In today’s data intensive world, companies large and small are dealing with data in new ways. For example, millions of connected Internet of Things (IoT) devices are transmitting tons of data every day. And the shift to deploying apps via containers is changing software’s relationship to infrastructure.
This, in turn, is creating the potential for vulnerabilities that need to be secured.
“The need is there and it’s being fulfilled, but it’s not being fulfilled by the big boys anymore,” says Edward Haletky, principle analyst and managing director at TVP Strategy. “Legacy solutions are not keeping up and may not mitigate newer attacks, which are getting more robust.”
Because legacy systems are unable to keep up, there’s been an uptick in startups launching in the security space. We can’t list all of them. But with the RSA Conference happening this week in San Francisco, this is a good time to highlight nine we think are worth watching.
This startup, whose founders include former Nuage Networks’ CTO Dmitri Stiliadis, claims to take a very simple approach to container security. Aporeto uses a white-list approach, which is becoming more common in security. Instead of trying to block certain actions or hackers, an operator specifies which actions are permitted, and everything else gets blocked by default. Aporeto’s project Trireme applies this concept by making containers identify themselves to one another.
For example, if a service requires that Container A communicate with Container B, then Trireme inserts an encrypted signature into Container A’s metadata as it’s created. When Container B starts receiving packets, Trireme recognizes the signature from Container A and would validate if the communication is within policy boundaries. Because Containers A and B won’t talk to anything else, that’s supposed to remove either containers as an entry point.
In a nutshell, what Trireme does is move the acts of authentication and authorization into the application and acts as a gatekeeper in front of each container. This idea reduces container security to label-checking. Aporeto has integrated with Kubernetes and Docker so it can insert labels accordingly. The company was founded in 2015.
Formerly known as Scalock, container security company Aqua supports and secures containers from Docker, CoreOS, Microsoft, and VMware. Aqua’s Container Security Platform is able to track a container’s status throughout its lifecycle.
In addition to checking containers for vulnerabilities and policy compliance, Aqua also makes sure that they stay within security policy of containerized applications. The platform can be deployed in data centers or in public clouds like Amazon Web Services (AWS) and Microsoft Azure.
Aqua was founded in 2015 and is based in San-Francisco with an office in Rama Gan, Israel. It has raised $13.5 million from TLV Partners, Microsoft Ventures, and cyber security investor Shlomo Kramer.
Attivo’s ThreatMatrix incident response platform does real-time detection in data center, cloud, and IoT environments.
Like many other incident response startups, Attivo assumes that there is already an attacker inside the network. It uses lures within endpoints, servers, and applications across the network to trick hackers into revealing themselves. It’s designed to detect and defend against bots, Advanced Persistent Threats (APTs), stolen credentials, and ransomware attacks.
ThreatMatrix uses bait (bots) in order to attract attackers and harmful bots that are already in your network. The longer an attacker interacts with the bot, the longer ThreatMatrix is able to collect information about the attacker and find a fix for the user.
Attivo’s detection engine then captures the data and analyzes the attacker’s IP addresses, methods, and actions, which can be viewed and exported in different formats through a dashboard.
The startup was founded in 2011.
SecBI uses machine learning to gather information during attacks including affected users, domains, and assets. This idea of using machine learning to collect data is not uncommon among incident response startups.
Specifically, SecBI analyzes large amounts of incoming and outgoing log data from network security gateways to detect threats using clustering algorithms. These algorithms are able to review all of the data, piecing together clusters of suspicious activity into single incidents and provide a narrative of the attack.
SecBI’s machine learning technology is designed for security analysts who receive a summarized incident alert based on one or many events. As new evidence comes to light, SecBI automatically updates each incident to ensure that users always use the most recent information.
SecBI was founded in 2014.
Founded in 2013, SourceClear’s open source platform works to integrate automated security checks into developer workflows before they ship code.
SourceClear’s platform is equipped with a variety of developer tools and is complimented by open source libraries containing information about open source vulnerabilities and security policies. Developers are able to pick a library they want to work off of and find a place in the code that is relevant to what they are working on, and the platform automatically scans for vulnerabilities.
SourceClear’s technology must have a reliable call graph in order to weed out the false positives with machine learning. A call graph is a debugging aid that a developer would use when trying to figure out why a particular line of code is failing. It figures out every possible way of looking at the code and traces it back to the open source library where it was found, enabling developers to see beyond false positives.
This incident response startup focuses on the operations side of network security, piggy-backing on networking and security monitoring systems that are already in place to present information in a way that’s more useful to the human eyes — namely response teams.
Siemplify’s security platform, ThreatNexus, amasses data from different security tools and models it all in the same language, creating a graphic visualization of the network. It uses the information to detect breaches and provide analytics.
ThreatNexus essentially automates the investigation process and digesting of information before it is presented to analysts.
Siemplify has raised $14 million since its launch in February 2016.
This Seattle, Washington-based security startup is on a mission to provide security for IoT. Tempered’s identity-defined network (IDN) fabric works with the host identity protocol to make an IP address function as a device’s identity.
This helps create encrypted identity-based overlay networks that keep the network traffic secure between IoT endpoints.
IDN fabric can be deployed on top of any IP network and requires few changes to the underlying network, reducing the need for complex firewall rules, VLANs, VPN policies, and key management.
Tempered was founded in 2012.
Twistlock was founded in 2015 and claims to offer the first security suite for containers that checks containers while they are still in development. It also watches containers in production to make sure their behavior stays within policy guidelines.
To do this, developers push new code into images through existing continuous integration (CI) pipeline, CI tools call Twistlock and pass along the new image IDs, which Twistlock scans and returns to the CI process to check for differences.
Because containers aren’t necessarily meant to live long and don’t get updated repeatedly like a virtual machine (VM) might, they can be more simple to secure (depending on how many of them there are).
Incident response startup Vectra is applying machine learning to extract large amounts of data from the network, distilling that information, and doing something useful with it. It is among the new wave of security companies trying to detect attacks in progress.
To do this Vectra keeps a watch and gathers data based on everything in the network, keeping a real-time record of the activity. From there, it is able to limit that activity to a small number of anomalies to hand-off to analysts. Based off what actions are taken, any behavior that is out of the norm can be flagged as a sign of trouble.
Vectra was founded in 2011 and started by focusing on campus networks. It recently expanded its reach into the data center and public cloud.