AWS Partner Network (APN) Blog

Anomali Launches Differentiated Cloud-Native XDR SaaS Solution with Support from AWS SaaS Factory

By Ranjith Raman, Sr. Partner Solutions Architect – AWS
By Oded Rosenmann, Global Practice Lead, SaaS Partners – AWS


Organizations are increasingly looking for new ways to defend themselves against cyber threats, fraud, and ransomware attacks. Many enterprises and government agencies turn to cyber security solutions that provide efficient and effective detection and response capabilities to proactively prevent attackers from breaching their networks and applications.

To help organizations overcome these challenges, Anomali, a leader in intelligence-driven cybersecurity solutions, recently launched its cloud-native extended detection and response (XDR) solution, The Anomali Platform.

Building upon its leadership position in the cyber threat intelligence space, The Anomali Platform provides customers with a new dimension of security visibility across all log telemetry from endpoints to the cloud. It provides precision detection and optimized response capabilities that extend across the entire security infrastructure.

With the support of AWS SaaS Factory, Anomali has built The Anomali Platform as a software-as-a-services (SaaS) solution that helps improve organizational efficiencies. It provides security teams with the tools and insights needed to detect relevant threats, make informed decisions, and respond effectively.

“The AWS SaaS Factory team was instrumental in helping us identify appropriate service options aligned with our enterprise customer requirements,” said Mark Alba, Chief Product Officer at Anomali. “Working with the team, we saved months of engineering efforts to build a powerful platform that meets our current needs and allows us to scale.”

The cloud-native XDR solution is fueled by big data management, machine learning, and a large repository of global intelligence. With the new SaaS model, The Anomali Platform can be easily integrated with existing security infrastructures, enabling CIOs, CISOs, and other business leaders to optimize their overall security investments and create more efficient and effective detection and response programs that proactively address advanced cyber threats.

The AWS SaaS Factory team spoke with Mark Alba, Chief Product Officer at Anomali, to learn more about Anomali Cloud-Native XDR SaaS, the value its new solution brings to customers, and the key lessons learned from the journey to SaaS on AWS.

Check out the new Anomali Cloud-Native XDR SaaS solution >>

Q&A with Anomali

AWS SaaS Factory: Could you share a bit about your background and role at Anomali?

Mark Alba: I’m the Chief Product Officer at Anomali. I’ve been with Anomali since April 2020 and am responsible for product management, user experience, threat research, and technology incubator functions.

My background includes over 20 years of experience building, managing, and marketing disruptive products and services. I brought to market the security industry’s first fully integrated appliance firewall, leading the integration of global threat intelligence into perimeter security technologies and introducing advanced analytics in support of cyber security operations.

I’ve also led product efforts in both startup and large enterprise organizations, including Check Point Technologies, Security Focus, Symantec, and Hewlett Packard Enterprise.

SaaS Factory: What products and solutions has Anomali previously built on AWS?

Mark: Anomali has made its mark delivering threat intelligence powered detection and response solutions with its ThreatStream, Match, and Lens components of The Anomali Platform.

ThreatStream and Lens are both cloud-native solutions built on the AWS platform. The ThreatStream component of The Anomali Platform offers threat intelligence management that automates the collection and processing of raw data and transforms it into actionable threat intelligence for security teams.

The Lens component of the platform is a powerful natural language processing (NLP) engine that helps operationalize threat intelligence by automatically scanning digital content (webpages, PDF’s, Office 365 files) to identify relevant threats.

SaaS Factory: Can you talk about the Anomali Cloud-Native XDR SaaS solution you recently launched on AWS?

Mark: What we’ve done is move our Match offering to the cloud as part of The Anomali Platform, combining our threat intelligence management capabilities with our threat detection capabilities to create a cloud-native XDR solution.

In short, by moving Match to the cloud, we have unlocked our capability to ingest telemetry from any telemetry source and correlate it with our global repository of threat intelligence to deliver highly performant threat detection.

