
Axonius' 'Unsexy' Tool Wins RSAC Innovation Sandbox

Judges award top honor to new company solving an old, unsolved problem: asset discovery and management.

RSA CONFERENCE 2019 – San Francisco – Axonius, a company solving the "unsexy" topic of asset discovery and management, was awarded top honors at the RSAC Innovation Sandbox Contest here Monday, beating out solutions for edgier problems including firmware vulnerabilities and API attacks.

Axonius narrowly beat out second-place honoree Duality, an end-to-end homomorphic encryption solution that enables collaborative data analysis in low-trust situations. 

The Innovation Sandbox recognizes emerging security companies with creative, marketable solutions to big challenges. The 10 finalists chosen this year also covered identity management, cloud security ops automation, API security, and more.

"We fought long and hard to get to the top 10 this year," said Niloofar Howe, tech investor, entrepreneur, and one of the Sandbox judges. "It really was hard, but I think it is an incredible group."

After all finalists made three-minute pitches and endured interrogation by a panel of judges, Axonius rose to the top (despite the fact that its CMO, Nathan Burke, had to fill in for its CEO, Dean Sysman, whose flight to San Francisco was delayed).

Companies were judged on the problem they were trying to solve, the originality and soundness of their intellectual property, their go-to-market strategy, their team, the impact the solution was likely to have, and how well the product had already been validated by the market. The judges were Howe; Patrick Heim, operating partner and CISO of ClearSky; Richard Seiersen, CISO, author, and adviser; Asheem Chandna, partner at Greylock Partners; and Shlomo Kramer, CEO of Cato Networks and founder of multiple security firms.  

The judges praised runner-up Duality for the way it enabled collaborative data analytics projects in cases where widescale trust among the parties was impossible to achieve. Speaking from his own experience as a CISO in both financial services and healthcare, Seiersen said that "in both cases, to be able to have privacy-protected analysis is really the holy grail." Pharmaceutical companies, hospitals, and insurance companies, for example, might be able to gain insights from one another’s data, but it could not be shared without addressing privacy concerns.

Judges praised Axonius for solving a fundamental, widespread, long-standing problem that for some reason has not been solved.

"I’ve lived the pain of never having a straight answer around assets," said Heim, who has been CISO for companies with over 200,000 users. "We never know how many servers there are, virtual machines, endpoint devices. ...

"Before we worry about solving problems – you know, ninjas chasing us with APTs and zero-days, basically – there are some basic things you need to solve first," Heim said. "Axonius really resonated very, very strongly with me because finally I can put a checkbox into one of these problems that's been around for 20, 30 years, and basically say, 'This has potential for solving it, and it leverages my existing security infrastructure investments by pooling it all together, versus having to deploy more agents.'"

In an interview with Dark Reading, Axonius' Burke said, "The last thing we want to say is, 'You have yet another dashboard, another solution you've got to manage.'" Therefore, Axonius integrates with other security products, so the asset management information it gathers could be used by another company's orchestration product, for example. 

If Axonius can "kill one of these really old problems," it frees up companies' security resources for other responsibilities, Burke said. "You could really use people better and not spend your time on boring stuff," he said, and thanked the judges "for taking an unsexy thing and making it a winner."

The other eight Innovation Sandbox finalists were:

• WireWheel: A cloud-based data privacy and protection platform that can "translate your technical stack into something your privacy program can use." WireWheel is trying to tackle the data privacy problem at scale by partnering with infrastructure-as-a-service providers like AWS.

• ShiftLeft: A continuous application security platform that both finds vulnerabilities so you can fix them and protects the application against the vulnerabilities you decide not to fix. It uses a combination of static code analysis (code property graphs) and application instrumentation.

• Salt Security: Discovers API vulnerabilities and attacks. Salt uses an AI-based behavioral protection model that learns how an organization's APIs work and can therefore – without much customer configuration – determine what's normal, what's abnormal, and what's malicious.

• Eclypsium: Firmware security company that detects firmware vulnerabilities and compromises (like Meltdown and Spectre) and protects devices from tampering throughout the OEM supply chain. 

• {disruptOps}: Automates security operations for the cloud. Helps cloud users set and reach security benchmarks quickly (like finding and deactivating stale identity access keys).

• CloudKnox: Manages identity privileges across hybrid cloud and multiplatform cloud environments. Uses a "privilege creep index" and a "Just Enough Privileges controller" to ensure that identities have only the privileges they need, when they need them. Head of product Balaji Parimi told judges that CloudKnox might replace whatever product an organization is currently using to mitigate insider threats. 

• Capsule8: Provides security for production Linux systems without taking a toll on operations. API-first, fully extensible, operating outside the Linux kernel, Capsule8 stops attacks like kernel exploits and container escapes in real time, without the performance impacts.   

• Arkose Labs: Low-friction fraud and abuse prevention tool, backed by PayPal, that helps prevent attacks like account takeover and carding.





Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
