Auspex Labs Inc.: the Beginning
An increasing amount of cybersecurity work is being performed by search engine-based systems, which index and correlate vast amounts of data fed into them. While these systems are adept at identifying specific issues for forensic analysis post-event, they often underperform in detecting attacks or breaches in real-time.
Two particular experiences highlighted the need for a novel approach to cybersecurity. The first involved a large organization relying heavily on a search engine-based cybersecurity system. The main challenge was the extended duration required to index data, resulting in analyses of events that occurred months prior. By optimizing the system and incorporating high-end hardware, I managed to reduce the indexing time from months to weeks, which pleased the organization. However, I found the outcome less than satisfactory.
In another case, a different organization transitioned from distributed to centralized security teams while maintaining local search engine-based systems in branch offices. The IT staff, inheriting these systems, lacked understanding and enthusiasm for managing them. Despite a monthly review requirement, they were uncertain about what to look for. Although I developed specific queries and interfaces to aid them, the engagement left me feeling unfulfilled.
Over the years, personal information leaks from government agencies, credit reporting agencies, and health insurers have become all too common. My investigations into these incidents revealed that the average detection time exceeded 200 days, without significant improvement in detection rates over the last decade.
To tackle these issues, I developed Auspex Observatory™. Unlike traditional methods that rely on indexing, Auspex Observatory™ focuses on classifying and cataloging data, breaking it down into tokens and relationships. This approach enables the system to ingest security data in real-time. Furthermore, the user interface of Auspex Observatory™ is designed to enable anyone to perform threat hunting without needing specialized training.
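The paragraph above contrasts two designs: indexing data so it can be searched later, versus breaking each record into tokens and relationships as it arrives so that a question can be answered on the spot. The sketch below is an added illustration of the second idea and is not code from Auspex Observatory or Auspex Labs; the log format, the field names, the "spray-like" and "new-source" rules, and the threshold of three are all assumptions chosen for the example. It tokenizes constructed sshd-style lines one at a time, catalogs the user-to-IP and IP-to-failed-user relationships, and raises an alert on the very line that completes a suspicious pattern, rather than after a later index job.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an sshd-like format; not taken from any real system.
SAMPLE_LOGS = [
    "2024-05-01T08:00:01Z host1 sshd: Accepted password for alice from 10.0.0.5",
    "2024-05-01T08:00:07Z host1 sshd: Failed password for bob from 203.0.113.9",
    "2024-05-01T08:00:09Z host1 sshd: Failed password for carol from 203.0.113.9",
    "2024-05-01T08:00:11Z host2 sshd: Failed password for dave from 203.0.113.9",
    "2024-05-01T08:00:15Z host2 sshd: Accepted password for alice from 198.51.100.7",
    "not a recognised line",
]

# Hypothetical line grammar; a real deployment would carry one pattern per log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: "
    r"(?P<outcome>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def tokenize(line):
    """Split one raw line into named tokens; return None for lines we cannot classify."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


class RelationshipCatalog:
    """Keeps relationships between tokens up to date as each line is ingested."""

    def __init__(self, spray_threshold=3):
        self.user_ips = defaultdict(set)          # user -> source IPs with an accepted login
        self.ip_failed_users = defaultdict(set)   # source IP -> distinct users it failed for
        self.spray_threshold = spray_threshold    # assumed threshold for the example
        self.alerts = []
        self.unparsed = 0

    def ingest(self, line):
        """Catalog one line and return any alerts it triggers, immediately."""
        tok = tokenize(line)
        if tok is None:
            self.unparsed += 1
            return []
        alerts = []
        if tok["outcome"] == "Failed":
            failed = self.ip_failed_users[tok["ip"]]
            failed.add(tok["user"])
            # Fires on the exact line that reaches the threshold, not on a later batch run.
            if len(failed) == self.spray_threshold:
                alerts.append(
                    f"spray-like: {tok['ip']} failed for {self.spray_threshold} distinct users"
                )
        else:
            known = self.user_ips[tok["user"]]
            if known and tok["ip"] not in known:
                alerts.append(
                    f"new-source: {tok['user']} accepted from {tok['ip']} "
                    f"(previously {sorted(known)})"
                )
            known.add(tok["ip"])
        self.alerts.extend(alerts)
        return alerts


def run(lines):
    """Stream the lines through a fresh catalog and return it for inspection."""
    catalog = RelationshipCatalog()
    for line in lines:
        for alert in catalog.ingest(line):
            print(alert)
    return catalog


if __name__ == "__main__":
    cat = run(SAMPLE_LOGS)
    print(f"{len(cat.alerts)} alerts, {cat.unparsed} unclassified lines")
```

The catalog is the only state the rules need, so each line costs a regex match and a couple of set operations, which is what makes real-time ingestion feasible; the trade-off is that questions nobody anticipated as a relationship still need the raw data, so in practice such a catalog sits alongside retained logs rather than replacing them.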