Prevoty: Winning the War Against Zero Day Attacks

AWS Startup Spotlight

The AWS Startup Spotlight features startups all over the world building innovative, disruptive businesses on top of cloud infrastructure.

Prevoty delivers application security as a service for enterprises and automatically prevents the most common existing application security threats as well as zero-day attacks. Unlike traditional security approaches, Prevoty uses in-app calls to access a real-time contextual and behavioral engine that secures users, content and queries without any reliance on past definitions.

Prevoty was launched in March 2013 and is headquartered in Los Angeles.

Prior to Prevoty, cofounder and CEO Julien Bellanger founded Personagraph, an Intertrust company focused on mobile user privacy. He built and led Thomson/Technicolor’s digital advertising business unit in Latin America.

Cofounder and CTO Kunal Anand was the Director of Technology at BBC Worldwide. He has several years of experience leading security, data and engineering at Gravity, MySpace and NASA.

Q&A with cofounder and CTO Kunal Anand

What is Prevoty, and what is security as a service?

Prevoty is a pioneering new security software company. We have developed what Gartner calls “runtime application self-protection” technology delivered as a service. Prevoty uses in-app calls to access a real-time contextual and behavioral engine in the AWS cloud without any reliance on past definitions (i.e. known hacks). This is not just industry hype: The product actually works and we are live with real customers.

Existing offerings in the “security-as-a-service” space are primarily related to static or dynamic code analysis — looking for known vulnerabilities in applications. Development and security teams still have to fix the problems identified and they don’t protect in any way against zero day attacks (previously unknown attacks).

Prevoty’s concept of security as a service goes much further: We deliver active prevention of attacks and we accomplish this by having an intelligent security engine in the AWS cloud that is accessed in real time from within applications via SDKs. We are essentially giving applications the capability to protect themselves automatically.

Who is using Prevoty, and what’s the alternative?

We have a diverse set of customers using the Prevoty service: We have social networks such as Tagged, media and publishers such as Bleacher Report, financial services organizations, e-commerce and retailers, utilities, and energy companies. Basically anyone with a web-facing property, a brand to protect and something of value that hackers covet.

The common theme right now is that these organizations have forward-thinking security and application development executives who realize that they need to build security directly into their applications. They know that a service such as Prevoty’s gives them an ongoing level of protection they simply can’t do on their own.

The alternative is the status quo and that’s a losing battle. It can be summed up as combining two elements: perimeter-based security and developer-oriented security.

With perimeter-based security, incoming traffic is analyzed by a firewall, in particular a web application firewall (WAF), before being allowed to access the application itself. WAFs and advanced network layer firewalls typically rely on definitions and signatures to detect patterns for known threats. Given that hundreds of new hacks happen every week, no matter how many times you update the definitions, your perimeter-based security is guaranteed to be out of date.

For developer-oriented security, the onus is placed on the developer to code their applications with security in mind. Security testing software leveraging static and dynamic code analysis can help to some extent with certain types of application. And in-house security teams assist with best practices, code reviews, audits and penetration testing.

I still see much of this developer-oriented security as best practice, so it is more of a complement than an alternative to Prevoty. Once vulnerabilities have been identified, Prevoty can handle them automatically.

Ultimately organizations hire developers to build great applications with value to the business, not get bogged down by the arcane world of hackers and security holes. Our goal is to make implementing a secure SDLC a lot easier by taking away a lot of the challenges related to application security.

What are the most common threats, and at what point do startups need to worry about this?

The three most common threats that we hear about from our customers are these:

  • Cross-site scripting (XSS), where content can be exploited to cause malicious code to execute inside an application
  • SQL injection (SQLi), where queries can be exploited to access and potentially exfiltrate data from a database
  • Cross-site request forgery (CSRF), which can enable session hijacking and user ID theft

Startups by definition plan on being successful, so they should start considering how they will handle these attacks immediately. Because as soon as it looks like there could be value in attacking an organization’s web-facing assets, the hackers will be on it!

