I left off my first entry about the RSA Expo by suggesting that “Threat Hunting” seemed to be emerging as a new approach to protecting the enterprise from cyber-threats. Threat Hunting is predicated on the fact that the perimeter is crumbling and attackers are getting more sophisticated, so you can expect Advanced Persistent Threats (APTs) to be in progress on your network, and you should find them before they steal something important. “EndGame” sponsored this nice little “Hunter’s Handbook”; I picked up a hard copy at the show. It talks about the process of hunting and what technologies you might use to support it. Other vendors staking out positions in this space include Sqrrl and Digital Guardian.
Digital Guardian’s primary offering is in the “Data Loss Prevention (DLP)” sub-segment. They define DLP as “a system that performs real-time scanning of data at rest and in motion, evaluates that data against existing policy definitions, identifies policy violations and automatically enforces some type of pre-defined remediation actions such as alerting users and administrators, quarantining suspicious files, encrypting data or blocking traffic outright.”
If you want to learn about DLP, visit their information page, where you can read their primer on DLP and download the Gartner report on the DLP segment. Other vendors in this segment are ForcePoint and GTP Technologies. For the record, we don’t have relationships with any companies in either of these cyber-security sub-segments, and I am trying to figure out how to think of them versus offerings in other sub-segments. It gets rather confusing with the overlapping business values they all provide. I can see that the DLP folks are already starting to talk about Threat Hunting, and I expect there will be more of that.
To an extent, I can see these folks logically competing with the AI-based threat identification products, like Anomali, Deep Instinct and DarkTrace (we are a partner of theirs), since these folks promise to identify APTs in progress. I can also see where incident response automation will bleed over into both Threat Hunting and DLP. Ultimately, manual threat hunting is not going to cut it. It’s going to come down to your AI-based APT identification platform vs. your adversary’s AI-based attack. Some chess game that is going to be. In the meantime, we would love to talk with you about your specific situation and see if we can come up with a defense strategy that makes sense for you.