14 top providers for data security systems
Kenna Security, Arcadia Data, Symantec and Awake Security are among the leading providers of AI and ML software for vulnerability management, security monitoring, endpoint and network security, according to Aite Group.
About these vendors
Global research and consulting firm Aite Group has released a new study on “The Titans of AI and the ML Arms Race in Cybersecurity.” Authored by Aite analyst Alissa Knight, the report looks at 14 leading vendors that are using artificial intelligence and machine learning algorithms in their data security products. The vendors are divided into four groups.
Vulnerability management vendors
“This section introduces Kenna Security, which is applying ML models to vulnerability data to make vulnerability scanning and penetration test reports more actionable by helping customers prioritize their remediation efforts according to the predictability of a vulnerability being weaponized,” the report says.
“Delivered as a SaaS model, the product integrates with customer vulnerability scanners through built-in native connectors,” the report says. “The product combines scan data with what’s in the customer’s configuration management database and asset management system with threat/exploit intelligence and makes predictions determining the most likely attack vector that needs remediation and the key assets those kill chains lead to.”
Security monitoring vendors
In this section the report reviews two vendors that “uniquely apply ML models to network monitoring and host telemetry in order to reduce the noise that security analysts have to sift through to find the signal in SOC monitoring environments.”
Arcadia Data and Apache Spot
“Arcadia Data is a single window into large data lakes that leverages the ML models within Apache Spot to find the relevant threat data,” the report says. “Arcadia Data features search-based business intelligence, which contains a natural language query parser so users can ask it questions such as ‘which IP is the most traffic coming from’—very much like Google for queries on large data sets.”
“NLighten is a revolutionary new approach to cybersecurity that leverages multiple ML models and AI to deliver a unique, fully managed platform that provides full life cycle incident detection service,” the report says. “Cybraics detects unknown, advanced, and insider threats that legacy signature-based detection systems miss, and it is delivered as a fully managed service.”
Endpoint security vendors
“Due to a lack of participation by the other endpoint vendors, only two vendors are profiled in this section,” the report says. “However, we describe in sufficient fidelity what decision-makers should expect from endpoint ML solutions in respect to platform support, architecture, and detection and response capabilities.”
“S1 performs detection in three separate stages: before execution (static AI), during execution (behavioral AI), and post-execution,” the report explains. “In the before-execution phase, S1 uses Random Forest models to analyze weaponized documents, malicious images, and executables, extracting features from the files to return one of three verdicts: benign, suspicious, or malicious.”
“Symantec’s endpoint security product suite includes SEP, its original flagship anti-virus product, and Symantec Endpoint Detection and Response (EDR),” the report explains. “SEP is deployed across workstations and servers as well as cloud assets. SEP agents maintain connectivity to the central SEP Manager, which is where policy, configuration, and administration are performed.”
Network security vendors
For the network security control category, the report reviews nine separate ML-powered solutions. “None of these solutions relies on signature-based legacy IDS alone. ML solutions in this category continuously look at traffic patterns and user behavior and create alerts on the descriptive features they see in the traffic. Because of the differences in how these vendors apply ML, these solutions are evaluated differently from the vulnerability management, endpoint, and monitoring ML-powered solutions later in this report.”
“The product can be delivered as ‘product-as-a-service’ whereby Awake’s team can perform threat hunting and monitoring as a managed service,” the report says. “Awake Maintenance Cloud automatically monitors hardware and software health and performs maintenance across systems. Awake Neurons can be deployed as a physical or virtual appliance. The Awake Cortex is deployed as a physical appliance or in a private cloud.”
“Cequence only focuses on the threat from bots using 20 supervised models and two unsupervised models, applying Bayes’ theorem for analysis of various probabilities of misclassification,” the report says. “The product was developed to address many different types of automated bot attacks, including account takeover, in which tools use credential stuffing to hijack logins into web applications, and the creation of fake accounts.”
“StealthWatch is a network threat detection system that uses an analytics pipeline, including rules, statistical methods, and supervised and unsupervised learning to analyze network telemetry information to identify malicious behavior on the network,” the report says. “StealthWatch can be deployed as a physical or virtual appliance, or as a SaaS model.”
“Darktrace is a network-based ML solution that is designed as a client-server model,” the report says. “It performs detection using multiple layers: more than 60 competing algorithms at one layer and a smart-thresholding Bayesian layer above those, which determines the algorithm to listen to at any given moment.”
“ExtraHop uses all unsupervised models and does not augment detection with IDS signatures,” the report explains. “ExtraHop does support custom triggers that can serve as signatures and also provides rules that detect specific attack behaviors and activities, which augment the ML to identify known threats.”
“KineticFuse uses a combination of IDS signatures and neural network models,” the report says. “The company places a 1U hardware sensor or a VM (ThreatWarrior) on the network, hanging it off a SPAN port or TAP. The sensor captures the packets, performs checks against its database of signature feeds, such as Emerging Threats, and runs anything that doesn’t match against one unsupervised model.”
“Shape Security sits in front of a web app or API, interdicting all ingress traffic from web browsers or mobile apps to determine if traffic is originating from a human or automated tool or process, passing only legitimate traffic on to the destination server,” the report says. “Shape Security effectively proxies all ingress traffic, separating the good traffic from the bad.”
“The company’s flagship product, Cognito, uses zero signatures/patterns to perform detection, instead leveraging a combination of both supervised and unsupervised models looking specifically for reconnaissance, lateral movement, and data exfiltration activities in the phases of the MITRE ATT&CK model,” the report says.