Paradigm shift in cybersecurity and the emergence of Enterprise Forensics — a chat with Binalyze’s founder

Mehmet Atici
Published in Earlybird's view
Feb 4, 2022

We at Earlybird Digital East are excited to announce the $10m Seed round of Binalyze, the Enterprise Forensics platform which enables enterprises to respond to cyber threats faster and more effectively.

Since we led their pre-seed round in 2021, we feel proud to see Binalyze developing into a category leader in the Enterprise Forensics space, as well as witnessing our investment thesis materialize (which you can read in our earlier blog post).

Emre, Binalyze’s founder and CEO and an experienced cybersecurity veteran, is surely one of the main driving forces behind the company’s impressive performance so far. To mark this important milestone for the company, we sat down with Emre to talk about his personal journey and the future of Enterprise Forensics, an emerging new cybersecurity category.

Emre, let’s take it from the start. Tell us about your professional background and how you decided to found Binalyze.

Software development has been my passion from an early age, but my cybersecurity journey started almost 10 years ago, as an R&D engineer at Zemana, a provider of antimalware products. Here, I had the opportunity to develop products fighting against advanced rootkits, serving millions of customers in the US. After Zemana, I joined Comodo, a leading endpoint and network security solutions provider, as the Malware Analysis Team Lead.

During the last few years of my professional career before founding Binalyze, I was already involved in a number of high-profile cyber investigations which showed me the fundamental shortcomings of the existing solutions on the market. I realized that it is practically impossible to completely prevent cyber breaches which, as a security professional who has spent more than 10 years in creating preventive solutions, was a turning point for me. It was then that I decided to found Binalyze.

I convinced one of my colleagues to join me, and within six months, we’d come up with a prototype. The rest of our best guys joined us soon after that, forming a strong core team in a really short period of time. Binalyze is actually a 4-year-old company with 10 years’ worth of R&D.

Traditional digital forensics has fallen behind in innovation compared to other cybersecurity categories. Why do you think it is changing now with the emergence of next-gen Enterprise Forensics?

Our involvement in digital forensics was triggered by our advisors from law enforcement. When Binalyze was still in the concept stage, we quickly realized that existing digital forensics practices and solutions were archaic and were no longer applicable to modern cyber investigations. Over the last few decades, every enterprise’s attack surface has grown steadily, exposing more and more services and endpoints, and resulting in an increasing volume of ever more sophisticated attacks. The strong trends toward cloud adoption in the past decade and the more recent shift to remote working have complicated the situation even further. With breaches becoming more frequent and severe than ever, security teams are overwhelmed and in dire need of modern forensics and incident response tools. Traditional forensics tools, which are typically 10- to 20-year-old incumbents with outdated architecture and high technical debt, could not keep up under these circumstances. There are also strong entry barriers for new players, since digital forensics is a highly technical area that requires significant expertise not only in malware, forensics, and incident response, but also in operating systems, cloud, and containers. Given all these, it’s evident that traditional forensics is no longer sufficient and that we need a new forensics paradigm. We call this new forensics approach Enterprise Forensics and, as Binalyze, I can clearly say we’re at the cutting edge of the field, tackling the right problem at the right time.

There are already mature SIEM and EDR players playing similar, yet different roles in the cybersecurity stack. They also have some forensics capabilities. One wonders whether there’s a need for a separate solution.

Widely used cybersecurity products such as SIEM and EDR are geared towards the monitoring and detection of cyber incidents. SIEM simply receives event logs from multiple security software applications, which are recorded in a limited timeframe, and tries to correlate them. And EDR is an evolution of antivirus/endpoint protection suites. It monitors endpoint activity, and collects and analyzes the data collected from endpoints to identify threat patterns. Whenever a SIEM or EDR detects an incident and generates an alert, the ball is then in the security operations team’s (SOC) court. The SOC team has to decide whether it’s a real incident or just a false positive, which are produced quite frequently — even by market-leading SIEMs/EDRs. If it is a real incident, then they need to investigate further with forensics software to identify the source, and understand the extent of the breach and the damage caused. And more importantly, there are many cases where SIEMs/EDRs fail to generate alerts even when there is an actual breach. For a continuous compromise assessment, SOC teams should have a forensics history of their assets and should be able to access this data in near real-time.

Some EDRs may provide forensics features to some degree, but these features are usually just provided “as a bonus” since forensics isn’t EDR’s core value proposition. Indeed, these bonus forensics features couldn’t be compared against a fully-fledged product that’s designed for forensics from the first line of code. This is something we as a team have also experienced first-hand while working at EDR, antimalware, and endpoint security vendors prior to Binalyze. Therefore, we’ve never considered EDR or SIEM products as competitors. Digital forensics is a 40-year-old practice and it is far more than just a ‘bonus feature’ — it is an industry in its own right.

