- Uri May
- August 3, 2020
Neil Hughes, the author of The Tech Talks Daily podcast, wanted to learn more about the hot emerging category of Extended Threat Detection and Response (XDR). His curiosity led him to Hunters.
Hear Uri May, Hunters' CEO & Co-Founder explain XDR and Hunters’ approach to it.
Today’s topic is Extended threat Detection and Response, which you may have seen abbreviated to XDR and it is a huge emerging hot category at the moment. And a company called Hunters has become the first autonomous threat hunting solution that is also a pure-play, vendor-agnostic, XDR startup that has been noted in a Gartner report (subscription needed) and even been featured on the front page of TechCrunch recently. And for CrowdStrike users, Hunters also extends threat detection beyond the endpoint and enables XDR capabilities. So I wanted to find out more about this subject, and hopefully we can all learn a thing or two together today. So buckle up, and hold on tight as I beam your ears all the way to Tel Aviv in the startup nation of Israel, so we can speak with Hunters.
N: A massive warm welcome to the show. Can you tell the listeners a little about who you are and what you do?
U: My name is Uri May. I’m the CEO and Co-Founder of an Israeli cybersecurity company called Hunters and I’m really excited to be here.
N: I’m excited to get you on because Extended threat Detection and Response, ‘XDR’, is an emerging hot category at the moment. And what I always try and do on this podcast, is bringing in some of these hot topics and try and put them in a language that everyone can understand. Can you set the scene and tell the listeners a little bit more about exactly what it is?
U: Yes, absolutely. XDR is basically the industry answer to the gap we currently have between security products. Most of the environments customer have today encompass a high number of single point solutions that monitor different parts of the attack surface. Basically, they all lack the ability to see through all of it. XDR is that connective tissue between all of those single point solutions.
N: Can you tell me a little bit more about how XDR has gone on to emerge as this almost next-gen successor to endpoint detection and response, security information and event management solutions? It seems like there’s this whole journey here, isn’t it?
U: Yeah, so I think the EDR vendors brought a game changing technology to fight endpoint threats. Nowadays, bigger parts of the organization and attack surfaces are basically outside the endpoint. We’re talking about SaaS application, cloud environments, mobile devices, IoT, etc. Basically, we want to take the their approach and expand it, into all attack surfaces. Regarding SIEM technologies, they are doing what they should be doing, which is basically log collection and aggregation. They also have some security analytics capabilities. But those mostly require a really high level of expertise and experience from the operators and the people at the SOC. With the expansion in attack surfaces that we mentioned earlier, and the sophistication level of attackers, we can’t assume that users would have the ability to do all of that customization and, and all of the finishes and workflow analysis on their own. So they’re kind of looking at the windows. And 60 of those windows can generate more of out-of-the-box value for various security analytics use cases.
N: So as someone that’s working right in the heart of this industry, what is it that you think is different about XDR? And what does it do? What does it bring to the IT security stack that we’ve not had until now?
U: Yeah, so an impactful XDR, should have a significant delta, on top of all of the underlying products: the endpoint, the network products, cloud and identity, etc. And that delta is measurable, in detection accuracy, which is, “let’s detect more using all of that data and with more accuracy”, meaning less noise and faster, and therefore response should be faster, and have higher situational awareness to the incidents that we’re responding to, requiring the highest level of security operators. But usually nowadays, that’s not the case. And so yeah, I think that for both detection and response, meaning, detection accuracy, and response efficiency, XDR can definitely impact.
N: And from what I’ve been reading, I believe that XDR finds the signals that are legitimate threats, but most importantly, while filtering out all the noise, but can you expand on that just to help people listening, understand just what a game changer it can be?
U: XDR is all about deepening the integration with underlaying sensor layers. So when we’re talking about the threat that is currently missed, it’s mostly because we can’t effectively connect the dots. And when we either rely on humans or limited benign correlation as currently done, the implication of XDR would be taking that correlation to the next level. The goal is to take those weak signals that are almost impossible to monitor when you’re looking just at them, and correlate a bunch of them together to generate a high confidence incident. This would also lower the stream of alerts because the probability of each of them happening independently is really high, but the probability of them happening specifically around the same entities and around the same identity is way lower. So yeah, that’s the case we’re trying to make around detection accuracy and the ability to detect more threats without the noise that is sometimes created with those more elusive kinds of signals.
N: Now, you’ve perfectly set the scene there. I think it’s a great opportunity to introduce what you are doing with Hunters, which I believe is the first autonomous threat hunting solution. And is a pure play vendor agnostic XDR startup that has been noted in a recent Gartner report. But can you tell me a little bit more about exactly what it is that makes Hunters so unique in this space at the moment?
U: So I think that it comprises of three main different aspects: The first, is the expertise and knowledge that we bring into the table around how attackers operate in different attack surfaces. One of the biggest things that are important to us is to engineer that expertise and understanding into the technology and to the market. The second thing is the level of automation. The idea behind Hunters is to generate as high level value as possible, without requiring more talented analysts or more human brainpower in general.
The third thing is our ability to integrate into a big variety of products across categories. This is without the need to deploy any agents, sensors or scanners in our customers’ environment.
N: And one of the things that put you on my radar is finally spent a huge couple of weeks for you because just a few weeks ago, you were on the front of TechCrunch travelling you had a $15 million series A funding. So can you tell me a little bit more about that? It must have been a crazy time.
