017

2 ER’S
UY
B IDE
GU

HOW MUCH CAN TOP TEN TOP

YOU GET? INFLUENCERS INNOVATORS
Our information security The most influential people SC’s guide to the
salary survey sheds light in cyber-security in Europe most innovative vendors
on the state of play over the past year of last year based on
in terms of hiring and our own lab testing of
remuneration new launches
 TOMORROW’S SOLUTIONS BUYER’S GUIDE 2017
Vulnerability and Threat Management

W
Editorial
VP, EDITORIAL
Illena Armstrong
elcome to the SC by its broad capabilities for
illena.armstrong@haymarketmedia.com
Do more with the Skybox® Security Suite EDITOR-IN-CHIEF
Media UK Buyer’s vulnerability and threat
Tony Morbin Guide 2017, management and risk and policy
tonymorbin@haymarket.com
DEPUTY EDITOR produced in association with management, declaring it one of the
• Comprehensive attack surface visualization across Tom Reeve
tom.reeve@haymarket.com Skybox® Security. most versatile and flexible products
physical, virtual and cloud networks VULNERABILITY
REPORTER
CONTROL Max Metzger On behalf of that they’ve seen.
• Continuous threat–centric vulnerability intelligence max.metzger@haymarket.com
Skybox Security, We hope that
ONLINE COMMUNITY MANAGER
from the Skybox® Research Lab Roi Perez we are delighted reviews like this
roi.perez@haymarket.com
• Context–aware vulnerability prioritization TECHNOLOGY EDITOR to share with you and others will shed
Peter Stephenson
Production SC’s independent- light on solutions
ART DIRECTOR
Michael Strong ly assessed top ready to help you
michael.strong@haymarketmedia.com
THREAT
PRODUCTION EDITOR
innovators in overcome challenges
MANAGER Danielle Correa
danielle.correa@haymarketmedia.com
information security no matter the age or
PRODUCTION ASSISTANT products 2017, tested maturity of your pro-
Jamie Whittington
jamie.whittington@haymarket.com in SC’s own labs by gramme—whether
Events
EVENTS COORDINATOR SC technology editor you’re struggling with
Sophia Edie
sophia.edie@haymarket.com Peter Stephenson, former CISO of fundamental issues such as visibil-
List Rental
Alex Foley Norwich Defence University, and ity or resource shortages, or you’re
+44 (0)20 8267 4964
HORIZON his team. looking for advanced tactics and
Back Issues
John Denton
+44 (0)1733 38 51 70
This publication features a selec- gaining strategic intelligence.
Advertising tion of the entrants considered to Of course, the Buyer’s Guide isn’t
VP, PUBLISHER
David Steifman be the most innovative. The full list just about products, but people
david.steifman@haymarketmedia.com
DIRECTOR, GLOBAL SALES of products tested in each category too. For that reason the guide also
Dennis Koster
+001 646 638 6019 can be found at includes both SC’s Salary Survey
dennis.koster@haymarketmedia.com
ACCOUNT DIRECTOR www.scmagazineuk.com. – to provide an indicator of remu-
Mar tin Hallett
+44 (0) 20 8267 8280 And in a special product high- neration levels across the industry
mar tin.hallett@haymarket.com
Marketing
light, we are proud to feature the in a variety of roles and vertical
MARKETING DIRECTOR
Karen Koza
original independent SC reports on sectors – as well as SC’s Top Ten
karen.koza@haymarketmedia.com
the Skybox® Security Suite as they influencers for the past year, rang-
Publishing
PUBLISHING MANAGER appeared in SC Magazine UK in ing from legislators and activists to
Gary Budd
CHIEF EXECUTIVE June and November 2016. Prior to researchers.
Kevin Costello
How to contact us:
production of this Buyer’s Guide, Gidi Cohen
SC Media UK, Haymarket Management Group, Bridge
House, 69 London Road, Twickenham, TW1 3SP, UK the SC labs examined the Skybox CEO and Founder
www.skyboxsecurity.com TELEPHONE: +44 (0)20 8267 8016
PRESS RELEASES: tom.reeve@haymarket.com Security Suite and were impressed Skybox Security

Evolve and see what you’re missing. Published by Haymarket Media Group, Bridge House, 69 London Road, Twickenham, TW1 3SP, UK. No part of this publication may
be reproduced in whole or in part, or stored in a retrieval system, or transmitted in any form, without written permission of the publisher.
All material published in SC Media™ is copyright © Haymarket Business Media. The views expressed by contributors and

Enable more accurate vulnerability prioritization using multiple correspondents are their own; responsibility for the contents of the magazine rests solely with the editor. All rights reserved. All
trademarks are acknowledged as the property of their respective owners. While every care is taken, the publishers cannot be held
Haymarket is certified by BSI to
environmental standard ISO14001

factors to assess criticality. Give security teams the insight to

legally responsible for any errors in articles or listings, nor can they be held legally responsible for any injury and/or damage to persons
or property from any use or operation of any methods, products, instruction or ideas contained in the material published herein.

focus on imminent and potential threats.

3
Vulnerability and Threat Management | Security Policy Management | Attack Surface Visibility SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Buyer’s Guide 2017 Industry Innovators

2017 Salary survey:

How much
few weeks of the year,” he says.
Phillipson adds that he hasn’t
seen a noticeable change

can you get?

in salaries yet, but predicts
that as his clients are more
frequently competing for the
same candidates, we will see
“an increase in compensation
and an increase in demand for
SC has interviewed some of the leading recruitment firms contractors”.
in the sector for its IT security salary survey which sheds light He adds that over the last
on the state of play in terms of hiring and remuneration. year, and judging by the
Read on to see if you are getting your dues amount of hires his firm’s
key clients made year on

T
here has never been a better
time to work in the IT security
business. Primarily because the
threats are growing ever bigger
with data breaches, nation state hackers
and ransomware. It is of little surprise that
organisations of all sizes are in need of IT
security professionals. But filling those roles
is becoming more and more difficult for
employers.
Our IT security salary survey has
revealed that salaries for infosec
professionals have risen over the last
twelve months by around six percent.
Karla Jobling, director at recruitment
firm Beecher Madden says that demand
is increasing as more companies build
cyber-teams to fight ever more data
breaches and other security incidents.
“Demand is part of the reason for the
increase in salaries but the other factor is
a focus on the quality of candidates. Many
companies who already have cyber-de-
fence teams will now pay a premium, but
only for the best people,” she says.
She adds that demand has increased
over the last year and consulting firms are
still growing and end-user companies are
building out their teams. “Vendors are also
still in growth mode and have a variety of
opportunities available,” she adds.
Glyn Phillipson, head of cyber-secu-
rity and payments technology at Nicoll
Curtin, a global FinTech and Change
recruitment agency, says that demand
for cyber-security professionals has been
constant over the last twelve months
when many of his firm’s clients were
doing little to no hiring elsewhere.
“Q4 is normally a quiet time for
hiring, but there was a constant demand
until Christmas and even in the first
year, there has been a large
increase in requirements
and “interestingly a swing
back to the UK from
offshore locations”.
Skills shortage
Martin Ewings, director of
regional sales and specialist
markets at IT recruitment
firm Experis UK & Ireland,
believes that demand is at
“an all-time high”. He adds
that recent research revealed
that the most sought-after
skills in this area are CISSP
(Certified Information
Systems Security
Professional), SIEM
(Security Information
and Event Management),
IAM (Identity Access

4 5
SC • Buyer’s Guide 2017 • www.scmagazineuk.com SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Buyer’s Guide 2017 2017 Salary survey

Management), ArcSight, penetration testers lack of available talent, employers are Qualifications and the ability to apply book-learning to real
and biometrics. having to show flexibility on years of getting into the industry world situations are even more important.
“However, there is an increasing experience, qualifications and industry The shortage may be pushing up salaries Security never stays still so everyone must
shortage of talent with these skills – just exposure, according to Phillipson. He adds in the short term, but qualifications will be learn on the job, with the best people being
103,000 people worldwide hold a CISSP, that “ideally, an employer will require a important, even at entry level, says Jobling. able to keep up to date technically whilst
one of the main cyber-security certifica- certain level of certification and education “Having taken a qualification shows applying that acquired knowledge to the
tions,” says Ewings. but compromises are being made.” their dedication to this career path and business risks in the organisation(s) they
Business are having a tough time filling Darren Anstee, chief security technologist these candidates are getting jobs ahead work within,” he adds.
IT security roles and thus, says Ewings, at Arbor Networks, says that while there is of candidates without qualifications. The infosec industry continues to
businesses are willing to pay more to bring a shortage of security professionals and this At a more senior level, experience is attract young people into the fold.
in the right people with will apply upward pressure more important than Jobling said that for
the right skill sets and on salaries, what must be qualifications, although someone getting into
experience. He points taken into account here we are seeing some cyber-security now, at
to research carried out is that most organisations companies make a CISSP school, university or
by his firm that revealed are not in the business of mandatory,” she says. post-grad level could set
that the average salary ‘security’ and “thus paying But Ewings says that themselves up for a great
for permanent IT higher rates for expertise infosec isn’t always about career. “Girls should also
security professionals outside of whatever their having the right qualifica- consider cyber-security
now stands at £58,003, core business happens to tions. as a career more than
up 7.95 percent on last be is not something they “Talent can come in they do. The roles are
year’s figures. He says really want to do”. many forms, and it’s varied, not just technical
that IT security day rates “Many organisations, important for businesses and the industry really
are also on the rise – up if they can, will opt for to look for individuals does want to have some
Darren Anstee, Martin Ewings,
4.98 percent year-on-year chief security technologist, managed security services with the aptitude and director of regional sales and diversity,” she says.
(£443 on average), as Arbor Networks rather than scaling up their enthusiasm to learn new specialist markets, Phillipson says that
Experis UK & Ireland
many companies turn to own teams if this works for skills, and then give IT security is a rapidly
short-term contractor support to help plug them from a cost / risk perspective,” he says. them the relevant training and freedom to growing and ever more important part
the gaps. Jobling says the shortage of trained experiment with new technologies. This of all business now. “For young people
Phillipson says that there are more people has been pushing up salaries but will help businesses to not only mitigate considering a career, IT Security will
requirements for skilled individuals than this “cannot increase forever”. Indeed, it the risks today but also future-proof their continue to provide interesting and well
there are people available. “Qualifications has to tail off, but perhaps not just yet. organisations,” he says. compensated opportunities,” he says.
seem less important as, given the high “What we saw towards the end of Anstee says that qualifications are
demand, employers are having to be more 2016, was an increase in the amount of important as they let hiring organisations Increasing professionalisation
flexible, but real life experience in cyber-se- candidates being offered sponsorship. know whether a candidate should have the and new roles
curity remains a ‘must’ for blue chip Companies are going to start looking into right skills and background knowledge to While the debate continues over how
companies,” he adds. different ways to attract the talent they fulfil a role. important qualifications are to having a job
Given the high demand and apparent require,” she says. “However, practical experience and in the IT security industry, Anstee says that

6 7
SC • Buyer’s Guide 2017 • www.scmagazineuk.com SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Buyer’s Guide 2017 2017 Salary survey

SC’s Information Security Salary Survey 2017

All private sector All public sector Banking Health Retail Government Manufacturing
Security/Data Analyst
Junior 35000 25000 35000 35000 35000 25000 25000
Mid range 47000 35000 55000 47000 50000 35000 35000
Senior/large org 60000 50000 65000 60000 60000 50000 50000
CISO
Small org 90000 80000 250000 90000 90000 75000 75000
Medium org 110000 80000 110000 110000 85000 90000
Large org 180000 95000 500000 180000 180000 90000 125000
IT Security Manager
Small org 55000 40000 75000 55000 55000 40000 40000
Medium org 65000 50000 81000 65000 65000 47500 50000
Large org 75000 55000 85000 75000 75000 55000 60000
IT Security Officer
Small org 45000 35000 45000 45000 35000 35000 35000
Medium org 55000 40000 58000 55000 40000 40000 40000
Large org 65000 47000 70000 65000 50000 47000 50000
Penetration Tester
Junior 40000 42000
Mid range 57000 55000
Senior 67000 85000
Security Consultant
Junior 46300
Mid range 63900
Senior 83800
IT Security Architect
Junior 65600 57000 65000 65000 65000 65000
Mid range 80000 70000 85000 85000 73000 80000
Senior 100300 79000 110000 110000 80000 90000

*How the data was collated: The data in the chart has been compiled by interviewing various information security
recruitment agencies as well as deriving data from multiple job websites (including SC Jobs).

