ESG's Jon Oltsik talks with CEO Hugh Njemanze of Anomali about SOAPA, and Anomali's related capabilities. This is Part 1
Jon: Welcome to a remote version of our SOAPA video series. And you can tell we're remote because I'm working from home, and you can see my cat, Jezebel, back there. So I'm here with Hugh Njemanze, the CEO of Anomali. Welcome, Hugh.
Hugh: Thank you.
Jon: SOAPA is all about addressing the complexity of security operations technologies, but we just recently did some research, and 63% of the security professionals we surveyed said that security operations is more difficult today than it was two years ago. Is that consistent with what you're seeing? And if so, why is it so complex?
Hugh: It is pretty consistent with what we're seeing. And I think it's not so much that the complexity is rising, specifically recently, it's more that people's understanding of the breadth of tools that are required is evolving. And so I think organizations are discovering gaps in their coverage in terms of practices.
Jon: Two of the top challenges we saw were that there was alert fatigue and that security operations teams couldn't keep up with all of the emerging threats. So, how does Anomali deal with those kinds of things?
Hugh: The first challenge is the sheer volume of threat intel that is being made available and that people are acquiring has grown to be, essentially, a very big data problem. It can't really be solved by just filtering out the majority of the feeds that you have, because that defeats the purpose of acquiring varied and interesting feeds in the first place.
What you really want is to feed the interesting matches into your SIEMs rather than have the SIEM try to ingest a multimillion-item evolving threat indicator database. So we provide tools, essentially, to both use machine learning to reduce the number of false positives and also to do actual matching on the threat intel and then hand hits to the downstream tools.
Jon: Okay. And here's another thing everyone says to me is we have to do a better job at operationalizing threat intelligence. Can you explain what that means and how you do it?
Hugh: Yes. So it's not enough to just subscribe to a source of intelligence that needs to actually get deployed in real-time into tools that can leverage it and take advantage of it. Those tools should also be programmed with, essentially, scripts that can make use of the intel and trigger the right alerts when the right matches happen.
So essentially, it goes all the way from having a good program for ingesting and getting the intel to the right place to also responding once you do have the hits. That sort of turnaround between when sightings first happen and when they have been handled or removed from the flow is a very good indicator of how well somebody has operationalized their intel program.
Jon: When you think of threat intelligence analysis, you think of experienced skill sets, people who have come from the intelligence agencies, for example. Is that true with Anomali, or can, you know, someone with a more pedestrian background or not as much experience get benefit out of Anomali?
Hugh: You kind of have to know who the players are. You have to know how they've evolved. So obviously, if you have 10 years of experience doing this, you're going to have a large vocabulary, you're going to have context for everything you see in the news. So that can be daunting for someone, even if they're very smart, that, you know, only has a couple of years of experience in the field. One thing that Anomali has done that is very specifically targeted at this: seven months ago we released a tool called Anomali Lens.
Anomali Lens will read the same documents you're reading so that if you're looking at a threat bulletin, a threat intel bulletin, any kind of research online, something that you would see on a website or even in the interface of one of the commercial security tools, it basically will extract information from the document simultaneously while you're reading it.
It could be a 100-page document, so this is not a screen scraper. And it summarizes, "Here's all the malicious actors that have been referenced. Here's other synonyms for them. Here's their theaters of operation. Here's who they tend to target," and also, do your own defenses know about this specific threat? So in other words, if you're subscribing to five different intel feeds, how many of them are aware of this specific threat?
So this is a very powerful tool for experienced people because it lets them do in minutes what they would have to do by clicking on maybe 100 URLs and doing Google searches on them, but it also lets a new person essentially cut straight to the chase, get sort of the Wikipedia info of everything they're looking at, and then switch their attention to how are we going to deal with this.
Jon: This is great stuff, Hugh. Can you hang around for part two?
Hugh: Absolutely. My pleasure.
Jon: All right. We'll be back with part two of our SOAPA video series, with Hugh, from Anomali.