Translate

четвъртък, 31 юли 2014 г.

Иновативни решения / продукти за сигурност / разузнаване


Избраните от Gartner Inc. за 2014 г.  най иновативни доставчици на специализирани решения / продукти  за  сигурност / разузнаване.



Cool Vendors in Security Intelligence, 2014

2 May 2014 ID:G00262592
Analyst(s): Ray Wagner, Neil MacDonald, Joseph Feiman, Avivah Litan, Ruggero Contu, Eric Ouellet, Peter Firstbrook

This year's Cool Vendors in security intelligence offer innovative, forward-thinking solution sets designed to address emerging and newly identified security challenges. CISOs and other security professionals can use this research to consider new vendors in the security intelligence space.

Overview

Key Findings

·         Security intelligence products are maturing, but face competition from other consolidating security markets.
·         The Cool Vendors in this year's report span contextual analytics; predictive software; risk analytics and visualization; shared, anonymous intelligence services; a unique, cloud access security broker; and an IP and URL reputation service that monitors the darknet.
Recommendations
CISOs and other security professionals:
·         Evaluate adoption of security intelligence principles based on breaking security silos and bolstering interaction between various security technologies and contextual analytics.
·         Evaluate the new directions of security products and services when considering these Cool Vendors. However, recognize that these offerings are not appropriate for all enterprises or implementations — they are likely to be more suitable for Type A Gartner clients (technologically sophisticated early adopters) than for more risk-averse Type B or Type C clients.


Analysis

This research does not constitute an exhaustive list of vendors in any given technology area, but rather is designed to highlight interesting, new and innovative vendors, products and services. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

What You Need to Know

This is the second year for Cool Vendors in security intelligence. In 2014, vendors featured in this report are expanding monitoring from multiple monitoring sources to develop risk metrics based on tracked deviations. They are providing more intelligent visual platforms for discovering risk in IT-operational technology (OT) environments, and are allowing organizations to share threat intelligence information in a trusted, collaborative environment while remaining anonymous.
In addition, vendors are using cloud-delivery models to offer these security intelligence services, which may help ease implementation and save time and effort. For chief information security officers (CISOs) concerned about the cloud, cloud access security brokers are monitoring the gaps between cloud users and cloud services with semantic-aware anomaly detection. Reputational services that closely monitor the vast security underworld with a focus on known hackers are expanding.
These innovative vendors are on the cutting edge, and may not necessarily be market-proven or have long-term viability as startups and early ventures.

Bay Dynamics
San Francisco, California (www.baydynamics.com)
Analysis by Avivah Litan, Joseph Feiman and Eric Ouellet

Why Cool: Bay Dynamics makes existing security monitoring systems more intelligent by using contextual data, and by adding behavioral risk scoring to the subsequent alerts to take the "noise" out of monitoring applications, as well as to reduce high false-positive rates. The firm's Risk Fabric application goes a step further, correlating the alerts and information from disparate monitoring systems, giving an enterprise the ability to summarize and prioritize the most important security events of the day. Bay Dynamics characterizes the security posture of the enterprise with its risk metrics, tracking deviations from these metrics and warning security teams. Bay Dynamics uses predictive analytics to advise enterprises on potential breaches in defenses.
Bay Dynamics got a jump-start through an OEM partnership with Symantec, which resells the firm's IT Analytics package that enhances several Symantec security offerings, including the Symantec Data Loss Prevention (DLP) application. Bay Dynamics baselines the DLP-related behavior of employees and various workgroups in an organizational hierarchy. It then analyzes incoming DLP events against the employee's baseline profile, and against the profile of workgroups the employee reports to (for example, a cost center or a regional division). Customers validate that Bay Dynamics has taken the noise out of DLP alerting systems, and has prioritized alerts they need to attend to and individuals they need to investigate. One customer employed 35 staff to monitor 135,000 DLP alerts a day prior to installing Bay Dynamics, and has reduced that to five staff monitoring 8,000 higher priority alerts a day.
Bay Dynamics is far along with its Risk Fabric application, and has an impressive user interface that digests, summarizes and highlights important security events of the day in a news format. Current customers using them for enhancing Symantec's DLP system are actively investigating this module. Bay Dynamics does not use security information and event management (SIEM) data to perform behavioral contextual analysis. It only performs this analysis with DLP data (and, potentially, with Web gateway solutions and other user-centric data sources) to provide analysis. This makes it a good fit as a complement or alternative to SIEM.

