Israeli military techies cook up security alerts software
Threat information as visual story lines
Lessons from building the threat intelligence platform for the Israeli Defence Force form the technical foundations of a new security startup called Siemplify.
Siemplify’s tech is designed to contextualise threat alerts from the disparate array of security technologies on enterprise networks (anti-malware, intrusion detection systems, firewalls and more). Its platform acts as a central hub linking an organisation’s existing security, threat intelligence and risk management tools, including Splunk and other popular (security information and event management systems) SIEMs, before consolidating and correlating alerts.
Visualisation and modelling tools are then used to present prioritised threat information as visual story lines, helping analysts to identify the root causes of security problems. The security operations platform is positioned as a means for banks, large enterprises and governments to identify and resolve malware and hacker attacks far more quickly.
Amos Stern, Siemplify chief exec, led the cybersecurity department in charge of building the threat investigation platform for the Israel Defence Forces. Stern served in the IDF for nine years between 2003 to 2012 before working in the private sector for three years, working on sales and business development with Elbit Systems. Other senior execs also come from the same background in the IDF, which began producing security startup hits beginning with Check Point back in the '80s, back when Stock Aitken and Waterman were churning out hit records.
Siemplify is seeking to apply methodologies gained from military intelligence - such as real-time graph analysis, machine learning and Big Data - to cybersecurity. Incidents are prioritised according to a threat score by the platform, which provides triage, ticketing and case management functionality.
Military intelligence techniques applied to sort security alerts
Military systems are not dramatically different from enterprise systems but they do tend to be a few steps ahead, according to Stern. For example, virtualisation technology was standard in the IDF as long ago as 2005. Militaries tends to be early adopters of “bleeding edge” new tech while enterprises are more conservative, according to Stern, who added that the gap was nonetheless closing.
Stern built threat investigation systems as well as leading on emergency cyberthreat response while serving with the IDF in what he describes as a defensive capacity. Stern told El Reg that many of the problems enterprises face have already been solved in the arena of military intelligence.
“The problem is not detection per se but discerning the threats hidden in the noise of thousands of alerts generated by the disparate security monitoring systems,” Stern explained. “This makes it impossible to see the broader attack chain and identify root cause quickly.”
The Siemplify Threat Analysis Platform is designed to automatically correlates security alerts, identifies and prioritises incidents, before graphically depicting the complete threat chain. Conventional SIEM collect alerts but lack the ability to add context that Siemplify offers, according to Stern. Big Data analytics built into Siemplify “empower analysts”, according to Stern.
“You need noise reduction because you are generating a lot of alerts,” Stern told El Reg. “Some of the banks we’ve worked with have 50 different controls that create many different silos.”
“Siemplify can aggregate and prioritise information, as well as providing a timeline,” he added.
Stern told El Reg: “Intel analysts using this platform don’t need to be technical. For example they wouldn’t need to write or program a query.”
Investors affiliated to Intel, Red Hat, Rackspace and others have put $4m into the startup. Early adopters include some of Israel’s largest banks, telecom and pharmaceutical firms. Pilots are under way at Fortune 50 companies in consumer packaged goods and financial services, said the founders. ®