This is especially important for startups that have web sites and applications that feature user-generated content such as comments, ratings, reviews (an extremely common attack vector) and those that store personally identifiable information (PII) such as user names and passwords. In other words, just about everyone!

Take us under the hood of Prevoty. How does it work?

There are four components to the Prevoty solution:

Developer SDKs

Developers add literally three lines of code to their application:

  1. Include the Prevoty client SDK
  2. Create an instance of Prevoty client when the application starts
  3. Invoke client methods to the Prevoty engine to validate inputs, queries and tokens

Pre-built SDKs are available for all common languages and frameworks, including PHP, Python, Java, C#, Ruby on Rails, Objective-C, Hibernate, etc. All of these SDKs are available on our GitHub.

Security Configuration

Prevoty administrators set up how the engine should process inputs, queries and tokens using an easy-to-use admin console (AWS-hosted, of course!). Common configurations can be set up using our simple drag-and-drop tooling, while more advanced configurations can be created using JSON.

Prevoty Engine

When an API call is made, the Prevoty engine processes each piece of content, each database query and each change of state of a user token and provides back only valid and nonmalicious responses to the application. Compute processing time for each call is submillisecond.

Real-time Threat Intelligence

In addition to “cleaning” malicious content and queries and managing the validity of user tokens, Prevoty’s engine delivers real-time updates to security teams on the threats that are being seen within an application. And, importantly, when using Prevoty with multiple applications, the data is aggregated to a real-time view across the whole application portfolio.

What were you doing before starting Prevoty and how did you see there was a problem that needed solving?

I first started working on application development and security issues at NASA’s Jet Propulsion Laboratory and took that knowledge with me when I joined MySpace, where I would eventually lead the security team. At that time, shortly after the acquisition by News Corp, MySpace was one of the biggest web properties and was subject to an amazing amount of attempted hacks, particularly using XSS. I was fortunate to have been exposed to such an amazing time in web application security.

Following that baptism by fire, I moved to become director of technology at BBC Worldwide, overseeing engineering and operations across the company’s global digital entertainment and gaming initiatives. The BBC was another major organization with significant security challenges, not just because of the ordinary hackers but because the content used in the BBC’s properties came from such a diverse group of sources and some of that information was extremely sensitive (facets spanning PII to troop movements in the Middle East).

I realized then that security professionals and application developers were fighting a losing battle against sophisticated hackers and that a radical new approach was going to be required in order to provide the maximum defense for an organization in the cat-and-mouse game of information security.

So I spent a number of years researching and developing an approach that we have productized and are now delivering with our Prevoty service — one that does not rely on having seen an attack before and one that can handle the reality of today’s dynamic, distributed applications.

How does cloud enable your business? Why AWS?

First, let’s just talk about the practicalities of being any type of startup: By definition you have limited funding and limited resources. The last thing you need to do is to waste capital on building out infrastructure. So we run everything in the cloud. Everything. As a company we literally have no infrastructure that we own — our only capital outlay is our laptops (and they are BYOD!).

More important is what the cloud, and AWS in particular, gives us in the way of a platform to deliver the Prevoty service:

  • Amazon Route 53 is a fantastic way to manage DNS; being able to link A records to Elastic Load Balancing load balancers is a real treat. Combined with health checks, Route 53 can do some fun things with automated failover.
  • Amazon EC2 instances are fast to provision and image in the event of scaling bursts. And Amazon CloudWatch alerts keep us apprised of such things.
  • Amazon RDS and Amazon DynamoDB help us to focus on developing and deploying new features to our API instead of managing data stores, AZ replication, etc. (We secretly hope that AWS introduces region-based replication — wink, wink ☺).

You mentioned some AWS services you use. Can you tell us more about how you use those?

I’ll give you the highlights of the services that are critical for us:

Amazon Route 53 manages our DNS. Frankly, we wish a lot of DNS managers were as simple and intuitive as this.

We use Elastic Load Balancing to provision load balancers for various services: API, preview (demo sandboxes), WWW, etc. We terminate SSL on ELBs; this is such a convenience over managing certificates across Amazon EC2 instances.

