By Paul M. Shomo
SAN FRANCISCO—At last week’s RSA Conference in the Moscone Center here, a talented group of entrepreneurs battled on stage in a “Shark Tank”-style competition. Ten finalists performed three-minute presentations and survived three minutes of intense Q&A, all hoping to be named the best of the best by the titans of cybersecurity venture capital.
Pay attention: The trends in this pipeline of incubation will affect us for years to come.
This year brought a colorful field of entrepreneurs, including a DARPA competition winner, an iconic game developer and a former Innovation Sandbox finalist who made it back to the finals yet again, but with his latest startup.
Privacy and Compliance Vendor SECURITI.ai Wins!
Before the winner was announced, the consensus was that these were the strongest competitors yet. The judges emphasized the difficulty of picking only one, but SECURITI.ai ultimately took the crown.
A leader in AI-powered PrivacyOps, SECURITI.ai automates privacy compliance with “people data graphs” and robotic automation. SECURITI.ai enables enterprises to take control of data rights, comply with regulations and build trust with customers.
Everyone was a winner. History has shown that finalists are all showered with funding, and many will be acquired. These 10 finalists represent the future of cybersecurity and center around three trends.
Trend 1: Organizations Have Many SaaS Assets That Need Defending
Ninety-nine percent of cloud security failures through 2025 will be the customer’s fault, according to Gartner Research. Several finalists represented a new category of cloud security posture management (CSPM) and focused on securing an organization’s many SaaS assets.
- Obsidian Security’s founders were former CTOs of Carbon Black and Cylance. Their latest venture delivers cloud detection and response across many SaaS assets. It leverages APIs for visibility into applications, users and data. The result is advanced threat detection, breach remediation and SaaS hardening.
Their connection to Cylance was interesting because Cylance’s file heuristics were one of AI/ML’s biggest success stories. Obsidian leadership sounded more like veteran data scientists than buzzword merchants. They embraced a variety of approaches and spoke about building AI/ML’s foundation with curated data sets.
- AppOmni was the youngest finalist, having been founded in 2018. AppOmni secures SaaS solutions by providing visibility and uses API scanning, security controls and configuration settings.
Perhaps the first contentious moment was when judges goaded AppOmni into saying why they believed themselves superior to Obsidian Security. AppOmni retorted that the market demands protection, not just a “breach notification solution.”
Trend 2: Everyone Is Developing Code; It’s Now the Largest Attack Surface
Even the most analog-heavy companies have become software companies. Everyone builds customer portals, apps and APIs, and automation is changing the workforce. Cybersecurity has “shifted left” to secure this code.
- Blu Bracket’s founders made history by returning to the finals with a second startup. Their latest venture focuses on preventing code theft. Heavy on Git technology, Blue Bracket discovers a customer’s code locally and across the web, rates risk and blocks egress points. It’s kind of like a data loss prevention (DLP) technology for code.
- ForAllSecure’s next-generation fuzzing technology previously won the DARPA Cyber Grand Challenge competition. Fuzzing solutions generate inputs to locate vulnerabilities, but ForAllSecure adds CPU emulation to analyze the executable code being fuzzed. This approach detects more vulnerabilities and allows testing in-house code as well as third-party executables. In demand by governments, ForAllSecure claimed their results are “so actionable, they’re often deemed classified.”
- Tala Security has built one of the first client-side Web Application Firewalls (WAFs). Its educational pitch highlighted the web’s least-protected attack surface: the browser runtime environment. JavaScript powers the modern web, and Tala explained that 60% of JavaScript executing in the browser originates from third-party tags.
This third-party code is usually included by marketing teams without oversight, and compromised JavaScript can steal sensitive data from within the browser. The browser has runtime controls, but they’re not well-understood by developers. Tala’s engine analyzes web application code and leverages these controls to block client-side attacks.
- Sqreen: Sqreen is an application security platform that protects, observes and tests software. As opposed to static code analysis products, Sqreen is a Runtime Application Self Protection (RASP) product that deploys alongside vulnerable applications. Its “security mesh” technology combines RASP and WAF functionality to analyze the full context of attacks on web applications.
Trend 3: The Human Element
The theme of RSA Conference 2020 was the human element. SECURITI.ai took the crown by servicing the human need for privacy. The remaining finalists centered around both the human as an attack surface and aiding analysts with backlogged vulnerabilities.
- Elevate Security had this year’s only female founder and an all-female board. A security awareness training startup, Elevate focuses on affecting employees’ behaviors through feedback. Elevate scores employee risk based on their actions, reporting trends and even providing options to rate employees against their peers. At the core of their approach are behavioral science techniques used to nudge people into better habits.
Elevate provides a novel approach to a hot category; the judges’ only concern was the market size.
- INKY Technology founder Dave Baggett was one of the original co-developers of the iconic gaming franchise Crash Bandicoot. INKY Technology renders email, then uses AI-based computer vision to see its apparent origin as humans do. Its technology analyzes this alongside hidden metadata to reveal when an email is actually a phish.
Cybersecurity is an arms race where countermeasures represent a continual cat and mouse game. Perhaps because they were initially judge-shamed for being too nice, the panel threw INKY a ringer during the Q&A. So what happens when bad actors change their attack vector?
- Vulcan Cyber is a vulnerability detection, remediation and orchestration platform. After receiving on-stage praise for their Star Trek-themed name, one judge became cynical. Would a market with billions of daily security alerts want to hear about more vulnerabilities?
Yet Vulcan Cyber does more than detect vulnerabilities; it focuses on reducing the human burden. Most of the industry’s vulnerabilities aren’t actionable or interesting. Vulcan’s core IP is a vulnerability database that not only prioritizes risk but has millions of orchestration solutions and even provides scripts.
Conclusion
Innovation Sandbox delivered yet again. Here’s where conference attendees can cut through all the noise and see where cybersecurity is heading.
Companies have turned their data over to SaaS vendors, and increasingly an organization’s business value sits in its own codebase. Innovation Sandbox highlighted novel approaches to defend both attack surfaces.
Paul Shomo is an occasional contributor to eWEEK and an independent analyst. He was one of the engineering and product leaders behind the forensics and incident response product, EnCase.