File-Level Arms for the Threat Hunter

on 08 Aug 2018

I’ve been thinking today about the unusual journey of a small company originally called Shbang! (They eventually changed their name to the now-familiar TippingPoint.) After fiddling around briefly with browsing appliances, co-founder John McHale decided in 2002 to focus on Internet security. This was a good call, because three years later, 3Com bought the growing IPS shop for $442M. When HP then gobbled up 3Com in 2010 for $2.7B, TippingPoint found its new home.

Now, I remember back in 2015 finding it strange – for two reasons – that HP would sell off TippingPoint to TrendMicro for $300M. The first reason was that HP was not getting out of the security business – so they must have been bearish on IPS or TippingPoint or both. But the second and bigger reason I found this sale strange was that 300 (on my calculator) is a smaller number than 442. (Maybe the axiom that you can’t lose money buying security companies is not an axiom.)

Anyway, if you are wondering who might have been riding along during this fun journey, then meet here the principals of a new cyber security start-up called InQuest. Pedram Amini, in particular, serves as co-founder and CTO of the company, and he was kind enough to spend two separate sessions with me, explaining his solution offering. And as former TippingPoint experts during the formative 3Com years, the InQuest team has considerable experience in cyber.

“What we do, in a nutshell,” Pedram explained to me, “is support the threat hunter in the modern SOC, and we do this from top-to-bottom. That is, we ingest network data directly, with the ability to dial up to 20Gbps capacity. And then we help the hunter basically put that data through the wringer. The core of this analysis is something we call deep file inspection or DFI, and it supports the hunt process with an automated risk score based on relevant factors.”

Since I’d been hearing so many proposals in the past few months on SOC analysis tools for hunters, I wanted to understand what made the InQuest solution unique. With his answer, Pedram’s lineage to IPS was certainly clear, because he talked about making things actionable for hunters: “We are focused on generating intelligence from raw data,” Pedram explained, “and how we do this in our engine is extremely effective.”

Here is basically what the InQuest engine does: First, the platform uses Collector devices, which you can purchase as software or hardware, to ingest raw data and analyze it into artifacts. A Manager device controls the overall process and coordinates with other enterprise systems such as your SIEM. The Collector-discovered artifacts include hashes, IPs, URLs, headers, and of course, files. And it is the analysis of files that forms the basis for the InQuest value proposition.

“We use advanced heuristics, machine learning, multiple AV integrations, and various sandbox integrations,” Pedram said. “And we maintain a team of experts that we call InQuest Labs, which coordinates the generation of file reputation scoring based on all-source intelligence. We also support local integration of cyber threat intelligence feeds by our customers, to further improve the accuracy of the file interpretations by hunters in the SOC.”
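To make the Collector-to-score pipeline described in the two paragraphs above concrete, here is a small added example. It is my own illustration, not InQuest code and not a description of how DFI is actually implemented: it takes a constructed captured e-mail, pulls out the artifact classes named above (headers, IPs, URLs, a file and its hash), checks the attachment's real type against its claimed extension, and folds constructed AV verdicts and a constructed local threat-intel list into one risk score that carries its reasons with it. The message, the attachment bytes, the 203.0.113.45 address, the example.test domains, the AV verdicts, the indicator list and the weights are all constructed for the example.

```python
"""Toy deep-file-inspection pipeline: pull artifacts out of a captured
message, then fold several independent signals into one risk score.
Constructed example; the AV and reputation lookups are stand-ins for the
external integrations a real engine would call."""
import base64
import hashlib
import re
from email import message_from_string
from email.policy import default

# Constructed attachment: a ZIP container (PK magic) delivered as "invoice.pdf".
ATTACHMENT_BYTES = b"PK\x03\x04" + bytes(26) + b"payload.bin" + bytes(16)

# Constructed sample message (not a real capture). 203.0.113.0/24 is a
# documentation range and *.example.test is a placeholder domain.
SAMPLE_MESSAGE = (
    "Received: from mail.example.test ([203.0.113.45])\r\n"
    "From: invoices@example.test\r\n"
    "To: analyst@corp.example\r\n"
    "Subject: Invoice 4471\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Your invoice is attached. Portal: http://portal.example.test/login\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="invoice.pdf"\r\n'
    'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(ATTACHMENT_BYTES).decode() + "\r\n"
    "--b1--\r\n"
)

# Magic-byte signatures, and what each file extension claims to contain.
MAGIC = [(b"%PDF", "pdf"), (b"PK\x03\x04", "zip"),
         (b"\xd0\xcf\x11\xe0", "ole"), (b"MZ", "pe")]
EXT_TYPE = {"pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip",
            "doc": "ole", "xls": "ole", "exe": "pe", "dll": "pe"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"<>]+")


def detect_type(data):
    """Identify a file by its leading bytes, ignoring the claimed extension."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_artifacts(raw_message):
    """Collector step: one captured message becomes headers, IPs, URLs,
    and files with their hashes, the artifact classes the article lists."""
    msg = message_from_string(raw_message, policy=default)
    header_text = "\n".join(f"{k}: {v}" for k, v in msg.items())
    artifacts = {"headers": {k: str(v) for k, v in msg.items()},
                 "ips": sorted(set(IP_RE.findall(header_text))),
                 "urls": [], "files": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            data = part.get_payload(decode=True)
            ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            artifacts["files"].append({
                "name": filename,
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "claimed_type": EXT_TYPE.get(ext, "unknown"),
                "detected_type": detect_type(data)})
        elif part.get_content_type() == "text/plain":
            artifacts["urls"].extend(URL_RE.findall(part.get_content()))
    return artifacts


def risk_score(artifacts, av_verdicts, bad_indicators):
    """Combine heuristics, AV verdicts and reputation hits into a 0-100 score
    plus the reasons behind it, so the hunter can see why it fired."""
    score, reasons = 0, []
    for f in artifacts["files"]:
        if f["claimed_type"] != f["detected_type"]:  # extension/content mismatch
            score += 40
            reasons.append(f"{f['name']}: extension says {f['claimed_type']}, "
                           f"content is {f['detected_type']}")
        if f["detected_type"] == "pe":
            score += 30
            reasons.append(f"{f['name']}: executable content")
        verdicts = av_verdicts.get(f["sha256"], [])
        hits = [v for v in verdicts if v]
        if hits:  # weight AV by the fraction of engines that agree
            score += int(40 * len(hits) / len(verdicts))
            reasons.append(f"{f['name']}: {len(hits)}/{len(verdicts)} AV engines flag it")
    for ioc in artifacts["ips"] + artifacts["urls"]:
        if ioc in bad_indicators:
            score += 25
            reasons.append(f"{ioc}: on local threat-intel list")
    return min(score, 100), reasons


# Constructed stand-ins for the AV integrations and a customer threat feed:
# one of three engines flags the attachment; the sending IP is on the feed.
SAMPLE_AV_VERDICTS = {hashlib.sha256(ATTACHMENT_BYTES).hexdigest():
                      ["Trojan.Generic", None, None]}
SAMPLE_BAD_INDICATORS = {"203.0.113.45"}

if __name__ == "__main__":
    arts = extract_artifacts(SAMPLE_MESSAGE)
    total, why = risk_score(arts, SAMPLE_AV_VERDICTS, SAMPLE_BAD_INDICATORS)
    print(f"risk {total}/100")
    for reason in why:
        print(" -", reason)
```

The point of keeping the reasons alongside the number is that a hunter can act on "extension says pdf, content is zip" immediately, whereas a bare score of 78 tells them nothing about where to look next.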

I must say that Pedram and his team exhibit many of the personal characteristics I like to see in a budding cyber analysis company: First, they trace their collective career lineage back to technology programs that I admire. This includes the original “zero-day initiative,” which Pedram founded. Second, the founders are Black Hat Conference-type guys, which highlights their deep technical chops in both offensive and defensive tactics.

But third, and this is perhaps the most interesting characteristic of the InQuest team, is that they are most definitely not prone to fits of hyperbolic marketing. When I first discovered their original website, it read like a data sheet, rather than one of the slick experiences you find from Sand Hill Road-funded shops. (InQuest bootstraps its funding.) I’m so glad to see that this fine company has upgraded its site with some right-brained help.

Look, let’s be honest, the commercial road to supporting the threat hunter in the SOC with a growing, financially sound offering is not easy. There is much competition, for instance, from the likes of (gulp) AWS, with its recent acquisition of Sqrrl. So, this is no cakewalk for InQuest. But I must admit that I’m betting on them to succeed and grow. These are techies on a mission, and dozens of SOC customers have apparently bought into the platform already.

Perhaps you should have a look at their (revamped) web site, and then give a call over to Pedram (and his partner Mike, if you find him anywhere on the Internet – I’ve tried, to no avail). I think you will enjoy the discussion with this interesting little tech company. And if you are a threat hunter, then this platform from InQuest might include exactly the type of file-oriented, security analytic arms that you’ve been looking for.