Sqrrl Selected as Distinguished Vendor in Security Analytics by TAG Cyber

Sqrrl Selected as Distinguished Vendor in Security Analytics by TAG Cyber

Edward Amoroso (formed CISO at AT&T) published his first annual report on critical security controls, and Sqrrl was selected as the only distinguished vendor in the Security Analytics space. You can download the full report here.

An excerpt of the report is below.

Security Analytics Providers

The security analytics vendors selected for this category have all demonstrated a commitment to providing advanced platforms and tools to mine large sets of collected data for evidence of cyber attacks or vulnerabilities. Unlike network security analysis or intrusion detection, the vendors listed below are more focused on the mining of large collected data sets in frameworks such as Hadoop. It is not uncommon for many of the vendors listed below to find their products operating in parallel with a competing offer on the same collected enterprise data. CISO teams reviewing the lists below should include vendors in the SIEM, IPS, and Network Monitoring sections of this report, since so many similarities exist between the various disciplines – enough so, that some analysts choose to combine the three categories into one “security analytics” grouping.

Security Annual Distinguished Security Analytics Providers

Sqrrl – I’ve been familiar with the Sqrrl team for some time, having followed the progress of principals Adam Fuchs and Ely Kahn as they made the transition from National Security in Washington to Silicon Valley start-up. Technical discussions with Adam and Ely during the past few months were especially helpful to me in sorting out, and better understanding this complex area of enterprise cyber security. The simplicity and power of the Sqrrl toolset in assisting the analyst/hunter helped me to focus on the salient aspects of security analytics for enterprise security. Thanks to members of the Sqrrl team for their fine support of this research.

Security Analytics Overview

Analytic Components – Security analytics involves data ingest, processing, and analysis to derive actionable intelligence – similar to Big Data Analytics.

Improved Methods – Techniques and methods for security analytics have become more effective and accurate in recent years.

Continued Growth – The market for security analytic products and services will grow considerably in the coming years.

The vital cyber protection task generally referred to as security analysis causes considerable confusion amongst security vendors, CISO teams, venture capital investors, and industry observers. The problem is that because so many different techniques, tools, and processes align with this term in their marketing and training materials, it becomes almost impossible for anyone to create a taxonomy that is useful. The popularity of business intelligence-driven Big Data analytics in most enterprise environments also creates some confusion.

Regarding confusion in the cyber security community about analysis, note that the enterprise SIEM, for example, can be viewed as supporting the security analysis task. Similarly, traditional enterprise log management tools can be viewed as supporting security analysis. Network monitoring tools capturing packets at line speed refer to their processing function as security analysis. Even anti-fraud and intrusion prevention systems for enterprise Web services are described as supporting security analysis by enterprise teams. So the term has become sufficiently generic as to be no longer useful.

Nevertheless, the task of ingesting and analyzing data for the purpose of generating “close to real time” actionable intelligence is so important to enterprise protection that we must attempt to create some semblance of order in how we view the market and the attendant tasks for a CISO team. As such, the following observations can be made about this new category of cyber security we will refer to collectively as security analytics:

  • Data Ingest – Security analytics always relies on either an embedded or separately managed process for collecting security-relevant data. Enterprise CISO teams can be opportunistic about this process using whatever means are available or desired. Granted, many new security analytic tools will come with their own means for collecting data, but this might be redundant with other existing collection methods. Relevant data include application and activity logs, system audit trails, network flow information, and other metadata that could contain evidence of potential or currently active cyber attacks.
  • Data Repository – Security analytics generally involves tools, techniques, and algorithms that operate on large repositories (often Hadoop-based) of stored, ingested data. This separates the off-line, non-real time security analysis task from the on-line, on-the-fly, network monitoring tools that attempt to report and make mitigation decisions at line speed.
  • Human Analysts – The security analytic process involves tools that will be used by a human being to derive intelligence. Certainly many automated tools and processes such as intrusion prevention systems will describe their operation as being enabled by security analytic techniques. But our reference here is strict in the sense that we describe security analytics as being done by human analysts. It is common in the security marketplace today to refer to the process of deriving intelligence as hunting. The hunter cannot work in true real time, in the strictest sense, but must derive intelligence in as “close to real time” as is possible. Some observers differentiate Big Data analytics from security analytics by this “close to real time” goal.
  • Analysis Results – The primary purpose of security analytics is for human beings to create actionable intelligence from available data. The idea is that on first glance, the data exposes very little, but with deeper study, the analyst can derive useful causality, relations, and interpretations that will help manage risk. Without clearly actionable results, the hunting task seems a mere academic exercise.


The security analytic task involves a series of monitored sessions as might be represented in a group of captured logs. These sessions on first glance do not expose anything of note; rather they look to be the usual sort of step-by-step progression of computing activity with nothing looking particularly out of the ordinary in the individual session log views.

