Our Investment in FireCompass
By: Som Pal Choudhury, Rohan Choukkar, Sanjay Jain, Shyam Menon
Cybersecurity attacks, enterprise breach events and phishing attacks are on the rise, with an incident reportedly happening every 39 seconds according to Security Magazine. A significant number of hacks never get reported, and it may take up to 6 months for enterprises to even realize that a data breach has happened. Since COVID-induced lockdowns began, the FBI has reported a 300% increase in reported cybercrimes in the USA, while in India the increase is over 500%. All these hacks and breaches happen while an eye-popping $123 Billion gets spent annually on cybersecurity, with several thousand cybersecurity vendors offering tools and services. Clearly, the hackers have managed to stay a few steps ahead of the defenders!
Looking at the history and evolution of Cybersecurity and the current state we are in, three key transition points are worth highlighting.
- Till the early 90s, data and computation lived on large mainframes or standalone PCs. Security threats and their remedies were largely focused on individual machines. Some of us old enough will recall virus-infected floppy disks or disabling copies.
- The proliferation of networks and the internet came next. Data was shared but was still within the enterprise boundaries. Internet access created the need for firewalls. Vulnerability scanning and penetration testing became the norm, and automated tools emerged.
- The wild west emerged in the last decade: rapid migration of data and assets to the cloud, use of open source tools, databases and frameworks, an API-driven culture, increasing use of 3rd/4th party vendors, geographically dispersed and outsourced teams, and now employees mostly on WFH mode. Billions of leaked credentials on the dark web and the rise of phishing attacks have become the norm. The ‘Attack Surface’, the sum-total of every exposed asset and entry point an attacker can probe and every open vulnerability they can compromise, has suddenly increased by several orders of magnitude. Under the guise of agile processes, employees routinely bypass IT and security teams, which Gartner refers to as ‘Shadow IT’. Many will recall that even a few years back, IT teams were your guardian angels for all hardware/software needs. Today, instead of filing an IT ticket and waiting for a resolution, you simply swipe your card and open a cloud instance!
The good old approach to security testing, running Vulnerability Assessment and Penetration Testing (VAPT), works well when your assets are ‘Known’. You simply monitor and test those assets, run deep scans and put layers of security around them. But over the last few years cloud adoption has increased substantially; data and content are added and deleted without the security team’s knowledge; credentials are increasingly compromised; and the security posture of vendors and partners cannot be monitored. In short, the ‘Attack Surface’ and the ‘Unknowns’ have increased significantly. Hacks happen both due to simple errors, like leaving a cloud bucket holding a customer database publicly accessible, and due to far more sophisticated multi-stage attacks, where hackers chain multiple vulnerabilities obtained over time into a single attack path. Each of these vulnerabilities may be low risk on its own and is therefore often overlooked when findings are triaged one at a time.
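To make the last point concrete, here is a small added example (not FireCompass code; every asset name and finding in it is constructed for illustration). It models findings as a graph of "controlling this asset lets you reach that one" edges, enumerates the complete attack paths from the internet to a sensitive backup bucket, and reports which paths consist solely of findings rated below the severity a typical triage would remediate, along with which hops run through assets missing from the inventory.

```python
"""Attack-path search over individually low-severity findings.

Added illustration, not FireCompass code: a chain of findings, each too
low-risk to be prioritised on its own, can still add up to a complete
compromise, and the hops often run through assets the security team does
not know it owns. All asset names and findings below are constructed.
"""
from collections import defaultdict

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings. Each tuple (src, dst, issue, severity) means:
# an attacker who already controls `src` can reach `dst` by exploiting `issue`,
# and `issue` on its own would be rated `severity` in a conventional report.
SAMPLE_FINDINGS = [
    ("internet", "www.example.test",
     "SQL injection in login form", "high"),
    ("www.example.test", "customer-backups",
     "web tier holds credentials for the backup bucket", "medium"),
    ("internet", "staging.example.test",
     "forgotten staging subdomain still resolving, missing from CMDB", "low"),
    ("staging.example.test", "ci.internal",
     "verbose error page leaks CI hostname and a service-account username", "low"),
    ("ci.internal", "customer-backups",
     "service-account password present in a public credential dump; "
     "CI role can read the backup bucket", "medium"),
]

# Constructed asset inventory: what the security team believes it owns.
KNOWN_ASSETS = {"internet", "www.example.test", "customer-backups"}


def find_paths(findings, start, target):
    """Return every simple path of findings that takes an attacker from
    `start` to `target`. A path is a list of (src, dst, issue, severity)."""
    adjacency = defaultdict(list)
    for src, dst, issue, severity in findings:
        adjacency[src].append((dst, issue, severity))

    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for dst, issue, severity in adjacency[node]:
            if dst in visited:  # never revisit an asset within one path
                continue
            visited.add(dst)
            path.append((node, dst, issue, severity))
            walk(dst, visited, path)
            path.pop()
            visited.discard(dst)

    walk(start, {start}, [])
    return paths


def path_max_severity(path):
    """Highest individual severity on the path: the 'worst' issue a
    finding-by-finding triage would see in this chain."""
    return max((step[3] for step in path), key=SEVERITY_RANK.__getitem__)


def overlooked_paths(findings, start, target, triage_threshold="high"):
    """Complete attack paths in which every hop is rated below the severity
    that gets remediated, i.e. chains a severity-filtered VAPT report misses."""
    return [
        path for path in find_paths(findings, start, target)
        if SEVERITY_RANK[path_max_severity(path)] < SEVERITY_RANK[triage_threshold]
    ]


def unknown_assets(path, known_assets):
    """Assets a path passes through that are absent from the inventory."""
    return {asset for step in path for asset in step[:2]} - set(known_assets)


if __name__ == "__main__":
    for path in find_paths(SAMPLE_FINDINGS, "internet", "customer-backups"):
        print(f"path (worst single finding: {path_max_severity(path)}):")
        for src, dst, issue, severity in path:
            print(f"  {src} -> {dst}  [{severity}] {issue}")
        print("  unknown assets on path:",
              sorted(unknown_assets(path, KNOWN_ASSETS)) or "none")
    missed = overlooked_paths(SAMPLE_FINDINGS, "internet", "customer-backups")
    print(f"{len(missed)} complete path(s) made only of below-'high' findings")
```

Run stand-alone, the script lists two paths to the backup bucket. The first is anchored by a high-severity SQL injection and would be caught by any severity-sorted report; the second reaches the same bucket through two low and one medium finding and passes through two assets that are not in the inventory at all, which is exactly the kind of chain a once-a-year, finding-by-finding assessment tends to miss.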
Security tools have obviously evolved with the changing times. Digital Risk Protection tools have emerged to scout for a company’s internet-exposed digital assets. Breach and Attack Simulation (BAS) tools run simulated attacks inside the environment to see which other assets become susceptible once an initial breach is assumed. An increasing number of enterprises are doing ‘Red Teaming’ exercises, or are regulated to do so: a team of ethical hackers uses every available Recon + Attack technique to try to compromise the enterprise, just as real hackers would. Red Teaming also tests how well the Security Operations Center (SOC) reacts to these attacks when the SOC has no prior knowledge of the red team’s existence or targets.
Conversations with global CISOs and security consultants educated us on their pain points, the changing landscape with increased ‘unknowns’, and the challenges and limitations of the current tools and solutions. CISOs were also overwhelmed by the sheer number and variety of tools involved. Digital Risk Protection tools threw up a lot of false positives requiring time-consuming validation, and are not integrated with actual vulnerability assessment tools. Current scanners are mostly depth-first deep scans, producing data-dump outputs which are hard to parse quickly, and most tools are still evolving to account for the growing external attack surface. BAS tools mostly allow for a simulated, after-the-fact post-breach analysis. Leading CISOs are increasingly implementing ‘Red Teaming’, where a team of expert ethical hackers spends 4–8 weeks looking for ways to identify vulnerabilities and compromise an enterprise. Unfortunately, these efforts are by their very nature manual, aided by a plethora of scripts and tools, constrained by available time and resources, and reliant on the skills, experience and motivation of the expert hackers to find as many issues as possible in a limited time. Professionals with such skills are rare and expensive. The problem is exacerbated by the wide range of open-source and commercial tools used by such teams, which are often not interoperable. Such exercises, while expensive, non-scalable and of limited coverage, remain only a snapshot in time, mostly done once or twice annually.
A new generation of startups is now emerging to discover and manage this ever-increasing internet-wide attack surface and then to run real but safe attacks on this surface more frequently and autonomously. While this category is still emerging with no market coverage or definition by any top IT/Cybersecurity consulting firms as yet, some investors have entered this space as it is one of the emerging whitespaces in cybersecurity with just a handful of players in an otherwise congested sector.
With offices in Bangalore and Boston, a veteran team of cybersecurity experts at FireCompass is building the next-generation Continuous Autonomous Red Teaming (CART) and Attack Surface Management (ASM) SaaS platform to identify the internet-wide attack surface, and then run safe attacks to proactively identify security blind spots before attackers do. The patented platform has already analyzed a large volume of data from the dark, deep and surface web, classifying and indexing domains, sub-domains, cloud buckets, open ports, leaked credentials etc. to discover an organization’s ever-changing attack surface. The attack engine then runs a range of complex multi-stage safe attacks on this discovered surface, covering networks, web/mobile applications, social engineering and more, to identify attack paths just as Red Teams would, but automated and at scale, all in a single platform.
The FireCompass team had earlier built iViZ (acquired by Cigital/Synopsys) and CISO Platform, one of the largest communities of CISOs and security buyers globally. We were impressed by the founding team’s insights as ethical hackers running red teaming efforts, their ability to identify serious vulnerabilities at top organizations, build and nurture a well-respected CISO community and develop scalable security products over the last two decades, and the traction built with global customers like Sprint Telecom and Unisys and partners like Security Innovation.
FireCompass fits squarely within our vision and mission to catalyze the growth of globally competitive, innovation-focused companies coming out of India and help scale them globally. We look forward to being a part of FireCompass’s journey to build the world’s foremost Recon + Attack Platform.
About the Authors:
Som Pal Choudhury is a Partner at Bharat Innovation Fund. He tweets @sompalchoudhury.
Rohan Choukkar is an Associate at Bharat Innovation Fund. He tweets @choukkar.
Shyam Menon is a Partner at Bharat Innovation Fund.
Sanjay Jain is a Partner at Bharat Innovation Fund. He tweets @snjyjn.
About Bharat Innovation Fund:
Set up in affiliation with CIIE.CO, Bharat Innovation Fund backs fearless entrepreneurs building deep-tech, innovation-led companies of consequence from India. We believe India’s talent, data and cost advantages make it uniquely poised to produce globally competitive tech innovations that will be global game-changers. We invest at early stages of ventures, typically writing our first check during pre-Series-A to Series-B rounds of start-ups.