Startup Profile: Seculert Prioritizes Response Over Prevention

The cloud security newcomer Seculert aims to identify and validate data breaches to enable faster response and remediation.

Andrew Conry Murray, Director of Content & Community, Interop

December 22, 2014


Seculert's security service starts with the assumption that attackers have infiltrated your organization.

Rather than join the legion of products and services that seek to prevent intrusions, Seculert aims to detect and verify quickly that attackers inside your network are sending outbound communications. Organizations can then plug the holes and, presumably, limit damages.

The company's existence is a telling, and perhaps distressing, indictment of the state of enterprise security.

Seculert is a cloud service hosted on Amazon Web Services, including S3 for storage. The service works by understanding how malware communicates with command-and-control systems and exfiltrates data.

Seculert collects threat intelligence from across the Internet, and it executes thousands of malware samples in sandboxes to see how the malware behaves and to identify the methods it uses to communicate.

Seculert claims it has more than 20 million profiles of unique threats.

Seculert combines this intelligence with customer log data to look for evidence that malware is actually present on the corporate network and sending communications.


Customers send their outbound HTTP logs from firewalls and security proxies such as Blue Coat and Websense to Seculert for analysis.

CEO Dudi Matot says the company plans to add other protocols, but at present Seculert only analyzes HTTP logs.

Malware validation
Rather than flood customers with alerts and warnings, Matot says, the company aims to provide validated results. It combines automation and human analysis to determine if indications of malicious activity rise to the level of a live and active threat.

When potentially malicious activity reaches a certain threshold, the customer is alerted.

"Priority 1 is what we call malware that's on the network and exfiltrating data," Matot says. "The customer must take action. We call that 100% validated."

Seculert's alerts are limited to the information it gets from the HTTP logs. This information includes source and destination IP addresses, device type, time and date, the amount of data being sent, and other details.
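The correlation described above (known C2 destinations from sandboxed malware matched against customer proxy logs, with alerts raised only once activity crosses a threshold) can be illustrated in a few dozen lines. The following is an added example, not Seculert's code: the pipe-delimited log format, the indicator values, the byte and hit thresholds, and the P1/P2 labels are all assumptions made for the demonstration, and the log lines and C2 hosts are constructed with documentation-reserved names and addresses.

```python
# Added, illustrative example: correlate outbound proxy logs with C2 intelligence.
# This is not Seculert's code. Log format, indicator values and thresholds are
# assumptions made for the demonstration.
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed intelligence: hosts a sandboxed sample contacted as C2 (hypothetical,
# documentation-reserved names/addresses, not real indicators).
C2_HOSTS = {"update-check.example.net", "198.51.100.23"}

# Assumed thresholds: a client that pushes this many bytes to a C2 host in the
# log window is treated as exfiltrating; repeated contacts are treated as beaconing.
EXFIL_BYTES_THRESHOLD = 1_000_000
BEACON_MIN_HITS = 3

# Constructed, simplified proxy log (pipe-delimited; real Blue Coat/Websense
# formats differ): timestamp|client_ip|device_type|method|url|bytes_sent_by_client
SAMPLE_LOG = """\
2014-12-20T09:00:01Z|10.1.2.15|workstation|GET|http://www.example.com/index.html|412
2014-12-20T09:00:05Z|10.1.2.15|workstation|POST|http://update-check.example.net/gate.php|640
2014-12-20T09:05:05Z|10.1.2.15|workstation|POST|http://update-check.example.net/gate.php|655
2014-12-20T09:10:05Z|10.1.2.15|workstation|POST|http://update-check.example.net/gate.php|648
2014-12-20T09:12:33Z|10.1.2.40|server|POST|http://198.51.100.23/panel/upload|1048576
2014-12-20T09:12:40Z|10.1.2.40|server|POST|http://198.51.100.23/panel/upload|1048576
2014-12-20T09:15:00Z|10.1.2.77|workstation|GET|http://update-check.example.net/favicon.ico|120
2014-12-20T09:16:00Z|10.1.2.77|workstation|GET|http://www.example.org/news|300
"""


@dataclass
class Alert:
    priority: str      # "P1" = C2 contact plus exfiltration volume, "P2" = repeated beaconing
    client_ip: str
    device_type: str
    c2_host: str
    hits: int
    bytes_out: int
    first_seen: str
    last_seen: str


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, client_ip, device_type, method, url, nbytes = line.strip().split("|")
    return {"ts": ts, "client_ip": client_ip, "device_type": device_type,
            "method": method, "url": url, "bytes_out": int(nbytes)}


def correlate(log_text, c2_hosts=C2_HOSTS, exfil_threshold=EXFIL_BYTES_THRESHOLD,
              beacon_min_hits=BEACON_MIN_HITS):
    """Return validated alerts, one per (client, C2 host), highest priority first."""
    agg = {}
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        host = urlsplit(rec["url"]).hostname   # destination host, lower-cased
        if host not in c2_hosts:
            continue                            # benign destination: no indicator match
        key = (rec["client_ip"], host)
        a = agg.setdefault(key, {"device_type": rec["device_type"], "hits": 0,
                                 "bytes_out": 0, "first": rec["ts"], "last": rec["ts"]})
        a["hits"] += 1
        a["bytes_out"] += rec["bytes_out"]
        a["first"] = min(a["first"], rec["ts"])   # ISO-8601 strings sort chronologically
        a["last"] = max(a["last"], rec["ts"])

    alerts = []
    for (client_ip, host), a in agg.items():
        if a["bytes_out"] >= exfil_threshold:
            priority = "P1"
        elif a["hits"] >= beacon_min_hits:
            priority = "P2"
        else:
            continue   # a single contact is held for further observation, not raised
        alerts.append(Alert(priority, client_ip, a["device_type"], host, a["hits"],
                            a["bytes_out"], a["first"], a["last"]))
    return sorted(alerts, key=lambda x: (x.priority, x.client_ip))


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, this yields a P1 alert for 10.1.2.40 (two multi-megabyte POSTs to a known C2 address) and a P2 alert for 10.1.2.15 (three periodic small POSTs to a C2 host), while 10.1.2.77's single request is held rather than raised; that suppression, not the matching itself, is what keeps the output from becoming the alert flood the article attributes to SIEM-style tools. Note that the same code also shows the blind spot discussed later: a proxy log records only what passes through the proxy, so HTTPS appears at best as a CONNECT host and port, and DNS tunnelling or raw TCP never appears at all.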

There are a variety of security and operational products that analyze logs and other data sources to identify malicious activity. These include security information and event management (SIEM) products and network behavioral anomaly detectors. The knock against these systems is that they can overwhelm operators with information, and they sometimes require significant effort to investigate warnings.

Another class of products, data leak prevention (DLP) systems, is designed specifically to spot exfiltration of sensitive data. On the downside, rule sets and fingerprint databases must be consistently maintained and updated, and DLP systems can create false positives by flagging legitimate information sharing.

Seculert differentiates itself from all these products by correlating known malware behavior and communication techniques with actual customer traffic to identify suspicious activity, potentially providing a high degree of certainty that a response is required.

However, because it ingests only HTTP logs, it is blind to command-and-control or exfiltration over other channels, such as DNS or raw TCP, and to any traffic that bypasses the logging proxy. And the company must stay abreast of new malware and changing communication paths to keep its intelligence relevant.

Product: Seculert

Principals: Dudi Matot, co-founder and CEO; Aviv Raff, co-founder and CTO; Alex Milstein, co-founder and COO

DNA: Matot spent 10 years at Check Point Software Technologies. Raff helped establish the FraudAction Research Lab at RSA and was a senior security researcher at Finjan.

Founded: 2010

Funding: $15.9 million

Investors: YL Ventures, Norwest Venture Partners, Sequoia Capital

Headquarters: Petach Tikva, Israel; Santa Clara, Calif.

Early Customers: Undisclosed

Competition: SIEM and network behavioral anomaly products, data leak prevention systems

Pricing: Annual subscription that ranges from $50,000 to $500,000


About the Author(s)

Andrew Conry Murray

Director of Content & Community, Interop

Drew is formerly editor of Network Computing and currently director of content and community for Interop.

