Supporting the Hunt: An Interview with Ely Kahn of Sqrrl

By now, I’m sure you’re read about the exciting acquisition of Sqrrl by Amazon Web Services ( I was truly pleased to see this nice development, because with the enterprise winds clearly shifting in the direction of massively increased use of public cloud, adding a wonderful tech company like Sqrrl to the AWS mix seems like great news for our entire industry.

Just a few months ago, I had the awesome privilege to sit down with Ely Kahn, Co-Founder of the Company, and Vice President of Business Development. I wanted to learn more from Ely about the technical approach being taken at Sqrrl. It’s fun to go through the interview now, considering the recent announcement. And it’s exciting to ponder how the Sqrrl team’s original focus on proactive hunting of threats using data science, advanced search, and visualization techniques, will introduce fundamental new advances for AWS in the coming years. Below is a summary of my conversation:

EA: Ely, can we start with you helping me understand the basic mission of the threat hunter?

EK: The mission of a cyber threat hunter is threefold. First and foremost, hunters are focused on finding hidden threats that have evaded detection by their existing cyber defenses. Second, and perhaps more subtly, expert hunters should be focused on taking newly discovered patterns and TTPs and building new ways to automatically detect those patterns. Finally, hunters should be great mentors. They are working on the cutting-edge of cyber security and should hence transfer their knowledge to more junior analysts and incident responders.

EA: Can you comment on how analytics has evolved to support modern enterprise security?

EK: We have entered the age of machine learning and Big Data, and the combination of these two trends has triggered the creation of waves of new companies, including Sqrrl, who seek to apply these capabilities to more accurately detect anomalies in vast piles of cybersecurity data. With Big Data technologies, such as Hadoop, massive amounts of data can be processed much more cost effectively and on a timely basis. Machine learning algorithms reduce false positive and false negative alarm rates by continuously adapting to the data and organizational environment.

EA: What background is required for an individual to become an effective threat hunter?

EK: The so-called unicorn threat hunter has skillsets that cut across data science, threat intelligence, network security, endpoint security, incident response, and Big Data (i.e., distributed computing). There are probably less than one hundred people in the world with this magical skillset. For this reason, we developed a Threat Hunting Platform that brings together these capabilities and lowers the bar on the skillsets needed for hunting.

EA: Can you help us understand the balance between human skill and automation in the detection of subtle attacks?

EK: We are seeing some vendors talk about “fully automating the hunt.” We think this is a fallacy and an example of cyber security marketers creating confusion in many people’s minds. If you fully automate a hunt, it is no longer a hunt. It is a SIEM, firewall, or IDS rule. Hunts will always be driven by humans, but a Threat Hunting Platform should simplify the hunt as much as possible through the usage of advanced analytics, visualizations, and playbooks.

EA: What trends are you seeing in the types of threats being detecting in the modern SOC?

EK: SOCs are getting hit from all angles, including “low and slow” attacks seeking to exfiltrate data, and “shock and awe” attacks such as ransomware. The key trend across these different types of cyber attacks is around the commoditization of malware. Adversaries are quickly taking malware, repackaging it, and extending it. No longer do you need to be an expert malware developer to pull off an advanced attack. You just need to know where to go to license it.