For the 12th year, the RSA Conference kicked off with the Innovation Sandbox, a contest in which ten hot startups each get three minutes to try to blow the socks off a panel of judges. And just as he does each year, conference program Chairman Hugh Thompson kicked things off with a clever — and highly applicable — anecdote.
This year's story went something like this: Thompson was about 10 minutes into a flight from San Francisco to London a few years ago when something whizzed by his head and hit a woman in front of him. A moment later, the captain announced to the cabin that a bird had gotten stuck on the flight. After getting a number of laughable suggestions from passengers (including one to shoot the bird, and another to open a window), the crew, having consulted the airline's official zoologist (who knew?), turned off all the cabin lights, save those in one open lavatory that would serve as a trap. The tactic worked, and the bird was contained.
When Thompson later met with a security professional and relayed the story, the person's immediate response was to remark at how easy it would be to get a robotic bird armed with explosives onto a plane undetected. That was Thompson's first reaction, as well: That the bird had exposed a weakness, one that had fallen through the cracks.
The point is this: Today's organizations have a lot of cracks, and often times employees find themselves in similarly unexpected situations, with no idea what the right course of action might be.
The “VC Outlook On Cybersecurity for 2017” Panel
Along those lines, during a venture capital panel prior to the startup presentations, Bob Ackerman, founder and managing director of Allegis Capital, reminded everyone that humans represent the biggest weakness of all.
"It's hard to defend against stupid," Ackerman said. "You can have state of the art technology, but the human element is the unknown."
And with the cloud, mobile and the Internet of Things ramping up complexity and exponentially increasing the number of end points, a new generation of startups is looking to shore up that weakness.
"What we need in this space is an injection of innovation that lets (employees) make those choices in a secure, hygienic way," Thompson said.
2017 Innovation Sandbox Contest
This year's lineup of startups didn't disappoint, each promising to provide some form of relief to an information security world weary from an ever-expanding universe of threats. Here's a quick look at each of their pitches:
- Veriflow promises to reduce the 84 percent of breaches that are caused by human factors by enabling continuous formal verification of networks. CTO Brighten Godfrey said Veriflow's ability to create network-wide predictive models, define network-wide content, and do millisecond verifications to monitor real-time processes "is going to be a game changer for every network in every enterprise."
- In trying to make better use of the dizzying pace of threat data, Uplevel Security contextualizes alerts, applying graph intelligence and machine learning to augment those alerts with historical data. Said Elisabeth Maida, CTO and co-founder: "Organizations are literally throwing away their most valuable asset."
- RedLock's automated cloud infrastructure security solution leverages machine learning and external data feeds to connect dots across cloud APIs, lift "signals" from noise to quantify risk, and formulate responses. With average cloud workloads lasting just 127 minutes, and some of RedLock's customers running through 10,000 workloads a day, any help extracting actionable data could prove critical. "It's humanly impossible for a security team to keep up with that pace of change," said CEO and founder Varun Badhwar.
- You could almost feel the chill going through the room when GreatHorn CEO and co-founder Kevin O'Brien painted a scenario in which an executive waiting for a flight gets what appears to be an official email asking about employee W-2s. The exec innocently sends the files, boards his flight, and in the process begins a breach that costs his company $4 million, while striking a blow both to his career and his company's reputation. GreatHorn attempts to address this problem by tapping machine learning and social graph analytics to deliver automated policy to detect threats and eliminate risks. "Find a CSO in the room, ask them about their anti-phishing measures and whether they're working," said O'Brien. "The answer is no."
- The idea behind Contrast Security is quite straight-forward: Provide continuous application security at scale, telling app teams where there are vulnerabilities and how to address them. It's an area that Jeff Williams, CTO and co-founder, believes has been woefully shortchanged. "When we build complex things like airplanes or nuclear power plants, we build all sorts of security into them," says Williams. "But when it comes to software, we're flying blind."
- So much of the world's critical infrastructure, and the networks that support it, aren't IP-based, rendering traditional IP security products obsolete. By enabling communication and monitoring of both IP and non-IP devices in real time, Claroty hopes to help engineers and IT security staff work together on shoring up weaknesses. "We make the invisible industrial networks visible, down to the i/o level," said Co-Founder Galina Antova.
- As the founder of Check Point Software, Shlomo Kramer has spent more than a quarter-century watching IT complexity grow far faster than network security. With his new company, Cato Networks, he hopes a five-in-one tool that lets companies manage their entire network from a single cloud-based console will help them take back their networks. "We're making network security simple again," Kramer said. "There is definitely a reason that the network is the most backward part of the IT world today."
- The complex data encryption landscape needs simplification, and Baffle hopes its encryption service is the answer. By encrypting data end-to-end during SQL operations, whether that data is resting or in process, the company hopes to lift the limitations on what encryption can protect. "The customer is always in control of the key," said CEO and co-founder Ameesh Divatia. "We want the application to always have access to the data."
- Unfortunately for Baffle, it had the enviable task of going up against EN/VEIL, which also has attempted to preserve encryption throughout the data lifecycle. Using massive parallelism and a homomorphic encryption engine, EN/VEIL's technology enables data to be processed while encrypted, and Ellison Anne Williams, CEO and founder, said it's all API-based, and can run over any kind of data or process. "We never expose the operation, the results, or the data itself," said Williams.
The promise of heterogeneous, end-to-end encryption was enough to earn EN/VEIL a spot in the final two, but it was going to be hard to beat the promise presented by Innovation Sandbox's eventual winner, UnifyID. Calling itself an "implicit authentication platform," UnifyID is attempting to completely rethink authentication in both the online and physical worlds by combining machine learning and the plethora of devices around us to match our bodies, and more specifically the way we move, to our identities. While the solution is revolutionary and seemingly complicated, the idea behind it couldn't be simpler.
"We believe the best way to authenticate yourself is to be yourself," said John Whaley, CEO and founder.
Whaley's presentation provided compelling evidence: He was seemingly more down to earth (and thus more "himself") than any other presenter, and as a result, UnifyID was "authenticated" as the hottest security startup around.
That is, until a new champion is crowned next year.