Before NASA launches a spacecraft or Intel puts a new chip into fabrication, an industrial process known as "formal verification" is necessary to guarantee that everything will work as it should. Security startup Veriflow, which emerged from stealth mode today, aims to bring formal verification to network security.
Veriflow is launching with a $2.9 million seed funding round, which included the participation of New Enterprise Associates, the National Science Foundation and the U.S. Department of Defense.
"We mathematically validate network-wide policies by predicting all possible data flows before it happens," Brighten Godfrey, CTO at Veriflow, told eWEEK.
The Veriflow technology is deployed as a virtual appliance, either on premises or in the cloud, and collects information for each device in a given network. Veriflow has a deep understanding of the dataplane, which is the lowest level that defines a device's state and includes attributes such as access control lists (ACLs) and content addressable memory (CAM) tables, which helps enable forwarding in a network, Godfrey explained. With the understanding of all the devices in a network, Veriflow's technology builds a network-wide predictive model data flow.
"Fundamentally, we have to anticipate everything that could happen on a network, and there is literally an astronomical number of possible packets that could be injected into a network," Godfrey said. "There is no way you can simulate that, so instead, we do mathematical, algorithmic reasoning about the distinct behaviors that could occur."
By understanding the full network, it's possible to uncover potential misconfigurations and vulnerabilities in network security policies, Godfrey said.
The idea of testing a network to identify performance and configuration issues is certainly not a new one, with vendors, including Ixia and Spirent, both in the business of testing networks.
Veriflow is different from other approaches because it's not about testing packet delivery but rather is about mathematical verification of the entire network, he said.
A key use case for Veriflow is to help mitigate the risk of breaches, and one way to do this is through network segmentation, which provides isolated areas of access, Godfrey said.
In large, complex networks, it's often challenging to segment a network properly for security, Godfrey noted. One piece that Veriflow can test, for example, is whether there is public IP access to the management virtual local area network, or VLAN, in an organization. Veriflow can also be used to verify mathematically that firewall rules and access control lists are set up properly to reduce potential breach exposure risks.
In the event of a breach, security teams will need to be able to quarantine a potentially infected machine quickly. With Veriflow, the security team could get an immediate answer to the question of how to quarantine the infected machine properly to limit the risk for further damage, Godfrey said.
In many breaches, the attacker first gains access to compromised credentials or uses some form of reverse proxy shell to attack a network internally, but even in those cases, Veriflow can help limit risks, Godfrey said. "Veriflow will tell you that the network access control is such that it is possible for segmented network data to leak out if there is a connection outbound."
The next steps for Veriflow are to continue to advance the technology and raise additional funding to help push the company forward.
"Our strategy now is to gain a few more customers and close out on some more trials," Jim Brear, president and CEO of Veriflow, told eWEEK. "Our next step is to do a Series A round of funding in the late summer, and that will give us the ability to scale and evolve our road map."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.