#RSAC Innovation Sandbox Crowns Latest and Greatest New Vendors

The annual Innovation Sandbox final was held in San Francisco on the opening day of the 2020 RSAC Conference.

As the conference faced the reality of the global healthcare scare and the constant threats and challenges that confront security companies and departments, this event featured the top ten companies that were chosen to present in front of a panel of judges to vie for the illustrious Most Innovative Startup prize.

Described by program committee chair Hugh Thompson as “an industry where innovation is essential,” the event has been won by numerous companies in the past, some of which have gone on to major acquisition.

"An industry where innovation is essential"

The finalists were judged by Asheem Chandna, partner at Greylock Partners; Scott Darling, president of Dell Technologies Capital; Dorit Dor, vice president, products at Check Point Software Technologies; Patrick Heim, operating partner and CISO at ClearSky; and security entrepreneur and researcher Paul Kocher.

First up was Vulcan Cyber CEO and co-founder Yaniv Bar Dayan. The company is in the vulnerability management space, and stressed a message of it being simpler to solve such problems. He said that more technology means more lists, and more teams and tools, and more processes and more resources. All of which amounts to less time to remediate vulnerabilities.

He said that the tool is built for ameliorating vulnerabilities, finding and fixing them using automation techniques. Agentless, it only runs on APIs, and also offered is a library of patches, solutions, and controls to enable easier remediation.

The concept is interesting, but we see this as a part of the market that has a lot of vendors in it already, and others are trying to offer the full package already.

"The web runs on clients and often via JavaScript"

Next up was Tala, presented by founder and CEO Aanand Krishnan. Its focus is on JavaScript, as 60% of its code reportedly comes from third parties, and the majority of security departments have no sight of its use, which can make the applications it powers vulnerable.

A strong focus for the company was the Magecart attacks, where incidents were successful, as the “web runs on clients and often via JavaScript.”

Krishnan said that controls are taken, automation is built on the end, and controls are added at scale for an SaaS-based technology. He said that most companies don’t know what is running on their websites, so “we can detect and block attacks and tell them what code is running.”

This is an interesting concept, as we have seen this problem consistently happening, and to put the focus solely on JavaScript could be a case of putting all of the eggs in one basket, but a very troublesome basket at least.

Next up was Sqreen, presented by co-founder and CEO JB Aviat. He said that the average process crosses 35 systems, so what you need to do is move beyond the application level and use a security mesh to understand relationships across business, APIs, and services.

He said that Sqreen is about how one service communicates with another, as it can monitor 500 points of instrumentation.

The company is led by former red teamers at Apple, and the focus on application security may prove popular, as we have not seen others talk about RASP or using a security mesh.

The fourth company up was Security.AI, presented by CEO Rehan Jalil. He focused heavily on privacy, saying this is a basic human right, and the concept seems to be around how data is mapped to different users, and where you can and need to apply controls and have a real-time inventory of such connections.

The focus is on having “consent and privacy operations in one place,” and this strong focus on data protection could put them ahead with the judges.

Next up was Obsidian, led by co-founder and CTO Ben Johnson. Johnson was a former CEO of Carbon Black and, along with former colleagues from competitor Cylance, formed this company “to tackle SaaS.” He said that SaaS is driving agility but cannot be slowed down, and the company's focus is on stopping compromise, finding insiders, and responding and fixing issues by using “threat detection and machine learning across every user.”

Its concept of using SaaS to defend SaaS is interesting, and judges did ask questions on how problems can be remediated in this product, but the concept is good, as it is focused on working with popular SaaS applications.

At the halfway point, and next up was Inky. Presented by CEO and founder Dave Baggett, this company is a previous winner of the Infosecurity North America Best New Vendor award. The company operates in the phishing defense space, and said that it is able to “see what is invisible,” including hidden text and headers, and essentially how phishers bypass human and common detection.

That is a crowded space, and it’s interesting that this company is still being deemed a new vendor, and that there is a niche for them among some more established brands and multiple email security vendors.

Next up was ForAllSecure, presented by CEO and co-founder Dr David Brumley. This company seems to have emerged from Carnegie Mellon University, and participated in DEFCON’s AI capture the flag a few years ago with the Mayhem concept, which is now its product.

He said that the vulnerability is found and allows you to focus on the day job instead of detection. Again, they were not especially clear on what the company or product actually does apart from some element of vulnerability detection.

Next was Elevate Security, presented by CEO and co-founder Masha Sedova. She was sadly the only female presenter today, hopefully an issue this industry and conference can resolve in time. The focus here is on the human factor, as it uses “social proof and scores” of employee behavior to achieve visibility into user behavior, and to identify users' strengths and weaknesses by behavior.

This then allows a company to give tailored training and resources based on the employee's behavior, as well as work this into a company’s security culture rating. The behaviors are based on 12 factors of the Verizon DBIR. I like this concept as it is different, while the theory of monitoring can also divide people.

"Source code is everywhere, and it is often the next front of cyber"

The penultimate presenter was Ajay Arora, founder, president, and COO of Blubracket. A former CEO of Innovation Sandbox alumni Vera, Arora focused on how source code is everywhere and is often “the next front of cyber” as the world runs on code—so we need to make it safe.

He made the point that you cannot secure what you cannot see, and visibility is required to be able to classify code and enforce policies, and if you can verify where code is coming from you are a step ahead. This is an interesting idea, again with a focus on code security, but the company’s experience may prove valuable.

The final presenter was AppOmni CEO and co-founder Brendan O’Connor. We concluded with another company focusing on application security, as well as on who has access and securing across environments. He said that this is not about looking at endpoints, but rather SaaS and perspective of what is “happening somewhere else.” Essentially, what is happening inside the cloud.

The company has deployed OAuth for connectivity, and O'Connor made the point that it is better to have prevention than breach notification. It was a good way to round the presentations off, and continued the theme of application security and secure code.

The winner was announced as Security.AI, with the judges citing the company’s efforts to bring an interesting story and team structure. Congratulations to them, they are 2020’s Most Innovative Startup.

What’s Hot on Infosecurity Magazine?