8 9
SC • Buyer’s Guide 2017 • www.scmagazineuk.com SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Buyer’s Guide 2017
qualifications aren’t the be all and end all
– “experience is still a bigger driving factor
in salary expectation.”
Jobling thinks we are still at the
beginning of an increasing professional-
isation of the industry
affecting wage demands.
“Companies are making
cyber-security a priority
and those companies that
have established teams, are
seeing value. As a result,
they are looking for better
qualified individuals with
a proven track record.
These people are being
paid a premium. So, it is
not an obvious correlation,
but related to how
security is evolving within
organisations as well,” she Beecher Madden
says.
Jobling adds that over the last few years
new specialism have appeared such as
mobile and cloud security due to technolo-
gy evolving. “The same is true for security
within the IoT. Roles such as cyber-aware-
ness didn’t really exist then either. It is a
result of companies taking cyber-security
seriously and understanding the need to
educate their business.”
Continued career success
Staying up to date and having a specialism
is key if you want to have continued
career success in IT security, according
to Jobling. She says that companies might
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
want an IAM specialist and becoming an
expert in one area will see you progress
and earn more money. “However, if your
long-term goal is to become a CISO
or director, then variety is going to be
important as you need
to demonstrate your
business acumen as well as
technical understanding.”
Anstee says that infosec
professionals need to be
able to understand the
risks that their organisation
faces as well as applying
people, process and
technology to keep those
risks at an acceptable level
without putting (business)
barriers in place.
Karla Jobling, “One key skill is the
director,
ability to absorb technical
information and make it
relevant to non-technical personnel, so
that they understand the value of a control
and don’t simply see it as a barrier,” he
says.
Brexit and Infosec
A report by resourcing company BPS World
has warned that one of the main challenges
facing employers in the UK in 2017 will be
the impact of Brexit on the ability to attract
talent, particularly in the high-value digital,
technical and engineering industries where
recruiters are already struggling with severe
skills shortages.
Simon Conington, founder of BPS World
10
2017 Salary survey
says that 2017 is going to be a pivotal year started. “2016 was a challenging year for
for the UK economy as it appears to head IT recruitment in finance. I am sure Brexit
out of the EU door. played a part in this but we saw no effect
“The decisions the government makes on demand for IT security professionals,”
now on the implementation of Brexit will he adds.
affect our ability to attract the talent we
need to grow,” he says. Final package
“The impact will be felt immediately The job market for infosec professionals
as talent will not come to the UK if they still looks very good, which means that
know they will have to salaries and career
leave within two years. mobility will also be
We urge the government good. The IT security
to continue to ensure professional can almost
we have access to skilled name their price in the
people, particularly current market. For
in sectors where we’re employers, the right
already struggling to find incentives have to be in
the talent we need.” place to attract the top
While there have been talent; it’s a seller’s market
concerns that Brexit could out there so professionals
put a stopper on hiring should ensure they have
and salaries, Jobling the skills and knowledge
says that the proposed in order to get the most
departure from the EU Glyn Phillipson, lucrative opportunities.
has so far only resulted in head of cyber-security and payments Salaries are also being
technology, Nicoll Curtin
a short pause on hiring in increased by new fields
some organisations. such as cloud, mobile and IoT security,
“Once the result came in but demand meaning infosec professionals have the
is as strong as ever. Candidates relocating chance to spread their wings and earn more.
to the UK have been a little more hesitant In the end though, money isn’t
but are still considering the UK as a place everything if you don’t like your job.
to work. Of course, this could change There comes a point where money
in the next 12 months as we learn more becomes less important and being happy
about what Brexit really means,” she says. doing what you love pays in different
Phillipson says that it is too soon to say if ways. Not everyone wants to be a CISO.
Brexit is having, or will have an effect, on Luckily, there are plenty of roles out there
infosec salaries as the process simply hasn’t to suit all infosec professionals.
11
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Buyer’s Guide 2017

NSA leaker Edward Snowden and is bound campaigner on both issues. In his role as
SC’s Top Ten

Influencers
to have many ripple effects well into 2017 vice-chair of the European Parliament
and beyond. Committee for Civil Liberties, Albrecht
brought forward the case to crack down on
Brian Krebs, internet giants such as WhatsApp, Skype
security blogger, KrebsonSecurity.com
and other online messaging services safe-

I
t could be argued that security blogger guarding for not taking users’ privacy with

2016
Brian Krebs is responsible for alerting the
information security industry about the
Mirai botnet. While Europol takedown
DD4BC, a gang offering DDoS-as-a-service,
Krebs blogged about another
such gang from Israel, vDOS
which got caught because of
Any list of the most influential people in cyber-security is going to be a silly security vulnerability
disagreed with by most - because, in this industry some of the best work in its website which revealed
going on will - for operational security reasons - remain unsung. So, with Brian Krebs their identities. In retaliation,
apologies to the unknown heroes, here’s SC Media UK’s list of the ‘most gangs blasted Krebs’ website
influential’ people in cyber-security 2016, chosen for the impact that they with a record-busting 620Gbps attack.
have had on the information security industry Akamai which was protecting Krebs at the
enough seriousness. The move followed the
news that Facebook was to share user data
between Whatsapp and Facebook in order
to better target advertising at users. The Eu-
ropean Commission plans to publish a draft
law on data privacy that aims to ensure
instant message and internet-voice-call
services face similar security and privacy
rules to those governing SMS text messages,
mobile calls and landline calls.
Troy Hunt,
web operator, haveibeenpwned.com

P
time, dropped the blogger due to “finan- assword-sleuth Troy Hunt, who op-
cial reasons”, which prompted a further, erates the website haveibeenpwned.
Ian Levy, Theresa May, even larger, 1.1Tbps attack on French web com (and blogs at troyhunt.com), has
technical director, UK Prime Minister
hosting company OVH. As it transpired, had yet another busy year of notifying

2016
National Cyber Security Centre
will forever be re- the same botnet was responsible for both people to the effects of data breaches and

I
an Levy, the new National Cyber Secu-
rity Centre’s technical director, grabbed
many headlines in 2016, as the govern-
ment and its new cyber-command centre
in the centre of London was established
to become the new public facing body for
tackling cyber-security issues. It has set the
tone for how we speak about data breaches,
educate the public and businesses about
the many cyber-threats they now face and
membered as the year
where Theresa May,
the UK’s Prime Minister, went about imple-
menting the Investigatory Powers Bill which
she had been responsible for introducing as
Home Secretary. The bill is widely known as
the ‘Snoopers’ Charter’ as it legitimises some
existing data gathering practices previously
declared illegal and heraldis in new spying
powers which many view as invasive; it has
attacks. A mere week or so later, the same
still unnamed botnet attacked Dyn, a DNS
provider which supplies services to some
of the major websites on the internet such
as Spotify and Reddit. Causing mass-hyste-
ria, user ‘Anna-Senpai’ released the source
code to the Mirai botnet on HackForums.
Jan Philipp Albrecht,
German Green MEP
getting the message out that
password-reuse, a cause of
many mishaps online, is still
very much a serious issue.
Hunt deserves praise as his
Troy Hunt aim isn’t simply to compile
a long list of passwords,
but with every breach he blogs about,
affecting the likes of companies like the
Red Cross, Michael Page, PayAsUGym,

how to go about solving them. Levy has set
about cutting the FUD that surrounds the
industry and getting down to the business
of boosting cyber-protection.
been criticised by many for requirements
such as encryption backdoors. It has been
described as “the most invasive surveillance
law introduced by a western democracy” by
T
he issue of data protection and
privacy took many headlines in 2016,
and Jan Philipp Albrecht, German
Green MEP has remained a prominent
Dropbox, Bluesnap and others,he looks
to educate about the need for improved
behaviour from both businesses and
users themselves. Hunt is a consultant

