Anomali's CEO explains his company's new products, new focus and new name, and why streaming threats isn't enough anymore.
Hugh Njemanze joined security vendor ThreatStream in July 2014 with the goal of helping reinvent the market for security information and event management, or SIEM, that he helped create with ArcSight.
Njemanze was a co-founder and former CEO of ArcSight, which HP acquired for $1.5 billion in 2010. The executive is now renaming, reinventing and rebranding ThreatStream as Anomali in a move to further match the evolving needs of the enterprise security market.
"SIEMs are designed to capture high volumes of activity, up to a billion or more events per day," Njemanze said. "The challenge is having the ability to not only process all those events, but to then compare them to over 70 million indicators of compromise."
ThreatStream's initial approach when it entered the market was technology that provided filtering and customization options, so that organizations could examine a subset of indicators of compromise, or IOCs, Njemanze explained. As such, the original ThreatStream product, called Optic, only provided visibility into a subset of all available IOCs.
"So it was possible and even likely that an organization could have missed something they might have wanted to respond to," Njemanze said. "The real challenge is making sure you're looking at all the right IOCs without choking systems that weren't designed to be IOC processors."
ThreatStream is now rebranding itself as Anomali, bringing not just a new name, but new products and a new approach to handling the information security deluge. The new Anomali Reports product is a software-as-a-service (SaaS) platform in which customers upload their logs, and Anomali does the matching against all the threat intelligence for IOCs that the company has available. The enterprise then gets insight and reports into potential security risks and incidents in their environment.
With Anomali Reports, Njemanze's hope is that the service will have broader appeal than the ThreatStream Optic product, which is focused on Fortune 1000 organizations that have a security operations center in place. Njemanze explained that the Anomali Reports product is aimed at organizations that don't want to build a full security operations center and just want to upload their logs and get an answer about risk.
Anomali also has a new product aimed at larger organizations, called Harmony Breach Analytics.
"Harmony Breach Analytics is a product that an organization can deploy next to a SIEM that offloads the problem of matching IOC to events," Njemanze explained. "Harmony then returns to the SIEM the correct subset of IOCs [needed to] do incident response."
The Harmony Breach Analytics product is available for on-premises deployment or in a cloud-based software-as-a-service (SaaS) model. Overall, the key emphasis with the new Anomali products is to help organizations reduce the time it takes to detect a possible breach.
The ThreatStream name did a good job of explaining what the first-generation product was able to do, Njemanze said. That is, it has the ability to stream threat intelligence directly into SIEMs. However, Anomali's two new threat intelligence products work with SIEM data going into the threat intelligence engine.
"I thought we should come up with a name that more accurately describes what we do," Njemanze said. "So I thought Anomali is a good way to understand what a customer wants to do, which is to find anomalies in their organization and deal with them."
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.