Respond Software is trying to solve a difficult infosec problem: how to sift through all of the information that pours into a security operations center (SoC) to find the threats that a human should pay attention to.
The company has developed software that it says emulates the decision-making process of an experienced security analyst. Using information from intrusion detection/prevention systems, firewalls, and vulnerability assessment tools, Respond says its software can prioritize incidents and assign the probability of a compromise.
The goal of the software is to provide high-quality notifications, with information to justify a notification’s priority, to human analysts who can then follow up, either by conducting a deeper investigation or responding to the incident.
Mike Armistead, co-founder and CEO, likens the software to a hospital triage unit, where the most critical cases are identified and treated immediately.
Armistead argues that SoCs are difficult to staff, and that the volume of information can overwhelm human operators. He positions Respond as an option to augment a SoC team and automate frontline analysis.
“The gap between the volume of data and the number of people you need is too big,” said Armistead in an interview. Respond Software aims to close that gap.
SIEM vendors have been working on this problem for a long time. What differentiates Respond? While SIEM vendors are adding analytics capabilities to improve early breach detection, SIEM products traditionally have been driven by event correlation based on rulesets that need to be maintained and updated, and to respond to user-generated queries.
By contrast, Respond attempts to be more proactive. Rather than relying on customers to write rules and queries, Respond has developed its own data modeling techniques to bring incidents to analysts’ attention.
In my briefing with Respond, Armistead described the modeling technology as artificial intelligence. It’s clear that the next generation of security tools and products are going to embrace terms such as AI and machine learning.
That’s because the industry is desperate for more automated and accurate analysis of logs, alerts, events, behaviors, flows, triggers and all the other instrumentable data that can be gathered in the service of attack detection and threat analysis.
However, just because we’re desperate for it doesn’t mean it’s arrived. As a potential customer I would be very cautious about such claims and what they really mean in terms of the efficacy of the product.
In terms of deployment, Respond offers either a full cloud option hosted in AWS, in which customers send security information to Respond for processing; or a hybrid option, in which Respond deploys some software on premises.
In either case, Respond encrypts customer data, and tokenizes sensitive information such as IP addresses so that if the data is compromised, it can’t be tied back to actual IPs.
Respond Software is targeting organizations such as service providers and large enterprises that operate their own SoCs, as well as MSPs that offer managed security services.
The startup’s co-founders are CEO Mike Armistead, VP of product strategy Chris Calvert, and VP of engineering Robert Hips. The company has raised $12 million in a Series A round from CRV and Foundation Capital.
Before co-founding Respond, Mike Armistead ran HPE’s ArcSight group for about 18 months, after HPE acquired his previous startup, Fortify.