What does your network's behavior reveal about security?


Summary: SS8 uses recursive analytics to model network behavior from the app to the endpoint. If anomalies are detected and thresholds are reached, alerts are issued. The company supports the largest telcos and government intelligence agencies today, among other highly secure entities. Transcript below:


Mike Matchett:                  Hi. I'm Mike Matchett with Small World Big Data, and I'm here today with Tony Thompson, the VP and general manager of SS8, and we're talking about the role of security, the networks, and what they're offering to use the network to improve the security of corporations and enterprises.

Welcome, Tony.

Tony Thompson:                Hey. Thanks for having me.

Mike Matchett:                  Yeah, so just in a thumbnail, tell me about SS8, how you guys got into the security business and what you're doing for your customers.

Tony Thompson:                Yeah. SS8 is a really interesting company. The company has been around almost 20 years now, and it started out in this area of extracting intelligence from networks in communications for the purpose of suspect hunting and terrorist hunting, if you will, and we work with eight of the largest telecommunication providers, six of the largest intelligence agencies in the world, and what we've done really over the last three to four years is take that expertise and build a solution for enterprises and organizations to say, "How do I find a device of interest in my environment that may be compromised?" and we do that by looking at network communications over time, scoring behaviors on the network over time and associating those behaviors with particular devices in the environment.

Mike Matchett:                  I love the combination of this kind of hunting down the suspect device and identifying its behavior, profiling and stuff, all the stuff we see in all these TV crime shows all day long, and now we're applying that to our networks, which is kind of fun, so tell me a little bit about the smarts here, the machine learning bits, the IP that you guys really bring to the table, because you're not just capturing network traffic and you're not just summarizing it up. You're doing something much more intelligent.

Tony Thompson:                Absolutely, and so it starts with this idea of recursive analytics, and what I mean by that is we're continuously rewinding the network and scoring behaviors on the network over time and associating those behaviors with specific devices so that, if I see a device that may be beaconing one day and the next day it starts communicating with a site that's known to be a distributor of adware or malware and then, later on, we see that device starts sending a file to a destination, we're scoring each of those behaviors and, when that scoring reaches a threshold, boom, we light up on our display a tile, an alert in our system that says, "Here is a device that needs to be investigated, potentially remediated off the network."

The way in which we do this, there's really three core components. It's very simple. We have a very powerful sensor based technology that sits passively on the network. We're extracting information all the way up to the app layer. We send that information into the analytics engine, which can be stored in the cloud or on prem, and then the last component is discovery, which is just how you visualize the information, and we've done a very straightforward workflow that allows an analyst to really understand what's happening in the network without having to sift through log data.

Mike Matchett:                  We were talking a little bit earlier. You're not a SIEM. You're not trying to do that for ... that endpoint alerting and re-plow fields that have already been planted with lots of different people out there, but, I mean, the argument you're making to folks is that the network really not only is this the glue and the fluid that holds everything together, but it's the first place to really start to identify bad behavior because you're seeing everything going on and, as you were saying, scoring over time, allows you to build up a profile of a developing threat well before an actual endpoint threat might be identified by a different kind of tool. Is that right?

Tony Thompson:                That's a hundred percent right. When you think about how these advanced attacks are working today, it's they're coming in over the network. They're trying to find vulnerable machines. They're trying to siphon data out over the network, and the network really is I think, as you pointed out, it's a source of truth and it is the fastest way to really uncover vulnerable spots in the environment where you have vulnerable machines.

Now, we're not going to go deep inside the endpoint specifically, but we're going to get you to that endpoint or that asset in the environment that may be compromised, and it is about really piecing together those behaviors because, the advanced threats, they hide. They encrypt themselves. They move from machine to machine, and you may never know about ... I mean, if you read about the breach of the day or the breach of the week that's in the news, these things happen months and months ago, so it is about history and time that needs to be understood, and it really ... That all comes back to the network for the speed and accuracy with understanding what's happening in the environment.

Mike Matchett:                  I know this is not a field for new people to come along and just be able to apply a lot of expertise and experience. You guys mentioned you have 20, 30 years of doing this kind of telecommunications forensics and looking at large network situations and large, massive data for stuff, which you then really bring back to the solution now that you're putting on the table and saying, "We can apply that and find bad behaviors of all kinds based on our expertise that we baked into our tools," right? This is now saying, "Let's take what we've learned at the hugest of scales and bring it to the enterprises who might want to benefit from this knowledge."

Tony Thompson:                Absolutely. Yeah, absolutely. We're taking a lot of that expertise and how you'd hunt for the ... You think about how terrorist activity behaves today, right? It's like they're hiding. They hide over time so that an attack can actually happen.

It's the same thing with the threat actor in a cyber environment where they're trying to siphon out data out of the environment. They're going to brute force attack servers. They're going to find different ways of getting into machines. They're going to lurk over time, and it really is our understanding of how that behavior works is what we've pumped into our solution and into the technology and combined with this idea of very powerful enrichment.

What I mean by that is the ability to complement the information and the algorithms that we've built into our system, the machine learning components, and enrich that with additional details like user ID, Web reputation information, sources of known threat intelligence like from a threat feed, so we're really very capable in being able to not only provide our own alerting and algorithms, but being able to also enrich that data, that network information with a variety of sources of other data that could be very valuable in providing more accuracy for detection.

Mike Matchett:                  I mean, it sounds like if somebody's putting together their ultimate SOC and they want to make sure that the other tools they have really have the context and the earlier warning and sort of the best perspectives on things that you guys should be a great fit into just about any of those environments, right? You should be-

Tony Thompson:                Absolutely. I think one great example of that is the SIEM, right? You look at how the SIEM has evolved over the years, and one thing that the SIEM has done is it's been a great source for aggregating security information from a lot of different sources. What the SIEM is not great at is getting you speed of detection and pointing you specifically to something in the environment that is compromised based on a series of things happening over time, and so that's one area where we've invested in partnering with folks like McAfee and others where we can ingest our data into the SIEM and give more context around alerting.

Mike Matchett:                  Yeah, I mean, so earlier, faster and more context. I mean, it's all good. Where can someone find out more about this if they're interested?

Tony Thompson:                The easiest way is ss8.com, our website. They can follow us on Twitter @ss8. We put a lot of information there as well, but reach out to us. We'd love to share more information. We do a free risk assessment for folks that are interested in kicking the tires on the technology, so we'd love to hear from anybody who's interested.

Mike Matchett:                  Awesome. Awesome. Thanks, Tony, for coming in today and talking to us, and I hope to talk to you again soon.

Tony Thompson:                Thank you, Mike. I appreciate it.

Mike Matchett:                  All right, thanks.