February 29, 2016 - Hugh Njemanze

Welcome to Anomali!

<p>By now we hope you’ve heard that we’ve changed our name from ThreatStream to <strong><a href="http://www.anomali.com">Anomali</a></strong>. I’d like to offer a few words on why we made the change and why it's important. Simply put, we are exploring and solving new problems. In 2013 we saw that there was a problem with managing the growing amount of threat data. Open source data, proprietary data from commercial threat intelligence providers, data generated by the ISACs, and data from academic and governmental institutions have contributed to an explosion of threat data. This led us to create the market-leading threat intelligence platform known as ThreatStream. As of this month, we’ve collected and curated nearly 100 million indicators of compromise (IOCs) from this variety of data sources, and we list almost 30 million IOCs as “active” in our systems. Active means that they are seen in the wild as still in use. When we went back and measured the IOC growth rates over the last eighteen months, we were astonished by the exponential growth. We expect this trend to continue. Threat intelligence data is the new big data challenge for security.</p>

<p>The increasing data volumes have made this data more valued by threat analysts and less by SOC and incident response personnel. While more data means more exploration and potential insight, handing the operations team tens of millions of anything and asking them to do something operational with it in real time is a non-starter. Security operations needs to know which specific IOCs it should be concerned about at any given moment. To do this, threat intelligence platform vendors built integrations with the SIEM. When the modern SIEM was first deployed, nobody imagined that in addition to processing and correlating over a billion events per day from security and network logs (in a typical large enterprise network), it would also have to match every single one of those events against tens of millions of IOCs. The SIEM has plenty of work to do with just the first part of that sentence (correlating events), even without being completely blindsided by the second part (matching IOCs), which is what has happened over the last three years.</p>

<p>We assert that threat intelligence platforms of the future must:</p>
<ul>
<li>Be able to provide IOCs that are actionable, relevant and specific to your organization. This means proactively reducing the stew of IOCs down to those that the SIEM, other security tools and your security team need to respond to at a given point in time, rather than dumping the entire intelligence feed into tools that weren’t designed for that and hoping they don’t choke.</li>
<li>Be able to continuously perform retrospective analysis over at least a year's worth of forensic data, matching newly classified threat intelligence IOCs against activity seen on your network well beyond a 200+ day potential adversary dwell time.</li>
<li>Be the hub of an intelligence-driven security operations center (Gartner calls this the ISOC).</li>
</ul>

<p>Anomali’s two new products, Harmony Breach Analytics and Anomali Reports, announced today, do exactly that. We will examine your logs, compare them to our vast threat intelligence IOC library, and tell you (and your existing tools) in real time if we suspect a data breach. The existing tools can then use this information to drive the detection and response workflows already in place at your organization, minus the back-breaking work they are currently saddled with of also analyzing millions of unrelated IOCs.</p>

<p>As we looked at some of the largest data breaches, we noticed that many had their start in a small or medium business that had a supplier or services relationship with the larger organization. Many of these smaller companies didn’t have a security staff and likely couldn’t have afforded threat intelligence data or a SIEM. These smaller organizations may hold customer lists or intellectual property that are prized by adversaries, or they can serve as an attacker's stepping stone to larger organizations. For these organizations we offer a SaaS-based data breach detection service called Anomali Reports. The customer simply signs up for the low-cost service with a credit card. The service reviews the customer’s data in the Anomali cloud and produces a report containing IOC matches. The service features end-to-end encryption.</p>

<p>We have renamed our company from ThreatStream to Anomali because threat streaming now represents just ONE of the ways in which we make threat intelligence practical for protecting our customers' networks. Our new name, Anomali, reflects our ongoing mission to help our customers detect and address anomalous or undesirable behavior on their networks.</p>
