Dark Reading News Desk: Anomali Talks Threat Intelligence & Info Sharing

Welcome back to Dark Reading News Desk.

This is Michael Krieger, and with me today is Hugh Njemanze, CEO of Anomali.

Hugh, so tell me, what is it that you introduced here at the show?

We introduced STAXX 2.0.

STAXX itself is a product that we launched in November as a 1.0, and so we've been very, very aggressive in putting development resources on that.

And we're launching And there are major enhancements in it.

Key among them are the fact that it enables bi-directional sharing of threat intelligence between organizations and the communities they are part of, which could be ISACs, ISAOs.

And it allows them to both receive intelligence and to contribute intelligence.

So what is the reasoning behind offering STAXX, which is a free product, as I understand, for threat intel?

So the idea is to make it more easy.

People essentially often have told us that they would like to share information.

Appropriate tools that make it essentially a low enough bar for companies to actually do it are scarce.

We've actually heard that, not just from commercial enterprises, but also from large government agencies.

And we saw a vacuum in the space for actually enabling people to easily do that.

And we thought making it free would helpfully accelerate cultural adoption of the habit of sharing threat intelligence beyond just talking about doing it.

Everybody agrees it's a good thing.

Not many people are doing it.

And we thought if we make the threshold very painless, it will hopefully encourage the kind of activity that helps everybody's security posture.

And that's good for everybody and ultimately good for us, too.

Is there a particular unmet need that this really addresses?

Yes, there is.

Anomali provides commercial tools, such as ThreatStream, that essentially bridge the gap between having the intelligence and connecting it to your SOC, your software security centers.

But from having somebody that's willing to provide you with information and having it under management downloaded to your organization and available to deploy, and that has been a gap.

So where's the innovation in STAXX?

Well, some key elements would be the fact that the product-- there have been tools that have been available before, some of them for free.

Some of them temporarily for free for two or three months and then pay.

But none of them have been enterprise-class robust.

And it seems like a simple thing, but this is the key feedback we've received that this is the first enterprise-ready tool.

That makes sense, because everything else we make is commercial, large enterprise, government agency, and costs money.

And we've built on the same core technology and IP that we have and provided a tool that's at that same level.

We're just not charging for it.

And so I would say that's one of the core differentiators.

The other is that it's explicitly conceived to not only allow people to download information, but to allow them to contribute it back.

And I think that's the part that people have commented that is hard to do.

Is there a particular pain point that this addresses?

The way I like to look at threat intelligence overall is there are many different techniques people use to detect adversaries.

One of them is to monitor activity and deduce from the activity or the behaviors what's going on.

And I guess I would say, actually, the way I think of threat intelligence is as the second most important technique.

Now, there could be a dozen other techniques, and it's hard to say which one of them is the first most important technique.

But threat intelligence is the second most important, no matter which one is the first most important.

And the reason for that is because let's say you were dealing with-- I'm making an analogy here-- airport security, and you're monitoring for people who have weapons concealed in their luggage, et cetera.

When you identify somebody like that, you pull them out of the line for further questioning.

So let's say that's a fairly effective system.

Maybe it catches 50%, 70%, 90%.

That would be great.

But if you only did that, you'd be missing a huge opportunity.

And the opportunity that you'd be missing is the opportunity of keeping track of who you pulled out of line yesterday and whether they really were carrying a weapon.

Or somebody who used a weapon somewhere else, not even at an airport.

And so threat intelligence gives you that list of people that have already been detected through any method.

So it doesn't matter which of the 12 other methods are effective.

What matters is actually being able to leverage that information in the future so that if somebody's going through security without a gun but they're a known bad guy, we can pull them out of the line.

And threat intelligence allows us to do that on a network.

So let me ask, how does this compare against other products in this category?

Or is there anything like this out there now?

There is no other company that covers the scope that we cover with our three core products, which is ThreatStream, Anomali Enterprise-- which we're also launching a major update today, 2.0.

We launched the first version at the last RSA-- and ThreatStream.

We've had double- and triple-digit downloads daily since we launched.

We have over 1,000 installs now.

And for us, that's a scale that when you're dealing with enterprise, you're thinking maybe-- well, we're glad that we have almost 200 subscribing customers.

But 1,000 new users in two months, that's new territory for us.

Absolutely.

So you commissioned a study with Ponemon Institute on the state of threat intelligence and found that 70%, roughly, of security professionals say it's extremely important, but another 70% say that they're not handling it very well.

How do you reconcile that?

I think it's fairly easy to reconcile.

And as with many things in the security landscape-- and also in health.

People know exercise is good.

They don't all do it.

I fall into that category.

And I think what's happening is the appreciation and understanding of the benefits of threat intelligence are outpacing the execution.

For us, that's been a good thing.

Because it used to be we were evangelizing what is threat intelligence, so why does it matter.

And at this point, we've gone from evangelizing to having inbound inquiries.

And people come to us knowing what they want.

And they want to know who has the best solution to meet their needs, which means the conversation starts out already further down the field than when we were trying to explain why we were even talking to them.

So let me ask you.

You were the founder of ArcSight, which created the whole security incident event management world.

How does this compare to the SIEM market?

They're very complementary, actually.

So SIEMs are focused on capturing activity information, typically by collecting logs from all the different devices on your network, and they analyze that to figure out what are people doing.

So if we go back to my airport analogy, then SIEMs are like the scanners and the people that are looking at the x-rays of your luggage and so forth.

And what we're doing is providing that no-fly list so that the guy who's operating the scanners also has something else to watch out for and can be much more effective.

Our sweet spot is we sell into organizations that are large enough to have SIEMs and teams operating them, and we augment the effectiveness of those tools.

We're also starting to see organizations that are building defenses alongside of their SIEM.

In other words, not connecting the tools together, but they have a team who is a dedicated threat practice.

And so we're getting great traction there also.

Thank you so much, Hugh Njamenze, CEO of Anomali.

It's a pleasure.

Thank you for joining us.