AI powered Cyber Security startups


Artificial Intelligence (AI) and Machine Learning have become mainstream these days, but at the same time, they are some of the most used (abused) terms in the last 2-3 years.

Last year’s Gartner hype cycle report (2016 Hype Cycle for Emerging Technologies – shown below) shows this trend clearly.


Why do we need AI in Cyber security

The biggest challenge in the cybersecurity threat management space today is the ability (or lack of it) to effectively “detect” cyber attacks. One of the key levers in making “detection” work is reducing the dependency on the “human” element across the entire threat management lifecycle:

  • Let it be the detection techniques (signatures, patterns, and for that matter ML models and their hyper-parameters), or,
  • The incident “response” techniques:
    • involving human security analysts for analysing the detections, or,
    • human security administrators to remediate/block the attacks at the network  or system level

Introducing automation and bringing in cognitive methods in each of these areas is the only way forward, to take the adversaries head-on. And there have been numerous articles, presentations and whitepapers published on why Machine Learning (ML) and AI will play a key role in addressing the cyber threat management challenge.

In my pursuit of understanding how AI can be used effectively in the cybersecurity space, I have come across products developed by some of the leading startups in this domain. And in this blog post, I attempt to share my thoughts on 10 of these products, chosen primarily on their market cap/revenue, IP (intellectual property) potential, and any reference materials available about their successful detections so far.


  • I have tried to cover as much breadth as I can, in terms of covering products falling under various domains of cybersecurity – Network detection, UEBA, Application security and Data security, and so there is a good chance I have missed some contenders in this area. AI in Cyber is a rapidly growing plateau, and I hope to cover more ground in the coming months.
  • These Products are listed below in no particular order.

Let’s get started.

1. PatternEx

Founded 2013, San Jose, California

PatternEx’s Threat Prediction Platform is designed to create “virtual security analysts” that mimic the intuition of human security analysts in real time and at scale. The platform reportedly detects ten times more threats with five times fewer false positives compared with approaches based on Machine Learning-Anomaly Detection technology. Using a new technology called “Active Contextual Modeling” or ACM, the product synthesizes analyst intuition into predictive models. These models, when deployed across global customers, can reportedly learn from each other and achieve a network effect in detecting attack patterns.

The process of Active Contextual Modeling (ACM) facilitates communication between the artificial intelligence platform and the human analyst. Raw data is ingested, transformed into behaviors, and run through algorithms to find rare events for an analyst to review. After investigation, an appropriate label is attached to each event by the analyst. The system learns from these labels and automatically improves detection efficacy. Data models created through this process are flexible and adaptive. Event accuracy is continuously improved. Historic data is retrospectively analyzed as new knowledge is added to the system.

Training the AI happens when the AI presents a set of alerts to human analysts, who review the alerts and define them as attacks or not. The analyst applies a label to the alert, which trains a supervised learning model that automatically adapts and improves. This is a trained AI, and an interesting concept, that attempts to simulate a security analyst, helping the AI system to improve the detection over a period of time.

PatternEx was founded by Kalyan Veeramachaneni, Uday Veeramachaneni, Vamsi Korrapati, and Costas Bassias.

PatternEx has received funding of about $7.8M so far.

2. Vectra Networks

Founded 2011, USA

Vectra Networks’ platform is designed to instantly identify cyber attacks while they are happening, as well as what the attacker is doing. Vectra automatically prioritizes attacks that pose the greatest business risk, enabling organizations to quickly make decisions on where to focus their time and resources. The company says that the platform uses next-generation compute architecture and combines data analytics and machine learning to detect attacks on every device, application and operating system. And to do this, the system uses the most reliable source of information – network traffic. Logs only provide low-fidelity summaries of events that have already been seen, not what has been missed. Likewise, endpoint security is easy to compromise during an active intrusion.

The Vectra Networks approach to threat detection blends human expertise with a broad set of data science and machine learning techniques. This model, known as Automated Threat Management, delivers a continuous cycle of threat intelligence and learning based on cutting-edge research, global learning models, and local learning models. With Vectra, all of these different perspectives combine to provide an ongoing, complete and integrated view that reveals complex multistage attacks as they unfold inside your network.

They have an interesting approach of using Supervised and Unsupervised ML models to detect cyber attacks. They have a “Global Learning” element, where supervised ML algorithms are used to build models to detect “generic” and “new known” attack patterns. The “Local Learning” element uses Unsupervised ML algorithms to collect knowledge of local norms in an enterprise, and then to detect deviations from those norms.

Vectra Networks has received funding of about $87M so far, and has seen very good traction in the Enterprise Threat Detection space, where ML models are a lot more effective than using conventional signature/pattern based detections.

