Training big data's eye on cybersecurity threats

The data explosion is upon us. Big data analytics is supposed to help us sift through it all. Can it also help keep enterprise hackers at bay? We talk to the founders of Seculert.
Written by Andrew Nusca, Contributor

"Data is the new oil."

So goes a refrain that has seen a surge of popularity in recent months. For us technology types, data has always been core to our way of life, but only in the last few years has its value been so transparent. Never mind the components of your smartphone, or the infrastructure of your region's electricity grid, or a Silicon Valley startup's proposed business model -- it's the data that holds the biggest potential profitability, they say.

(Try saying that as you sit in a house without electricity, watching the charge on your smartphone deplete before your eyes. But I digress.)

For decades, data has greased (oiled? ha!) the wheels of corporate operations. Now, "big data" -- that nebulous concept that involves the computational organization and analysis of massive and complex datasets to unearth new and valuable insights -- promises to accelerate the process.

Here's the catch: as data proliferate, so do the opportunities to exploit them. The interconnected nature of a data-driven world serves as both a positive and a pitfall of epic proportions.

If you think about it, it's the kind of problem for which you would want to apply a big data solution. Yes, you read that right -- use big data to protect big data. (Your mind ought to be reeling right now at the Inception-like mental acrobatics I just applied.)

Seculert is an Israeli security startup that aims to use big data analytics to uncover corporate cyberthreats. In late October, it introduced a proprietary engine -- "Seculert Sense" -- that uses Amazon Elastic MapReduce to collect and analyze terabytes of data gathered from live botnets, malware and the log files that its customers upload to the cloud. The results are delivered via a secure web-based dashboard.

The idea: speed up threat detection, make defenses more nimble in how they adapt to changing threats and address the enterprise's increasing activity outside the company network.

I spoke with founders Aviv Raff and Dudi Matot to find out more.

ZD: How did Seculert come about?

DM: The company started in 2010, but we were watching the market for some time before.

If we go back to the beginning of 2000, through 2003 and 2004, malware was targeting financial consumers. Scanners and denial-of-service were used by botnets around 2006. By 2009 and 2010, there was a shift into targeting enterprises. Google was among the first to say it was targeted, by the Chinese, at that time. And they weren't alone -- 70 other companies were targeted, too, including most of the security vendors.

Most traditional security vendors provide their customers with policy- or signature-based solutions -- they provide the tool, and the customer configures. You cross your fingers and hope that everything's OK.

Now we're seeing techniques where [hackers] are trying to hack into the enterprise and acquire proprietary information. We're trying to provide information to pinpoint breaches where the system doesn't catch them.

Most enterprises today have been compromised and they don't know it. They're still relying on old technologies and concepts that no longer work.

Thanks to the cloud and all these technologies, such as big data, we can take terabytes of data, process it and correlate it with very sophisticated code in a distributed way, over 50 instances, and get sophisticated analytics.

ZD: Your company puts a lot of emphasis on how security needs to reach beyond the corporate network. I imagine the bring-your-own-device trend has accelerated this need.

AR: Employees are connecting remotely -- from home, while traveling, using mobile devices, often their own. This has created some challenges for the traditional approach -- you can only control what belongs to you. Our product can determine compromised devices externally.

You also don't have to worry about hardware, storage and so forth. If you need to scale up, that's not an issue -- you can scale from one month of logs to one year's worth in an hour.

DM: Many applications and other assets are moving to the cloud. More employees are working remotely and externally. The fact that you secure the network doesn't do any good. You need to run sophisticated detection on limited devices -- this is easier with the cloud. You don't need to manage and maintain all these boxes.

Most of the vendors provide you with an appliance that provides good enterprise network coverage -- a gateway or something. Check Point, Palo Alto Networks, et cetera. But none of them are protecting your remote employees. You're hoping that they have antivirus or won't do something stupid. IT is moving, but there's not much security. It's much looser than it used to be.

AR: Enterprises understand that they have limited visibility into what's going on. We're trying to help them see what's going on outside of the organization and identify advanced malware that might get around what they already have in place. You've probably spent a million dollars on this; we're positioning Seculert as an addition to what you already have. A complementary service.

ZD: So how do you prove it and drum up business? Fear of the unknown? Startups are built around solutions to problems, but if enterprises don't know they have a problem...

AR: Organizations know the statistics on how many [companies] are compromised without knowing it. They'll tell us, "We've been told that we were probably compromised, but we don't know."

DM: We have a free trial. Enterprises can assign keywords and we can correlate that with our database, from the information we harvest. If we find those keywords, it means we've been able to find assets that belong to your enterprise that we've intercepted, acting as a member of a botnet. That's Seculert Echo.

We also allow companies to share with us their internal logs, so that we can identify an attack vector against them. Once a vector has been used on A, it's often used on B. That's Seculert Sense.

ZD: I presume that the more customers you have, the better the insights.

DM: Yeah, absolutely.

ZD: Why offer your services independently, and not integrated with an existing cybersecurity company? I mean, if you're complementary and all, it seems like a logical fit.

DM: Then we'd be vendor-centric.

ZD: So the financial benefits of being vendor-agnostic are better than striking a deal with a single vendor to take a crack at their customer base?

DM: Yes.
