Respond Software emerged from stealth on Aug. 16 to introduce general availability of its Respond Analyst platform along with $12 million in Series A funding. The promise of the Respond Analyst platform is to help solve the IT security staffing challenge with technology that can identify and escalate potential security threat alerts.
Respond Software is led by co-founder and CEO Mike Armistead, who co-founded security software vendor Fortify in 2003 and sold it to Hewlett Packard in 2010. Armistead worked at HP and Hewlett Packard Enterprise helping to lead the company’s Fortify and ArcSight security efforts until 2016, before moving on to start Respond Software.
“Working on ArcSight gave me a lot of experience working with Security Operation Centers (SOCs),” Armistead told eWEEK. “Looking at what the real issues and pain points were for customers, so much of it was the big shortage of people that is impacting almost every security organization.”
For Armistead and his co-founders, the impetus to create Respond Software was the realization that it is possible to build a technology platform and a business that can help solve the challenge of IT security staffing. The Respond Analyst platform that Armistead’s company has built aims to help solve the staffing shortage by automating analysis tasks that might otherwise require humans.
“There is a shortage of people because of the demands that the high-volume of data is placing on organizations,” Armistead said.
The Respond Analyst platform is able to look at data sources used in a SOC and make a determination about risk and impact. Based on the analysis, a given event or series of events can be escalated and prioritized for a human security analyst to investigate further. Though the Respond Analyst can work together with a SIEM (Security Information and Event Management) platform like HPE ArcSight or IBM QRadar, Armistead said that a SIEM is not a requirement.
“We don’t need a SIEM and for most of the engagements we’ve had so far we have gathered data directly from the organization’s existing repositories including Hadoop and Splunk,” Armistead said.
Armistead explained that the Respond Analyst platform aims to emulate the decision-making process that a security analyst would go through when sifting through data looking for incidents and items that should be reviewed. The technology that Respond Software uses isn’t what Armistead thinks of as being traditional machine learning with artificial intelligence capability. He said that Respond Software is more aligned with the computer science idea known as an Expert System.
“An Expert System uses mathematical models to embed expertise from day one into a process,” Armistead said. “So we’re not learning about how to structure analysis. We have already taught our model about how to reason through the problem set.”
He added that as additional empirical evidence is acquired, a feedback loop adjusts the probability model built into the expert system, enabling the overall model to be fine-tuned. Armistead explained that the Respond Analyst platform’s decision engine makes use of an Expert System technique known as a Bayesian belief network, which is a mathematical model for understanding relationships between variables.
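To make the description above concrete, here is an added toy example (not Respond Software’s code, and not its actual model): a minimal Bayesian belief network with a single “incident” root node and three constructed evidence nodes, in which conditional probabilities are stored as pseudo-counts so that an analyst’s verdict can feed back into the model. The evidence names, counts, prior and threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed evidence variables: boolean observations on a SOC event, modelled as
# conditionally independent given the root "incident" node (a naive belief network).
EVIDENCE = ("high_severity_signature", "bad_reputation_destination", "outbound_from_server")


@dataclass
class BeliefNetwork:
    """incident -> each evidence node. CPTs are kept as pseudo-counts:
    [true|incident, total|incident, true|benign, total|benign] (assumed values)."""
    prior_incident: float = 0.02  # assumed base rate of true incidents per event
    counts: dict = field(default_factory=lambda: {
        "high_severity_signature": [8.0, 10.0, 3.0, 10.0],
        "bad_reputation_destination": [9.0, 10.0, 1.0, 20.0],
        "outbound_from_server": [6.0, 10.0, 4.0, 10.0],
    })

    def likelihood(self, name: str, observed: bool, incident: bool) -> float:
        t_i, n_i, t_b, n_b = self.counts[name]
        p_true = t_i / n_i if incident else t_b / n_b
        return p_true if observed else 1.0 - p_true

    def posterior(self, evidence: dict) -> float:
        # Bayes over the binary root: P(I|e) = P(e|I)P(I) / (P(e|I)P(I) + P(e|~I)P(~I))
        p_inc, p_ben = self.prior_incident, 1.0 - self.prior_incident
        for name, observed in evidence.items():
            p_inc *= self.likelihood(name, observed, True)
            p_ben *= self.likelihood(name, observed, False)
        return p_inc / (p_inc + p_ben)

    def feedback(self, evidence: dict, was_incident: bool) -> None:
        # The feedback loop: an analyst verdict updates the CPT pseudo-counts.
        base = 0 if was_incident else 2
        for name, observed in evidence.items():
            self.counts[name][base] += 1.0 if observed else 0.0
            self.counts[name][base + 1] += 1.0


def triage(net: BeliefNetwork, evidence: dict, asset_criticality: int, threshold: float = 0.5) -> dict:
    """Escalate when the posterior clears the threshold; priority weights it by asset impact."""
    p = net.posterior(evidence)
    return {"posterior": p, "escalate": p >= threshold, "priority": p * asset_criticality}


if __name__ == "__main__":
    net = BeliefNetwork()
    event = {name: True for name in EVIDENCE}  # constructed sample event
    print(triage(net, event, asset_criticality=3))
    net.feedback(event, was_incident=True)  # analyst confirmed it
    print(triage(net, event, asset_criticality=3))
```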
According to Respond Software, the Respond Analyst platform has a workload capacity that is the full-time equivalent of 26 SOC analysts. The workload capacity is based on an estimate that the average SOC analyst can process 75 events an hour. Armistead said that this estimate of the Respond Analyst platform’s capacity is fairly conservative.
“What we believe the biggest benefit we give people is that we provide analysts in this constrained world where it’s hard to find security people,” Armistead said.
That said, Armistead noted that the Respond Analyst doesn’t do everything and isn’t intended to replace humans performing event analysis in SOCs.
“We’re particularly good at high-volume, low-signal types of problems like network intrusion data,” Armistead said. “By freeing up time with the high-volume stuff, the people in SOCs can become more proactive in a real way and that’s what security needs today.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.