When we require answers online, search engines are instantly available to pore over reams of data to provide us with a synthesized response.
Enterprises are demanding similar immediacy, relevance, and ease of use when they need information from their security telemetry. While the problem is easy to see, the solution has so far been elusive because security data is fragmented across heterogeneous data stores and sits in disparate formats in each of these pods.
Query saw this as an opportunity to tie those pods together, positioning itself as the search engine for security data in complex data environments. Cisco Investments is excited to welcome them as another key investment from our Global AI Investment Fund, announced earlier this year.
The Volume of Data
“Data growth is just exploding,” says Matt Eberhart, CEO of Query. “Our customers report that, on average, they're seeing a 40% year-over-year increase in the amount of security-relevant data in their environments.”
Traditional approaches to managing security data hinged on gathering data from multiple sources into a centralized location or data lake, cleansing and normalizing it, and then performing security tasks such as threat hunting, investigation, and response. But this approach causes problems of its own: it is costly and very time-consuming.
“Security teams are finding that they need answers from a lot more data than what’s in their central systems to protect and defend their company,” Eberhart explains. “They might need identity or asset data, or data that is in cloud systems and hard to reach. Traditional approaches that rely on always moving and centralizing data are not scaling, leaving teams with incomplete answers.”
The federated search platform uses artificial intelligence to help security teams get the data-driven answers they need from data located across their environments. By connecting them to all their data sources, including cloud systems, security tools, data lakes, and IT platforms, Query helps security analysts, threat hunters, and incident responders use data to make better decisions.
Bringing the Pieces Together Through AI
Query federated search is a search and analytics solution that delivers immediate answers from distributed data wherever it is stored. Users can access Query directly or through a plugin app for Splunk. A simple yet powerful interface makes it easy to search once across all connected data sources, receiving normalized results that can be used together to form a complete answer. Ultimately, users gain access to the precise data they need.
“In security, it's rarely just one question that you're trying to answer. The answer to one question leads to another question, which leads to the next question,” Eberhart says. “It might start with, ‘We identified a threat, now what assets are being targeted? Was the threat contained? If not, what do we know about the asset? What users are associated with it? Who are they? What system and networking activity do we need to investigate?’ You peel back the onion, it goes on and on. The data is there, it is just not readily accessible. We help security teams turn their data into an advantage, so they can get the answers they need faster.”
Query enables teams to put data previously stranded in distributed platforms and tools to work as needed. Query is built to be simple enough for entry-level users and capable enough for advanced team members who have complex questions requiring data from dozens of siloed data sources.
Perhaps most impressive is Query’s early adoption of the Open Cybersecurity Schema Framework (OCSF), an industry framework that provides structure for security data. This allows Query to take content from different data structures and reconcile it for data inquiries, acting like a universal translator for different data models.
OCSF is an open-source community to which Cisco is a contributor. Our investment in Query will help propagate OCSF efforts further in the security industry.
“Users of Query don’t need to understand and translate between all the different data formats and search languages for each system,” Eberhart says. “Imagine trying to have one conversation with a dozen different people that all speak different languages. Not only do you need to speak to them in their language, but you also need to understand what they are saying back to you and use all the information together. Query uses OCSF at the time of the search to translate and return one set of normalized results.”
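As an added illustration of the query-time translation described above (my own example, not Query's code): two constructed log sources with different shapes are mapped onto a simplified OCSF-style Authentication record, and one search then runs across both. The field names follow OCSF naming, but the schema is deliberately reduced and the sample records are invented.

```python
from datetime import datetime, timezone
# Constructed sample records (not real data) from two differently shaped sources.
CLOUD_AUDIT = [  # cloud audit log: camelCase keys, ISO-8601 timestamps
    {"eventTime": "2024-05-01T10:00:00Z", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:05:00Z", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.9", "responseElements": {"ConsoleLogin": "Failure"}},
]
EDR_LOGONS = [  # endpoint agent: snake_case keys, epoch seconds
    {"ts": 1714557660, "host": "ws-17", "user": "alice", "remote_ip": "203.0.113.5", "outcome": "success"},
    {"ts": 1714558200, "host": "ws-22", "user": "carol", "remote_ip": "192.0.2.44", "outcome": "failure"},
]
AUTHENTICATION_CLASS_UID = 3002  # OCSF Authentication event class

def normalize_cloud(rec):
    """Translate a cloud audit record into the common OCSF-style shape."""
    dt = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
    return {"class_uid": AUTHENTICATION_CLASS_UID,
            "time": int(dt.astimezone(timezone.utc).timestamp() * 1000),  # OCSF time is epoch ms
            "actor": {"user": {"name": rec["userIdentity"]["userName"]}},
            "src_endpoint": {"ip": rec["sourceIPAddress"]},
            "device": {"hostname": None},  # a console login has no endpoint host
            "status": rec["responseElements"]["ConsoleLogin"]}

def normalize_edr(rec):
    """Translate an endpoint logon record into the same shape."""
    return {"class_uid": AUTHENTICATION_CLASS_UID,
            "time": rec["ts"] * 1000,
            "actor": {"user": {"name": rec["user"]}},
            "src_endpoint": {"ip": rec["remote_ip"]},
            "device": {"hostname": rec["host"]},
            "status": rec["outcome"].capitalize()}

# Connected sources: (records, translator). A real connector would call each
# source's own API and search language; here the records are in memory.
SOURCES = {"cloud_audit": (CLOUD_AUDIT, normalize_cloud), "edr": (EDR_LOGONS, normalize_edr)}

def federated_search(user=None, src_ip=None):
    """Search every source once, translating at query time, and merge the hits."""
    hits = []
    for product, (records, normalize) in SOURCES.items():
        for rec in records:
            ev = normalize(rec)
            ev["metadata"] = {"product": {"name": product}}  # keep provenance per hit
            if user and ev["actor"]["user"]["name"] != user:
                continue
            if src_ip and ev["src_endpoint"]["ip"] != src_ip:
                continue
            hits.append(ev)
    return sorted(hits, key=lambda e: e["time"])  # one timeline across sources
```

Because both sources come back in the same shape, a pivot from a user to a source IP to a host needs no per-source query rewriting.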
Focusing on the Future
With its focus always on addressing user challenges and needs, Query is setting itself up to be the search engine of security: a user-friendly tool that delivers answers and broadly supports the other tools that users need.
“We support over 40 different integrations today,” Eberhart exclaims. “Query delivers the consolidated view of security-relevant data and alerts that teams need, without all the data engineering gymnastics and high costs typically required to achieve it.”
Looking toward the future, Query aims to continue adding integrations based on customer needs while anticipating customer data needs, ultimately ensuring that users have the right information at their fingertips whenever they need it. Just as consumers can search for nearby coffee, SOC analysts across the globe will ‘Query’ for security-relevant data in their environments with as much ease. Both the vision and the technology are that elegant and intuitive.