3. Darktrace

Founded 2013, UK

Darktrace is inspired by the self-learning intelligence of the human immune system; its Enterprise Immune System technology iteratively learns a pattern of life for every network, device and individual user, correlating this information in order to spot subtle deviations that indicate in-progress threats. The system is powered by machine learning and mathematics developed at the University of Cambridge. Some of the world’s largest corporations rely on Darktrace’s self-learning appliance in sectors including energy and utilities, financial services, telecommunications, healthcare, manufacturing, retail and transportation.

Darktrace has a set of products which use ML and AI in detecting and blocking cyber attacks:

Darktrace (Core) is the Enterprise Immune System’s flagship threat detection and defense capability, based on unsupervised machine learning and probabilistic mathematics. It works by analyzing raw network data, creating unique behavioral models for every user and device, and for the relationships between them.

The Threat Visualizer is Darktrace’s real-time, 3D threat notification interface. As well as displaying threat alerts, the Threat Visualizer provides a graphical overview of the day-to-day activity of your network(s), which is easy to use, and accessible for both security specialists and business executives.

Darktrace ICS retains all of the capabilities of Darktrace in the corporate environment, creating a unique, behavioral understanding of the ‘self’ for each user and device within an industrial control system’s network, and detecting threats that cannot be defined in advance by identifying even subtle shifts in expected behavior in the OT space.

Darktrace Antigena is capable of taking a range of measured, automated actions in the face of confirmed cyber-threats detected in real time by Darktrace. Because Darktrace understands the ‘pattern of life’ of users, devices, and networks, Darktrace Antigena is able to take action in a highly targeted manner, mitigating threats while avoiding over-reactions. It basically performs three steps, once a cyber attack is detected by the Darktrace Core:

  • Stop or slow down activity related to a specific threat
  • Quarantine or semi-quarantine people, systems, or devices
  • Mark specific pieces of content, such as email, for further investigation or tracking

Darktrace has received funding of about $105M so far.

4. StatusToday

Founded 2015, UK

StatusToday was founded by Ankur Modi and Mircea Danila-Dumitrescu. It is a SaaS based AI-powered Insights Platform that understands human behavior in the workplace, helping organizations ensure security, productivity and communication.
Through patent-pending AI that understands human behavior, StatusToday maps out human threats and key behavior patterns internal to the company.

In a nutshell, this product collects all the user activity log data from various IT systems, applications, servers and even everyday cloud services like Google Apps or Dropbox. After collecting this metadata, the tool extracts as many functional parameters as possible and presents them in easily understood report graphs. I think they use one of the Link analysis ML models to plot the relationship between all these user attributes.

The core solution provides direct integrations with Office 365, Exchange, CRMs, Company Servers and G-Suite (upcoming) to enable a seamless no-effort Technology Intelligence Center.

StatusToday has been identified as one of UK’s top 10 AI startups by Business Insider, TechWorld, VentureRadar and other forums, in the EU region.

StatusToday has received funding of about $1.2M so far.

5. Jask

Founded 2015, USA

Jask aims to use AI to solve the age-old problem of the tsunami of logs fed into SIEM tools, which then generate events, alerts and other indicators. Security analysts face this never-ending flood of unknowns every day, and it forces them to spend their valuable time sorting through indicators in the endless hunt for real threats.

At the heart is their product Trident, which is a big data platform for real time and historical analysis over an unlimited amount of stored security telemetry data. Trident collects all this data directly from the network and complements that with the ability to fuse other data sources such as threat intelligence (through STIX and TAXII), providing context into real threats. Once Trident identifies a sequence that indicates an attack, it generates SmartAlerts, which analysts can use to have the full picture of an attack, also allowing them to spend their time on real analysis instead of an endless hunt for the attack story.

They have really interesting blog posts on their site, which are worth a read.

Jask has received funding of about $2M so far.

6. Fortscale

Founded 2012, Israel

Fortscale uses a machine learning system to detect abnormal account behavior indicative of credential compromise or abuse. The company was founded by security engineers from the Israeli Defense Force’s elite security unit. The product’s key ability is to rapidly detect and eliminate insider threats. From rogue employees to hackers with stolen credentials, Fortscale is designed to automatically and dynamically identify anomalous behaviors and prioritize the highest-risk activities within any application, anywhere in the enterprise network.

Behavioral data is automatically ingested from SIEM tools and enriched with contextual data. Multi-dimensional baselines are created autonomously, and statistical analysis reveals any deviations, which are then captured in SMART Alerts. All of this can be viewed and analysed in the Fortscale Console.

Fortscale was named Gartner Cool Vendor (2016) in the UEBA, Fraud Detection and User Authentication category.

More info about the product can be found here.

Fortscale has received funding of about $40 million so far.

