Roundup: conversations with innovators.
By The CyberWire Staff
Mar 1, 2017

Roundup: conversations with innovators.

While at RSA 2017 we spoke to a number of companies, and we've recounted what we learned in our other coverage. But we also wanted to present a roundup of some of the more interesting and innovative start-ups we caught up with before, during, and after RSA. Here are some firms worth your attention.

FourV Systems: cyber risk estimation translated for business decision-makers.

FourV is in the business of risk management. They take data, drive a common information model, and use that to present at risk index. As Casey Corcoran, their Vice President of Product Marketing, explained to us, they've adopted a channel-first strategy, offering a new capability, GreySpark, that translates cyber risk into terms easily comprehensible to non-technical decision-makers. They use the Cyber Defense Matrix, bringing customers to architectural maturity, then to automation and orchestration. Corcoran stressed the importance of maturity. If you have blocks in the Matrix blank, your maximum score is capped.

FourV continues to refine its ways of assessing the value of an enterprise's assets. They're not determining cyber value-at-risk per se, but their approach lets customers tag the value of their assets. FourV is also moving toward ways of giving customers the ability to segment their enterprise.

GreySpark can be used in the cloud, but, Corcoran pointed out, they can also deliver the capability on premise to satisfy customers who'd prefer to keep their systems in-house.

Morphisec: a moving target is harder (maybe next-to-impossible) to hit.

Morphisec promises a "foundational change in security." "You cannot attack what you cannot find," Omri Dotan, the company's Chief Business Officer, told the CyberWire. He argues that current approaches to security are implicated in the familiar problems of asymmetric warfare: a predictable defense is opposed by an unpredictable offense, much to the defender's disadvantage. The long detection times and the incremental addition of security represent an approach that Dotan says "simply doesn't work." 

Morphisec seeks to take advantage of unpredictability, and to give the asymmetric advantage of unpredictability to the defender. They use polymorphism to hide the target from attackers by creating new memory structures randomly to conceal the target inside the memory space. Any code that tries to access the original memory structure—unaware of the changes—is recognizable as malicious by default.

Dotan says Morphisec's product is very slim code with a negligible effect on the machine it's defending. It doesn't replace traditional anti-virus; instead, it focuses on in-memory attacks. "Morphisec plus AV equals the winning stack," as he put it.

Currently backed by venture investments from GE, Deutsche Telekom, and JVP Partners, Morphisec intends to expand into mobile devices. They also see potential for expansion in the Internet-of-things. Both mobile and IoT security are attractive markets because, as Dotan says, Morphisec's solution "consumes zero battery."

Ntrepid: most bad things arrive via the browser, so why not start with a clean browser every time?

Recognizing that 90% of novel exploits arrive through browsers, Ntrepid's Passages seeks to secure that particular avenue of approach from bad actors. "Look at how things actually come into your network. No other app is as complicated as a browser. No wonder it gets attacked," said the company's Lance Cottrell.

Cottrell would like people to begin thinking of critical infrastructure as "existential infrastructure" since the Internet has now become so pervasive. Passages offers both a secure, isolated browser and a degree of useful obscurity. "So we VPN our traffic to the cloud. That gives you misattribution," Cottrell says, which enables you to hide yourself from a targeted attacker. "There's always a fingerprint, and we're not giving you an alias, but we are reducing your signature, because everyone who uses Passages shares the same fingerprint."

One advantage Passages brings to defense against silent malware is that "Passages screams 'I'm a virtual machine,'" thereby deterring such malware from executing.

Early adopters have been in the government, and among pockets of people who desire non-attribution: fraud departments, M&A litigators, researchers who want to hang out in a hackers' forum, organizations with high-risk, high-exposure, SaaS companies (who hold so many other people's data). Ntrepid's initial market is large and medium businesses.

Passages has now moved scanning of web files from a real-time to an at-leisure process, which adds further robustness to defenses. 

Circadence: training as you game lets you train as you'd fight.

Circadence emerged from the online gaming world, President and CEO Michael Moniz told the CyberWire. They understand network optimization—the kind of thing that enables massively multiplayer gaming to work for the players—and they began to apply this to the government space, helping buffer and optimize command and control. 

Now Circadence is connecting cyber physical devices on ranges, which they look at from both an IT and an OT perspective. They're now working on moving the range environment to the cloud. There are many challenges of trust to overcome, still, and Circadence realizes that this will be a multi-year challenge, but they've already won an approximately $80 million contract for a next-generation US cyber range that can emulate to high fidelity various complex systems (including an Aegis class cruiser).