12 13
SC • Buyer’s Guide 2017 • www.scmagazineuk.com SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Buyer’s Guide 2017
who advocates a “get the basics right” to
businesses who are looking to protect their
users’ data.
Johannes Ullrich,
dean of research, SANS Technology Institute
H
ighlighting the scale of problem
of unprotected Internet of Things
devices in 2016, SANS dean
of research Johannes Ullrich showed
that exploits TR-064 and TR-069 were
almost certainly the cause of an outage
that hit Deutsche Telekom customers. It
was discovered that the
routers were used as part
of a botnet. In a Facebook
update, officials with the
German ISP said 900,000
Johannes customers are vulnerable
Ullrich to the attacks until they
are rebooted and installed
an emergency patch. The Shodan search
engine shows that 41 million devices leave
port 7547 open, while about five million
expose TR-064 services to the outside
world.
Raj Samani,
EMEA CTO, Intel Security
A
s the threat of ransomware
continues to rise, Raj Samani,
EMEA CTO of Intel Security, has
played an important role in what seems to
be leading a crusade to defeating it. 2016
saw the launch of NoMoreRansom.org,
a non-profit collaboration between Intel
Security, Kaspersky Lab, Europol and the
14
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Dutch National Police who are cracking
variants of the malware, and releasing
ransomware decryption tools on its
website. The website has had its fair share
of successes, with over 6,000 being saved
from having to pay the ransom to the
criminals. As a result, even
more decryption tools have
been added to
nomoreransom.org, joining
the eight tools already
Raj Samani available free of charge to
victims. Both the private
sector and law enforcement are stepping
up efforts to fight the cyber-criminals who
are using ransomware to deprive their
victims of large amounts of money.
Max Schrems,
Austrian lawyer, author, privacy advocate
A
ustrian lawyer Max Schrems is
still fighting his case against social
media giant Facebook, and in
2016 the Irish Data Commissioner kicked
Max Schrems’ latest Facebook complaint
up to the Court of Justice of the EU.
The move followed the collapse of the
Safe Harbour agreement after a Court
of Justice of the EU ruling in favour of
Schrems in 2015 after the court had found
that data held in America would not be
held in the same level of data protection
as it would in Europe. Privacy Shield was
also found to be inadequate, and due to
a Germany-based lawsuit, it continues to
face its fair share of legal challenges and
critiques that could derail the trans-Atlan-
tic pact. The lawsuit filed by Digital Rights
Ireland (DRI), a digital rights nonprofit, is
challenging the efficacy of the protections
promised by Privacy Shield. It claims
that the agreement, which replaced the
longstanding Safe Harbour deal, is still
inadequate in protecting citizens’ data and
privacy. Earlier this year, Schrems said he
thinks the proposed solutions to safeguard
the privacy of European citizens have
R
evolved, and asserted that the culture of
privacy in Europe needs rebooting.
Rob Wainwright,
director, Europol
U
nder the leadership of Rob
Wainwright, director of Europol,
the law enforcement agency has had
a busy year. Earlier in the year, Wainwright
wrote an opinion piece
for SC which saw him
predict an upwards trend
in cyber-crime. He wrote,
“The relentless growth of
Rob illicit cyber-criminal markets
Wainwright remains a real and significant
threat to our collective
security in Europe.” Although arguably
a somewhat self-fullfilling prophecy, the
agency has taken down multiple gangs
such as DD4BC, the Avalanche crime
platform, been a founding member of the
nomoreransom.org initiative, signed several
MoUs, various ATM gangs operating
throughout Eastern Europe and they
even had time to work with the NCA and
FBI on the Silver Shadow exercise run
15
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Influencers
by the UK’s National Crime Agency and
involved law enforcement officials from
eight different countries including the US,
Georgia, Lithuania, Bulgaria and Ukraine.
Also taking part were representatives from
Europol’s Joint Cyber Action Taskforce
(J-CAT).
Stephanie Daman,
CEO, Cyber Security Challenge UK
ather than just talking about the
information security industry skills
shortage Stephanie Daman, CEO
of Cyber Security Challenge UK is at the
forefront of those trying to
rectify the problem. The
Cyber Security Challenge
hosted another final of
its Masterclass in early
November, and the winner,
Stephanie
Daman 18-year-old Ben Jackson
from Sussex, is also the
competition’s youngest entrant in its six
year runtime. The folks at Cyber Security
Challenge UK have also been involved
in an initiative dubbed Qufaro, which is
opening a new cyber-academy for Britain’s
brightest cyber-security talent at Bletch-
ley Park, the former site of the Enigma
code-cracking mission undertaken by
British security services. Alastair MacWil-
son, chair of Qufaro and the Institute of
Information Security Professionals said:
“Qufaro will make it easier for budding
professionals to grow their cyber-security
skills at every stage of their journey, and
contribute more to the sector.”
Buyer’s Guide 2017
SC
Media reviews more
products than we could
cover in this guide, so we
have focused on those we saw as the
leading innovators over the past year, with
the rest of the reviews available on
www.scmagazineuk.com. A couple of
our returnees have undergone name
changes or have been
acquired/merged with other
companies, so convergence is
alive and well, too. In spite of
that, innovation is certainly
alive and well this year.
One of the things that
we look for each year is
what drives innovation.
First, the consumers, under
a lot of pressure from the
adversary, are demanding more and
more features. Many of those features
are intended to speed up the security
process or automate much of it completely.
Vendors are responding with ever more
complex algorithms, machine learning and
competent management of Big Data.
The second driver are the vendors
themselves. Never in all of the years that
we’ve been reviewing computing and
security products have we seen such
contentious competition between vendors.
This was a year when a half of a star rating
could make the difference between losing
a sale to a competitor. Competition is a
good thing, though, and it certainly has
16
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
resulted in some powerful innovations. It
was a year when we asked our Innovators
what drives them and we heard that it was
the competition more than ever before.
So, what good is all of this to you, the
consumer? Among other things, it means
that you have some excellent choices
and they are not all from the big players.
A long-standing trend is that
our Innovators are more likely
to be small fry using stealthy
techniques to get the sale – and
data scientists, along with
their engineers, to develop the
product. A poster child for this
is a one-person company that is
in its second year on our list and
the innovations in the product
this year are many and excellent.
Not only that, but the product sells. To see
a creative developer who also runs a solid
business and is a crafty marketer is really
to see the heart and soul of innovation.
Our Innovators are selected for
their original technology, their creative
go-to-market strategies and their ingenious
ways of managing their organisations and
resources to the best advantage. We have
watched several of our Innovators over the
years go on to be acquired by one of the
bigger companies, but this year mergers of
approximate equals were more common.
As we look forward to economic growth,
we can see that our industry is poised to
help fuel that growth. -Peter Stephenson
Buyer’s Guide 2017
Skybox Security Suite - 1st June 2016
W S
e have watched these folks almost from
their inception and we always have been
impressed. Their mission is a rather
grand one: manage the security on the enterprise’s
entire threat surface. To do this, they break down
their tool’s functionality into vulnerability and threat
management. Within these broad categories there are
individual modules that work
together to accomplish the vari-
ous tasks required to protect the
attack surface. This is one of the
very few products that we have
seen that takes this comprehen-
sive approach. It is integrated
with nearly 100 third-party security tools and has its
own built-in vulnerability intelligence feed.
While Skybox, like many similar products, does not
do its own network discovery, the tool can consume
topology maps in a number of formats.
Skybox aggregates more than 20 threat and
vulnerability feeds. Additionally, you can identify
threat origins unique to your organisation.
We were impressed by its internal vulnerability
detection system. It is completely passive and uses the
Skybox vulnerability dictionary. The tool contains two
separate ticketing systems - one for change manage-
ment and one for vulnerability management.
Skybox collectors gather information from switches,
firewalls, routers and scanners. These data are fed to
the Skybox server where management consoles can
see and manipulate the data. The system is agentless
and it has APIs for integrating with third-party sys-
tems. It deploys as an appliance or a virtual appliance
on-premises.
When we looked at Skybox, we dropped into a
network topology map that was well-annotated and
18
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
based largely on data flows.
We view the ability to do attack simulation as one
of the significant indicators of a next-generation tool.
Just because an asset is exhibiting vulnerabilities does
not mean that it deserves immediate attention. It may
be a low priority asset where a high priority asset
needs attention now. This form of triaging is critical to
seeing where your risks actually
lie.
You can perform firewall
assurance using the Skybox
configuration analysis or you can
add in your checks using simple
regex commands. The tool helps
you perform cleanup on rule sets, in many cases elim-
inating redundant rules. Workflows are the heart of
any of the types of tools that we looked at this month.
Without a good workflow management capability,
changes don’t get made and problems don’t get iden-
tified. Skybox has an excellent change management
workflow. The ability to see the network topology and
understand how it is supposed to be working, lets
Skybox identify a compromised asset and then pivot
off of it to see likely paths that the intruder could have
taken. Finally, the Horizon dashboard - an add-in that
is provided at no extra cost - shows indicators of expo-
sure on a cool dashboard that quickly calls attention to
any problems that Horizon sees.
Vendor Skybox Security
Flagship product Skybox Security Suite
Price Base price £7,500
Web skyboxsecurity.com
Description This tool manages the security on the
enterprise’s entire threat surface.
Skybox Security Suite - 1st Nov 2016
kybox Security Suite is many things besides vulner-
ability management and, perhaps, that is a major
strength. Many of the modules interact in such a
manner that the overall management of vulnerabilities -
particularly analytics - is enhanced significantly. However,
we were a bit disappointed with our evaluation. Every-
thing that we were presented was
pre-done. It was a lot like walking
through slideware.
There is a lot to like about this
product. It is extremely feature-rich.
However, that comes at a price.
Configuration and management
are not easy. It takes time and
a good understanding of one’s environment and the
Skybox infrastructure to get the most out of the tool.
Vulnerability control is one of several aspects, including
ChangeManager, FirewallAssurance, NetworkAssurance
and ThreatManager. All of these work together to give
a broad picture of the state of the enterprise from a risk
perspective. VulnerabilityControl and ThreatManager
are part of the vulnerabilities and threats part of the
platform, while the rest are classed as the security policy
management piece.
The vulnerability management functionality uses
passive scanning. In other words, quoting from the user
guide, it uses “scanless deduction of vulnerabilities and
attack simulation.” The jury is still out somewhat on the
effectiveness of passive vulnerability assessment. There
certainly are advantages in terms of disruptiveness,
safety (since certain kinds of attacks that would bring
the system down never need be used) and the ability to
scan 24/7, but, as well, there are questions about missing
vulnerabilities.
We ran the Skybox installer in our VMware environ-
ment with no trouble at all. When we were set up and
19
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Product Spotlight
launched we had the ability to launch the demo model,
which we proceeded to do. Going through the model
it was plain that we were using a very powerful system.
However, there was a lot about it that we could not test.
For example, the specification shows that the tool sup-
ports a huge number of third-party products, but we had
no way to test that.
The dashboard is what one
would expect and it has a lot of op-
tions. Everything is under four main
tabs: summary (the landing page),
discovery centre, analysis centre
and remediation centre. The dis-
covery centre is the starting point.
Everything in the enterprise should be discovered and
displayed here. The analytics centre shows details and
metrics about vulnerabilities and exposures with good
graphics and drill downs while the remediation centre
helps admins track remediation against SLAs.
This appears to be a powerful set of capabilities and it
certainly is priced right given its feature set. The website
is very good with the resources one would expect. One
interesting piece is its end of life policy. This is something
most vendors ignore - until users receive an email that
says their version is being fazed out so they’d better buy
the latest. There are several levels of support from basic
no cost to full premium support (at a cost, of course) and
professional services.
Vendor Skybox Security
Flagship product Security Suite
Price £7,878
Web skyboxsecurity.com
Description Very good functionality with solid control
over its functions.
Buyer’s Guide 2017
Analysis and testing
T T
his is – or can be – a very broad category.
This year we looked the landscape over
pretty closely and we saw a lot of the same
things we’ve seen in previous years. Most vulner-
ability assessment (VA) and penetration testing
tools look pretty much like they did for the past
few years. And, while they certainly are effective,
they showed no particular innovation.
Then we moved on to forensic tools, a peren-
“Analysis and testing can,
as you see, take a lot of
different forms”
nial favourite of ours. Same story there. Nothing
jumped out at us until we dug a bit deeper and
came up with our Innovator for this year. Going
back to the vulnerability assessment, we looked
at some point solutions to single problems.
How about web VA?
Vulnerability assessment and penetration of
websites is not particularly unheard of so we
didn’t expect much until we remembered that
we had tested a unique combination of cloud-
20
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
based vulnerability assessment and human
pen testing. We were quite pleased with the
outcome of that test so we brought them in
this year – innovative because of the way they
approach the problem more than what they do
(although that’s pretty cool as well).
Analysis and testing can, as you see, take a lot
of different forms. There are a lot of tools that
do the routine tests and some do those tests on
steroids – Metasploit and Core
Security come to mind in the area
of pen testing for example – but
we look for original thinking not
just mass appeal. That brought
us to the two products we review
this year.
Another issue we came up with
was the notion of innovation, not just in the
products, but in the company and the go-to-
market strategy. If you are a new and/or small
company, you are fighting the big dogs and you
need to be crafty. In the case of the products we
selected, that part of the innovation picture was
a real deal-maker for us. These two companies
certainly are crafty in getting their products in
front of potential customers. So, with all of that
in mind, let’s dive into testing and analysis.
SiQuest
his really is a Swiss Army knife of cyber-forensic
tools. It is designed from the ground up to per-
form a complete digital forensic investigation. It
