A Savage Security Market Report
Cybersecurity AI gets a little less artificial…
Threatcare is a startup that first caught Savage Security’s attention a few years ago. We were not only taken with the concept of attack simulation, but also with founder Marcus Carey’s vision for a security product that’s as easy to use as it is effective. The average security product typically wouldn’t win any awards for user interface (UI) or user experience (UX) design, but that’s starting to change in this industry.
Fast forward to today and Threatcare is releasing the third iteration of its product, which is still almost entirely SaaS and web-based. This latest incarnation is not just a UI/UX facelift, however. The big new feature unveiled today has a name: Violet.
Threatcare was founded by Marcus Carey in 2014, employs ten and is headquartered in Austin, Texas. Carey went through Mach37’s cybersecurity accelerator program as part of the Fall 2014 group of ‘cohort’ companies. The product launched the following summer and later rebranded as Threatcare. As Threatcare, the company also went through the Techstars Austin accelerator program in early 2017. The product strategy has consistently been a subscription-based SaaS approach.
One of several advisers is ex-Tenable founder, Ron Gula, who is also an investor. Both previously-mentioned accelerators offer a modest amount of funding, and shortly after completing the thirteen-week Techstars program, Threatcare completed a seed round. This round was lead by Firebrand Ventures, with Gula Tech Adventures and Don Douglas (Geekdom Fund) also participating.
Identifying the Problem
Threatcare and the larger threat simulation market came about to create an efficient, safe way to validate security controls. The all-too-common problem is that security products are often implemented or configured incorrectly. By simulating a variety of tactics and techniques used by attackers, threat simulation makes it possible to test both basic functionality and efficacy in a safe manner.
Other use cases include the ability to train security staff — run some simulations, then ask staff to search for the results. Incident responders, threat hunters and other security analysts need opportunities that aren’t actual incidents to practice their craft and get to know how to use their tools.
Why hasn’t this been solved yet?
Security technology moves so quickly, the industry hasn’t taken the time to ask the question, “how do we know this works?” This market is the equivalent of a programmer’s debugger. It provides the means to safely and consistently find the issues in our security controls.
Exploit frameworks like Metasploit simulate attacks, right? Well, no — not really. The exploits and payloads in Metasploit are the real deal, not a simulation. Unfortunately, the real deal is often disruptive, carrying a chance it might crash a service rather than simply execute remote code. As such, most organizations typically aren’t comfortable with these exploits and payloads being used on production systems.
In contrast, threat simulations simulate these events in ways that should set off alarms in security monitoring products, but are harmless to production systems, as they stop short of executing any exploit or payload. Malicious executables are neutered and can’t be executed. Sensitive data exfiltrated isn’t actual customer or employee data.
Threatcare is a SaaS product sold in tiers. The tiers and pricing have changed with the Violet release, as the focus is now less on Threatcare being a threat simulation platform and more on Violet developing as security/SOC analyst automation that essentially functions as staff augmentation (i.e. do more with less staff).
The On-Demand tier is targeted towards those that need a tool like Threatcare temporarily, like for acquisition due diligence, for example. Acquirers need the ability to quickly determine how much work a potential target might require to bring up to corporate standards. As we saw in the Verizon/Yahoo case, lackluster security or evidence of a breach will have an impact on acquisition price. This tier adds API use, notifications (e.g. email, SMS) and orchestration in addition to a license that allows commercial use.
The Enterprise tier adds everything in Threatcare’s toolbox, including playbooks, scheduling functionality, reporting, segmenting Threatcare testing using ‘environments’, agent-based bots that move beyond browser limitations.
The embedded script feature is an interesting one — place an embedded script on a company intranet site or other common employee ‘waterhole’ website, and the script can run simulations from that employee’s browser.
The most obvious use case for threat simulations is testing security controls to ensure they actually work. Not just once, but on a regular basis or even continuously. We separate this testing into functional testing (i.e. is it turned on and functioning) and performance (i.e. how well does it work?). Functional testing should be performed after every change control request that impacts security controls.
Another use case is training analysts. A threat simulation platform can be configured to simulate a threat, challenging an analyst to find and report the threat. The analyst learns to use security tools more efficiently and more importantly, keep them sharp.
As previously mentioned, acquirers may use a threat simulation product to assess the state of a target’s security program.
Finally, one of the clearest use cases to us, it seems, is for integrators and managed service providers to use these products to validate that their work was done correctly and to the customer’s satisfaction.
Virtual Assistants: Evolution, not revolution
In 2015, the Amazon Echo was a beta product, and in infancy. Pushing the (then, modest) limits of the device didn’t take much. What does this have to do with cybersecurity and ThreatCare?
Well, one of the biggest problems facing enterprise security today concerns skill sets and staffing. Part of the problem is a lack of qualified staff, sure. Another issue, however, are the skills and labor necessary to run, use and maintain the plethora of security products owned by the average enterprise. We often joke (we’re not joking) with vendors that they need to put the ‘requirements’ on the box.
We’re really not joking — one of the most common factors that caused SIEM deployments to fail were underestimates of the labor necessary to implement and maintain a corporate-wide log management system. Of course, if a SIEM vendor came in and said, “you’re going to need at least three more people to use this properly”, they wouldn’t have sold as much product. I’ve heard from sources in the SIEM market that vendors did eventually start helping customers size projects a few years back, ensuring the human capital necessary to succeed would be available.
This is the exciting part, right? Well, yes and no. We are certainly excited about Violet’s potential, but would also advise cautious optimism. For anyone used to Alexa, Siri or Google Home, understand that the inaugural installment of Violet isn’t going to be on that level. The good news is that Violet doesn’t need to answer nearly as broad a vocabulary as any mainstream virtual assistant. Regardless, the fact that Threatcare is bold enough to take a shot at something like this is refreshing.
We’d love to see more security companies produce products that prioritize usability and make the most of modern UI/UX technology. We don’t need yet another skeleton of a web interface wrapped around another parser, regex or REST API. As a lack of skilled talent becomes more and more of an issue, we need security products to make up these shortcomings with efficiency, usability and automation in their products.
The next steps toward creating a ‘virtual’ security analyst are challenging, but not impossible. Violet will eventually need to be able to distinguish the difference between Equifax.com and Equ1fax.com though (1337-speak parsers exist), which could be tricky for a semantic interface.
Violet, run a WHOIS on Equifax dot com with a one.
A human knows the preceding statement means running the following command, but Violet needs to be able to parse such language reliably.
Violet is also not convenient to use… yet. Currently, you have to go to the page for Violet and click to enable the microphone when you need to ask questions. It wouldn’t take much effort to get it to the point where a dedicated ‘listener’ interface is created, so that the SOC analyst won’t have to pull up the Violet webpage and enable the microphone. In this iteration, Violet feels more like a demonstration than a production tool, but that’s fine — Threatcare’s interface is already leaps and bounds beyond typical usability standards for this market (“first, use pip to install these 37 python libraries…”).
Furthermore, Violet will need to learn a lot more than how to run threat simulations on command. To fulfill the goal of augmenting staff through automation, Violet needs to learn how to scan assets, search logs and perform other common security analyst tasks. None of this dampens our enthusiasm much, because everything currently missing from Violet has already been done by either a consumer product or security product. These new features should be relatively simple to add.
Will analysts actually want to use Violet though? Yes, we think so, especially when Violet becomes 1) 100% hands free (like an Amazon Echo) and 2) includes more common investigative functions. Threatcare’s already headed in the right direction, having added some DNS and WHOIS functions recently. Anything that saves the analyst from opening extra tabs or having to delegate to another analyst can start adding up to significant time savings.
The bottom line here is that Threatcare is a startup, and as such, isn’t just looking for customers. Startups are also looking for partners willing to give feedback and suggestions that will make its products better. Threatcare’s customers¹ get to help mold Violet into something more closely resembling a virtual analyst, and that’s an exciting prospect.
Threatcare’s primary pure play competition is AttackIQ, Safebreach and Verodin. All three take a more comprehensive, agent-based approach to threat simulation. ‘Comprehensive’ means that these vendors’ products can simulate events between multiple points within the corporate network, testing internal segmentation, firewalls and access controls. The added complexity of this approach, however, means that none of these solutions can be put into use simply by logging into a website.
With the addition of Threatcare’s bots, the gap between competitors begins to narrow. However, the introduction of Violet could widen it again if this technology takes the company down a different path.
We’re keeping the competition section light, as we’re currently working on a buyer’s guide for this market — keep an eye out for that report later this fall.
There is a lot of room in the market for four threat simulation vendors to expand exponentially for years to come. We were already excited about threat simulation and the addition of virtual assistants makes this small market even more intriguing.
The next step is likely to be increased automation and orchestration. Also, as Threatcare continues to pull back more and more information from scans and/or calls, there will be calls for more robust interface to explore, analyze and manipulate all this data. Asset discovery, inventory and management could also be very interesting and useful when correlated with threat simulation data. Savage Security included (see Full Disclosure below)
Threatcare is a client, but was not compensated for this post. Savage Security was not commissioned to write this piece. Threatcare was, however, given an opportunity to perform a fact check of this piece prior to publication.
Savage Security has occasionally tested Threatcare’s product off and on since October 2015, but has not received payment in exchange for this advice. Savage Security has received a consulting license of Threatcare’s product in exchange for marketing services. This piece is not intended to be one of these marketing services, and Savage Security takes care to leave personal opinion out of analysis pieces. We use this consulting license to help assess the efficacy of our enterprise clients’ security controls. Pay for play has had a detrimental impact on this industry, and we respect our clients too much to risk adding to that problem.
A Savage Security employee sports a Threatcare sticker on one of their laptops. Hey, we said full disclosure, right?
About Savage Security
Savage Security is a cybersecurity research and consulting firm, founded by industry experts with over 30 years of combined experience. We are trusted advisers for our customers, whether providing market services to improve their products, or building defensive strategies to secure their environments.
Interested in any of our consulting, market or subscription services? Drop us an email (info at SavageSec dot com) or go old school and give us a call at (844) 572–8243.
Our website and brochures go into more detail on how Savage Security can help you with your security needs or research project.
Violet: Threatcare’s virtual assistant for security tasks was originally published in Savage Security Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
This is a Security Bloggers Network syndicated blog post authored by Adrian Sanabria. Read the original post at: Savage Security Blog - Medium