Enterprises have long invested in technologies designed to detect attacks in production environments in the form of intrusion detection or prevention devices.
But those devices are failing.
Attacks, especially those leveraging zero-days or novel tactics, often go unnoticed for a long time while critical data and operations are compromised or disrupted. We have had many such examples of late.
Part of the problem is that security devices generate a large volume of alerts and events. This can range from hundreds to sometimes tens of thousands of events per day. When an analyst is presented with the raw events, she may need to search for additional evidence (e.g., pulling additional logs from endpoints), filter events by specific users (e.g., looking up Active Directory), compare information with threat feeds, and stitch together network and endpoint events. These are tasks that involve an extensive amount of manual work today. Taken together with the number of alerts, timely detection becomes an insurmountable challenge.
Capsule8 was founded on a simple premise — Having analysts process raw alerts and logs is the wrong approach to attack detection and response.
Instead, Capsule8’s big idea is rooted in the concept of detection engineering — attack analysis and detection is treated as an engineering problem rather than an ad hoc human exhaustion exercise.
But what does that mean really? Alex Maestretti’s wonderful post on this topic laid out four principal areas for detection engineering:
- Data sources: Only collect data that is relevant and meaningful — those that are justified by “a quantitative reduction in risk to the organization.” Capsule8 engineered layers that perform “fast data” detection — only collect and act upon data that is relevant, rather than the traditional “big data” treatment to the detection problem.
- Event pipeline: Instead of trying to normalize disparate data sources, create reusable templates, modules for each data source and scalable plumbing. To that end, Capsule8 has created one of the most innovative distributed data collection and telemetry processing infrastructure to support automated workflows and internet-scale computing.
- Correlation Engine: This is a critical piece of detection engineering — every possible automation and correlation should be fired before a human is brought to the loop (if at all). If a human is engaged, he or she should only get information with the “right context” and “right set of options.” This is the only way to scale up detection and also the only way to hopefully engage non-security personnel in security operations tasks — think developers fix security flaws on the spot when given the right information and tools. Capsule8’s team spent a tremendous amount of effort in developing creative signal processing and stochastic methods, precisely aimed to produce high quality and high-signal insight that is meaningful to analysts and developers. This makes real-time, automated analysis and response possible.
- Response orchestration. To the extent possible, response actions should be automated via orchestration mechanisms. The actions should be documented and tracked consistently to measure response efficacy. Recently, a slew of SOC orchestration plays has emerged on the market. It remains to be seen whether Capsule8’s role is to integrate with these mechanisms or perhaps its innovative treatment to security detection may change the nature of security orchestration altogether.
I would add one more to Alex’s four areas of detection engineering:
- Intelligent investigation: Capsule8’s brilliant use of distributed computing allows it to store forensics data with very little storage and operational overhead. With that, you can perform just-in-time detection as well as historical investigations with high-quality forensics data.
Detection engineering has been practiced at companies like Netflix, Lyft, Square and a few others. The benefit of such an approach is immediate: Capsule8’s customers are able to detect and disrupt exploits and attacks as they are happening, in real time.
Lyft, the San Francisco-based ride-sharing company, is a Capsule8 customer. James Addison, Security lead at Lyft, said: “Capsule8’s architecture and detection capabilities are impressive… “ and it “aligns perfectly with the need for a low-overhead, real-time alerting solution which evolves as attackers do.”
Capsule8 is also a perfect example of a solution that is architected to fit both the modern orchestrated as well as legacy environments. Even though the adoption of cloud-native technology like microservices and containers is growing fast, much of the world is still operating with traditional Virtual Machines. Supporting detection engineering on a variety of platforms, including VMs, containers, bare metal, and serverless, is important to many security organizations. When CISOs tell me they have hundreds of container engines but tens of thousands of VMs, I know that Capsule8 is targeting the right problem environment.
I started working with the Capsule8 founders almost a year ago. But my relationship with founder/CEO John Viega went all the way back to when we were both Computer Science students at the University of Virginia. John was one of those students who were always playing with the latest scripting tools and languages, ahead of anyone else in the class. Years later when we reconnected, John was a CTO at McAfee. I remember Dave Marcus told me that “Viega was one of the best security minds that I know.” I am glad that our common interests in security and cloud-native technologies brought us together. When Rain was formed, we became an investor in the company.
Since then, Capsule8 has assembled an elite, dedicated team of security researchers with expertise in reverse engineering and exploitation. They recruited top talent from Google, Apple, Square, FireEye, and McAfee. Research and content produced by this team directly feed the Capsule8 product. Those of us in the security field know how difficult it is to find anyone who truly understands exploits, let alone a team of them.
Today, security detection and response is one of the fastest-growing segments in the security market, topping 30% of year-over-year growth, according to Gartner. The potential for value creation in this market is tremendous, given the rapid increase in demand.
Capsule8’s potential is immense, but even more impressive is its singular focus on delivering results for customers. Early adopter customers are seeing KPIs outperformed with regular repeatability; new and exciting use cases are emerging on a daily basis.
Above all this, however, I am most excited about what Capsule8 can do for organizations below the “security poverty line.” Few security products serve that market, yet those organizations also have critical data and applications — think a law firm or a boutique investment bank handling high-value mergers and acquisitions.
Detection engineering, while helping security operations minimize the need for human power, can ultimately eliminate the requirement for a traditional Security Operations Center (SOC). The biggest winners in this are going to be those with scarce IT resources. Changing the security proficiency of these organizations without throwing humans at the problem will have a tremendous social and economic impact down the line. We are glad that Capsule8 is the company that is at the front line of this change.
Originally published at https://www.raincapital.vc on August 2, 2018.