NOTE: This is the second part of a three-part series exploring the Security Analytics market.  Read Part 1 and Part 3.

In Part I of this report, we explored the fundamentals of the Security Analytics market and technologies within that market.  In this part, we will delve deeper into those technologies and assess how they work and the importance of threat intelligence to them.  Lastly, we will consider the rapid innovation within this market and explore the concept of Campaigns and how they affect information security.

The Importance of Threat Intelligence

On the Gartner blog recently, esteemed analyst Anton Chuvakin proclaimed that Threat Intelligence (TI) is not signatures.  In his examples, if you are merely getting a list of bad IP addresses, this is not true TI (or security analytics for that matter).

Consider Chuvakin’s comparison of signatures to TI:

  • Signatures (whether NIDS or anti-malware) are meant to match or not match, while TI content is much more multi-purpose and nuanced
  • Signatures are meant to detect (NIDS) or prevent (NIPS, AV), while TI may also be used to triage, qualify, contextualize or simply enlighten and prepare
  • Signatures are only consumed by machines, while humans are known to look at threat intel content.
  • While you can cook NIDS sigs out of TI data, many of the NIDS sigs are descriptive (e.g. match this shellcode), while TI is historical (e.g. this IP was known to be bad to somebody) or, occasionally, predictive (e.g. this email may be used to phish you).

In the early 2000s, there was a similar debate with IDS products.  When deep packet inspection or protocol analysis emerged, signature became a bad word, equated with the static pattern matching of anti-virus products.  Protocol analysis was nuanced and special, while signatures were dumb and flat.

The word signature, in the minds of many customers, is equated with old, outdated, and static technologies.  Marketing people have done a good job devaluing this word, while promoting their own jargon to define their signatures as entirely unique and special.  In reality, everything has signatures, but not all signatures are created equal.

Signature is merely a generic term for the rules that govern how a security control analyzes data (which could be packet data, log data, system behavior, malware behavior, etc.).  TI is data that helps improve the quality of this analysis.  For example, if you know that a particular combination of file hashes is a common tactic for malware distribution, then the system can look for that combination.

As such, TI is really just the information that goes into building a signature.  Chuvakin is correct that TI is not signatures, but TI does lead to signatures.  It is this process of taking TI and transforming it into some action or decision that is at the heart of all SA technologies.  As such, signatures are a defining component of SA.  However, most of the SA companies are loath to use the actual word signature.  Most of them call their “signatures” threat intelligence, which is why the whole issue is so confusing, leading to Chuvakin’s attempt at clarification.

Such is the confounding world of security marketing.  Regardless of what an SA product calls their special sauce, they all consume TI and use it to season their signatures to help better identify threats.
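The TI-to-signature process described above, as an added illustration (not code from the original post or from any product named here): TI records carrying context and confidence are compiled into rules, the rules are applied to log lines, and each hit keeps the TI context an analyst needs to triage it rather than a bare match/no-match.  The TI records, the `src=... dst=... [sha256=...]` log format and the addresses are all constructed for this example; the "lessons-learned" record stands in for intelligence an organization adds itself.

```python
import ipaddress
import re

# Constructed TI records: each carries context (reporter, confidence, what it was seen
# doing), not just a bare indicator. That context is what makes a hit triageable.
THREAT_INTEL = [
    {"indicator": "203.0.113.0/24", "type": "cidr", "source": "peer-isac",
     "confidence": 80, "context": "Java exploit kit landing pages"},
    {"indicator": "198.51.100.7", "type": "ip", "source": "vendor-feed",
     "confidence": 40, "context": "historical: scanner, last seen 60 days ago"},
    {"indicator": "aa" * 32, "type": "sha256", "source": "lessons-learned",
     "confidence": 95, "context": "dropper from our own incident, shared by a peer"},
]

def compile_signatures(ti, alert_threshold=70):
    """Turn TI records into signatures (predicate, action, record); confidence decides alert vs. enrich."""
    sigs = []
    for rec in ti:
        if rec["type"] == "cidr":
            net = ipaddress.ip_network(rec["indicator"])
            pred = lambda ev, net=net: "src" in ev and ipaddress.ip_address(ev["src"]) in net
        elif rec["type"] == "ip":
            pred = lambda ev, ip=rec["indicator"]: ip in (ev.get("src"), ev.get("dst"))
        else:  # sha256 of a transferred file
            pred = lambda ev, h=rec["indicator"]: ev.get("sha256") == h
        action = "alert" if rec["confidence"] >= alert_threshold else "enrich"
        sigs.append((pred, action, rec))
    return sigs

LOG_RE = re.compile(r"src=(\S+) dst=(\S+)(?: sha256=(\S+))?")

def parse_log(line):
    """Parser for the constructed 'src=... dst=... [sha256=...]' log format."""
    m = LOG_RE.search(line)
    return {"src": m.group(1), "dst": m.group(2), "sha256": m.group(3)} if m else {}

def evaluate(lines, sigs):
    """Apply signatures to log lines; return the verdict plus the TI context behind it."""
    results = []
    for line in lines:
        ev = parse_log(line)
        hits = [(action, rec) for pred, action, rec in sigs if pred(ev)]
        verdict = "alert" if any(a == "alert" for a, _ in hits) else "enrich" if hits else "none"
        results.append({"line": line, "verdict": verdict,
                        "context": [f'{r["source"]}: {r["context"]}' for _, r in hits]})
    return results
# Constructed log lines using RFC 5737 documentation addresses.
LOG_LINES = [
    "2014-04-01T10:00:00 src=203.0.113.45 dst=10.0.0.5",
    "2014-04-01T10:00:04 src=198.51.100.7 dst=10.0.0.9",
    "2014-04-01T10:00:09 src=192.0.2.10 dst=10.0.0.9 sha256=" + "aa" * 32,
    "2014-04-01T10:00:12 src=192.0.2.11 dst=10.0.0.9",
]
```

Lowering `alert_threshold` or adding a local record changes what the same log lines produce, which is the "tweak the TI" capability the post asks for later.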

Data Analysis Platforms

Data Analyzers (DA) are a class of security analytic technologies that, in simple terms, consume data and analyze it.  The data they most often consume is either raw network packet capture data or log data from the multitude of sources inside an environment.  Products like BlueCoat Solara and RSA Security Analytics are essentially gigantic data stores of packet and log data, with analytical tools built on top of them.  The idea is that these products can automate the analysis and help you pick through data quicker and with better appreciation for the context of the data.  Furthermore, in an incident response situation, these products can corroborate findings and provide insight into what an attacker actually did.

DA is really just the next generation of SIEM products.  They warehouse data, contextualize it with TI and give you the ability to pick through the data in a more efficient manner than a SIEM.  If you suspect there is an attack, you can log on to a console and go looking at data streams.  Some of them have some very novel tools to follow streams and parse packet data.

The usefulness of these products is entirely dependent upon the team using them and their ability to process the insights these products generate.  DA platforms, like their SIEM relatives, suffer from the same problem: they demand an extremely skilled user to make them useful.  For a large enterprise willing to invest in the effort, products like Solara and RSA SA can greatly enhance security responsiveness.  During an attack, full packet captures are very beneficial to the triage and incident response process.  However, these technologies are extremely limited in how much data they can store.  In practical application, they can only handle a few weeks' worth of storage.  The amount of storage necessary increases significantly if you have a noisy or high-volume network.

The price for these products is extremely steep.  The minimum entry point for a decent-sized RSA SA implementation is in the neighborhood of $250,000.  BlueCoat Solara is less expensive, but still rather pricey.  You also have to put these appliances wherever you want to capture data, which is really expensive for large, geographically diverse networks.

DA products are a nice to have, but still need to mature.  They need to grow into more comprehensive platforms that can fuse intelligence, analysis and reaction into a common framework.  As of now, none of these platforms can really do anything about the attacks they find.  However, this could change when DA products begin to merge with their counterpart, BA products.

Behavior Analysis Platforms

Behavior Analyzers (BAs) are the second class of security analytic products and they encompass a diverse range of network and endpoint products that share one essential feature: they pick apart code looking for malicious behaviors.  BA technologies are a more sophisticated version of anti-virus, application whitelisting or intrusion detection products.

Network-based Behavior Analyzers (NBAs) are sandboxing products.  These products take files from the network and execute those files in virtualized “sandboxes” to detect malware-like behavior.  FireEye and Damballa are the two most well-known companies in this market; however, many UTM/NGFW platforms, such as Fortinet, SourceFire (Cisco) and Palo Alto Networks, have jumped into this market as well.  BlueCoat, which recently acquired Norman Shark, also has this capability.

Host-based Behavior Analyzers (HBAs) are installed locally on individual servers or workstations.  They function much like their NBA siblings, analyzing system-level behavior for malware-like activity.  Cylance, mentioned earlier, is an example of this technology; it has a proprietary mathematical engine that can alert on malware based on file behavior.  CounterTack is another product in this space that has a very promising concept.  They claim to have kernel-level access that can watch system functions in real time, completely invisible to malware.  Essentially, the software is a rootkit that protects the system, which is a very innovative approach (if it works).

NBA products are sexy and expensive, but flawed in their own ways.  There is ample evidence that hackers are designing malware specifically to avoid the detection capabilities of NBA platforms.  Furthermore, none of the NBA solutions have real-time prevention capabilities.  At best, they can alert that a file may contain malware.  This is what makes the integration of NBA into UTM/NGFW products so promising: UTM/NGFWs can not only detect, but also block malware-like activity.

HBAs, on the other hand, are still very new.  There are only a handful of products in this space, such as CounterTack and Cylance (which seem oddly related, with Stuart McClure involved with both companies).  These products monitor host behavior and can, theoretically, react to malware behavior in real time.  They hold great potential for catching APT before it infects a host.

However, HBAs also have the same problem as any host-based software: management overhead.  HBAs are yet another agent running on endpoints which must be deployed, managed, maintained, updated, and tuned.  That is a lot of work, even for a large enterprise.  The burden of management is what doomed host-based IPS, and it will haunt host-based behavior analyzers as well.

The Value of Campaigns

One of the emerging concepts in the SA market is the notion of Campaigns.  A Campaign is a collection of data, intelligence, incidents, events, or attacks that all share some common criteria.  Typically, Campaigns are used to track a common attacker or attack tactic.  The concept of Campaigns comes from military contractors and defense-related responders who use this idea to better catalog and categorize incident data.

Campaigns have the potential to be a very valuable construct and should be on the road map for any SA product.  The concept of Campaigns may solve one of the most daunting problems for security analysts: communicating security to executive leadership.

Big data is hard to comprehend.  It is equally difficult to track and build metrics around.  This infuriates executives who need to know if the investments made in security technologies are delivering any value to the organization.  The inability to communicate security concepts to management is one of the most common complaints about SIEM products.

When complex data can be categorized or stratified in some manner, it becomes easier to understand and manipulate.  Our brains work this way.  We categorize, sort, and connect information together to make it more comprehensible.

The Campaign construct provides a mechanism that can govern the communication of security information.  When attacks, breaches, and events are put into the context of a campaign that shares common criteria, the whole construct is easier to understand.  Campaigns also provide a point where metrics can be anchored.

For example, say your SA platform detects a series of attacks from a foreign country using a pattern of Java exploits.  You then see a new round of attacks a few days later against Windows servers from the same range of foreign IP addresses, and then again a few days later some additional attempts using Cisco vulnerabilities.  In time, you could coalesce these events into a single Campaign, give it a name, then track events that conform to the criteria of this Campaign.  When you explain this to management, you can show how you are tracking a campaign from XYZ country against your network and show what little success they are having.  This is the kind of intelligence an executive can understand and appreciate.
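The scenario above worked through in code, as an added example that is not from the original post or any vendor's product: events are bucketed into a named Campaign by a shared criterion (here the source address range), and the metrics management cares about (attempts, waves, how many got through) are anchored on that Campaign.  The events, the campaign name and the addresses are constructed; 203.0.113.0/24 is documentation space standing in for "XYZ country".

```python
import ipaddress
from collections import defaultdict

# Constructed events modelled on the scenario above: three waves from one foreign
# address range (203.0.113.0/24, documentation space, stands in for "XYZ country").
EVENTS = [
    {"ts": "2014-03-01", "src": "203.0.113.8", "target": "web-server", "technique": "java-exploit", "blocked": True},
    {"ts": "2014-03-01", "src": "203.0.113.9", "target": "web-server", "technique": "java-exploit", "blocked": True},
    {"ts": "2014-03-04", "src": "203.0.113.20", "target": "windows-server", "technique": "smb-exploit", "blocked": True},
    {"ts": "2014-03-04", "src": "203.0.113.20", "target": "windows-server", "technique": "smb-exploit", "blocked": False},
    {"ts": "2014-03-08", "src": "203.0.113.31", "target": "cisco-router", "technique": "ios-exploit", "blocked": True},
    {"ts": "2014-03-08", "src": "192.0.2.77", "target": "web-server", "technique": "sqli", "blocked": True},
]

# A Campaign is defined by its shared criteria; here the criterion is the source range.
CAMPAIGNS = [{"name": "XYZ-2014-A", "source_net": ipaddress.ip_network("203.0.113.0/24")}]

def assign(events, campaigns):
    """Bucket events by the first campaign whose criteria they meet, else 'uncategorized'."""
    buckets = defaultdict(list)
    for ev in events:
        src = ipaddress.ip_address(ev["src"])
        name = next((c["name"] for c in campaigns if src in c["source_net"]), "uncategorized")
        buckets[name].append(ev)
    return dict(buckets)

def metrics(events):
    """Metrics anchored on one campaign: the numbers an executive summary is built from."""
    dates = sorted({ev["ts"] for ev in events})
    blocked = sum(ev["blocked"] for ev in events)
    return {
        "attempts": len(events),
        "succeeded": len(events) - blocked,
        "block_rate": round(blocked / len(events), 2),
        "first_seen": dates[0], "last_seen": dates[-1],
        "waves": len(dates),  # distinct days of activity
        "techniques": sorted({ev["technique"] for ev in events}),
        "targets": sorted({ev["target"] for ev in events}),
    }

def report(events, campaigns):
    """Per-campaign metrics for every bucket, including what is still uncategorized."""
    return {name: metrics(evs) for name, evs in assign(events, campaigns).items()}

def summary(name, m):
    """One line per campaign, in the terms management asks about."""
    return (f"{name}: {m['attempts']} attempts in {m['waves']} waves ({m['first_seen']} to {m['last_seen']}), "
            f"{m['succeeded']} succeeded, techniques: {', '.join(m['techniques'])}")
```

Events left in the `uncategorized` bucket are the candidates for the next Campaign to be coalesced and named.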

When evaluating SA products, see how the product can handle the concept of a Campaign.  Different vendors may use different words to embody this concept, but it can be greatly beneficial.

Crowd-Sourcing & Lessons Learned

Another critical feature that SA products need is the ability to tweak the TI through user input.  This user input can come from crowd-sourced information or lessons learned.

The information security community has, for years, tried to encourage organizations to share and collaborate.  While there are still significant barriers from privacy and intellectual rights protection that cause companies to reject security collaboration, collaboration holds the best potential to prevent the spread of new attack tactics.  When a new APT is discovered, the more intelligence that is shared, the less useful that APT is to the attacker.  There is a point where any attack tactic becomes virtually useless, since so many security controls are aware of it and can defend against it.

For example, while collaborating with an industry peer, a bank learns that a group of attackers has stolen code to a vital financial platform.  Both organizations could use that intelligence to tweak their SA platform to monitor specifically for events that indicate exploitation of that code.  The ability to modify the TI for this intelligence makes the entire SA platform infinitely more valuable.

Unsurprisingly, SA manufacturers are resistant to implementing collaboration abilities because they are a threat to sales.  Companies like Mandiant make their living on the premise that they possess unique intelligence that allows them to identify APT better than anybody else.  Helping their customers share that intelligence would devalue their competitive edge.  When they do share intelligence, it is because other firms have uncovered the intelligence as well.  Consequently, their intelligence has lost value, thus sharing it is no longer a threat to sales.  FireEye also uses this premise, which is why those two companies fit so nicely together.  They both share the love of not sharing.

Sharing increases the value of an SA platform immensely (to the buyer).  SA buyers should demand sharing and collaboration features, even if they are not sure about using them.  Furthermore, SA buyers should be wary of companies who hoard intelligence and use that hoarding to promote their value.

The Future of Security Analytics

While it is true that the security analytics market is the next big thing for IT Security, it is still rather immature.  There is a lot of hype and promise, but there is equally a lot of FUD.  The value of these technologies is promising and anybody considering SA should do so with a complete appreciation for where it is going and what it can and cannot do.

The clearest trend we can expect over the next few years is the merging of DA and BA into a common platform.  At this time only BlueCoat Solara has an offering that approaches a merged DA/BA product.  They have a solid DA product with Solara, and their purchase of Norman Shark adds a solid BA platform.  Now they just need to bring it all together into something useful.  BlueCoat is at the brink of a renaissance and could be a very potent player in this market.  RSA, FireEye, and the rest are nowhere near a unified DA/BA platform.

Behavior Analyzers need better intelligence to make them useful.  This is why FireEye’s acquisition of Mandiant is significant.  Mandiant has a lot of special intelligence, which could make the FireEye detection engine more valuable.  That is if these two bright, shining stars do not let their overinflated valuations and egos go to their heads.

It is a foregone conclusion that anti-virus vendors need to do something to make their products competitive again.  Host-based BA products, like Cylance and CounterTack, if they can make a name for themselves, are ripe for acquisition by Symantec, McAfee, Trend or other AV vendors.  However, these HBA players have a tough sell to enterprise customers.  Another agent on the desktop is the kiss of death in most proof-of-concept evaluations.

UTM/NGFW players are also moving into the network behavior analysis space, and that is good.  Both Fortinet and Palo Alto Networks now have sandboxing add-ons for their appliances.  SourceFire/Cisco, Juniper, and CheckPoint will undoubtedly be releasing similar technologies (if they have not already).  BA features on a UTM/NGFW make perfect sense.  It is a logical deployment point and is less expensive and intrusive than stand-alone sandboxers like FireEye and Damballa.

The recent NSS report on APT detection tools has also shaken up this market rather significantly.  In April 2014, NSS Labs conducted tests against FireAmp, FireEye, Fortinet, TrendMicro, AhnLabs and Fidelis platforms.  (NSS Labs calls these products “Malware Detection Systems”.)  The results of this test sent shockwaves through the market.  FireAmp, Fidelis, Fortinet, and TrendMicro all emerged as rather clear leaders with detection rates in the high 90% range.  FireEye scored very poorly, which led FireEye to issue scathing attacks on NSS Labs, which NSS Labs smartly rebuffed.  This test could be the beginning of the end of FireEye’s darling status in the industry.  After two years of unrestrained growth, FireEye was, for the first time, on the defensive.  Couple that with their association with the Target breach (even though FireEye was not to blame), and FireEye has lost a lot of the luster they had.  Their stock price has also taken a serious hit.

Lastly, as mentioned earlier, all SA products should have campaigns and intelligence collaboration as part of their road maps.

The SA market has plenty of room for innovation.  Cylance and CounterTack are good examples of innovative ideas that have a lot of potential.

Stay Tuned for Part III of this series, Security Analytics III: Selecting a Security Analytics Platform

Anitian – Intelligent Information Security. For more information please visit