21CT's LYNXeon brings intelligence to security analytics for data of all sizes

Transcription

1 21CT's LYNXeon brings intelligence to security analytics for data of all sizes Analyst: Wendy Nather 8 Jun, 2012 There's a big difference between analytics and reporting. Reporting shows you the data that's there; analytics generates new information out of the existing data, and can create new data to feed back into the system. Stricter definitions of analytics require mathematical processes or statistical models, as opposed to simply inferring conclusions from reported data. They also describe actions such as forecasting, optimization, predictive modeling and simulation. Visualization is a key element of analytics, since good visualization can facilitate the discovery of new information, and mediocre visualization can lock the user into the limited viewpoint of the product (pie charts, anyone?). Putting hot trend words together can create a phrase hotter than the sum of its parts, the latest example being 'big data security analytics.' And as we have described, not every security vendor that has been around for a decade can suddenly rebrand its product as 'big data' or even 'analytics.' But if the product has been designed for analytics from the ground up, and has been using disparate sources of data at very large volumes, it's a different story. This is the story of 21CT's LYNXeon intelligence analytics and visualization platform. The 451 Take As we have said, traditional security data is no longer the only relevant data for enterprise security. Simply handling large volumes of data at great speed is not enough; the differentiators are in support for data variety and exploration, among other factors. 21CT came from the defense and intelligence communities with an analytics platform that already promoted data agnosticism, underpinned by proprietary algorithms for complex graph pattern analysis. The company needs to avoid being trapped in the SIEM category; even within the Copyright The 451 Group 1

2 security market, it should be touting its support for what we call 'total data,' and bring security intelligence that much closer to business intelligence. Its field of real competitors for this particular market is still small, but fierce and a lot of aspirants to big data security analytics are capable of joining them, if they ever get off the network and OS layers. Context Based in Austin, Texas, 21CT (formerly known as 21st Century Technologies) was founded in 1999 by two MIT scientists (who are no longer involved with the company). The company is led by CEO Irene Williams, who has been driving the growth of LYNXeon as well as its R&D and custom application development lines of business since Frederick Chang, former director of research at the NSA, joined 21CT in March 2012 as its president and COO. In June 2010, the company announced its acquisition of NetflowData, a cyber-security consulting firm with four employees, based in Maryland. 21CT has roughly 80 employees, with half of those in the DC area and the other half in Austin. It is self-funded and has been cash-flow positive since its founding. 21CT holds six patents in areas ranging from 'intelligent intrusion detection system utilizing enhanced graph-matching of network activity with context data' and 'social network aware pattern detection' to 'tactical and strategic attack detection and prediction.' The earliest of these was filed in March 2006 and the latest was granted in November Thirteen more patent applications have been filed. Technology The heart of 21CT's technology is its LYNXeon platform, which is intended to support its use by a team of analysts. Originally these were mostly defense and intelligence analysts, developing network and social connection information out of data such as electronic communication records, geospatial data, training and conference events, financial transactions and more. LYNXeon uses sophisticated graph pattern analysis to help identify and visualize relationships and sequences of connections that are non-obvious and that could not have been uncovered by a known set of queries. Although the product comes with a large set of pre-generated queries (known as the LYNXeon Analytic Catalog), a user can customize, import or construct any type of query using 21CT's copyrighted Pattern Query Language. Copyright The 451 Group 2

3 Since LYNXeon handles any kind of structured data input, its strength lies in the ability to bring very disparate sources together and mathematically discover connections among them. The user interface displays these relationships in any number of ways: as a network, a graph, a chart (and you can even, if you must, export it as an Excel spreadsheet). An analyst working with the platform can create queries, work with subsets of the resulting data, export the final constellation as another saved query (analytic), map out a time series, annotate elements in the visualization, and share the results with others in the workgroup. And because 21CT has been working all this time with national defense agencies, it is used to processing millions or billions of data elements per query with low latency. Currently, the types of analyses being performed with LYNXeon tend to be very threat-centric: finding terrorists, detecting fraud and uncovering network-based attacks. A security analyst might run a query to detect a combination of behaviors or events using as inputs IP addresses, port ranges, GPS coordinates, NetFlow data, identity stores, application logs, badge access records and database query logs. The analyst might then identify a common sequence of events within a particular timeframe, add or remove constraints within the query, and play with the resulting net to see what other associations appear, either directly or within a number of degrees of separation. The LYNXeon system is geared toward intelligence communities and large enterprises, where a typical deal might run into the hundreds of thousands of dollars or more. However, 21CT also offers tiered pricing for smaller data scales. A trimmed-down version of the tool, called LYNXeon Wildcat, in beta, is also available. This edition is configured for a single user on a desktop, with a simplified user interface and feature set, and includes free NetFlow traffic analytics. The enterprise version, by contrast, requires a Linux-based server with a recommended four quad-cores, 64GB of RAM and minimum 2TB of internal disk, depending on data-retention requirements. Strategy Because of its roots in the intelligence world, 21CT has clientele ranging from the US Army and US Air Force to 'if we told you,...' It was not a big step to go from one type of intelligence to another within the same market, so cyber-security is one of 21CT's big pushes, along with fraud detection for banking and criminal tracking for law enforcement. And because of its initial use cases for intrusion detection within IT security, LYNXeon has often been lumped in with the SIEM tools. However, this view is terribly narrow, given that the platform's engine was designed to be data agnostic. By data agnostic, we don't mean 'any kind of computer-based log or security tool output' we mean 'high school honor rolls, plus changes in the McDonald's menu, plus auto insurance rates Copyright The 451 Group 3

