Paul Shomo
Identity Eclipses Malware Detection at RSAC Startup Competition

All 10 finalists in the Innovation Sandbox were focused on identity, rather than security's mainstay for the last 20 years: malware detection.

At the recent RSA Conference, malware detection got the cold shoulder among the 10 Innovation Sandbox finalists, illustrating how differently security looks after the pandemic cloud migration. It also indicates the investor community may consider malware a lower priority.

RSAC's Innovation Sandbox is a Shark Tank-like competition for cybersecurity startups, where entrepreneurs present dueling pitches to a panel of investors. SecDevOps startup Apiiro took the top prize with its single pane of glass for reporting threats and automating review, testing, and remediation. A second SecDevOps startup, Wabbi, also touted a broad risk management approach and boasted this year's only female founder. 

The scramble to secure the new cloud infrastructure dominated the competition, which led to some controversy. Finalists were announced in April, a month before historic ransomware attacks against American oil and the global food supply chain. In light of this awkward timing, one wonders if the judges regret not allowing a malware detection startup into the finals.

Malware is the digital spear disrupting and damaging infrastructure. Yet there's an underlying truth about malware's diminishing role in the cloud that these judges know all too well.

Installing native software agents across the cloud to remotely control it has been an industry failure. Cloud VMs, containers, and their IP addresses may be recreated up to thousands of times per hour, creating a brutally ephemeral environment. Malware's difficulties in the cloud are quite analogous to the agent problem. Like software agents, malware must install natively across the cloud and maintain connectivity for command and control.  

Compounding the problem, the public cloud and serverless technologies often lack the kind of true runtime environment that would allow the installation of agents or malware.

Furthermore, malware spreads itself by discovering and infecting adjacent systems. Consider how few lateral movement opportunities there are in the cloud, as a Fortune 500 company's assets span disparate cloud vendors, segmented and ephemeral networks, and software-as-a-service (SaaS) apps.

For all these reasons, vendors embrace "agentless" approaches, controlling the cloud via APIs, which are now a favorite of hackers as well. Along with APIs, the human interface shell (think the command line or the Web browser) is the only other way to reliably access cloud components.

Both API and shell access require authentication through the identity layer produced by secure access service edge (SASE) zero-trust products. Finalist Axis Security is a good example. From its cloud, it authenticates users, even from unmanaged devices, brokering a secure session to a company's many cloud components. In true zero-trust fashion, Axis monitors and continuously reauthorizes accounts throughout a session, as long as they remain compliant and well behaved.

One can see why, after years of defending Azure, Microsoft CISO Bret Arsenault told me in 2019, "Hackers don't break in, they log in," and why, to defend the cloud, he says, "Identity is the new perimeter."

Yinon Costica, co-founder and VP of products at Wiz, another finalist, pointed out that identity is even more than a perimeter. "Identity is the new vehicle in order to get from one place to the other," he said.

Costica described hacking the cloud through the eyes of a threat actor who has already pierced the SASE identity layer and stolen credentials: "I get a shell on a machine that's running in a cloud environment somewhere. Now I can use [Amazon Web Services] APIs. I can use a role that's assigned to the machine. I can scan the filesystem for secrets," he said. "I don't need any malware."
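One defender-side check for the path Costica describes, as an added example that is not part of the article or of Wiz's product: flag temporary credentials of an EC2 instance-profile role being used from an IP address the instance does not own. Field names follow the CloudTrail record layout; the instance inventory, IP addresses and events are constructed.

```python
"""Detect an instance-profile role session used from off-host.

Attack path from the article: an attacker with a shell on a cloud VM uses
the role attached to the machine, no malware needed. If those temporary
credentials are copied elsewhere, the API calls arrive from an IP the
instance never uses. This example (not from the article) checks for that.
"""

# Constructed inventory: instance id -> the IPs the instance legitimately uses.
INSTANCE_IPS = {
    "i-0abc123": {"10.0.1.15", "203.0.113.10"},
}

def session_instance(event):
    """Return the instance id behind an assumed-role session, or None.
    For instance-profile sessions the role session name is the instance id,
    so the ARN ends in "assumed-role/<role>/<instance-id>"."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name if session_name.startswith("i-") else None

def flag_credential_misuse(events):
    """Return (eventName, sourceIP, instance) for each call that used an
    instance role from an IP the instance does not own. Calls made on the
    instance's behalf by an AWS service carry a service DNS name as
    sourceIPAddress rather than a client IP, so those are skipped."""
    findings = []
    for ev in events:
        inst = session_instance(ev)
        if inst is None:
            continue
        src = ev.get("sourceIPAddress", "")
        if src.endswith(".amazonaws.com"):
            continue
        if src not in INSTANCE_IPS.get(inst, set()):
            findings.append((ev["eventName"], src, inst))
    return findings

# Constructed sample events, trimmed to the fields the check reads.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc123"
SAMPLE = [
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "ListSecrets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]

if __name__ == "__main__":
    for finding in flag_credential_misuse(SAMPLE):
        print("instance role used off-host:", finding)
```

The same shape of check is what cloud-native alerting does for instance credential exfiltration; in production the inventory would come from the cloud provider's instance metadata rather than a hard-coded table.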

Instead of malware, Wiz focuses on identities, the secrets they access, the networks they touch, and vulnerabilities. In its Innovation Sandbox pitch, Wiz claimed 10% of the Fortune 500 purchased its product within its first six months of sales.

A competitor, Deduce, provides identity intelligence to spot risky logins. Finalist Strata migrates legacy applications to the identity layer, abstracting away details with orchestration.

The advertising tech industry also made a mark on Innovation Sandbox. Often dubbed "surveillance capitalism" by privacy advocates, ad tech produces sophisticated human intelligence. Startup Abnormal Security brings seasoned ad tech experts to email security. It believes providers such as Microsoft or Google already have excellent email threat detection, and focuses its behavioral analytics on the most advanced attacks. 

Innovation Sandbox's final three competitors secure emerging DataOps. This new attack surface is arising as data vendors such as Snowflake migrate information to specialized data clouds. Open Raven identifies and classifies data. Satori is a low-latency gateway that masks sensitive information before forwarding it. Cape Privacy helps organizations share data with outside AI experts, something Cape accomplishes by exposing an encrypted version of data that hides secrets but still preserves usefulness. 

The malware vs. identity debate illustrates why Innovation Sandbox is a favorite among trend watchers. For years to come, malware will continue compromising endpoints, as well as the Internet of Things and operational technology (OT) devices. Malware is still king for ransom and disruption, and for these reasons, 2021's choice of finalists was controversial. 

In 2021, Innovation Sandbox was also a teaching moment. Malware can still be used against specific targets in the cloud. Yet the cloud is heterogeneous, ephemeral, and a peculiar runtime environment, all of which erode malware's reign as the universal hacking tool. With the SASE identity layer, hackers increasingly don't break in; they log in.

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ...
