Businesses are increasingly concerned about targeted attacks, fueled in part by threats uncovered by FireEye, its services arm Mandiant and other firms that showcase sophisticated cyberespionage attacks.
CounterTack is among a group of emerging security vendors that claim to address advanced threat detection and response at the endpoint. The Waltham, Mass.-based security company unveiled a new channel program this week, hoping to attract partners to sell its Sentinel platform into clients that have the skilled IT talent on staff who can manage big data analytics.
Sentinel combines data collected by its endpoint behavioral monitoring agents with other threat intelligence data to identify subtle endpoint changes that could signify an attack. The agents embed themselves deep into the Windows operating system kernel to observe file and process behaviors on desktops, laptops and servers. The information is sent to an on-premise Cloudera Enterprise-based analysis cluster for threat detection.
CounterTack is attempting to attract a limited number of resellers with technical expertise with its CyberPath Channel Program. The company recently reached an agreement with Forsythe Technologies' SOS Security subsidiary and is working on deals with Accuvant and FishNet Security. Executives said they also have a team aggressively pursuing managed service providers.
Authorized partners under the new program will have access to deal registration and free training with no up-front revenue commitments, said Mike Deskewies, director of channel sales at CounterTack. The company is committed to providing free training as well as funding joint marketing campaigns with early partners. Field sales and technical support personnel will work with partners on all the engagements, he said.
"We are going to fund a lot of the marketing and demand generation with the partners," Deskewies said. "We believe this is a large, emerging market that needs radical change from a solution approach."
The platform is akin to having a forensics honeypot capability, said Nick Peaster, managing director at Sussex, U.K.-based security systems integrator Preventia Ltd., an early CounterTack partner. FireEye, Palo Alto Networks and others have increased the ability to detect network threats, but correlating endpoint measurements with data at the gateway and external intelligence feeds can improve an incident responder's understanding of the extent of a detected threat, he said. Incident responders can then rapidly cut off an attack before sensitive data is accessed, Peaster said.
"Right now, the correlation is lacking and most people are looking at network activity with no substance behind a triggered alert," Peaster said. "People want to know what the attack is and whether it is relevant, whether the server is indeed compromised and if it was taken or not."
CounterTack competes with other endpoint security vendors, including Carbon Black, acquired by Bit9, Cybereason, CrowdStrike and RSA ECAT. A firm that comes close to CounterTack may be 21CT, an emerging vendor that has created LYNXeon network behavior and analysis and visualization software. It applies analytics to uncover relationship patterns, but aims the results of the analysis to digital forensics investigators who document the scope of an attack. 21CT, which recently became a member of Cisco-Sourcefire's technical partner program, said its goal brings security a step closer to predictive analytics. Hanover, Md.-based Hexis Cyber Solutions also recently announced a new channel program for its platform, which combines endpoint and network analysis to detect advanced threats.
Big data Hadoop implementations designed to crunch security system data with external threat intelligence feeds and other unstructured behavioral marks is still in the early stages, according to industry analysts. Many of the projects that involve big data analytics are being driven by the need for improved business intelligence and not necessarily the need for better security.
Security teams need tools and processes to sharpen how to analyze and take action on alerts, said John Kindervag, vice president and principal analyst at Forrester Research Inc. A significant number of false positives combined with a growing number of alerts make it difficult for teams to reduce the noise-to-signal ratio, Kindervag said. Kindervag and Forrester analyst Rick Holland predict a gradual shift from threat detection to new data protection and prevention capabilities.
"You don't have to necessarily get to the point to predict the next attack; you have to know whether to stop something because it isn't good," Kindervag said. "Unfortunately, it is easier said than done for most organizations."
PUBLISHED JUNE 3, 2014