Circadence saw that earlier ranges wouldn't scale: first, there's a shortage of available (who are therefore very expensive to hire), and second, it's difficult to replicate adversaries realistically and economically. Circadence has embraced artificial intelligence (AI) technologies to address these two issues. They use Watson (augmented with their own technology) on the instructional side. Their goal is to field a persistent autonomous AI on the instructor side. On the adversary side, Circadence ingests the tactics, techniques, and procedures of their best red teams, and then reinjects those back into the game.

They currently run nine missions in their gamified training experience, and they can introduce new tools into that environment (with a drag-and-drop process). Their AI not only does OPFOR and instruction, but it also does "white-teaming"—umpiring—and so can also be used to assess security team performance.

They're studying machine learning, capturing cyber workflows to build intelligent agents to help support people while they're on the job. Their approach to redressing the shortage of labor in the industry is to create a generation of cyber professionals and equip them with AI wingmen.

Cryptzone: the software-defined perimeter is user-centric security.

Cryptzone's research lies in the area of applying the software-defined perimeter to the cloud, in the form of infrastructure-as-a-service. Jason Garbis, Vice President of Products, talked us through their approach. "The software-defined perimeter is user-centric security," he said. They're seeing a shift toward identity-centric security in which the perimeter is effectively individualized to the particular user. Their research addresses, principally, five use cases: secure access by developers in the cloud, secure access by administrators in the cloud, secure access by business users in the cloud, access management across multiple cloud environments, and controlling the management plane across accounts.

The advantage of the software-defined perimeter in Garbis's view is that it's identity-centric and dynamic. It lets teams provide security in the ways business users need it to be managed. Dynamic and user-centric policies have given organizations difficulties, but the software-defined perimeter helps obviate these by providing a uniform way of enforcing policies. Cryptzone's solution integrates with an enterprise's identity management systems, and are able to connect various identity and access management systems.

Cryptzone's customer verticals include financial services, but also manufacturing, government, and consumer companies. They see themselves as moving the equation in favor of the defender, bringing down the cost of security for complex infrastructure.

Nuix: pulling realtime data from endpoints, and returning value.

Stuart Clarke, Nuix's CTO Cybersecurity, sees his company's technology as game-changing. They take real-time data from endpoints, streaming them back to an analytics engine. They pull value from data in the form of well-understood user activity. The data they collect depend upon the user and the scenario. Nuix's agent is small, driven by a rules set. They detect not only behavioral signs of malign behavior (like the inside fraudster coming in on a weekend and taking screenshots) but also deliver intelligence about what installed software is up to. They bring to light, Clarke says, analysis packs that deliver significant information an enterprise would otherwise have been likely to miss.

There's a training period unique to each Nuix client—"we help them tell it better"—and the Nuix solution can be used with any kind of data. Their agent can be trained to a regulatory environment. It was used in investigating the Panama Papers breach by the ICIJ. Clarke sees normalization of disparate data sources as Nuix's differentiator, which is how they've attracted customers from law enforcement, telecoms, finance, and government agencies.

Nehemiah Security: quantifying cyber effects in a rigorous range environment.

Todd Bramblett, Nehemiah's President, characterized what his firm is offering as a marriage between cyber security and business software. He explained that Nehemiah offers continuous visibility at the top, and at the bottom a kernel-level defense. They work at the endpoint, in the EPP/EDR space, from detection to remediation, where they seek to enable their customers to know, manage, and protect their assets.

Nehemiah offers risk quantification, and they're working to make this a rigorous for cyber planners as they hold it to be, currently, for kinetic planners. This aspiration is understandable, perhaps, given Nehemiah's early involvement with the offensive side of cyber. Since 2009 they've operated an automated range to test offense and defense, Bramblett said. They map assets to missions, run the missions against test networks, and then score the results.

The company uses its range to develop actuarial data that otherwise wouldn't exist. They also enable assessment of the effect of changes in environments (including big changes, like the recently emerging threat of ALSR bypass). They clone the network, configure the attack, and collect the data.

Denim Group: if you're developing an app, then bake security in, because bolting it on is, how you say? Suboptimal.

"There's a big focus on dev ops, but we don't want to give up gains in app security," Denim Group's John Dickson said. "It's vitally important to review source code throughout the process." Many, probably most, would agree with the sentiment, but the Denim Group is actively working to close the gap between dev ops and app sec. Their space is in the dev ops world. They've seen that companies are better at collecting bugs than they are at fixing bugs, and that developers need to work security from the start. "Bake in the scanning to free up the sharp people to work," Dickson said. "Automate so the three or four (badly outnumbered) security people can be there from the start. Part of app sec is to make sure that you've at least taken care of the obvious stuff."