7. Neokami

Founded 2014, Germany & USA

Neokami attempts to tackle a very important problem we all face today – keeping track of where all our own and an enterprise’s sensitive information resides. Neokami’s CyberVault uses AI to discover, secure and govern sensitive data in the cloud, on premise, or across physical assets. It can also scan images to detect sensitive information, as it uses highly optimized NLP for text analytics and Convolutional Neural Networks for image data analytics.
In a nutshell, Neokami uses a multi-layer decision pipeline, wherein it takes in data streams or files, and performs pattern matching, text analytics, image recognition, N-gram modelling and topic detection, using ML methods like Random Forest, to learn user-specific sensitivity over time. After this analysis, a % sensitivity score is generated and assigned to the data, which can then be picked up for further analysis and investigation.

Some key use cases Neokami tackles are – isolating PII to meet regulations such as GDPR, HIPAA, etc., discovering a company’s confidential information and intellectual property, scanning images for sensitive information, and protecting information in Hadoop clusters, cloud, endpoints or mainframes.

Neokami was acquired by Relayr in Feb this year, and has received $1.1 million funding so far, from three investors.

8. Cyberlytic

Founded 2013, UK

Cyberlytic call themselves the ‘Intelligent Web application security’ product. Their elevator pitch is they provide advanced web-application security using AI to classify attack data, identify threat characteristics and prioritize high-risk attacks.

The founders have had a stint with the UK Ministry of Defense, where this product was first used and has been in use to support critical cybersecurity research projects in the department.

Cyberlytic analyzes web server traffic in real-time, and determines the sophistication, capability and effectiveness of each attack. This information is translated into a risk score, to prioritize incident response and prevent dangerous web attacks. And the underlying ML models adapt to new and evolving threats without requiring the creation or management of firewall rules. The key to their detection is their patented ML classification approach, which appears to be more effective in detecting web application attacks than the conventional signature/pattern based detection.

Cyberlytic is a combination of two products – the Profiler, and the Defender. The Profiler provides real-time risk assessment of web-based attacks, by connecting to the web server and analyzing web traffic, to determine the capability, sophistication and effectiveness of each attack. And Defender, is deployed on web servers, and acts on the assessment performed by Profiler, by blocking and preventing web-based cyber-attacks from reaching critical web applications or the underlying data layer.

Cyberlytic has also been gaining a lot of attention in the UK and EU region; Real Business, an established publication in the UK, has named Cyberlytic as one of the UK’s 50 most disruptive tech companies in 2017.

Cyberlytic has received funding of about $1.24 million.


9. harvest.ai

Founded 2014, USA

@harvest_ai aims at detecting and stopping data breaches by using AI-based algorithms to learn the business value of critical documents across an organization, and offers what it describes as an industry-first ability to detect and stop data breaches. In a nutshell, it is an AI-powered advanced DLP system with the ability to perform UEBA.

Key features of their product MACIE, includes:

  • Use AI to track intellectual property across an organization’s network, including emails and other content derived from IP.
  • MACIE understands the business value of all data across a network and whether it makes sense for a user to be accessing certain documents, a key indicator of a targeted attack.
  • MACIE can automatically identify risk to the business of data that is being exposed or shared outside the organization and remediate based on policies in near real-time. It not only classifies documents but can identify true IP matches to protect sensitive documents that exist for an organization, whether it be technology, brand marketing campaigns or the latest pharmaceutical drug.
  • MACIE not only detects changes in a single users behavior, but it has the unique ability to detect minor shifts in groups of users, which can indicate an attack.

Their blog has some interesting analysis of some of the recent APT attacks, and how MACIE detected them. Definitely worth a read.

@harvest_ai has received funding of about $2.71 million so far, and interestingly, they were acquired by Amazon in Jan this year, for reportedly $20 million.

10. Deep Instinct

Founded 2014, Israel

Deep Instinct focuses on the endpoint as the pivot point in detecting and blocking cyber attacks, and thus falls under the category of EDR. There is something going on in Israel: for the last few years, many cybersecurity startups (Cybereason, Demisto, Intsights, etc.) have been founded by ex-IDF engineers there, and a good portion of these startups have to do with Endpoint Detection and Response (EDR).

Deep Instinct uses deep learning to detect unknown malware in real time, just by analysing the raw details of the binary picked up by the system. The software runs efficiently on a combination of central processing units (CPUs) and graphics processing units (GPUs), using Nvidia’s CUDA software for running non-graphics software on graphics chips. The GPUs enable the company to do in a day what would take three months for a CPU.

I couldn’t find enough documentation on their website to understand how this deep learning system actually works, but their website has a link to register for an online demo. So it must be definitely worth a try.

They are also gaining a lot of attention in the EDR space, and NVIDIA has selected Deep Instinct as one of the 5 most disruptive AI startups this year.

Deep Instinct has raised $50 million so far, from Blumberg Capital, UST Global, CNTP, and Cerracap.


