Extracting signal from noise for data-driven incident response
We’re excited to share news of our investment in Uplevel Security, alongside First Round Capital and Aspect Ventures. During my time at Forrester Research, I spent years working with organizations on their security programs and investments and advising startups and vendors on market opportunities. One of the biggest problems I encountered was the high saturation of the security market and the confusion it caused for practitioners, vendors, and investors alike. When we got to know Uplevel’s founder and CEO Liz Maida, we were immediately blown away by her vision for security operations because of its differentiated value and pragmatic approach to incident response. After conversations with security leaders in our network, we soon saw that Uplevel’s solution aligns directly with the needs of CISOs and their security operations teams across industries. We’re thrilled for what Uplevel has accomplished so far, and look forward to the journey ahead together.
We first met Liz at one of our curated Enterprise CTO dinners, where we bring together the top technical leaders from New York’s leading enterprise tech startups. Liz immediately added value to the group, sharing her management and deep technical experience as an early engineering leader for Akamai’s security business. With all of the traffic that Akamai sees as a content delivery network, Liz cut her teeth doing massive-scale data analytics with graph theory to identify malicious network behavior. Her core expertise in graph data structures and analytics, combined with her experience in security and management, is a background few possess.
Problems for security professionals are well known: attacks are increasing, legacy tools aren’t keeping up, there’s a shortage of security talent, there’s an overwhelming number of security products, and teams are inundated with alert and security data. While there is clear value in better orchestration and automation for incident response, working faster doesn’t help if you’re working on the wrong problems. Instead, we’ve found that CISOs want their teams to leverage data to work smarter.
There are hurdles to being a data-driven security team. We found that the main challenges are that:
- Legacy SIEMs require complex correlation rules. The overly manual process of querying and understanding outputs from SIEMs is onerous. Security teams must compile long lists of complicated, modified rules or enlist expert analysts in order to get any meaningful results. Due to this, there is a resource challenge to tune and maintain a system in an enterprise environment that is increasingly dynamic yet under attack.
- Insights aren’t always captured. SOC teams struggle with documenting and using their own internal data from previous investigations, flipping back and forth between different analytics and case management tools. Details from past incidents tend to become tribal knowledge, get lost in back-and-forth emails, or end up stuck in an improvised intranet. Non-standardized processes beget repetitive work and also miss security information that would otherwise have been helpful for a subsequent investigation or risk assessment.
- More data adds overhead. As data volumes grow, so does the dreaded “Splunk tax.” In an effort to combat this, security pros experiment with new ways to capture and analyze their security information, most often by cobbling together something of their own. At the same time, security leaders are wary of bringing in new technology that will add friction to their environment, and want a security architecture that is flexible enough to support future-state enterprise requirements. As organizations think through their move to the cloud, creating a unifying layer that connects siloed data sources becomes paramount.
What makes us ecstatic about Uplevel is that their approach to incident response enables security operations teams to finally be data-driven. Their solution ingests alerts from organizations’ disjointed security investments, such as SIEMs and log managers, threat intelligence feeds and platforms, and other security systems of record, to paint a detailed picture of what’s happening in an organization, identify the root cause of attacks, and initiate the best response.
With Uplevel, security teams can:
- Learn from the past and present. The most relevant threat intelligence that organizations can leverage is the intelligence that they collect on their own internal investigations. Uplevel’s application of graph theory helps security operations teams tie together their historical incident data with external threat intelligence sources and security logs to accelerate the discovery of current or past events that matter most to the enterprise.
- Respond efficiently to threats. Uplevel’s UX is slick and intuitive. It can’t be overstated how important design and visualization are to understanding and working with complex data. Instead of just initiating playbooks, Uplevel’s UI adapts the IR workflow to the specific threats facing your enterprise, based on previous investigation patterns, and suggests the appropriate actions to take.
- Centralize and standardize security data. When switching SIEM solutions or integrating new data feeds, Uplevel can correlate events across platforms without requiring knowledge of the underlying data model. Their forward-thinking approach to security in a hybrid and cloud-native world provides architectural versatility and eliminates a large amount of engineering effort.
It’s refreshing to support a team like Uplevel that pragmatically thinks through “what can we do to make humans work best?” Making use of internal threat intelligence and coordinating a quick response across teams has been a longstanding challenge in the security community. What is even more exciting is looking at what’s next. Going forward, with the ability to share learnings and analytic methods across organizations, Uplevel can help show that events aren’t always isolated, and that enterprises aren’t islands.