Dickson offered his take on industry trends. He offered one piece of advice for the dev sec community: account takeover involves manipulation of custom logic and authorization rules. That's the hard problem they should work on.

And he backed up his comment that he sees too many companies chasing too little money by wearing what was hands-down the most pleasantly disarming t-shirt we saw at RSA. It said, "Has no purchase authority." (It's sad to relate that he confessed the message didn't seem to be getting across. But we at least didn't try to sell him anything, so at least some of us are reading, Mr. Dickson.)

Swirlds: taking distributed consensus mainstream (and it's faster than blockchain).

Swirlds founder and CEO Mance Harmon described his company's use of hashgraph, a distributed consensus algorithm that they believe offers some distinct advantages over the more familiar blockchain. "If you think of blockchain as a replicated database, each miner has a full copy of that database," Harmon said. "The problem is that proof of work is cumbersome—seven transactions a second is about as good as it gets, and that's too slow."

Hashgraph, in contrast, achieves about 100,000 transactions a second, with subsecond confidence. The two latencies are confidence and mathematical proof-of-solution. There's no need for a central server, which offers great throughput. Hashgraph ensures the community comes to agreement globally, then writes it to the local instance of the SQL database.

Use cases include massively multiplayer online games (like World of Warcraft), healthcare, and identity management. Any vertical in which people want to share information and control who can see it is a potential market. In the database world, this provides high availability. Now the average app developer can address the same issues blockchain users do. This development, Harmon believes, has enabled Swirlds to take distributed consensus mainstream.

Zimperium: in-app protection for iOS and Android users.

The CyberWire has spoken with Zimperium at earlier RSAs, and we were able to get an update on the company's growth and prospects from Scott King. Zimperium's in-app protection is now being provided by Telstra, Deutsche Telekom, Airtel, and Smartone.

The company has recently been in the news for their purchase of n-day exploits. We asked them about this. "We use them to train the detection module," Kind said. 

The research team at Z Labs has continued its iOS and Android vulnerability research. There's no need for the customer to update their app. Zimperium isn't looking for causes or signatures—they're simply looking for the malign effect, and how to remediate it.

Virtru: data can be shared with confidence when data are self-protecting.

The CyberWire caught up with Virtru's CTO, Will Ackerly. "Our big emphasis this year is really about encryption and data protection," he said. "We've been moving into new markets really aggressively across different cloud platforms to protect people's data really wherever it may travel."

Having the right kinds of key management, and providing transparency for the user (particularly during collaboration) are important advantages of Virtru's approach. Security that imposes an excessive burden is likely to be bypassed, or at best endured. But Virtru's solution affords protection without creating friction in a collaboration environment.

"We've seen sort of a huge uptick in demand for privacy right," Ackerly said. "So we're now up over 5000 customers, to include some really interesting use cases." Among the more interested parties are members of the news media, and from organizations who operate internationally. "We've got a lot of interest from companies overseas," he noted. "They want to make sure that no matter what where their data is—whether it's in the United States, whether it's in their country or anywhere else—they can rely on the technology to protect them."

BioCatch: "less friction, less fraud," once they get to know you (and that takes just 7 minutes).

BioCatch's Vice President of Marketing, Frances Zelazny, talked to us about her company's ability to detect fraudulent behavior online. Their solution looks at multiple dimensions of how people interact with their devices. These can include such things as how you toggle, how you linger, hand tremors, scrolling patterns, the pressure you use on your device, and so on. They collect some five hundred behavioral parameters, and then choose the twenty that are most distinctive to a particular user. Once a user is profiled, it's possible to detect fraudulent behavior online—criminals attempting to impersonate someone, for example, will be betrayed by their inability to perfectly mimic their mark's behavior. The solution also can prevent account takeover by detecting attempted fraud in realtime.

Zelazny sees BioCatch's approach as particularly valuable because it's frictionless, having essentially no effect on the user experience. "Everything is passive. Even enrollment is passive," she said. So are the invisible behavioral challenges the system puts in place to verify the user's identity. Adding layers of traditional authentication adversely affects the user experience, but "behavioral biometrics doesn't touch the user experience at all."

The customers are businesses who need to limit online fraud. Online businesses like banks and e-commerce sites can adopt BioCatch easily and simply. The solution is cloud-based, and BioCatch gives the customer an API and some script to incorporate into their website. Zelazny says their customers have seen considerable success in fraud reduction: one customer reports that fraud had dropped essentially to zero on a channel where it had once been prevalent.