Startup Arctic Wolf Networks is launching a Security Operations Center (SOC) service that combines security information and event management (SIEM) with human analysts who help customers identify relevant security issues. The service, AWN Cyber-SOC, gathers data from a customer’s premises for both automated analysis and review by a security engineer.

A sensor deployed at the customer’s Internet edge collects flows and HTTP and DNS logs, and runs a built-in IDS. The service can also use firewall, server, and Active Directory logs to provide additional context. The sensor data is encrypted, compressed, and shipped to Arctic Wolf’s analytics systems, which are hosted on Amazon’s AWS. The company says it has 5 or 6 different engines to analyze logs, some of which are home-grown and others custom-built.

“As we take in data, we store the log natively,” said co-founder and CEO Brian NeSmith. “Then we read that out of S3, do preprocessing to set it up for our machine analytics, and then that output will flow into Elastic Search infrastructure where the engineers do that work.”

Scaling The Engineer

All the analytics tools feed into an incident console, which is where the human security engineer comes into play. By combining machine analysis with human insight, Arctic Wolf believes it can eliminate much of the noise generated by normal operations, allowing trained engineers to focus on a limited set of problematic alerts.

“We’ve built a system to better utilize the security engineer,” said NeSmith. “Our system improves the productivity of the security engineer.”

If a problem is detected, the engineer alerts the customer. However, the service doesn’t provide on-site event management or remediation, just the analysis and monitoring. Incident response falls to the customer.

Each customer is assigned a primary and backup engineer, so that engineers can become familiar with the customers’ environments. Note that security engineers will serve multiple customers; there is no one-to-one engineer/customer ratio. NeSmith said one security engineer could work with 30 to 35 customers, and review from 300 to 1,000 incidents per day. “In some cases we think we can get up to 45 customers,” said NeSmith.

The service charges from $3 to $8 per user per month. It typically stores logs for 90 days, though customers can pay an incremental cost for longer-term storage. As mentioned, the service currently uses Amazon S3, and plans to start using Glacier for cold storage.

Drew’s View

Arctic Wolf is taking the right approach by combining automation with human insight to tackle incident and event management. Torrents of log data can overwhelm a human operator’s ability to organize, correlate, and analyze events from disparate sources; these tasks are better suited for machines. Humans, by contrast, can apply insight, context, and experience to smaller data sets to distinguish malicious activity from anomalous behavior.

NeSmith said the company’s ideal customer is an organization with a full-time IT team, but no dedicated security professional. By offering both a SIEM service and some human insight, Arctic Wolf lets such customers essentially rent the benefits of log monitoring and analysis.

That said, there are two questions for potential customers. First, just how good are Arctic Wolf’s SIEM capabilities? An analytics system riddled with false positives or false negatives may be able to churn through large amounts of data, but to little positive effect. Second, if security engineers are working with as many as 35 customers at a time, it seems reasonable to ask just how familiar engineers will become with each customer’s security and operational quirks. To my mind, the real value of this service is the human insight, but that value could be diluted by spreading each engineer’s attention across a wide swath of customers. Organizations considering Arctic Wolf will have to determine if the service strikes the right balance of automation and personalization.

The company was co-founded by Brian NeSmith and Kim Tremblay in 2012. The company has raised $27.2 million to date, including a $20 million series B round. Its investors are Lightspeed Venture Partners and Redpoint. In his previous role, co-founder NeSmith was CEO of Blue Coat Systems, the Web proxy company.