if you don't quite have the knack of Bro yet, the query manager has an autocomplete function to help you along.
PacketSled has multiple screens, each with a particular function. The main screen is the overview and it shows a comprehensive picture of sensor activity. From this screen, users also can open cases set up in the Investigator screen. It is on the Investigator screen where users can initiate queries that can be in the Bro-like query language, which resembles regular expressions. Additionally, there are automated captures that look specifically for such things as suspected command-and-control servers accessing (or being accessed by) your enterprise.
But the system is not limited to pre-packaged indicators. You can set your own kill chains. For example, you might be looking for SSH probes where the attacker is trying to guess passwords coming from a particular geographic location. Once you set that up, you can designate the alert level. Overall, this is a very complete package. It not only provides alerts that users can customise, it is an analyst's tool that we could not function on our honeynet without.
What's coming? More and deeper analytics of course. You never can have enough of that. Also, enrichment, such as full export and import of Stix profiles – a particular hot button for us – and more visualisations. With all of that, this Innovator is carving its place in the marketspace in high style.
Vendor SqrrlFlagship product Sqrrl Threat Hunting Platform
Price Starting at £19,700.
Innovation A formalised approach to threat hunting.
Greatest strength A solid product built in support of a structured framework for threat hunting.
While this Innovator didn't exactly coin the term “threat hunting,” it certainly has given it form and substance. By developing its Threat Hunting Reference Model, Sqrrl has taken the first step to formalising the threat hunting process. Since it has built its product around this model, it has an excellent start on a commanding place in the market. Many of the Sqrrl team are scientists from NSA so, as one would expect, the technology and data science is sound. The model is unusual in that it has begun to define the threat hunting process and it has come from a relatively unknown – at the time it was introduced – company.
Models such as these generally are viewed as self-serving marketing hype. Having spent much of our time in threat hunting, we can attest that such definitely is not the case here. The model – which includes a maturity model – is solid as a threat hunting framework and it makes a lot of sense to those of us who have been doing the steps in the model for some time.
Sqrrl installs on a Hadoop cluster and can be hardware or cloud-based. This is Sqrrl's second year in our Innovators issue and over that year it has been busy continuing its innovation. The company has added new functionality since last time we looked at it. They have improved their built-in analytics to provide additional observation as to where to take the hunt. And, are continuing to expand on views of adversarial behaviors to determine which users, user accounts, etc., are at risk based on observation.
Further, there is a new focus on workflow. Sqrrl sees hunting as a collaborative activity so it is adding ways for analysts to tag and annotate for other analysts. The developers are spending more time in the DNS space, leveraging DNS for tunneling, command and control, etc. The adversary is using DNS so defenders must understand what they are doing, how to identify their actions and defend against it. This tool is purpose-built for threat hunting.
As the company that is building its future on the concept of threat hunting, our obvious question for them was, “How's this threat hunting thing working for you in the marketplace?” The answer was unequivocal: “Extremely well. Threat hunting is more than indicator search. It includes sophisticated analytics and visualisation. We're beginning to see budgets assigned to hunting.”