In this interview, Alex Vaystikh, Co-founder and CTO at SecBI, discusses the problems that manual investigations pose for security teams, and how technology can help while also improving response times. Alex has 10 years of experience in cyber security research and development, and previously served as Principal Research Scientist at RSA’s Cross-Product Data Science team, which led RSA’s applied Machine Learning and Data Science research. Alex has published several patents and papers, and is a CISSP (Certified Information Systems Security Professional).
Tell us about your product/business and your specific role?
I am CTO and co-founder of SecBI. We have developed a unique approach to network traffic analysis that delivers automated cyber threat detection and investigation for SOCs and MSSPs. Our solution can be deployed on-premise or in the cloud, with no need for special appliances or agents. It is currently used by financial institutions, telecoms, retailers, and manufacturing enterprises worldwide.
What is the core issue your product/technology aims to address and what sets it apart from the other players in the market?
Security analysts are drowning in data, because most solutions simply search for any anomalies they can find. This generates hundreds or thousands of daily alerts that require manual correlation and investigation. In contrast, SecBI’s Autonomous Investigation technology incorporates unsupervised machine learning to (a) rapidly analyze massive amounts of log data from network security gateways and (b) cluster all related alerts, events, and logs into a single narrative and incident report that includes all related forensics evidence (e.g. affected users, domains and devices). This dramatically reduces the security team’s response time, enhances overall protection levels and saves money.
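The answer above describes clustering related alerts, events and logs into one incident narrative keyed on shared forensic entities (users, domains, devices). The following is an added illustration written for this page, not SecBI's code and not a description of its algorithm: it links alerts that share a user, device or domain with a union-find structure, and treats entities that appear in a large share of all alerts as "hubs" that are ignored as links, since a domain or device that everyone touches would otherwise collapse unrelated activity into one incident. The alerts, entity names and the hub threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample alerts (not real customer data). Each carries the kinds
# of entities the interview names as forensic evidence: user, device, domain.
ALERTS = [
    {"id": "a1", "source": "proxy", "user": "u.adams", "device": "wks-101",
     "domain": "update-cdn.example", "signal": "rare domain"},
    {"id": "a2", "source": "dns", "user": None, "device": "wks-101",
     "domain": "update-cdn.example", "signal": "periodic query"},
    {"id": "a3", "source": "proxy", "user": "u.adams", "device": "wks-101",
     "domain": "files.example-share.test", "signal": "large upload"},
    {"id": "a4", "source": "proxy", "user": "m.lee", "device": "wks-207",
     "domain": "update-cdn.example", "signal": "rare domain"},
    {"id": "a5", "source": "proxy", "user": "j.kim", "device": "wks-330",
     "domain": "news.example.org", "signal": "new user agent"},
]

# Entity fields that are allowed to link two alerts into one incident.
ENTITY_KEYS = ("user", "device", "domain")


class DisjointSet:
    """Minimal union-find with path halving; keys are alert ids."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_alerts(alerts, hub_threshold=0.8):
    """Group alerts sharing a user, device or domain into incidents.

    An entity seen in more than hub_threshold of all alerts is a hub and is
    not used as a link (hypothetical cut-off chosen for this example).
    Returns a list of sorted id lists, largest incident first.
    """
    counts = defaultdict(int)
    for a in alerts:
        for k in ENTITY_KEYS:
            if a.get(k):
                counts[(k, a[k])] += 1
    hubs = {e for e, n in counts.items() if n / len(alerts) > hub_threshold}

    ds = DisjointSet()
    first_seen = {}  # entity -> id of the first alert carrying it
    for a in alerts:
        ds.find(a["id"])  # register singletons that link to nothing
        for k in ENTITY_KEYS:
            v = a.get(k)
            if not v or (k, v) in hubs:
                continue
            ds.union(first_seen.setdefault((k, v), a["id"]), a["id"])

    groups = defaultdict(list)
    for a in alerts:
        groups[ds.find(a["id"])].append(a["id"])
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))


def build_incident(alerts, ids):
    """Assemble one incident record with its forensic entities and a narrative."""
    members = [a for a in alerts if a["id"] in set(ids)]
    def values(key):
        return sorted({a[key] for a in members if a.get(key)})
    incident = {
        "alerts": sorted(a["id"] for a in members),
        "users": values("user"),
        "devices": values("device"),
        "domains": values("domain"),
        "sources": values("source"),
        "signals": values("signal"),
    }
    incident["narrative"] = (
        f"{len(members)} alerts from {', '.join(incident['sources'])} "
        f"involving users {incident['users']}, devices {incident['devices']} "
        f"and domains {incident['domains']}: {'; '.join(incident['signals'])}"
    )
    return incident


if __name__ == "__main__":
    for ids in cluster_alerts(ALERTS):
        print(build_incident(ALERTS, ids)["narrative"])
```

With the default threshold the five constructed alerts collapse into two incidents: one linking the proxy and DNS alerts through the shared device and domain, and one isolated alert. Lowering the threshold to 0.5 turns the shared device and domain into hubs, which splits the first incident apart; the threshold is therefore a tuning decision an analyst has to validate against their own traffic rather than a fixed constant.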
What’s the one industry, sector or role that your technology is most relevant to?
SecBI is relevant to any organization that generates intellectual property and has a significant Internet presence.
What are some of the common challenges your customers approach you with?
They are drowning in data, but are unable to hire the number of qualified security analysts that they need. Our technology helps to scale the operations team. They use SecBI almost as a prosthesis for cognitive work that the security analyst should be doing, but doesn’t have time to do.
Most of the IT functions in enterprises have today incorporated anomaly detection in their security measures. How effective is this in covering the extensive threats to enterprise data and systems? How can growing organizations ensure they are optimizing security solutions while fetching the best ROI from their deployments?
The efficacy of anomaly detection solutions is very low. It is an extremely ineffective detection solution that raises way too many flags and sends analysts chasing false positives. The best solution is to find machine learning experts and developers who understand the domains, threats and algorithms, and have them make a solution for you. But the more realistic answer is to buy from a company that has already spent many years perfecting a solution to your specific problem. SecBI is one such solution.
To ensure the best ROI from their deployments, organizations need metrics to measure how long it takes their solution to detect, understand and resolve a cyber threat. They should also measure how scalable the solution is, and decide whether it can scale with them. If it needs to be put on every single endpoint or router, it’s going to be much more difficult and time-consuming to scale than a solution that’s a virtual appliance or something like that.
With AI the go-to technology for practically every enterprise need, how can enterprise IT teams create algorithms that make it possible to have fewer resources monitoring their security needs? How can machine learning help security analysts respond quickly and efficiently to instances of data and systems breaches?
IT teams should probably not be creating algorithms themselves. They should not be reinventing the wheel, just like IT teams should not be writing their own firewall solutions. What they should be doing is mapping the threat landscape for their organization to determine what is most important to them, how large the attack surface is, whether they have visibility into it, and what the metrics are. Once they do that, they’ll quickly realize that visibility brings with it massive amounts of data.
When the organization only has 50 employees, they can have one person going through the data day in and day out, finding interesting things and responding to them. But once the company grows beyond 100-200 people, it becomes impossible to manage, so automation is a necessity. There are two ways to automate the process. The first is to write rules, but this quickly leads to the company maintaining a near-infinite number of rules. The smarter and more effective way is to use machine learning to analyze the logs and let the analysts focus on more important tasks.
Using technology to effect transformation usually starts with a transformation of beliefs and mindsets. How do you consult enterprise clients and help them make that important shift in mindset to move ahead on a particular project or implementation?
We tell them that they should go to the person in their organization who is staring at data and has a task to do, sit with him for one day and see where he spends most of his time. If he’s spending it on mindless manual tasks, the company needs to think about implementing transformative technology that will do it for him, and let him focus on making effective decisions in complex scenarios, which machines cannot do. Otherwise they’ll just end up throwing more bodies at a problem that can and should be automated.
Give us an example of an enterprise meeting a digital transformation goal through your product?
A very large organization with a huge security operations center had a sizable array of tools that they used daily 24/7 to conduct detection and response, but they were spending too much time on manual tasks. They started a POC with SecBI analyzing one type of data source, and within a few months they had assigned one of their security analysts to work with SecBI on adding additional machine learning capabilities because they saw the value so clearly.
What present or upcoming technologies do you think have the maximum potential to accelerate enterprise digital transformation?
1) Most corporate services will be in the cloud. Organizations will use more and more solutions from the outside; there will be a ton of cloud services, from HR to finance to marketing and everything in between, and this will add extreme complexity and lack of visibility. Companies will need some way to monitor all of this and keep tabs on who is accessing what, what they are doing, etc.
2) The number of devices will increase too. People will work from their laptops, mobile devices and tablets from home, the office and the road, and this is going to make visibility difficult as well.
3) The devices and services will be connected in many different ways. The lack of visibility and explosion of complexity created by these relationship connections will force organizations to adopt machine learning to deal with all the aspects of not only cybersecurity, but authentication, authorization, management, spending, and more.
What’s your go-to resource – websites, newsletters, any other – that you use to stay in touch with the explosive changes happening in the digital space?
People. They are the best resource. Customers and security analysts working in the field are the absolute best resource for information about what is happening, why it’s happening, and what the problems are.
Read a good book lately on digital transformation that you’d like to recommend to us?
“The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win” by Gene Kim, Kevin Behr and George Spafford is an entertaining book on the problems of operations in the digital world. It’s worthwhile to read.