Editor’s note: Siemplify today announced the availability of a new orchestration module for its ThreatNexus™ security operations platform, fulfilling the demand for a complete end-to-end solution for security operations centers (SOCs). ThreatNexus is the industry’s first security operations platform to fully unify the diverse security tools used in organizations, providing SOCs with a comprehensive platform for security operations and incident response, from case management and analytics to hunting, intelligence, automation and reporting.
I spoke with Amos Stern, Siemplify’s CEO and co-founder, about the platform’s benefits and how it impacts security in the Internet of Things.
Besides being the first end-to-end solution for security operations centers, how does the ThreatNexus platform change the security tools landscape?
Amos Stern: The current landscape is mostly patches of tools. Historically, companies acquired point solutions and had a best-of-breed kind of architecture. Detection systems evolved, and new technology vectors were introduced such as mobile devices, the Internet of Things and cloud. So companies needed to buy a mobile security solution and a cloud security solution. But there is no silver bullet that can protect organizations, so many organizations now have 50 or even 70 different security tools, each focused on a different aspect of the organization. While this was a feasible architecture when organizations had only a firewall and antivirus solution, this is becoming a very unfeasible situation to manage.
How does the platform enable responding to security incidents?
Amos Stern: The weakest link today is not the ability to detect attacks but, rather, what happens in the security operations center after the detection and whether the security teams monitoring alerts respond to events in a timely manner.
The mindset also changed. Instead of thinking “How are we going to stop a breach?” organizations now ask “How do we find out fast if we have been breached?” A lot of detection systems issue alerts about something that is happening. But security teams are primarily comprised of entry-level analysts that are inundated, monitoring millions of logs for security alerts. It’s hard for them to realize what’s actually happening and what is the important thing to do in response.
With ThreatNexus, the security data from disparate tools converges into a centralized place where it can then be processed manually and also automatically in order to help reach a conclusion and to initiate a response. The orchestration engine enables a full range of automation capabilities including a playbook to standardize incident management processes, validation of an incident prior to opening it or complete automation of incident response.
Our system helps bring the return on investment (ROI) from all the disparate tools you have. When the data comes into our system, we can make sense of it. For instance, it looks for the context and then tells you things like “This alert on the mobile device is part of a larger attack.” It enables prioritizing the incidents and helps understand how to initiate action.
Can you give me an example of benefits realized by a company using your solution?
Amos Stern: I’ll give you an example of a big bank we’ve been working with. In their security operations, they had many sources of alerts and security sensors issuing alerts. They told us that by using our system, they cut down the number of incidents that they need to deal with by around 80 percent. And they were able to cut in half the time it takes them to actually respond.
So by using your product, companies will not only enhance their security capabilities, but they’ll save money.
Amos Stern: Yes. The two value drivers are, first, being able to do more with the same amount of human power and use the human power for more interesting things. Second, organizations save money from the actual breaches because they can find the breaches and resolve them much faster.
Do you think this platform will help in eliminating the fears that organizations currently have around security in the Internet of Things?
Amos Stern: The problem with the IoT is the number of devices that will be introduced to the networks – multiply the number that exists right now tenfold. I mentioned the weakest link earlier. Today the work for a security team is very manual and time-consuming with analyzing the security data. They are already burdened. So if you double the number of end points that they need to monitor, it will be even worse. ThreatNexus makes the weakest link more efficient. Our platform puts the data from end points in mobile devices or the Internet of Things into the bigger context and helps the analysts get to the root cause of the attacks.
Beyond the issues resulting from so many disparate security tools, is there a weakness in the tools themselves?
Amos Stern: Every customer I talk to about their pain point says the tools need to evolve so they actually do something with the alerts and not just have alerts. People think that if there is a detection or an alert, a breach is being prevented. But that’s not the case. It just means that there’s an alert being given among thousands of other alerts.
All the detection tools used in security operations centers are really old. Tools launched in 2000 are still used today; there has not been any progress in that space until now.
Why has there been a gap of a decade of not evolving solutions in this space?
Amos Stern: It’s a natural progression. There wouldn’t be a need to evolve the operations side of things before having good detection systems. Ten or 15 years ago mostly end points, antivirus, firewalls and maybe a proxy comprised most of what was then called information security.
Now there are so many detection tools plus new vectors that need to be covered such as the IoT, mobile and cloud (and there always will be new vectors), that the alert load in the security operations center is now up to hundreds and thousands a day. It’s a natural progression to now focus on that. Gartner has opened a new category for this, and they forecast having a new magic quadrant for this area in two years.
What are the pricing and deployment models for your platform?
Amos Stern: It’s paid for on a yearly license. The server is either deployed on premises or in a hybrid or private cloud environment. Most of our customers today request that the software be deployed locally in their on-premises data center. While many companies want to move to the cloud, especially the midsize and big organizations that we work with, they’re still hesitant to send that sensitive information to the cloud. So we see a movement to the cloud, but so far it’s deployed mostly on premises.
We can deploy our solution in just a couple of days and it brings the entire capabilities of next-generation security software that companies need, end-to-end.
Amos Stern is CEO and co-founder of Siemplify. He brings a unique technical and business background that includes leadership of the cyber security department within the IDF Intelligence Corps as well as directing sales and business development for Elbit’s Cyber & Intelligence Division. Contact him at firstname.lastname@example.org. Follow him on Twitter, LinkedIn or Facebook.