4 over the past two years, and Broadway actors that have also bought clarinets.' If there were a chance to pull analytics out of the facetious risk equation 'peanut butter times jet engine equals shiny,' this would be it. We see applicability for this platform far beyond threat-centric models, and although it could prove very useful for security threat intelligence, it shouldn't stop there. A tool this flexible has the potential to bridge the IT layers with the business layers, so that the intelligence gathered is more meaningful to the C-suite no matter what the business is. And while we're talking about bringing security intelligence closer to business intelligence, we should look at the 451 vision, not of big data, but of total data: Total Data = (volume +/- variety +/- velocity) + (totality +/- exploration +/- dependency +/- frequency) In this view, data and analytics are not just about the size, but about the variety of sources, frequency of use, and how much the nature of the data-query results determines the schema, rather than the other way around. LYNXeon is tooled for data exploration, not just data mining or event alerting. We have seen many examples of defense-grade security moving into the private sector, starting with those customers most likely to be targeted and who have the budgets and expertise to afford analytics. This kind of market expansion comes with its own set of challenges, particularly in adapting the security product to the capabilities of less-disciplined organizations. 21CT might choose to focus on geographic expansion rather than moving into market segments that won't appreciate its features. That said, we could still see a home for LYNXeon in areas where the data is complex and highly contextual, such as in healthcare, or in critical infrastructure and manufacturing, where it could tie security elements more closely to operational data. And data-heavy operational environments, such as those within cloud and hosting-provider infrastructures, could also benefit from this level of analytics. Either way, though, we would urge 21CT to slip the surly bonds of SIEM and market its analytics platform with its broader intelligence capabilities, particularly above the traditional network layer. Competition Since we're looking at 21CT through the security lens, we'll stay with the competitive field among security vendors, even though the company could take on BI aspirations as well. One of the first rivals that comes to mind is Red Lambda, with its Neural Foam AI engine; it works with both Copyright The 451 Group 4

5 structured and unstructured data, and is backed by the company's proprietary, high-performance MetaGrid computing platform. (We would actually be interested in seeing what the two companies could create in synergy.) Another close competitor is Palantir Technologies, which plays in the same verticals (intelligence, law enforcement, antifraud, cyber-security) and has a very strong UI and visualization display. IBM's i2 Intelligence Analysis software, just announced last month, leans more toward the intelligence, antifraud and law-enforcement communities. Many other vendors that specifically market using the keywords 'big data,' 'security' and (often) 'analytics' together include Pervasive Software, the Packetloop platform, Splunk, Click Security, SenSage and more. However, most of these still focus on the network and operating system layers, and focus on real-time intelligence rather than predictive analytics, or serve up predefined analytics with less support for exploration. RSA NetWitness has beautiful visualization, for example, but it's limited to what comes out of network traffic. Yes, there is a very long list of additional vendors that focus on SIEM, risk analysis, intrusion detection and threat intelligence, and to a greater or lesser extent, they could be said to compete with 21CT. For the sake of brevity, though, we are not including those vendors that only claim support for big data in that they can handle a lot of data, particularly if they limit themselves to network-layer security. In the spirit of total data, they should at least be promoting a new offering that addresses increased scalability and speed requirements, while at the same time offering analytics (as opposed to reporting) and ideally stepping out of the narrow log and network security courtyard. A key point we have made is that 'traditional security data is no longer the only relevant data for enterprise data security.' To be considered competitive with the likes of 21CT, Palantir and Red Lamba, vendors need to think creatively beyond the security data, and into the broader world of intelligence. On the other side, we wouldn't advise 21CT to go up against SIEM vendors that offer sensors, collection mechanisms, log management, forensics or alerting. Enterprises still need these functions, and LYNXeon would be supplementary to them. We believe the use cases are far enough apart that they can coexist. SWOT Analysis Strengths Weaknesses Copyright The 451 Group 5

6 21CT's strength is in its patented algorithms that support its graph pattern analysis. Since it has been with the big players all this time, it already knows its way around big data (and more importantly, total data). Its Pattern Query Language offers fine-grained control for the serious analyst. The LYNXeon graphical user interface could use some more work to catch up to its closest competitors, which have a wider variety of data visualization and interaction techniques. Opportunities Threats The company has the opportunity to skip the SIEM stage and expand into broader realms of security intelligence, as well as lend its analytics to business-layer data. This could increase the number of receptive verticals. Rightly or wrongly, there's a large group of vendors jumping on the big data, security and analytics bandwagons. 21CT needs to differentiate itself clearly to pass them by in the security market. Copyright The 451 Group 6

7 Reproduced by permission of The 451 Group; This report was originally published within 451 Research s Market Insight Service. For additional information on 451 Research or to apply for trial access, go to: Copyright The 451 Group 7