Threat Intel from Amsterdam

For me, 2003 was the year of the worm. I remember being uneasy about how to obtain proper context about SQL/Slammer, Blaster, Nachi, and the like. Luckily, I had access to my friend and colleague Brian Rexroad of AT&T. Brian was, and still is, best in the business at most things cyber, including analysis – and I watched as he explained to our community how intelligence can provide useful contextual insight into attacks such as worms.

One of Brian’s public examples involved showing how to interpret drops in network or system traffic. For example, if network traffic happened to drop unusually one day, then you might become alarmed. If, however, you had proper external intelligence – perhaps you realized this was happening on Christmas Eve – then you could easily explain the drop. It’s a simple but powerful example of using intelligence to determine the context of an attack.
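The traffic-drop scenario above, carried through in code as an added example (not part of the original post and not anything from AT&T or EclecticIQ): a daily flow-count series and a calendar of known events are both constructed for illustration. The detector flags any day whose volume falls well below the median of the preceding week, then looks the day up in the contextual calendar; a drop with a known explanation is reported as explained, while one without is marked for investigation.

```python
from datetime import date
from statistics import median

# Constructed sample: daily inbound flow counts (in millions) for a fictional
# network, covering two weeks in December. Two dips are planted: one on the
# 20th with no known cause, and one on the 24th (Christmas Eve).
DAILY_FLOWS = [
    (date(2023, 12, 11), 100), (date(2023, 12, 12), 97),
    (date(2023, 12, 13), 103), (date(2023, 12, 14), 99),
    (date(2023, 12, 15), 101), (date(2023, 12, 16), 98),
    (date(2023, 12, 17), 96),  (date(2023, 12, 18), 102),
    (date(2023, 12, 19), 100), (date(2023, 12, 20), 30),
    (date(2023, 12, 21), 99),  (date(2023, 12, 22), 101),
    (date(2023, 12, 23), 97),  (date(2023, 12, 24), 35),
]

# Constructed "external intelligence": dates on which reduced activity is
# expected. A real SOC would pull this from change calendars, holiday feeds,
# scheduled maintenance windows and similar sources.
CONTEXT_CALENDAR = {
    date(2023, 12, 24): "Christmas Eve (reduced business activity expected)",
    date(2023, 12, 25): "Christmas Day (reduced business activity expected)",
}


def detect_drops(series, calendar, window=7, threshold=0.6):
    """Flag days whose volume is below threshold * median of the prior window.

    series:   list of (date, count) pairs in chronological order
    calendar: mapping date -> human-readable explanation
    Returns one finding per flagged day, enriched with context where present.
    The median baseline is deliberately robust: a single earlier dip does not
    drag the baseline down and mask a later one.
    """
    findings = []
    for i in range(window, len(series)):
        day, count = series[i]
        baseline = median(count_ for _, count_ in series[i - window:i])
        if baseline <= 0 or count >= threshold * baseline:
            continue
        context = calendar.get(day)
        findings.append({
            "day": day,
            "count": count,
            "baseline": baseline,
            "ratio": round(count / baseline, 2),
            "context": context,
            "verdict": "explained" if context else "investigate",
        })
    return findings


if __name__ == "__main__":
    for f in detect_drops(DAILY_FLOWS, CONTEXT_CALENDAR):
        print(f"{f['day']}: {f['count']} vs baseline {f['baseline']} "
              f"({f['ratio']}x) -> {f['verdict']}"
              + (f" [{f['context']}]" if f["context"] else ""))
```

On the sample data the 20th is reported as "investigate" and the 24th as "explained". The point is not the statistics, which are deliberately simple, but the enrichment step: the same numeric anomaly yields two different decisions depending on the context the analyst has available.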

The importance of threat intelligence for cyber decision-making was front-and-center while meeting last week with Amsterdam-based EclecticIQ. Founded in 2014 by former iSIGHT executives, EclecticIQ currently serves the threat intelligence needs for a growing base of European organizations. They have now begun to build their business in the US – which, of course, caught my attention – and the team was kind enough to share with me their story:

“We provide customers with multi-source intelligence, with emphasis on the threat analyst,” explained Michael Seguinot, who is the company’s North America Channel Manager. “Our platform is standards-based with support for STIX/TAXII, and integrates with popular enterprise security platforms. The capability supports threat hunting, attack prevention, risk analysis, and other analytic functions in the modern security operations center (SOC).”

The EclecticIQ Threat Intelligence Platform (TIP) supports intelligence from the expected sources, including vendors, open sources, and any industry collectives the SOC team might participate in. Collaborative SOC workflow automation is supported in the platform, and the platform establishes open connectivity through published APIs and SDKs. Support for open source projects such as OpenTAXII is also included.
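To make the STIX/TAXII point concrete, here is an added example (my own illustration, not EclecticIQ's code or any part of its platform) of what a SOC does once standards-based intelligence has been ingested: indicators arrive as a STIX 2.1 bundle, their patterns are turned into matchable values, and events are checked against them. The bundle, the indicator IDs, the addresses and domains (drawn from documentation-reserved ranges), and the `key=value` log lines are all constructed; the matcher handles only single-comparison STIX patterns, and it tracks each indicator's `valid_from`/`valid_until` window so that a hit on a stale indicator is reported as such rather than silently treated as current.

```python
import json
import re
from datetime import datetime

# Constructed STIX 2.1 bundle. IDs are placeholder UUIDs; 198.51.100.0/24 and
# the .example TLD are reserved for documentation, so nothing here is real intel.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "created": "2024-01-10T00:00:00Z", "modified": "2024-01-10T00:00:00Z",
         "name": "Constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']",
         "valid_from": "2024-01-10T00:00:00Z", "labels": ["malicious-activity"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2023-06-01T00:00:00Z", "modified": "2023-06-01T00:00:00Z",
         "name": "Constructed phishing domain (expired)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login.bad.example']",
         "valid_from": "2023-06-01T00:00:00Z", "valid_until": "2023-12-31T00:00:00Z",
         "labels": ["malicious-activity"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2024-02-01T00:00:00Z", "modified": "2024-02-01T00:00:00Z",
         "name": "Compound pattern this matcher does not support", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "0" * 64 + "' AND file:size > 1024]",
         "valid_from": "2024-02-01T00:00:00Z", "labels": ["malicious-activity"]},
    ],
})

# Constructed log lines: "<timestamp> <source> key=value ...".
LOG_LINES = [
    "2024-03-04T10:15:02Z fw action=allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-03-04T10:16:40Z proxy action=allow src=10.0.0.7 host=login.bad.example path=/",
    "2024-03-04T10:17:11Z fw action=allow src=10.0.0.9 dst=203.0.113.8 dport=80",
]

# Only "[object:property = 'value']" patterns are supported; anything with
# AND/OR, other operators or other properties is reported as skipped.
SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.']+)\s*=\s*'([^']*)'\]$")
# Which log fields an observable type is compared against.
FIELDS_FOR_TYPE = {"ipv4-addr": ("src", "dst"), "domain-name": ("host",), "url": ("url",)}


def parse_ts(text):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def load_indicators(bundle_json):
    """Return (usable, skipped_ids) from a STIX bundle's indicator objects."""
    usable, skipped = [], []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = SIMPLE_PATTERN.match(obj["pattern"])
        if not match or match.group(1) not in FIELDS_FOR_TYPE or match.group(2) != "value":
            skipped.append(obj["id"])
            continue
        usable.append({
            "id": obj["id"], "name": obj["name"],
            "fields": FIELDS_FOR_TYPE[match.group(1)], "value": match.group(3),
            "valid_from": parse_ts(obj["valid_from"]),
            "valid_until": parse_ts(obj["valid_until"]) if "valid_until" in obj else None,
        })
    return usable, skipped


def parse_log_line(line):
    """Split a constructed log line into a dict of fields plus _ts and _source."""
    ts, source, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["_ts"], fields["_source"] = parse_ts(ts), source
    return fields


def is_valid_at(indicator, ts):
    """True if the indicator's validity window covers the event time."""
    until = indicator["valid_until"]
    return indicator["valid_from"] <= ts and (until is None or ts < until)


def match_logs(lines, indicators):
    """Return one hit per (event, indicator, field) match, tagged active/expired."""
    hits = []
    for line in lines:
        event = parse_log_line(line)
        for ind in indicators:
            for field in ind["fields"]:
                if event.get(field) == ind["value"]:
                    status = "active" if is_valid_at(ind, event["_ts"]) else "expired"
                    hits.append({"line": line, "indicator": ind["id"],
                                 "name": ind["name"], "field": field, "status": status})
    return hits


if __name__ == "__main__":
    usable, skipped = load_indicators(STIX_BUNDLE)
    print(f"loaded {len(usable)} indicators, skipped {skipped}")
    for hit in match_logs(LOG_LINES, usable):
        print(f"[{hit['status']}] {hit['name']} via {hit['field']}: {hit['line']}")
```

Two design points carry over to a real deployment: the matcher must say which patterns it could not evaluate, because a silently dropped indicator is worse than a loud one, and validity windows have to be honoured at match time, since a feed that never expires indicators is a reliable source of false positives.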

The company also offers the EclecticIQ Fusion Center, which includes a bundled threat intelligence package, presumably for more focused needs, perhaps on a more limited budget. Various pre-packaged bundles are included, such as for critical infrastructure or financial crime settings. Delivery includes many formats to make it easier for a SOC team to ingest and use the Fusion Center capability.

I asked about how the company emerged from iSIGHT, and I learned quite a bit about the two founders – Joep Gommers and Raymon van der Velde. Both have many years of experience in this important area, starting at pioneering iSIGHT (which was sold to FireEye for $200M in 2016). It should be no surprise that they attracted a large Series B investment round in late 2017, resulting in doubling the team size and expansion to additional regions.

Certainly, a business risk that EclecticIQ faces is the increasing level of competition in this area. Many options now exist for enterprise teams to obtain high-quality intelligence for their SOC operations. But many options exist for a reason – that is, security hunt and analysis teams truly benefit from this type of support. So, despite the competition, demand is likely to increase, and this should bode well for capable teams such as EclecticIQ.

If you are in the market for a high-quality threat intelligence platform with connectors to the systems already in your enterprise, then you would be wise to be in touch with the EclecticIQ team. Ask them to show you their solution, and ask for information about the many unique areas of R&D they support, including for the open source community. I suspect you’ll find the discussion useful.

As always, please share what you learn.