Challenges: Bay Dynamics is not yet proven with DLP solutions other than Symantec's, although it says it has that capability out of the box. Its flagship Risk Fabric application is new to the market, officially launching in 2013, although Bay Dynamics says it has been in production at its largest customer for over two years.
Other larger security vendors with domain expertise in DLP, network security, advanced threat protection and security intelligence are already starting to expand their offerings to provide canned intelligence that correlates alerts across systems after injecting them with more contextual information. As such, Bay Dynamics is likely to face stiff competition from incumbent vendors. Bay Dynamics is generally not known to Gartner clients, and will have a tough time getting recognition in a crowded consolidating security market.

Who Should Care: Security organizations that are inundated with noisy security monitoring systems — including DLP systems, intrusion prevention systems (IPSs), endpoint protection platforms (EPPs) and SIEM applications — that generate too many false positives and alerts that are not adequately prioritized should evaluate Bay Dynamics software. CIOs and CISOs who want to further understand the main security events in their organizations by intelligently correlating existing monitoring system alerts should consider Risk Fabric from Bay Dynamics.

Brinqa
Austin, Texas (brinqa.com)
Analysis by Neil MacDonald

Why Cool: Brinqa provides an IT operational and security risk analytics platform, designed to provide business decision makers the insight needed to achieve their business goals using risk as a guide. The Java-based, NoSQL-powered platform within Brinqa is extensible and customizable by customers, and supports visualization of data for exploration. Its engine supports the use of context data (such as location and reputation) into its analytics and correlation engine to enable risk-based prioritization of output. Brinqa's platform is integrated within several security vendors' platforms, such as Tripwire, HP, Veracode, Rapid7, Qualys and IBM (Brinqa can run natively on z/OS) to provide risk analytics and decision-making dashboards.
More interestingly, Brinqa is used by several organizations (including multiple banks worldwide and a U.S.-based insurer) to power their own in-house-developed risk analytics platform (or risk data mart) where the risks are then analyzed, prioritized and presented via a dashboard across IT and OT risks. Delivery in mid-2014 of a cloud-based as a service offering will simplify deployment.

Challenges: A significant challenge to Brinqa is that most organizations' level of maturity in how IT risk is modeled and managed is still relatively low. Many organizations do not yet use a structured approach to IT- and OT-related risk. Most resort to spreadsheets to perform basic prioritization. Brinqa provides some out-of-the-box risk models, but the full power of the platform really requires customization and integration. Brinqa customers can use connectors to a variety of enterprise data sources and advanced analytics configuration resources (typically only available in Type A organizations), or from Brinqa's system integration partners.
Small to midsize organizations will likely consume Brinqa as an OEM system where the integration and analytics have already been pretuned for the specific use case — such as with IBM, HP or Veracode's application security testing dashboard to show application security risk — or as a cloud offering. Brinqa will also need to differentiate from other enterprise governance, risk and compliance (GRC) vendors bringing risk dashboards to market.

Who Should Care: The Brinqa platform will appeal to larger, Type A IT security organizations looking for an extensible risk analytics platform, complete with visualization capabilities, that can be customized and tuned to provide IT and business decision makers with dashboards of risk-based alternatives when making IT-related decisions specific to their roles.

IID
Tacoma, Washington (internetidentity.com)
Analysis by Ruggero Contu

Why Cool: IID's ActiveTrust platform is a cloud-based service that enables organizations to share threat intelligence across defined circles of trust. Every member organization that decides to join is prescreened, and has to agree to stringent confidentiality controls for the protection of sensitive information. What makes this provider particularly cool is the ability to connect organizations to collaborate, yet to customize filters for critical security intelligence information — and to perform this sharing anonymously. Sharing anonymously is an important aspect, as threat intelligence data is very sensitive information, and many organizations are likely to show interest in such data if linked to the source organization.
The company also has a social media tool called ActiveTrust Hub, which links trusted peers across industry vertical silos. IID also offers a threat intelligence service to its members, leveraging the ActiveTrust engine data feeds to bring some level of remediation.

Challenges: While the ability to share information anonymously can help dispel some concerns, the collaborative nature of IID's business may find some organizations to be unwilling to share threat intelligence data, preferring competing threat intelligence services that do not involve sensitive data. IID is U.S.-based and mainly operates in North America, so it may be challenged to expand in other regions, given some countries' concerns of covert monitoring by U.S. security agencies.