Naturally we use EC2. For our API tier, we have some customers that hit us north of 20,000 requests per second. We’ve never run into any networking or ELB issues during any of these spikes. Last year, I developed a service called SmartCache (which runs on EC2) that’s effectively a combination of a cache/queue with aggregated persistence to MySQL. SmartCache helps us keep track of all the high-level statistics over arbitrary time periods.

We take advantage of EC2 tags to help us logically group services. We deploy Go binaries to our servers that run as HTTP daemons. For deployments, we’ve built a homegrown system (called PD) for AWS created by our Director of Engineering, Jason Mooberry. With PD, we can not only spin up more instances but also manage code rolls as well as create new images with default packages and configurations.

We use Amazon SQS as a message bus between our API servers and asynchronous processing, such as link analysis.

We use MySQL on Amazon RDS for account persistence and aggregated statistics (rollups). Our data model is relatively denormalized, which gives us opportunities to experiment with moving facets to Amazon DynamoDB.

Last but not least, we recently started using DynamoDB and absolutely love it. Fast and managed key-value storage has been great for keeping track of rolled-up statistics and API request-response metadata.

You came out of an accelerator in LA, Launchpad LA. What about the accelerator experience was most helpful to your startup?

We really focused on spending our time at LPLA understanding product-market fit. Being able to meet with mentors, investors and advisors was a fantastic experience. Getting real feedback from potential customers was invaluable.

A key benefit we picked up from LPLA was being able to get access to subsidized and discounted resources. We got lucky as AWS was on the list! This was a huge win for us: We got to focus our limited resources on product development instead of operations or a classic production build-out.

What initially brought you to LA, and how is the startup ecosystem there?

Even though Julien, my cofounder, and I met in the Bay Area, we decided that it made a lot of sense for us to start Prevoty in Los Angeles.

I’ve been able to travel to and live in interesting cities all over the world, but I consider LA my home (born and raised in the Valley). For Julien, LA was the first place he settled into when he was relocated to the US for work.

The biggest deciding factor to be in LA was our desire to be in close proximity of our families and closest friends. Like any startup, there are highs and lows. Both Julien and I wanted to be surrounded by a support network. I can’t express how great this has been.

A secondary benefit from being in LA is the ability to connect with other fantastic startups and technologists. Startups in LA seem to be a lot closer to each other — every company wants the other to succeed. As a great example, I’m lucky to be able to pick up the phone and talk to guys like Ankur Bulsara (CTO of Scopely) whenever I need to bounce an infrastructure idea off of someone at 2 AM.

You’ve raised over $3M in angel and seed funding. What advice could you give other startups trying to raise capital?

There are many hundreds of entrepreneurs better qualified to answer that than me! But I can tell you that from my experience I see the keys as having a singular mission, a clear and easily-articulated view of the market opportunity, some great core technology, a passion for networking and a very thick skin. You have to kiss a lot of frogs to find the one that turns into a handsome prince.

With Prevoty, our simple mission is to revolutionize application security with the Prevoty service and the market opportunity is pretty much every enterprise and government organization that does business on the web. Then when a potential investor looked skeptical, we would blow them away with a live demo of the Prevoty engine. The passion for networking didn’t come so easily for me, but my cofounder, Prevoty’s CEO, is an extrovert, has an MBA from Dartmouth and quite obviously loves that side of things, so I just let him drag me along to countless pitches and meetings.

Any general advice for startup CTOs?

First, trust your instincts with respect to your tech but be flexible when it comes to product-market fit. The core technology may rock, but unless someone is willing to pay for the product that is built on top of it you are not going anywhere. So get a minimum viable product to market as early as possible and iterate rapidly based on feedback from customers, prospects and, especially, those who chose NOT to buy.

Second, hire great people. Never settle for anything less than A+ players. A startup that is nimble and populated with a small group of amazing people can achieve more in a month than hundreds of developers in the multinationals can achieve in two years. Quite honestly it’s scary what our team cranks out in a week. But fun!