SC Media UK Buyer's Guide 2017

Editorial
VP, Editorial: Illena Armstrong, illena.armstrong@haymarketmedia.com
Editor-in-Chief: Tony Morbin, tonymorbin@haymarket.com
Deputy Editor: Tom Reeve, tom.reeve@haymarket.com
Reporter: Max Metzger, max.metzger@haymarket.com
Online Community Manager: Roi Perez, roi.perez@haymarket.com
Technology Editor: Peter Stephenson

Production
Art Director: Michael Strong, michael.strong@haymarketmedia.com
Production Editor: Danielle Correa, danielle.correa@haymarketmedia.com
Production Assistant: Jamie Whittington, jamie.whittington@haymarket.com

Events
Events Coordinator: Sophia Edie, sophia.edie@haymarket.com

List Rental: Alex Foley, +44 (0)20 8267 4964
Back Issues: John Denton, +44 (0)1733 38 51 70

Advertising
VP, Publisher: David Steifman, david.steifman@haymarketmedia.com
Director, Global Sales: Dennis Koster, +001 646 638 6019, dennis.koster@haymarketmedia.com
Account Director: Martin Hallett, +44 (0) 20 8267 8280, martin.hallett@haymarket.com

Marketing
Marketing Director: Karen Koza, karen.koza@haymarketmedia.com

Publishing
Publishing Manager: Gary Budd
Chief Executive: Kevin Costello

How to contact us: SC Media UK, Haymarket Management Group, Bridge House, 69 London Road, Twickenham, TW1 3SP, UK. Telephone: +44 (0)20 8267 8016. Press releases: tom.reeve@haymarket.com

Published by Haymarket Media Group, Bridge House, 69 London Road, Twickenham, TW1 3SP, UK. No part of this publication may be reproduced in whole or in part, or stored in a retrieval system, or transmitted in any form, without written permission of the publisher. All material published in SC Media™ is copyright © Haymarket Business Media. The views expressed by contributors and correspondents are their own; responsibility for the contents of the magazine rests solely with the editor. All rights reserved. All trademarks are acknowledged as the property of their respective owners. While every care is taken, the publishers cannot be held

Haymarket is certified by BSI to environmental standard ISO14001.

Advertisement (Skybox Security): Do more with the Skybox® Security Suite
• Comprehensive attack surface visualization across physical, virtual and cloud networks
• Continuous threat-centric vulnerability intelligence from the Skybox® Research Lab
• Context-aware vulnerability prioritization
• Enable more accurate vulnerability prioritization using multiple
Modules shown: Vulnerability Control, Threat Manager, Horizon.
Evolve and see what you're missing. www.skyboxsecurity.com

Welcome to the SC Media UK Buyer's Guide 2017, produced in association with Skybox® Security.

On behalf of Skybox Security, we are delighted to share with you SC's independently assessed top innovators in information security products 2017, tested in SC's own labs by SC technology editor Peter Stephenson, former CISO of Norwich Defence University, and his team.

This publication features a selection of the entrants considered to be the most innovative. The full list of products tested in each category can be found at www.scmagazineuk.com.

And in a special product highlight, we are proud to feature the original independent SC reports on the Skybox® Security Suite as they appeared in SC Magazine UK in June and November 2016. Prior to production of this Buyer's Guide, the SC labs examined the Skybox Security Suite and were impressed by its broad capabilities for vulnerability and threat management and risk and policy management, declaring it one of the most versatile and flexible products that they've seen.

We hope that reviews like this and others will shed light on solutions ready to help you overcome challenges no matter the age or maturity of your programme, whether you're struggling with fundamental issues such as visibility or resource shortages, or you're looking for advanced tactics and gaining strategic intelligence.

Of course, the Buyer's Guide isn't just about products, but people too. For that reason the guide also includes both SC's Salary Survey – to provide an indicator of remuneration levels across the industry in a variety of roles and vertical sectors – as well as SC's Top Ten influencers for the past year, ranging from legislators and activists to researchers.

Gidi Cohen
CEO and Founder, Skybox Security
2017 Salary survey

There has never been a better time to work in the IT security business, primarily because the threats are growing ever bigger, with data breaches, nation state hackers and ransomware. It is of little surprise that organisations of all sizes are in need of IT security professionals. But filling those roles is becoming more and more difficult for employers.

Our IT security salary survey has revealed that salaries for infosec professionals have risen over the last twelve months by around six percent.

Karla Jobling, director at recruitment firm Beecher Madden, says that demand is increasing as more companies build cyber-teams to fight ever more data breaches and other security incidents. "Demand is part of the reason for the increase in salaries but the other factor is a focus on the quality of candidates. Many companies who already have cyber-defence teams will now pay a premium, but only for the best people," she says.

She adds that demand has increased over the last year and consulting firms are still growing and end-user companies are building out their teams. "Vendors are also still in growth mode and have a variety of opportunities available," she adds.

Glyn Phillipson, head of cyber-security and payments technology at Nicoll Curtin, a global FinTech and Change recruitment agency, says that demand for cyber-security professionals has been constant over the last twelve months, when many of his firm's clients were doing little to no hiring elsewhere. "Q4 is normally a quiet time for hiring, but there was a constant demand until Christmas and even in the first year." There has been a large increase in requirements and "interestingly a swing back to the UK from offshore locations".

Skills shortage

Martin Ewings, director of regional sales and specialist markets at IT recruitment firm Experis UK & Ireland, believes that demand is at "an all-time high". He adds that recent research revealed that the most sought-after skills in this area are CISSP (Certified Information Systems Security Professional), SIEM (Security Information and Event Management), IAM (Identity Access

SC • Buyer's Guide 2017 • www.scmagazineuk.com
Management), ArcSight, penetration testers and biometrics.

"However, there is an increasing shortage of talent with these skills – just 103,000 people worldwide hold a CISSP, one of the main cyber-security certifications," says Ewings.

Businesses are having a tough time filling IT security roles and thus, says Ewings, businesses are willing to pay more to bring in the right people with the right skill sets and experience. He points to research carried out by his firm that revealed that the average salary for permanent IT security professionals now stands at £58,003, up 7.95 percent on last year's figures. He says that IT security day rates are also on the rise – up 4.98 percent year-on-year (£443 on average), as many companies turn to short-term contractor support to help plug the gaps.

Phillipson says that there are more requirements for skilled individuals than there are people available. "Qualifications seem less important as, given the high demand, employers are having to be more flexible, but real life experience in cyber-security remains a 'must' for blue chip companies," he adds.

Given the high demand and apparent lack of available talent, employers are having to show flexibility on years of experience, qualifications and industry exposure, according to Phillipson. He adds that "ideally, an employer will require a certain level of certification and education but compromises are being made."

Darren Anstee, chief security technologist at Arbor Networks, says that while there is a shortage of security professionals and this will apply upward pressure on salaries, what must be taken into account here is that most organisations are not in the business of "security" and "thus paying higher rates for expertise outside of whatever their core business happens to be is not something they really want to do".

"Many organisations, if they can, will opt for managed security services rather than scaling up their own teams if this works for them from a cost / risk perspective," he says.

Jobling says the shortage of trained people has been pushing up salaries but this "cannot increase forever". Indeed, it has to tail off, but perhaps not just yet. "What we saw towards the end of 2016 was an increase in the amount of candidates being offered sponsorship. Companies are going to start looking into different ways to attract the talent they require," she says.

Qualifications and getting into the industry

The shortage may be pushing up salaries in the short term, but qualifications will be important, even at entry level, says Jobling. "Having taken a qualification shows their dedication to this career path and these candidates are getting jobs ahead of candidates without qualifications. At a more senior level, experience is more important than qualifications, although we are seeing some companies make a CISSP mandatory," she says.

But Ewings says that infosec isn't always about having the right qualifications. "Talent can come in many forms, and it's important for businesses to look for individuals with the aptitude and enthusiasm to learn new skills, and then give them the relevant training and freedom to experiment with new technologies. This will help businesses to not only mitigate the risks today but also future-proof their organisations," he says.

Anstee says that qualifications are important as they let hiring organisations know whether a candidate should have the right skills and background knowledge to fulfil a role. "However, practical experience and the ability to apply book-learning to real world situations are even more important. Security never stays still so everyone must learn on the job, with the best people being able to keep up to date technically whilst applying that acquired knowledge to the business risks in the organisation(s) they work within," he adds.

The infosec industry continues to attract young people into the fold. Jobling said that someone getting into cyber-security now, at school, university or post-grad level, could set themselves up for a great career. "Girls should also consider cyber-security as a career more than they do. The roles are varied, not just technical, and the industry really does want to have some diversity," she says.

Phillipson says that IT security is a rapidly growing and ever more important part of all business now. "For young people considering a career, IT Security will continue to provide interesting and well compensated opportunities," he says.

Increasing professionalisation and new roles

While the debate continues over how important qualifications are to having a job in the IT security industry, Anstee says that
Indicative annual salaries by role, seniority and sector (£)*

Role and level             All private   All public    Banking    Health    Retail  Government  Manufacturing
Security/Data Analyst
  Junior                        35,000       25,000     35,000    35,000    35,000      25,000         25,000
  Mid range                     47,000       35,000     55,000    47,000    50,000      35,000         35,000
  Senior/large org              60,000       50,000     65,000    60,000    60,000      50,000         50,000
CISO
  Small org                     90,000       80,000    250,000    90,000    90,000      75,000         75,000
  Medium org †                 110,000       80,000    110,000   110,000    85,000      90,000
  Large org                    180,000       95,000    500,000   180,000   180,000      90,000        125,000
IT Security Manager
  Small org                     55,000       40,000     75,000    55,000    55,000      40,000         40,000
  Medium org                    65,000       50,000     81,000    65,000    65,000      47,500         50,000
  Large org                     75,000       55,000     85,000    75,000    75,000      55,000         60,000
IT Security Officer
  Small org                     45,000       35,000     45,000    45,000    35,000      35,000         35,000
  Medium org                    55,000       40,000     58,000    55,000    40,000      40,000         40,000
  Large org                     65,000       47,000     70,000    65,000    50,000      47,000         50,000
Penetration Tester †
  Junior                        40,000       42,000
  Mid range                     57,000       55,000
  Senior                        67,000       85,000
Security Consultant †
  Junior                        46,300
  Mid range                     63,900
  Senior                        83,800
IT Security Architect †
  Junior                        65,600       57,000     65,000    65,000    65,000      65,000
  Mid range                     80,000       70,000     85,000    85,000    73,000      80,000
  Senior                       100,300       79,000    110,000   110,000    80,000      90,000

* How the data was collated: the data in the chart has been compiled by interviewing various information security recruitment agencies as well as deriving data from multiple job websites (including SC Jobs). Figures are annual salaries in pounds sterling.
† These rows carry fewer figures than there are sector columns; they are reproduced in the order printed, and the source does not indicate which sector each figure belongs to.
qualifications aren't the be all and end all – "experience is still a bigger driving factor in salary expectation."

Jobling thinks we are still at the beginning of an increasing professionalisation of the industry affecting wage demands. "Companies are making cyber-security a priority and those companies that have established teams are seeing value. As a result, they are looking for better qualified individuals with a proven track record. These people are being paid a premium. So, it is not an obvious correlation, but related to how security is evolving within organisations as well," she says.

Jobling adds that over the last few years new specialisms have appeared, such as mobile and cloud security, due to technology evolving. "The same is true for security within the IoT. Roles such as cyber-awareness didn't really exist then either. It is a result of companies taking cyber-security seriously and understanding the need to educate their business."

Continued career success

Staying up to date and having a specialism is key if you want to have continued career success in IT security, according to Jobling. She says that companies might want an IAM specialist, and becoming an expert in one area will see you progress and earn more money. "However, if your long-term goal is to become a CISO or director, then variety is going to be important as you need to demonstrate your business acumen as well as technical understanding."

Anstee says that infosec professionals need to be able to understand the risks that their organisation faces as well as applying people, process and technology to keep those risks at an acceptable level without putting (business) barriers in place. "One key skill is the ability to absorb technical information and make it relevant to non-technical personnel, so that they understand the value of a control and don't simply see it as a barrier," he says.

Brexit and infosec

A report by resourcing company BPS World has warned that one of the main challenges facing employers in the UK in 2017 will be the impact of Brexit on the ability to attract talent, particularly in the high-value digital, technical and engineering industries where recruiters are already struggling with severe skills shortages.

Simon Conington, founder of BPS World, says that 2017 is going to be a pivotal year for the UK economy as it appears to head out of the EU door. "The decisions the government makes now on the implementation of Brexit will affect our ability to attract the talent we need to grow," he says. "The impact will be felt immediately as talent will not come to the UK if they know they will have to leave within two years. We urge the government to continue to ensure we have access to skilled people, particularly in sectors where we're already struggling to find the talent we need."

While there have been concerns that Brexit could put a stopper on hiring and salaries, Jobling says that the proposed departure from the EU has so far only resulted in a short pause on hiring in some organisations. "Once the result came in there was a short pause, but demand is as strong as ever. Candidates relocating to the UK have been a little more hesitant but are still considering the UK as a place to work. Of course, this could change in the next 12 months as we learn more about what Brexit really means," she says.

Phillipson says that it is too soon to say if Brexit is having, or will have, an effect on infosec salaries as the process simply hasn't started. "2016 was a challenging year for IT recruitment in finance. I am sure Brexit played a part in this but we saw no effect on demand for IT security professionals," he adds.

Final package

The job market for infosec professionals still looks very good, which means that salaries and career mobility will also be good. The IT security professional can almost name their price in the current market. For employers, the right incentives have to be in place to attract the top talent; it's a seller's market out there, so professionals should ensure they have the skills and knowledge in order to get the most lucrative opportunities. Salaries are also being increased by new fields such as cloud, mobile and IoT security, meaning infosec professionals have the chance to spread their wings and earn more.

In the end though, money isn't everything if you don't like your job. There comes a point where money becomes less important and being happy doing what you love pays in different ways. Not everyone wants to be a CISO. Luckily, there are plenty of roles out there to suit all infosec professionals.
SC's Top Ten Influencers 2016

Any list of the most influential people in cyber-security is going to be disagreed with by most, because in this industry some of the best work going on will, for operational security reasons, remain unsung. So, with apologies to the unknown heroes, here is SC Media UK's list of the "most influential" people in cyber-security 2016, chosen for the impact that they have had on the information security industry.

Ian Levy, technical director, National Cyber Security Centre

Ian Levy, the new National Cyber Security Centre's technical director, grabbed many headlines in 2016 as the government's new cyber-command centre in the centre of London was established to become the new public-facing body for tackling cyber-security issues. It has set the tone for how we speak about data breaches, educate the public and businesses about the many cyber-threats they now face, and how to go about solving them. Levy has set about cutting the FUD that surrounds the industry and getting down to the business of boosting cyber-protection.

Theresa May, UK Prime Minister

2016 will forever be remembered as the year in which Theresa May, still the UK's Prime Minister, went about implementing the Investigatory Powers Bill which she had been responsible for introducing as Home Secretary. The bill is widely known as the "Snoopers' Charter" as it legitimises some existing data gathering practices previously declared illegal and heralds in new spying powers which many view as invasive; it has been criticised by many for requirements such as encryption backdoors. It has been described as "the most invasive surveillance law introduced by a western democracy" by NSA leaker Edward Snowden and is bound to have many ripple effects well into 2017 and beyond.

Brian Krebs, security blogger, KrebsonSecurity.com

It could be argued that security blogger Brian Krebs is responsible for alerting the information security industry to the Mirai botnet. While Europol took down DD4BC, a gang offering DDoS-as-a-service, Krebs blogged about another such gang from Israel, vDOS, which got caught because of a silly security vulnerability in its website which revealed the operators' identities. In retaliation, Krebs' website was blasted with a record-busting attack of around 620Gbps. Akamai, which was protecting Krebs at the time, dropped the blogger due to "financial reasons". In the same period an even larger attack, peaking at around 1.1Tbps, hit French web hosting company OVH; as it transpired, the same botnet was responsible for both. Its source code was then released on HackForums by the user "Anna-Senpai", which is how the botnet came to be known as Mirai, and about a month after the Krebs attack a Mirai botnet hit Dyn, a DNS provider which supplies services to some of the major websites on the internet, such as Spotify and Reddit, causing mass hysteria.

Jan Philipp Albrecht, German Green MEP

The issue of data protection and privacy took many headlines in 2016, and Jan Philipp Albrecht, German Green MEP, has remained a prominent campaigner on both issues. In his role as vice-chair of the European Parliament Committee for Civil Liberties, Albrecht brought forward the case to crack down on internet giants such as WhatsApp, Skype and other online messaging services for not taking users' privacy seriously enough. The move followed the news that Facebook was to share user data between WhatsApp and Facebook in order to better target advertising at users. The European Commission plans to publish a draft law on data privacy that aims to ensure instant message and internet-voice-call services face similar security and privacy rules to those governing SMS text messages, mobile calls and landline calls.

Troy Hunt, web operator, haveibeenpwned.com

Password-sleuth Troy Hunt, who operates the website haveibeenpwned.com (and blogs at troyhunt.com), has had yet another busy year of notifying people of the data breaches that affect them and getting the message out that password reuse, a cause of many mishaps online, is still very much a serious issue. Hunt deserves praise as his aim isn't simply to compile a long list of passwords; with every breach he blogs about, affecting the likes of companies such as the Red Cross, Michael Page, PayAsUGym, Dropbox, Bluesnap and others, he looks to educate about the need for improved behaviour from both businesses and users themselves. Hunt is a consultant
who advocates a "get the basics right" approach to businesses who are looking to protect their users' data.

Johannes Ullrich, dean of research, SANS Technology Institute

Highlighting the scale of the problem of unprotected Internet of Things devices in 2016, SANS dean of research Johannes Ullrich showed that exploitation of the TR-064 and TR-069 router management interfaces, which many consumer routers expose on TCP port 7547, was almost certainly the cause of an outage that hit Deutsche Telekom customers. It was discovered that the routers were being recruited into a botnet. In a Facebook update, officials with the German ISP said around 900,000 customers were vulnerable to the attacks until their routers were rebooted and an emergency firmware update installed. The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.

Raj Samani, EMEA CTO, Intel Security

As the threat of ransomware continues to rise, Raj Samani, EMEA CTO of Intel Security, has played an important role in what amounts to a crusade to defeat it. 2016 saw the launch of NoMoreRansom.org, a non-profit collaboration between Intel Security, Kaspersky Lab, Europol and the Dutch National Police, who are cracking variants of the malware and releasing ransomware decryption tools on its website. The website has had its fair share of successes, with over 6,000 victims saved from having to pay the ransom to the criminals. As a result, even more decryption tools have been added to nomoreransom.org, joining the eight tools already available free of charge to victims. Both the private sector and law enforcement are stepping up efforts to fight the cyber-criminals who are using ransomware to deprive their victims of large amounts of money.

Max Schrems, Austrian lawyer, author, privacy advocate

Austrian lawyer Max Schrems is still fighting his case against social media giant Facebook, and in 2016 the Irish Data Protection Commissioner moved to have Max Schrems' latest Facebook complaint referred to the Court of Justice of the EU. The move followed the collapse of the Safe Harbour agreement after a 2015 Court of Justice of the EU ruling in favour of Schrems, the court having found that data held in America would not receive the same level of data protection as it would in Europe. Privacy Shield, the agreement which replaced the longstanding Safe Harbour deal, has also been criticised as inadequate, and it continues to face its fair share of legal challenges and critiques that could derail the trans-Atlantic pact. A lawsuit filed by Digital Rights Ireland (DRI), a digital rights nonprofit, is challenging the efficacy of the protections promised by Privacy Shield, claiming that the agreement is still inadequate in protecting citizens' data and privacy. Earlier this year, Schrems said he thinks the proposed solutions to safeguard the privacy of European citizens have evolved, and asserted that the culture of privacy in Europe needs rebooting.

Rob Wainwright, director, Europol

Under the leadership of Rob Wainwright, director of Europol, the law enforcement agency has had a busy year. Earlier in the year, Wainwright wrote an opinion piece for SC which saw him predict an upward trend in cyber-crime. He wrote, "The relentless growth of illicit cyber-criminal markets remains a real and significant threat to our collective security in Europe." Although arguably a somewhat self-fulfilling prophecy, the agency has taken down multiple gangs, among them DD4BC, the Avalanche crime platform and various ATM gangs operating throughout Eastern Europe; it has been a founding member of the nomoreransom.org initiative and signed several MoUs; and it even had time to work with the NCA and FBI on the Silver Shadow exercise, run by the UK's National Crime Agency and involving law enforcement officials from eight different countries including the US, Georgia, Lithuania, Bulgaria and Ukraine. Also taking part were representatives from Europol's Joint Cyber Action Taskforce (J-CAT).

Stephanie Daman, CEO, Cyber Security Challenge UK

Rather than just talking about the information security industry skills shortage, Stephanie Daman, CEO of Cyber Security Challenge UK, is at the forefront of those trying to rectify the problem. The Cyber Security Challenge hosted another final of its Masterclass in early November, and the winner, 18-year-old Ben Jackson from Sussex, is also the competition's youngest entrant in its six-year run. The folks at Cyber Security Challenge UK have also been involved in an initiative dubbed Qufaro, which is opening a new cyber-academy for Britain's brightest cyber-security talent at Bletchley Park, the former site of the Enigma code-cracking mission undertaken by British security services. Alastair MacWilson, chair of Qufaro and the Institute of Information Security Professionals, said: "Qufaro will make it easier for budding professionals to grow their cyber-security skills at every stage of their journey, and contribute more to the sector."
Innovators

SC Media reviews more products than we could cover in this guide, so we have focused on those we saw as the leading innovators over the past year, with the rest of the reviews available on www.scmagazineuk.com. A couple of our returnees have undergone name changes or have been acquired or merged with other companies, so convergence is alive and well, too. In spite of that, innovation is certainly alive and well this year.

One of the things that we look for each year is what drives innovation. First, the consumers, under a lot of pressure from the adversary, are demanding more and more features. Many of those features are intended to speed up the security process or automate much of it completely. Vendors are responding with ever more complex algorithms, machine learning and competent management of Big Data.

The second driver is the vendors themselves. Never in all of the years that we've been reviewing computing and security products have we seen such contentious competition between vendors. This was a year when half of a star rating could make the difference between winning and losing a sale to a competitor. Competition is a good thing, though, and it certainly has resulted in some powerful innovations. It was a year when we asked our Innovators what drives them and we heard that it was the competition more than ever before.

So, what good is all of this to you, the consumer? Among other things, it means that you have some excellent choices and they are not all from the big players. A long-standing trend is that our Innovators are more likely to be small fry using stealthy techniques to get the sale – and data scientists, along with their engineers, to develop the product. A poster child for this is a one-person company that is in its second year on our list, and the innovations in the product this year are many and excellent. Not only that, but the product sells. To see a creative developer who also runs a solid business and is a crafty marketer is really to see the heart and soul of innovation.

Our Innovators are selected for their original technology, their creative go-to-market strategies and their ingenious ways of managing their organisations and resources to the best advantage. We have watched several of our Innovators over the years go on to be acquired by one of the bigger companies, but this year mergers of approximate equals were more common. As we look forward to economic growth, we can see that our industry is poised to help fuel that growth. -Peter Stephenson
Product Spotlight

Skybox Security Suite - 1st June 2016

We have watched these folks almost from their inception and we always have been impressed. Their mission is a rather grand one: manage the security on the enterprise's entire threat surface. To do this, they break down their tool's functionality into vulnerability and threat management. Within these broad categories there are individual modules that work together to accomplish the various tasks required to protect the attack surface. This is one of the very few products that we have seen that takes this comprehensive approach. It is integrated with nearly 100 third-party security tools and has its own built-in vulnerability intelligence feed.

While Skybox, like many similar products, does not do its own network discovery, the tool can consume topology maps in a number of formats. Skybox aggregates more than 20 threat and vulnerability feeds. Additionally, you can identify threat origins unique to your organisation. We were impressed by its internal vulnerability

based largely on data flows. We view the ability to do attack simulation as one of the significant indicators of a next-generation tool. Just because an asset is exhibiting vulnerabilities does not mean that it deserves immediate attention. It may be a low priority asset where a high priority asset needs attention now. This form of triaging is critical to seeing where your risks actually lie.

You can perform firewall assurance using the Skybox configuration analysis or you can add in your own checks using simple regex commands. The tool helps you perform cleanup on rule sets, in many cases eliminating redundant rules. Workflows are the heart of any of the types of tools that we looked at this month. Without a good workflow management capability, changes don't get made and problems don't get identified. Skybox has an excellent change management workflow. The ability to see the network topology and understand how it is supposed to be working lets Skybox identify a compromised asset and then pivot

Skybox Security Suite - 1st Nov 2016

Skybox Security Suite is many things besides vulnerability management and, perhaps, that is a major strength. Many of the modules interact in such a manner that the overall management of vulnerabilities - particularly analytics - is enhanced significantly. However, we were a bit disappointed with our evaluation. Everything that we were presented was pre-done. It was a lot like walking through slideware.

There is a lot to like about this product. It is extremely feature-rich. However, that comes at a price. Configuration and management are not easy. It takes time and a good understanding of one's environment and the Skybox infrastructure to get the most out of the tool. Vulnerability control is one of several aspects, including ChangeManager, FirewallAssurance, NetworkAssurance and ThreatManager. All of these work together to give a broad picture of the state of the enterprise from a risk perspective. VulnerabilityControl and ThreatManager are part of the vulnerabilities and threats part of the platform, while the rest are classed as the security policy

launched we had the ability to launch the demo model, which we proceeded to do. Going through the model it was plain that we were using a very powerful system. However, there was a lot about it that we could not test. For example, the specification shows that the tool supports a huge number of third-party products, but we had no way to test that.

The dashboard is what one would expect and it has a lot of options. Everything is under four main tabs: summary (the landing page), discovery centre, analysis centre and remediation centre. The discovery centre is the starting point. Everything in the enterprise should be discovered and displayed here. The analysis centre shows details and metrics about vulnerabilities and exposures with good graphics and drill downs, while the remediation centre helps admins track remediation against SLAs.

This appears to be a powerful set of capabilities and it certainly is priced right given its feature set. The website is very good with the resources one would expect. One interesting piece is its end of life policy. This is something
detection system. It is completely passive and uses the off of it to see likely paths that the intruder could have management piece. most vendors ignore - until users receive an email that
Skybox vulnerability dictionary. The tool contains two taken. Finally, the Horizon dashboard - an add-in that The vulnerability management functionality uses says their version is being fazed out so they’d better buy
separate ticketing systems - one for change manage- is provided at no extra cost - shows indicators of expo- passive scanning. In other words, quoting from the user the latest. There are several levels of support from basic
ment and one for vulnerability management. sure on a cool dashboard that quickly calls attention to guide, it uses “scanless deduction of vulnerabilities and no cost to full premium support (at a cost, of course) and
Skybox collectors gather information from switches, any problems that Horizon sees. attack simulation.” The jury is still out somewhat on the professional services.
firewalls, routers and scanners. These data are fed to effectiveness of passive vulnerability assessment. There
the Skybox server where management consoles can certainly are advantages in terms of disruptiveness,
see and manipulate the data. The system is agentless Vendor Skybox Security safety (since certain kinds of attacks that would bring Vendor Skybox Security
and it has APIs for integrating with third-party sys- Flagship product Skybox Security Suite the system down never need be used) and the ability to Flagship product Security Suite
tems. It deploys as an appliance or a virtual appliance Price Base price £7,500 scan 24/7, but, as well, there are questions about missing Price £7,878
on-premises. Web skyboxsecurity.com vulnerabilities. Web skyboxsecurity.com
When we looked at Skybox, we dropped into a Description This tool manages the security on the We ran the Skybox installer in our VMware environ- Description Very good functionality with solid control
network topology map that was well-annotated and enterprise’s entire threat surface. ment with no trouble at all. When we were set up and over its functions.
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Buyer’s Guide 2017 Industry Innovators
This is – or can be – a very broad category. This year we looked the landscape over pretty closely and we saw a lot of the same things we’ve seen in previous years. Most vulnerability assessment (VA) and penetration testing tools look pretty much like they did for the past few years. And, while they certainly are effective, they showed no particular innovation.

Then we moved on to forensic tools, a peren-

based vulnerability assessment and human pen testing. We were quite pleased with the outcome of that test so we brought them in this year – innovative because of the way they approach the problem more than what they do (although that’s pretty cool as well).

Analysis and testing can, as you see, take a lot of different forms. There are a lot of tools that do the routine tests and some do those tests on steroids – Metasploit and Core

This really is a Swiss Army knife of cyber-forensic tools. It is designed from the ground up to perform a complete digital forensic investigation. It looks at the computer, mobile devices, the internet, social media sites, the works. Not only is IXTK (Internet Examiner Toolkit) complete as any we’ve seen, the company takes the position that new forensic examiners might not be fully comfortable

the updates. One does not expect to see, all on the same tool kit, such things as downloading of YouTube videos, Cisco Web Classifications standard for categorisation of URLs, access to Google Map, along with parsing of latitude and longitude.

Another interesting function is its ability to build a dictionary of internet search terms derived from recovered cache and history files. Of course, we see the usual functions
To our mind, this company epitomises what we mean by an ideal mix of next-generation techniques and the use of the human brain. On its website HighTech Bridge says its ImmuniWeb “combines the power of Machine Learning and the genius of human brain”. That, in our view, is what computing is all about. Let the computer do what it does well and the human do what it does well. ImmuniWeb performs vulnerability assessment with or without the aid of the customer and then hands its results off to analysts at HighTech Bridge.

From the business perspective, HighTech Bridge is equally innovative. This Innovator’s approach is to provide access to their machine learning portal 24/7. Their delivery method is unique – unlimited customer access. On the technical side, they apply machine learning and neural networks.

This allows them to provide penetration testing but with far less human interaction than is needed for typical complete pen tests. They can employ human pen testing techniques in part by machine learning. Of course, humans need to be involved due to business and legal requirements and the complexity of security testing. That means the machine does the grunt work while the human, with the help of the next-generation computing power, does the thinking.

Staying current always has struck us as a challenge in penetration testing and vulnerability assessment. However, this Innovator takes the approach that there is nothing really new. There may be a few new vectors, but basic attack families change more slowly. They try to make comprehensive collections of possible scenarios. This really is not particularly hard because of the relatively static state of attack types or families. But the problem that is more likely is new vulnerabilities introduced by developers/customers as they update their web apps.

This Innovator tries to share knowledge with specialised groups and talk to partners and customers to gain as much threat intelligence as possible. That kind of sharing, of course, is most useful because not everyone knows everything, as we all realise. We interacted with this vendor on a live production test and the results were excellent. But they were nothing like we expected or had experienced before. That’s innovation in this business.

Vendor High-Tech Bridge
Flagship product ImmuniWeb
Price £392 per assessment (on-demand packages); £785 per month (24/7 continuous packages).
Web htbridge.com/immuniweb
Innovation Hybrid automated and manual web vulnerability assessment and penetration testing using next-generation computing techniques.
Greatest strength Speed and ease with which they conduct their testing coupled with accuracy and superior support.

Intel 471 is an actor-centric cyberthreat intelligence collection capability, headquartered in the USA. They are focused on closed source intelligence collection of financially motivated cyber-criminals and hacktivists. They have teams across the globe who are on the ground in Eastern Europe, Asia and Latin America. Although some companies offer raw indicators or feeds as threat intelligence (“bits and bytes”), in order to shine a light on the adversary’s business process Intel 471 focuses on the individual threat actors and groups that pose a threat to the target organisation and sector.

Intel 471 provides proactive visibility into threat actors and their TTPs (tactics, techniques and procedures), planning, marketplaces and communication networks. The tool is delivered through an online portal that provides information reports, full text searching, alerting, monitoring actors across forums/marketplaces and social network analysis. The format is one consistent with and familiar to intelligence professionals.

There also is an API that allows automated queries by alias/handle, IP address, email address, etc., that can be fed to third-party threat intelligence platform integrations, including Maltego.

The top use case for Intel 471’s intelligence collection is supporting threat intelligence teams with intelligence collection and data in order to support the creation of timely and relevant finished intelligence products for your organisation.

The Intel 471 platform is solid. The idea is to make the platform the de facto tool for actor-centric threat intelligence. Over the past year this Innovator has added alerting, grouping and increased searchability. This gives users a window into the network underground without needing to go into the dark web themselves.

Going forward and ever innovating, the company is adding mass human translations from Russian. One can’t rely on machine translation because of slang. Clients can make specific requests, but then the translation is retained so it’s search once and distribute many. The translation team will begin tagging content and putting it into groups. Expanding tagging goes beyond just reports.

One creative innovation is that Intel 471 is an intelligence company by intelligence people and that drives how they hire. They are beginning to do integration with other companies/platforms, etc. One of their secrets of success is overcoming barriers to entry. They see that as a differentiator. They have an intelligence-driven model. Essentially, this Innovator has taken a government-style intel operation and made it commercial.

Vendor Silobreaker
Flagship product Intel 471
Price Contact company.
Web intel471.com
Innovation Actor-centric cyber-intelligence gathering and reporting in the same way that a government intelligence service would using live intelligence researchers and analysts in the field.
Greatest strength Ease and speed of access to cyber underground actor-centric data that we would have trouble getting anywhere else.
Cyber-threat analysis and intelligence has become a staple of next-generation security tools. However, as a group by itself it contains some of our most noteworthy Innovators. In fact, it is not uncommon for these tools to provide the threat feeds that drive tools that incorporate threat intelligence in their products. Over the past two or three years as these tools have

The methods for collecting data range from screen scraping – the main source for open source – and human intelligence – humint – which requires boots on the ground in the underground forums. This is the main source for

“...its value comes

data on the web. By providing powerful tools and visualisations that analyse data from hundreds of thousands of open sources, Silobreaker enables monitoring and investigating threats, compromises, actors, instabilities, geopolitical developments or any other topic, incident or event. Analysts save

use Maltego (which we do), we can apply the Silobreaker API and add the power of that link analyser and all of the other tools for which it accepts APIs.

Recently, this Innovator added such new topics as actors, malware, email domain vulnerability and expanded
SentinelOne

SentinelOne unifies prevention, detection and response in a single platform driven by machine learning and intelligent automation. SentinelOne EPP (Endpoint Protection Platform) is intended to prevent attacks and detect malicious behaviour across multiple vectors; rapidly eliminate threats with automated, policy-driven response capabilities; and adapt their defences against cyber-attacks.

This was SentinelOne’s second appearance in our Innovators issue. Over the past year, the company showed its ingenuity by adding new features to protect the endpoint from the management side, as well as platforms supported, and added Linux to its agents. The tool sits out of band on the server so there is almost no performance impact. Also, over the past year, SentinelOne became HIPAA and PCI-DSS certified. Finally, the company added new features that allow administrators to group endpoints for applying policies resulting in an improvement in scalability.

Often – usually, in fact – our Innovators don’t restrict their innovation to their technology. We also see creativity in go-to-market and business strategies. One of the things that this Innovator has done in that regard we found extremely creative: the company now offers a cyber-security guarantee that largely targets ransomware. SentinelOne claims to be particularly good at protecting against ransomware.

The company believes nobody offers financial backing for what they sell. “If your product is as good as you say,” this Innovator points out, “guarantee it.” In that spirit, the company offers up to £788 per endpoint to £788,000 per organisation for the cost of remediation of a successful ransomware attack. We found this offer extraordinary, if, perhaps, a bit risky.

What makes this claim less risky? Clearly the company is comfortable with its technology. That comfort, they told us, comes from heavy use of machine learning and no reliance on signatures. To that end, they’ve made big advancements in their behavioural-based engine. The system consists of two layers: static and then behavioural. Both layers are based on machine learning. The tool is very focused on preventing false positives. There are over 12,000 malicious malware indicators in its knowledge base.

Over the past couple of years, SentinelOne has focused on the management interface and supporting significant scalability.

Vendor SentinelOne
Flagship product SentinelOne EPP (Endpoint Protection Platform)
Price £51/endpoint device (one-year licence).
Web sentinelone.com
Innovation While it is clear that the technology is innovative, one cannot help but admire the company’s guarantee of effectiveness against ransomware.
Greatest strength A creative go-to-market strategy that is complementary to and every bit as good as the technology.

Cylance

This is one of our perennial favorites and an SC Lab Approved tool. It also is the pure-play anti-malware product that isn’t. Because most of what the product does is malware-centric on the endpoint, the appearance is that of an anti-malware product. Not taking into account the direction the tool has been moving, that could not be further from the truth.

For example, Cylance was the first company to apply artificial intelligence, algorithmic science and machine learning to cyber-security and improved the way companies, governments and end-users proactively solve the world’s most difficult security problems. Using a predictive analysis process, Cylance quickly and accurately identifies what is safe and what is a threat, not just what is in a blacklist or whitelist. By coupling sophisticated math and machine learning with a unique understanding of a hacker’s mentality, Cylance provides the technology and services to be truly predictive and preventive against advanced threats.

They now are able to include their data science in the tool in such a way as to allow detection and interdiction of non-malware-based threats, such as manual or machine hacking. In testing, we had inadvertently downloaded a new ransomware to a lab computer. Before we could click on it to get rid of it, we noticed that it no longer was on the desktop. One look in the CylancePROTECT quarantine showed us what had happened. It was in there. Cylance identified and quarantined it. Not really a big deal unless you take into account that the compile date on the ransomware was only two days prior.

Cylance has spent a significant portion of the last year thinking about what visibility means. Nobody stops all threats, so what options do they have? The first thrust is to make it so you don’t have to investigate everything. The second is, what do you need to know? That’s not just malware. So, they are building a technology platform called Optics. This allows pre- and post-event info. It acts like a flight data recorder that collects interesting information. This helps understand the scope of the threat and where their scope of control needs adjustment. It maintains a record of what actually happened so you can go back in a forensically interesting depth to find out what happened.

Vendor Cylance
Flagship product CylancePROTECT
Price Call for pricing. One- and three-year subscriptions available per endpoint.
Web cylance.com
Innovation Artificial intelligence for malware analysis.
Greatest strength Its predictive nature that does not require any explicit knowledge of a particular threat.
This is a fairly large section, in part because this is the core emerging marketplace in data protection currently – and for the foreseeable future. The Innovators who have cleared the pathway toward using sophisticated data analytics, machine learning and Big Data are the ones who will define the genre and what it really means to be “next-generation.” Unfortunately, that is a term fraught with hype to the point where, like

We have five Innovators in this category this year and they are different in many ways and alike in many. While some may consider themselves competitors, we can say with confidence that, cost not being an object (these tools can get a bit pricey), we could justify one of each in our lab or SOC.

One of our Innovators performs threat hunting on the wire (dynamic), one on the platform (static), and two are

“To watch and use these tools is to see the future

research recently made available to the commercial market, it is purpose built to empower the cyber hunter and is particularly adept at identifying zero-day threats by quickly deploying constant analytics at large scale.

Because BluVector uses dynamic – on the wire – analysis, we asked why the data stream was better than static analysis on devices. It turns out that there are two problems that need solving: how to advance the organisation’s approach to advanced threats and

cation. Their traction in the market is a result of reaching profitability very quickly: Acuity is only a year old. They believe that this rapid growth proves the value of the technology. Their goal is not to compete with existing infrastructure, but to add value to what is there already. That means integrating in such a way that 1+1=3, enabling customers to orchestrate what they have already to be effective. BluVector integrates with several
When is a honeypot not a honeypot? The answer to that – when it’s the entire enterprise – is the key to this Innovator’s success. In the last couple of years, we have begun to make a distinction between honeypot/honeynets and deception networks. Unlike a honeypot – just a set of devices set up to appear like a real network to induce an adversary to attack – a deception network is all or part of the actual enterprise that is instrumented and protected such that the adversary is allowed to engage and the engagement is captured forensically but does no harm. The benefit is that the adversary does not know that he is being tracked and manipulated.

This is a rather simplistic description. In reality there are lots of flavours of honeypots and deception networks, but for a 100,000-foot view it will do. It also is a pretty good description of what Illusive Networks does. This Innovator uses what it terms “Deceptions Everywhere Technology” to neutralise targeted attacks and advanced persistent threats by creating a deceptive layer across the entire network. This provides an endless source of false information, disrupting and detecting advanced attacks with real-time forensics and without disruption to business.

What makes this Innovator unique? After all, we have had honeypots for a long time. However, Illusive believes that the honeypot concept is not scalable and is expensive to operate. How are they unique from other deception nets? Others are trying to improve the honeypots by using virtual machines as honeypots. Taking a very different approach, Illusive makes every endpoint part of the deception.

The company does it without agents so the deception itself is protected from reversing by the adversary. The adversary must try everything because he doesn’t know what is good and what is not.

Some important features of the Illusive deception network include Attacker View, a sophisticated technology that exposes hidden cyber-attack paths, enabling a view of the attacker’s lateral movement; Wire Transfer Guard, which detects targeted attacks against global wire transfer banking systems; and Advanced Ransomware Guard, which blocks ransomware activity at the source host before it gains a foothold in the network.

The company has, essentially, reinvented deception technology. It takes the perspective of the attacker not the malware. Malware is not the issue. The issue is the attacker behind the malware.

Vendor Illusive Networks
Flagship product Illusive
Price £47 per user per year tiered volume pricing.
Web illusivenetworks.com
Innovation Took deception from honeynets to fully transparent deception networks.
Greatest strength Took deception from honeynets to fully transparent deception networks.

Previously we used an early version of ProtectWise with excellent results. The product provides a pervasive view of the network, incorporating analytics and an interesting, eye-catching interface that enables threat hunting and incident response. The tool is deployed using network sensors on critical segments of the enterprise. These segments are monitored for their network connectivity between parts of the enterprise or the enterprise and the internet. The sensors optimise collected data and ship it to the Visualiser in the cloud where it is analysed and displayed on a heads-up display rather than the usual dashboard. This unique display is eye-catching and attracts the analyst’s attention to important events occurring on the enterprise. The company has branded its tool set the ProtectWise Grid.

This is the second year we’ve looked at this Innovator and over the intervening year the company has transitioned to full production and heavy marketing. ProtectWise now has a crystallised vision of how its disruption is going to come together. When asked about differentiators, reps told us that the company is bringing a utility model to the market through its cloud. This allows organisations to transition the siloed servers in the security stack to the company’s model, thus allowing, in addition to real-time analysis, retrospection.

Integration with third-party tools combines network visibility with the endpoint through integration with such vendors as Carbon Black. To accomplish this, the tool has a very integration-friendly API. This facilitates feeding a suite of indicators including in-house research, best-of-breed threat indicators and customers’ bring-your-own-intelligence.

Called context fusion, these combine an intelligence bucket made up of forensic, workflow and remediation buckets. Improved depth of analysis results from expanded machine learning, a TCP library and open-ended enquiry that supports hunting. The tool scales well and data searches are very fast over Big Data.

This is, most certainly, a next-generation tool for context-based, real-time threat hunting on the wire. With the heads-up display, network operations centre engineers are presented with a quick way to identify events on the enterprise and begin the analysis and response necessary to protect the network.

Vendor ProtectWise
Flagship product The ProtectWise Grid
Price The ProtectWise Grid is a subscription service. Pricing is tiered and based on the amount of network traffic ingested and the length of time network data is retained for retrospection.
Web protectwise.com
Innovation A kill chain approach to detecting and analysing events within the range of its sensors and making those events visible immediately along with the analytics necessary for a deeper dive into the event.
Greatest strength The heads-up display is completely unique. Rather than minimising the capabilities of ProtectWise to a “pretty face,” the display is designed to draw immediate attention to events that need attention and facilitates efficient hunting and remediation.
PacketSled

PacketSled is, usually, a SaaS tool but there is an on-premises version as well. We especially like the support feature that consists of clicking a button on the desktop to open a chat session with an engineer. We never have seen that level of support response in any of the products we have reviewed and it provides a real benefit both to new users and experienced users with a difficult problem.

Another feature that we like is the query language that lets users focus in on issues that may be related to an event in the enterprise. The core that supports that query language is Bro, the network analysis framework. The queries are simplicity themselves to write, but if you don’t quite have the knack of Bro yet, the query manager has an autocomplete function to help you along.

PacketSled has multiple screens, each with a particular function. The main screen is the overview and it shows a comprehensive picture of sensor activity. From this screen, users also can open cases set up in the Investigator screen. It is on the Investigator screen where users can initiate queries that can be in the Bro-like query language, which resembles regular expressions. Additionally, there are automated captures that look specifically for such things as suspected command-and-control servers accessing (or being accessed by) your enterprise.

But the system is not limited to pre-packaged indicators. You can set your own kill chains. For example, you might be looking for SSH probes where the attacker is trying to guess passwords coming from a particular geographic location. Once you set that up, you can designate the alert level. Overall, this is a very complete package. It not only provides alerts that users can customise, it is an analyst’s tool that we could not function on our honeynet without.

What’s coming? More and deeper analytics of course. You never can have enough of that. Also, enrichment, such as full export and import of Stix profiles – a particular hot button for us – and more visualisations. With all of that, this Innovator is carving its place in the marketspace in high style.

Vendor PacketSled
Flagship product PacketSled
Price Pricing is consumption based.
Web packetsled.com
Innovation Applying advanced analytics to threat hunting and evolving an analyst’s tool into an analyst’s tool that also has very strong monitoring, detection, case management and alerting functions.
Greatest strength Strong analytics and versatility.

Sqrrl

While this Innovator didn’t exactly coin the term “threat hunting,” it certainly has given it form and substance. By developing its Threat Hunting Reference Model, Sqrrl has taken the first step to formalising the threat hunting process. Since it has built its product around this model, it has an excellent start on a commanding place in the market. Many of the Sqrrl team are scientists from NSA so, as one would expect, the technology and data science is sound. The model is unusual in that it has begun to define the threat hunting process and it has come from a relatively unknown – at the time it was introduced – company.

Models such as these generally are viewed as self-serving marketing hype. Having spent much of our time in threat hunting, we can attest that such definitely is not the case here. The model – which includes a maturity model – is solid as a threat hunting framework and it makes a lot of sense to those of us who have been doing the steps in the model for some time.

Sqrrl installs on a Hadoop cluster and can be hardware or cloud-based. This is Sqrrl’s second year in our Innovators issue and over that year it has been busy continuing its innovation. The company has added new functionality since last time we looked at it. They have improved their built-in analytics to provide additional observation as to where to take the hunt. And they are continuing to expand on views of adversarial behaviours to determine which users, user accounts, etc., are at risk based on observation.

Further, there is a new focus on workflow. Sqrrl sees hunting as a collaborative activity so it is adding ways for analysts to tag and annotate for other analysts. The developers are spending more time in the DNS space, leveraging DNS for tunnelling, command and control, etc. The adversary is using DNS so defenders must understand what they are doing, how to identify their actions and defend against it. This tool is purpose-built for threat hunting.

As the company that is building its future on the concept of threat hunting, our obvious question for them was, “How’s this threat hunting thing working for you in the marketplace?” The answer was unequivocal: “Extremely well. Threat hunting is more than indicator search. It includes sophisticated analytics and visualisation. We’re beginning to see budgets assigned to hunting.”

Vendor Sqrrl
Flagship product Sqrrl Threat Hunting Platform
Price Starting at £19,700.
Web sqrrl.com
Innovation A formalised approach to threat hunting.
Greatest strength A solid product built in support of a structured framework for threat hunting.
SC • Buyer's Guide 2017 • www.scmagazineuk.com
Buyer’s Guide 2017 Industry Innovators
It's pretty hard to defend what isn't there. We won't go so far as to imply that the perimeter is gone – yet. However, the fact is that there always will be a perimeter. What it will look like – well, that may be something else entirely. We have written before that protecting the data is

perimeter. For example, when a bank puts up a customer portal for an online banking system, it reaches back into the network for the backend data storage.

But does this mean that we have scrapped the perimeter? Our Innovator in this section certainly doesn't think so. There are core issues that have clear perimeter functionality without being pe-

“The perimeter is not

This Innovator concentrates on the mobile device as the putative perimeter of the enterprise, regardless of where the data actually resides. The company takes the position that the traditional network perimeter is moving out to the mobile endpoints. This trend is collapsing the network core to be the hub between endpoint hosts; data cen-

security-enhanced MDM, PKI/certificate authentication, content filter, intrusion prevention/anti-virus, and containerisation (application wrapping) and mobile threat detection. All traffic to and from mobile devices is routed through a secure 256-bit, certificate-authenticated IPsec VPN connection. As the network becomes more porous and sensors more
Risk and policy management is a necessary evil (common misconception: while it is necessary it does not need to be evil). The problem with risk and policy management that makes it seem evil is that it can be very tedious. We looked at several risk and policy management products and we found

are (host, operating system, applications, communications, etc.). Then we need to track vulnerabilities in these assets. We cannot trust a once-per-year pen test

“It's really a ‘kinder

MetricStream is a provider of enterprise-wide governance, risk, compliance (GRC) and quality management applications. The company is innovative because it believes that it needs to be. GRC didn't exist as a regulatory issue when the firm was created. As well, it is not a point problem or a technology problem. GRC

more of their customers moving to their cloud from on-premises deployments. Their cloud offerings have no co-mingled data and that is innovative, as anyone who has used a cloud-based service knows. The philosophy here is: be simple, pervasive and deliver on the hybrid cloud.

This Innovator is addressing
This is a tough category to define because it changes as the underlying infrastructure changes. We have gone from mainframes to large-scale Unix to hardware-defined data centres, to software-defined data centres to the cloud. To a certain degree, all of these are present today and, in addition, we have hybrids that include two or more of these paradigms. Along with the changes to the underlying architectures the security stack protecting them needs to evolve.

In this issue's Security Infrastructure section,

security for the network infrastructure and separate security for the application layer, these products – especially when it comes to defending an ERP system – take a completely integrated seven-layer approach.

The reason, more or less obviously, is that applications are so tightly interwoven with the hardware and communications architecture that it is difficult to address, effectively, the network model in layers. We are reaching an all-or-nothing world when it comes to deploying a security infrastructure. For example, ERP

The Onapsis Security Platform (OSP) is an SAP security tool that combines vulnerability, compliance, detection and response capabilities that traditional security solutions do not provide in this environment. Through continuous monitoring, OSP provides a near real-time preventative, detective and corrective approach for securing SAP systems and applications. It can be deployed on-premises or in a private, public or hybrid cloud en-

apply virtual patches. It scans automatically and can, if configured, push patches. For Onapsis this has been a year of change: increasing the number of employees, receiving investment and moving to a new facility. Additionally, the company now supports the cloud and is a founding member of the Cloud Security Alliance (CSA).

Developing threat intelligence on SAP-specific exploits has been a differentiator. Its innovation stretches to vertical
TSFactory is a software development company focused on remote session monitoring and recording. This Innovator embraces the idea that the cloud is here to stay. It also believes that security tools for the cloud and remote access tend to lag behind and are always trying to catch up. The solution, says this Innovator, is to provide the security and auditing tools that can help customers feel safe. With this in mind, they are moving more into the auditing area and also are moving toward gateway appliances.

As part of its go-to-market strategy, the company is partnering with large cloud providers with unique challenges to face. That lets them tailor products to the market and help cloud providers overcome those challenges. One of TSFactory's strongest innovations is that it is able to re-tool rapidly to meet new challenges. The company is able to do these changes in 24-48 hours because they are lightweight and can make changes in hours rather than months. To meet that challenge, though, this Innovator had to update its architecture to support rapid change. This is an almost unprecedentedly fast turnaround. That is innovative, for certain, but how scalable is it? Very, because one change usually can propagate widely in the customer base.

This almost is as if TSFactory had a captive team of market researchers feeding it new requirements based not on a perceived need but on real, actual requirements. If one cloud provider has a particular problem, many do. That means that a fix for one is extensible to many others. That approach offers real economies of scale. The company also worked aggressively with cloud providers to meet their needs; for example, updating licensing to fit the cloud provider paradigm.

Performance is a big challenge as past tools are too slow for real-time auditing. Another major challenge is data reliability. Obviously, one can't afford lost data. Dropped packets are an example of one way to lose data. This is not just an issue of ramping up wire speeds; there are lots of other factors that contribute to performance-related data loss. That means that this Innovator is constantly trying to accommodate faster standards. For one, it changed up its databases and used multi-stage buffering. This has made a big difference in performance without depending on driving up wire and interface speeds. They intercept all traffic so nothing can get around them. Since they are in-line, they use buffering that allows them to approach real-time analysis.

Vendor: TSFactory
Flagship product: RecordTS
Price: £1,021
Web: tsfactory.com
Innovation: Building a system to monitor remote sessions in the cloud based explicitly on the stated requirements of large cloud providers and extending that to its entire market.
Greatest strength: Ability to turn on a dime to meet customer challenges.

Many years ago, there was a theory roaming around the info sec community that all we had to do was encrypt everything and we'd be safe. No need for any other protections… just encryption and all would be right with the digital world. That never materialised – until now. The fact is that at the time that theory was proposed the way forward to deploy it was still shrouded in mystery. The key, as it turns out, is identity defined networking (IDN), and this Innovator has built a business around it.

Identity-defined networking effectively brings identity to the network and endpoints and allows central management of these identities in a dynamic and scalable way. An IDN is an encrypted overlay network that transcends traditional segregation mechanisms, such as VLANs, VPNs, MPLS, and addressing schemes. Well, it's not quite that simple, but close. The key, as one would expect, is encryption. The assets are identified cryptographically and only certain assets are allowed to communicate with them. By defining the communication groups, you define a collection of IDNs. If an asset – or an intruder – is not in a particular IDN, it cannot communicate with any of the assets in the IDN. Additionally, communication is via a special protocol called host identity protocol (HIP). All communication is based on a cryptographic exchange prior to data transfer.

This Innovator overcomes the problem of updating access control lists (ACLs), etc., by using host identity protocol to assign a unique host identity to each asset on the network. This makes it very hard to penetrate. It also blunts phishing: the user's access to certain assets is restricted by his asset's allowed access, so a phisher who has harvested a credential but is not operating from an enrolled asset cannot spoof his way in. (Malware running on an enrolled asset still inherits that asset's allowed access, so the protection is against misuse of stolen credentials from outside the IDN, not against compromise of the endpoint itself.) Because this is completely software-based, deployment takes seconds instead of weeks per device and it's verifiable and easily auditable. IDNs dramatically reduce the attack surface by reducing lateral movement.

Tempered Networks has a host identity protocol (HIP) client for Windows and is working on Mac and Linux clients. The HIP switches are proxies for devices that cannot protect themselves. This Innovator also has the HIP chip that can be embedded in IoT devices. A staffer at this Innovator told us that getting the market to adopt HIP, more than selling products, is a primary driver.

Vendor: Tempered Networks
Flagship product: Identity-defined Networking
Price: £19,711
Web: temperednetworks.com
Innovation: Identity-defined networks.
Greatest strength: Ability to apply IDNs in just about any network environment from industrial control systems to IoT and back-office LANs.
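The identity-defined networking model described above (cryptographic host identity, group membership deciding who may talk, a key exchange before any data flows) as an added example. This is illustrative code written for this page, not the article's or Tempered Networks' own, and it does not implement the HIP base exchange itself. It assumes Ed25519 keys, a Host Identity Tag formed by truncating a SHA-256 digest of the public key, and a single nonce-signature challenge in place of HIP's I1/R1/I2/R2 exchange; the addresses and the group name ics-cell-a are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HIT is a Host Identity Tag: a digest of the host's public key. Real HIP
// derives a 128-bit ORCHID (RFC 7401); truncated SHA-256 is a stand-in here.
type HIT string

func hitOf(pub ed25519.PublicKey) HIT {
	sum := sha256.Sum256(pub)
	return HIT(hex.EncodeToString(sum[:16]))
}

// Host is an asset with a long-lived identity key; IP plays no part in policy.
type Host struct {
	IP   string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewHost(ip string) *Host {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand: error only on a broken platform
	return &Host{IP: ip, pub: pub, priv: priv}
}

// Policy maps each IDN (group name) to the HITs allowed to talk inside it.
type Policy map[string]map[HIT]bool

func (p Policy) SameGroup(a, b HIT) bool {
	for _, members := range p {
		if members[a] && members[b] {
			return true
		}
	}
	return false
}

// Hello is the initiator's reply to a nonce: the claimed public key plus a
// signature over the nonce proving possession of the matching private key.
type Hello struct {
	Pub ed25519.PublicKey
	Sig []byte
}

func (h *Host) Answer(nonce []byte) Hello {
	return Hello{Pub: h.pub, Sig: ed25519.Sign(h.priv, nonce)}
}

// Admit is the responder side: verify key possession, derive the peer's HIT,
// consult the policy. The source address is never read, so spoofing it is useless.
func Admit(pol Policy, responder *Host, nonce []byte, hello Hello) (bool, string) {
	if len(hello.Pub) != ed25519.PublicKeySize || !ed25519.Verify(hello.Pub, nonce, hello.Sig) {
		return false, "rejected: peer cannot prove possession of the claimed key"
	}
	peer := hitOf(hello.Pub)
	if !pol.SameGroup(peer, hitOf(responder.pub)) {
		return false, "rejected: HIT " + string(peer) + " shares no IDN with the responder"
	}
	return true, "admitted: HIT " + string(peer)
}

func newNonce() []byte {
	n := make([]byte, 32)
	rand.Read(n) // crypto/rand: error only on a broken platform
	return n
}

// Handshake runs one fresh nonce challenge from responder to initiator.
func Handshake(pol Policy, responder, initiator *Host) bool {
	n := newNonce()
	ok, _ := Admit(pol, responder, n, initiator.Answer(n))
	return ok
}

// Scenario builds a constructed two-member IDN and returns four decisions: enrolled peer;
// same peer after an IP change; outsider on the peer's old address; outsider presenting
// the peer's public key but signing with its own key.
func Scenario() (legit, moved, outsider, forged bool) {
	plc, hmi := NewHost("10.0.5.20"), NewHost("10.0.5.30")
	intruder := NewHost("10.0.5.30") // same address as hmi, no enrolled key
	pol := Policy{"ics-cell-a": {hitOf(plc.pub): true, hitOf(hmi.pub): true}}
	legit = Handshake(pol, plc, hmi)
	hmi.IP = "192.168.77.4" // the asset moved; its identity did not
	moved = Handshake(pol, plc, hmi)
	outsider = Handshake(pol, plc, intruder)
	n := newNonce()
	forged, _ = Admit(pol, plc, n, Hello{Pub: hmi.pub, Sig: ed25519.Sign(intruder.priv, n)})
	return
}

func main() {
	legit, moved, outsider, forged := Scenario()
	fmt.Printf("enrolled: %v  moved: %v  outsider: %v  forged: %v\n", legit, moved, outsider, forged)
}
```

Run it with go run: the enrolled peer is admitted before and after its address changes, while the outsider is refused whether it arrives from the peer's old address or presents the peer's public key without the matching private key. That is the property the review credits to IDNs: membership follows the key, not the address an ACL would match on.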
These are two sides of the same coin. On one side, we have security for the virtual, or software-defined, data centre. On the other, we have security for cloud-based systems. The two are the same but different. They are the same in that they both work in a virtualised environment. They are different in that they have somewhat different challenges to address. In a local software-defined data centre there is complete control and the

“...the clear future of

breach in a public cloud is severely limited by contractual constraints. The solution to this set of challenges is the virtual network equivalent of a software wrapper. You wrap the virtual environment in the public cloud in a layer of protection and administration that, effectively, cuts off the virtual enterprise from those virtual enterprises sharing the same cloud infrastructure.

Our two Innovators in this section address the two sides of the virtual

change, but also be able to close the gap between traditional security technology and a sophisticated threat actor's ingenuity. In order to address that ingenuity, innovators need to be equally – or, perhaps, a bit more – ingenious. The GuardiCore Centra Platform provides a single, scalable platform that covers five elements of effective data centre security: visibility, micro-segmentation,

the industry in which it works to be innovative. It is driven by the complexity of the environment. Niches no longer work. One needs a highly connected approach. There are no simple solutions. We liked that approach.

Here is a case where the industry and the creativity of the adversary are the predominating drivers. In our experience, that is a pretty good formula for success as long
Buyer’s Guide 2017 Hall of Fame
vArmour describes itself on its website as being a “distributed security system that provides insight and control for multi-cloud environments...vArmour microsegments each application by wrapping protection around every workload – increasing visibility, security and operational efficiency.”

That's a pretty big order. What we found as we looked into this Innovator is that it does a good job of meeting that marketing statement. How? vArmour learned some unique and important lessons from the evolution of the public cloud: show value quickly, kill adjacent product interactions by segmenting, deploy quickly, and illustrate value. To accomplish these goals, the company is infrastructure agnostic. That allows it to be more flexible. This Innovator believes that security should be as portable as the applications. So, it focused on taking out what is not necessary and making its product more efficient and more secure.

Networks usually have been built incrementally and that adds complexity and leaves the networks insecure. This is especially true in the “multi-cloud” (public and private) environment. So, to address that complexity, vArmour has created an abstraction layer that lets customers straddle both kinds of clouds. Built for virtual and cloud environments, this is purpose-built software designed specifically for virtualised and multi-cloud environments that uses a single logical system consisting of multiple, autonomous sensors rather than agents. These sensors are connected through the vArmour Fabric, which shares information and context across the system.

The system arbitrarily redirects devices to a deception point, which allows the use of very few actual deception points and ties segmentation to deception. The tool views deception as a capability of the overall security stack rather than a standalone product.

vArmour customers are focused on protecting workloads in such industries as health care, financial services and government. Only 3.5 years old, the company has been shipping product for two years. Shipping products after only a year and a half of development requires innovation and vision – both on the technical side and on the business and marketing side. Entering a new market struggling to find its way, as the cloud market space is, requires an immediate development of trust and confidence on the part of prospective customers. vArmour has done as good a job of this as it has in developing its product which, by the way, is in its third major release.

Vendor: vArmour
Flagship product: vArmour Distributed Security System (DSS)
Price: Starting at annual subscription of £3,900 per hypervisor for base functionality.
Web: varmour.com
Innovation: Multi-cloud security stack using microsegmentation.
Greatest strength: Vision and ability to get ahead of the market and stay there by understanding the nature of the cloud as well as their technology.

We expect that it is the last time for a while that we will be able to use the bad pun about this Innovator being in the Catbird seat. Bad pun or not, though, that certainly is where this Innovator is sitting now. Catbird didn't invent microsegmentation, but it has built a solid business on the concept. This allows more fine-grained security management than simply placing controls at the perimeter. The product was designed from the ground up for virtualised environments and it has two parts: the Virtual Machine Appliance (vMA) and the Control Center (CC). Both are, as one would expect, virtual appliances.

The vMA installs on the hypervisor and the CC is deployed as a separate virtual machine. The microsegmentation allows visibility at the virtual machine level. Because it has this visibility, it can see lateral traffic across the virtual enterprise. While it also sees traffic into and out of the virtual environment, the lateral movement is, perhaps, most useful to defenders. The fine-grained security policies allowed by microsegmentation help pinpoint possible malicious activity, potentially down to the individual device level.

This Innovator is beginning to spread its wings into other cloud and virtual platforms. The company was born and raised in the virtualised private cloud but now its customers are asking for broader coverage. Customers want to have coverage on all platforms, agentless where possible, but using lightweight agents where necessary. The eventual goal is to cover virtual, physical and private cloud environments.

Additionally, Catbird Security has increased the level and depth of its analytics using its unique trust zone constructs. That means, among other things, looking for anomalies measured against statistical norms on the systems. Catbird already has done a lot of workload analysis and now is adding more analytics. This is just another example of how this Innovator responds to customer demand. It already has high quality of correlated data and has a clear topological view of the virtual enterprise. The long-term goal is to knock down the virtual wall between the NOC and the SOC, giving security engineers and IT/network engineers a complete, correlated view of the entire enterprise. This will promote collaboration and lead to more rapid control of security incidents.

Vendor: Catbird
Flagship product: Catbird Secure
Price: £1,970 - £3,200 (average) per hypervisor. Pricing varies based on environment size, platform and third-party integration option.
Web: catbird.com
Innovation: Application of microsegmentation across the cloud and use of analytics, all of which can lead to a security environment for hybrid data centres.
Greatest strength: Vision and the ability to act on it over a sustained period.
We have been following Good Technology for some time. The company's product mimicked the BlackBerry Enterprise Server approach and developed the same kind of implementation for other platforms. It also allowed running apps behind the firewall. Now, BlackBerry has acquired Good Technology and – excuse another bad pun, please – that looks very good for BlackBerry. This was one of those very nice matches where both parties contributed to the mix. BlackBerry has traditionally focused on command and control while Good Technology traditionally has focused on containerisation of applications.

BlackBerry has taken Good Technology's products and technology and integrated them into new releases. Of course, there are a few Good Technology components or products that still stand alone, but the current offering is mostly BlackBerry. BlackBerry believes that taking the two product lines together forms best of breed for mobile device management and the best of breed for application security. The new products are, as one would hope, device agnostic. Probably the best part from the mobile device user's perspective is that complexity is abstracted away from users. Such things as VPNs, which can be so troublesome to use and keep connected, now are handled automatically.

BlackBerry of late has focused on its software, which has a lot more applications than mere smartphones. For example, it is being used today to track over-the-road trucks. That is just one example of how BlackBerry can extend its – and Good Technology's – innovations into a wide variety of applications and markets. Its software also has done well in reviews so it is pretty clear where this Innovator is headed.

For today's enterprise, this acquisition allows BlackBerry to provide devices and a software platform that enables and manages security, mobility and communications between and among hardware, programs, mobile apps and the Internet of Things. Addressing the Internet of Things can be a challenge, but certainly considering the Good Technology containerisation scheme, it is not an impossible task. BlackBerry has seen its share of challenges over the years, but it is the mark of an Innovator that it sees adversity as an opportunity. BlackBerry clearly saw things from that perspective and never looked back.

Vendor: BlackBerry
Flagship product: Good Secure EMM Suites
Price: Starting at £2 per user per month.
Web: us.blackberry.com/home.html
Innovation: Combining the containerisation of Good Technology with the command and control of BlackBerry Enterprise Server into a new and more effective security tool.
Greatest strength: Vision and persistence.

When we first met PhishMe we thought that the name was a bit curious. However, the premise behind the company at the time was interesting so we began following it. At the time, this Innovator was largely involved in anti-phishing training. Because that threatened to become a commodity, the company started looking for ways to enhance its services. That led to offering, as part of its training, testing in the form of crafting phishing emails and sending them to clients' employees. For those who “bit,” PhishMe then would provide some additional coaching. It became a sort of closed loop training. One thing that assuredly has contributed to the company's success is that it can point to documented results. It has trained millions of employees worldwide.

The company has developed its Simulator product, which uses behavioural conditioning to train employees how to detect and avoid phishing emails. Simulator is provided as a cloud-based conditioning platform. The tool generates customised phishing attacks simulating a variety of attack techniques including spear phishing, social engineering, malware and malicious attachments, and advanced conversational phishing.

The Reporter lets employees, having detected a phishing email, report it through their own chain of command. This helps administrators block phishing sites and lower the prevalence of phishing, spear-phishing and whaling. It also is effective against malware and other types of attacks that are delivered or triggered by a phishing email. This is a pretty big deal since a very high percentage of successful breaches are the result of responding to phishing.

PhishMe now has over 300 employees worldwide and has opened several offices around the world. An important step in its evolution, PhishMe acquired Malcovery for its cyber intelligence-gathering capability and folded it into PhishMe as its intelligence arm with a significant international flavour. Triage – introduced last year – has grown very well and is evolving into a workbench for analysing phishing attacks and messages. Along the way, this Innovator is creating new analytic modules and automating. Meanwhile, it is making enhancements to the Reporter and working on a mobile edition. PhishMe continues enhancing its natural language processing to allow it to cluster similar emails for analysis.

Vendor: PhishMe
Flagship product: PhishMe Simulator & Reporter
Price: PhishMe Simulator is priced based on the number of users in an organisation. Reporter is included at no additional cost.
Web: phishme.com/product-services/services/
Innovation: An evolving platform for combatting phishing attacks using techniques that were the forerunners in the field.
Greatest strength: Application of behavioural conditioning along with a variety of other tools and techniques to address phishing and its consequences.
Buyer’s Guide 2017 TOMORROW’S SOLUTIONS
Pwnie Express
This Innovator has a very interesting history that, perhaps, could not really have predicted where it would end up today. The earliest Pwnie Express tools were for remote pen testing from inside the network. Today, of course, that still exists, but there is a lot more to the Pwnie Express lineup. Its tool set provides continuous monitoring and detection, identification and classification of wireless, wired and Bluetooth devices. All of this data, gathered from a

During testing in our lab, we found the products very easy to work with. Participating in a deployment at a financial services organisation – across multiple locations – we found that deploying and tuning was straightforward. The sensors come in a couple of versions. One is small and simple – about the size of a large, square hockey puck. The other is a small-footprint desktop device. The larger – the PwnPro – has the space to add to the software in it