looks at the computer, mobile devic-
es, the internet, social media sites,
the works. Not only is IXTK (Inter-
net Examiner Toolkit) complete as
any we’ve seen, the company takes
the position that new forensic exam-
iners might not be fully comfortable
with a new tool beyond the tool set
on which they learned.
One thing we found surprising
is that this Innovator, in order to
provide up-and-coming forensic practitioners with new
skills, has an Academic Training Partner programme
and software licencing at no additional cost. A single
one-time hardware cost is the only requirement (e.g.,
dongle) for classroom and individual instructor licenc-
ing. The minimal cost includes certification, which
students can take with them into the workplace at no
additional cost. This will help SiQuest develop a base
of practitioners who are trained and certified on the
tool kit.
When we looked at the updates to IXTK over the
past year we found them remarkable for several reasons.
First, there are a lot of them. Given that this is a very
small company with limited resources, we found that the
productivity of the development team exceeds produc-
tivity that we’ve seen in far larger companies. The sec-
ond thing that was a pleasant surprise was the nature of
21
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
the updates. One does not expect to see, all on the same
tool kit, such things as downloading of YouTube videos,
Cisco Web Classifications standard for categorisation of
URLs, access to Google Map, along
with parsing of latitude and longitude.
Another interesting function is
its ability to build a dictionary of
internet search terms derived from
recovered cache and history files. Of
course, we see the usual functions
that one would expect, such as pars-
ing of Kik Messenger. But we also
found that this Innovator has added
user-defined proxy server settings
configuration for IXTK’s built-in Chromium browser
(to hide your IP address) for covert online investi-
gations. That’s a really nice feature for doing online
investigations. Overall, we were pleased at how this
product has progressed and amazed that, for its size,
SiQuest has been surprisingly effective in its go-to-
market strategy.
Vendor SiQuest
Flagship product IXTK (Internet Examiner Toolkit)
Price £1,175
Web siquest.com
Innovation Building a forensic tool set that covers all
aspects of an internet-based investigation all in a single,
well-constructed and presented toolkit.
Greatest strength Breadth of coverage for an inter-
net-based investigation.
Buyer’s Guide 2017
HighTech Bridge
T I
o our mind, this company epitomises what
we mean by an ideal mix of next-generation
techniques and the use of the human brain.
On its website HightTech Bridge says its ImmuniWeb
“combines the power of Machine Learning and the
genius of human brain” That, in
our view, is what computing is
all about. Let the computer do
what it does well and the human
do what it does well. Immu-
niWeb performs vulnerability
assessment with or without the
aid of the customer and then
hands its results off to analysts at
HighTech Bridge.
From the business perspective, HighTech Bridge
is equally innovative. This Innovator’s approach is to
provide access to their machine learning portal 24/7.
Their delivery method is unique – unlimited customer
access. On the technical side, they apply machine
learning and neural networks.
This allows them to provide penetration testing
but with far less human interaction than is needed for
typical complete pen tests. They can employ human
pen testing techniques in part by machine learning. Of
course, humans need to be involved due to business
and legal requirements and the complexity of security
testing. That means the machine does the grunt work
while the human, with the help of the next-generation
computing power, does the thinking.
Staying current always has struck us as a challenge
in penetration testing and vulnerability assessment.
However, this Innovator takes the approach that there
22
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
is nothing really new. There may be a few new vectors,
but basic attack families change more slowly.
They try to make comprehensive collections of
possible scenarios. This really is not particularly hard
because of relatively static state of attack types or fami-
lies. But the problem that is more
likely is new vulnerabilities intro-
duced by developers/customers as
they update their web apps.
This Innovator tries to share
knowledge with specialised
groups and talk to partners and
customers to gain as much threat
intelligence as possible. That
kind of sharing, of course, is
most useful because not everyone knows everything
as we all realise. We interacted with this vendor on
a live production test and the results were excellent.
But they were nothing like we expected or had experi-
enced before. That’s innovation in this business.
Vendor High-Tech Bridge
Flagship product ImmuniWeb
Price £392 per assessment (on-demand packages);
£785 per month (24/7 continuous packages).
Web htbridge.com/immuniweb
Innovation Hybrid automated and manual web
vulnerability assessment and penetration testing using
next-generation computing techniques.
Greatest strength Speed and ease with which they
conduct their testing coupled with accuracy and superior
support.
Intel 471
ntel 471 is an actor-centric cyberthreat intelligence
collection capability, headquartered in the USA.
They are focused on closed source intelligence
collection of financially motivated cyber-criminals
and hacktivists. They have teams across the globe
who are on the ground in
Eastern Europe, Asia and
Latin America. Although
some companies offer raw
indicators or feeds as threat
intelligence (“bits and
bytes”), in order to shine
a light on the adversary’s
business process Intel 471
focuses on the individual threat actors and groups that
pose a threat to the target organisation and sector.
Intel 471 provides proactive visibility into threat actors
and their TTPs (tactics, techniques and procedures),
planning, marketplaces and communication networks.
The tool is delivered through an online portal that
provides information reports, full text searching, alert-
ing, monitoring actors across forums/marketplaces
and social network analysis. The format is one consis-
tent with and familiar to intelligence professionals.
There also is an API that allows automated queries
by alias/handle, IP address, email address, etc., that
can be fed to third -party threat intelligence platform
integrations, including Maltego.
The top use case for Intel 471’s intelligence col-
lection is supporting threat intelligence teams with
intelligence collection and data in order to support the
creation of timely and relevant finished intelligence
products for your organisation.
The Intel 471 platform is solid. The idea is to make
the platform the de facto tool for actor-centric threat
intelligence. Over the past year this Innovator has add-
23
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
ed alerting, grouping and increased searchability. This
gives users a window into the network underground
without needing to go into the dark web themselves.
Going forward and ever innovating, the company
is adding mass human translations from Russian. One
can’t rely on machine trans-
lation because of slang.
Clients can make specific
requests, but then the
translation is retained so it’s
search once and distribute
many. The translation team
will begin tagging content
and putting into groups.
Expanding tagging goes beyond just reports.
One creative innovation is that Intel 471 is an intel-
ligence company by intelligence people and that drives
how they hire. They are beginning to do integration
with other companies/platforms, etc. One of their se-
crets of success is overcoming barriers to entry. They see
that as a differentiator. They have an intelligence-driven
model. Essentially, this Innovator has taken a govern-
ment-style intel operation and made it commercial.
Vendor Silobreaker
Flagship product Intel 471
Price Contact company.
Web intel471.com
Innovation Actor-centric cyber-intelligence gathering
and reporting in the same way that a government intel-
ligence service would using live intelligence researchers
and analysts in the field.
Greatest strength Ease and speed of access to cyber
underground actor-centric data that we would have
trouble getting anywhere else.
Buyer’s Guide 2017
Cyber-threat analysis
and intelligence
C
yber-threat analysis and intelligence
has become a staple of next-generation
security tools. However, as a group by
itself it contains some of our most noteworthy
Innovators. In fact, it is not uncommon for these
tools to provide the threat feeds that
drive tools that incorporate threat intel-
ligence in their products. Over the past
two or three years as these tools have
“...its value comes
from its content”
evolved we find that they are coalescing
into a couple of types.
First, there are what we call the bits
and bytes tools. These pass digital data in a
more or less structured format. An example of
these tools would be products that analyse mal-
ware using next-generation techniques and then
pass those data to other tools to be incorporated
into their analysis along with other threat feeds.
The second type usually is more unstructured
in its data types. In reality, it is usually a mix with
both structured and unstructured data. Howev-
er, its value comes from its content, which almost
always is predominantly unstructured. These
data come from a variety of sources that fit into
two major categories: open and closed source.
Two of our Innovators in this section include one
of each – open and closed source.
24
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
The methods for collecting data range from
screen scraping – the main source for open
source – and human intelligence – humint –
which requires boots on the ground in the un-
derground forums. This is the main source for
closed source data. As one of our Innovators ex-
plained, for open source it’s all about the data,
but for closed source it’s all about the access.
The bits and bytes folks pretty much all have
APIs that allow connection directly into their
analysis engines. One of the more popular uses
for this is Maltego, an internet link analyser
that is free for the community edition and com-
mercial for corporate use. These APIs allow
Maltego to incorporate the source’s data in its
analysis. Interestingly, there also are APIs for
the two free-form tools, which we assessed this
year. And, not surprisingly, they both can feed
Maltego – among many other analysis tools.
Silobreaker
S
ilobreaker is an open source intelligence service
that helps security and intelligence professionals
derive context from the overwhelming amount of
data on the web. By providing powerful tools and visu-
alisations that analyse data from hundreds of thousands
of open sources, Silobreaker
enables monitoring and inves-
tigating threats, compromises,
actors, instabilities, geopolitical
developments or any other topic,
incident or event. Analysts save
time by working more efficiently
through large data-sets and im-
prove their expertise, knowledge and decision-making
by examining and interpreting the data more easily.
We have been using Silobreaker in SC Labs for
some time and the biggest benefit we see is context.
We are able to spin up – in about five minutes – a
dashboard that can perform, on an ongoing basis,
searches at many levels of depth. In addition, the actu-
al content returned by the searches is good, but not as
good as the tool’s visualisation capabilities. There are a
number ways that one can visualise the collected data.
So, in addition to developing a sense of context from
the raw data, there are several ways to visualise the
relationships between actors, organisations and events
called out in the raw data scraped from news sources,
social media, reports and other sources.
For example, if we looked for information on the
2016 election we would get all of the stories, tweets,
Facebook postings and analysis and we also would get
the relationships of all of the people involved in the
election – to the election itself and to each other. We
25
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
could view them as a network of interconnected links,
a heat list that shows what is trending at the moment
on the internet, or any of several other formats. If we
use Maltego (which we do), we can apply the Silo-
breaker API and add the power of that link analyser
and all of the other tools for
which it accepts APIs.
Recently, this Innovator
added such new topics as ac-
tors, malware, email domain
vulnerability and expanded
social media sites. They also
have added Pastebin expanded
import. However, they also have refined their filters
here because Pastebin is very big and has pastes of all
kinds. Now analysts can download data in CSV format
for additional processing. In addition to its current
languages, Silobreaker has added Italian and users can
get the assistance of a Silobreaker analyst provided by
the Response service – sort of, as their website puts it,
“an analyst for hire” when you need some additional
expert help.
Vendor Intel 471
Flagship product Silobreaker Online
Price From £29,500 per year.
Web silobreaker.com
Innovation Generally available open source intelligence
services with easy access by analysts.
Greatest strength Huge knowledgebase of actors,
events, hacking groups, web locations being scanned and
collected constantly.
Buyer’s Guide 2017
Uplevel Security
U A
plevel Security is a two-year-old company.
There is plenty of noise in the market so
they take a creative approach. When they
looked at threat intelligence from a strategic level they
kept coming back to response. When you take a data
scientist and an IT expert
and tell them to go start a
threat intelligence company
you end up with proactive
analysis using graph theory
and machine learning. The
next task was to infuse
threat intelligence into every phase of investigation and
response, especially response. So they built on top some
basic elements they saw as missing.
That started with a case management system. It is
structured so the data became available going forward.
Threat intelligence is housed within the same system
as the response system so as to have threat intelligence
management. From the start Uplevel was able to
automate some repetitive processes using workflow
orchestration. This allows users to identify malicious
activity. Then they built an analytical engine on top of
the case management system. The analytical engine
builds a graph that represents all historical informa-
tion and provides a context between the elements.
Alerts are transformed into a mini-graph and merged
into the overall graph to see historical associations.
This allows the fusing of an organisation’s event data
with the threat intelligence. That lets users run alerts
over current activity and over historical data.
Uplevel has focused on the technology so as not
to be a “me-too” vendor in this market space. They
know of no organisation that really is happy with
26
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
their ticketing system, so, clearly case management is
very important to customers and that became its core
building block. Case management is difficult when
the analysis becomes complicated, especially when
it involves multiple analysts. It is more important,
however, when performing
incident response.
The Incident Response
Platform enables enterprise
security teams to improve
operational efficiency and
respond to cyber-attacks
faster and more accurately by automating critical
response processes. Uplevel focuses on how security
teams actually operate and provides automation where
it is needed most – the ingestion and dissection of
threat intelligence and attack data, the surfacing of
relationships across attacks, the handling of estab-
lished workflows and the identification of repetitive
workflows for suggested automation.
Both cloud and on-premises (AMI, VM) deploy-
ment options are available.
Vendor Uplevel Security
Flagship product Uplevel
Price Price starts at £15,700/month.
Web uplevelsecurity.com
Innovation Building from a core case management
system out through the analytics to the incident response
capability.
Greatest strength End-to-end case management
along with a really unique analytics engine using graph
theory.
Industry Innovators
Data Protection
t the risk of sounding like a stuck record, for some additional horsepower. Often, that
it’s all about the data. Job one of the comes in the form of heuristics. Heuristics learn
