Securosis Guide: Attack of the (Analytics) Clones


This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.


Opening Crawl...

"There is unrest in IT security. Thousands of malicious events pass undetected each day, and have overwhelmed the limited capabilities of SIEM to protect the enterprise. These attackers and rogue insiders, motivated by profit and revenge, continue to steal data without fear of detection. In an effort to stem the tide, dozens of companies have created an ARMY OF ANALYTICS TOOLS to assist the overwhelmed SIEM ... they are The Analytics Clones."

End Crawl.

As you wander the halls of Moscone Center, you'll be wondering how and where all these little firms offering 'advanced' threat analytics and security insights came from. As if overnight, we got dozens of options to assess threats 'at scale'. To be honest, it really doesn't take that long to strap a visualization plug-in atop a Hadoop cluster and run basic queries against it. It's a grass-roots solution to a very real security problem.

A lot of security folks are pissed off that their SIEMs don't detect many types of malware or can't discern common attack patterns. There is plenty of event data to be mined, but the storage volume, data types, and processing capabilities needed to take advantage of it have been missing. Or they were, until Hadoop and Cassandra and the few dozen analytics modules popped up in the open source community. It did not take much to repurpose code used to chart star clusters or customer analytics into security monitoring of event data.

One of our primary reasons for adopting a Star Wars meme for this year's RSA pre-conference blog series was specifically this group of companies we have been calling a Clone Army for some time now. And from the outside they really all do look alike. A 'big data' cluster for ingestion and analytics. Maybe some cloud-based services to leverage data from multiple sources. Topped off with a shiny animated visualization engine to impress people with big checkbooks and 'Voila!'—a whole new security sub-market appeared.

As a potential buyer, how do you differentiate one from the other? We're not sure. Clone troopers get tattoos and call themselves familial names like 'Hevy' and 'Fives' so they can tell themselves apart, but we don't even think Commander Cody could tell the real thing from an imposter here. The analytics firms try to differentiate by saying stuff like 'Malware and cyberthreat detection via our patent-pending intelli-smart active-passive dynamic big data analytics and class-leading expert knowledge combined with deep meta-semantic behavioral science—in the cloud—stopping disgruntled rogue hack-fraudsters in their tracks. Especially when they wear black ski masks.' Actually, I made that last bit up. The rest of it is real. All of it.

The aggressive attempts at differentiation fail, because when it comes down to it, they still all look and act alike. It will be another couple of years before they mature the technology into the minimum set of functions enterprises need. Right now, they are much like your garden-variety Stormtroopers, who don't seem to be able to hit anything. And it's not just me that noticed this, right? 25 billion laser bolts (er, security events) and little to show for it. And that's where things get interesting, as we saw a very real 'rebel alliance', as it were, formed by many large enterprises who grew frustrated and built their own analytics tools from scratch. The clone army simply didn't deliver what companies wanted, and they still lack much of the enterprise customization and integration capabilities needed. That's right, the [pew pew pew] laser-map user interfaces only get you so far; sooner or later you need to conjure up the stolen data plans.

And who is funding all these firms? It must be some deep-pocketed inter-galactic banking clan who were Jedi mind-tricked during their diligence process. For example, if you're investing in a startup, surely you checked out the competition and stumbled across 25 or so of them in the field (yes, at least that many—I've set up a dedicated Hadoop cluster to track them)? Oddly, competition is often considered a sign there is a real market, but in this case the competition is ridiculous. Just a handful will ever make money before early financing runs out; even a Muun-ian will be heading for the exits once they realize their investment will not pay out, and force-choking your investors into a mezzanine round is not an option.

— Adrian Lane

Check out the complete series:
Introduction
Theme posts: Threat Intelligence & Bothan Spies; R2DevOps; Escape from Cloud City; The Beginning of the End(point) for the Empire; Training Security Jedi; Attack of the (Analytics) Clones
Deep Dives: All Threats, All the Time...; Data Security Deep Dive; Cloud Security Deep Dive

Posted on February 19, 2016 by Securosis Team

© 2016 EMC Corporation. All rights reserved.