Organizations can struggle to answer complex questions about their cybersecurity.
What are the control gaps in their security strategy? How well are their security stack and processes detecting adversaries? Can they operationalize finished intelligence?
Often, the answers to these questions are “no,” says Nick Lantuh, CEO and cofounder of Interpres Security. The company today launched from stealth with the aim of helping organizations check off “yes” to such questions.
As Lantuh noted, organizations struggle to get a complete view of their defense surface because there are so many specialized tools in their security stack. This can make it difficult to get a unified view of their security posture to defend against prioritized threats.
“It is time for something new,” said Lantuh, whose company offers customized, continuous, threat-informed analysis of an organization’s detection and mitigation capabilities.
“The current compliance, alert triage and vulnerability-centric approaches to the cybersecurity space are not working,” said Lantuh. “A threat-centric approach is the answer.”
Dozens of tools, yet continued attacks
To address the expanding number of cybersecurity threats — and facing the fact that the average cost of a data breach now sits at $4.35 million — organizations are adding more and more tools to their security tech stacks.
In fact, security teams from big enterprises now have a whopping average of 76 security tools in place. Databases top the list of assets that security leaders have the least visibility into.
As a result, many security leaders are blindsided by security events, incidents or breaches that evaded a control they thought was in place. Furthermore, security teams spend more than half their time manually producing reports.
“There are many seams and gaps that exist between security products that advanced adversaries exploit,” said Lantuh. “The industry by default is not starting with the threat, which is more manageable.”
Detecting and filling gaps
The Interpres founding team developed what it calls a new “threat-centric methodology” after experiencing a systems breach firsthand while working at a classified security operations center.
“We have firsthand knowledge of how hard it is to understand holistically how each security tool was working together (or not), the intensive manual effort to identify gaps in controls and the subsequent detection engineering to make it work,” said Lantuh.
In automating a tool to address this, the team got a holistic view and a true understanding of how the security stack actually worked, he said. In doing so, they successfully mitigated and blocked one of the best red teams in the world, as well as numerous advanced persistent threats (APTs).
This was the genesis of Interpres, which integrates the MITRE ATT&CK framework and insights from CISA, FBI, NSA and others.
This threat-based method profiles actors targeting an organization, their operational objectives, how they’re going to act — and once they do get in, what they can do next, said Lantuh.
The platform then recommends the mitigations, telemetry collection strategies and detection logic best suited to fill gaps in coverage.
Adversaries can do anything?
As Lantuh noted, all organizations struggle with their security posture and strategy.
“We believe this traces back to the belief that adversaries can do anything, and that you have to protect against everything,” he said.
But this really isn’t true. Companies are reactive, buying products to counter one-off threats rather than investing proactively in a threat-informed strategy, he said.
“Security solutions are focused on trying to manage an infinite number of vulnerabilities or trying to triage millions of noisy alerts,” said Lantuh.
As a whole, the cybersecurity community must move away from such a risk-based approach. Notably, research from experts and nation-level entities can help the industry optimize strategy as opposed to just plugging holes, he said.
“We need to make use of the campaign plans that the government provides to hone our aim and guide our defenses,” said Lantuh.
This allows data-driven decision-making “where we know our enemy, and we know ourselves,” said Lantuh.
He compared the industry to other threat-based models, including insurance. “Only in cyber have we decided that the adversary is all-powerful and all-knowing, which requires excessive investment to defend against, and is simply unsustainable,” he said.
No more blind trust
Interpres integrates with existing cybersecurity tools and features a situational awareness dashboard that detects drift in configuration and changes to risk posture, while also offering detailed board-level reporting.
This means that organizations don’t have to “blindly trust” their security product and service vendors, said Lantuh. This in turn frees them up to focus on the areas where they may be most vulnerable.
The company first builds out what it calls a “continuous threat-informed defense baseline” using patented analytics. The platform then prioritizes and tailors defensive actions against malware and adversary groups. It then provides real-time defensive-posture awareness by monitoring and alerting on changes in security posture and conducting “what if” analysis on breaking events.
For instance, Interpres has worked with organizations that have been compromised due to unoptimized and overlapping tools, configuration drift, lack of visibility and failure to apply appropriate detection logic. One customer had recently received a security operations center (SOC) certification, yet was breached by a red team shortly thereafter.
Interpres demonstrated where they had latent capabilities installed, optimized their detection-logic engineering and pointed out where capabilities were providing subpar return on investment, Lantuh explained. Over the next few months, the organization successfully defended their network against two additional red team evaluations and multiple APTs.
In another instance, Interpres conducted an automated analysis of a customer environment. Within 60 minutes, they diagnosed the customer’s top 10 potential attackers, preferred techniques, tactics and procedures, then compared those to the customer’s security stack. They identified several detection logic feeds that were not enabled, multiple detection signatures that were misconfigured, and missing detection logic, said Lantuh.
Enabling, configuring and automating security engineering was then prioritized, and Interpres provided automated security engineering in detection logic to free up resources to be used in other high-value activities.
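The threat-profiling and gap-analysis workflow described above (profile the actors most likely to target an organization, map the ATT&CK techniques they use, compare that against the detection inventory, and flag feeds that are not enabled, signatures that are misconfigured, and techniques with no detection at all) as an added Python example. This is a constructed illustration, not Interpres's analytics; the actor names, their technique usage and the detection inventory are invented sample data, and the technique IDs are real ATT&CK identifiers used only as labels.

```python
"""Threat-informed coverage-gap analysis (constructed example, not Interpres code).

Input: a ranked list of threat actors with the ATT&CK technique IDs they use,
plus the organisation's detection inventory keyed by technique.
Output: uncovered techniques ordered by how much actor pressure they carry,
each tagged with the kind of gap found (not_enabled, misconfigured, missing)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Detection:
    technique: str          # ATT&CK technique ID this detection covers
    enabled: bool           # is the feed / rule switched on?
    misconfigured: bool = False  # rule is on but known to be mis-tuned


def technique_pressure(actors):
    """Weight each technique by the rank of the actors using it (rank 1 counts most)."""
    pressure = defaultdict(float)
    for rank, (_name, techniques) in enumerate(actors, start=1):
        for technique in techniques:
            pressure[technique] += 1.0 / rank
    return pressure


def coverage_state(technique, detections):
    """Classify coverage the way the findings above are described."""
    matching = [d for d in detections if d.technique == technique]
    if not matching:
        return "missing"
    if any(d.enabled and not d.misconfigured for d in matching):
        return "covered"
    if any(d.enabled and d.misconfigured for d in matching):
        return "misconfigured"
    return "not_enabled"


def prioritized_gaps(actors, detections):
    """Return (technique, pressure, gap_kind) for every uncovered technique, highest pressure first."""
    pressure = technique_pressure(actors)
    gaps = [(t, p, coverage_state(t, detections)) for t, p in pressure.items()]
    return sorted((g for g in gaps if g[2] != "covered"), key=lambda g: -g[1])


# Constructed sample data: actor names and technique usage are illustrative only.
ACTORS = [
    ("Actor-A", ["T1059.001", "T1566.001", "T1021.002"]),
    ("Actor-B", ["T1059.001", "T1003.001"]),
    ("Actor-C", ["T1566.001", "T1003.001", "T1486"]),
]
DETECTIONS = [
    Detection("T1059.001", enabled=True),
    Detection("T1566.001", enabled=False),                     # feed not enabled
    Detection("T1003.001", enabled=True, misconfigured=True),  # signature mis-tuned
    # T1021.002 and T1486 have no detection at all
]
```

Running `prioritized_gaps(ACTORS, DETECTIONS)` on the sample data puts the disabled phishing feed first because two of the three top actors rely on it, ahead of techniques with no detection at all.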
Shrinking the stack
Interpres also today announced an $8.5 million funding round led by Ten Eleven Ventures. As Mark Hatfield, general partner at Ten Eleven Ventures commented: “We see CISOs regularly struggle to get a handle on which security tools are most effective for their organization’s specific needs.”
As such, CISOs want to hold vendors accountable for what they have promised, he said, and to understand how well their tools stand up to the threats they are most likely to face.
Interpres’s platform allows organizations to “shrink the stack,” said Hatfield, and “get the most out of their existing cybersecurity investments, understand where they are and are not protected, rationalize product investments and harden their defenses.”