The bigger picture of behavioral analysis - a conversation with Tier-3

2007-10-26

In a break with tradition, I'm going to write about a specific company in this one, or at least a specific series of conversations. I've been talking quite a lot to the guys at Tier-3, a company specialising in software that looks for anomalies in how IT is being used. While there are many potential applications of such a capability, the company has focused its efforts on IT security: pulling in events from computer logs and looking out for things that don't fit the norm. Think intrusion detection, unauthorised access and the like.
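To make "things that don't fit the norm" concrete, here is an added illustration of the idea in its simplest form: build a per-user profile from a period of logins taken as normal, then flag later logins that depart from it. This is example code written for this post, not Tier-3's product or anything it does internally; the log format, user names, addresses and host names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system): a week of logins
# treated as the "normal" baseline, followed by one day to be evaluated.
BASELINE_LOGS = """
2007-10-15T08:02:11 login user=alice src=10.0.1.20 host=fs01
2007-10-15T08:40:53 login user=bob src=10.0.1.31 host=fs01
2007-10-16T07:58:04 login user=alice src=10.0.1.20 host=fs01
2007-10-16T09:12:45 login user=bob src=10.0.1.31 host=db02
2007-10-17T08:15:30 login user=alice src=10.0.1.21 host=fs01
2007-10-17T08:44:02 login user=bob src=10.0.1.31 host=fs01
2007-10-18T08:05:17 login user=alice src=10.0.1.20 host=mail01
2007-10-18T17:59:09 login user=bob src=10.0.1.31 host=db02
2007-10-19T08:21:48 login user=alice src=10.0.1.20 host=fs01
2007-10-19T08:33:27 login user=bob src=10.0.1.31 host=fs01
"""

EVAL_LOGS = """
2007-10-22T08:10:05 login user=alice src=10.0.1.20 host=fs01
2007-10-22T02:47:19 login user=alice src=10.0.1.20 host=fs01
2007-10-22T08:30:44 login user=bob src=203.0.113.7 host=fs01
2007-10-22T09:05:12 login user=bob src=10.0.1.31 host=hr-payroll
2007-10-22T10:00:00 login user=carol src=10.0.1.50 host=fs01
"""

# Hypothetical log format chosen for the example: "<iso-timestamp> login user=<u> src=<ip> host=<h>"
LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) host=(\S+)$")


def parse(lines):
    """Turn raw log text into event dicts; lines that don't match the format are skipped."""
    events = []
    for line in lines.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, host = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "host": host})
    return events


def build_baseline(events):
    """Per-user profile: the sources, target hosts and hours of day seen during the baseline period."""
    profile = defaultdict(lambda: {"srcs": set(), "hosts": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["srcs"].add(e["src"])
        p["hosts"].add(e["host"])
        p["hours"].add(e["ts"].hour)
    return profile


def detect(baseline, events, hour_slack=1):
    """Return (event, [reasons]) for every event that departs from its user's baseline.

    hour_slack widens the usual working-hours window by that many hours on each side,
    so a login a little early or late is not reported.
    """
    findings = []
    for e in events:
        reasons = []
        p = baseline.get(e["user"])  # .get() does not create a profile for unknown users
        if p is None:
            reasons.append("user never seen in baseline")
        else:
            if e["src"] not in p["srcs"]:
                reasons.append(f"new source {e['src']}")
            if e["host"] not in p["hosts"]:
                reasons.append(f"new target host {e['host']}")
            lo, hi = min(p["hours"]) - hour_slack, max(p["hours"]) + hour_slack
            if not lo <= e["ts"].hour <= hi:
                reasons.append(f"hour {e['ts'].hour:02d} outside usual {lo:02d}-{hi:02d}")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOGS))
    for event, reasons in detect(baseline, parse(EVAL_LOGS)):
        print(event["ts"].isoformat(), event["user"], "->", "; ".join(reasons))
```

Two caveats a practitioner would want stated. First, the baseline is only as trustworthy as the period it was learned from: an intruder who is already active while the profile is built becomes part of "normal". Second, the detector can tell you that bob touched hr-payroll for the first time, but not whether that matters; deciding that needs exactly the knowledge of which assets are valuable that the rest of this post is about.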

It sounds so great in theory - and indeed, the company has recently announced wins for its HUNTSMAN product with some quite sizeable players such as Toshiba, so it must have something going for it. I still find myself dubious, however, not least (indeed, mostly) because whenever we do research into who's buying what in IT security, behavioral analysis software comes out near the bottom of the pile.

So, there appears to be a bit of a behavioral anomaly about the whole thing. If such products are recognised to be so blooming useful, why is nobody buying them? My conclusion has been that, while security products such as antivirus, firewalls and VPNs are quite simple to explain and therefore to cost-justify, it was always going to be harder to assemble a business case for tools such as behavioral analysis.

When I spoke to Tier-3 I put this position to them, and asked (on the back of such deals as Tosh) whether it was changing. What Peter Woollacott, the CEO, told me was that it was true, but he shed a bit more light on what made it so hard. "Anomaly detection investments are currently being driven by the value ascribed to IT/IP assets relative to cost," he said, "yet many organisations still fail to understand the value of their IP assets." In other words - if you don't know what you've got, it's difficult to work out its value, or indeed (as Peter explained) how vulnerable it is to the legions of potential threats.

It's an interesting one, not least because (according to my illustrious colleague Martin's report) the lack of asset knowledge is such an age-old problem in IT, leading to that other age-old chestnut - how can you secure your IT environment if you don't know what you've got?

Funnily enough, however, the answer to the asset management issue may well come from considering some of the desired outcomes of security - not least that mother of all reasons, the reduction of business risk. Peter used the term "return on security investment" - the ramifications of which can be seen quite clearly in more regulated environments, and are starting to be visible in other verticals. "Just as Basel II rewards better operational risk managers with lower costs of capital," commented Peter, "risk adjusted decision making is already featuring in corporate investment cases."

Understanding IT risk requires (and therefore drives the need for) understanding IT assets and their vulnerabilities. Ultimately this also drives the need for products such as those from Tier-3, but it's unlikely that the company can currently use this as a product pitch. Rather, organisations that are already educated on the need to manage risk for business reasons, and are acting upon it, will also want to get on top of their IT assets and what those assets are up to.

To take this one step further, perhaps there is no business case for behavioral analysis per se. That is, if such analysis is seen purely as a security measure, i.e. a way of working out what went wrong after the event so the hole can be plugged, it will always be difficult to justify. Alternatively, organisations that "get" topics such as risk management will be able to see behavioral analysis as a way of achieving some of the higher-level goals that follow, such as ongoing monitoring of risk levels in an already well-managed environment. In this context, anomaly spotting becomes a feature, not an outcome.

Which is perhaps as things should be. Companies such as Tier-3 had better be in it for the long haul, however, as there is still plenty of educating to be done just to get some organisations off the starting blocks.