SS8 brings law enforcement-style forensics to the enterprise
SS8 Networks Inc., a company whose clients until now have mainly been limited to telecommunications firms, intelligence agencies and law enforcement organizations, is bringing its breach detection technology to enterprises with a platform that uses a “time machine” approach to sniff out intrusions by comparing patterns to a vast database of past activity. The company is betting that its deep understanding of communications flows and years of experience tracking criminal suspects will give it a unique edge in pinpointing cyber criminals.
The company is tackling a new approach to security driven by the reality that attackers often lurk inside breached servers for a long time while slowly siphoning away valuable data. Verizon’s 2016 Data Breach Impact Report found that data breaches often go undetected for months and that virtually no organization of any size has evaded penetration so far. These new realities have caused many Chief Information Security Officers to reevaluate their approach to security and move toward a strategy of containment rather than prevention. “No one, including CISOs, can control threats to their organization — they can only be aware and be prepared for their arrival,” wrote Gartner Inc. in a recent report.
SS8’s approach is to scrutinize historical records and match them with current patterns in near-real-time. “We can look at packet patterns and apply analytics to create high-definition records that become the Cliff Notes of the communications,” said Faizel Lakhani, president of SS8. “That is the key ingredient in how we protect infrastructures.”
The SS8 BreachDetect is described as a “time machine” that generates and stores months or years’ worth of records from all communications flows. Those are analyzed continuously against past, current and future network activity to find unidentified breaches. Each client’s records are kept confidential, though SS8 will use “anonymized” data from multiple clients in some situations.
The technology uses a set of lightweight sensors to generate unique records. A learning analytics engine analyzes, learns and matches high-definition records data with user, device and threat intelligence information and points out patterns that have historical precedent in indicating a threat.
As Lakhani described it, “What if I could wind back the clock and use that knowledge against something that occurred months ago? It’s exactly the same model intelligence agencies use with terrorists.” As an example, he cited a computer that suddenly initiates long outgoing FTP sessions that break from its usual behavior. “It’s totally normal to get patches and upgrades, but when it starts sending files things become serious,” he said.
SS8 has raised $40.5 million in funding, led by Kleiner Perkins Caufield & Byers, Intel Capital Corp. and Goldman Sachs Group Inc. The company has been around since 1994 – and raised its last funding round in 2010, according to CrunchBase – but has been a quiet player due to its focused and secretive client base. SS8 claims to supply six of the world’s largest intelligence agencies with technologies to understand criminal activity from packet analysis.
The security analytics service will be delivered on a software-as-a-service model at $1,200 per 100 megabit-per-second traffic stream. Each month of stored history costs $400.