security stack at any enterprise, whether so the families become the focus at some point,
hardware- or software-defined, is to protect the rather than the million-plus individual kinds of
data. A big piece of that happens at the endpoint. malware.
This can take a couple of forms: traditional – or In our view, in order to stay ahead of the
traditional-like – endpoint protection and an- adversary, even heuristics is not sufficient.
ti-malware protection. Some form of advanced machine learning and
Traditional endpoint protection is a sort of su- advanced detection algorithms are the order
perset of anti-malware. All attacks don’t involve of the day. Both of our Innovators in this space
malware. There are varying estimates of what take advantage of next-generation techniques
percentage of attacks are malware-based and such as these.
which are not. However, regardless
of the method of ingress, it is likely
that malware will, at some point,
“...all endpoint
play a role in a major data breach. protection products
And there are issues – such as those
related exclusively to malware, such need to address malware
as ransomware – and those that
may or may not use malware as the
in some form or other”
delivery mechanism, such as denial
of service. One of our Innovators is focused on malware.
So, the bottom line is that all endpoint pro- However, recognising the roles that other forms
tection products need to address malware in of attack play in the threatscape these folks are
some form or other. We are of the opinion that beginning to apply their sophistication to iden-
signature-based anti-malware is nearly useless tifying and interdicting those types of attacks.
by itself. First, there are so many strains of mal- Our other Innovator is so sure of itself that it
ware – families – that building signatures for offers a form of insurance against certain kinds
all of them is nearly impossible. Even if it were of malware infestations that they don’t, for some
possible, it is a daunting job for such a product reason, catch.
to scan an enterprise efficiently. So, that argues
27
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Buyer’s Guide 2017
SentinelOne
S T
entinalOne unifies prevention, detection
and response in a single platform driven by
machine learning and intelligent automation.
SentinelOne EPP (Endpoint Protection Platform) is
intended to prevent attacks and detect
malicious behaviour across multiple
vectors; rapidly eliminate threats with
automated, policy-driven response
capabilities; and adapt their defences
against cyber-attacks.
This was SentinalOne’s second ap-
pearance in our Innovators issue. Over
the past year, the company showed its
ingenuity by adding new features to protect the end-
point from the management side, as well as platforms
supported, and added Linux to its agents. The tool sits
out of band on the server so there is almost no perfor-
mance impact. Also, over the past year, SentinalOne
became HIPAA and PCI-DSS certified. Finally, the
company added new features that allow administrators
to group endpoints for applying policies resulting in
an improvement in scalability.
Often – usually, in fact – our Innovators don’t
restrict their innovation to their technology. We also
see creativity in go-to-market and business strategies.
One of the things that this Innovator has done in that
regard we found extremely creative: the company now
offers a cyber-security guarantee that largely targets
ransomware. SentinalOne claims to be particularly
good at protecting against ransomware.
The company believes nobody offers financial
backing for what they sell. “If your product is as good
as you say,” this Innovator points out, “guarantee
28
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
it.” In that spirit, the company offers up to £788 per
endpoint to £788,000 per organisation for the cost of
remediation of a successful ransomware attack. We
found this offer extraordinary, if, perhaps, a bit risky.
What makes this claim less risky?
Clearly the company is comfortable
with its technology. That comfort,
they told us, comes from heavy use
of machine learning and no reliance
on signatures. To that end, they’ve
made big advancements in their be-
havioural-based engine. The system
consists of two layers: static and
then behavioural. Both layers are based on machine
learning. The tool is very focused on preventing false
positives. There are over 12,000 malicious malware
indicators in its knowledge base.
Over the past couple of years, SentinalOne has
focused on the management interface and supporting
significant scalability.
Vendor SentinelOne
Flagship product SentinelOne EPP (Endpoint Protec-
tion Platform)
Price £51/endpoint device (one-year licence).
Web sentinelone.com
Innovation While it is clear that the technology is
innovative, one cannot help but admire the company’s
guarantee of effectiveness against ransomware.
Greatest strength A creative go-to-market strategy
that is complementary to and every bit as good as the
technology.
Cylance
his is one of our perennial favorites and an SC
Lab Approved tool. It also is the pure-play
anti-malware product that isn’t. Because most
of what the product does is malware-centric on the
endpoint, the appearance is that of an anti-malware
product. Not taking into account the direction the
tools has been moving, that could not
be further from the truth.
For example, Cylance was the first
company to apply artificial intelligence,
algorithmic science and machine learn-
ing to cyber-security and improved
the way companies, governments and
end-users proactively solve the world’s most difficult
security problems. Using a predictive analysis process,
Cylance quickly and accurately identifies what is safe
and what is a threat, not just what is in a blacklist or
whitelist. By coupling sophisticated math and machine
learning with a unique understanding of a hacker’s men-
tality, Cylance provides the technology and services to be
truly predictive and preventive against advanced threats.
They now are able to include their data science in
the tool in such a way as to allow detection and inter-
diction of non-malware-based threats, such as manual
or machine hacking. In testing, we had inadvertently
downloaded a new ransomware to a lab computer.
Before we could click on it to get rid of it, we noticed
that it no longer was on the desktop. One look in the
CylancePROTECT quarantine showed us what had
29
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
happened. It was in there. Cylance identified and
quarantined it. Not really a big deal unless you take
into account that the compile date on the ransomware
was only two days prior.
Cylance has spent a significant portion of the last
year thinking about what visibility means. Nobody
stops all threats, so what options do
they have. First thrust is make it so you
don’t have to investigate everything.
The second is, what do you need to
know? That’s not just malware. So,
they are building a technology platform
called Optics. This allows pre- and
post-event info. It acts like a flight data recorder that
collects interesting information. This helps understand
the scope of the threat and where their scope of con-
trol needs adjustment. It maintains a record of what
actually happened so you can go back in a forensically
interesting depth to find out what happened.
Vendor Cylance
Flagship product CylancePROTECT
Price Call for pricing. One- and three-year subscriptions
available per endpoint.
Web cylance.com
Innovation Artificial intelligence for malware analysis.
Greatest strength Its predictive nature that does not
require any explicit knowledge of a particular threat.
Buyer’s Guide 2017
Next-generation security
monitoring and analytics
T
his is a fairly large section, in part because
this is the core emerging marketplace in
data protection currently – and for the
foreseeable future. The Innovators who have
cleared the pathway toward using sophisticated
data analytics, machine learning and Big Data
are the ones who will define the genre and what
it really means to be “next-generation.” Unfor-
tunately, that is
a term fraught
with hype
“To watch and use these
to the point
where, like
tools is to see the future
unfolding on your screen”
“Big Data” it
is in danger of
losing its meaning almost before there was a
chance to establish it.
Here we are very specific about what we
mean by these terms. Next-generation must
have some form of advanced algorithmic anal-
ysis and machine learning and must be able
to work in the context of Big Data. Big Data
we define strictly to include IBM’s four Vs:
Velocity, Variety, Volume and Veracity. Each of
the Innovators we look at this year do, in fact,
fit our description. Unfortunately, we are not
quite “there” yet globally with next-generation
and we may, perhaps, be forgiven if a tool that
we class as next-gen has taken only baby steps
along the road to maturity.
30
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
We have five Innovators in this category this
year and they are different in many ways and
alike in many. While some may consider them-
selves competitors, we can say with confidence
that, cost not being an object (these tools can
get a bit pricey), we could justify one of each in
our lab or SOC.
One of our Innovators performs threat hunt-
ing on the wire
(dynamic), one
on the plat-
form (static),
and two are
analytic activity
monitors on
steroids that watch everything in the range of
their sensors then analyse and display/alert. The
displays of these two are dramatically different
and they each have individual strengths. In
many ways, they overlap, but in many ways they
augment each other. Finally, we have one that is,
for us, anyway, at the top rung of the “emerging
technology” ladder in that it out-honeypots any
honeypot we have ever seen.
All things said, we think that this may be the
most exciting assembling of Innovators for this
year. To watch and use these tools is to see the
future unfolding on your screen. You will see –
with all of these products – things going on in
your enterprise of which you never dreamed.
Acuity Solutions
A
cuity Solutions is the creator of BluVector,
a real time, network-based, cyber hunting
platform. Based on government sponsored
research recently made available to the commercial
market, it is purpose built to empower the cyber
hunter and is particularly adept at identifying ze-
ro-day threats by quickly deploying
constant analytics at large scale.
Because BluVector uses dynamic
– on the wire – analysis, we asked
why the data stream was better than
static analysis on devices. It turns
out that there are two problems
that need solving: how to advance
the organisation’s approach to advanced threats and
how to radically simplify the organisation’s approach.
Being on the network allows the organisation to be
proactive. It also takes into account investments that
the organisation has made already. The result is that
they are enabled to be more proactive than they have
been before. The objective of BluVector is to be pro-
active rather than retrospective.
Cyber hunting takes place on many different per-
spectives through the enterprise. Acuity believes that
you have to look at everything within the enterprise.
But looking at the datastream has some tactical
advantages. So, they created a network hunting plat-
form. This Innovator’s perspective is that packets
don’t lie. BluVector needs to provide an objective
31
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
observation point and the datastream is the most
objective source. That means that BluVector is not
impacted by the malware author’s “tricks” for obfus-
cation.
Their traction in the market is a result of reaching
profitability very quickly: Acuity is only a year old.
They believe that this rapid growth
proves the value of the technology.
Their goal is not to compete with
existing infrastructure, but to add
value to what is there already. That
means integrating in such a way
that 1+1=3, enabling customers to
orchestrate what they have already
to be effective. BluVector integrates with several
third-party tools, such as threat intelligence, sandbox
and SIEM. BluVector intends to change the cyber
defender’s workflow. That, then, will provide a highly
competent starting point for hunting.
Vendor Acuity Solutions
Flagship product BluVector
Price Starts at £148,800 for a 1Gbps 2U hardware
appliance with a one-year subscription.
Web bluvectorcyber.com
Innovation Dedicated threat hunting on the wire.
Greatest strength Creativity and understanding how
threats enter and impact the enterprise.
Buyer’s Guide 2017
Illusive Networks
W P
hen is a honeypot not a honeypot? The
answer to that – when it’s the entire en-
terprise – is the key to this Innovator’s
success. In the last couple of years, we have begun to
make a distinction between honeypot/honeynets and
deception networks. Unlike a honeypot – just a set of
devices set up to appear
like a real network to
induce an adversary to
attack – a deception
network is all or part
of the actual enterprise
that is instrumented
and protected such that
the adversary is allowed
to engage and the en-
gagement is captured forensically but does no harm.
The benefit is that the adversary does not know that
he is being tracked and manipulated.
This is a rather simplistic description. In reality
there are lots of flavours of honeypots and deception
networks, but for a 100,000-foot view it will do. It also
is a pretty good description of what Illusive Networks
does. This Innovator uses what it terms “Deceptions
Everywhere Technology” to neutralises targeted at-
tacks and advanced persistent threats by creating a de-
ceptive layer across the entire network. This provides
an endless source of false information, disrupting and
detecting advanced attacks with real-time forensics
and without disruption to business.
What makes this Innovator unique? After all, we
have had honeypots for a long time. However Illusive
believes that the honeypot concept is not scalable and
is expensive to operate. How are they unique from
other deception nets? Others are trying to improve
32
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
the honeypots by using virtual machines as honeypots.
Taking a very different approach, Illusive makes every
endpoint part of the deception.
The company does it without agents so the decep-
tion itself is protected from reversing by the adversary.
The adversary must try everything because he doesn’t
know what is good and
what is not.
Some important
features of the Illusive
deception network
include Attacker View,
a sophisticated technol-
ogy that exposes hid-
den cyber-attack paths,
enabling a view of the
attacker’s lateral movement; Wire Transfer Guard
detects targeted attacks against global wire transfer
banking systems; and Advanced Ransomware Guard,
which blocks ransomware activity at the source host
before it gains a foothold in the network.
The company has, essentially, reinvented deception
technology. It takes the perspective of the attacker not
the malware. Malware is not the issue. The issue is the
attacker behind the malware.
Vendor Illusive Networks
Flagship product Illusive
Price £47 per user per year tiered volume pricing.
Web illusivenetworks.com
Innovation Took deception from honeynets to fully
transparent deception networks.
Greatest strength Took deception from honeynets to
fully transparent deception networks.
ProtectWise
reviously we used an early version of Pro-
tectWise with excellent results. The product
provides a pervasive view of the network,
incorporating analytics and an
interesting, eye-catching inter-
face that enables threat hunting
and incident response. The
tool is deployed using network
sensors on critical segments of
the enterprise. These segments
are monitored for their network connectivity between
parts of the enterprise or the enterprise and the in-
ternet. The sensors optimise collected data and ship
it to the Visualiser in the cloud where it is analysed
and displayed on a heads-up display rather than the
usual dashboard. This unique display is eye-catching
and attracts the analyst’s attention to important events
occurring on the enterprise. The company has brand-
ed its tool set the ProtectWise Grid.
This is the second year we’ve looked at this Inno-
vator and over the intervening year the company has
transitioned to full production and heavy marketing.
ProtectWise now has a crystalised vision of how its
disruption is going to come together. When asked
about differentiators, reps told us that the company
is bringing a utility model to the market through its