Who Should Care: CISOs and IT security managers looking to improve visibility of threat intelligence, particularly relating to their vertical industry peers, should consider IID.

Netskope
Los Altos, California (www.netskope.com)
Analysis by Neil MacDonald and Peter Firstbrook

Why Cool: Netskope is a cloud access security broker (CASB) that can monitor the interactions between cloud users and the cloud service itself — helping to bridge major network, data and user security blind spots between cloud usage, mobile devices and other user-controlled endpoints where the enterprise is not able to assert controls (see "The Growing Importance of Cloud Access Security Brokers").
Netskope inserts itself into mobile/remote and on-premises cloud interactions with a transparent forward or explicit (SAML-enabled) proxy, so that the content and interactions in sanctioned and unsanctioned cloud applications can be analyzed for security (including logging, auditing and DLP). Additionally, Netskope has a sophisticated set of real-time, granular policy controls, as well as context-aware and semantic-aware anomaly detection capabilities that can help spot and stop fraudulent use of enterprise cloud services. By monitoring firewall and proxy logs, Netskope also provides enterprises ongoing visibility into the inventory of cloud services used — and identifies their associated risk using its rating database of more than 4,500 cloud services.

Challenges: A large number of solutions are appearing to target the same cloud interaction-gap need, creating a very competitive environment. Many secure Web gateway vendors are already in use by most organizations, and could provide a similar service to Netskope (and other CASB vendors providers) if they focused more on this use case. Netskope has announced, but has not yet delivered, encryption capabilities to protect data at rest in cloud applications. It is beginning to offer its services beyond the North American market into Europe as a cloud-based service (there is no on-premises offering).
The DLP engine is not integrated with other enterprise DLP solutions, creating a new island of DLP policy and reporting. Getting in the path of cloud services usage requires some configuration, either by DNS modification, by PAC file modification or by integration with the cloud authentication and process (which may not work for all cloud services). Initial pricing is a bit steep, so Netskope and other CASB vendors will be challenged to provide concrete ROI.

Who Should Care: Large enterprise information security and compliance organizations that want to get visibility into their enterprise's usage of cloud services (and the risk associated with these services) — as well as visibility into sensitive data usage monitoring and anomalous usage patterns — are good candidates for Netskope.

Norse
San Mateo, California (www.norse-corp.com)
Analysis by Neil MacDonald

Why Cool: Norse delivers a cloud-based Internet Protocol (IP) and URL reputation service that delivers machine-readable threat intelligence from its cloud-based infrastructure, deployed worldwide in 140 data centers in 40 countries. By actively monitoring the darknet, such as hacker networks, Tor networks and hacker bulletin boards, Norse is able to determine with high assurance the reputation ratings of IP addresses and URLs it observes. It actively processes and analyzes over 130TB of data each day, storing metadata and context in its 6.2PB database. From this threat intelligence data, Norse sells three primary offerings:
·         A high-assurance IP and URL reputation services to enterprises (primarily financial services institutions) for the programmatic, real-time risk rating of transactions (with an SLA response time of 10 milliseconds) using a SaaS pricing model
·         A dynamically updated contextual block list of high-risk IPs to be used within SIEM and other security solutions
·         A service where Norse actively monitors the darknet for IP addresses and URLs owned by an enterprise to gain an outside-in view of compromise

Challenges: Many security vendors' research labs are now actively researching hacker networks to detect attacks and techniques earlier in development, and, based on this, are providing their own source of IP and URL reputation services. Thus, this type of service risks being commoditized and delivered as a standard part of advanced threat protection platforms. In addition, carriers and content delivery networks with a large number of points of presence could develop early monitoring services. While Norse has broad visibility, it does not yet have visibility into every country with Internet capabilities. Finally, while some providers focus on scoring of both "good" and "bad" URL and IP reputations, Norse focuses exclusively on hackers and on hacker infrastructure.

Who Should Care: Any enterprise performing transactions of value over the public Internet should consider a transaction-scoring reputation service such as Norse, in order to perform a real-time evaluation of the transaction request. Norse's monitoring services will be of interest to information security professionals looking for an outside-in monitoring service for indications of compromise as an additional layer of defense in a defense-in-depth strategy.


Няма коментари:

Публикуване на коментар