innovation-1014x487

I’m excited to announce that today we’ve officially launched enSilo, a cyber-security startup dealing with today’s state of advanced targeted threats. With a few hundred cyber-security startups worldwide, and hundreds of other corporate security vendors, undoubtedly the question on everyone’s mind is: “Another cyber-security startup… Haven’t we already saturated this market?”
The quick answer is – definitely not. There’s no need to even look at breach statistics from 2014. 2015 has, unfortunately, already supplied us with just too many security events – and their painful consequences.

The lengthier explanation begins awhile back…

Why I left the best job ever (in security speak, that is)

Prior to founding enSilo, I headed Akamai’s security strategy. At the time I joined Akamai, the company was at a pivotal stage – looking to expand their offering through security solutions. I joined to lead and execute the Security vision, also working on scouting and M&As.

Through this position, I had the privilege to meet hundreds (yes, hundreds!) of security companies – from tiny boot-strapped startups to large players in the field. It seemed like a heaven of security solutions. In parallel to researching the security market landscape, I was following the threat landscape. Things weren’t bright. In fact, they looked bad. Very bad. And getting worse.

The contrast was mind-blowing – while solutions to combat threats were flourishing, detection rates were decreasing. The more I came across this disparate situation, the more I tried to understand it. Analyzing the vendors’ offerings, it occurred to me that all the solutions out there were focused on dealing with a certain problem – combatting the threats as they enter or while residing in the network.

Perhaps our definition of the problem, i.e. the need to prevent and detect threats, was wrong at its core?

This thought was challenging - I didn’t even know what the problem was exactly in order to define it. But it was obvious to me that addressing it would require a different way of thinking. I loved my position, the Akamai team and their offering– their whole concept is enablement in a technological era - however, I realized that working on a solution would require my full attention and resources.

I replaced my corporate jacket with my startup jeans.

Adventures from my security soul-searching

To this security soul-searching journey, I asked Udi and Tomer, two of my other co-founders to join me. For those in the ultra techie space – you might have already come across them, their passion is Operating Systems (OS) and malware research. The two were researchers at the cyber-security unit at Rafael Defense Systems. In fact, Udi had spearheaded the unit’s direction and served as its CTO.

After a few meetings together, we realized that we needed to start our conversation with a clean slate. We set aside technological barriers and deliberated at lengths on the ideal characteristics of a solution in face of the persistent and stealthy nature of advanced cyber-attacks.

This is the list we came up with:

Characteristic #1: Prevention
Yes, I know that I said we cannot prevent the attacks. I strongly stand by what I say. However, I do fervently believe in prevention – it won’t help us if the horses had already left the barn. More so, even the security market has demonstrated that any security solution that emerged as providing detection, matured and migrated to a prevention-mode solution (see IDS/ IPS, Out-of-Line vs inline deployments, etc). However, this point made me realize what was the question that we needed to ask: where do you actually place the barn doors?

Characteristic #2: Accurate

There are two aspects to accuracy.

The first relates to the Big Data and behavioral analysis trends of the past few years. I’ve seen so many solutions based on these trends that I can’t even count them. These solutions include a single word that shouts out so loud that you can even hear it when covering your head with a blanket: noise. As much as we would like to think that we are creatures of habit, there are still circumstances for which we act differently. That deviation, no matter how slight, will fire off dozens of anomaly alerts. Setting the baseline less stringent leaves any advanced persistent attacker rejoicing at the opportunity to remain uncovered. The ideal solution must be accurate – alerts should not lead security teams to a wild-goose chase.

The second relates to forensics. The amount of time and resources that goes into forensics is incredible. Last year I received a firsthand look at the work of emergency response teams while they were investigating a mega-breach at one of the major retailers. The team was frustrated, short-staffed and sleep-deprived, racing against time in an attempt to find convicting evidence of the threat required to build the whole attack picture. They were looking for needles in a haystack. Undoubtedly, an ideal solution requires pinpointing forensics teams to the actual needle.

Characteristic #3: Real-time

To be fair, there are solutions out there that are accurate. The problem was that they analyzed the threats after the damage was already done. No good. If we’re looking for a preventive solution, it has to be in real-time.

Characteristic #4: Autonomous

An ideal solution cannot be an add-on to an existing technology. An add-on is only that – a feature. The solution has to stand within itself. Complementary? Yes. A feature? No.

Exfiltration prevention, say what?

The first characteristic stumped us. What on earth are we supposed to prevent?

We looked at security models that breached organizations had in place and compared them against the attackers’ activity. That’s when the simplest of thoughts came to us.

The attackers definition of success is not the same as our definition of failure. Attackers only succeed when they actually steal data. Then why are we defining failure already when attackers infiltrate the network – even if they haven’t stolen data?

Eureka! We realized immediately what needs prevention: the actual act of exfiltration.

We were excited. Now that we knew what the problem was, we could focus on the technological solution.

The solution actually came much quicker than we thought. Tomer’s and Udi’s research revealed that any malware, at some point within its lifecycle, will violate a typical OS method. Combining that OS-related activity together with the respective actual outbound communication request, ultimately exposes that it is malware that is communicating outbound. That means that when data is exfiltrated, the communication with the drop servers (where the threat actor places the stolen data) can be revealed.

Wow. This revelation was ground-breaking. Heck, it even worked for old unsupported OSes such as Windows XP since these machines contained a subset of current Windows OS versions. In fact, all the puzzle pieces fell into place:

  • The fact that we combined and correlated OS activity of a communicating entity with its outbound communication request to expose malwares made this solution, inherently, accurate.
  • We were looking at communication channels – as they were occurring. There’s no more real-time than placing anti-exfiltration controls at this point.
  • This solution stood on its own. We didn’t need to rely on other existing solutions to work it out.

No cliché here: it really does come down to people

To ensure our validity and create a product that not only delivers what it promises, but is easy to operate and friendly to work with, we worked with nearly a dozen design partners.

The feedback from our partners was invaluable and I’m humble at their patience and readiness to help – always available for an impromptu call, a lengthy meeting and withstanding our constant nagging.

I’m proud to say that many of our design partners have now become paying customers. However, our cooperation and collaboration doesn’t allow me to call them customers – they’re still our partners.

Our investors, Carmel Ventures, have been utmost amazing. They believed in us when enSilo was just a concept – having invested in enSilo a very generous seed round prior to our product development. But Carmel didn’t just open the checkbook for us. What they’ve given us is more than we could’ve ever asked for. From office space for the first few months as we took off ground to vital guidance and meetings we could have only wished for were we had done it on our own.

The startup road we’ve taken is not going to be easy. I’m completely aware that we’ll encounter road bumps, obstacles and creatures that I can’t yet even anticipate. That said, enSilo has got an amazing team. I have full confidence that we’ll succeed, and it will all be due to the members of this team. All are experts in their field, from security to operating systems, networks and user experience. Good luck to us all!

 

Learn More about Exfiltration Prevention