We see a major paradigm shift in cybersecurity from prevention to detection and incident response. What has been driving this shift and what are the implications for the cybersecurity software stack?

That’s true. We’d say that there is an arms race in cybersecurity and adversaries are currently leading the way through their constantly evolving attacks. Security teams try to reconfigure and improve their prevention capabilities, but that typically doesn’t deter attackers, who inevitably come back with another attack exploiting some other vulnerability. It can be an APT group, a script kiddie, or an insider — there’s no 100% prevention of cyberattacks. There will always be a breach, meaning detection and response are more critical than ever. Layers of products can create a false perception of security. In reality, though, many of them are simply lagging behind the latest threats in the market. Detecting a breach isn’t sufficient in itself; the “timely” detection and response are critical. The SolarWinds hack, for example, was detected almost a year after the breach. Our industry is moving towards an era in which enterprises are required to perform continuous compromise assessment and damage control, and forensics is an integral part of this new approach. Without faster, more detailed, and more accurate investigation capabilities, enterprises will fall behind in detection and response capabilities.

“100% prevention of cyberattacks is simply not possible. There will always be a breach, meaning detection and response are more critical than ever. We are moving towards an era in which enterprises must perform continuous compromise assessment and damage control. Enterprise Forensics is an integral part of this new approach.”

The growing shortage of global cybersecurity professionals is affecting enterprises of all sizes. How can they deal with such a gap and keep up with the volume of cyber breaches?

We’re in the middle of a talent war. Finding talent and keeping them up-to-date with the recent advancements in cybersecurity is a big challenge. When you don’t have a large army of security professionals with sufficient skills, defending your network, servers and endpoints against highly motivated hackers, some of whom can even be nation-states, becomes a huge challenge. Looking at the security talent supply and demand trends, it looks like this gap won’t close anytime soon. One way organizations can overcome this talent shortage is to automate their security operations with modern tools and processes. DevSecOps, breach and attack simulation, continuous security validation, automated penetration testing, and many more new categories have emerged in response to such needs. And, as one of the most labor-intensive tasks within a SecOps team currently, forensics and incident response is also ripe for automation. At Binalyze, we’re obsessed with automation. It’s one of the earliest design principles of our products, and we still release every feature by taking into account the level of automation it will bring to our customers so that they’re less likely to have congestion in their daily operations, and can manage larger and more distributed infrastructures with smaller and less specialized teams.

Looking back, what were the defining points in your journey so far that you think had a significant impact on Binalyze? I believe seeing the initial demand in your first product would be a great validation point for realizing how big the enterprise use case can get.

Exactly. Before AIR, we had our data collector — the fastest in the market — which allowed our customers to collect forensically sound evidence during their investigations. With AIR, we’ve introduced several key features such as a central management console, the ability to collect data remotely via passive endpoint agents, real-time collaboration and timeline analysis, and the automated compromise assessment of artifacts. These new features significantly expanded our value proposition to larger customers. The turning point was how quickly it was picked up in the market, even without any marketing or sales effort. In the startup world, it’s very rare that the advice “if you build it, they will come” holds true. In our case though, it certainly did.

Another validation point for us was having our first investment from Earlybird Digital East in 2021. We truly realized the global opportunity in leading the development of a new category — and how that requires A-players both in your team and board. We’ve since focused more on hiring the best talent and filling critical positions after bootstrapping for three years.

Congrats on the recent $10m Seed round, a great milestone that came shortly after your pre-seed round. Please tell us about your plans and share your vision for Binalyze.

We’re on a mission to innovate digital forensics by making it available for any enterprise investigation whether it’s an internal investigation, a cyber-security alert, or a ransomware case, and enable our customers to see what was previously unseen. The aim here is to make Binalyze synonymous with digital forensics.

Our recent round is an acknowledgment of the fact that we’re on track to being the industry leader in Enterprise Forensics and we’ll keep going at the same pace, addressing the current problems of our industry. We’ll use the new investment for our US market expansion and to maintain our product leader position in this emerging category by adding unique features for cloud and container forensics that will make our product a one-stop shop for any enterprise investigation.

Follow Binalyze here.

Learn more about our original thesis for Binalyze here.

See our other recent cybersecurity investments: Trickest, Picus Security.

Written by Mehmet Atici and Baturay Kaya
