Gartner Inc.'s selection for 2014 of the most innovative vendors of specialized security and security-intelligence solutions and products.
Cool Vendors in Security Intelligence, 2014
2 May 2014 ID: G00262592
Analyst(s): Ray Wagner, Neil MacDonald, Joseph Feiman, Avivah Litan, Ruggero Contu, Eric Ouellet, Peter Firstbrook
This year's Cool Vendors in
security intelligence offer innovative, forward-thinking solution sets designed
to address emerging and newly identified security challenges. CISOs and other
security professionals can use this research to consider new vendors in the
security intelligence space.
Overview
Key Findings
· Security intelligence products are maturing, but face competition from other consolidating security markets.
· The Cool Vendors in this year's report span contextual analytics; predictive software; risk analytics and visualization; shared, anonymous intelligence services; a unique cloud access security broker; and an IP and URL reputation service that monitors the darknet.
Recommendations
CISOs and other security
professionals:
· Evaluate adoption of security intelligence principles based on breaking security silos and bolstering interaction between various security technologies and contextual analytics.
· Evaluate the new directions of security products and services when considering these Cool Vendors. However, recognize that these offerings are not appropriate for all enterprises or implementations: they are likely to be more suitable for Type A Gartner clients (technologically sophisticated early adopters) than for more risk-averse Type B or Type C clients.
Analysis
This research does not
constitute an exhaustive list of vendors in any given technology area, but
rather is designed to highlight interesting, new and innovative vendors,
products and services. Gartner disclaims all warranties, express or implied,
with respect to this research, including any warranties of merchantability or
fitness for a particular purpose.
What You Need to Know
This is the second year for Cool Vendors in security intelligence. In 2014, the vendors featured in this report are combining monitoring data from multiple sources to develop risk metrics and track deviations from them. They are providing more intelligent visual platforms for discovering risk in IT and operational technology (OT) environments, and are allowing organizations to share threat intelligence in a trusted, collaborative environment while remaining anonymous.
In addition, vendors are
using cloud-delivery models to offer these security intelligence services,
which may help ease implementation and save time and effort. For chief
information security officers (CISOs) concerned about the cloud, cloud access
security brokers are monitoring the gaps between cloud users and cloud services
with semantic-aware anomaly detection. Reputational services that closely
monitor the vast security underworld with a focus on known hackers are
expanding.
These innovative vendors
are on the cutting edge, and may not necessarily be market-proven or have
long-term viability as startups and early ventures.
Bay Dynamics
Analysis by Avivah
Litan, Joseph Feiman and Eric Ouellet
Why Cool: Bay
Dynamics makes existing security monitoring systems more intelligent by using
contextual data, and by adding behavioral risk scoring to the subsequent alerts
to take the "noise" out of monitoring applications, as well as to
reduce high false-positive rates. The firm's Risk Fabric application goes a
step further, correlating the alerts and information from disparate monitoring
systems, giving an enterprise the ability to summarize and prioritize the most
important security events of the day. Bay Dynamics characterizes the security
posture of the enterprise with its risk metrics, tracking deviations from these
metrics and warning security teams. Bay Dynamics uses predictive analytics to
advise enterprises on potential breaches in defenses.
Bay Dynamics got a
jump-start through an OEM partnership with Symantec, which resells the firm's
IT Analytics package that enhances several Symantec security offerings,
including the Symantec Data Loss Prevention (DLP) application. Bay Dynamics
baselines the DLP-related behavior of employees and various workgroups in an
organizational hierarchy. It then analyzes incoming DLP events against the
employee's baseline profile, and against the profile of workgroups the employee
reports to (for example, a cost center or a regional division). Customers
validate that Bay Dynamics has taken the noise out of DLP alerting systems, and
has prioritized alerts they need to attend to and individuals they need to
investigate. One customer employed 35 staff to monitor 135,000 DLP alerts a day
prior to installing Bay Dynamics, and has reduced that to five staff monitoring
8,000 higher priority alerts a day.
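The baselining described above can be reproduced in a few dozen lines. The following is an added illustration, not Bay Dynamics code: it scores each user's daily DLP-event count against the user's own history and against the pooled history of the user's workgroup, and surfaces only the users whose deviation clears a threshold. The event counts, group names, the 14-day window and the 3-sigma threshold are all constructed assumptions.

```javascript
// Added example (not Bay Dynamics code): score DLP events against per-user and
// per-workgroup baselines so that a few anomalous users rise above the noise.
// Input format, user/group names and thresholds are assumptions for illustration.

// Constructed daily DLP-event counts per user over a 14-day baseline window.
// Each entry: { user, group, history: [counts on prior days], today: count }
const DLP_USERS = [
  { user: "alice", group: "finance", history: [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 3, 4, 3], today: 4 },
  { user: "bob",   group: "finance", history: [2, 3, 2, 2, 3, 2, 1, 2, 3, 2, 2, 3, 2, 2], today: 40 },
  { user: "carol", group: "eng",     history: [20, 25, 22, 18, 24, 21, 19, 23, 22, 20, 21, 24, 23, 22], today: 26 },
  { user: "dave",  group: "eng",     history: [1, 0, 2, 1, 0, 1, 1, 2, 0, 1, 1, 0, 2, 1], today: 30 },
];

function mean(xs) { return xs.reduce((a, b) => a + b, 0) / xs.length; }
function stddev(xs) {
  const m = mean(xs);
  return Math.sqrt(mean(xs.map((x) => (x - m) ** 2)));
}

// z-score with a floor on the standard deviation so that a very quiet user
// (sigma close to 0) does not produce a huge score on a trivial deviation.
function zScore(value, history, minSigma = 1) {
  return (value - mean(history)) / Math.max(stddev(history), minSigma);
}

// Build each workgroup's baseline from the pooled history of its members.
function groupHistories(users) {
  const pooled = {};
  for (const u of users) {
    if (!pooled[u.group]) pooled[u.group] = [];
    pooled[u.group].push(...u.history);
  }
  return pooled;
}

// Score today's count against the user's own baseline and the workgroup's
// baseline; the larger deviation becomes the risk score. A user who is noisy
// relative to a quiet group, or relative to their own quiet past, both surface.
function scoreUsers(users) {
  const pooled = groupHistories(users);
  return users
    .map((u) => {
      const zUser = zScore(u.today, u.history);
      const zGroup = zScore(u.today, pooled[u.group]);
      return { user: u.user, group: u.group, today: u.today, zUser, zGroup, risk: Math.max(zUser, zGroup) };
    })
    .sort((a, b) => b.risk - a.risk);
}

// Keep only users whose deviation exceeds the threshold (assumed: 3 sigma).
function prioritize(users, threshold = 3) {
  return scoreUsers(users).filter((r) => r.risk >= threshold).map((r) => r.user);
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(scoreUsers(DLP_USERS));
  console.log("investigate:", prioritize(DLP_USERS));
}
```

With the constructed data, bob and dave are flagged while carol, whose absolute count is higher than bob's, is not: her history shows that 26 events is ordinary for her. Note that dave is invisible against the pooled engineering baseline (carol's volume inflates the group's variance) and is caught only by his own baseline, which is why both comparisons are kept.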
Bay Dynamics is far along with its Risk Fabric application, which has an impressive user interface that digests, summarizes and highlights the important security events of the day in a news format. Current customers who use Bay Dynamics to enhance Symantec's DLP system are actively investigating this module. Bay Dynamics does not use security information and event management (SIEM) data for its behavioral contextual analysis; it performs that analysis on DLP data (and, potentially, on Web gateway logs and other user-centric data sources). This makes it a good fit as a complement or alternative to SIEM.
Challenges: Bay
Dynamics is not yet proven with DLP solutions other than Symantec's, although
it says it has that capability out of the box. Its flagship Risk Fabric
application is new to the market, officially launching in 2013, although Bay
Dynamics says it has been in production at its largest customer for over two
years.
Other larger security
vendors with domain expertise in DLP, network security, advanced threat
protection and security intelligence are already starting to expand their
offerings to provide canned intelligence that correlates alerts across systems
after injecting them with more contextual information. As such, Bay Dynamics is
likely to face stiff competition from incumbent vendors. Bay Dynamics is
generally not known to Gartner clients, and will have a tough time getting
recognition in a crowded consolidating security market.
Who Should Care: Security
organizations that are inundated with noisy security monitoring systems —
including DLP systems, intrusion prevention systems (IPSs), endpoint protection
platforms (EPPs) and SIEM applications — that generate too many false positives
and alerts that are not adequately prioritized should evaluate Bay Dynamics
software. CIOs and CISOs who want to further understand the main security
events in their organizations by intelligently correlating existing monitoring
system alerts should consider Risk Fabric from Bay Dynamics.
Brinqa
Analysis by Neil
MacDonald
Why Cool: Brinqa provides an IT operational and security risk analytics platform, designed to give business decision makers the insight needed to achieve their business goals using risk as a guide. The Java-based, NoSQL-powered platform is extensible and customizable by customers, and supports visualization of data for exploration. Its analytics and correlation engine can incorporate context data (such as location and reputation) to enable risk-based prioritization of its output. Brinqa's platform is integrated within several security vendors' platforms, such as Tripwire, HP, Veracode, Rapid7, Qualys and IBM (Brinqa can run natively on z/OS), to provide risk analytics and decision-making dashboards.
More interestingly, Brinqa
is used by several organizations (including multiple banks worldwide and a
U.S.-based insurer) to power their own in-house-developed risk analytics
platform (or risk data mart) where the risks are then analyzed, prioritized and
presented via a dashboard across IT and OT risks. Delivery in mid-2014 of a
cloud-based as a service offering will simplify deployment.
Challenges: A significant challenge for Brinqa is that most organizations' level of maturity in how IT risk is modeled and managed is still relatively low. Many organizations do not yet use a structured approach to IT- and OT-related risk; most resort to spreadsheets to perform basic prioritization. Brinqa provides some out-of-the-box risk models, but the full power of the platform requires customization and integration. Customers need connectors to a variety of enterprise data sources and the skills to configure advanced analytics, which are typically available only in Type A organizations or through Brinqa's system integration partners.
Small to midsize
organizations will likely consume Brinqa as an OEM system where the integration
and analytics have already been pretuned for the specific use case — such as
with IBM, HP or Veracode's application security testing dashboard to show
application security risk — or as a cloud offering. Brinqa will also need to
differentiate from other enterprise governance, risk and compliance (GRC)
vendors bringing risk dashboards to market.
Who Should Care: The
Brinqa platform will appeal to larger, Type A IT security organizations looking
for an extensible risk analytics platform, complete with visualization
capabilities, that can be customized and tuned to provide IT and business
decision makers with dashboards of risk-based alternatives when making
IT-related decisions specific to their roles.
IID
Analysis by Ruggero
Contu
Why Cool: IID's ActiveTrust platform is a cloud-based service that enables organizations to share threat intelligence across defined circles of trust. Every member organization that decides to join is prescreened, and has to agree to stringent confidentiality controls for the protection of sensitive information. What makes this provider particularly cool is the ability to connect organizations to collaborate, yet to customize filters for critical security intelligence information, and to perform this sharing anonymously. Anonymity is an important aspect, because threat intelligence data is very sensitive and many organizations would be reluctant to contribute it if it could be linked back to the source organization.
The company also has a
social media tool called ActiveTrust Hub, which links trusted peers across
industry vertical silos. IID also offers a threat intelligence service to its
members, leveraging the ActiveTrust engine data feeds to bring some level of
remediation.
Challenges: While the ability to share information anonymously can help dispel some concerns, IID's collaborative model depends on organizations being willing to contribute; some will not, preferring competing threat intelligence services that do not require them to share sensitive data. IID is U.S.-based and mainly operates in North America, so it may be challenged to expand into other regions, given some countries' concerns about covert monitoring by U.S. security agencies.
Who Should Care: CISOs
and IT security managers looking to improve visibility of threat intelligence,
particularly relating to their vertical industry peers, should consider IID.
Netskope
Analysis by Neil MacDonald
and Peter Firstbrook
Why Cool: Netskope
is a cloud access security broker (CASB) that can monitor the interactions
between cloud users and the cloud service itself — helping to bridge major
network, data and user security blind spots between cloud usage, mobile devices
and other user-controlled endpoints where the enterprise is not able to assert
controls (see "The Growing Importance of Cloud Access Security
Brokers").
Netskope inserts itself
into mobile/remote and on-premises cloud interactions with a transparent
forward or explicit (SAML-enabled) proxy, so that the content and interactions
in sanctioned and unsanctioned cloud applications can be analyzed for security
(including logging, auditing and DLP). Additionally, Netskope has a
sophisticated set of real-time, granular policy controls, as well as
context-aware and semantic-aware anomaly detection capabilities that can help
spot and stop fraudulent use of enterprise cloud services. By monitoring
firewall and proxy logs, Netskope also provides enterprises ongoing visibility
into the inventory of cloud services used — and identifies their associated
risk using its rating database of more than 4,500 cloud services.
Challenges: A large number of solutions are appearing to target the same cloud interaction-gap need, creating a very competitive environment. Secure Web gateway vendors are already in use by most organizations, and could provide a similar service to Netskope (and other CASB providers) if they focused more on this use case. Netskope has announced, but has not yet delivered, encryption capabilities to protect data at rest in cloud applications. It is beginning to offer its services beyond the North American market into Europe as a cloud-based service (there is no on-premises offering).
The DLP engine is not integrated with other enterprise DLP solutions, creating a new island of DLP policy and reporting. Getting into the path of cloud service usage requires some configuration, either by DNS modification, by PAC file modification or by integration with the cloud service's authentication process (which may not work for all cloud services). Initial pricing is a bit steep, so Netskope and other CASB vendors will be challenged to demonstrate concrete ROI.
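The PAC-file route mentioned above is the least invasive of the three insertion methods, and it is worth seeing what it involves. The following is an added example, not Netskope's configuration: a minimal proxy auto-config script that sends browser traffic for a list of sanctioned cloud services through a forward proxy (the CASB) and lets everything else go direct. The proxy address and the domain list are assumed values.

```javascript
// Added example (not Netskope's configuration): a minimal PAC file that routes
// traffic for sanctioned cloud services through a CASB forward proxy and lets
// all other traffic go direct. The proxy address and domain list are assumed.

// Domains whose traffic should be inspected (assumed list, lowercase).
var PROXIED_DOMAINS = ["salesforce.com", "box.com", "dropbox.com"];

// host:port where the CASB forward proxy listens (assumed value).
var CASB_PROXY = "PROXY casb-proxy.example.net:8080";

// ES3-compatible suffix match so the file also works in older PAC engines
// (e.g. WinHTTP/JScript) that lack String.prototype.endsWith. It behaves like
// the standard dnsDomainIs() helper but matches on a dot boundary, so
// "notbox.com" does not match "box.com".
function inDomain(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  var idx = host.length - domain.length - 1;
  return idx >= 0 && host.substring(idx) === "." + domain;
}

function FindProxyForURL(url, host) {
  // Bypass the proxy for plain hostnames and RFC 1918/loopback ranges so that
  // internal traffic is never hairpinned through the CASB.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (/^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/.test(host)) return "DIRECT";

  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    if (inDomain(host, PROXIED_DOMAINS[i])) {
      // "; DIRECT" makes the browser fall back to a direct connection if the
      // proxy is unreachable (fail-open). Return CASB_PROXY alone to fail closed.
      return CASB_PROXY + "; DIRECT";
    }
  }
  return "DIRECT";
}
```

Two caveats a practitioner should keep in mind. First, a PAC file is a client-side setting: a user who can change proxy settings, or an application that ignores them, bypasses the CASB entirely, so the egress firewall must also block direct access to the proxied domains if inspection is to be enforced rather than merely offered. Second, the "; DIRECT" fallback trades enforcement for availability; pick it deliberately.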
Who Should Care: Large
enterprise information security and compliance organizations that want to get
visibility into their enterprise's usage of cloud services (and the risk
associated with these services) — as well as visibility into sensitive data
usage monitoring and anomalous usage patterns — are good candidates for Netskope.
Norse
Analysis by Neil
MacDonald
Why Cool: Norse delivers a cloud-based Internet Protocol (IP) and URL reputation service that provides machine-readable threat intelligence from its own infrastructure, deployed worldwide in 140 data centers in 40 countries. By actively monitoring the darknet, such as hacker networks, Tor networks and hacker bulletin boards, Norse is able to determine with high assurance the reputation ratings of the IP addresses and URLs it observes. It actively processes and analyzes over 130TB of data each day, storing metadata and context in its 6.2PB database. From this threat intelligence data, Norse sells three primary offerings:
· A high-assurance IP and URL reputation service for enterprises (primarily financial services institutions) for the programmatic, real-time risk rating of transactions (with an SLA response time of 10 milliseconds), using a SaaS pricing model
· A dynamically updated contextual block list of high-risk IPs to be used within SIEM and other security solutions
· A service in which Norse actively monitors the darknet for IP addresses and URLs owned by an enterprise, to gain an outside-in view of compromise
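The second offering, a contextual block list consumed by a SIEM, is the easiest to put to work. The following is an added example, not Norse's feed format or code: it compiles a small block list of exact hosts and CIDR ranges, parses constructed key=value firewall log lines, and raises an alert whenever either endpoint of a connection falls in a listed range, carrying the feed's context (why the address is listed) and score into the alert. The list entries, scores, categories and log lines are all constructed for the example.

```javascript
// Added example (not Norse's feed format or code): apply a contextual block
// list of high-risk IPs to firewall log lines, the way a SIEM rule would.
// Log format, list entries, categories and scores are constructed for the example.

// Constructed block list: exact hosts (/32) and CIDR ranges, each with a risk
// score and the context the feed supplies.
const BLOCK_LIST = [
  { cidr: "203.0.113.7/32",  score: 95, context: "botnet C2" },
  { cidr: "198.51.100.0/24", score: 70, context: "Tor exit nodes" },
  { cidr: "192.0.2.0/25",    score: 80, context: "malware distribution" },
];

// Constructed firewall log lines (key=value style).
const LOG_LINES = [
  "ts=2014-05-02T10:00:01Z src=10.1.4.22 dst=203.0.113.7 dport=443 action=allow",
  "ts=2014-05-02T10:00:05Z src=10.1.4.23 dst=93.184.216.34 dport=80 action=allow",
  "ts=2014-05-02T10:00:09Z src=198.51.100.77 dst=10.1.9.5 dport=22 action=deny",
  "ts=2014-05-02T10:00:12Z src=10.1.4.24 dst=192.0.2.200 dport=443 action=allow",
];

// Dotted-quad IPv4 to unsigned 32-bit integer; rejects malformed input.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Pre-parse CIDR entries into (network, mask) integer pairs once per feed refresh.
function compileBlockList(entries) {
  return entries.map((e) => {
    const [net, bitsStr] = e.cidr.split("/");
    const bits = Number(bitsStr);
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return { ...e, net: ipToInt(net) & mask, mask };
  });
}

// Return the most specific matching entry (longest prefix), or null.
function lookup(compiled, ip) {
  const n = ipToInt(ip);
  let best = null;
  for (const e of compiled) {
    if ((n & e.mask) === e.net && (!best || e.mask > best.mask)) best = e;
  }
  return best;
}

function parseLine(line) {
  const rec = {};
  for (const kv of line.split(/\s+/)) {
    const i = kv.indexOf("=");
    if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return rec;
}

// Check both endpoints: an inbound connection from a listed source and an
// outbound connection to a listed destination both deserve an alert. An
// *allowed* outbound connection to listed infrastructure is boosted, since it
// suggests a host inside the perimeter is already talking to the attacker.
function matchLogs(lines, entries) {
  const compiled = compileBlockList(entries);
  const alerts = [];
  for (const line of lines) {
    const r = parseLine(line);
    for (const field of ["src", "dst"]) {
      const hit = lookup(compiled, r[field]);
      if (hit) {
        const severity = hit.score + (r.action === "allow" && field === "dst" ? 10 : 0);
        alerts.push({ ts: r.ts, field, ip: r[field], context: hit.context, severity });
      }
    }
  }
  return alerts.sort((a, b) => b.severity - a.severity);
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(matchLogs(LOG_LINES, BLOCK_LIST));
}
```

The fourth log line is deliberately a near miss: 192.0.2.200 sits outside the 192.0.2.0/25 range, and a rule that matched on the first three octets instead of applying the mask would have produced a false positive. Because the vendor's list is dynamic, the compiled table has to be rebuilt on every feed refresh; a stale block list silently loses exactly the freshest infrastructure it was bought to catch.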
Challenges: Many security vendors' research labs are now actively researching hacker networks to detect attacks and techniques earlier in development, and, based on this, are providing their own IP and URL reputation services. Thus, this type of service risks being commoditized and delivered as a standard part of advanced threat protection platforms. In addition, carriers and content delivery networks with a large number of points of presence could develop competing monitoring services. While Norse has broad visibility, it does not yet have visibility into every country with Internet connectivity. Finally, while some providers score both "good" and "bad" URL and IP reputations, Norse focuses exclusively on hackers and on hacker infrastructure.
Who Should Care: Any enterprise performing transactions of value over the public Internet should consider a transaction-scoring reputation service such as Norse, in order to perform a real-time evaluation of the transaction request. Norse's monitoring services will be of interest to information security professionals looking for an outside-in monitoring service that surfaces indicators of compromise as an additional layer in a defense-in-depth strategy.