Cybersecurity firms make a lot of claims, but the reality is that most enterprises are not as protected as they think. Mariano Nunez, founder and CEO of Onapsis, is tackling this problem from a different angle. He said that his firm is able to analyze a company’s security risks and vulnerabilities and provide an “unbiased perspective on what that risk means” for the enterprise.
“Maybe we know that because of your specific configuration or specific context, only 10 of [the vulnerabilities] are actually very critical and are the low-hanging fruit,” said Nunez. “We know that 100% security is impossible. From that perspective we help people prioritize and really only apply patches that they need to apply.”
Nunez shared these and other details with Richard Stiennon at the 2016 RSA Conference in San Francisco.
“We are really specialized and focused on business applications because they are very complex,” he said. “You’re talking about proprietary protocols, complex architectures that are dated or started in the ‘80s, as well as newer platforms like SAP HANA, which was released only a few years ago.”
Onapsis tries to simplify the process of understanding the threat model associated with these protocols.
“You really need to put a lot of effort in understanding how this is implemented and customized and deployed in real customer implementations,” Nunez added. “Anyone can look at a system in a lab and try to understand the threats to that system. What’s challenging – and where we have a lot of expertise – is understanding how these systems are run in a real life environment and what are the critical threats in those environments.”
Comparing the patch cycles of SAP and Oracle, Nunez said he thinks SAP is doing the better job.
“SAP is really improving in a lot of ways,” he said. “They’re improving the security patches, they’re [offering] more secure software out of the gate, and also releasing patches. But the main problem lies in people being able to digest those patches. The patch comes out, there is a known vulnerability that’s been exploited, and we have customers that we know are never going to apply the security patch. There is really a big window of exposure to both known and unknown vulnerabilities because of that. It’s mission-critical; sometimes people have fear of disruption and won’t apply the patch.”