“We will offer a cloud-independent analysis service.”

LogPoint has just raised $30 million in a second funding round, for a total of $42 million. The vendor intends to use the new money to strengthen its presence across the Atlantic, but also to move to the cloud with an approach borrowed from the edge computing trend, without giving up the particularly flexible and predictable business model, or the product approach, that earned it Common Criteria EAL3+ certification.


LeMagIT: Against the backdrop of the trend towards automation and orchestration, interest in integrating SIEM with EDR and threat intelligence is growing. How do you position yourself in this context?

Jesper Zerlang: I think it is essential to focus on SIEM and be really good at it before you can integrate with other tools. Two years ago we thought the same about behavioral analytics (UEBA). Today we have our own UEBA module.

The next discussion that naturally arises concerns automation and orchestration (SOAR). There we are sure of the direction we want to take: integration with the best, but we believe the functions intended for first-level analysts must be provided natively by the SIEM, and thus by LogPoint, because we believe we can prepare the data much better for a SOAR solution.

In addition, it is now likely that half of the SOAR technology stack is being used to clean up the data provided by the SIEM. We believe this needs to be fixed at the source, and we believe we offer a better data structure than our competitors. This can simplify the integration between LogPoint and a third-party SOAR tool without competing with its vendor. We have a great relationship with Swimlane, DFLabs, Demisto and even Phantom, despite its acquisition by Splunk.

Let’s not forget that SOAR is a young field. It must be possible to integrate it into the tools of Managed Security Service Providers (MSSPs), but also into solutions developed in-house by large companies. That includes the very complete set of APIs we have developed.

This also applies to integration with EDR tools, even with XDR [by integrating the network], or threat intelligence. And of course we support STIX and TAXII, but also OpenIoC and MISP.

LeMagIT: Is your move to the cloud a reaction to the launch of Azure Sentinel and Chronicle Backstory? Do they overshadow you?

Jesper Zerlang: In the US there seems to be more interest in these offerings than in Europe. Microsoft in particular is pushing Sentinel to its customers, and Google is pushing Backstory to its own. But we also have integrations with Sentinel.

The main contribution of a cloud solution is to accelerate the deployment and expansion of the covered perimeter. We would like to use an edge computing approach for this. Of course, we can already deploy LogPoint on-premises or on AWS. The point here, however, is to ensure local collection and to provide analytics and storage in the cloud, encrypted and secure.

It is very different from an approach like that of Splunk or Sumo Logic, which in fact consists of on-premises logic moved to the cloud. And we are going to put a significant portion of the investment we just received into building that cloud over the next 6 to 8 quarters.

In the end, we will offer a cloud-independent analytics service that is open to other SIEMs, Elasticsearch, Splunk, etc. From the end of next year it will be possible to use our solution without having to replace the SIEM. This matches the requirements of MSSPs in particular.

LeMagIT: The ELK stack in particular has long been valued for building alternatives to SIEM. Elastic understood this and adjusted its investments and offerings accordingly…

Jesper Zerlang: That’s true, but the details require a lot of manual work and maintenance. So they don’t offer a real alternative to SIEM yet, although they will, because they have a very good tech stack. But where they will struggle, like Splunk, is EAL3+ certification, by the way: they only offer one application; it is not inherently secure. Conversely, we offer a complete, robust solution.

This is important for law enforcement agencies, critical infrastructure operators and healthcare providers. I wouldn’t be surprised if the European Union required EAL3+ certification for certain security products within a few years. And you can’t claim that by deploying just one software layer of the entire stack.

LeMagIT: Pricing is a recurring topic in the SIEM market. How do you approach it?

Jesper Zerlang: This is precisely one of our strengths: we count at the source. When you have a thousand servers, you pay for a thousand servers, no matter how much log volume they send or how often. We believe companies want fixed and transparent prices. In our case it is even monthly: an MSSP can pay for 2,000 servers one month; if it loses a client and drops to 500 servers the next month, it pays only for those.

And that’s important, because in the past a SIEM typically covered only the most critical assets. But today there is a lot more to cover, especially when it comes to GDPR: companies’ telephony, their factories, etc.