There has not been a huge amount of security technology from the huge country that is Australia, but I recently had the opportunity to meet an established company looking to make a name in the UK.
Previously known simply as Tier-3, with a product named Huntsman, the company has now rebranded as “Tier-3 Huntsman”. Formed in 1999 and present in the UK since 2004, it was represented by head of product management Piers Wilson and head of EMEA Mairead Keaney, whom I met to understand the offering better.
Keaney explained that the company was formed when the CEO teamed up with a security team after spotting a gap in the security market: “how do you detect something if you don’t know about it”.
Wilson said that the company started with the requirement to monitor networks and platforms across the whole stack in real time, looking for anomalous patterns and activity that didn’t fit the known attack formations.
“That requirement moves out the typical security aware attack detections and the concept came from that requirement,” he said. “If you are doing that kind of detection, there are some things that happen – make sure the engine code is optimised as it is of limited use to spot stuff when it is two weeks old, so you have to analyse and detect immediately. Then you end up with this massive database of stuff which you have correlated and you can do all the SIEM stuff and control status and do an activity pattern check.”
The company recently released its Huntsman Analyst Portal solution to deliver real-time Automated Threat Resolution Management (ATRM) capability. The company said that the Portal collates and analyses all the relevant threat information available to the enterprise, automatically determining the context of a threat and verifying its severity.
The Huntsman Analyst Portal automatically investigates and validates the severity of threats in real time, then collates all the information necessary into a forensic case file for investigation.
“A critical part of the security function’s role is giving confidence to stakeholders that security operations are functioning as they should,” said CEO Peter Woollacott. “By making understanding and resolving threats simpler and quicker, we have made it easy for teams to translate them into business risks for prioritisation and remediation. Automated, intelligent and swift responses are crucial to defending against an increasingly fluid cyber-security threat landscape.”
I asked Wilson how he feels about the state of the SIEM landscape, with so many of the major vendors acquired by the likes of HP, IBM and Intel. He said that he felt the data storage side had been covered, so Tier-3 Huntsman was focusing on correlation: analysing data to establish what is normal, then detecting the outliers, anomalies and patterns that are not normal and flagging them through the alerting system.
“The SIEM marketplace is very mature from large vendors to log management and it has grown up from the need to gather data, and only in the last five years have vendors tried to retro-fit security into what the SIEM is doing,” he said.
“This is taking detection as a start point rather than an end game; tracking the process to resolution, and it is looking to detect something to be in a position where you know the situation and how to contain it if it is malicious, and trigger actions on it. It is looking at the outcomes of security response rather than the technical challenge of finding something interesting.”
The company has admitted that false positives can be a problem, especially as an administrator has to be able to deal with alerts in a workflow process. As your technology is configured to get better and better at detecting things, you make the analyst’s job even harder because there is more to plough through, Wilson said: some alerts are real and need investigating, some will be significant from one point of view only, and some will be false positives.
He said: “So what we have built is an engine that can handle that detection that lets people make those decisions more quickly and make that analysis process from detection to resolution as efficient as possible. So when you get an alert or report or something that needs attention, you don’t have to go to something for data or look for what it does, so we assemble the case file before the analyst figures out what they want to find out.
“If we can save one minute per person per report per customer, that adds up to a significant saving. It is about optimising the process but making it repeatable to get to the stage where you know what it means it is a more assured process for data gathering.”
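The two ideas Wilson describes, baselining what is normal and flagging the outliers, then assembling the case file before the analyst goes looking for data, can be sketched in a few dozen lines. The example below is added here as an illustration and is not Huntsman code; the log line format, the user names, the addresses and the median/MAD scoring rule are all constructed for the example. It builds a per-user baseline of daily failed logins and known source addresses from a fortnight of constructed lines, scores a new day's lines against that baseline, and for each alert returns a case file carrying the score, the baseline it was judged against and the raw events, so the analyst starts from the evidence rather than from a bare alert.

```python
"""Baseline-and-outlier detection over constructed auth log lines, with a
case file assembled for each alert. Added illustration; not Huntsman code."""
import re
import statistics
from collections import defaultdict

# Line format assumed for this illustration (constructed, not any vendor's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(line):
    """Return a dict for a well-formed line, or None for one we cannot read."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed lines are skipped, never guessed at
    ev = m.groupdict()
    ev["day"] = ev["ts"][:10]
    return ev


def build_baseline(lines):
    """Per-user model of 'normal': robust stats of daily FAIL counts plus the
    set of source addresses the user has been seen from."""
    events = [ev for ev in map(parse, lines) if ev]
    days = sorted({ev["day"] for ev in events})
    fails = defaultdict(lambda: defaultdict(int))
    srcs = defaultdict(set)
    for ev in events:
        srcs[ev["user"]].add(ev["src"])
        if ev["result"] == "FAIL":
            fails[ev["user"]][ev["day"]] += 1
    baseline = {}
    for user in srcs:
        counts = [fails[user].get(d, 0) for d in days]  # zero-fill quiet days
        med = statistics.median(counts)
        mad = statistics.median([abs(c - med) for c in counts])  # median absolute deviation
        baseline[user] = {"median": med, "mad": mad, "srcs": srcs[user]}
    return baseline


def detect(baseline, lines, threshold=3.0):
    """Score each user's FAIL count for the day against their baseline, flag
    outliers and never-seen sources, and return one case file per alert."""
    events = [ev for ev in map(parse, lines) if ev]
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    cases = []
    for user, evs in by_user.items():
        model = baseline.get(user, {"median": 0, "mad": 0, "srcs": set()})
        count = sum(ev["result"] == "FAIL" for ev in evs)
        # MAD of zero (a perfectly regular user) would divide by zero; floor it at 1.
        score = (count - model["median"]) / max(model["mad"], 1.0)
        reasons = []
        if score >= threshold:
            reasons.append(f"failed logins {count} vs baseline median {model['median']}")
        new_srcs = {ev["src"] for ev in evs} - model["srcs"]
        if model["srcs"] and new_srcs:  # only meaningful for users with history
            reasons.append(f"never-seen source(s) {sorted(new_srcs)}")
        if reasons:
            cases.append({
                "user": user,
                "day": evs[0]["day"],
                "score": round(score, 2),
                "reasons": reasons,
                "baseline": {"median": model["median"], "mad": model["mad"],
                             "known_srcs": sorted(model["srcs"])},
                "events": evs,  # raw evidence collated up front for the analyst
            })
    return cases


def constructed_baseline():
    """Fourteen days of constructed lines: alice fails once a day from her usual
    address, bob fails twice on even days only."""
    lines = []
    for day in range(1, 15):
        d = f"2024-03-{day:02d}"
        lines.append(f"{d}T08:00:00 user=alice src=10.0.0.5 result=FAIL")
        lines.append(f"{d}T08:00:30 user=alice src=10.0.0.5 result=OK")
        if day % 2 == 0:
            lines.append(f"{d}T09:00:00 user=bob src=10.0.0.7 result=FAIL")
            lines.append(f"{d}T09:00:05 user=bob src=10.0.0.7 result=FAIL")
        lines.append(f"{d}T09:01:00 user=bob src=10.0.0.7 result=OK")
    return lines


def constructed_new_day():
    """A constructed day: alice has 40 failures from a new address, bob has a
    slightly busy but in-range day, carol is a user with no history."""
    lines = [f"2024-03-15T03:{i:02d}:00 user=alice src=203.0.113.9 result=FAIL"
             for i in range(40)]
    lines += [
        "2024-03-15T09:00:00 user=bob src=10.0.0.7 result=FAIL",
        "2024-03-15T09:00:10 user=bob src=10.0.0.7 result=FAIL",
        "2024-03-15T09:00:20 user=bob src=10.0.0.7 result=FAIL",
        "2024-03-15T09:01:00 user=bob src=10.0.0.7 result=OK",
        "2024-03-15T10:00:00 user=carol src=10.0.0.9 result=FAIL",
        "this line is not in the expected format",
    ]
    return lines


if __name__ == "__main__":
    for case in detect(build_baseline(constructed_baseline()), constructed_new_day()):
        print(case["user"], case["score"], case["reasons"], len(case["events"]), "events")
```

Bob's three failures score 2.0 against a median of 1 and a MAD of 1, so they stay below the threshold; that is the trade-off Wilson describes, since lowering the threshold to catch him would also raise the volume the analyst has to plough through. Carol has no baseline, so only a count outlier, not a "new source", could ever flag her on her first day.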
Piers Wilson and Mairead Keaney from Tier-3 Huntsman were talking to Dan Raywood