CyCognito believes it's time to think more like the attacker.
The cybersecurity startup, which is based in Palo Alto, Calif., and was founded in 2017, specializes in what it calls "shadow risk elimination." CyCognito's botnet-powered platform assesses hidden risks to enterprises by using publicly available information to see what attackers see. The platform then uses that information to conduct threat actor-like reconnaissance on enterprise environments and conduct simulated attacks.
CyCognito recently raised $18 million in Series A funding. Co-founder and CEO Rob Gurzeev discusses the insights that led to his company's founding, how its attack simulations work and a common challenge faced by CISOs.
Editor's note: This interview has been edited for length and clarity.
How was CyCognito founded?
Rob Gurzeev: We started two and a half years ago when we had the insight, based on our experience from working with intelligence agencies for many years, that attackers work in a completely different way from security teams in the sense that all of the tools that security teams use are based on the knowledge of the assets you actually have. And attackers always run a 'black box' process, meaning they have to run these reconnaissance processes first. And we understood and learned that this reconnaissance process is what gives attackers an advantage over the defenders every single time, and no matter how many tens of millions of dollars you invest in defending the assets you know, it's the assets you don't know or don't control that will eventually be targeted by attackers. We started with that understanding, we built a prototype very quickly and we saw that every single organization we looked at and worked with had huge problems.
That was the first key insight that led to us building the company, and the other insight was that these new approaches of reconnaissance actually counter six different Gartner categories in asset management, penetration testing, vulnerability management, threat intelligence, security ratings and breach and attack simulation. And we learned that if we built such a platform, we'll be able to counter and eventually replace over time these legacy approaches that were built 20, 25 years ago when companies had just two servers connected to the Internet; that's when these legacy approaches and legacy tools and legacy technical design were built.
How does your platform work?
Gurzeev: To run such a reconnaissance process at such a high scale, you cannot use a legacy technical approach either, meaning having two servers or scanning a few IP ranges or domain names you know. What we're doing is similar to the way Google indexes web pages; we have built one of the biggest bot networks in the world that we fully control and own, and we quote-unquote index the three and a half billion servers and devices connected to the internet to allow ourselves in the second stage to build a mathematical graph of an organization and understand what assets are owned by the company and what assets affect and are related to the company's security posture. And also, what is their business context? Unlike these legacy tools, which would receive this one-dimensional list of IP addresses from the security teams to run their scans and whatnot, our botnets actually map these assets with zero input from the customer in order to simulate these reconnaissance operations. And that process actually allows us to discover between 30-70% more assets than the security team knows about, and most of the critical attack vectors that were affected are usually based on these unknown and unmanaged assets.
Walk me through an attack simulation.
Gurzeev: So we pair these assets that we own and are strongly related to the company, we are able to handshake them without exploiting them at all to understand what are some data exposures that attackers can leverage. For example, if you have these servers that expose your source code, that is a data exposure for the company that is not based on a vulnerability, and you don't need to exploit anything to understand that it's usually not supposed to be there. Also, based on these handshakes, we can learn that this authentication method just doesn't exist or is using a 20-year-old encryption that can easily be decrypted or is using a piece of software that can be exploited using public tools for 10 years now. We will not exploit these attack vectors, but we can learn about them, and our accuracy is extremely high.
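The two answers above describe two steps: building a graph that attributes internet-facing assets to an organization so that assets the security team never listed turn up, and then reading handshake metadata from those assets to flag exposures without exploiting anything. The script below is an added illustration of both steps and is not CyCognito's code or a description of its platform; the "Example Corp" relationship records, the relation names (resolves_to, serves_cert, whois_org, subdomain_of), the handshake observations and the "cert:"/"org:" node prefixes are all constructed assumptions chosen so the example runs offline.

```python
from collections import defaultdict, deque

# Constructed relationship records for a hypothetical "Example Corp" (assumption, not real data).
# Each record is (node_a, relation, node_b). Nodes prefixed "cert:" or "org:" are evidence
# nodes that link assets together but are not assets themselves.
RECORDS = [
    ("example.com", "resolves_to", "203.0.113.10"),
    ("www.example.com", "resolves_to", "203.0.113.10"),
    ("203.0.113.10", "serves_cert", "cert:CN=*.example.com"),
    ("203.0.113.44", "serves_cert", "cert:CN=*.example.com"),   # forgotten host, same wildcard cert
    ("dev.example-labs.net", "resolves_to", "203.0.113.44"),
    ("dev.example-labs.net", "subdomain_of", "example-labs.net"),
    ("example.com", "whois_org", "org:Example Corp"),
    ("example-labs.net", "whois_org", "org:Example Corp"),
    # Unrelated tenant on neighbouring address space: must NOT be attributed to Example Corp.
    ("otherco.org", "resolves_to", "203.0.113.99"),
    ("203.0.113.99", "serves_cert", "cert:CN=otherco.org"),
]

# Constructed handshake metadata per asset: what a non-exploiting banner/TLS probe would return.
OBSERVATIONS = {
    "203.0.113.10": {"tls_versions": ["TLSv1.2", "TLSv1.3"], "paths": []},
    "203.0.113.44": {"tls_versions": ["SSLv3", "TLSv1.0"], "paths": ["/.git/HEAD"]},
}

LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
SOURCE_PATHS = {"/.git/HEAD", "/.svn/entries", "/.env"}


def is_asset(node):
    """Certificates and registrant organizations are evidence, not assets."""
    return not node.startswith(("cert:", "org:"))


def build_graph(records):
    """Undirected adjacency list: every relation is ownership evidence in both directions."""
    graph = defaultdict(set)
    for a, _relation, b in records:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def discover(seed, known, records=RECORDS):
    """Breadth-first walk from a seed asset; returns all attributed assets and the unknown ones."""
    graph = build_graph(records)
    seen, queue = {seed}, deque([seed])
    while queue:
        node = queue.popleft()
        for neighbour in graph[node]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    assets = sorted(n for n in seen if is_asset(n))
    unknown = sorted(set(assets) - set(known))
    return {"assets": assets, "unknown": unknown}


def exposure_findings(obs):
    """Flags derived from handshake metadata alone; nothing here sends an exploit."""
    findings = []
    legacy = sorted(LEGACY_TLS & set(obs.get("tls_versions", [])))
    if legacy:
        findings.append("legacy TLS offered: " + ", ".join(legacy))
    exposed = sorted(SOURCE_PATHS & set(obs.get("paths", [])))
    if exposed:
        findings.append("source/config exposure: " + ", ".join(exposed))
    return findings


def report(seed, known, records=RECORDS, observations=OBSERVATIONS):
    """Map the attack surface from the seed and attach findings to each discovered asset."""
    result = discover(seed, known, records)
    result["findings"] = {
        asset: exposure_findings(observations[asset])
        for asset in result["assets"]
        if asset in observations and exposure_findings(observations[asset])
    }
    return result


if __name__ == "__main__":
    known_to_security_team = {"example.com", "www.example.com", "203.0.113.10"}
    out = report("example.com", known_to_security_team)
    print("attributed assets  :", out["assets"])
    print("unknown to the team:", out["unknown"])
    for asset, findings in out["findings"].items():
        print(f"{asset}: {'; '.join(findings)}")
```

The graph walk is what turns three known assets into six attributed ones: the forgotten host 203.0.113.44 is pulled in only because it presents the same wildcard certificate, and its dev hostname then drags in a second registered domain. The unrelated tenant stays unreachable because no evidence node connects it, which is the property an inventory like this has to preserve to avoid scanning somebody else's servers. The findings step treats the unknown host exactly as the interview describes: the offered TLS versions and an exposed repository path are visible in the handshake and response metadata, so the risk is recorded without any exploitation attempt.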
What is a common security challenge that organizations often run into?
Gurzeev: Many CISOs, especially in the last few years, talk about the challenge of managing their modern IT assets. For example, just understanding what kind of stat solutions you're using, what are the 500 AWS accounts that you actually have and what are the new assets that these subsidiaries or new companies you just acquired as an enterprise, and how they affect your network. That's a critical challenge that we're seeing that CISOs have struggled with over the last five or 10 years and that's one of the areas we are focusing on the most.
CyCognito just raised an $18 million Series A. What are your plans for utilizing this new funding?
Gurzeev: For the most part, it's spending on the engineering and research teams even more so that we can expand and improve our platform even more and become the category king of attack surface security. That's one area, and the second area is our sales team so we can address the market's demand and approach and response to a larger number of customers and organizations.