See All to Secure All — Why I’m Joining Axonius

Nathan W Burke · Published in Axonius · 5 min read · Nov 1, 2017

In the 4 months since Hexadite’s acquisition by Microsoft, I’ve had a lot of fun. Working to integrate the security automation functionality of Hexadite AIRS into Windows Defender ATP (in record time) was a great experience and I had a chance to work with some truly amazing people. But now it’s time to go back to the startup world, and as of 12:01 this morning, I’m the Chief Marketing Officer at Axonius. I’m excited.

The Problem

There are plenty of problems worth solving in cyber security. Let's just say it's a target-rich environment. At Hexadite, we were solving the cyber security capacity problem: too many attacks generate too many alerts, and there aren't enough people to follow up on them.

With Axonius, we’re trying to help IT and Security Teams answer four basic questions:

  1. How many devices are on my network?
  2. Why are these devices important?
  3. Where are the blind spots?
  4. What can I do if I know the state of all devices?

The Easy Question With A Difficult Answer

The first question: “How many devices are on my network?” should be easy, right? Not exactly. As Adrian Sanabria wrote in a piece on Axonius:

Our market is full of machine learning, big data and even virtual reality interfaces. So why, as an industry, haven't we properly addressed so many of the basics? The answer is simple: the basics are hard. It might not be the sexiest problem to solve, but asset management is critical to an effective security program. We can't secure what we don't know about. The security industry has some serious unfinished business to contend with.

and

Currently preoccupied with applying machine learning algorithms to everything, the security industry has, for the most part, stayed away from large-scale device identification, authentication and management efforts for nearly a decade. It seems strange that, in 2017, our tools should have such difficulty telling the difference between an Amazon Echo and a laptop running Ubuntu, but now is definitely the right time to revisit this problem.

Why Is Every Device Important?

Surely a home laptop is different from a production server, which is different from a smart aquarium, right? There are two very important points to keep in mind when deciding whether a device is relevant:

  1. Devices have access to information — whether it's a mapped company drive or stored credentials for a salesforce.com instance, devices are given access to corporate data that you don't want in the wrong hands.
  2. Each connected device is a node in a cyber attack — look at devices from the attacker's perspective and each one, regardless of form, is a potential entry point on the way to what they're after. I used the "smart aquarium" example above, but this is a real attack reported by security firm Darktrace (via CNN):

Hackers attempted to steal data from a North American casino through a fish tank connected to the internet, according to a report from security firm Darktrace.

Despite extra security precautions set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped.

“Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Fier, director for cyber intelligence and analysis at Darktrace, explained to CNN Tech.

As internet-connected gadgets and appliances become more common, there are more ways for bad guys to gain access to networks and take advantage of insecure devices. The fish tank, for instance, was connected to the internet to automatically feed the fish and keep their environment comfortable — but it became a weak link in the casino's security.

Where Are The Blind Spots?

Another interesting question: "How do I find the devices that aren't managed?" Most larger companies use a mobile device management solution to secure corporate data on personal phones, and most have some kind of EDR product on their endpoints. But what about the things that are connected but not managed by any of those tools? How do you find out what they are and where they are (both geographically and on which part of the network)?

As Sanabria put it in the profile quoted above:

“We can’t secure what we don’t know about.”

What Can I Do if I Know?

So let's take a leap forward and assume the problem is solved. Everyone can now see every laptop, desktop, server, phone, fish tank, whatever, along with the software running on each. What net new capabilities would that bring?

  1. Show me how many and which of my machines are vulnerable to WannaCry — Think of what you'd have to do today to answer that question. You can't just ask Alexa.
  2. Increase security solution coverage — If you can see which machines are covered by which security tools, you can use that information both to broaden coverage and to address the blind spots intelligently.
  3. Verify security policies — You may have airtight security policies on paper, but what if you could verify that they are working in reality? What if you could automatically test whether your DLP solution is working across all devices?
  4. Focus your patch management efforts — Knowing which devices are running which versions of unpatched software certainly helps in patch prioritization.

Of course, that's just the beginning. I could go on (and will, soon), but this is day one. I'm incredibly excited to get started with a clean slate and an awesome team of super smart and genuinely good people.

Here we go. See all to secure all.
