Startup Arctic Wolf Networks is launching a Security Operations Center (SOC) service that combines security information and event management (SIEM) with human analysts who help customers identify relevant security issues.
The service, AWN Cyber-SOC, gathers data from a customer’s premises for both automated analysis and review by a security engineer. A sensor deployed at the customer’s Internet edge collects flows and HTTP and DNS logs, and runs a built-in IDS. The service can also use firewall, server, and Active Directory logs to provide additional context.
The sensor data is encrypted, compressed, and shipped to Arctic Wolf’s analytics systems, which are hosted on Amazon’s AWS. The company says it has 5 or 6 different engines to analyze logs, some of which are home-grown and others custom-built.
“As we take in data, we store the log natively,” said co-founder and CEO Brian NeSmith. “Then we read that out of S3, do preprocessing to set it up for our machine analytics, and then that output will flow into Elastic Search infrastructure where the engineers do that work.”
Scaling The Engineer
All the analytics tools feed into an incident console, which is where the human security engineer comes into play. By combining machine analysis with human insight, Arctic Wolf believes it can eliminate much of the noise generated by normal operations, allowing trained engineers to focus on a limited set of problematic alerts.
“We’ve built a system to better utilize the security engineer,” said NeSmith. “Our system improves the productivity of the security engineer.”
If a problem is detected, the engineer alerts the customer. However, the service doesn’t provide on-site event management or remediation—just the analysis and monitoring. Incident response falls to the customer.
Each customer is assigned a primary and backup engineer, so that engineers can become familiar with the customers’ environments. Note that security engineers will serve multiple customers; there is no one-to-one engineer/customer ratio.
NeSmith said one security engineer could work with 30 to 35 customers, and review from 300 to 1,000 incidents per day. “In some cases we think we can get up to 45 customers,” said NeSmith.
The service charges from $3 to $8 per user per month. It typically stores logs for 90 days, though customers can pay an incremental cost for longer-term storage. As mentioned, the service currently uses Amazon S3, and plans to start using Glacier for cold storage.
Arctic Wolf is taking the right approach by combining automation with human insight to tackle incident and event management. Torrents of log data can overwhelm a human operator’s ability to organize, correlate, and analyze events from disparate sources; these tasks are better suited for machines.
Humans, by contrast, can apply insight, context, and experience to smaller data sets to distinguish malicious activity from anomalous behavior.
NeSmith said the company’s ideal customer is an organization with a full-time IT team, but no dedicated security professional. By offering both a SIEM service and some human insight, customers can essentially rent the benefits of log monitoring and analysis.
That said, there are two questions for potential customers: First, just how good are Arctic Wolf’s SIEM capabilities? An analytics system riddled with false positives or false negatives may be able to churn through large amounts of data, but to little positive effect.
Second, if security engineers are working with as many as 35 customers at a time, it seems reasonable to ask just how familiar engineers will become with each customer’s security and operational quirks.
To my mind, the real value of this service is the human insight, but that value could be diluted by spreading each engineer’s attention across a wide swath of customers.
Organizations considering Arctic Wolf will have to determine if the service strikes the right balance of automation and personalization.
About Arctic Wolf Networks
The company was co-founded by Brian NeSmith and Kim Tremblay in 2012. The company has raised $27.2 million to date, including a $20 million series B round. Its investors are Lightspeed Venture Partners and Redpoint.
In his previous role, co-founder NeSmith was CEO of Blue Coat Systems, the Web proxy company. Before Blue Coat, he was CEO of Ipsilon Networks, which made networking equipment. Ipsilon was acquired by Nokia.
Co-founder Tremblay was previously Worldwide VP of Engineering at Blue Coat. She’s also held leadership roles in the aerospace and defense industries.
The company says it has 100 customers so far.