With a security analytic tool, non-obvious relationships emerge that can lead to actionable insights. For the event log example shown in the figure above, a security analytic tool might detect the subtle time-progression of a related series of steps across different sessions. Evidence of enterprise East-West traffic traversal, referred to as lateral movement, is determined in this manner. Advanced persistent threats (APTs) have almost always included some form of lateral movement across the enterprise.

Traditional cyber security tools have done a poor job detecting the presence of APTs moving laterally across the enterprise. In many cases, APTs have existed within corporate networks for months or even years. Enterprise security has therefore become increasingly dependent on modern security analytics tools as a means for identifying advanced threats via hunting techniques.

The enterprise architecture of most security analytics deployments can be decomposed into two major components – enterprise data repositories and security analysis tools – both accessible and utilized by the human security hunting analysts, who are often located in a security operations center (SOC). This human performed, tool supported hunting task is intended to produce actionable intelligence from both enterprise ingress data feeds, and external, all-source ingress data feeds. Both the data collected and the intelligence generated can be viewed as local to the enterprise as well as externally relevant to all sources.

Many existing security algorithms and tools for analytics will require change to account for more holistic, less uniform data from all sources. The types of algorithms and analysis techniques inherent in modern enterprise security analytics include the following:

  • Traditional Signature Analysis – While it is common to refer to signature-based systems as useless, this is greatly exaggerated. Signatures such as IP address, domain name, file name, and attack procedure remain highly useful to the security analyst. In spite of the aversion to signature-based methods by pundits and investors, the use of signatures remains absolutely essential to proper detection of cyber security threats.
  • Behavioral Analysis Based on Profiles – Most new security analytic solutions, including professional services, tend to emphasis behavioral analysis using profiles. The idea is that some computing attribute is established as a baseline profile and deviations create alerts. When this technique is applied to applications, it is sometimes referred to as watermarking. Behavioral techniques look for “changes from normal,” such as a resource becoming too popular, less popular, more busy, less busy, and so on.
  • User Behavioral Analysis (UBA) – A special case of the behavior analysis approach focuses on human user behaviors as the basis for comparisons between observed and expected traces. Behavioral analytics usually depend on statistics and machine learning to detect anomalies in collected corporate data. Enterprise CISO teams must be careful not to drive their employees to shadow IT solutions if the UBA is too aggressive. Staff members who believe that their every point-and-click will be monitored for anomalies will be soon motivated to shift to unmonitored private use of cloud services for greater privacy (e.g., Gmail, Box storage, Facebook).
  • Forensic Component Investigation – Enterprise security analytic solutions will always include the need to support forensics during or after an incident. While forensics tools are considered a separate area in the CISO toolkit, the enterprise security analysis platform, tools, and capabilities provide important complementary support for the forensics process, often helping to unravel how a given attack might have occurred across the enterprise perimeter.
  • Attack Breakdown and Analysis – Enterprise security analytics should account for and support the breakdown and analysis of any attack, especially ones that have been recently discovered in the wild in environments similar to the target enterprise. CISO teams will take note that most marketing approaches by security analytic vendors will involve detailed breakdown of how their tool would have stopped some famous attack. This must be taken with a grain of salt, because after-the-fact analysis and breakdown is fundamentally different than proactive prevention.
  • Vulnerability Investigation and Cross Reference – Enterprise security analytic solutions should account for and support investigation of vulnerabilities including cross-referencing their footprint with corporate enterprise inventories. This is a challenge because few security analytic tools allow for easy integration (even if APIs are present) with identity and access management, enterprise directory, and other IT systems.

All enterprise security analytics solutions include one or more of these types of analysis approaches. Behavioral analytics, in particular, has become a growing area for cyber security vendors and is increasingly referenced in compliance and regulatory requirements. Managed security service providers are also increasingly focused on providing enterprise security analytics support through partnership with a technology vendor as part of their offerings to enterprise and government customers.

The future market and usage prospects for security analytics are influenced by two trends moving in opposite directions. First, the organizational concept of a traditional enterprise behind a perimeter is rapidly becoming less acceptable to CISO teams, especially in small and medium sized businesses. As such, the conventional, on-premise deployment of an enterprise security analytics tool will evolve over time into more virtual, cloud-based solutions.

Correspondingly, however, the need for security analytics to be performed on enterprise data distributed across applications, systems, cloud, and mobility will increase significantly. As such, the market and usage of distributed, virtual security analytics products and services, including managed services, will grow in the coming years. This trend will result in an overall growing need for enterprise security analytics, in spite of any enterprise architectural changes away from the perimeter.

Analytics CISO teams should not be confused by the steep decline predicted for traditional, on-premise tools. This does not imply a reduced need for security analytics, but rather underscores the significant shift to all-source, virtual analytics that can blend ingested data from public and hybrid cloud sources into intelligence that can be used locally as well as shared within trusted communities. Security analytics providers should thus be required, during any source selection process, to explain their technology roadmap to support virtualization in the data center and SDN in the wide area network.