Here are five companies that cybersecurity professionals should consider in their quest to keep their organizations secure.

Credit: Michael Kan

The madness known as the RSA Security Conference took place last week in San Francisco. The event featured somewhere in the neighborhood of 1,000 vendors and over 40,000 users, making it by far the largest security conference. I put myself in the shoes of the security professionals who were attending to seek out new solution providers that can help them protect their businesses better.

The challenge for today’s CISOs and other decision makers is that there are far too many small vendors for you to stop by each booth and get a good idea of what they do and how they can help. I met with as many as I could, and based on my conversations, here are the five companies that security professionals probably don’t know but are worth looking at.

A couple of notes: These are in alphabetical order so as to avoid any kind of ranking. They’re different enough that it would be hard for me to say one is better than the other. Also, I understand the show was filled with lots of small vendors that might claim to have a similar or even better solution. If that’s the case, I either didn’t meet with them or they didn’t leave me with that opinion.

5 cybersecurity organizations fighting the good fight

Balbix

Balbix calls itself a “predictive breach risk platform.” Its BreachControl product continually collects information from smart sensors that are deployed at strategic points to monitor networks, devices, and applications. These are quick to deploy and come in physical or virtual form factors. Balbix applies machine learning to the information and displays the results in a Risk Dashboard where the assets are colored red, yellow, or green. The security team can use this information to prioritize which asset is the most critical and then drill down on why it’s showing the color it is and take steps to correct the issue.
Security professionals are often overwhelmed by the enormity of protecting the organization, and Balbix provides a way to prioritize what’s critical and what’s not.

Corelight

Corelight uses network information to help security professionals find incidents faster. The company’s sensors plug into network packet brokers, gather data, and analyze the data in its Bro network security monitor. When alerts are triggered in a SIEM, the typical response is to look through massive amounts of PCAP files or NetFlow records. Bro provides an alternative by providing rich information, including logs for things such as capture loss, dhcp, dns, files, ftp, ssl and dozens more.

Corelight complements signature-based tools and is ideal for use cases such as filtering out false positives, generation and aggregation of indications of compromise, and visibility into rogue application deployments. One of the most interesting things about Bro is that the company has made it available through an open-source option and built a community that has developed a number of use cases for it.

Cyber Threat Alliance

As the name suggests, the Cyber Threat Alliance (CTA) isn’t a single company. Rather, it’s an agreement between a group of security vendors to share security intelligence. It’s very common for threat actors to share scripts, data, and other information to wreak havoc on their targets faster. The idea behind the alliance is to fight fire with fire by sharing information between the good guys.

In 2015, Fortinet, McAfee, Palo Alto Networks, Cisco, Check Point, and Symantec founded the alliance. Since then the following vendors have joined: IntSights, Juniper Networks, NTT Security, Rapid7, RSA, Saint Security, SK Infosec, Sophos, Radware, ReversingLabs, and Telefonica’s ElevenPaths.

It’s good to see almost all of the big-name security vendors joining the CTA to show it has some teeth to it.
The work the CTA is doing is extremely important and provides each of its members a much greater set of data to work with. I urge security decision makers to make CTA membership part of their RFP process in hopes that other vendors join the alliance.

Pluribus Networks

Pluribus is best known as a software-defined networking (SDN) vendor, but its solution can be used to secure company networks, as well. In fact, many businesses are trying to bridge the gap between security and networking, and Pluribus can be the bridge that brings them together. Through the use of its virtual probes and network programmability, a secure overlay can be created for the security team to use without disrupting the physical underlay.

Pluribus can be used to establish a set of rules to automate a number of processes that would take action on anomalous traffic. The following is an example:

- Establish baseline at various dates and times
- Detect deviations from the baseline using ongoing analytics
- Invoke native rules or automate the passing of the traffic to intrusion detection systems for further analysis
- Automatically block traffic using network segmentation

Pluribus is an excellent example of why SDNs matter beyond saving money on hardware. By decoupling the control and data planes, traffic can be analyzed and action taken automatically. Network managers can obviously use this to speed up configuration changes, and security professionals can leverage it for faster identification and remediation of threats.

Varonis

Varonis is a data security platform that helps secure files and email servers from insider attacks and cyber threats. The company analyzes the behavior of users and machines that access data, alerts on things that are not normal, and enforces a least privilege model. Data security isn’t the most exciting topic, but it’s the source of most data breaches.
Setting permissions for file and directory access is impossible to do manually, and Varonis automates this to ensure there are no gaps to protect a company’s most important asset — the data.

The implementation of Varonis starts with an analysis of who touches every file or email to understand the baseline and establish a least privilege environment. This means users only have access to the files they need instead of everything, which is quite common. Then, if a user tries to do something they shouldn’t, such as access the accounting server, the action is denied and flagged.

Attacks from the inside are far more common than those through the perimeter, and Varonis ensures that the impact of these types of breaches is minimized by preventing users from accessing things they should not.

Note: Of the vendors mentioned above, Cisco, Fortinet, Palo Alto Networks, and Juniper are clients of ZK Research.