This company’s different approach to security shines a light on hidden malware within your organization
Beer Sheva-based SecBI announced on Tuesday the close of their Series A funding round, bringing in $5 million in new capital.
Taking part in the round were new investors Orange Digital Ventures, Connecticut Innovations, Amichai Shulman, along with previous backers Jerusalem Venture Partners (JVP).
Co-founded in 2014 by CTO Alex Vaystikh and VP BD and Customer Success Doron Davidson, the company has developed a log-based behavioral analysis cyber solution that gives analysts a fuller picture of threats to their organization.
Davidson tells Geektime that the impetus for starting SecBI came from his time at RSA. There, he noticed that organizations were being breached despite having numerous security solutions in place. When his teams helped customers deal with these break-ins, he says, they noticed that the companies already held significant amounts of relevant data prior to the breach; had someone been able to connect the dots, they should have been able to figure out that something malicious was afoot.
He and his CTO Alex decided that this was a problem that they could solve.
While he had support from RSA for his idea, he understood that if he wanted to push this venture, he would have to pursue this outside the company. He says that JVP believed in the idea, and they joined their portfolio at the JVP Cyber Labs in what is fast becoming the cyber capital of Israel, the southern city of Beer Sheva.
Davidson says, “We’re changing the way that you look at the detection of advanced cyber attacks, including APTs. We’re looking specifically at attacks that are utilizing distributed architectures and are changing all the time, either in their IPs, domains and so on. We have seen in the past year that it’s not only limited to one area of the kill chain but rather on the delivery of the malware, the propagation and communication with the command and control as well as the exfiltration of data.”
He says that the reason for their approach comes from his experience of seeing situations where clients believed that they had mitigated an attack when in fact it had just changed its activities and was still hiding below the surface, waiting for a new opportunity to cause more damage.
While the malware may have disguised itself to be unrecognizable to the security information and event management (SIEM) systems at the SOC, it is still communicating with its controllers, even if through different avenues. He says that if you are able to connect all of the different kinds of communication together, then you can show that they are still a part of the same attack and properly mitigate the threat. Their product can then provide the client with what he calls a full story, starting with the infiltration, and moving onto the propagation and communication with the command and control, and finally with the exfiltration of data.
They use unsupervised machine learning to find similarities within the data and detect malware even as it puts on new masks to hide itself. This means moving away from the micro perspective of anomalies in a single user's behavior and expanding the view to seek out similar behaviors at the organization level. They cluster all of the organization's data over time and then examine the clusters for signs that their members might be connected to an incident. If there is an alert for one of the entities within a cluster, they zoom out to look at the others in that group and can identify which members are likely to be affected, even where no malware has been detected on them.
The challenge they are trying to overcome is that alerts only fire when a predefined rule set by the organization is broken, so analysts miss out on massive amounts of data that could give them a better picture of what is going on in their organization. He says that in his experience, alerts represent only 10% of the incidents going on inside a network, with other crucial information in the remaining logs never being picked up. However, he explains, this does not mean that the security team will have to comb through the rest of the logs, since their technology assesses which systems are likely to have been affected, narrowing the overall search down to the relevant material.
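The cluster-then-expand idea described above, as an added example that is not SecBI's code: hosts are profiled by behavioral features that survive a change of domain or IP (beacon interval, regularity, request size, destination diversity), clustered by similarity, and an alert on one host is then expanded to its cluster peers. The proxy-log layout, the sample records, the four features, the min-max normalization and the 0.5 linkage threshold are all constructed assumptions for this illustration.

```python
"""Cluster-then-expand detection over proxy logs (illustrative, not SecBI's code).

The log layout, per-host features, normalisation and threshold below are
assumptions chosen for this example.
"""
from collections import defaultdict
from itertools import combinations
from math import sqrt
from statistics import median, pstdev

# ---- constructed sample data ------------------------------------------------
# Each record: (timestamp_seconds, host, destination_domain, bytes_out)
LOG = []

# Three workstations beacon every ~300 s with a fixed-size request, each to a
# different rotating set of domains, so no single IOC ties them together.
JITTER = (-4, 0, 4)
for host, offset in (("ws-01", 10), ("ws-02", 130), ("ws-07", 45)):
    for i in range(12):
        LOG.append((offset + 300 * i + JITTER[i % 3], host,
                    f"c{i % 4}-{host}.example", 512))

# Two workstations with ordinary, bursty browsing to many destinations.
NORMAL = {
    "ws-03": ([0, 17, 25, 140, 141, 600, 603, 1900, 1960, 2400, 2401, 5000],
              ["news", "mail", "news", "shop", "wiki", "video",
               "mail", "docs", "maps", "cloud", "chat", "blog"],
              [200, 1500, 800, 120, 3000, 450, 900, 2200, 60, 1300, 700, 5100]),
    "ws-04": ([5, 40, 41, 300, 900, 905, 907, 1500, 3200, 3210, 4000, 7000],
              ["s1", "s2", "s3", "s4", "s5", "s6", "s7", "s8", "s9", "s10", "s11", "s1"],
              [100, 2500, 300, 4000, 150, 800, 1200, 90, 600, 3300, 2000, 400]),
}
for host, (times, dests, sizes) in NORMAL.items():
    for t, d, b in zip(times, dests, sizes):
        LOG.append((t, host, f"{d}.example", b))

# ---- feature extraction -----------------------------------------------------
def host_features(log):
    """Per-host behavioural features that do not depend on any one domain or IP."""
    by_host = defaultdict(list)
    for rec in sorted(log):
        by_host[rec[1]].append(rec)
    feats = {}
    for host, recs in by_host.items():
        times = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        med_gap = median(gaps)
        feats[host] = (
            med_gap,                                  # typical inter-request interval
            pstdev(gaps) / med_gap,                   # regularity: low = beacon-like
            median([r[3] for r in recs]),             # typical request size
            len({r[2] for r in recs}) / len(recs),    # destination diversity
        )
    return feats

def normalise(feats):
    """Min-max scale every feature to [0, 1] across all hosts."""
    hosts = list(feats)
    cols = list(zip(*(feats[h] for h in hosts)))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return {h: tuple((v - l) / (u - l) if u > l else 0.0
                     for v, l, u in zip(feats[h], lo, hi)) for h in hosts}

def cluster_hosts(log, threshold=0.5):
    """Single-linkage clustering: hosts closer than threshold share a cluster."""
    norm = normalise(host_features(log))
    parent = {h: h for h in norm}

    def find(h):                      # union-find root lookup with path halving
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h

    for a, b in combinations(norm, 2):
        dist = sqrt(sum((x - y) ** 2 for x, y in zip(norm[a], norm[b])))
        if dist < threshold:
            parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for h in norm:
        clusters[find(h)].add(h)
    return [sorted(c) for c in clusters.values()]

def expand_alert(alerted_host, clusters):
    """Given an alert on one host, return the cluster peers to triage next."""
    for c in clusters:
        if alerted_host in c:
            return [h for h in c if h != alerted_host]
    return []

if __name__ == "__main__":
    found = cluster_hosts(LOG)
    print("clusters:", found)
    # A SIEM rule fires only on ws-01; its cluster points at ws-02 and ws-07 too.
    print("triage next:", expand_alert("ws-01", found))
```

The point of the example is that none of the three beaconing hosts share a destination, so an indicator-based rule would link none of them; the behavioral features put them in one cluster, and a single alert on one of them hands the analyst the other two instead of the whole estate's logs.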
While they are already working with a number of organizations, the funding from this round will be directed at launching their product to the market and growing their sales and marketing efforts in North America and Europe.
Beer Sheva: The cyber capital of Israel
In deciding on where to base their company, Davidson says that the legendary figure Dr. Orna Berry — who had opened up EMC’s operations in Beer Sheva in 2011 — told him that if he wanted to open a cyber security company, then he would have to do it in the southern city, insistent that this was the place for new innovations in this space to flourish.
In Beer Sheva, he says that he has a number of opportunities to grow his company that he might not have had if he had decided to set up shop in the startup hub of Tel Aviv.
When CISOs come as part of delegations, as one did in June for Cyber Week in Tel Aviv, they now make a day-long stop down in Beer Sheva. “Instead of having to fight with 300 startups to get a meeting with the CISOs from companies like SAP, Comcast, and others which I would have had to work for months to arrange, I only need to compete with six or seven others,” he tells Geektime.
He also points to the atmosphere of collaboration with large enterprises like EMC and Lockheed Martin that are also in the two building complexes, situated across the bridge from Ben Gurion University of the Negev. Solidifying the cyber concentration, the Israeli Defense Forces intends to establish a new center a stone’s throw away from SecBI’s offices at the Cyber Labs, which will become the new home for the military’s elite technology units.
There are challenges, though, when it comes to experienced manpower, since he has to compete with the big corporates that he currently collaborates with. On the other hand, he says that he can take advantage of the fresh-faced graduates from the university who are seeking new opportunities in the growing ecosystem in the south.