Welcome to Anomali!

Hugh Njemanze
February 29, 2016
<p>By now we hope you’ve heard that we’ve changed our name to <strong><a href="http://www.anomali.com">Anomali</a></strong> from ThreatStream. I’d like to offer a few words as to why we made the change and why it's important. Simply put, we are exploring and solving new problems. In 2013 we saw there was a problem with managing the growing amount of threat data. Open source data, proprietary data from commercial threat intelligence providers, data generated by the ISACs, and data from academic and governmental institutions have contributed to an explosion of threat data. This led us to create the market-leading threat intelligence platform known as ThreatStream. As of this month, we’ve collected and curated nearly 100 million indicators of compromise (IOCs) from this variety of data sources, and we list almost 30 million IOCs as “active” in our systems. Active means that they are seen in the wild as still in use. When we went back and measured the IOC growth rates over the last eighteen months, we were astonished by the exponential growth. We expect this trend to continue. Threat intelligence data is the new big data challenge for security.</p><p>The increasing data volumes have caused this data to be more valued by threat analysts and less by SOC and incident response personnel. While more data means more exploration and potential insight, handing the operations team tens of millions of anything and asking them to do something operational with it in real time is a non-starter. Security operations needs to know which specific IOCs they should be concerned about at any given moment. To do this, threat intelligence platform vendors built integrations with the SIEM.
When the modern SIEM was first deployed, it was never imagined that, in addition to processing and correlating over a billion events per day from security and network logs (in a typical large enterprise network), it would also have to match every single one of those events against tens of millions of IOCs. The SIEM has plenty of work to do just with the first part of that last sentence (correlating events), even without being completely blindsided by the second part (matching IOCs), which is what has happened over the last three years.</p><p>We assert that threat intelligence platforms of the future must:</p><ul><li>Be able to provide IOCs that are actionable, relevant and specific to your organization. This means proactively reducing the stew of IOCs down to those that the SIEM, other security tools and your security team need to respond to at a given point in time, rather than dumping the entire intelligence feed into tools that weren’t designed for that and hoping they don’t choke.</li><li>Be able to continuously perform retrospective analysis over at least a year’s worth of forensic data, to match newly classified threat intelligence IOCs against activity seen on your network far beyond a 200+ day potential adversary dwell time.</li><li>Be the hub of an intelligence-driven security operations center (Gartner calls this the ISOC).</li></ul><p>Anomali’s two new products, Harmony Breach Analytics and Anomali Reports, announced today, do exactly that. We will examine your logs, compare them to our vast threat intelligence IOC library, and tell you (and your existing tools) in real time if we suspect a data breach.
The existing tools can then use this information to enable detection and response workflows that are already in place at your organization, minus the back-breaking work they are currently saddled with of also analyzing millions of unrelated IOCs.</p><p>As we look at some of the largest data breaches, we noticed that many had their start in a small or medium business that had a supplier or services relationship with the larger organization. Also, many of these smaller companies didn’t have a security staff and likely couldn’t have afforded threat intelligence data or a SIEM. These smaller organizations may have customer lists or intellectual property that are prized by adversaries, or can be an attacker’s stepping stone to larger organizations. For these organizations we offer a SaaS-based data breach detection service called Anomali Reports. The customer simply signs up for the low-cost service with a credit card. The service reviews the customer’s data in the Anomali cloud and produces a report containing IOC matches. The service features end-to-end encryption.</p><p>We have renamed our company from ThreatStream to Anomali because threat streaming now represents just ONE of the ways in which we make Threat Intelligence practical for protecting our customers' networks. Our new name, Anomali, reflects our ongoing mission to help our customers detect and address anomalous or undesirable behavior on their networks.</p>
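As an added illustration (not Anomali's code, and no relation to how its products are built), the three requirements above as a small Python pipeline on constructed data: reduce the feed to active IOCs relevant to the organization, match live events against that reduced set instead of the whole feed, and re-scan retained event history when a new IOC is classified. The IOC fields, tags and sample events are all assumptions.

```python
"""Added example: the IOC-reduction, real-time match and retrospective
scan the post argues for. All indicators and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IOC:
    value: str                 # domain, IP or file hash (constructed)
    active: bool               # still seen in the wild
    tags: frozenset = field(default_factory=frozenset)  # e.g. platform tags (assumed)


@dataclass(frozen=True)
class Event:
    ts: int                    # epoch seconds
    host: str
    observable: str            # field worth matching: dst domain/IP or file hash


def reduce_feed(feed, org_tags):
    """Requirement 1: keep only active IOCs that overlap the org's profile,
    so the SIEM is handed a small set rather than the entire feed."""
    return {i.value: i for i in feed if i.active and (i.tags & org_tags)}


class Matcher:
    def __init__(self, iocs):
        self.iocs = dict(iocs)             # value -> IOC, O(1) lookup per event
        self.history = defaultdict(list)   # observable -> [Event]: retained forensic data

    def ingest(self, ev):
        """Requirement 1 at run time: real-time match; retain every event."""
        self.history[ev.observable].append(ev)
        return self.iocs.get(ev.observable)

    def add_ioc(self, ioc):
        """Requirement 2: a newly classified IOC is matched against history,
        surfacing activity that predates its classification."""
        self.iocs[ioc.value] = ioc
        return list(self.history.get(ioc.value, []))


def demo():
    feed = [IOC("evil.example", True, frozenset({"windows"})),     # constructed
            IOC("stale.example", False, frozenset({"windows"})),   # inactive: dropped
            IOC("203.0.113.7", True, frozenset({"linux"}))]        # irrelevant: dropped
    m = Matcher(reduce_feed(feed, frozenset({"windows"})))
    hit = m.ingest(Event(1000, "ws1", "evil.example"))             # real-time hit
    miss = m.ingest(Event(2000, "ws2", "later.example"))           # unknown today
    retro = m.add_ioc(IOC("later.example", True, frozenset({"windows"})))
    return len(m.iocs), hit, miss, retro
```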
Hugh Njemanze

Hugh Njemanze is the President of Anomali. Hugh has an illustrious 30-year career in the enterprise software industry. Hugh co-founded ArcSight in May 2000 and served as CTO as well as Executive Vice President of Research and Development. He led product development, information technology deployment, and product research at ArcSight, and expanded these responsibilities to lead all engineering and R&D efforts for HP’s Enterprise Security Products group, the organization that ArcSight became part of post-acquisition. Prior to joining ArcSight, Hugh worked as the CTO at Verity, where he led product development, and before that he was at Apple in software engineering, where he was one of the key architects behind the Data Access Language (DAL). Hugh is a CISSP and holds a B.S. in computer science from Purdue University.
