News, news analysis, and commentary on the latest trends in cybersecurity technology.

Identity Eclipses Malware Detection at RSAC Startup Competition

All 10 finalists in the Innovation Sandbox were focused on identity, rather than security's mainstay for the last 20 years: malware detection.

Paul Shomo, Cybersecurity Analyst

June 22, 2021

4 Min Read
Hand on keyboard with images of multiple people and identities.

At the recent RSA Conference, malware detection got the cold shoulder among the 10 Innovation Sandbox finalists, illustrating how differently security looks after the pandemic cloud migration. It also indicates the investor community may consider malware a lower priority.

RSAC's Innovation Sandbox is a Shark Tank-like competition for cybersecurity startups, where entrepreneurs present dueling pitches to a panel of investors. SecDevOps startup Apiiro took the top prize with its single pane of glass for reporting threats and automating review, testing, and remediation. A second SecDevOps startup, Wabbi, also touted a broad risk management approach and boasted this year's only female founder.

The scramble to secure the new cloud infrastructure dominated the competition, which led to some controversy. Finalists were announced in April, a month before historic ransomware attacks against American oil and the global food supply chain. In light of this awkward timing, one wonders if the judges regret not allowing a malware detection startup into the finals.

Malware is the digital spear disrupting and damaging infrastructure. Yet there's an underlying truth about malware's diminishing role in the cloud that these judges know all too well.

Installing native software agents across the cloud to remotely control it has been an industry failure. Cloud VMs, containers, and their IP addresses may be recreated up to thousands of times per hour, creating a brutally ephemeral environment. Malware's difficulties in the cloud are quite analogous to the agent problem. Like software agents, malware must install natively across the cloud and maintain connectivity for command and control.

Compounding the problem, the public cloud and serverless technologies often lack a true runtime environment, allowing the installation of agents or malware.

Furthermore, malware spreads itself by discovering and infecting adjacent systems. Consider how few lateral movement opportunities there are in the cloud, as a Fortune 500 company's assets span disparate cloud vendors, segmented and ephemeral networks, and software-as-a-service (SaaS) apps.

For all these reasons, vendors embrace "agentless" approaches, controlling the cloud via APIs, now a favorite of hackers as well. Along with APIs, the human interface shell (think command line or the Web browser) are the only ways to reliably access cloud components.

Both API and shell access require authentication through the identity layer produced by secure access service edge (SASE) zero-trust products. Finalist Axis Security is a good example. From its cloud, it authenticates users, even from unmanaged devices, brokering a secure session to a company's many cloud components. In true zero-trust fashion, Axis monitors and continuously reauthorizes accounts throughout a session, as long as they remain compliant and well behaved.

One can see why after years of defending Azure, Microsoft CISO Bret Arsenault told me in 2019, "Hackers don't break in, they log in," and to defend the cloud he says, "Identity is the new perimeter."

Yinon Costica, co-founder and VP of products at Wiz, another finalist, pointed out that identity is even more than a perimeter. "Identity is the new vehicle in order to get from one place to the other," he said.

After the SASE identity layer is pierced and credentials are stolen, Costica described hacking the cloud through the eyes of threat actors, "I get a shell on a machine that's running in a cloud environment somewhere. Now I can use [Amazon Web Services] APIs. I can use a role that's assigned to the machine. I can scan the filesystem for secrets," he said. "I don't need any malware."

Instead of malware, Wiz focuses on identities, the secrets they access, the networks they touch, and vulnerabilities. In its Innovation Sandbox pitch, Wiz claimed 10% of the Fortune 500 purchased its product within its first six months of sales.

A competitor, Deduce, provides identity intelligence to spot risky logins. Finalist Strata migrates legacy applications to the identity layer, abstracting away details with orchestration.

The advertising tech industry also made a mark on Innovation Sandbox. Often dubbed "surveillance capitalism" by privacy advocates, ad tech produces sophisticated human intelligence. Startup Abnormal Security brings seasoned ad tech experts to email security. It believes providers such as Microsoft or Google already have excellent email threat detection, and focuses its behavioral analytics on the most advanced attacks.

Innovation Sandbox's final three competitors secure emerging DataOps. This new attack surface is arising as data vendors such as Snowflake migrate information to specialized data clouds. Open Raven identifies and classifies data. Satori is a low-latency gateway that masks sensitive information before forwarding it. Cape Privacy helps organizations share data with outside AI experts, something Cape accomplishes by exposing an encrypted version of data that hides secrets but still preserves usefulness.

The malware vs. identity debate illustrates why Innovation Sandbox is a favorite among trend watchers. For years to come, malware will continue compromising endpoints, as well as the Internet of Things and operational technology (OT) devices. Malware is still king for ransom and disruption, and for these reasons, 2021's choice of finalists was controversial.

In 2021, Innovation Sandbox was also a teaching moment. Malware can still be used against specific targets in the cloud. Yet the cloud is heterogeneous, ephemeral, and a peculiar runtime environment. All of which are eroding malware's reign as the universal hacking tool. With the SASE identity layer, increasingly hackers don't break in, they log in.

About the Author

Paul Shomo

Cybersecurity Analyst

Paul Shomo is an experienced analyst focusing on emerging cybersecurity and early-growth startups. A prescient forecaster, Paul is featured in Dark Reading, CSO Online, eWeek, and the Genealogy of Cybersecurity podcast. A patent holder and engineering leader behind EnCase, Paul was a founding pioneer of DFIR and enterprise forensics from 2006 to 2015. Paul was also a former kernel developer for Wind River Systems.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights