This Year’s Innovation Sandbox Theme: Taking Humans out of the Security Equation

Kicking off the RSA Conference with the Innovation Sandbox event-within-an-event has always made a lot of sense. Attendees get an overview of what’s coming next in security without having to feel like they have to jump into a deep dive right out of the gate. They get 10 three-minute presentations that delve into a host of security problems begging for better solutions. 

(The presenters also likely appreciate getting that stressful three minutes over with so they can relax and enjoy the rest of the conference, but I digress.) 

The Innovation Sandbox also gives RSA Conference program Chairman Hugh Thompson a perfect forum to put things in perspective as only he can. Last year, it was a story about how the crew of a flight he was on responded to discovering that a bird had stowed aboard the plane. This year, he told another flight-related story, only the events occurred many years earlier, far from any airplane. 

It went like this: Thompson’s seat neighbor, a long-time IT professional, had at one time worked for a mid-sized company that he discovered was not backing up a system controlling a critical assembly line process. This was back in the era of 5 ¼ inch floppy discs, and this man proceeded to back up the system using 10 floppy discs, which he then walked over to his secretary and asked her to label and store in a fire proof safe. 

Three months later, a power surge destroyed the system in question, necessitating that it be rebuilt from scratch. Thompson’s flight mate retrieved the discs, popped the first one in, and got a system administrator’s nightmare message: “media error.” 

He again rebuilt the system from scratch, and days later took another set of discs to the secretary, asking her again to label and secure them. Then he watched in horror as she took the first disk and stuffed it into the typewriter, which was clearly how she’d labeled the earlier discs, rendering all of them useless. 

Eventually, it was determined that the gaffe wasn’t the secretary’s fault because she’d been given technology, but not the knowledge of how to use it. 

“Every day, we’re confronted with new technologies,” said Thompson in nailing home the point of his story, “but we don’t know how to make good decisions with those technologies.” 

This, as it turned out, was a major theme of this year’s Innovation Sandbox presenters: Namely, taking human decision-making out of the equation by putting artificial intelligence to work and extracting insight from data. No fewer than six of the 10 startups consider AI a central component of their solutions: 

-StackRox is looking to make security behave more like applications. In other words, CTO Ali Golshan said, security should be portable, agile and continuous, and it should be automated and integrated. And it’s not just about humans—StackRox wants to take the business itself out of making decisions, a reflection of how companies increasingly want to focus on their core businesses and not get bogged down with IT tasks. 

-ShieldX is leveraging machine learning to automatically discover cloud assets, and then use containerized microservices to orchestrate security across those assets. 

-ReFirm Labs has created an automated cloud-based platform for monitoring device firmware and providing alerts about any new vulnerabilities that could exploit the firmware, which CEO Terry Dunlap said is a favorite point of exploitation for nation-state hackers. 

-BlueVector is tapping AI to sense and respond to threats before they happen. The company scores network traffic events; higher scores trigger automatic monitoring, lower scores are moved to a workbench for further analysis. CEO Kris Lovejoy said the company’s technology can detect threats up to 13 months in advance. 

-Awake Security’s AI-driven security investigation platform uses network intelligence to literally alert security teams as to the most important threats, an approach CEO Michael Callahan said enables customers to find attackers who are blending in, especially if they’re doing so via unmanaged devices. 

-Acalvio is taking a decidedly AI-fueled approach to deception, applying data science to create just-in-time “fluid deceptions,” something that humans have been tasked with until now. The idea is that by engaging nefarious actors with an autonomous deception engine rather than simply observing them, companies can divert attackers away from their targeted booty. 

Lest it seem that AI is taking over the security world, there were a few Innovation Sandbox finalists whose products aren’t AI-dependent (although there is no doubt AI behind them somewhere): 

-Audience favorite Hysolate has created a virtual air gap approach that essentially lets a single laptop act as if it’s two laptops running on two separate operating systems, one of which is specifically for accessing enterprise data. This has the potential to not only greatly improve security by limiting attackers to the less sensitive OS, but also to increase productivity by preventing users from having to carry two separate laptops. 

-CyberGRX’s cloud-based third-party risk assessment as-a-service seeks to plug another huge hole, one created by the abundance of third-party vendors that access and interact with a company’s network. 

-And finally, Fortanix, which was one of the competition’s two finalists, has built a run-time encryption platform that keeps applications encrypted while they’re running, filling a hole that’s been left by technologies that encrypt data while it’s at rest or in transit, but not while it’s actually being used by an application. 

In the end, the judges favored a company that combined an uncanny sense of timing with an approach that’s closely related to AI. BigID is using what it calls “deep data science” to help organizations take stock of their data and gauge their privacy risks, as well as the potential exposure associated with those risks, a timely proposition as the May 25 deadline to comply with Europe’s General Data Protection Regulation approaches rapidly. 

And it’s not just the GDPR deadline that makes BigID’s approach so opportunistic; the technology also can be used to address the kind of privacy issues that have dogged Facebook of late. 

Ultimately, all 10 finalists should fine market receptivity: Thompson ran a ticker showing that the last 50 Innovation Sandbox finalists have raked in billions in venture investment, and 15 of them have been acquired. Those are numbers that attract the attention of entrepreneurs, with or without the help of AI.