Onapsis Identifies Risk From an Unbiased Perspective

Cybersecurity firms make a lot of claims, but the reality is that most enterprises are not as protected as they think. Mariano Nunez, founder and CEO of Onapsis, is tackling this problem from a different angle. He said that his firm is able to analyze a company’s security risks/vulnerabilities and provide an “unbiased perspective on what that risk means” for the enterprise.

“Maybe we know that because of your specific configuration or specific context, only 10 of [the vulnerabilities] are actually very critical and are the low-hanging fruit,” said Nunez. “We know that 100% security is impossible. From that perspective we help people prioritize and really only apply patches that they need to apply.”

Nunez shared these and other details with Richard Stiennon at the 2016 RSA Conference in San Francisco.

“We are really specialized and focused on business applications because they are very complex,” he said. “You’re talking about proprietary protocols, complex architectures that are dated or started in the ’80s, as well as newer platforms like SAP HANA, which was released only a few years ago.”

Onapsis tries to simplify the process of understanding the threat model associated with these protocols.

“You really need to put a lot of effort in understanding how this is implemented and customized and deployed in real customer implementations,” Nunez added. “Anyone can look at a system in a lab and try to understand the threats to that system. What’s challenging – and where we have a lot of expertise – is understanding how these systems are run in a real life environment and what are the critical threats in those environments.”

In comparing the patch cycles for SAP and Oracle, Nunez said that he thinks that SAP is doing a better job.

“SAP is really improving in a lot of ways,” he said. “They’re improving the security patches, they’re [offering] more secure software out of the gate, and also releasing patches. But the main problem lies in people being able to digest those patches. The patch comes out, there is a known vulnerability that’s been exploited, and we have customers that we know are never going to apply the security patch. There is really a big window of exposure to both known and unknown vulnerabilities because of that. It’s mission-critical; sometimes people have fear of disruption and won’t apply the patch.”

Vidder’s Junaid Islam Explains How its Software Defined Perimeter Prevents Malicious Attacks

Hackers are no longer limited in what they can accomplish. The world has transformed from an in-office corporate structure to a flexible environment that allows individuals to work for companies that are thousands of miles away. This is great for enterprises and for employees, but it has opened the door to new vulnerabilities.

“This is really challenging the existing security model,” said Junaid Islam, founder and CTO of Vidder. “One of the downsides of this new business environment is more cyber attacks. It’s so easy for hackers to get to you because there are so many ways to do it. They could go right after an employee working at home, using a home PC. They could go after a contractor.”

Vidder wanted to create a new security architecture that addressed the problems brought on by the evolving business world.

“Traditionally, security really came in the form of boxes,” said Islam, who spoke to Richard Stiennon at the 2016 RSA Conference in San Francisco. “You used to buy a box that did some security function. That was great when all your computers were in a single place and you could use a box to protect them. But now your assets are everywhere. You might have, still, applications in your datacenter. But you might have something in a cloud, so we developed a security solution based on a new concept called a Software Defined Perimeter.”

Software Defined Perimeter (SDP) allows enterprises to protect their assets wherever they are: in a datacenter, in the cloud, etc.

“We allow you as a company to have a consistent level of security across all of your assets…by having a set of checks that are performed for everybody,” he said. “The key is we do it super fast. When you want to sign in as a user, the first thing we do is check your device and see if your device is known by us. If it’s known, then you go to the next step.”

Then Vidder asks the user to sign in to see if his or her credentials are correct.

“The next thing we do is figure out what you are supposed to do in the company,” Islam continued. “Are you an executive? Are you a contractor? And then the final step is we create access for you. We use the term ‘precision access.’ This very simple mechanism is actually quite powerful. Instead of hackers being able to pretend to be you and access everything, the worst-case scenario is the hacker can only see what you can see.”

As a result, Islam said that Vidder “really changes the threat landscape by many orders of magnitude.”

CloudPassage Makes it Easy to Adopt Dynamic Computing

Few companies have the time to worry about things outside their core businesses. This presents a distinct challenge whenever new technologies are introduced, especially as they relate to security and the rising threat of malicious actors. CloudPassage, an agile security platform for data centers, private clouds and public clouds, strives to eliminate that hassle.

“We can demo very quickly,” said Amrit Williams, CTO of CloudPassage. “It’s very easy for us to deploy. We can have somebody up and running in the afternoon and they could get a sense of how the system is looking.”

CloudPassage seeks customers that have some type of cloud initiative in place, whether it’s a shift to the public cloud or previous experience in private cloud environments.

“Most organizations are trying to understand how they can adopt this dynamic compute in one form or another,” said Williams, interviewed by Richard Stiennon in the above video. “Most companies have some type of initiative that they can get involved in, so we can show them the level of visibility and control that we can give them as they adopt the cloud.”

Enterprises are Taking Notice

CloudPassage’s Halo product (which provides protection and compliance for critical business assets) has been battle-tested by a number of leading enterprises, including eBay, Salesforce, Adobe and Capital One. They’re not the only firms that have taken notice.

“I was quite surprised when I looked back at the new customers over the past year,” said Williams. “It was very much spread across every industry. We were seeing folks in healthcare, insurance and financial services.”

Those firms were really dedicated to investing in a secure and better-protected cloud environment.

Cloud Infrastructure vs. Public Cloud

Williams said he thinks there is a difference between the cloud infrastructure itself, which public cloud providers protect, and the workloads that could be compromised.

“They all have a shared responsibility model, where security is a shared responsibility between the organization adopting the cloud and public cloud providers,” Williams explained. “It’s not that you’re seeing big breaches of Amazon or Google. What you do see is people that are able to exploit companies that do take advantage of the cloud if they’re not securing their own environments properly.”

One company had to completely shut down because its keys were compromised.

“They had to put out a note within a couple days of this happening, saying, ‘We can’t recover from this,’” said Williams, who has worked hard to ensure that doesn’t happen to other firms. “Since our founding in 2010, CloudPassage has been focused on purpose building a security platform to address dynamic compute environments. It auto-scales, it can be delivered on-demand and it can work with micro services and architectures.”