News

3/5/2019
11:00 AM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Axonius' 'Unsexy' Tool Wins RSAC Innovation Sandbox

Judges award top honor to new company solving an old, unsolved problem: asset discovery and management.

RSA CONFERENCE 2019 – San Francisco – Axonius, a company solving the "unsexy" topic of asset discovery and management, was awarded top honors at the RSAC Innovation Sandbox Contest here Monday, beating out solutions for edgier problems including firmware vulnerabilities and API attacks.

Axonius narrowly beat out second-place honoree Duality, an end-to-end homomorphic encryption solution that enables collaborative data analysis in low-trust situations. 

The Innovation Sandbox recognizes emerging security companies with creative, marketable solutions to big challenges. The 10 finalists chosen this year also covered identity management, cloud security ops automation, API security, and more.

"We fought long and hard to get to the top 10 this year," said Niloofar Howe, tech investor, entrepreneur, and one of the Sandbox judges. "It really was hard, but I think it is an incredible group."

After all finalists made three-minute pitches and endured interrogation by a panel of judges, Axonius rose to the top (despite the fact its CMO, Nathan Burke, had to fill in for its CEO, Dean Sysmun, whose flight to San Francisco was delayed).

Companies were judged on the problem they were trying to solve, the originality and soundness of their intellectual property, their go-to-market strategy, their team, the impact the solution was likely to have, and how well the product had already been validated by the market. The judges were Howe; Patrick Heim, operating partner and CISO of ClearSky; Richard Seiersen, CISO, author, and adviser; Asheem Chandna, partner at Greylock Partners; and Shlomo Kramer, CEO of Cato Networks and founder of multiple security firms.  

The judges praised runner-up Duality for the way it enabled collaborative data analytics projects in cases where widescale trust among the parties was impossible to achieve. Speaking from his own experience as a CISO in both financial services and healthcare, Seirsen said that "in both cases, to be able to have privacy-protected analysis is really the holy grail." Pharmaceutical companies, hospitals, and insurance companies, for example, might be able to gain insights from one another’s data, but it could not be shared without addressing privacy concerns.

Judges praised Axonius for solving a fundamental, widespread, long-standing problem that for some reason has not been solved.

"I’ve lived the pain of never having a straight answer around assets," said Heim, who has been CISO for companies with over 200,000 users said. "We never know how many servers there are, virtual machines, endpoint devices. ...

"Before we worry about solving problems – you know, ninjas chasing us with APTs and zero-days, basically – there are some basic things you need to solve first," Heim said. "Axonius really resonated very, very strongly with me because finally I can put a checkbox into one of these problems that's been around for 20, 30 years, and basically say, 'This has potential for solving it, and it leverages my existing security infrastructure investments by pooling it all together, versus having to deploy more agents."

In an interview with Dark Reading, Axonius' Burke said, "The last thing we want to say is, 'You have yet another dashboard, another solution you've got to manage.'" Therefore, Axonius integrates with other security products, so the asset management information it gathers could be used by another company's orchestration product, for example. 

If Axonius can "kill one of these really old problems," it frees up companies' security resources for other responsibilities, Burke said. "You could really use people better and not spend your time on boring stuff," he said, and thanked the judges "for taking an unsexy thing and making it a winner."

The other eight Innovation Sandbox finalists were:

• Wirewheel: A cloud-based data privacy and protection platform that can "translate your technical stack into something your privacy program can use." Wirewheel is trying to tackle the data privacy problem at scale by partnering with infrastructure-as-a-service providers like AWS.

• ShiftLleft: A continuous application security platform that both finds vulnerabilities so you can fix them and protects the application against the vulnerabilities you decide not to fix. It uses a combination of static code analysis (code property graphs) and application instrumentation.

• Salt Security: Discovers API vulnerabilities and attacks. Salt uses an AI-based behavioral protection model that learns how an organization's APIs work and can therefore – without much customer configuration – determine what's normal, what's abnormal, and what's malicious.

• Eclypsium: Firmware security company that detects firmware vulnerabilities and compromises (like Meltdown and Spectre) and protects devices from tampering throughout the OEM supply chain. 

• {disruptOps}: Automates security operations for the cloud. Helps cloud users set and reach security benchmarks quickly (like finding and deactivating stale identity access keys).

• CloudKnox: Manages identity privileges across hybrid cloud and multiplatform cloud environments. Uses a "privilege creep index" and a "Just Enough Privileges controller" to ensure that identities have only the privileges they need, when they need them. Head of product Balaji Parimi told judges that CloudKnox might replace whatever product an organization is currently using to mitigate insider threats. 

• Capsule8: Provides security for production Linux systems without taking a toll on operations. API-first, fully extensible, operating outside the Linux kernel, Capsule8 stops attacks like kernel exploits and container escapes in real time, without the performance impacts.   

• Arkose Labs: Low-friction fraud and abuse prevention tool, backed by PayPal, that helps prevent attacks like account takeover and carding.

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10091
PUBLISHED: 2019-03-21
AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow XSS.
CVE-2018-10093
PUBLISHED: 2019-03-21
AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow Remote Code Execution.
CVE-2017-2659
PUBLISHED: 2019-03-21
It was found that dropbear before version 2013.59 with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
CVE-2017-16231
PUBLISHED: 2019-03-21
** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of st...
CVE-2017-16232
PUBLISHED: 2019-03-21
** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue.