AI infosec startup DeepTempo uses deep learning on log data to find evidence of cyber security incidents, and has launched its Tempo app, which does this while running natively in Snowflake.
It has just emerged from stealth and its founding CEO is Evan Powell. Tempo uses a large language model, LogLM, that can identify incidents and work with admin staff on fixing them.
The Tempo app’s agentless LogLM detects anomalies in network traffic and provides additional context such as similar attack patterns from the MITRE ATT&CK matrix, potentially impacted entities, and other information needed by security operations teams for triage and response. DeepTempo claims customers get faster detection of attack indicators – including new and evolving threats – and can optimize security spend by running the DeepTempo software on their existing security data lakes.
Powell stated: “Attackers are using AI and collaboration to surpass defenders in innovation. Our mission at DeepTempo is to return the initiative to the defenders. By making available our AI-driven security solution as a Snowflake Native App, we are able to leverage Snowflake’s high availability and disaster recovery along with their security reviews and controls. Our Tempo software is available with immediate availability to the thousands of Snowflake customers.”
A Tempo blog explains: “Built and pre-trained with the assistance of a major global financial institution, Tempo has demonstrated a unique blend of accuracy and practicality, with false positive and false negative rates lower than one percent after adaptation to a new user’s domain. Tempo has been initially optimized to work with NetFlow data and DeepTempo is recruiting users with similar logs such as VPC Flow logs as design partners.
“Tempo can identify subtle deviations from normal behavior, including longer-duration attacks that might slip past traditional signature-based systems. This capability is particularly valuable in the face of innovative attackers, as Tempo doesn’t need to keep track of specific attack patterns. Instead, it simply recognizes when activities deviate from the norm, triggering detection for any threat that emerges.”
Tempo is claimed to save money “by enabling organizations to keep more of their logs within Snowflake and use their SIEMs primarily for incident response rather than log storage … In one case study involving a large financial institution, projected savings reached several million dollars, representing up to 45 percent of their existing SIEM spending. These savings stem from the ability to use Snowflake as the system of record instead of pushing NetFlow and VPC flow logs into a separate SIEM.”
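As an added illustration (not DeepTempo’s or Skidaway’s code, and not LogLM itself), the Python sketch below shows the detection idea quoted above in its simplest statistical form: learn each host’s own hourly norm from NetFlow-style records and flag departures from it, including a low-rate, long-running pattern whose individual flows look ordinary in size. The hosts, addresses and flow records are constructed, and the thresholds are assumptions chosen for the sample.

```python
"""Baseline-deviation and slow-pattern detection over constructed NetFlow-style
records. Added illustration, not DeepTempo or Skidaway code: it shows the idea the
article describes (flag activity that departs from a host's own norm, including
long-running low-rate patterns) using plain statistics instead of a deep model."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

HOUR = 3600


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def constructed_flows() -> list[Flow]:
    """Constructed sample (not real traffic): 48 hours for two internal hosts.
    Both hosts make 4-8 ordinary HTTPS flows per hour to three internal servers.
    From hour 24 on, 10.0.0.9 additionally opens one small flow to 203.0.113.7
    every 10 minutes. Each such flow is ordinary in size, so a per-flow size
    rule would not notice it; only the host's hourly rate and the regularity
    of the pattern give it away."""
    flows = []
    servers = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    for h in range(48):
        for i in range(4 + h % 5):
            for src in ("10.0.0.5", "10.0.0.9"):
                flows.append(Flow(h * HOUR + i * 500 + 37, src, servers[i % 3], 443, 1500 + 250 * i))
    for h in range(24, 48):
        for i in range(6):
            flows.append(Flow(h * HOUR + i * 600, "10.0.0.9", "203.0.113.7", 443, 1800))
    return sorted(flows, key=lambda f: f.ts)


def hourly_features(flows):
    """Per (src, hour): number of flows and bytes sent."""
    feats = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        key = (f.src, f.ts // HOUR)
        feats[key]["flows"] += 1
        feats[key]["bytes"] += f.nbytes
    return feats


def score_deviations(flows, baseline_hours=24, z_threshold=2.5):
    """Learn each host's own mean/std per feature from the first `baseline_hours`,
    then flag later hours whose |z-score| exceeds the threshold. Returns a list of
    (src, hour, feature, z) tuples."""
    feats = hourly_features(flows)
    history = defaultdict(lambda: defaultdict(list))
    for (src, hour), fv in feats.items():
        if hour < baseline_hours:
            for name, val in fv.items():
                history[src][name].append(val)
    flagged = []
    for (src, hour), fv in sorted(feats.items()):
        if hour < baseline_hours or src not in history:
            continue  # no baseline for this host: nothing to compare against
        for name, val in fv.items():
            vals = history[src][name]
            mu, sigma = mean(vals), pstdev(vals)
            # A feature that never varied in the baseline would give an infinite z;
            # floor sigma so a single change is judged relative to the mean instead.
            sigma = sigma or max(abs(mu) * 0.1, 1.0)
            z = (val - mu) / sigma
            if abs(z) > z_threshold:
                flagged.append((src, hour, name, round(z, 2)))
    return flagged


def find_periodic_pairs(flows, min_count=12, min_span=6 * HOUR, max_cv=0.15):
    """Long-duration check: a (src, dst) pair contacted many times at near-constant
    intervals over hours is flagged regardless of volume. Returns
    (src, dst, count, mean_interval_seconds) tuples."""
    times = defaultdict(list)
    for f in flows:
        times[(f.src, f.dst)].append(f.ts)
    found = []
    for (src, dst), ts in times.items():
        ts.sort()
        if len(ts) < min_count or ts[-1] - ts[0] < min_span:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mu = mean(gaps)
        # coefficient of variation of the gaps: near zero means a regular schedule
        if mu > 0 and pstdev(gaps) / mu <= max_cv:
            found.append((src, dst, len(ts), round(mu)))
    return found


if __name__ == "__main__":
    sample = constructed_flows()
    for hit in score_deviations(sample)[:5]:
        print("deviation", hit)
    for hit in find_periodic_pairs(sample):
        print("periodic", hit)
```

On the constructed sample, only 10.0.0.9 is flagged, and only for hours 24 onward: its hourly flow count rises well above its own baseline even though every extra flow is normal-sized, and the per-destination timing check separately reports the 10.0.0.9 to 203.0.113.7 pair as a regular long-running schedule. The two checks are what a per-event signature rule lacks: a per-host norm and a view across time. A learned model replaces the hand-chosen features and thresholds with representations fitted to the data, which is the gap the quoted claims are about.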
DeepTempo actually uses software technology from another startup, Skidaway, co-founded by CEO Evan Powell and CTO Brennan Lodge. Lodge has a cyber security, data management, and financial services background, gained from working at JP Morgan Chase, the Federal Reserve Bank of New York, Bloomberg, and Goldman Sachs.
Powell has been the founding CEO for several acquired startups: Clarus Systems, DDN-acquired Nexenta, Brocade-bought StackStorm, and Kubernetes-focused and DataCore-acquired MayaData.
Skidaway has developed the deep learning Log Language Model (LogLM) software, which DeepTempo uses in its Tempo app, to detect cyber security incidents by analyzing and filtering raw log data. The LogLM software can run on-premises in any Kubernetes-based workload management system or in a data lake (the Tempo Snowflake native app is one example), and can scale to handle petabytes of log data.
This incident detection is done without sending the raw data to SIEM (Security Information and Event Management) systems.
LogLM is a generalized log analysis tool that detects anomalies and supports troubleshooting. Skidaway claims existing log analysis tools are task-specific, each needing its own data set of specialized log-label pairs. LogLM instead has an instruction-based framework that interprets and responds to user instructions, generalizing across multiple log analysis tasks.
Eric Zietlow, the DevRel leader and platform lead at Skidaway, spent time at Powell’s MayaData startup.
DeepTempo’s Tempo is available in preview mode and is the first native app for cyber security in the Snowflake Marketplace.
Bootnote
A Cornell University software engineering paper, “LogLM: From Task-based to Instruction-based Automated Log Analysis”, discusses automatic log analysis and how to transform log-label pairs from multiple tasks and domains into a unified format of instruction-response pairs. The abstract reads: “Experimentally, LogLM outperforms existing approaches across five log analysis capabilities, and exhibits strong generalization abilities on complex instructions and unseen tasks.”