The terms “machine learning”, “threat detection” and “data analytics” are used fairly ubiquitously these days, and this week a company launched offering a “new approach to conventional threat detection and management”.
The focus of Seceon is to detect and stop both recognized and unknown threats when they happen, instead of days, weeks or months later. The concept is based around seeing threats clearly and quickly, stopping threats from inflicting extensive damage through containment, and using behavioral threat detection modeling and machine learning to better understand attacks.
Working on an annual subscription basis for any size of enterprise, Seceon’s Open Threat Manager (OTM) platform provides real-time visibility into enterprise activity through its intuitive interface. It provides holistic threat detection based on how devices, users, behaviors, processes and policies interact, and delivers automated elimination and containment of threats.
It sounds promising, but part of me felt a tinge of déjà vu, as I felt I was hearing this all over again but from a new name. I spoke with Co-Founder and Chief Strategy Officer Gary Southwell, who said that the focus was on speed of detection and containment. He talked of the ambition to build an advanced management platform combining machine learning and data analytics collection in order to gain visibility that you can use as a baseline to detect threats within your environment.
“We built a sophisticated platform to ingest data and put in data modelling that is assisted by machine learning, and correlate that with abnormal behavior to determine credible threats,” he said.
The company launched in 2014 and began deploying the product in late 2015, before funding came in early 2016. Southwell acknowledged that there is not the time in the modern enterprise to create rules and filters, and a better approach was needed.
“Within the application we can detect what matters and do it in plain English to determine what the threat is, who the actor is and what you can do about it,” he said. “You can go into network devices, turn ports off and isolate devices so you don’t leak any data.
“Data is coming from systems, applications and resources within an organization, and from applications running in one place. We pull in from other security products as everyone has a web application firewall, and also from SIEMs, and we generate our own threat feeds to provide additional information.”
The message is very much about pulling in massive amounts of information and producing something better at the other end. Southwell acknowledged that with a SIEM you do not see the threat, whereas with the Docker technology you learn where the attacker comes in from, and if you see something going on that is unusual, this creates a threat indicator and raises an alert.
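The baseline-and-deviation idea described above, as an added illustration that is not Seceon's code and assumes nothing about how OTM is actually implemented: a learning window establishes, per host, which destination subnets it normally talks to and how many bytes it sends per day; a later window is scored against that baseline, and each deviation becomes an indicator (the kinds `new_peer`, `volume` and `no_baseline`, the z-score threshold, the flow records and the host names are all constructed for this example). A separate correlation step, standing in for the "correlation engine" the article mentions, raises an alert only when a host shows more than one distinct kind of indicator, so a single new peer on its own stays an indicator rather than an alert.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed flow summaries: (day, source host, destination subnet, bytes sent).
# Days 1-5 form the learning window; day 6 is the window being scored.
BASELINE_FLOWS = [
    (1, "ws-01", "10.0.1.0/24", 60_000), (1, "ws-01", "10.0.2.0/24", 50_000),
    (2, "ws-01", "10.0.1.0/24", 58_000), (2, "ws-01", "10.0.2.0/24", 49_000),
    (3, "ws-01", "10.0.1.0/24", 61_000), (3, "ws-01", "10.0.2.0/24", 53_000),
    (4, "ws-01", "10.0.1.0/24", 59_000), (4, "ws-01", "10.0.2.0/24", 51_000),
    (5, "ws-01", "10.0.1.0/24", 62_000), (5, "ws-01", "10.0.2.0/24", 47_000),
    (1, "ws-02", "10.0.1.0/24", 90_000), (2, "ws-02", "10.0.1.0/24", 92_000),
    (3, "ws-02", "10.0.1.0/24", 88_000), (4, "ws-02", "10.0.1.0/24", 91_000),
    (5, "ws-02", "10.0.1.0/24", 89_000),
]
CURRENT_FLOWS = [
    # ws-01: usual peers plus a never-seen subnet and a large volume spike
    (6, "ws-01", "10.0.1.0/24", 60_000), (6, "ws-01", "10.0.2.0/24", 50_000),
    (6, "ws-01", "203.0.113.0/24", 900_000),
    # ws-02: one new peer, but its total volume is exactly on baseline
    (6, "ws-02", "10.0.1.0/24", 70_000), (6, "ws-02", "10.0.3.0/24", 20_000),
    # ws-03: a host with no learning-window history at all
    (6, "ws-03", "10.0.1.0/24", 5_000),
]


@dataclass(frozen=True)
class Indicator:
    host: str
    kind: str      # "volume", "new_peer" or "no_baseline" (constructed vocabulary)
    detail: str


def build_baseline(flows):
    """Per host: the subnets it normally talks to and its daily byte totals."""
    peers = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    for day, host, subnet, nbytes in flows:
        peers[host].add(subnet)
        daily[host][day] += nbytes
    return {host: {"peers": peers[host], "daily_bytes": list(daily[host].values())}
            for host in peers}


def score_window(baseline, flows, z_threshold=3.0):
    """Compare one window of flows against the baseline and emit indicators."""
    indicators = []
    totals = defaultdict(int)
    seen = defaultdict(set)
    for _day, host, subnet, nbytes in flows:
        totals[host] += nbytes
        seen[host].add(subnet)
    for host in sorted(totals):
        profile = baseline.get(host)
        if profile is None:
            # No history means no deviation can be measured; record that fact
            # rather than silently scoring the host as normal.
            indicators.append(Indicator(host, "no_baseline", "not seen in learning window"))
            continue
        for subnet in sorted(seen[host] - profile["peers"]):
            indicators.append(Indicator(host, "new_peer", f"first contact with {subnet}"))
        history = profile["daily_bytes"]
        m = mean(history)
        # A perfectly flat history has zero deviation; fall back to 5% of the mean
        # so a single byte over the usual total does not become an infinite z-score.
        sd = pstdev(history) or max(1.0, 0.05 * m)
        z = (totals[host] - m) / sd
        if z > z_threshold:
            indicators.append(Indicator(
                host, "volume", f"{totals[host]} bytes, z={z:.1f} vs baseline mean {m:.0f}"))
    return indicators


def correlate(indicators, min_kinds=2):
    """Alert only on hosts showing at least min_kinds distinct indicator kinds."""
    by_host = defaultdict(set)
    for ind in indicators:
        by_host[ind.host].add(ind.kind)
    return {host: sorted(kinds) for host, kinds in by_host.items() if len(kinds) >= min_kinds}


def run():
    baseline = build_baseline(BASELINE_FLOWS)
    indicators = score_window(baseline, CURRENT_FLOWS)
    return indicators, correlate(indicators)


if __name__ == "__main__":
    inds, alerts = run()
    for ind in inds:
        print(f"indicator {ind.kind:<12} {ind.host}: {ind.detail}")
    print("alerts:", alerts)
```

Running it yields four indicators but only one alert, for `ws-01`, because it is the only host where two independent signals (an unknown peer and a volume spike) coincide. Thresholds and the two-kind correlation rule are deliberately simple; the point is the structure, baseline first, then indicators, then correlation, not the particular statistics.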
“We collect by how you communicate; it could be a subnet, or a logical group name, but it helps you understand what is going on and provides an effective way to see what is going on,” he said. “You get to the alert screen and the correlation engine pulls together data to determine what a real threat is.
“It can be deployed as you want, we operate as a subscription model and deploy across the cloud or virtual machines, and spread across virtual machines with devices.”
The area of threat detection is becoming crowded, and this was acknowledged by Andrew Kellett, principal analyst at Ovum, who said that there are many vendors out there offering better and faster threat detection services, with the goal of prioritizing and dealing with the threats that matter and need immediate attention.
Kellett said that most of this is now pretty standard and most vendors claim to be able to do it, but Seceon's focus is on providing more relevant threat information, together with the ability to prioritize and drill down into the details of the prioritized threats.
This is a popular area, as Kellett said, and something that he expected to grow as the battle to detect attacks and attackers in a shorter timescale intensifies. Time to detect is a challenge; as Verizon has stated in its Data Breach Investigations Report, it can take weeks or months, so improving that is key, and any efforts by Seceon that enable better drilling down into data in real time help with both detection and investigation.
Seceon is one company throwing in its lot on the side of speed and rapid detection; I expect more will appear in the coming months.