Finding a Needle in a Data Haystack

Query is a federated search platform for security data.

Datos Insights’ quarterly fintech spotlight report showcases products and services that offer unique or innovative solutions to cybersecurity problems. Our advisor team selects the vendors included in these reports, and this quarter, I selected Query.AI, Inc. (Query) as my spotlight vendor. Query’s product is designed to surface security data that is otherwise hard to find. Those who follow me know I cover the security orchestration, automation, and response (SOAR) space. Although I see SOAR as essential to security operations (SecOps), it lacks the data mining capabilities needed to surface the threat intelligence CISOs sorely need.

Query, founded in 2018, is a private, 20-employee cybersecurity software company focused on developing a federated search platform for security data. The company targets midsized to large enterprises that are dissatisfied with the search capabilities of their security information and event management (SIEM) and SOAR tools. Based in Atlanta, Georgia, the company has raised US$19.6 million in seed and series A funding from investors including ClearSky, SYN Ventures, and DNX Ventures.

Finding data relevant to security and potential incidents is a persistent problem for security operations teams. Evidence of breaches and threats is spread across the organization: on servers and endpoints, in the cloud, and in many applications and tools. Each of these must be investigated separately, which is time-consuming and leads to a triage process that is inconsistent from analyst to analyst and produces incomplete or erroneous results.

Where data is centralized in SIEMs, endpoint detection and response (EDR) systems, and similar tools, storage is expensive and ingestion is not real-time, which drives up storage costs and prompts re-architecture projects. Overall, the status quo offers poor visibility, limits the choice and control organizations have over their data and architecture, raises operating costs, and performs poorly.

Why Query Unlocks Key Security Data SOARs Keep Hidden

Query is a federated search platform for security data that lets security professionals search their environment in real time, from a single search window, for IP addresses, file hashes, or other indicators to support security investigations, threat hunting, and incident response. It returns results from both security and non-security sources, providing broad context for analysis, including visualizations that show how data from many sources is linked.

The platform returns detailed data from each source, normalized and contextualized so it is ready for analysts to work with. The data is presented graphically to show relationships and support quick understanding. Query manages the API integrations, so new data sources can be onboarded in minutes and are immediately searchable; this frees architects to leave data where it resides or move it to lower-cost storage.
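The fan-out, normalize, and link pattern described in the two paragraphs above, shown as an added illustration that is not Query's code and makes no claim about how its platform is implemented internally. It assumes three constructed sources with deliberately different shapes (an EDR JSON-lines export, firewall syslog, and a cloud audit log), a hypothetical common record schema, and a fixed year for syslog lines that carry none; every log line is fabricated for the example. One query for an indicator is sent to every source adapter, each adapter maps its native format into the common schema, a failing source is reported rather than sinking the whole search, and the entities that co-occur with the indicator across sources become the pivots an analyst would chase next.

```python
"""Minimal federated search over heterogeneous security data sources (added example)."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# --- Constructed sample data (not real telemetry) -------------------------------
EDR_JSON_LINES = """
{"ts": "2024-03-01T10:02:11Z", "host": "wks-17", "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "dst_ip": "203.0.113.45", "proc": "updater.exe"}
{"ts": "2024-03-01T10:05:40Z", "host": "wks-22", "sha256": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae", "dst_ip": "198.51.100.7", "proc": "chrome.exe"}
"""
FW_SYSLOG = """
Mar  1 10:02:12 fw1 kernel: ACCEPT src=10.0.5.17 dst=203.0.113.45 proto=tcp dpt=443
Mar  1 10:09:03 fw1 kernel: DROP src=10.0.5.19 dst=192.0.2.200 proto=tcp dpt=22
"""
CLOUD_AUDIT = [
    {"eventTime": "2024-03-01T10:03:00Z", "sourceIPAddress": "203.0.113.45",
     "userIdentity": "svc-backup", "eventName": "GetObject"},
]
SYSLOG_YEAR = 2024  # assumption: classic syslog timestamps carry no year


@dataclass(frozen=True)
class Record:
    """Hypothetical common schema every adapter must produce."""
    source: str
    ts: str              # ISO 8601, UTC, so records from any source sort together
    entities: frozenset  # of (entity_type, value) pairs found in the event


def _edr_adapter(indicator: str) -> list[Record]:
    out = []
    for line in EDR_JSON_LINES.strip().splitlines():
        ev = json.loads(line)
        ents = {("host", ev["host"]), ("sha256", ev["sha256"]),
                ("ip", ev["dst_ip"]), ("process", ev["proc"])}
        if indicator in {v for _, v in ents}:
            out.append(Record("edr", ev["ts"], frozenset(ents)))
    return out


_FW_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ kernel: (\w+) "
                    r"src=(\S+) dst=(\S+) proto=\S+ dpt=(\d+)$")


def _fw_adapter(indicator: str) -> list[Record]:
    out = []
    for line in FW_SYSLOG.strip().splitlines():
        m = _FW_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the source
        mon, day, hms, action, src, dst, dpt = m.groups()
        ts = (datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
              .replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
        ents = {("ip", src), ("ip", dst), ("fw_action", action), ("port", dpt)}
        if indicator in (src, dst):
            out.append(Record("firewall", ts, frozenset(ents)))
    return out


def _cloud_adapter(indicator: str) -> list[Record]:
    out = []
    for ev in CLOUD_AUDIT:
        ents = {("ip", ev["sourceIPAddress"]), ("user", ev["userIdentity"]),
                ("api_call", ev["eventName"])}
        if indicator in {v for _, v in ents}:
            out.append(Record("cloud", ev["eventTime"], frozenset(ents)))
    return out


ADAPTERS: dict[str, Callable[[str], list[Record]]] = {
    "edr": _edr_adapter, "firewall": _fw_adapter, "cloud": _cloud_adapter,
}


def federated_search(indicator: str, adapters=ADAPTERS) -> list[Record]:
    """Fan one query out to every source; merge the normalized hits in time order."""
    hits: list[Record] = []
    for name, fn in adapters.items():
        try:
            hits.extend(fn(indicator))
        except Exception as exc:  # one broken source must not hide results from the rest
            print(f"[warn] source {name} failed: {exc}")
    return sorted(hits, key=lambda r: r.ts)


def pivots(indicator: str, hits: list[Record]) -> dict[tuple, set]:
    """Entities that co-occur with the indicator, keyed to the sources that saw them."""
    linked: dict[tuple, set] = {}
    for r in hits:
        for ent in r.entities:
            if ent[1] != indicator:
                linked.setdefault(ent, set()).add(r.source)
    return linked


if __name__ == "__main__":
    ioc = "203.0.113.45"
    results = federated_search(ioc)
    for r in results:
        print(r.ts, r.source, sorted(r.entities))
    for ent, srcs in sorted(pivots(ioc, results).items()):
        print("pivot:", ent, "seen in", sorted(srcs))
```

Searching for the IP returns one hit from each source in timestamp order, and the pivots tie the address to a host and hash from the EDR, an internal source address from the firewall, and a service identity from the cloud log, none of which any single source could have shown on its own.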

Query’s platform addresses a problem many organizations report: the security data centralized in a SIEM represents less than 1% of the relevant data available across the enterprise. The product sits in, or adjacent to, several cybersecurity market categories, including security investigations, SIEM, SOAR, threat hunting, and extended detection and response (XDR), mainly because all of them share the need to extract meaningful security information from disparate data sources.

With one search bar, users can simultaneously search current and archived security data, wherever it is stored. Implementation is straightforward; on average, the platform is in use less than an hour after deployment. Pricing starts at five seats and five integrations for US$5,000 per month, although most enterprises choose an enterprise-wide license.

Datos Insights believes that Query is an ideal SecOps tool that delivers the data insights many other security tools promise but never deliver. It enables the emerging DataSecOps trend, which seeks to empower security operations with enterprise-wide data and collaboration. Query’s solution accesses both current and historical data to retrieve actionable information hiding in plain sight, which can be used to uncover indicators of compromise and previously unseen threat patterns. SecOps personnel are effectively data-blind when they lack access to critical data while investigating and responding to serious security issues. Query knows where valuable data is located and makes it available to the cybersecurity staff who need it most.

If you suffer from the frustration of not finding critical security data and are tired of sifting through reams of SIEM data, check out Query’s product. I would also love to hear how you have overcome SIEM data fatigue. Contact me here to share your data query experiences.