Critical Watch aims to reduce countermeasure deployment pain by doing it all for you

Analyst: Javvad Malik
6 Sep, 2012

Critical Watch offers Active Countermeasure Intelligence, a combination of risk intelligence and active mitigation. Targeting a partner strategy through licensing and OEM agreements, it aims to unify elements of risk and map them to the most effective countermeasures.

The 451 Take

The Active Countermeasure Intelligence Platform may initially appear to be another IT GRC (governance, risk and compliance) product. While similarities exist, Critical Watch expands on the functionality typically provided. Integrating with a vendor SIEM, it is built to analyze and correlate vulnerabilities that span the network, application, data and Web layers. Furthermore, it takes the bold step of tuning security devices to provide mitigation. We can think of the product as half GRC and half IPS. Pursuing a route to market through indirect channels, licensing and OEM agreements lets vendors enhance their existing offerings. The modular design adds to its appeal for partners, and has enabled Critical Watch to avoid going head-on into the crowded market against GRC and analytics vendors. If Critical Watch can continue to provide enhanced functionality at a price point that makes it uneconomical for companies to develop their own variants, it should maintain a solid position.

Context

Dallas-based Critical Watch was founded in 2000 by Eva Bunker and Nelson Bunker, who serve as architects. Both have 15 years of experience in technology and security. The company is self-funded and claims to remain profitable, with the ability to sustain itself for the foreseeable future. Although employee numbers and revenue are confidential, we believe that its SaaS model, which has grown across all the usual verticals of healthcare, finance, education, government, e-commerce, technology and manufacturing, has allowed the company to remain profitable.

Products

One of the challenges plaguing organizations is having the relevant information to hand in order to make effective risk decisions. This can leave security and risk practitioners making decisions based on incomplete information, or recommending solutions that may not be the most practical for the organization. This is not an easy gap to fill; enterprises are notoriously complex, and most have difficulty keeping an up-to-date inventory of all deployed assets and controls. This is where Critical Watch is trying to ease the pain: by integrating with an organization's existing SIEM and analyzing the information in order to make intelligent risk decisions.

The initial product Critical Watch brought to market was its vulnerability management offering, FusionVM. In 2008 the company released FusionVM Profile Validator, designed specifically to integrate with HP TippingPoint IPS. This mapped vulnerabilities to IPS signature settings and automated the deployment of IPS changes.

With the Active Countermeasure Intelligence (ACI) Platform, risk collection agents interact with various third-party-vendor risk tools in an organization's environment to gather information about vulnerabilities, software weaknesses, malware in the network, endpoints, applications, Web properties and other components. All of this information is fed into the newly developed ACI Recommendation Engine through a family of risk-input APIs. The ACI Recommendation Engine can connect to countermeasures using control agents and design a mitigation plan. Using a policy-driven workflow, the ACI Platform can then mitigate the risks by directing the countermeasure controllers to execute specific remedies, which can be customized to an individual client's risk appetite. In a nutshell, it's an IPS overlay that allows customers to make more informed decisions on how to dial blocking and prevention up or down.

The thought of an intelligent device gathering data and making changes to live security controls may have some security practitioners screaming Skynet and running for the hills. Critical Watch claims that this is a capability many clients welcome, since it lets them address potential vulnerabilities rapidly.

What really interests us about the product is that it works across the different layers. A vulnerability may exist in the Web layer, but the most appropriate countermeasures may sit in the network layer or the data layer. Knowing how disparate the various support teams can be within some organizations, this adds a degree of cohesiveness to overall operations that has generally been lacking. This intelligence can lead to better risk decisions, and as a result the value lies in an increased ability to orchestrate the security process from detection through to mitigation.

In addition to the Recommendation Engine, Critical Watch has also launched Basecamp Labs, a dedicated research team that identifies and evaluates vulnerabilities and develops countermeasures. You would be right in thinking this sounds a lot like IBM's X-Force. But where X-Force develops countermeasures specifically for IBM products, Critical Watch takes the ambitious approach of being vendor-neutral, developing countermeasures for all supported products, which should keep the eight-strong team busy. However, we feel Critical Watch will need to convince customers of the benefit Basecamp can provide over existing feeds and sources.

Strategy

Critical Watch does not sell to end customers, opting instead to sell through indirect channels, licensing and OEM agreements. We believe this approach will pay dividends in the long run: rather than going head-to-head with the likes of established SIEM vendors, it has sought to develop a complementary offering that provides an active element which doesn't typically exist. To make it relatively easy for OEM partners to license its technology, it has developed its product in a modular fashion, allowing each component to be licensed individually. So if a vendor only wanted to use the Recommendation Engine with its own products, it could do so. So far this strategy appears to be working, as evidenced by an extensive, if undisclosed, partner list.

Going forward, the question is whether Critical Watch will generate more revenue by continuing to license its modules, or whether the whole package will make sense as an acquisition by a larger entity. As long as Critical Watch can continue to provide enhanced functionality at a price point that makes it uneconomical for companies to develop their own variants, it should remain in a strong position to pursue either path, but it will have to fight off an ever-increasing range of competitors.

Competition

Critical Watch feels that it operates in a distinct manner and therefore doesn't compete with vendors like IBM X-Force or SIEM vendors such as HP ArcSight, Q1 Labs, RSA (EMC), Symantec, LogLogic, NitroSecurity, eiqnetworks, LogRhythm, TrustWare, TriGeo, Tenable Network Security, Splunk, Tripwire, AlienVault and others, since its products complement those vendors' offerings by providing a level of analytics that is otherwise unavailable, making them more useful for complex customers who may have traditionally struggled with effective risk management. However, Critical Watch will have to continually battle actual and perceived competition from a variety of IT, enterprise and financial GRC product offerings, as well as from SIEM providers who delve into the security analytics and intelligence space, such as 21CT, Alert Logic, Click Security, LockPath, Palantir Technologies, Pervasive Software, the Packetloop platform, Red Lambda and SenSage. Several vendors are jumping on the security analytics and intelligence bandwagon, and Critical Watch will need to work to differentiate its offering from the others.

SWOT Analysis

Strengths

By linking data across the network, data, application and Web layers, Critical Watch provides a level of analytics on top of vanilla SIEM, which makes it much more useful for complex customers who may have traditionally struggled with effective security risk management.

Weaknesses

Perhaps the biggest challenge Critical Watch faces is convincing enough vendors that they can add functionality to their products and bring value to their clients for less cost and effort than it would take to develop the capability themselves. Otherwise, SIEM vendors may develop the capabilities in-house.

Opportunities

In an attempt to move up the ladder, SIEM vendors may look to acquire Critical Watch to enhance their presentation and reporting layers, replicating EMC/RSA's Archer acquisition.

Threats

There are many GRC players out there, and confusion between IT GRC, enterprise GRC and financial GRC products, as well as SIEM products and analytics providers, continues to muddy the waters. Critical Watch and other players will need to fend off encroaching competitors and educate customers accordingly.

Reproduced by permission of The 451 Group; 2011. This report was originally published within 451 Research's Market Insight Service. For additional information on 451 Research or to apply for trial access, go to: www.451research.com

Copyright 2012 - The 451 Group