Getting access to the right data in security operations has been too hard for too long. The latest release of Query fixes that by putting access to all of your security-relevant data and powerful search capability directly in the hands of anyone needing answers from security data.

Accessing the right data is a fundamental ingredient for success in security operations. Whether it’s traditional syslog, higher fidelity information from modern security controls, or contextual information to aid in analysis — security teams leverage data to observe, orient, decide, and act. Improved visibility is a familiar refrain from CISOs and their teams when asked about their strategic priorities, and there are a number of obstacles to achieving it. Our latest release furthers our mission to deliver access to all the data a security team needs.

We designed Query to deliver the desired outcomes we’ve heard from dozens of security teams:

  • Complete visibility into all security-relevant data;
  • Choice & control in where to store data;
  • Faster, more efficient investigations; and
  • Reduced cost of security operations.

It’s All About the Data…

It turns out that Marc Andreessen was right about the explosion of technology and data when he wrote Why Software is Eating the World in August 2011. Nearly twelve years later, everything in our lives runs on software and is delivered as an online service. The result has been a massive expansion in the volume of systems and data for security teams to defend and protect.

As technology has advanced & evolved, our industry has responded with an increasing number of security controls & tools to address an expanding attack surface, all of which produce more security data to process and consume. Many now argue that we’ve reached a point of diminishing returns, and tool rationalization & consolidation projects are making frequent appearances on the roadmaps of many security organizations. It’s not an unreasonable argument, given that a quick Google search for “too many security tools” yields around 1,000,000,000 results.

Nearly every B2B and B2C process or service is now enabled by technology. Cloud and mobile apps have taken data & transactions far outside the traditional hardened network perimeter. Security capabilities are increasingly embedded in line-of-business applications and there is a maturing “secure-by-design and -default” movement upon us. This is driving security teams to need access to security-relevant data stored in non-security systems — something often easier said than done.

The canonical approach has been to centralize security data in security information and event management (SIEM) products, or more recently, in data lake technologies where it can be correlated, searched, and analyzed. Centralizing security data has become so ingrained in our approach that we just shrug our shoulders and run headlong into the costs of data ingestion & storage, the insanity of duplicating data (and paying for it), and the technical challenges involved in pipelining and normalizing it all so that it is ready for use.

As an industry, we have a number of problems to address:

  1. We have an ever-increasing number of things to protect;
  2. Those things produce more security data to process and use; and
  3. We have security-relevant data in non-security places.

All of these challenges combine to make security operations inefficient and more costly. Walk by the virtual desk of your favorite SOC analyst or incident responder and you’re likely to see a couple dozen tabs open in their browser. Many are for accessing tools that contain data that can’t or won’t make its way into a SIEM or data lake. Others are Google searches or ChatGPT looking for guidance on how to construct queries in a language or syntax they’re not familiar with. There will be Slack messages to colleagues in IT or other business units begging for help in getting a bit of contextual information that will help confirm or refute their investigation hypothesis. You’ll see them working across these tabs as they pivot their questions and the data they are looking for in the course of an investigation. Their toil & burnout is real, it’s costing companies real money, and it’s getting in the way of the security outcomes you’re aiming for.

We Believe There’s a Better Way

We believe that you don’t have to centralize more data for the sake of security operations; or at the very least, you don’t have to centralize all of it. Too many SIEM projects take far longer than planned, cost far more than budgeted, or even worse, fail.

We believe that being forced into making a tradeoff between cost and access to the right data shouldn’t be a thing in our industry. We believe security teams deserve to spend their time and expertise deciding and acting, and not on the gymnastics currently required to get the data needed to efficiently conduct and close an investigation. These beliefs are the inspiration for our latest release, which doubles down on Query’s federated search capabilities.

Here’s How It Works

A single, intelligent search bar

Most investigations start with a single piece of data — a user name, suspicious IP address, file hash, etc. — and a question: what do my systems know about this? Query makes it simple to build your search with no arcane syntax to worry about. Just tell us what you’re looking for and where, and Query does the heavy lifting. Under the hood, our Query engine plans your search, translates it to any syntax required, executes the search, and then normalizes, joins, and filters the results. Unlike other federated search products that perform simple text-based search or screen-scraping, Query delivers rich results directly from the source of truth across all of your connected data sources.

A growing list of pre-built connections

We’ve built API connections to leading products across a broad range of categories – including Splunk, Microsoft Defender, Carbon Black, CrowdStrike, Active Directory & Azure AD, Okta, Zscaler, VirusTotal, and Recorded Future, to name a few – and we’re adding more every week. Our goal is to deliver access to ALL of your data, wherever it is stored, including security-relevant data in non-security systems. Query handles schema mapping for static platforms and includes a dynamic schema capability to make it easy to address those that may be unique or customized by clients. Pre-built, productized integrations get you out of the business of using shared accounts. Most connections take just a minute or two to establish and are a one-and-done affair, making it easy to add new sources as your technology environment changes and evolves.

Pivot quickly to answer the next question

While every search starts with a single question, the answer to one question always leads to another. More often than not, one of those questions will require data that is traditionally not easy to access. Using Query makes it easy to pivot your search in whatever direction it needs to go without hopping across browser tabs, and you can always come back to recent & saved searches. Pivoting is a part of life in security operations. Query makes it simple so you can stay in your flow.

Visualize data relationships and unlock the story

What happened? Then, what happened next? What do we know about an account, domain, file or host? Are any of these things related? Questions like these are common in security investigations. The graph view in the Query platform allows analysts to see the relationships across data, pivot, and go deeper into contextual sources to develop and unlock the story in an investigation.

Secure by Design

Query is a security product built by security experts, for security experts. We’ve thought through our threat model and designed Query to be resilient against attacker tactics without the need for additional configuration and hardening. We’ve taken a cutting-edge approach in engineering our solution for secret storage, and we’ve taken least-permissive access to an obsessive degree of granularity. Multiple options to support single sign-on and MFA are included, and we’ll never ask you to pay more to use them. You can learn more about our approach to security & compliance here, including requesting access to our SOC 2 report — just email your request to security@query.ai.

We’re Just Getting Started

Query federated search enables security teams to break free of tradeoffs between cost and access. It makes it easier to get investigations, threat hunting, and incident response work done. It removes elements of the job that result in the toil and burnout that analysts currently face on a daily basis. We’re proud of the product we’ve built, and we’re just getting started. Future planned capabilities include plug-ins and apps for the leading security operations platforms, clever ways to enable collaboration across teams, more integrations with the products you already use, a workbench to facilitate investigations & reduce the administrative burden on analysts to near-zero, and more.

Ready. Set. Go Query!

Visibility and access to data are the lifeblood of security operations. They won’t solve every security problem under the sun, but they are a foundational need that has been too hard to achieve for too long. We’d love to share what we’ve built. If your work has you involved with security operations workflows, SIEMs, data lakes, or security architecture, there’s a good chance we can help. Check out a 2-minute demo video or schedule your onboarding here.