When the hackers behind the Target breach uploaded their malware to the company’s servers, detection software reportedly spotted the activity and alerted the security team. And then — nothing happened.
Security teams are often so inundated by alarms and alerts that it’s easy to miss something huge amid the noise. The problem has spawned a bevy of security startups, including Ziften, an Austin, Texas-based firm that is fresh off a $24 million Series C, and which on Tuesday released the latest version of its endpoint detection software.
“People are drowning in alerts, and a lot of those alerts are false positives,” says Josh Applebaum, Ziften director of product marketing. “Part of what we do is help people home in on those significant alerts.”
Ziften’s endpoint detection and response service monitors and logs all activity on a corporate network using agent software on endpoint devices. (“But we don’t like to call it that; we call it a collector,” says Applebaum.) The monitoring service can be deployed either as a virtual machine inside the company’s firewall or as a cloud-based service. Roughly 70 percent of Ziften’s customers are opting for the cloud, says Applebaum.
The newest release, v4.5, adds an integration with the National Vulnerability Database (NVD), allowing a real-time view of any unpatched applications running on the network.
Founded in 2010, Ziften has 50 employees and a base of roughly 40 paying customers, including media giants Gannett, USA Today, and Cox Communications. A channel sales agreement with IBM has helped the company gain customer inroads.
Last week, Ziften announced $24 million in funding led by Spring Mountain Capital, bringing the company’s total funding to $35.3 million.
The market for endpoint detection — which Gartner estimates will hit $400 million next year — is heating up, with recent entrants including CrowdStrike, Tanium, and Carbon Black. FireEye, the malware detection firm whose security alert the Target team reportedly missed, has also launched an endpoint service called Mandiant.
The approach could quickly overtake anti-virus as the primary approach to endpoint defense.
“I don’t believe anti-virus is dead quite yet, but what we used to think of as AV in the past is dead,” says Applebaum. “Endpoint blocking is necessary, but not sufficient. No matter how great your security solution, you will be compromised, and you need to detect that and respond.”