cloud. This allows organisations to transition the
siloed servers in the security stack to the company’s
model, thus allowing, in addition to real-time analysis,
retrospection.
Integration with third-party tools combines network
visibility with the endpoint through integration with
such vendors as Carbon Black. To accomplish this,
the tool has a very integration-friendly API. This facil-
itates feeding a suite of indicators including in-house
33
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
research, best-of-breed threat indicators and custom-
ers’ bring-your-own-intelligence.
Called context fusion, these combine an intelligence
bucket made up of forensic,
workflow and remediation
buckets. Improved depth of
analysis results from expanded
machine learning, a TCP library
and open-ended enquiry that
supports hunting. The tool scales
well and data searches are very fast over Big Data.
This is, most certainly, a next-generation tool for con-
text-based, real-time threat hunting on the wire. With
the heads-up display, network operations centre engi-
neers are presented with a quick way to identify events
on the enterprise and begin the analysis and response
necessary to protect the network.
Vendor ProtectWise Flagship
Flagship product The ProtectWise Grid
Price The ProtectWise Grid is a subscription service.
Pricing is tiered and based on the amount of network
traffic ingested and the length of time network data is
retained for retrospection.
Web protectwise.com
Innovation A kill chain approach to detecting and ana-
lysing events within the range of its sensors and making
those events visible immediately along with the analytics
necessary for a deeper dive into the event.
Greatest strength The heads-up display is completely
unique. Rather than minimising the capabilities of Pro-
tectWise to a “pretty face,” the display is designed to
draw immediate attention to events that need attention
and facilitates efficient hunting and remediation.
Buyer’s Guide 2017
PacketSled
P W
acketSled is, usually, a SaaS tool but there is an
on-premises version as well. We especially like
the support feature that consists of clicking a
button on the desktop to open a chat session with an
engineer. We never have seen that level of support
response in any of the prod-
ucts we have reviewed and it
provides a real benefit both
to new users and experienced
users with a difficult problem.
Another feature that we like
is the query language that lets
users focus in on issues that
may be related to an event in the enterprise. The core
that supports that query language is Bro, the network
analysis framework. The queries are simplicity them-
selves to write, but if you don’t quite have the knack
of Bro yet, the query manager has an autocomplete
function to help you along.
PacketSled has multiple screens, each with a par-
ticular function. The main screen is the overview and
it shows a comprehensive picture of sensor activity.
From this screen, users also can open cases set up in
the Investigator screen. It is on the Investigator screen
where users can initiate queries that can be in the
Bro-like query language, which resembles regular ex-
pressions. Additionally, there are automated captures
that look specifically for such things as suspected com-
mand-and-control servers accessing (or being accessed
by) your enterprise.
But the system is not limited to pre-packaged
indicators. You can set your own kill chains. For ex-
ample, you might be looking for SSH probes where
34
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
the attacker is trying to guess passwords coming from
a particular geographic location. Once you set that
up, you can designate the alert level. Overall, this is
a very complete package. It not only provides alerts
that users can customise, it is an analyst’s tool that we
could not function on our honeynet
without.
What’s coming? More and deeper
analytics of course. You never can
have enough of that. Also, enrich-
ment, such as full export and import
of Stix profiles – a particular hot
button for us – and more visuali-
sations. With all of that, this Innovator is carving its
place in the marketspace in high style.
Vendor PacketSled
Flagship product PacketSled
Price Pricing is consumption based.
Web packetsled.com
Innovation Applying advanced analytics to threat
hunting and evolving an analyst’s tool into an analyst’s
tool that also has very strong monitoring, detection, case
management and alerting functions.
Greatest strength Strong analytics and versatility.
PacketSled is, usually, a SaaS tool but there is an on-prem-
ises version as well. We especially like the support feature
that consists of clicking a button on the desktop to open
a chat session with an engineer. We never have seen
that level of support response in any of the products we
have reviewed and it provides a real benefit both to new
users and experienced users with a difficult problem.
Sqrrl
hile this Innovator didn’t exactly coin
the term “threat hunting,” it certainly
has given it form and substance. By
developing its Threat Hunting Reference Model, Sqrrl
has taken the first step to formalising the threat hunt-
ing process. Since it has
built its product around
this model, it has an excel-
lent start on a commanding
place in the market. Many
of the Sqrrl team are sci-
entists from NSA so, as
one would expect, the technology and data science is
sound. The model is unusual in that it has begun to
define the threat hunting process and it has come from
a relatively unknown – at the time it was introduced
– company.
Models such as these generally are viewed as
self-serving marketing hype. Having spent much of
our time in threat hunting, we can attest that such
definitely is not the case here. The model – which
includes a maturity model – is solid as a threat hunting
framework and it makes a lot of sense to those of us
who have been doing the steps in the model for some
time.
Sqrrl installs on a Hadoop cluster and can be hard-
ware or cloud-based. This is Sqrrl’s second year in our
Innovators issue and over that year it has been busy
continuing its innovation. The company has added
new functionality since last time we looked at it. They
have improved their built-in analytics to provide addi-
tional observation as to where to take the hunt. And,
35
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
are continuing to expand on views of adversarial be-
haviors to determine which users, user accounts, etc.,
are at risk based on observation.
Further, there is a new focus on workflow. Sqrrl
sees hunting as a collaborative activity so it is adding
ways for analysts to tag and
annotate for other analysts.
The developers are spend-
ing more time in the DNS
space, leveraging DNS for
tunneling, command and
control, etc. The adversary
is using DNS so defenders must understand what they
are doing, how to identify their actions and defend
against it. This tool is purpose-built for threat hunting.
As the company that is building its future on the
concept of threat hunting, our obvious question for
them was, “How’s this threat hunting thing working
for you in the marketplace?” The answer was unequiv-
ocal: “Extremely well. Threat hunting is more than
indicator search. It includes sophisticated analytics
and visualisation. We’re beginning to see budgets
assigned to hunting.”
Vendor Sqrrl
Flagship product Sqrrl Threat Hunting Platform
Price Starting at £19,700.
Web sqrrl.com
Innovation A formalised approach to threat hunting.
Greatest strength A solid product built in support of
a structured framework for threat hunting.
Buyer’s Guide 2017
Perimeter Defence
I T
t’s pretty hard to defend what isn’t there. We
won’t go so far as to imply that the perimeter
is gone – yet. However, the fact is that there
always will be a perimeter. What it will look like
– well, that may be something else entirely. We
have written before that protecting the data is
“The perimeter is not
just the network edge as
defined by a firewall”
the key reason that we have information securi-
ty. It would be pretty pointless to protect some-
thing that did not need protecting. However,
the data on our networks today is pretty much
the crown jewel of the organisation and needs
serious protection on lots of levels.
So, we put it behind a firewall and call that
the perimeter. That is, until we put some or all
of it in the cloud or give mobile device access to
that – presumably protected – data. Then there
is the issue of inviting the adversary into the
network by succumbing to phishing or drive-
by attacks. Now we have, whether we meant
to or not, significantly redefined the perimeter.
In fact, it might be said that there almost is no
36
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
perimeter. For example, when a bank puts up a
customer portal for an online banking system, it
reaches back into the network for the backend
data storage.
But does this mean that we have scrapped the
perimeter? Our Innovator in this section cer-
tainly doesn’t think so. There are
issues that have clear perimeter
functionality without being pe-
rimeters. For example, if you set
access by VPN only, you’ve moved
the perimeter out to the endpoint
on the VPN. If you encrypt access
to servers by internal endpoints,
you’ve moved the perimeter to the endpoints.
And, if you provide access to an SaaS application
over the internet, to where you’ve moved the
perimeter is debatable. You might consider the
SaaS application the perimeter, or you might
consider the front-end back on the enterprise to
be the perimeter. In any event, the perimeter is
not just the network edge as defined by a firewall
(though it might be that as well).
There are multiple protocols, operating envi-
ronments and applications, as well as physical
and logical locations, for the data you want to
protect. All of that poses a serious challenge for
the reason we have a perimeter in the first place:
To protect the data.
Cyber adAPT
his Innovator concentrates on the mobile
device as the putative perimeter of the enter-
prise, regardless of where the data actually
resides. The company takes the position that the
traditional network perimeter is moving out to the
mobile endpoints. This trend is collapsing the network
core to be the hub
between endpoint
hosts; data cen-
tres, which are
also being pushed out to the cloud; and outsourced
services and applications. The “network core” is
quickly becoming nothing more than a data crossroads
linking mobile devices with cloud-based applications
and storage.
The problem it is solving is how to secure confi-
dential data on every mobile device as the endpoint
becomes less traditional. This firm believes that the
current paradigm of mobile device management
(MDM) does not give a lot of security options, such as
split tunneling in BYOD. Through their acquisition of
MobileActive Defense (MAD) the company can now
merge data protection with remediation. This allows
application of threat intelligence to MDM. If a device
is exhibiting dodgy viour, this tool can compare to a
baseline and then quarantine. A major benefit is the
reduced threat intelligence/remediation cycle.
With that in mind, Cyber adAPT has introduced its
Secure Device Management (SDM) server. This is a
centrally managed enterprise-grade system designed to
extend security functions to corporate and personally
owned mobile devices and Windows desktops.
SDM features six distinct functionalities: IPsec
VPN concentrator, stateful inspection firewall,
37
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
security-enhanced MDM, PKI/ certificate authenti-
cation, content filter, intrusion prevention/anti-virus,
and containerisation (application wrapping) and
mobile threat detection. All traffic to and from mobile
devices is routed through a secure 256-bit, certifi-
cate-authenticated IPsec VPN connection. As the
network becomes
more porous and
sensors more
vulnerable, the
tool will extend detection/protection framework out
to IoT without being a slave to protocols.
We found this Innovator interesting partly because
we have been watching MAD for some time and we are
not surprised at this merger. From the perspective of
functionality, it makes perfect sense. But, the merger is
not limited by the functionality. This Innovator clearly
has a view of the future. The next step, of course, is IoT.
Cyber adAPT takes the position that IoT is little more
than mobile devices all over again. That’s a pretty big
bite to chew, but we’re betting on these folks, especially
with the heritage of MAD in their DNA.
Vendor Cyber adapt
Flagship product Secure Device Management
Price Beginning at £7 per device per month with licens-
ing models that support the SMB to global enterprises
Web cyberadapt.com
Innovation Addressing the security of the perimeter
wherever it happens to lie.
Greatest strength Vision. These folks, to paraphrase
Pogo, have seen the future and it is them. Merging with
MAD and their view of the IoT are examples.
Buyer’s Guide 2017
Risk and policy management
R M
isk and policy management is a necessary
evil (common misconception: while it
is necessary it does not need to be evil).
The problem with risk and policy management
that makes it seem evil is that it
can be very tedious. We looked
at several risk and policy man-
agement products and we found
“It’s really a ‘kinder
and gentler’ GRC”
that, no matter how well the
product processes data and gives
users everything needed to man-
age risk and tweak (or develop) policy, the big
gotcha is getting source data into the system.
For example, a tool that does not do auto-dis-
covery (or consume data from a tool that does
on an ongoing basis) is pretty useless, especially
in a large enterprise where assets are changing
constantly. To our amazement, there were several
products at which we looked that were deficient
in that regard. Our Innovator this year is not one
of them.
There are several elements to consider in a
product of this type. Let’s go back to first princi-
ples: Risk is a combination – however you chose
to characterise it mathematically – of threat, vul-
nerability and impact. To lower risk, we need to
address one or all of these three elements. To that
end we need to know everything we can about
them. That means, first and foremost, knowing
that they exist on our enterprise and what they
38
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
are (host, operating system, applications, com-
munications, etc.).
Then we need to track vulnerabilities in these
assets. We cannot trust a once-per-year pen test
either. We’re talking about ongoing vulnera-
bility testing, automated and feeding the risk
calculation. Then we need threats. That means
threat intelligence services and threat documen-
tation. Finally, we need to wrap all of that up,
do whatever risk calculations are in order and
package the results for their intended audience.
We would like to automate as much of that as
we can, but we certainly want to automate the
workflow.
Our sole entry in this category this year does
all of that and a lot more. And, in order to dispel
some of that resident evil, the company has an
aspect called the GRC Journey that helps work
new GRC (governance, risk, compliance) ana-
lysts through the long and necessarily complex
process of deploying a useful GRC system in
their enterprise. It’s really a “kinder and gentler”
GRC.
MetricStream
etricStream is a provider of enterprise-wide
governance, risk, compliance (GRC) and
quality management applications. The com-
pany is innovative because it believes that it needs to
be. GRC didn’t exist as a regulatory issue when the
firm was created. As well, it is not a point problem
or a technology problem. GRC
requires mindset changes and it
requires technology changes to
bring GRC to life. That means,
according to this Innovator,
relentless innovation is required
in all forms. The charge is to
educate, win hearts and minds,
address the issues and meet a host of other challenges.
According to MetricStream, unless it is a real problem,
it is not worth tackling.
Driving product innovation is owing to about 300
people in cross-disciplines. There is a lot of focus on
coming up with products out of left field in addition
to traditional approaches. Innovation is part of the
DNA of the origination. The culture at this Innovator
fosters the attitude of “I can tackle any problem.”
The team has a scheme that allows funding across all
groups for research. That encourages innovation. The
big picture for this Innovator includes: help customers
drive business from a hybrid cloud availability. The
important idea here is “drive business.”
