The creation of this company grew out of a Chief Information Security Officer’s and a hacker’s shared mutual frustrations
Offensive security startup SafeBreach announced the close of their Series A funding round on Tuesday, locking down $15 million in new financing.
New investors Deutsche Telekom Capital Partners, Hewlett Packard Pathfinder, and Maverick Ventures joined with Sequoia Capital and Shlomo Kramer who took part in the 2015 $4 million seed round, bringing SafeBreach to a total of $19 million raised over the course of the year.
Co-founded in 2014 by CEO Guy Bejerano and CTO Itzik Kotler, the company has developed a product that they say helps to give CISOs (chief information security officers) an inside look at how their network looks from a hacker’s perspective. They maintain offices in Tel Aviv and Sunnyvale.
Essentially, by setting up a collection of simulators both inside and outside the client’s network, sitting on potential weak spots that could be targeted by attackers, SafeBreach runs a constant series of war games against the defenses. The system is composed of a management system that organizes the war game and simulators that serve as actors – either defenders or attackers – depending on their assigned role. Each simulator tries to attack based on hackings in their knowledge base. Through the constant drills, an enterprise’s security team can figure out if their defenses are up to snuff, and what has to be improved upon.
Following the simulations, the platform provides clients with analysis reports that advise them on how to harden their systems and be better prepared for future attacks.
The simulators are located inside the network, but they do not affect any of the normal functions, allowing for constant testing without harming business continuity.
“It’s hard to know how secure a system is,” Gadi Lifshitz VP R&D and GM for the company in Israel explains to Geektime. “CISOs buy a lot of products like firewalls, but only after an attack can you know how effective the defenses are when it actually occurs. This is what SafeBreach is trying to change. Our system changes the balance between attacker and defenders, bringing the hacker’s point of view to the CISO before the attack actually occurs.”
Following the round, Lifshitz tells Geektime that they are going to hire 25 people in the coming year, half in Israel and half located in the U.S. The will direct their efforts at improving on their product, as well as growing their sales and marketing in the U.S. He says that they are already working with a few dozen customers, a number that they hope to expand with the injection of fresh capital.
Looking to create a more robust offering to their clients, SafeBreach recently stated that they were teaming up with cyber powerhouse FireEye to integrate the company’s iSight Intelligence, which should help them simulate a wider range of attacks.
How good are your defenses really?
The creation of this company is an interesting one in that it grew out of the mutual frustrations shared by a CISO and a hacker.
Before coming together, Bejerano worked for many years as a CISO and Kotler like many others had spent time in the IDF’s technology unit and had plenty of experience as a hacker. The pair saw massive inefficiencies from their respective sides of the game and thought how bringing a hacker’s perspective to the game could better prepare defenders to find holes in the walls.
The SafeBreach founders are not the only ones who feel that the security apparatus could use a good challenge.
Cyber security has exploded over the past year, with new startups popping up and getting funded on what feels like a weekly basis. While many of these companies offer innovative and effective solutions, CISOs are still far from happy. Perhaps more than unhappy, they are unsure of whether or not these expensive solutions will really hold up when faced with attacks by hackers.
Some like Timothy P. Murphy, a former deputy director of the FBI who now serves as president at Thomson Reuters Special Services, have told Geektime of their skepticism of the industry.
“The proof in the pudding is when you put them in place, are they really working?” Murphy says of vendors offering solutions in this field. “I’ve been approached by a lot of vendors who will come in and say that they do a lot of different things, but at the end of the day, they really have to prove themselves.”
“We kept hearing the same stories from CISOs. We think that we have a different story, using offensive knowledge as the basis for defense,“ says Lifshitz.
SafeBreach represents an interesting mark on the cyber security map in that they are not offering yet another product aimed at either guarding the perimeter or detecting breaches. They see the products out there and hear the claims, and are giving skeptical CISOs a way to push their defenses to their limits and find the weak points before a crisis occurs.
The only real way to prepare for battle is to go through the motions. Red teams and the practice of hiring hackers to do pen testing is nothing new. However building a system that will run these tests automatically is an important development and a step closer in the direction of taking humans out of the security equation.
While they are harnessing a massive number of attack scenarios, giving defenders a real run for their money, they are still just working with the tools at their disposal. At some point a hacker will still manage to find a new and creative way to break through some system that was not run in one of the scenarios. This is not a bug but simply a feature of the cat and mouse security game.
The fact is that most attacks are not carried out by an evil genius throwing tons of zero days at a network’s security, but by basic criminals walking through embarrassingly large gaps in the defenses. The real value of this service will shine through in exposing those weaknesses, and hopefully put smiles back on the faces of more than a few CISOs.