IT security startups are bringing technologies such as Big Data, predictive analytics and machine learning to the front lines of the cyber war. While most security analytics tools are marketed as adjuncts to existing security infrastructure, that could change as organizations explore their options and test drive these new tools.
So far, reports are impressive. According to Enterprise Management Associates (EMA), 100 percent of organizations that deployed only security analytics saw fewer false alerts or more actionable alerts, compared to 60 percent of organizations that deployed traditional SIEM tools.
While each security analytics solution varies slightly by what it brings to the table, EMA broadly places these tools into one of three forms: anomaly detection, user behavior analytics and predictive analytics — or some combination of the three.
To help you sort your options, here are seven new security analytics solutions.
7 Hot Security Analytics Startups
Novetta Cyber Analytics: Helps Security Analysts Query Raw Packet Capture Data
Novetta developed its cyber analytics for the U.S. Department of Defense, which needed a faster way to identify and stop network threats, including APTs (advanced persistent threats). The tool lets analysts query raw packet capture data at petabyte scale in seconds rather than days, according to the company.
• Built-in tagging so analysts can share their thoughts on network activity
• Open APIs to connect with your current security infrastructure and workflows
• Includes more than 100 pre-built analytical queries
Implementation: Novetta supplements existing security tools, using its open API to pull data from current SIEM, ID and other security solutions. It runs on-premises on commodity hardware.
Use Case Brag: Before adopting Novetta Cyber Analytics, DoD analysts could handle only four or five incidents per shift; afterward each analyst handles 30 times as many incidents per shift, according to Novetta’s DoD case study.
Niara Security Intelligence: Behavioral Analytics Detects Internal Attacks
Niara’s behavioral analytics platform is built on Cloudera’s Hadoop distribution and ingests data from any source, including your existing security tools and your network and DNS traffic. Niara uses machine learning to detect behavioral changes that indicate an advanced attack operating from inside the network.
• Niara’s Entity360 builds an activity profile for each network “entity”, including hosts, IP addresses and users
• Retains historical information
• Behavioral analytics modules can be customized
Implementation: Niara can run as a standalone product, or its open APIs can be used to analyze data from your current security infrastructure. It can be deployed in the cloud or on-premises.
Use Case Brag: A leading energy company deployed Niara to protect its technology for carbon-free power generation.
Cytegic: Executive Analytics Tool for Compliance and Planning
Rather than addressing immediate security threats, Cytegic focuses on the big picture. It’s essentially a set of three executive dashboards that let CISOs and other senior security leaders analyze external threat trends that might affect the network and assess their own security posture.
Cytegic’s solution includes three specific analytics modules:
• Dynamic Trend Analysis uses external threat data from open online sources and cyber feeds to create actionable cyber forecasts.
• The Cyber Maturity Assessment uses aggregate data and data from your own security controls to measure your controls against industry best practices collected from a variety of industry sources and regulations, including NIST, ISACA, PCI DSS, and ISO 27001. It then rates your cyber security maturity level and offers recommendations for improvements.
• The Cybersecurity Decision Support System dashboard evaluates your real-time security readiness and lets you run “what if” scenarios against your security controls.
Implementation: Cytegic runs on-premises alongside existing cyber security solutions.
Use Case Brag: A bank CISO used the Cybersecurity Decision Support System to identify configuration and deployment problems with the organization’s security controls, then used its recommendations to build a prioritized work plan and secure funding without an expensive security audit. The compliance issues were resolved within three months.
Sumo Logic: Security Analytics-as-a-Service
Sumo Logic began as a cloud-native log management and analytics service that used machine learning; in 2014 it added security monitoring. It applies machine learning and predictive analytics to surface unknown security issues and generate actionable alerts. Its dashboards and reporting tools let security analysts drill down on correlated events and individual attacks for forensics. Through a partnership with Anomali announced earlier this year, the tool ingests machine-readable threat intelligence.
• Monitors Amazon Web Services, Microsoft Office 365, Salesforce.com and Google Apps
• Supports cloud-based data sources such as AWS CloudTrail and Akamai Cloud Monitor, and on-premises sources such as Cisco ASA, Sourcefire, Snort, OSSEC and Hyperguard
• Recently secured CSA STAR certification by the Cloud Security Alliance
• Holds ISO 27001, PCI DSS, HIPAA-HITECH and SOC 2 Type 2 attestations
Implementation: Built on top of AWS infrastructure, Sumo Logic runs in the cloud.
Use Case Brag: Sumo Logic lets IT monitor user access and configuration changes across AWS and on-premises workloads, so it is used to generate an audit trail for security and regulatory compliance. More than 700 customers have deployed Sumo Logic.
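The audit-trail use case above (watch user access and configuration changes in CloudTrail, enrich with machine-readable threat intelligence) is easy to picture in code. The following is an added example written for this article, not Sumo Logic's own product code: it scans constructed CloudTrail-style records for posture-changing API calls, flags security-group rules opened to the whole Internet, and matches the caller's source address against a hypothetical indicator set. The event names are real CloudTrail event names; the indicator feed, the user names and the records themselves are made up.

```python
"""Added example: a minimal CloudTrail audit-trail analyzer with threat-intel matching.
Illustrative code written for this article, not Sumo Logic's product code.
The indicator set and the CloudTrail records below are constructed sample data."""
from collections import Counter

# Constructed indicator feed (hypothetical). Real feeds arrive as STIX/TAXII or CSV;
# only an IPv4 set is used here. 198.51.100.0/24 is a documentation range.
THREAT_INTEL = {"ipv4": {"198.51.100.23"}}

# CloudTrail event names that change the account's security posture when they succeed.
SENSITIVE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "PutBucketPolicy", "AttachUserPolicy",
    "CreateAccessKey", "StopLogging", "DeleteTrail",
}

# Constructed CloudTrail-style records; field names follow the CloudTrail schema, values are fake.
SAMPLE_EVENTS = [
    {"eventTime": "2016-03-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2016-03-01T10:02:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-03-01T10:05:00Z", "eventName": "StopLogging",
     "userIdentity": {"userName": "svc-deploy"}, "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2016-03-01T10:06:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "svc-deploy"}, "sourceIPAddress": "198.51.100.23"},
]


def world_open_ingress(event):
    """True when a security-group ingress rule is opened to the whole Internet (v4 or v6)."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(
        rng.get("cidrIp") in ("0.0.0.0/0", "::/0")
        for perm in perms
        for rng in perm.get("ipRanges", {}).get("items", [])
    )


def analyze(events, intel=THREAT_INTEL):
    """Return one alert per record that trips at least one rule; every reason is listed."""
    alerts = []
    for ev in events:
        reasons = []
        if ev.get("eventName") in SENSITIVE_EVENTS:
            reasons.append("sensitive-config-change")
        if world_open_ingress(ev):
            reasons.append("world-open-ingress")
        if ev.get("sourceIPAddress") in intel["ipv4"]:
            reasons.append("threat-intel-ip-match")
        if reasons:
            alerts.append({
                "time": ev["eventTime"],
                "user": ev.get("userIdentity", {}).get("userName"),
                "event": ev.get("eventName"),
                "source_ip": ev.get("sourceIPAddress"),
                "reasons": reasons,
                # Two independent signals on one record (e.g. logging disabled from a
                # known-bad address) is the case worth paging on.
                "severity": "high" if len(reasons) > 1 else "medium",
            })
    return alerts


def reason_counts(alerts):
    """Summarize why alerts fired; useful for judging the false-positive load of each rule."""
    return Counter(r for a in alerts for r in a["reasons"])


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(reason_counts(found))
```

Note that a `DescribeInstances` call from a trusted address produces nothing, while the `StopLogging` call from the indicator-listed address is rated high because two independent signals coincide; that coincidence, rather than either rule alone, is what keeps the alert volume tolerable.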
Kentik: Big Data Analytics Platform for Network Traffic
Kentik (formerly CloudHelix) is another cloud-based Big Data platform adapted for security, designed to run fast queries on raw network traffic flows. Kentik Detect collects full-resolution network data (NetFlow, SNMP, BGP) and sends it to the cloud, where the raw data is retained for at least 90 days. Network operations staff then use the Kentik Data Engine for real-time analysis, including anomaly detection, forensic reports and infrastructure optimization.
• No limit on devices that can be configured to send data to Kentik Detect
• Can run analysis on billions of rows of network data and handle terabit-scale data flows
• Detects DDoS attacks
• Can encrypt data in transit
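To make the "fast queries on raw flows" and "detects DDoS attacks" claims concrete, here is an added example written for this article, not Kentik's Data Engine: it buckets NetFlow-style records into per-minute, per-destination rows (the table a flow query engine would scan) and flags a window whose packet rate jumps far above the trailing baseline for that destination while arriving from many sources. The flow records are constructed, the thresholds are illustrative, and the record layout (timestamp, addresses, protocol, port, packet and byte counters, TCP flags) is the subset of NetFlow v5/v9 fields the check needs.

```python
"""Added example: per-minute, per-destination aggregation of NetFlow-style records with a
volumetric DDoS check against a trailing baseline. Illustrative code written for this
article, not Kentik's Data Engine. The flow records are constructed sample data."""
from collections import defaultdict
from statistics import median

WINDOW = 60  # seconds per aggregation bucket


def make_sample_flows():
    """Constructed flows: five quiet minutes of HTTPS sessions, then a SYN flood in minute six."""
    flows = []
    for minute in range(5):
        for i in range(5):  # five steady clients, ~1000 full-size packets a minute each
            flows.append({"ts": minute * WINDOW + i, "src": f"198.51.100.{i}",
                          "dst": "203.0.113.10", "proto": 6, "dport": 443,
                          "packets": 1000, "bytes": 800_000, "flags": "PA"})
    for i in range(200):  # 200 sources, SYN-only, 60-byte packets: a classic flood profile
        flows.append({"ts": 5 * WINDOW + (i % WINDOW), "src": f"192.0.2.{i}",
                      "dst": "203.0.113.10", "proto": 6, "dport": 443,
                      "packets": 400, "bytes": 24_000, "flags": "S"})
    return flows


def aggregate(flows):
    """Bucket flows into (window_start, dst) rows carrying the counters the detector needs."""
    rows = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set(), "syn_only": 0})
    for f in flows:
        row = rows[((f["ts"] // WINDOW) * WINDOW, f["dst"])]
        row["packets"] += f["packets"]
        row["bytes"] += f["bytes"]
        row["sources"].add(f["src"])
        if f["proto"] == 6 and f["flags"] == "S":
            row["syn_only"] += f["packets"]
    return rows


def detect_ddos(flows, ratio=5.0, min_pps=500.0, min_sources=50, history=3):
    """Flag a window whose packet rate exceeds both an absolute floor and `ratio` times the
    median of the previous `history` windows for that destination, from many distinct sources."""
    by_dst = defaultdict(list)
    for (start, dst), row in aggregate(flows).items():
        by_dst[dst].append((start, row))
    alerts = []
    for dst, series in by_dst.items():
        series.sort(key=lambda t: t[0])
        for idx, (start, row) in enumerate(series):
            prior = [r["packets"] / WINDOW for _, r in series[max(0, idx - history):idx]]
            if not prior:
                continue  # no baseline yet for this destination
            pps = row["packets"] / WINDOW
            baseline = median(prior)
            if pps >= min_pps and pps >= ratio * baseline and len(row["sources"]) >= min_sources:
                alerts.append({
                    "dst": dst, "window": start, "pps": pps, "baseline_pps": baseline,
                    "bps": row["bytes"] * 8 / WINDOW, "sources": len(row["sources"]),
                    # Reported so an analyst can tell a flood from a flash crowd.
                    "avg_pkt_bytes": row["bytes"] / row["packets"],
                    "syn_fraction": row["syn_only"] / row["packets"],
                })
    return alerts


if __name__ == "__main__":
    for a in detect_ddos(make_sample_flows()):
        print(a)
```

The rate test alone cannot distinguish a SYN flood from a legitimate surge of many real users, which is why the alert carries the average packet size and the SYN-only fraction: 60-byte SYN-only traffic from hundreds of sources is a flood, while full-size packets on established sessions are probably a flash crowd.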
Implementation: Kentik is primarily offered as a cloud service, though it can be provisioned to run on a private cluster within a customer’s data center.
Use Case Brag: Yelp uses Kentik for real-time insight into its multi-gigabit-per-second traffic, according to Cloud Computing Today. The same publication reports that Box.com uses Kentik to run geography-specific analysis of network traffic and respond to problems before they escalate.
Panaseer: Security Data Lake with Reporting Tools
Panaseer targets the executive suite with strategic metrics and visualization tools that let you explore how well your security infrastructure is protecting the enterprise. Its security analytics model uses raw data from your network and incorporates external data to produce an assessment of your infrastructure that you can literally take to the board. It includes visualizations such as entity relationships, time series, scatter graphs and box plots.
• Platform includes Panaseer Security Data Lake so you can store your network’s raw data
• Automatic enrichment of data around potential security events, from both internal data and external reference threat data from sources such as WHOIS records and Alexa
• Ability to create your own automations as runbooks or macros
Implementation: Panaseer is deployed on-premises and built on Hadoop, with Apache Spark as the processing engine. The company is working on a cloud-based option.
Use Case Brag: Panaseer CEO Nik Whitfield was among the leading UK cyber security innovators who joined UK Prime Minister David Cameron in Washington, D.C., where they discussed cyber security with counterparts from U.S. government and industry. Panaseer is quiet about its clients, but its site notes that the company has several major UK financial services customers and clients in New York City. The company cites running “what if” attack scenarios as one possible use case.
TaaSERA: Security Analytics Based on Stanford Research Institute Research
Research funded by the U.S. Army and conducted at SRI International (formerly the Stanford Research Institute) underpins TaaSERA’s AWARE family of security analytics products. The company spent five years working with SRI International to develop its patented technology. TaaSERA’s behavioral analytics learn your network and identify trends over time. That reduces false positives; it also builds an evidence chain and provides real-time alerts when an attack launches from within your network, before data is stolen.
• Identifies internal malware attacks (e.g., APTs) after launch but before data is stolen
• Uncovers evidence of well-designed attacks that “hide their tracks”
• Includes a console for tuning the score threshold at which model output generates alerts
• Integrates with existing security tools
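Two of the products above, Niara's Entity360 and TaaSERA's alert console, rest on the same idea: keep a per-entity history, score today's activity by how far it departs from that history, and let the operator choose the score at which an alert fires. The following added example, written for this article and not the code of either vendor, shows that loop end to end: a constructed 14-day history for two users, a robust (median/MAD) z-score per feature, and a `alerts_at` function standing in for the threshold console. The feature names, the sigma floors and the two users' records are assumptions for illustration.

```python
"""Added example: per-entity behavioral baselining with a tunable alert threshold.
Illustrative code written for this article, not Niara's Entity360 or TaaSERA's console.
Feature names, the history length and the two users' records are constructed sample data."""
from statistics import median

FEATURES = ("logins", "distinct_hosts", "bytes_out_mb", "off_hours_logins")
# Smallest spread we are willing to divide by; stops a perfectly steady history
# (e.g. zero off-hours logins for two weeks) from turning any change into infinity.
SIGMA_FLOOR = {"logins": 1.0, "distinct_hosts": 1.0, "bytes_out_mb": 5.0, "off_hours_logins": 1.0}


def make_history(days=14):
    """Constructed per-entity activity history; the retained history is the baseline."""
    hist = {"alice": [], "bob": []}
    for d in range(days):
        base = {"logins": 10 + d % 3, "distinct_hosts": 3 + d % 2,
                "bytes_out_mb": 50 + 5 * (d % 4), "off_hours_logins": 0}
        hist["alice"].append(dict(base))
        hist["bob"].append(dict(base))
    return hist


TODAY = {  # constructed observations for the current day
    "alice": {"logins": 11, "distinct_hosts": 4, "bytes_out_mb": 55, "off_hours_logins": 0},
    "bob":   {"logins": 12, "distinct_hosts": 40, "bytes_out_mb": 2000, "off_hours_logins": 5},
}


def robust_z(values, x, floor):
    """|x - median| / (1.4826 * MAD), with a floor so a constant history cannot divide by zero.
    Median/MAD rather than mean/stdev so one earlier bad day does not inflate the baseline."""
    m = median(values)
    mad = median(abs(v - m) for v in values)
    sigma = max(1.4826 * mad, floor)
    return abs(x - m) / sigma


def score_entity(history, today, floors=SIGMA_FLOOR):
    """Return (score, per-feature z); the score is the largest deviation across features."""
    zs = {f: robust_z([row[f] for row in history], today[f], floors[f]) for f in FEATURES}
    return max(zs.values()), zs


def alerts_at(history, today, threshold):
    """The 'threshold console': which entities alert at a given score cut-off."""
    return sorted(e for e in today if score_entity(history[e], today[e])[0] >= threshold)


if __name__ == "__main__":
    hist = make_history()
    for entity in TODAY:
        score, zs = score_entity(hist[entity], TODAY[entity])
        print(entity, round(score, 2), {k: round(v, 2) for k, v in zs.items()})
    for t in (0.5, 3.0, 300.0):
        print("threshold", t, "alerts", alerts_at(hist, TODAY, t))
```

Alice's day sits within her normal range (score 0.5), while Bob's 40 distinct hosts, 2 GB outbound and five off-hours logins each score far above it. Sweeping the threshold shows the trade-off the console exposes: at 0.5 both users alert, at 3.0 only Bob does, and the per-feature z values are the evidence chain that tells the analyst which behaviors drove the score.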
Implementation: TaaSERA offers three appliances, sized for commercial enterprises, mid-size enterprises and academic cyber security research. Its NetTrust product uses network sensors deployed as physical or virtual (software) appliances.
Use Case Brag: Installed at a regional health care provider, TaaSERA’s NetTrust detected within minutes malware attacks that had previously gone undetected, including attacks from overseas on a customer database containing protected health information. The provider resolved the attacks and now uses TaaSERA to maintain compliance with HIPAA Meaningful Use requirements (42 CFR Part 495 and 45 CFR Parts 164 and 170).