MetricStream never forgets that it is dealing with
business risk and so protecting the business is its driv-
ing goal. In order to do that this Innovator must make
GRC accessible for the customers. It does this in sev-
eral ways. First is cloud. The MetricStream team see
39
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
more of their customers moving to their cloud from
on-premises deployments. Their cloud offerings have
no co-mingled data and that is innovative, as anyone
who has used a cloud-based service knows. The phi-
losophy here is: be simple, pervasive and deliver on
the hybrid cloud.
This Innovator is addressing
five critical aspects of GRC: (1)
User experience (redesigned the
front end completely with new
visualisations – API-driven); (2)
Configurability (how to make
the operating environment adapt
to your needs and be persistent);
(3) Mobility (can open on any mobile device); (4)
Reporting and analytics (visualisation: seeing and
understanding your data – how do you understand the
data); (5) Architecture (make sure that the technology
is relevant and does not use old technology – relevant
for customers five years from now).
Vendor MetricStream
Flagship product MetricStream GRC Platform and
GRC Apps & Solutions
Price MetricStream App pricing is based on the number
of application modules and number of users.
Web metricstream.com
Innovation Adding a solid technology to the human as-
pects of GRC and making the GRC process manageable.
Greatest strength Involvement with the GRC com-
munity, the customer community and the culture that
drives them relentlessly toward innovation.
Buyer’s Guide 2017
Security infrastructure
T T
his is a tough category to define because it
changes as the underlying infrastructure
changes. We have gone from mainframes
to large-scale Unix to hardware-defined data cen-
tres, to software-defined data centres to the cloud.
To a certain degree, all of these are present today
and, in addition, we have hybrids that include
two or more of these paradigms. Along with the
changes to the underlying architectures the secu-
rity stack protecting them needs to evolve.
In this issue’s Security Infrastructure section,
“...they all seek to
address the fundamental
CIA requirements of its
target infrastructure”
we have focused on large-scale enterprise re-
source planning (ERP) security, remote session
security and industrial control systems (ICS)/
IoT/hybrid security. These different products
take different approaches, but they all seek to
address the fundamental CIA requirements of its
target infrastructure. One thing that is notable is
that the application layer is as likely to be includ-
ed directly in the security stack as not. This is a
fundamental shift in that rather than deploying
40
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
security for the network infrastructure and
separate security for the application layer, these
products – especially when it comes to defending
an ERP system – take a completely integrated
seven-layer approach.
The reason, more or less obviously, is that
applications are so tightly interwoven with the
hardware and communications architecture that
it is difficult to address, effectively, the network
model in layers. We are reaching an all-or-noth-
ing world when it comes to deploying a security
infrastructure. For example, ERP
systems are anywhere from two
to more layers thick. They usually
contain at least a database layer
and a processing layer. They may
use a web interface or have a
third, discreet, visualisation layer.
Access to any of the outer layers
by an attacker can spell access to
the backend data if the infrastructure security
is not in place and effective. In fact, if the user
interface is web-based, that implies a web server
somewhere. Web servers can be notoriously un-
secure if not protected properly so compromise
of the web server can mean a free ride inside.
The three Innovators we have selected this year
really show that an effective, seven-layer type of
deployment – while not trivial – is doable. You
just need to be, well, innovative.
Onapsis
he Onapsis Security Platform (OSP) is a SAP
security tool that combines vulnerability, com-
pliance, detection and response capabilities
that traditional security solutions do not provide in
this environment. Through continuous monitoring,
OSP provides a near real-time
preventative, detective and
corrective approach for se-
curing SAP systems and ap-
plications. It can be deployed
on-premise or in a private,
public or hybrid cloud en-
vironment. The product supports SAP NetWeaver,
ABAP, J2EE, HANA, mobile and BusinessObjects
platforms.
The platform integrates with network security, se-
curity management, SIEMs and workflows, as well as
cloud providers. Specific alarms can be sent and auto-
matic response actions can be triggered. The Platform
also enables secure migration to cloud environments
by seamlessly integrating into private, public or hybrid
deployments.
Over the past year, Onapsis has begun to address
ERP platforms other than SAP. The next product will
address Oracle, for example. This Innovator also has
developed a new product platform. What was largely
a Windows desktop-based scanner now is an enter-
prise-grade platform that can be deployed on-premises
or in the cloud. This new iteration also supports detec-
tion and response. It can identify exploit efforts or at-
tempts at accessing information without authorisation.
An important capability is its ability to feed SIEMs
and ticketing platforms. In that regard, the tool can
41
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
apply virtual patches. It scans automatically and can,
if configured, push patches. For Onapsis this has been
a year of change: increasing the number of employees,
receiving investment and moving to a new facility.
Additionally, the company now supports the cloud
and is a founding member of
the Cloud Security Alliance
(CSA).
Developing threat intelli-
gence on SAP-specific exploits
has been a differentiator. Its
innovation stretches to vertical
expansion with new modules, such as risk calculations.
This Innovator is continuously investing in vulnerability
research. Because it is dealing with business risk instead
of just technology risk, it has been able to develop
reliable metrics and is seeing interest in the audit com-
munity as a result.
We see Onapsis as an Innovator that started with
a good idea and a niche market – SAP – in which it
became dominant and has begun to apply its innova-
tive approaches to moving into the entire ERP market
where it is similarly likely to dominate.
Vendor Onapsis
Flagship product Onapsis Security Platform
Price £47,313 per production SID.
Web onapsis.com
Innovation A security stack dedicated to SAP.
Greatest strength Being able to expand its offering
to meet market needs and move into the ERP market
space as a whole.
Buyer’s Guide 2017
TSFactory
TS
Factory is a software development com-
pany focused on remote session mon-
itoring and recording. This Innovator
embraces the idea that the cloud is here
to stay. It also believes that security tools
for the cloud and remote access tend to
lag behind and are always trying to catch
up. The solution, says this Innovator, is
to provide the security and auditing tools
that can help customers feel safe. With
this in mind, they are moving more into
the auditing area and also are moving
toward gateway appliances.
As part of its go-to-market strategy,
the company is partnering with large
cloud providers with unique challenges to face. That
lets them tailor products to the market and help cloud
providers overcome those challenges. One of TSFac-
tory’s strongest innovations is that it is able to re-tool
rapidly to meet new challenges. The company is able
to do these changes in 24-48 hours because they are
lightweight and can make changes in hours rather than
months. To meet that challenge, though, this Inno-
vator had to update its architecture to support rapid
change. This is almost unprecedented fast turnaround.
That is innovative, for certain, but how scalable is it?
Very, because one change usually can propagate wide-
ly in the customer base.
This almost is as if TSFactory had a captive team
of market researchers feeding it new requirements
based not on a perceived need but on real, actual
requirements. If one cloud provider has a particular
problem, many do. That means that a fix for one is
extensible to many others. That approach offers real
42
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
economies of scale. The company also worked aggres-
sively with cloud providers to meet their needs; for
example, updating licensing to fit the cloud provider
paradigm.
Performance is a big challenge as past
tools are too slow for real-time auditing.
Another major challenge is data reliabil-
ity. Obviously, one can’t afford lost data.
Dropped packets are an example of one
way to lose data. This is not just an issue
of ramping up wire speeds, there are lots
of other factors that contribute to per-
formance-related data loss. That means
that this Innovator is constantly trying
to accommodate faster standards. For
one, it changed up its databases and used multi-stage
buffering.
This has made a big difference in performance
without depending on driving up wire and interface
speeds. They intercept all traffic so nothing can get
around them. Since they are in-line, they use buffering
that allows them to approach real-time analysis.
Vendor TSFactory
Flagship product RecordTS
Price £1,021
Web tsfactory.com
Innovation Building a system to monitor remote ses-
sions in the cloud based explicitly on the stated require-
ments of large cloud providers and extending that to its
entire market.
Greatest strength Ability to turn on a dime to meet
customer challenges.
Tempered Networks
M
any years ago, there was a theory roaming
around the info sec community that all we
had to do was encrypt everything and we’d
be safe. No need for any other protections… just en-
cryption and all would be right with the digital world.
That never materialised – until
now. The fact is that at the time
that theory was proposed the
way forward to deploy it was
still shrouded in mystery. The
key, as it turns out, is identity
defined networking (IDN), and this Innovator has
built a business around it.
Identity-defined networking effectively brings iden-
tity to the network and endpoints and allows central
management of these identities in a dynamic and scal-
able way. An IDN is an encrypted overlay network that
transcends traditional segregation mechanisms, such as
VLANs, VPNs, MPLS, and addressing schemes.
Well, it’s not quite that simple, but close. The key,
as one would expect, is encryption. The assets are
identified cryptographically and only certain assets
are allowed to communicate with them. By defining
the communication groups, you define a collection of
IDNs. If an asset – or an intruder – is not in a particu-
lar IDN, it cannot communicate with any of the assets
in the IDN. Additionally, communication is via a spe-
cial protocol called host identity protocol (HIP). All
communication is based on cryptographic exchange
prior to data transfer.
This Innovator overcomes the problem of updating
43
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
access control lists (ACLs), etc., by using host identity
protocol to assign a unique host identity to each asset
on the network. This makes it very hard to penetrate.
It completely defeats phishing because the user’s ac-
cess to certain assets is restricted by his asset’s allowed
access. A phisher can’t spoof
because he doesn’t have access.
Because this is completely soft-
ware-based, deployment takes
seconds instead of weeks per
device and it’s verifiable and
easily auditable. IDNs dramatically reduce the attack
surface by reducing lateral movement.
Tempered Networks has a host intrusion prevention
(HIP) client for Windows and is working on Mac
and Linux clients. The HIP switches are proxies for
devices that cannot protect themselves. This Innovator
also has the HIP chip that can be embedded in IoT
devices. A staffer at this Innovator told us that getting
the market to adopt HIP, more than selling products,
is a primary driver.
Vendor Tempered Networks
Flagship product Identity-defined Networking
Price £19,711
Web temperednetworks.com
Innovation Identity-defined networks.
Greatest strength Ability to apply IDNs in just about
any network environment from industrial control sys-
tems to IoT and back-office LANs.
Buyer’s Guide 2017
Virtualisation and
cloud-based security
T
hese are two sides of the same coin. On
one side, we have security for the virtual,
or software-defined, data centre. On the
other, we have security for cloud-based systems.
The two are the same but different. They are
the same in that they both work in a virtualised
environment. They are different in that they
have somewhat different challenges to address.
In a local software-defined data centre there
is complete
control and the “...the clear future of
the data centre is in the
systems that
get spun up are
directly under
the control of
virtual – whether private,
the administra-
tor. Anything
public or hybrid clouds”
that happens
in the local environment can be managed and
investigated. The organisation owns the data
centre and, although it might be considered to be
a private cloud, it is a closely contained one.
In a public cloud, the administrator does not
have complete control. Because it is a shared
environment, the cloud operator keeps a level of
control that the administrator in a localised data
centre would retain. That means that security at
the level one would expect in a self-contained
environment is not, natively, present in a public
cloud. Moreover, the ability to investigate a
44
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
breach in a public cloud is severely limited by
contractual constraints. The solution to this set of
challenges is the virtual network equivalent of a
software wrapper. You wrap the virtual environ-
ment in the public cloud in a layer of protection
and administration that, effectively, cuts off the
virtual enterprise from those virtual enterprises
sharing the same cloud infrastructure.
Our two Innovators in this section address
the two sides
of the virtual
security coin.
One focuses
on the soft-
ware-defined
data centre
while the other
concentrates
on the enterprise in the cloud. However, one
trend that we are seeing more and more – and
this certainly applies to our two Innovators – is
microsegmentation. This allows highly granular
control of security functionality and highly gran-
ular management of virtual assets.
This is an interesting and emerging group be-
cause the clear future of the data centre is in the
virtual – whether private, public or hybrid clouds
– and we need a reliable way to protect the data
residing in these environments.
GuardiCore
G
uardiCore was founded with the vision that
security for the data centre needs to not only
be able to keep up with the rate of constant
change, but also be able to close the gap between
traditional security technology
and a sophisticated threat
actor’s ingenuity. In order to
address that ingenuity, inno-
vators need to be equally – or,
perhaps, a bit more – inge-
nious. The GuardiCore Centra
Platform provides a single,
scalable platform that covers five elements of effective
data centre security: visibility, micro-segmentation,
breach detection, automated analysis and response.
This Innovator starts by mixing the right people
with a set of tough problems to solve. On the product
side, the company has innovated by building a unique,
highly converged platform within the data centre. It
combines visibility, both in real time and historically;
microsegmentation of the infrastructure, by devel-
oping policy with very high resolution; continuous
monitoring for breaches and quick reporting of the
breach, using deception, reputation, lateral movement
detection and semantic analysis to determine forensic
details of the breach – all automated of course. Part
of this Innovator’s philosophy that we really liked is:
Create a resilient network that assumes a compromise
and learn how to live with it.
(HIP). All communication is based on cryptograph-
ic exchange prior to data transfer.
The company has combined multiple capabilities
in the security space into a single product. This allows
the tool to be deployed across hybrid infrastructures.
45
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Industry Innovators
Questions of scale require innovation for analysis and
detection across multiple terabytes of data and virtual
