Startup Seceon has joined a growing number of firms focused on quickly analyzing behaviors on corporate networks to identify and prioritize threats that ought to be dealt with, cutting down on the manual work required to spot and stop attacks.
In addition to identifying intrusions, the company’s Open Threat Management (OTM) platform can also automatically block suspect behaviors using scripts to other devices on the network.
The company competes against a number of others including Damballa, LightCyber and Vectra as well as vendors with broader portfolios such as Carbon Black, Black Ensilo, Fireeye, Guidance, Promisec, Resolution1 Security, and Tanium.
Unlike some of these, OTM supports automatic responses to block identified threats.
The platform consists of a server that gathers traffic flow information from network devices, along with Active Directory information, DNS and DHCP data, logs from other security gear such as firewalls and SIEMs, and deduplicated threat intelligence from 60 third-party suppliers.
Its analytic engine sorts through the data using behavior-based threat modeling that is informed by machine learning. It’s looking for evidence of malicious behavior such as scanning machine-to-machine or a set of credentials being used from multiple machines and different locations.
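The two behaviors named above, one set of credentials used from several machines and locations and machine-to-machine scanning, as a sliding-window check over a handful of constructed events. This is an added illustration, not Seceon's code; the event fields, window sizes and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from Seceon or SeaChange), one per authentication or connection:
EVENTS = [
    {"ts": "2016-03-01T09:00:00", "user": "alice", "src": "ws-101", "loc": "boston", "dst": "fileserver"},
    {"ts": "2016-03-01T09:05:00", "user": "alice", "src": "ws-233", "loc": "munich", "dst": "fileserver"},
    {"ts": "2016-03-01T09:00:30", "user": "bob", "src": "ws-150", "loc": "boston", "dst": "mail"},
    {"ts": "2016-03-01T09:10:00", "user": "bob", "src": "ws-151", "loc": "boston", "dst": "fileserver"},
    {"ts": "2016-03-01T09:20:00", "user": "svc-x", "src": "ws-077", "loc": "boston", "dst": "srv-01"},
    {"ts": "2016-03-01T09:20:20", "user": "svc-x", "src": "ws-077", "loc": "boston", "dst": "srv-02"},
    {"ts": "2016-03-01T09:20:40", "user": "svc-x", "src": "ws-077", "loc": "boston", "dst": "srv-03"},
    {"ts": "2016-03-01T09:21:00", "user": "svc-x", "src": "ws-077", "loc": "boston", "dst": "srv-04"},
]

def _windows(evs, window):
    """Yield, for each event in time order, the events within `window` after it."""
    evs = sorted(evs, key=lambda e: e["ts"])
    for i, first in enumerate(evs):
        start = datetime.fromisoformat(first["ts"])
        yield [e for e in evs[i:] if datetime.fromisoformat(e["ts"]) - start <= window]

def _group(events, key):
    groups = defaultdict(list)  # bucket events by one field (user or source host)
    for e in events:
        groups[e[key]].append(e)
    return groups

def credential_sharing(events, window=timedelta(minutes=30)):
    """Users whose credentials were used from more than one host AND more than one
    location inside `window`; same-office multi-host use is deliberately not flagged."""
    flagged = {}
    for user, evs in _group(events, "user").items():
        for win in _windows(evs, window):
            hosts, locs = {e["src"] for e in win}, {e["loc"] for e in win}
            if len(hosts) > 1 and len(locs) > 1:
                flagged[user] = {"hosts": sorted(hosts), "locations": sorted(locs)}
                break
    return flagged

def machine_scanning(events, window=timedelta(minutes=5), min_targets=4):
    """Source hosts that contacted at least `min_targets` distinct hosts inside `window`."""
    flagged = {}
    for src, evs in _group(events, "src").items():
        for win in _windows(evs, window):
            targets = {e["dst"] for e in win}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged
```

On the sample, `alice` is flagged (two hosts, two locations), `bob` is not (two hosts in one office), and `ws-077` is flagged for touching four servers in a minute; tuning `window` and `min_targets` is what decides how many alerts reach an analyst.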
The output reduces the number of alerts that analysts need to sort through by several orders of magnitude, says. An enterprise might wind up getting five to 10 per day.
Analyzing data from a wide range of sources and distilling the results greatly reduces the urgent workload of analysts, says David Monahan, an analyst at Enterprise Management Associates. As a result OTM can become a force multiplier, he says, enabling a smaller staff to provide better coverage by focusing their efforts. It might even free up people to do more big-picture work, he says.
The company claims more than 31 customers in the process of deploying OTM and a dozen running it live. One of those is SeaChange, a video-delivery service provider whose director of IT, Jim Godschall, says the platform helps sort through log data used to detect threats more quickly than live security analysts could.
The systems he had in place generate a lot of data: “We get a lot of logs and a lot of alerts,” he says. OTM helps answer the question, “How do we find the recurring onesy-twosy events that we would never see?” he says.
He says the platform helps stretch the capabilities of his limited IT staff by reducing the number of alerts that have to be checked out manually.
Godschall says in the months it’s been in place OTM hasn’t found threats, but has been useful. For example, a firewall was dropping traffic from one of the company’s labs every day about the same time as it tried to hit a certain IP address. “It turned out to be a misconfiguration but it could have been malware,” he says.