With this single cloud-native platform approach, customers will have the ability to leverage common platform capabilities through a single sign-on (SSO) experience. Shared cloud capabilities include:

  • High-performance indicator correlation at a rate of 190 trillion correlated threat events per second (EPS).
  • Appliance and cloud-to-cloud-based ingestion of any security control telemetry.
  • Global intel management across open, commercial, and proprietary sources.
  • STIX/TAXII for bi-directional intelligence exchange between TAXII source and clients.
  • Interactive, simplified dashboards for visualization of indicators of compromise (IOC).
  • Global intelligence feed optimizer and scoring.
  • OOTB appliance and API integration for response orchestration with security tools.
  • Vulnerability enrichment aligning global threats with potential org impact.

SaaS Factory: Who are your customers and what are some of the key customer benefits?

Mark: Anomali serves global B2B enterprise businesses as well as large public sector organizations, ISACs, service providers, and Global 1,000 customers.

By correlating the world’s largest repository of global actor, technique, and indicator intelligence with our infinite detection capabilities, we deliver a one-of-a-kind extended detection and response solution that continuously detects threats and prevents attacks before they happen.

Key benefits for our customers include:

  • Increased threat visibility and insights into emerging threats and the actors behind them, to respond quickly.
  • Actionable intelligence to understand the impact and root cause to respond effectively to threats and minimize the damage.
  • Precision detection and increased situational awareness to cut through the noise to analyze and validate relevant threats and enable decisive response.

SaaS Factory: What were your primary business motivations for building Anomali Cloud-Native XDR as a SaaS deployment model?

Mark: There are a lot of benefits to offering security solutions as a service. It’s flexible, easily accessible, resilient, has cost advantages, and is hands-off for our customers. We can manage all the technical issues and tedious tasks like installing, managing, and updating our software—meaning customers don’t need to lean on their in-house IT expertise and can focus on what they do best.

SaaS Factory: Can you share key areas you addressed when moving to a SaaS model and how the AWS SaaS Factory team supported these efforts?

Mark: The AWS SaaS Factory team was instrumental in helping us identify appropriate service options aligned with our enterprise customer requirements. We needed to have an experience that is lightning fast and can ingest information at great scale to effectively help our customers close security gaps. So, scale and performance were essential for seizing the opportunity to move beyond our previous on-premises deployments.

We also focused on refining our long-term approach. We needed to ensure our technical requirements were met while also managing our costs. This helped us ensure customer needs will be met while enabling competitive pricing.

The AWS SaaS Factory team helped us engineer a powerful platform to serve our current needs today and future needs as we scale. We were able to marry a combination of service options, cost, and performance that will grow as our business does.

SaaS Factory: How is Anomali leveraging AWS services and which services are key?

Mark: We’re using AWS services in a couple of ways, pushing data to Amazon GuardDuty and pulling data from VPC flow logs and Amazon Route 53.

The Anomali Platform uses Amazon GuardDuty for IOC matching, collecting telemetry data and intelligence from AWS, and then correlating it with our own IOCs and threat data to generate alerts.

We also collect telemetry for our cloud-XDR solution by ingesting data from VPC flow logs and DNS query into The Anomali Platform and correlating it with our threat intel data and threat models to obtain rich context on billions of IOCs.

SaaS Factory: What are some of the challenges you faced with tenant and data isolation, and how did SaaS Factory content and workshops help address them?

Mark: AWS SaaS Factory conducted technical workshops on tenant isolation models (silo, pool, bridge), SaaS identity and onboarding, running multi-tenant workloads, and data isolation and partitioning models. SaaS Factory also facilitated several specialist conversations by bringing experts in topics on storage, data analytics, and machine learning.

About AWS SaaS Factory

AWS SaaS Factory helps organizations at any stage of the SaaS journey. Whether looking to build new products, migrate existing applications, or optimize SaaS solutions on AWS, we can help. Visit the AWS SaaS Factory Insights Hub to discover more technical and business content and best practices.

SaaS builders are encouraged to reach out to their account representative to inquire about engagement models and to work with the AWS SaaS Factory team.

Sign up to stay informed about the latest SaaS on AWS news, resources, and events.