Bricata CEO John Trauth discusses how Bricata is helping the world’s largest organizations secure their networks by delivering the most complete network detection and response (NDR) capabilities available.
1) What was your original vision for Bricata?
JT: The goal was to increase network visibility and eliminate the blind spots that exist in every company. My vision was to give security teams all the information they need about what is happening on their networks within a single platform.
Security analysts are constantly being hit with a lot of noise. In other words, many alerts without any context. Bricata was designed specifically to deliver immediate context about what triggered an alert, where and why it took place, and what happened before and after the alert was triggered.
The initial release of Bricata’s software combined advanced intrusion detection capabilities, using Suricata signatures, with full PCAP data to provide context. The information was presented in a user-friendly management console that allowed analysts to access all of the data in a single view, eliminating what many of our customers call swivel-chair analysis.
2) How has your vision for Bricata changed or expanded over time?
JT: We’ve added network metadata from Zeek and advanced malware detection, and made it easy to export information from Bricata to SIEM, SOAR and other tools, such as EDR platforms. In addition, we’ve continued to focus on making the platform the easiest to use and enhanced our analytics to provide the advanced capabilities needed for proactive threat hunting of unknown threats.
In the future you’ll see even more machine learning and artificial intelligence capabilities to support analysts, not replace them as many other offerings claim to do.
3) What is most unique about Bricata?
JT: I like to say we deliver explainability — something everyone wants and no one else provides. Explainability is what attracts customers to Bricata. With our product, organizations can reduce dwell times by detecting threats automatically, shortening incident response times and remediating problems faster and more efficiently.
Our main focus is on empowering analysts. We’re simplifying their jobs by providing them with reliable information and tools all within the same application. With Bricata, SOC and threat hunting teams can realize huge efficiency gains because they’re automatically detecting bad things as they happen and, more importantly, getting immediate visibility and context about why an alert was triggered and what happened both before and after the alert occurred. We’re the only one who does this today in a single software-based product.
4) The security market has many definitions for visibility. What does visibility mean to Bricata?
JT: Visibility consists of at least three components:
- Flexible deployment options for sensors. Bricata sensors can be installed anywhere on your network instantly. Our sensors are software-based and do not require expensive proprietary hardware appliances. We’ve simplified our licensing methodology to make it more affordable. We charge based on the average (not peak) aggregated throughput analyzed by the sensor grid, instead of more complex models that calculate the number of users, devices or even IP addresses. Our approach allows organizations to deploy many more servers for a fraction of the cost of competitive products.
- Easy access to all of the available data for context, not just what a detection engine or ML model defines as important. For alerts, all of the network metadata, PCAP and file content related to the event is automatically summarized and made available in a single view at the click of a button. However, many of our customers leverage Bricata to identify suspicious and malicious activity at the earliest stages of the kill chain itself by using our more proactive workflows, starting in our Metadata view to group and sort huge volumes (and time periods) of network history.
- The ability to quickly review and edit all signatures and scripts. Analysts can see what triggered an alert and why and, if needed, adjust or customize signatures or scripts to make them more effective for an organization. In other words, instead of jamming a square peg into a round hole, with Bricata you can customize our product to fit your environment. Our data tuning and automatic tagging features, which have been in production for over a year, take things one step further by simplifying the process of customizing detections and automatically tagging events, both in the Bricata platform and other ecosystem tools such as SIEMs.
5) The new Bricata website introduces a new company tagline: Now You Know. Why does Now You Know resonate with you and why did you choose it?
JT: Now You Know helps define the comprehensive detection, 360-degree network visibility and context that Bricata provides. We’re delivering clarity and understanding about what is happening on a network and why so security teams can quickly take appropriate action. Bricata extracts all of the network information in real time and makes it available through our management console or seamlessly integrates it into a SIEM, EDR, SOAR or other security tool.
Bricata customers tend to be large organizations in highly regulated industries or government agencies with sophisticated security teams and well-developed security playbooks. Yet, despite the security, prevention and protection applications these organizations already have in place, they still have vulnerabilities that Bricata’s advanced NDR capabilities are helping them address.
6) Anything else you’d like to add?
JT: One of our biggest growth areas in 2020 has been with Managed Security Service Providers (MSSPs). Many small to mid-size companies want more in-depth and proactive security response solutions and are looking for Managed Detection and Response (MDR) subscriptions from MSSPs to help them better protect their environments and rapidly respond when incidents unfold. MDR offerings enable MSSPs to evolve their customer engagements from basic blocking and tackling to broader and more sticky relationships.
MDR opens up a new market for us with partners like MegaPlanIT and Bantam Technologies. The comprehensive network visibility we deliver, which is critical for effective detection and response, is one of the reasons for our success with MSSPs. The second is that we are one of the few solutions (if not the only one) to offer multi-tenancy capabilities MSSPs need to easily serve many customers within their environment.
John Trauth is CEO, President and Co-founder of Bricata and leads the company’s strategic direction and growth. He has more than 25 years of demonstrated success in driving market expansion, revenue growth and operational excellence at large established companies such as BEA, Oracle, IBM and Tektronix, and at smaller companies such as Cybertap, QMS, Enterworks and Merlin International. Prior to founding Bricata, John served as President of Cybertap (acquired by IBM) and Merlin International.