Startup Axonius steps in to help enterprises (re)tackle the basics
A Savage Security Market Report
The security industry is full of solutions to prevent advanced and sophisticated attacks, but somehow we still lack the basic ability to perform effective asset discovery and identification. Of all the controls we consider to be ‘the basics’ of information security, asset management is considered the first and most critical. This is why Savage Security is interested in what Axonius will be up to in the near future.
Company Data
Axonius is an Israeli security startup focusing on the problem of asset discovery and management. YL Ventures led a $4 million seed round for Axonius, with Vertex Ventures and Emerge participating.
Identifying the Problem
Axonius will focus, in particular, on the influx of IoT devices in the enterprise. Yoav Leitersdorf, managing partner at YL Ventures, has described this influx as a “Cambrian-like explosion”. Yoav’s description isn’t far off the mark, though the problem is even more problematic than just new devices. The average organization still struggles with existing devices. The Bring Your Own Device (BYOD) trend that emerged in the late-2000s is still an unsolved problem for a significant percentage of organizations today.
It’s only a matter of time before organizations start finding the ‘smart’-equivalent of space heaters and fans at employees’ desks and connected to the corporate network. It isn’t just consumer IoT that’s part of this ‘Cambrian’ event — industrial IoT is competing for enterprise network IP space as well. Heat and air systems, datacenter sensors, building security and a myriad of other embedded smart devices will all talk on the corporate network, gathering data or asking permission as their charge requires.
Ultimately, most security and IT problems begin with visibility and that’s where we find the core of the problem Axonius is set to address. It’s not enough to know that active devices exist on the corporate network. The devices must be identified, categorized and assigned to owners, if possible. Only after all these things have occurred can security decisions be safely made regarding them and security policy applied to them.
Why hasn’t this been solved yet?
Our market is full of machine learning, big data and even virtual reality interfaces. So why, as an industry, haven’t we properly addressed so many of the basics? The answer is simple: the basics are hard. It might not be the sexiest problem to solve, but asset management is critical to an effective security program. We can’t secure what we don’t know about. The security industry has some serious unfinished business to contend with.
That’s not to say that the industry hasn’t tried to address these issues in the past. Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) suites emerged to address the BYOD challenges, but were met with pushback, as many employees weren’t comfortable turning over full control of their personal property to their employer.
Network Access Control (NAC) emerged in the 2000s as well. NAC seemed, in theory, the perfect formula to address unauthorized assets in the enterprise: analyze and authenticate devices before allowing them to join the network proper. In reality, the level of integration and automation necessary to make NAC work smoothly wasn’t there initially, and the security industry saw its first wide-scale market failure. It’s a rare event in the security industry when more than a few companies simply go out of business, and the NAC space lost more than a dozen with some help from 2008's Great Recession.
Currently preoccupied with applying machine learning algorithms to everything, the security industry has, for the most part, stayed away from large-scale device identification, authentication and management efforts for nearly a decade. It seems strange that, in 2017, our tools should have difficulty telling the difference between an Amazon Echo and a Laptop running Ubuntu, but now is definitely the right time to revisit this problem.
Product
The core of the problem Axonius addresses is visibility. It’s not that products offering visibility don’t exist — the market is full of them, in fact. The problem is that most of these products are siloed and geared toward different audiences. Gigamon and Solarwinds favor network admins. Qualys, Tenable and Rapid7 can gather a wide variety of information from devices, but access to their repositories tends to be limited and the information represents a point-in-time that can grow stale and inconsistent. Tanium can answer questions about an environment in real-time, but has a server and workstation focus.
Few of these offer more than a murky view of the IoT landscape and fewer reach beyond the traditional corporate network, into public cloud assets and off-premise devices. Axonius doesn’t attempt to reinvent discovery and interrogation techniques. Instead, it wisely takes advantage of existing systems-of-record and APIs, allowing it to have a rich view into the big picture with minimal effort. This allows Axonius to focus its efforts on the problem of answering the correct questions and presenting the information in a more effective context.
More wisely, Axonius avoids competing with most of the aforementioned vendors by enhancing the information they collect, not replacing it. Axonius’s modular, API and platform-based approach somewhat resemble Tanium’s basic design. Reporting, information gathering, control and enforcement are all a matter of integrating additional modules into the platform. The advantage of this approach is that Axonius can build a comprehensive platform without pricing the product out of the reach of smaller budgets, or organizations that only need the visibility components.
The modular approach suits the world of industrial IoT as well, where the technology can be as unique as the industry verticals it serves. A restaurant chain, for example, is unlikely to have need for a modbus-aware module that an energy company might find invaluable.
Competition
It will be easier to properly judge Axonius’s competitors at later stages, but currently, there seem to be at least a few offering some similar functionality. Claroty, Bayshore Networks and SecurityMatters are examples that focus on OT (Operational Technology, as opposed to IT — Information Technology). We’re interested to see if this is an effective approach long-term, especially concerning who the buyer might be. If Axonius can succeed on the OT side of the equation, it will be serious competition for the OT-only platforms.
Senrio’s Insight is the closest product we could find to Axonius, in that it focuses on the big picture, not just one side of the IT/OT equation. Last, but not least, Tripwire is an interesting competitor here. Originally associated with file integrity monitoring, the company made acquisitions into the vulnerability management (nCircle) and SIEM/monitoring (Activeworx) spaces. The acquisition of Tripwire by industrial manufacturer Belden in 2014 was unexpected, but was the move that puts the company onto this list. Since the acquisition, Tripwire has steadily extended its existing offerings to suit the OT side of the market, making it a competitor here.
The Future
Real-time notification of state changes, new unauthorized devices and firmware update availability are all things to look forward to. The industry has some work to do to get there, but there’s no reason to aim for less than complete situational awareness regarding the assets we own. Expect to see more startups in this category, overlapping with it and adjacent to it. Asset management and identification is one of the basics we need to master sooner rather than later.
