Startup analyzes behavior to stop malware threats

12.04.2016
Startup Seceon has joined a growing number of firms focused on quickly analyzing behaviors on corporate networks to identify and prioritize threats that ought to be dealt with, cutting down on the manual work required to spot and stop attacks.

In addition to identifying intrusions, the company’s Open Threat Management (OTM) platform can also automatically block suspect behaviors using scripts to other devices on the network.

The company competes against a number of others including Damballa, LightCyber and Vectra as well as vendors with broader portfolios such as Carbon Black, Black Ensilo, Fireeye, Guidance, Promisec, Resolution1 Security, and Tanium.

Unlike some of these OTM supports automatic responses to block identified threats.

The platform consists of a server that gathers traffic flow information from network devices but also Active Directory information, DNS, DHCP, other security gear such as firewalls and SEIMs and deduplicated threat intelligence from 60 third-party suppliers.

Its analytic engine sorts through the data using behavior-based threat modeling that is informed by machine learning. It’s looking for evidence of malicious behavior such as scanning machine-to-machine or a set of credentials being used from multiple machines and different locations.

The output reduces the number of alerts that analysts need to sort through by several orders of magnitude, says. An enterprise might wind up getting five to 10 per day.

Analyzing data from a wide range of sources and distilling the results greatly reduces the urgent workload of analysts, says David Monahan, an analyst at Enterprise Management Associates. As a result OTM can become a force multiplier, he says, enabling a smaller staff to provide better coverage by focusing their efforts. It might even free up people to do more big-picture work, he says.

The company claims more than 31 customers in the process of deploying OTM and a dozen running it live. One of those is SeaChange, a video-delivery service provider whose director of IT, Jim Godschall, says the platform helps sort through log data used to detect threats more quickly than live security analysts could.

The systems he had in place generate a lot of data and “We get a lot of logs and a lot of alerts,” he says. OTM helps answer the question, “How do we find the recurring onesy-twosy events that we would never see” he says.

He says the platform helps stretch the capabilities of his limited IT staff by reducing the number of alerts that have to be checked out manually.

Godschall says in the months it’s been in place OTM hasn’t found threats, but has been useful. For example, a firewall was dropping traffic from one of the company’s labs every day about the same time as it tried to hit a certain IP address. “It turned out to be a misconfiguration but it could have been malware,” he says.

The company hasn’t tapped into the platform’s enforcement capability where it can block malicious behavior. He’s taking a conservative approach and checking out alerts with security analysts and manually remediating. “I’m always thinking about the maturity curve,” of new products, he says, and wants to wait to verify how accurate the Seceon platform is before he decides to use auto–response. “Once I’m satisfied, the answer is yes.”

OTM uses machine learning and data analytics to find attacks and to learn what’s normal and what activity indicates attacks, says Chandra Pandey, Seceon’s CEO.

The platform includes a library of scripts of commands via APIs to various vendors' gear to intervene when an intrusion is detected. It’s a finite list of devices, but the company has started with the major vendors in each category so the scripts are as widely useful as possible.

So firewalls could block threatening connections or users that seem involved in suspicious activities could be forced to reauthenticate and have their permissions reduced via Active Directory.

Seceon was founded in January 2015 to develop a threat detection and management platform to find attacks not picked up by SIEMS, IDSs and firewalls, says Gary Southwell, the company’s CSO.

Pricing can be based on numbers of machines at $50 per month for critical assets, $500 per month for core networking devices, with discounts for volume. Or customers can pay a flat $100,000 per year for a single server instance handling as many devices as the customer wants to include.

The company is privately funded.

Pandey and Southwell have worked together for 16 years, starting at optical Ethernet vendor Internet Photonics (bought by Ciena in 2004), Juniper Networks and BTI Systems.

(www.networkworld.com)

Tim Greene

Zur Startseite