U: Yeah, so raising money is never easy. Raising money during a worldwide pandemic is, at least in my experience, very hard, but we’re very lucky to have new amazing backing from USVP and M12, which is Microsoft’s venture arm, and also from Okta Ventures, which truly believe in Hunters. A lot is put into the development of our tech and product, and we also take early steps in our go-to-market. We already have a decent number of customers, most of them in the US, that we’re happy to serve and help them control their environment and detect and respond better to attacks.
N: And I’m curious just for any startup founders that might be listening out there when something like that happens to you as a as a founder And you’ve got the $15 million series A funding, and you’re on the front page of TechCrunch. You did it. Did you get a lot of renewed interest and a lot of engagement from an article like that?
U: Yeah, absolutely. So I think that’s always the goal behind a funding PR: It’s not just about the announcement, but about customer engagement and interaction. Like you articulated Neil, and sometimes it’s raising the interest of potential partners. I definitely think that specifically customers are looking for stability, and big funding rounds usually mean stability. I can say just from my experience, selling enterprise software to US companies, one of the things that concerns them is the volatility around startups. “We’re deploying this Israeli product in our network now, but what would happen next year? Are they here to stay? Do they a significant amount of funding? Top-tier VCs really help establish that maturity. And that’s the ability that customers are looking for.
N: Can you tell me a little bit more about how Hunters grants those XDR capabilities that we were talking about a few moments ago using AI for autonomous threat hunting? Because again, it feels like a big moment here, but can you tell me a little bit more about them?
U: Yeah, so AI is being used in the platform in two main areas: First of all, we have a scoring system that is able to take those low fidelity signals that we extract from the data, as well as detections that other vendors are generating, and basically automatically extract more features around those signals and then score them basing on confidence and level of maliciousness.
The second part is our proprietary graph where all of those signals from the detection stage are getting loaded into, as well as the entities that we extracted, the relationships, and the organizational context that customers are loading into that graph. All of that knowledge is represented via computers that run machine learning algorithms on them, force them automatically, and find those back stories that we mentioned earlier. I think that the combination between our scoring system and that unique graph technology that we built is a very strong infrastructure that allows us, and in the future also our customers and partners, to encode our/their understanding of how attackers operate in different environments into something that is truly scalable. Hunters is machine-led, can work on petabytes of data. That’s what we believe is required to answer the biggest problem in cybersecurity, which is detection and response.
N: And what is it that they think or why is it that you think that a vendor-agnostic approach is so essential to success in something like this?
U: In cybersecurity today, there’s a bunch of solution categories: You have endpoint, secure web gateways, email protection systems, cloud infrastructure and cloud workload protections, NDRs, NTAs, and firewalls, and all of those market categories have really interesting technologies behind them, provided by different vendors. From our perspective, we want access to as much data as possible to build the best stories that we can and uncover the biggest amount of threats that we can. We talked about it earlier when we talked about that delta. The other thing is, in most cases customers have already defined their own best-of-breed stack. They know the environment and they made concise choices about the products that they onboarded. So when you have a single vendor dominating your stack, you basically limit yourself to the type of data sets that your products cover. Most of the times committing to a single vendor requires the customer to reshape their entire security technology stack, deploy agents, change big parts of their physical environments, and then also sometimes even compromise the secrecy. So both of those reasons combined, are the drivers behind our vendor- agnostic approach to XDR.
N: And finally, just to help anyone listening, understand how it would work in their world in their workplace, is there any way you can share a use case or something out there that would just help people understanding how it would work in their world?
U: Absolutely. Onboarding Hunters is very straightforward. And because we don’t have any scanner or agent, we don’t change the environment in any way. You open up Hunters' portal and connect data flows. These flows can come directly from the vendors that we integrate with, but they can also come from other centralized data sources like data lakes. We have a really nice integration with Snowflake and also with SIEM products and data centralization products. Once those data flows are connected, we immediately start analyzing existing detections to populate the graph, and like we said earlier, eventually generate attack stories that get pushed straight into the customer’s existing workflow. So Hunters doesn’t require a lot of deployment, we’re walking a lot of them creating an experience from POC that has a very short time-to-value. We think that it’s critical in in in our world today to be able to demonstrate the value easily.
Like with any detection, sometimes there’s nothing in the environment when you’re testing it out. So we also have have a really unique simulations and tests that we can run with our customers to demonstrate the unique capability around detection and response that you can get out of Hunters.
The most interesting use case that we’ll get into covering is the correlation and the connection between the enterprise network, meaning the secure web gateways in boxes, the endpoints, the firewalls, and basically, enterprise cloud environment and production environment that runs on a cloud infrastructure as a service, and containers, and what not. That combination of enterprise and cloud is really interesting. And, and that’s one of the gaps that we’re now trying to close to our ability to correlate those attack surfaces together. It generates some really nice results that customers comment on.
Another thing that accompanies that is the move into public clouds and offloading of more and more computing there so that, from a security perspective, not all of the teams have that knowledge about the cloud. So getting that TD&R knowledge from a vendor makes a lot of sense.
N: And for anyone listening, and would like to find out more information about the world of Extended threat Detection and Response and equally all the work that you’re doing at Hunters, what’s the best way of finding you guys online, joining your community or even sending a question to a member of your team? What’s the best way of doing that?
U: Make sure to follow us on LinkedIn and Twitter where we always post interesting stuff. You can always reach out directly to me or visit our website and request for more information or even set up a demo call. We’d love to jump on a live action call.