Startup analyzes behavior to stop malware threats

Open Threat Management platform prioritizes threats, cuts the number of alerts to be analyzed.

Startup Seceon has joined a growing number of firms focused on quickly analyzing behaviors on corporate networks to identify and prioritize threats that ought to be dealt with, cutting down on the manual work required to spot and stop attacks.

In addition to identifying intrusions, the company’s Open Threat Management (OTM) platform can also automatically block suspect behaviors using scripts to other devices on the network.

The company competes against a number of others including Damballa, LightCyber and Vectra, as well as vendors with broader portfolios such as Carbon Black, enSilo, FireEye, Guidance, Promisec, Resolution1 Security, and Tanium.

Unlike some of these, OTM supports automatic responses to block identified threats.

The platform consists of a server that gathers traffic flow information from network devices as well as Active Directory information, DNS, DHCP, data from other security gear such as firewalls and SIEMs, and deduplicated threat intelligence from 60 third-party suppliers.

Its analytic engine sorts through the data using behavior-based threat modeling that is informed by machine learning. It looks for evidence of malicious behavior such as machine-to-machine scanning, or a single set of credentials being used from multiple machines and different locations.
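As an added illustration (not Seceon's code or format) of the two behaviors just named, the snippet below runs two simple sliding-window rules over constructed log events: a credential used from several hosts in more than one location, and one host touching many distinct machine/port pairs in a short time. The event layout, thresholds and window sizes are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, kind, subject, target, detail)
#   kind "auth": subject = user, target = host the login came from, detail = location
#   kind "flow": subject = source host, target = destination host, detail = dest port
EVENTS = [
    ("2016-03-01T09:00:00", "auth", "alice", "ws-12", "boston"),
    ("2016-03-01T09:04:00", "auth", "alice", "ws-41", "boston"),
    ("2016-03-01T09:06:00", "auth", "alice", "srv-db2", "frankfurt"),
    ("2016-03-01T09:10:00", "auth", "bob", "ws-07", "boston"),
    ("2016-03-01T09:11:00", "flow", "ws-41", "srv-db1", "445"),
    ("2016-03-01T09:11:20", "flow", "ws-41", "srv-db2", "445"),
    ("2016-03-01T09:11:40", "flow", "ws-41", "srv-fs1", "139"),
    ("2016-03-01T09:12:00", "flow", "ws-41", "srv-web1", "22"),
    ("2016-03-01T09:15:00", "flow", "ws-07", "srv-mail", "25"),
]

def parse(ev):
    ts, kind, subject, target, detail = ev
    return datetime.fromisoformat(ts), kind, subject, target, detail

def credential_spread(events, window=timedelta(minutes=10), min_hosts=2):
    """Flag users whose credentials were used from >= min_hosts distinct hosts,
    spanning more than one location, inside any sliding window of `window`."""
    by_user = defaultdict(list)
    for ts, kind, user, host, loc in map(parse, events):
        if kind == "auth":
            by_user[user].append((ts, host, loc))
    alerts = {}
    for user, uses in by_user.items():
        uses.sort()
        for t0, _, _ in uses:  # start a window at each login
            win = [u for u in uses if t0 <= u[0] <= t0 + window]
            hosts = {h for _, h, _ in win}
            locs = {l for _, _, l in win}
            if len(hosts) >= min_hosts and len(locs) > 1:
                alerts[user] = (sorted(hosts), sorted(locs))
                break
    return alerts

def scan_detect(events, window=timedelta(minutes=5), min_targets=4):
    """Flag a source host that reaches >= min_targets distinct (host, port)
    pairs inside `window`: the machine-to-machine scanning pattern."""
    by_src = defaultdict(list)
    for ts, kind, src, dst, port in map(parse, events):
        if kind == "flow":
            by_src[src].append((ts, dst, port))
    alerts = {}
    for src, flows in by_src.items():
        flows.sort()
        for t0, _, _ in flows:
            targets = {(d, p) for t, d, p in flows if t0 <= t <= t0 + window}
            if len(targets) >= min_targets:
                alerts[src] = len(targets)
                break
    return alerts
```

On the sample data only alice (three hosts, two locations) and ws-41 (four targets in about a minute) are flagged; bob and ws-07 fall below the thresholds.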

The output reduces the number of alerts that analysts need to sort through by several orders of magnitude, the company says. An enterprise might wind up getting five to 10 per day.

Analyzing data from a wide range of sources and distilling the results greatly reduces the urgent workload of analysts, says David Monahan, an analyst at Enterprise Management Associates. As a result OTM can become a force multiplier, he says, enabling a smaller staff to provide better coverage by focusing their efforts. It might even free up people to do more big-picture work, he says.

The company claims more than 31 customers in the process of deploying OTM and a dozen running it live. One of those is SeaChange, a video-delivery service provider whose director of IT, Jim Godschall, says the platform helps sort through log data used to detect threats more quickly than live security analysts could.

The systems he already had in place generate a lot of data. “We get a lot of logs and a lot of alerts,” he says. OTM helps answer the question, “How do we find the recurring onesy-twosy events that we would never see?” he says.

He says the platform helps stretch the capabilities of his limited IT staff by reducing the number of alerts that have to be checked out manually.

Godschall says that in the months it has been in place OTM hasn’t found threats, but it has been useful. For example, a firewall was dropping traffic from one of the company’s labs every day at about the same time, as the lab tried to reach a certain IP address. “It turned out to be a misconfiguration but it could have been malware,” he says.

SeaChange hasn’t yet tapped into the platform’s enforcement capability, which can block malicious behavior. Godschall is taking a conservative approach: alerts are checked out by security analysts and remediated manually. “I’m always thinking about the maturity curve” of new products, he says, and he wants to verify how accurate the Seceon platform is before deciding to use auto-response. “Once I’m satisfied, the answer is yes.”

Chandra Pandey

OTM uses machine learning and data analytics to find attacks and to learn what’s normal and what activity indicates attacks, says Chandra Pandey, Seceon’s CEO.

The platform includes a library of scripts that issue commands, via APIs, to various vendors' gear in order to intervene when an intrusion is detected. It is a finite list of devices, but the company has started with the major vendors in each category so that the scripts are as widely useful as possible.

So firewalls could block threatening connections, or users that seem to be involved in suspicious activity could be forced to reauthenticate and have their permissions reduced via Active Directory.

Seceon was founded in January 2015 to develop a threat detection and management platform that finds attacks not picked up by SIEMs, IDSs and firewalls, says Gary Southwell, the company’s CSO.

Pricing can be based on the number of machines covered, at $50 per month for each critical asset and $500 per month for each core networking device, with discounts for volume. Alternatively, customers can pay a flat $100,000 per year for a single server instance handling as many devices as the customer wants to include.

The company is privately funded.

Pandey and Southwell have worked together for 16 years, starting at optical Ethernet vendor Internet Photonics (bought by Ciena in 2004), Juniper Networks and BTI Systems.

Stories by Tim Greene