Prelert Aiming To Make Its Mark In Advanced Security Analytics
A new crop of emerging advanced security analytics vendors is promising to go beyond security information and event management (SIEM) platforms and provide the visibility and context that incident responders need to investigate the riskiest threats to the network.
Framingham, Mass.-based Prelert is selling an analytics platform that can correlate information from a variety of systems and ties to Hadoop, Splunk and other data stores to uncover anomalies that could signal a serious threat. The company is expected to reveal a second round of investment funding this week to expand its engineering and field sales teams.
Prelert is recruiting partners with professional services capabilities, along with managed security services providers looking to bolster their threat detection capabilities. About half of the company's sales are tied to its Splunk integration; one-third of its customers use it to churn through large volumes of machine-generated data and reduce what would potentially be tens of thousands of security alerts to a handful for investigators. It can also pull in data from legacy SIEM systems to reduce alerts to a manageable level.
The company has 110 implementations, and executives told CRN that they are looking to build out their partner base to gain traction in the U.S. market. In addition to being a native application on Splunk, the company has an application programming interface (API) that cloud service providers or SaaS security vendors can use to embed the engine into their security services. Alert Logic uses Prelert's analytics engine in its SaaS-based offering. Buyers are typically the security architect or chief security officer within an organization, or the operations group, which uses it for application availability monitoring, the company said.
Prelert is in a race against other emerging security analytics companies, namely Securonix, 21CT, Bay Dynamics, Fortscale, and Narus, a subsidiary of Boeing, said David Monahan, a research director at Boulder, Colo.-based Enterprise Management Associates.
"They're doing data mining; they will sit on top of that log repository and chew the data up," Monahan said. "The more systems you have to throw data into it, the greater value you are going to get out of it."
The market for more powerful security analytics is growing in financial services, where large banks scour outbound data to uncover potential breach activity. The long line of retail data breaches and news about targeted attacks have prompted increased security spending, leading organizations in multiple sectors to evaluate security analytics platforms, Monahan said. Defense industry giants also use the technology because some of the more powerful platforms can churn through terabytes of data and examine millions of data points a minute. The market for the technology is only about three years old, he said.
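The alert-reduction idea described earlier (build a per-host baseline from the log repository, then surface only the observations that depart from it) and the outbound-data scouring mentioned in this paragraph, as an added example that is not Prelert's, Splunk's or any other vendor's code. It scores outbound byte counts per host with a median/MAD robust z-score so that a handful of burst hours are flagged out of a much larger record set. The host names, traffic volumes, the deterministic jitter and the threshold of 6 are assumptions chosen for illustration; the records are constructed inline so the script runs offline.

```python
"""Robust per-host outlier detection over outbound-transfer records.

Added example, not code from Prelert or any vendor named in the article.
All input data below is constructed for illustration.
"""
from collections import defaultdict
from statistics import median


def build_sample():
    """Construct (host, hour, outbound_bytes) records for three hosts over
    50 hours, with a +/-2% deterministic jitter, then overwrite two hours on
    ws-02 with exfiltration-sized bursts. Hosts and volumes are assumptions."""
    records = []
    for host, base in (("ws-01", 1_200_000), ("ws-02", 900_000), ("db-01", 4_000_000)):
        for hour in range(50):
            wobble = (hour % 5 - 2) * base // 100  # cycles -2%..+2%, no RNG needed
            records.append((host, hour, base + wobble))
    bursts = {("ws-02", 48): 180_000_000, ("ws-02", 49): 220_000_000}
    return [(h, t, bursts.get((h, t), b)) for h, t, b in records]


SAMPLE_RECORDS = build_sample()


def robust_baseline(values):
    """Median and median absolute deviation (MAD) of a sample. The MAD is
    scaled by 1.4826 so that it estimates one standard deviation for
    normally distributed data; unlike mean/stddev it is not dragged by the
    very outliers we are trying to find."""
    med = median(values)
    mad = median(abs(v - med) for v in values) * 1.4826
    return med, mad


def detect_outliers(records, threshold=6.0):
    """Group records by host, fit a median/MAD baseline per host, and return
    (host, hour, bytes, score) for every observation whose robust z-score
    exceeds `threshold`, highest score first."""
    by_host = defaultdict(list)
    for host, hour, nbytes in records:
        by_host[host].append((hour, nbytes))

    alerts = []
    for host, observations in by_host.items():
        med, mad = robust_baseline([b for _, b in observations])
        if mad == 0:
            # Perfectly flat history: fall back to 1% of the median (or 1 byte)
            # so a sudden change still scores instead of dividing by zero.
            mad = max(med * 0.01, 1.0)
        for hour, nbytes in observations:
            score = (nbytes - med) / mad
            if score > threshold:
                alerts.append((host, hour, nbytes, round(score, 1)))

    alerts.sort(key=lambda a: a[3], reverse=True)
    return alerts


def triage_summary(records, threshold=6.0):
    """Return how many raw records came in and how many alerts came out."""
    return {"records": len(records), "alerts": len(detect_outliers(records, threshold))}


if __name__ == "__main__":
    print(triage_summary(SAMPLE_RECORDS))
    for host, hour, nbytes, score in detect_outliers(SAMPLE_RECORDS):
        print(f"{host} hour={hour} outbound={nbytes:,} bytes score={score}")
```

The median/MAD choice is the point of the example: with a mean and standard deviation, two 200 MB hours would inflate the baseline enough to partly hide themselves, whereas the median baseline stays at the host's normal volume and both bursts score far above the threshold while every ordinary hour scores below 1.5.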
It can take years to build out expertise and hire people who can review security data and pull relevant information out of a massive number of events, said Dan Wilson, co-founder and executive vice president of partner solutions at Accuvant, in a recent interview with CRN at the annual Intel Security Focus conference. Security analytics was a big discussion at the conference among managed security service providers with strong security and incident response practices.
"Managed services is becoming a huge opportunity because more and more someone is buying a next-generation firewall solution but they don't have the budget to get the people to go and manage it," Wilson said. "In the past clients would come and say this is exactly what we need, but now there's all this noise and different threats and they need to take a step back and assess what is in place. It's a great opportunity for the channel but it takes a great deal of understanding of the business and strong and experienced people."
Vendors are trying to attract attention by carving out a specialty in a small part of data correlation, said Amit Yoran, who was elevated to president of RSA Security last week. RSA put a stake in the ground around security analytics following its 2011 acquisition of NetWitness, a company Yoran founded and led. Nipping at its heels is Sunnyvale, Calif.-based Blue Coat Systems, which acquired Solera Networks last year and is attempting to integrate its portfolio into a cohesive platform. IBM is also integrating its QRadar SIEM and creating analytics that tie into big data repositories.
RSA's Yoran is working with executive chairman Art Coviello to integrate the Bedford, Mass.-based company's product portfolio and create a "unified analytics platform." Yoran said interest in security analytics has grown significantly since the integration project began. RSA is now feeding the monitoring appliance host data, vulnerability data, NetFlow, and threat intelligence feeds to speed up detection of so-called advanced threats and contain them before data is stolen.
"These people are looking for pervasive visibility, the advanced analytics and most importantly the prioritization of security activity," Yoran said. "Not only are we collecting all the logs and alerts to gain visibility, but we also have the governance and organizational risk management practices in the mix to make all the information more meaningful."
Hexis Cyber Solutions, a subsidiary of Hanover, Md.-based KEYW Holding Corp., is trying to differentiate its platform by specializing in automated response and remediation capabilities. Hexis launched a formal channel program in February and is attracting solution providers with networking practices that specialize in selling and delivering FireEye, Palo Alto Networks and Cisco-Sourcefire appliances.
Organizations are looking to gain control of incident response capabilities at a time when there is a severe skills shortage of security professionals and digital forensics investigators, said Dewayne Adams, chief technology officer at Patriot Technologies, a Frederick, Md.-based solution provider and Hexis partner. While organizations aren't necessarily going to embrace full automation, out of fear that endpoint systems and applications could be disrupted, the machine-guided mode lets a tier-one administrator handle incident response, Adams said.
"There's some real monetary value to be gained out of reducing the time and effort it takes to investigate these alerts that are just piling up from all of these appliances in the environment," Adams said.
PUBLISHED NOV. 3, 2014