SurfWatch Threat Analyst
Strengths: Very granular, user configurable screens targeting business users rather than cyber techs.
Weaknesses: A costly solution to the intelligence gathering and analysis problem. Also, we would like to see less complicated deep configuration (the screen setup, which is nicely done, is the exception). The lack of any ability to integrate third-party feeds is a drawback, even given SurfWatch's strong intelligence gathering.
Verdict: In a sensitive environment – such as a financial institution that can afford the resource – this is a very solid contender. There is a whole lot to like about it and it may be one of the most powerful tools on the market.
SurfWatch Threat Analyst collects, deconflicts/normalises and evaluates structured and unstructured threat data from a wide range of open and restricted sources. These sources can include such things as social media, news, blogs, phishing data feeds, threat and vulnerability data feeds, Dark Web markets, forums and paste sites, and data breach reports. Much of these data are unstructured and, especially in the case of the Dark Web, these feeds are critically important threat intelligence.
Once the data are collected and processed initially, they are used to create CyberFacts. These become the basic building blocks of the system. CyberFacts are enriched by SurfWatch analysts and developed into reports. We were impressed that the company gathers much of its intelligence in the forums and underground markets by embedding live analysts in the Dark Web rather than using screen scraping only. Because they follow a model of business intelligence gathering and reporting rather than staying too close to the cyber world they are able to make their information consumable by lay people rather than simply restricting it to technologists.
The screen layouts were especially interesting because they can be set up by users with simple drag-and-drop configuration. On our screen, we saw intelligence team alerts, watch list alerts, alerts that drill down to full reports, general news of cyber-intelligence interest and CyberFact alerts. In the intelligence team alerts, for example, we saw that a cancer centre had suffered an attack by an actor called DarkOverlord. In our CyberFact alerts, we saw that one of our watchers – rig exploit kit – was matched against a new CyberFact.
The company has over a million CyberFacts collected, analysed and reported on over a three-year period. We found that interesting, but we were impressed when we found out that they do not consume any third-party threat feeds. Typically, we find that there are consumers and providers of threat feeds. In this case SurfWatch is both a provider and a consumer, but it is the only consumer of their CyberFacts, so we really can't think of this as a third-party threat feed.
You can integrate with third-party systems through the company's API. Threat data and derived intelligence are available either through real-time delivery via HTTP POST or by querying the API up to 100 times per minute. Data are in JSON format and can also be delivered in STIX/TAXII formats. The API allows integration with SIEMs and other security tools, so a direct low-level interface is not necessary.
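As an added example (not SurfWatch's own code; the CyberFact field names and the sample feed are constructed assumptions), here is the consumer side of such an integration: a client-side limiter that keeps a polling job within the 100-queries-per-minute ceiling, and a watch list check that raises an alert when a configured watcher such as "rig exploit kit" appears in a newly delivered JSON CyberFact.

```python
import json
import time
from collections import deque

# Constructed sample of JSON CyberFacts; the field names are an assumption,
# not SurfWatch's real schema.
SAMPLE_FEED = json.dumps([
    {"id": "cf-1001", "summary": "Cancer centre breached by actor DarkOverlord", "tags": ["healthcare", "data breach"]},
    {"id": "cf-1002", "summary": "New landing page seen for RIG exploit kit", "tags": ["exploit kit", "malvertising"]},
    {"id": "cf-1003", "summary": "Retail phishing campaign impersonates a bank", "tags": ["phishing"]},
])

# Watchers as a user would configure them on the dashboard (constructed).
WATCHERS = ["rig exploit kit", "darkoverlord"]


class QueryRateLimiter:
    """Sliding-window limiter enforcing the documented 100 queries per minute."""

    def __init__(self, limit=100, window_seconds=60.0):
        self.limit = limit
        self.window = window_seconds
        self.sent = deque()  # timestamps of queries still inside the window

    def allow(self, now):
        # Discard timestamps that have aged out of the window, then decide.
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) >= self.limit:
            return False
        self.sent.append(now)
        return True


def match_watchers(feed_json, watchers):
    """Return (watcher, CyberFact id) pairs where a watcher appears in a fact."""
    hits = []
    for fact in json.loads(feed_json):
        haystack = (fact["summary"] + " " + " ".join(fact["tags"])).lower()
        for watcher in watchers:
            if watcher.lower() in haystack:
                hits.append((watcher, fact["id"]))
    return hits


if __name__ == "__main__":
    limiter = QueryRateLimiter()
    if limiter.allow(time.time()):  # only poll when the budget allows
        for watcher, fact_id in match_watchers(SAMPLE_FEED, WATCHERS):
            print(f"watch list alert: '{watcher}' matched CyberFact {fact_id}")
```

In a real deployment the feed string would come from the API response, and a denied `allow()` call should sleep until the oldest timestamp leaves the window rather than retry immediately.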
Because the screens can be set up with dashboards and widgets, there is, as one might imagine, a lot of setup required. Additionally, monthly risk reports are created by SurfWatch analysts, as well as custom reports addressing a particular issue at customer request. All of this equates to manual work and while it is a critical path to a secure enterprise, it also is costly. This is an issue that we see frequently with this type of product. The more the tool depends on human analysts, the more you can expect to pay for it. The problem is that there is no good way to get past the human issue. Human analysts are critical in most cases to collect and analyse sensitive data, such as the goings-on in an underground marketplace.
The website is solid with lots of documentation to help you evaluate the product and to help you after you sign up. There is a customer portal as well; this is how you access your account in the cloud. Support is a no-extra-cost offering that is available eight hours a day, five days a week, and there are a couple of custom levels as well. While there is access from the website, we liked the feature that lets you "Ask the Analyst" right from the dashboard of the product. In our view, for a cloud-based product where you are already online in the portal when you have a question, this makes the most sense. Complicated questions can be handled this way using screen sharing.