devices. The company views itself as being forced by
the industry in which it works to be innovative. It is
driven by the complexity of
the environment. Niches no
longer work. One needs a
highly connected approach.
There are no simple solutions.
We liked that approach.
Here is a case where the in-
dustry and the creativity of the
adversary are the predominating drivers. In our expe-
rience, that is a pretty good formula for success as long
as you recognise and respond to it. GuardiCore does
all of that. To get to that point, however, you need a
group of people passionate about security and infra-
structure with lots of experience in both the security
and IT infrastructure fields. They have that too.
Vendor GuardiCore
Flagship product GuardiCore Centra Security Plat-
form
Price £19,700
Web guardicore.com
Innovation A virtual data centre security infrastructure
that provides the protection of a similar stack in a physi-
cal data centre, but with the addition of functionality that
explicitly addresses the challenges of the software-de-
fined data centre.
Greatest strength Dedication and passion for security
coupled with extensive experience in security and IT
infrastructure.
Buyer’s Guide 2017
vArmour
V W
Armour describes itself on its website as being
a “distributed security system that provides
insight and control for multi-cloud environ-
ments...vArmour microsegments each application by
wrapping protection around every workload – increas-
ing visibility, security and
operational efficiency.”
That’s a pretty big order.
What we found as we looked
into this Innovator is that it
does a good job of meeting that
marketing statement. How?
vArmour learned some
unique and important lessons from the evolution of
the public cloud: Show value quickly, kill adjacent
product interactions by segmenting, deploy quickly,
and illustrate value. To accomplish these goals, the
company is infrastructure agnostic. That allows it to
be more flexible. This Innovator believes that security
should be as portable as the applications. So, it fo-
cused on taking out what is not necessary and making
its product more efficient and more secure.
Networks usually have been built incrementally and
that adds complexity and leaves the networks unse-
cure. This is especially true in the “multi-cloud” (pub-
lic and private) environment. So, to address that com-
plexity, vArmour has created an abstraction layer that
lets customers straddle both kinds of clouds. Built for
virtual and cloud environment, this is a purpose-built
software designed specifically for virtualised and
multi-cloud environments that uses a single logical sys-
tem consisting of multiple, autonomous sensors rather
than agents. These sensors are connected through the
vArmour Fabric, which shares information and con-
text across the system.
46
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
The system arbitrarily redirects devices to a decep-
tion point, which allows the use of very few actual
deception points and ties segmentation to deception.
The tool views deception as a capability of the overall
security stack rather than a standalone product.
vArmour customers are
focused on protecting work-
loads in such industries as
health care, financial services
and government. Only 3.5
years old, the company has
been shipping product for
two years. Shipping products
after only a year and a half of development requires
innovation and vision – both on the technical side and
on the business and marketing side. Entering a new
market struggling to find its way, as the cloud market
space, requires an immediate development of trust
and confidence on the part of prospective customers.
vArmour has done as good a job of this as it has in
developing its product which, by the way, is in its third
major release.
Vendor vArmour
Flagship product vArmour Distributed Security Sys-
tem (DSS)
Price Starting at annual subscription of £3,900 per
hypervisor for base functionality.
Web varmour.com
Innovation Multi-cloud security stack using microseg-
mentation.
Greatest strength Vision and ability to get ahead of
the market and stay there by understanding the nature
of the cloud as well as their technology.
Catbird Security
e expect that it is the last time for a
while that we will be able to use the bad
pun about this Innovator being in the
Catbird seat. Bad pun or not, though, that certainly
is where this Innovator is sitting now. Catbird didn’t
invent microsegmentation, but it has built a solid busi-
ness on the concept. This allows more fine-grained
security management than simply placing controls at
the perimeter. The product was designed from the
ground up for virtualised
environments and it has
two parts: the Virtual
Machine Appliance
(vMA) and the Control
Center (CC). Both are,
as one would expect,
virtual appliances.
The vMA installs on
the hypervisor and the CC is deployed as a separate
virtual machine. The microsegmentation allows visi-
bility at the virtual machine level. Because it has this
visibility, it can see lateral traffic across the virtual
enterprise. While it also sees traffic into and out of the
virtual environment, the lateral movement is, perhaps,
most useful to defenders. The fine-grained security
policies allowed by microsegmentation help pinpoint
possible malicious activity, potentially down to the
individual device level.
This Innovator is beginning to spread its wings into
other cloud and virtual platforms. The company was
born and raised in the virtualised private cloud but
now its customers are asking for broader coverage.
Customers want to have coverage on all platforms,
agentless where possible, but using lightweight agents
where necessary. The eventual goal is to cover virtual,
47
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Hall of Fame
physical and private cloud environments.
Additionally, Catbird Security has increased the lev-
el and depth of its analytics using its unique trust zone
constructs. That means, among other things, looking
for anomalies measured against statistical norms on
the systems. Catbird already has done a lot of work-
load analysis and now is adding more analytics. This is
just another example of how this Innovator responds
to customer demand. It already has high quality of
correlated data and has
a clear topological view
of the virtual enterprise.
The long-term goal is to
knock down the virtual
wall between the NOC
and the SOC giving
security engineers and
IT/network engineers
a complete, correlated view of the entire enterprise.
This will promote collaboration and lead to more
rapid control of security incidents.
Vendor Catbird
Flagship product Catbird Secure
Price £1,970 - £3,200 (average) per Hypervisor.
Pricing varies based on environment size, platform and
third-party integration option.
Web catbird.com
Innovation Application of microsegmentation across
the cloud and use of analytics all of which can lead to a
security environment for hybrid data centres.
Greatest strength Vision and the ability to act on it
over a sustained period.
Buyer’s Guide 2017
Good Technology
W W
e have been following Good Technol-
ogies for some time. The company’s
product mimicked the BlackBerry En-
terprise Server approach and developed the same kind
of implementation for other platforms. It also allowed
running apps behind the firewall. Now, BlackBerry has
acquired Good Technology and – excuse another bad
pun, please – that looks very good for BlackBerry. This
was one of those very nice matches where both parties
contributed to the mix. Black-
Berry has traditionally focused
on command and control while
Good Technology traditionally
has focused on containerisation
of applications.
BlackBerry has taken Good
Technology’s products and
technology and integrated
them into new releases. Of course, there are a few
Good Technology components or products that still
stand alone, but the current offering is mostly Black-
Berry. BlackBerry believes that taking the two product
lines together forms best of breed for mobile device
management and the best of breed for application
security. The new products are, as one would hope,
device agnostic. Probably the best part from the
mobile device user’s perspective is that complexity is
abstracted away from users. Such things as VPNs, that
can be so troublesome to use and keep connected,
now are handled automatically.
BlackBerry of late has focused on its software which
has a lot more applications than mere smartphones.
For example, it is being used today to track over-
48
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
the-road trucks. That is just one example of how
BlackBerry can extend its – and Good Technology’s
– innovations into a wide variety of applications and
markets. Its software also has done well in reviews so
it is pretty clear where this Innovator is headed.
For today’s enterprise, this acquisition allows Black-
Berry to provide devices and a software platform that
enables and manages security, mobility and commu-
nications between and among hardware, programs,
mobile apps and the Internet
of Things. Addressing the
Internet of Things can be a
challenge, but certainly con-
sidering the Good Technology
containerisation scheme, it
is not an impossible task.
BlackBerry has seen its share
of challenges over the years,
but it is the mark of an Innovator that it sees adversity
as an opportunity. BlackBerry clearly saw things from
that perspective and never looked back.
Vendor BlackBerry
Flagship product Good Secure EMM Suites
Price £Starting at £2 per user per month.
Web us.blackberry.com/home.html
Innovation Combining the containerisation of Good
Technology with the command and control of Black-
Berry Enterprise Server into a new and more effective
security tool.
Greatest strength Vision and persistence.
PhishMe
hen we first met PhishMe we thought
that the name was a bit curious. How-
ever, the premise behind the company
at the time was interesting so we began following it.
At the time, this Innovator was largely involved in an-
ti-phishing training. Because that threatened to become
a commodity, the company
started looking for ways to
enhance its services. That led to
offering, as part of its training,
testing in the form of crafting
phishing emails and sending
them to clients’ employees. For
those who “bit,” PhishMe then
would provide some additional
coaching. It became a sort of closed loop training. One
thing that assuredly has contributed to the company’s
success is that it can point to documented results. It has
trained millions of employees worldwide.
The company has developed its Simulator product,
which uses behavioral conditioning to train employees
how to detect and avoid phishing emails. Simulator is
provided as a cloud-based conditioning platform. The
tool generates customised phishing attacks simulating
a variety of attack techniques including spear phish-
ing, social engineering, malware and malicious attach-
ments, and advanced conversational phishing.
The Reporter lets employees, having detected a
phishing email, report it through their own chain
of command. This helps administrators block
phishing sites and lower the prevalence of phishing,
spear-phishing and whaling. It also is effective against
malware and other types of attacks that are delivered
or triggered by a phishing email. This is a pretty big
49
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
Hall of Fame
deal since a very high percentage of successful breach-
es are the result of responding to phishing.
PhishMe now has over 300 employees worldwide
and has opened several offices around the world. An
important step in its evolution, PhishMe acquired
Malcovery for its cyber intelligence-gathering capabil-
ity and folded it into PhishMe
as its intelligence arm with a
significant international fla-
vour. Triage – introduced last
year – has grown very well and
is evolving into a workbench
for analysing phishing attacks
and messages. Along the way,
this Innovator is creating new
analytic modules and automating. Meanwhile, it is
making enhancements to the Reporter and working
on a mobile edition. PhishMe continues enhancing its
natural language process to allow it to cluster similar
emails for analysis.
Vendor PhishMe
Flagship product PhishMe Simulator & Reporter
Price PhishMe Simulator is priced based on the number
of users in an organisation. Reporter is included at no
additional cost.
Web phishme.com/product-services/services/
Innovation An evolving platform for combatting phish-
ing attacks using techniques that were the forerunners
in the field.
Greatest strength Application of behavioural
conditioning along with a variety of other tools and
techniques to address phishing and its consequences.
Buyer’s Guide 2017
Pwnie Express
T
his Innovator has a very interesting history that,
perhaps, could not really have predicted where
it would end up today. The earliest Pwnie Ex-
press tools were for remote pen testing from inside the
network. Today, of course, that still exists, but there is a
lot more to the Pwnie Express
lineup. Its tools set provides
continuous monitoring and
detection, identification and
classification of wireless, wired
and Bluetooth devices. All
of this data, gathered from a
Pwnie Express sensor, feeds a
cloud-based dashboard called
Pulse. There is a lot that can be
accomplished directly from the dashboard, but users
also can access the underlying sensor operating environ-
ment for adding further capabilities or fine-tuning the
ones you’ve already deployed.
The Pwnie sensors don’t care what wireless band
you’re using. It monitors everything. The tool used
multiple sensors at Super Bowl 50 to gather wireless
data coming from over 75,000 users in the stadium. All
sensors are self-contained units that require only power
and Ethernet with internet to function. In addition to
Wi-Fi and Bluetooth (which the sensors can detect in
real-time) there also is rogue 4G detection. So, using
your data plan instead of the Wi-Fi won’t hide you from
the Pwnie. Coupled with that capability is the ability to
pass data to a SIEM, making this Innovator’s tool a full
partner in the security fabric of the organisation.
50
SC • Buyer’s Guide 2017 • www.scmagazineuk.com
TOMORROW’S SOLUTIONS
Firewall and Security Policy Management
Do more with the Skybox® Security Suite
During testing in our lab, we found the products
• Simplified multi–vendor firewall management
very easy to work with. Participating in a deployment
at a financial services organisation – across multiple • Total network visibility and control
locations – we found that deploying and tuning was • Secure, automated firewall change workflow
straightforward. The sensors come in a couple of • Comprehensive attack surface visualization FIREWALL NETWORK
versions. One is small and ASSURANCE ASSURANCE
across physical, virtual and cloud networks
simple – about the size of a
large, square hockey puck.
The other a small-footprint
desktop device. The larger –
the PwnPro – has the space
CHANGE
to add to the software in it MANAGER
HORIZON
already. On that one you can
run Metasploit, whereas on the
smaller one you only can run
OpenVAS for vulnerability testing. For remote pen-
etration testing, using the Metasploit option is a very
significant benefit.
Vendor Pwnie Express
Flagship product Pulse
Price Priced per number and type of associated hard-
ware sensors used; £79 per professional sensor per
month with full subscription.
Web pwnieexpress.com
Innovation Embedding monitoring and pen testing/
vulnerability assessment inside the network, particularly
for various types of wireless communications.
Greatest strength Ease of deployment and use, as www.skyboxsecurity.com
well as excellent coverage and broad capabilities.
Evolve and see what you’re missing.
Maintain and report on compliance across hybrid IT environments.
Ensure firewall rules and security policies support connectivity without
exposing your organization to attacks or compliance violations.
Vulnerability and Threat Management | Security Policy Management | Attack Surface Visibility
 TOMORROW’S SECURITY IS HERE
Do more with integrated security management solutions — the Skybox® Security Suite

VULNERABILITY THREAT
HORIZON
CONTROL MANAGER

FIREWALL NETWORK CHANGE

ASSURANCE ASSURANCE MANAGER

www.skyboxsecurity.com

Evolve and see what you’re missing.

Unify data from 100+ security technologies. Gain end–to–end
attack surface visibility using network modeling and attack vector
analytics. Automate the prioritization of critical exposures.

Vulnerability and Threat Management | Security Policy Management | Attack Surface Visibility