Security Operations is a data & analytics game, and always has been. There is no shortage of security signal in today’s technology environments. The challenge is in assembling and harnessing the right distributed data and making it accessible to operators in a way that helps them make better decisions, faster.
From alert-driven investigations to proactive threat hunting to incident response, security operations teams need easy access to the right data to protect their organizations and improve security outcomes. There are real consequences for the humans at the end of our security data pipelines: the OODA loop (observe, orient, decide, act) they work through, and the speed of their analysis, suffer when we give them TOO MUCH data, TOO LITTLE data, or DUPLICATIVE data.
Query was purpose-built to help security teams leverage data to get better security outcomes. Query is a Federated Search solution that enables analysts, threat hunters, and incident responders to access, use, and get answers from security-relevant data, wherever it is stored.
Background
Over the last twenty years, the industry has moved from centralized logging of noisy netflow, Windows event (winevt), and syslog data from hosts, to logging a second copy of much the same telemetry from network appliances, and then back to logging both. We also now have higher-fidelity signal from dozens of best-of-breed point tools designed to secure endpoints, data, email, cloud infrastructure, SaaS apps, identities, and more. We have seen an alphabet soup of “next generation” security platforms and products (XDR, MDR, SOAR, CSPM, CNAPP, CWPP, CIEM, XSIAM, and the list goes on), yet the challenges remain. The canonical approach of centralizing all of that signal in a Security Information and Event Management (SIEM) system for visibility and analysis is no longer viable.
Our customers were faced with:
- Ever-increasing data volumes, ingestion & storage costs;
- Data pipelines that are brittle, expensive and painful to maintain;
- A lack of access to security-relevant data in IT & line of business apps; and
- Dozens of tools that just don’t talk to each other.
As a result of all of the above “innovation”, Gartner quadrant-chasing, and pursuit of market differentiation, the data challenge a security analyst faces has only gotten harder: how do I get to answers quickly?
The reality is that security data is everywhere, and it’s becoming increasingly difficult to harness it all to protect organizations from threats. Analysts need to access dozens of security, IT, and line of business apps; each with their own schema, syntax, and presentation of data. Administrator-level knowledge across all these systems is required to piece together the story of what happened and decide where & how to respond. It’s frustrating, time-consuming, and there’s a high risk that something critical will be missed.
Asking analysts to become experts in fifteen more tools, to know where terabytes (sometimes petabytes) of data are located, and to judge their relative importance to the business is unrealistic, and it extends the time it takes to analyze, decide, and act on real cyber incidents.
After working with dozens of enterprise CISOs, SOC teams, threat hunters, and security architects, the requirements for a solution to this problem became increasingly clear…
- It should enable access to ANY security-relevant data source, including systems traditionally not owned by security teams, such as ERP, HRIS, IT, and line of business apps;
- It should reduce or eliminate the need for long, risky, high-cost data pipelining projects;
- It should give analysts and threat hunters a console to search, analyze, and get answers from that data without having to learn a new syntax or pivot across dozens of browser tabs; and
- It should let the analyst, threat hunter, or incident responder answer their most time-sensitive (and threat-sensitive) questions fast.
…And that’s exactly what we’ve built.
Unlike SIEM, XDR, and almost all other security operations products, Query doesn’t require centralization or bulk ingestion of your data. Instead, Query serves as a gateway to distributed, security-relevant data located across the enterprise, so operators can search and get answers in a single console with normalized views across sources.
Where We’re Headed
Our product vision is to provide customers with a solution to enable the most effective, efficient and flexible approach to SecDataOps. Our goal is to be your source for authoritative data that helps you make better decisions, faster.
We’ve designed Query to give you access to, and answers from, all security-relevant data; choice and flexibility in your security data architecture; decision enablement capabilities; and control over costs; and, more importantly, to do it all fast.
Access & Answers
To ensure the best possible security outcomes, your team needs access to, and answers from, all of the security-relevant data across your organization. We’ve built and invested in maintaining API connectors with the leading providers of security tools across all the major categories, including SIEM & Log Management, Endpoint, Identity, Threat Intelligence, Email Security, Mobile Device Management, IT Service Management, Cloud Infrastructure, and Data Lakes. Query’s connector framework is flexible and enables us to add new sources quickly. Going forward, our focus includes:
- Expanding connector coverage to additional security technologies used by our customers and prospects;
- Enhancing our connector framework, making it even simpler to add new sources while expanding the breadth & depth of available data inside of Query; and
- Enabling you to connect to more security-relevant data from contextual sources like ERP, HR, and line of business apps.
Choice & Flexibility
A number of large security players you likely already use are pursuing platform strategies and expanding capabilities into storage and log management. If you’re a CISO, it can feel like you’re locked-in and stuck in Henry Ford’s world where “the customer can have a car painted any color that he wants, so long as it is black.” If you’re an analyst, every day can feel like Groundhog Day as you begin the usual grind of pivots and browser tab bingo.
We’ve invested in a data model designed to accommodate change, flexibility, and extensibility in your security data architecture. Query normalizes and correlates data from any connected source. You’re never locked-in to a provider when swapping out sources is simple. You can choose to store and access data in cost effective cloud storage or modern data lake technologies. We’ve made mapping data from these dynamic sources easier through our configure schema feature, and we’ll carry this forward in our focus which includes:
- Continued expansion of the Query Data Model to increase the breadth and depth of available data sources, types, & attributes;
- Enhancing our configure schema capabilities to include:
  - Templatizing and sharing data mappings to accelerate data onboarding;
  - Investing in improving the administrator user experience; and
  - Providing a guided experience and automated, recommended mappings for dynamic data sources.
We will continue to invest in the Query Data Model and empowering engineers, architects, and administrators with choice, flexibility, and a powerful user experience in how they map data for presentation to end users inside of Query.
Decision Enablement
What good is access to all the data if you can’t act on it quickly? We’ve made it our mission to enable users to easily search & use data to investigate, hunt for threats, respond to incidents, and support audit and compliance programs quickly. Customers can access their data through Query’s web app, directly through our API, or with our Splunk App available in Splunkbase.
We’re investing in Query’s web app to expand its utility and enable specific security operations tasks. Today, it is a single place for customers to search and get answers from distributed security data. Our Query Builder is designed to enable users to build broad or targeted searches to support a variety of investigation and threat hunting use cases. It is simple enough for frontline analysts and powerful enough for more senior engineers. Query’s Summary Insights Dashboards deliver a single, consolidated view of all the issues & alerts across your environment. Users can dive into any issue, entity, or event of interest to begin an investigation. We’re building on this momentum with a focus on:
- Enhancing and expanding views of search results – giving users more powerful filtering capabilities to bring the right data elements into view to enable a faster path through an investigation;
- Adding configurable dashboards to ensure the most relevant insights are front & center based upon a user’s role and interests;
- Enabling deep, federated joins that stitch together results from multiple data sources, reducing pivots and speeding up analysis;
- Enhancing the capabilities of our Splunk App to enable customers to bring even more distributed data sources to the power of the Splunk UI without increasing their costs; and
- Integrating an LLM service to summarize search results and guide analysts, reducing the time required to triage incidents. Because search results routinely contain attacker-influenced strings (file names, command lines, user agents), such summaries are best treated as an aid to triage rather than as a verdict.
Our decision support roadmap also includes launching a Curated Investigation Workbench and Detection & Analytics capabilities.
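To make two of the ideas above concrete, the per-source schema mapping into a common model described under Choice & Flexibility and the federated join on the roadmap, here is a small added example. It is illustrative code written for this page, not Query’s implementation and not the Query Data Model; the source names (`edr`, `sso`), the common-model field names (`time`, `ip`, `host`, `user`, `summary`), the connector functions, and the sample records are all constructed for the demo.

```python
"""Illustrative federated search: map each source's schema into one common
model, then join across sources on a shared entity (here, an IP address).
Added example for this page; not Query's code or data model. All source
names, field names, connectors and records below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample records from two hypothetical sources with different schemas.
EDR_EVENTS = [  # epoch-second timestamps, snake_case fields
    {"device_name": "wks-0142", "local_ip": "10.20.5.17",
     "detect_time": 1700000000, "threat": "Cobalt Strike beacon", "severity": 9},
    {"device_name": "wks-0377", "local_ip": "10.20.9.88",
     "detect_time": 1700000300, "threat": "Suspicious PowerShell", "severity": 5},
]
SSO_LOGINS = [  # ISO-8601 timestamps, camelCase fields
    {"userPrincipal": "A.Ortiz@example.com", "sourceIp": "10.20.5.17",
     "eventTime": "2023-11-14T22:11:20Z", "outcome": "SUCCESS"},
    {"userPrincipal": "svc-backup@example.com", "sourceIp": "10.20.77.3",
     "eventTime": "2023-11-14T22:15:00Z", "outcome": "FAILURE"},
]


def epoch_to_dt(value):
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def iso_to_dt(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Per-source schema mapping: common-model field -> (source field, converter).
# The converters do the normalization (UTC timestamps, consistent casing).
SCHEMA_MAPPINGS = {
    "edr": {
        "time": ("detect_time", epoch_to_dt),
        "ip": ("local_ip", str),
        "host": ("device_name", str.upper),
        "summary": ("threat", str),
    },
    "sso": {
        "time": ("eventTime", iso_to_dt),
        "ip": ("sourceIp", str),
        "user": ("userPrincipal", str.lower),
        "summary": ("outcome", lambda v: f"login {v.lower()}"),
    },
}


def normalize(source, record):
    """Project one raw record into the common model using its source mapping.
    Fields the source does not carry are left absent, never invented."""
    out = {"source": source}
    for common_field, (src_field, convert) in SCHEMA_MAPPINGS[source].items():
        if record.get(src_field) is not None:
            out[common_field] = convert(record[src_field])
    return out


# Connectors stand in for API calls to each source; the filter is pushed down
# so only matching records ever leave the source.
def edr_connector(ip=None):
    return [r for r in EDR_EVENTS if ip is None or r["local_ip"] == ip]


def sso_connector(ip=None):
    return [r for r in SSO_LOGINS if ip is None or r["sourceIp"] == ip]


CONNECTORS = {"edr": edr_connector, "sso": sso_connector}


def federated_search(ip=None):
    """Fan the search out to every connector, normalize, and return one
    time-ordered result list without copying the data centrally."""
    rows = []
    for source, connector in CONNECTORS.items():
        rows.extend(normalize(source, r) for r in connector(ip=ip))
    return sorted(rows, key=lambda r: r["time"])


def federated_join(left_source, right_source, key="ip", window=timedelta(minutes=5)):
    """Stitch together records from two sources that share an entity key and
    fall within a time window; returns (left, right) pairs."""
    rows = federated_search()
    left = [r for r in rows if r["source"] == left_source]
    right = [r for r in rows if r["source"] == right_source]
    return [(l, r) for l in left for r in right
            if l.get(key) is not None and l.get(key) == r.get(key)
            and abs(l["time"] - r["time"]) <= window]


if __name__ == "__main__":
    for edr, sso in federated_join("edr", "sso"):
        print(f"{edr['host']} ({edr['ip']}): {edr['summary']} "
              f"at {edr['time']:%H:%M:%S}Z; {sso['user']} {sso['summary']} "
              f"at {sso['time']:%H:%M:%S}Z")
```

Three design choices carry over to any real federated setup: the filter is pushed down to each connector so only matching records leave the source; a field a source does not have is simply absent in the normalized view rather than filled with a placeholder; and the join is time-windowed, because clocks and event semantics differ across systems and exact timestamp equality almost never holds.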
Control Over Costs
Security data volumes are constantly increasing. Duplicating, pipelining, and centralizing data for use in security operations is becoming cost prohibitive, and the return on that investment keeps shrinking. It requires long, costly engineering projects to deploy and staff to maintain the pipelines; you never really get ALL the data you need into that one central location; and if you want to swap out vendors down the line, you are likely headed for another multi-quarter, multi-million dollar project.
Query enables a different approach to security data architecture and operations. You can leave data at the source, avoiding duplication, pipelining, and ingestion, or you can choose to move it to fit-for-purpose, cost-effective storage and still have all the access you need without your team having to acquire PhDs in data engineering. Query serves as a data fabric across all your sources, or what Gartner would call a Cybersecurity Mesh Architecture. Query puts you in control of when, how, and where to store data, including leaving it at the source.
We’ve established straightforward pricing that includes a quick start package for 5 users and 5 data sources at $5k/month, and enterprise pricing that is not based upon the volume of queries run, the volume of data searched, or, worse, some proprietary formula nobody understands. We want to ensure you never have to reduce your security coverage because of the cost of Query. We’re committed to continuing to provide customers with significant financial ROI, and our focus includes:
- Expansion of our technology partnerships to accommodate customer architecture choices;
- Enhancing our capabilities that reduce or eliminate the need for ETL and pipelining work; and
- Continuing to innovate in our pricing model to provide customers with fairness, predictability in cost, and real financial ROI.
What’s Next?
With Federated Search as our foundation, our mission remains focused on enabling the core jobs to be done in security operations through better use of data. You can expect us to sharpen the tools we already provide and expand deeper into detections & analytics, add curated views and experiences for investigations & threat hunting, and address your additional needs in the area of governance, risk & compliance — all with a focus on enabling a faster path to answers and your desired outcomes.
We’ll continue to be relentless in partnering with customers to put tools in your hands that make the jobs of security operations teams easier and better security outcomes possible. Query is committed to building a solution that serves as the connective tissue between systems that gets the right information in front of the right people without all the cruft and cost typically involved in security data engineering.
We’re in the midst of massive change in the security industry: large, established players are expanding capabilities and pursuing platform strategies, new storage and analytics options backed by cloud-based infrastructure are being adopted rapidly, SaaS applications continue to proliferate, and innovative early stage companies like Query are challenging long-held assumptions. As we pursue our growth initiatives, we will never stop working to expand the capabilities you need to improve your security operations.
Query is a team of creative builders with decades of security operations experience that believes the best ideas come from outside of our virtual building. We hope you’ll keep the conversations going and hold us accountable in helping to make the use of data your most powerful weapon in protecting and defending your organization from security threats.
Let’s disrupt the status quo, together.