As usual, the Innovation Sandbox, in which ten of the most interesting security start-ups competed for recognition, was the opening event at the RSA Conference. Most Innovation Sandbox finalists have, over the years, compiled impressive records in the market. Success has by no means been confined to each year's sole winner.
This year's Sandbox, featuring a new partnership with business information platform Crunchbase, selected the customary ten finalists from a very large applicant pool. On Monday, April 16th, the companies each received three minutes in which to make their case. The RSA Conference's program chair, Dr. Hugh Thompson, served as master of ceremonies.
StackRox: application-level security.
First up was StackRox, represented by CTO and co-founder Ali Golshan, who said, "Security must be built like apps," that is, it must be form-factor agnostic. StackRox argues that you must understand risk at the application level. They abstract all the building blocks, enabling users to leverage whatever is best for their business model. StackRox's Adversarial Intent Model, an essential component of their risk management solution, lies at the core of their offering.
The judges had some questions. What about market readiness—is StackRox ahead of market demand? Golshan sees a market in transition: they're in a longer cycle, even as the market for their offering is in its infancy.
The judges also asked if StackRox saw risk in cloud companies building security into their services? Yes, Golshan acknowledged, but he was confident that at the application level of the stack third-party providers would always have a place.
With respect to the familiar false alarm problem, StackRox sees that as an advantage for their offering: they lower the risk of taking action on a false positive.
ShieldX Networks: protecting virtualized and cloud operations.
Dr. Ratinder Paul Singh Ahuja represented ShieldX. Their product is Aperio (from the Greek for the boundless, the infinite, especially as described in the cosmology of the pre-Socratic philosopher Anaximander). ShieldX's solution discovers assets, applies policies to define security intent in logical groups, orchestrates microservices, and then consolidates microsegmentation behind a single pane of glass. ShieldX thinks every enterprise in the cloud should be their customer.
ShieldX sees its innovation in detection as lying in Aperio's abiltiy to detect and identify pivots, in real time.
ReFirm Labs: a firmware security solution.
ReFirm Labs was represented by CEO Terry Dunlap. They offer a firmware security solution. Dunlap led with an account of how a Fortune 100 customer used ReFirm's product to find hard-coded backdoor accounts through which the customer's data were moving to a foreign IP address. ReFirm's Centrifuge Platform reveals crypto keys, password hashes, public vulnerabilities, and potential zero-days, all in one comprehensive report. It proactively warns of new vulnerabilities' potential impact. The solution has obvious implications for supply chain security.
The judges wanted to know how ReFirm's business was likely to be affected by coming government regulation, and the growing tendency for manufacturers to standardize on certain chips. Dunlap pointed out that "even with regulation mandating practices, sloppy coding will always present a threat."
On disclosure, Dunlap said that ReFirm worked directly with manufacturers and vendors to get them to issue a patch. He closed by saying that, while firmware upgrades are often neglected, firmware security is a serious challenge: "We know that this is a nation-state-level threat."
Hysolate: reinventing the endpoint.
Hysolate asked what seemingly disparate customers have in common—and the answer is that it seems to be air-gaps. To fix endpoints, they argued, we must move to software-defined endpoints. Every organization and user has different interests. Define those interests and plug them into the endpoint.
The judges, pointing out that usability will be a great challenge, asked about the storage layer. Hysolate said that their solution has been tested in use for the last several year, and that they're confident they've successfully addressed the storage layer.
Fortanix: runtime encryption to protect data in use.
Represented by executive Anbuj Kumar, Fortanix presented its approach to protecting data in use with runtime encryption. They enable applications to run inside secure enclaves, with a secure envelope that travels with the application wherever the application moves. Thus Fortanix enables customers to run applications without compromising privacy. Intel, Equinix, and IBM Cloud are among the company's partners.
The judges asked if there were performance trade-offs involved in using Fortanix's solution. Kumar replied that their multi-platform solutions help obviate this, and that "our APIs are better, and often faster."
The judges also asked how they could trust a platform that seemed to be "the holy grail." How much has it been tested under fire? Kumar averted to Fortanix's partners, who've used and verified their security product.
CyberGRX: third-party cyber risk management.
CEO Fred Kneip spoke for CyberGRX, which offers third-party cyber risk management. Third-party exposure is a major risk, and still a largely unmanaged one. Are your third-parties applying the fundamentals? Too many aren't. On average one-hundred-eighty-one vendors access a business's networks each week. Kneip said that CyberGRX has a growing community. The model has been validation with strong participation. Analytics "make this sexy." They're able to categorize attack paths by industry. One major advantage of their solution is that it would replace vendor assessment questionnaires, and this alone represents one massive inefficiency done away with.
BlueVector: self-adapting algorithms.
BluVector has found a large market for its algorithms, which the company says have made its customers 400% more efficient. The company developed its algorithms over ten years, and a large development team is working to further improve them. Their detection engines enable them to stand out, as do their behavioral analysis engines.
The judges noted that many companies are sitting on large amounts of threat data. "What are you doing to stand up to the noise?" BluVector answered that it was "a frothy market," but that you can stand out from the noise "if you build a product that somebody values, surround it with smart people, and build good customer relationships."
BigID: privacy for the individual's data.
BigID's "big idea is that privacy matters." It's hard to achieve privacy, the company pointed out, as anyone who's watched Mark Zuckerberg's recent appearances before Congress and elsewhere knows. "You've got to figure out whose data you have, and see the data in context." This involves correlating data with people. GDPR makes privacy urgent for companies worldwide. BigID automates this challenge, with more than thirty patents around the problem. Their solution gives their customers actionable insights.
The judges asked how analyzing data within an organization helps businesses make good decisions. In answer, BigID said they help them understand what data they have. "Knowing your data is the first step. To support data subject rights, you must correlate data with persons."
Awake Security: extracting and organizing knowledge about the threat.
Awake Security's CEO Callahan began by asking, "You'll hear that the attacker is evolving, but you don't hear as often that your security is forcing them to change. How do you find attackers who blend in?" Awake turns data into action to extract and organize knowledge, with precise answers in a simple interface. DetectIQ and EntityIQ provide this actionable knowledge.
The judges asked if these weren't just feature sets. Callahan said that Awake had built custom data queries at scale, "with a huge amount of IP," and that this would be very difficult to replicate. They've detected corporate espionage, spearphishing, hardware implants, and so on. They're interested in all attacks, not just persistent attacks. Most attacks are complex.
Acalvio: an advanced deception solution.
Acalvio described Engage, an advanced detection solution that provides autonomous deception for security at enterprise scale, cost effectively. Deception farms use decoys in which the puppet and puppet master are separate. It's fluid deception, that creates deceptions just-in-time. It can morph deception into something the attacker is expecting. Their decoys are truly autonomous.
The judges asked about deployment complexity and false positives. They also asked if Acalvio wasn't late to market. To that second question they answered no—in fact they have profited from earlier mistakes in that market. They create decoys in deception farms far away from the production environment. They have an SDN switch between the environments and can control how much blowback they want to permit, which serves to limit the effect of false positives.
Young, but clearly well-funded.
After the presentations the judges went into their deliberations and the audience converged on the ten finalists for the Sandbox's meet-and-greet phase as they waited for the judges to return. An observation heard on the floor was that these ten companies, while still young start-ups, have already clearly attracted significant venture investment.
The winner: BigID.
The judges returned to announce the two finalists, BigID and Fortanix. The judges liked the market topicality of BigID's privacy solution. They liked Fortanix's ability to provide a trusted enclave within the cloud.
The winner was BigID, singled out for its "tremendous market opportunity" and ability to address the challenges of privacy.