Machine Learning talks in RSA Con 2017


The RSA Conference is one of the most widely attended security conferences in the world, and the 2017 edition, held in SFO, concluded just about 10 days ago.

There were close to 20 presentations this time, around using Machine Learning (referred to as ML hereon in this post) in detecting/preventing cyber attacks of various kinds. And in this post I share my take and a summary (detailed in some cases) on the Top 10 talks on ML.

Some of these talks, especially research projects, require a detailed discussion and analysis, but I’ve tried to do justice to them by keeping my summary as detailed as possible. I plan to dive deeper into some of these topics, in the future.

Note: I have included a link to the original Talk (presentation or video) wherever I could find them, so do check them out.

1. A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts

Dan Plastina, who heads Threat Protection at Microsoft, gave a talk on striking a balance between using ML in threat detection and in the Incident Management/Orchestration process, using a linked graph and chat bots, in a “SecOPS Console”, to better manage the growing flood of security alerts. What I found interesting in this talk is the mention of a whole gamut of Microsoft products, many of which are familiar to us, like AD, Office and Azure Security Center. But I couldn’t find out whether Dan was also referring to an IR Orchestration tool that Microsoft has built or is in the roadmap. Also, I see that R is being tightly integrated into various Microsoft products.

An interesting talk indeed, and here is the link to the original talk.

2. Advances in Cloud-Scale Machine Learning for Cyber-Defense

Another talk from Microsoft; this one by Mark Russinovich, the CTO for Microsoft Azure. This one was quite a deep dive into how Microsoft uses ML in detecting cyber attacks on the Azure platform. My quick notes below:

  • He started off with some metrics:
    • More than 10,000 location-detected attacks (detected/reflected attacks) – I didn’t understand what exactly he meant here.
    • 1.5 mil compromise attempts deflected
  • Red team and Blue team kill chain – it was interesting to see how each of the blue team’s “responses” is mapped to the red team’s malicious action stages
    • Attack disruption shows execute stage before move stage
  • Their “supervised” learning approach enables detection with minimal FP – this is an interesting claim
  • “Attack disruption” requires us to think of ML beyond detection
  • He also covered properties of successful ML solution – adaptable, explainable, actionable, results in successful detection
  • Framework for a successful detection – honestly this is one of the best and simplest visual representations/explanations of what an ML-based solution should look like. He also talks about two case studies, where IPFIX data is used as a training set, and detecting malware using a combination of rules and ML
  • Then he goes deep into Case study 2 where he talks about the algorithms and compares fingerprint based detection to behaviour based.
  • Triage incidents not alerts – very valid point
  • In a nutshell – attack disruption means to shorten blue team kill chain

The Video to the original talk is available here.

3. Combatting Advanced Cybersecurity Threats with AI and Machine Learning 

This one was by Andrew B. Gardner, Head of Symantec’s ML Program. My notes below:

  • Interesting perspective shared here, but a bit high level.
  • He starts off with comparing AI & ML and how they differ in cyber – interesting point about the use of ML in cybersecurity, rather than AI, for various reasons:
    • complex sequential data
    • not human intuitive (logs)
    • labels are expensive (scarce)
    • closed research models
  • Typical use of ML in cyber today: collect data sets > training algorithms > build a model > updated classifiers > ingested to another “threat detector”
  • Though the advantages of using ML in cybersecurity are good, Andrew poses an interesting argument about the disadvantages of using ML in cybersecurity:
    • dependency on data (quality, completeness), and system
    • adversaries also have access to ML
  • ML at Symantec
    • some interesting approaches shown, about optimizing models – True positive to false positive ratios (ROC) and how to optimize them
    • use of string scoring services – Charlatan

Link to the original talk is here.

4. Automated prevention of ransomware with Machine learning and GPOs

This talk was by Rod Soto (Security Researcher at Splunk) and Joseph Zadeh (Security Data Scientist at Splunk). My notes below:

  • Rod and Joseph started with some key aspects of detecting ransomware in the “new age” – behavioural modeling, unsupervised ML, anomaly detection and leveraging big data
  • Use of the Aktaion tool kit for building the detection system
    • Take PCAPs of known (labeled) exploits and known (labeled) benign behavior and convert them to Bro format
    • Convert each Bro log to a sequence of micro behaviors (machine learning input)
    • Compare the sequence of micro behaviors to a set of known benign/malicious samples using a Random Forest Classifier
    • Derive a list of indicators from any log predicted as malicious
    • Pass the list of IOCs (JSON) to a GPO generation script
  • Key is to focus on delivery of exploit (in addition to using system specific and call back specific behaviours) – following key steps were covered:
    • training a model (Random forest algorithm used in this case), to detect exploit delivery, using known malicious indicators
    • tuning the hyper parameters – risk factor, age, session time, entropy, etc.
    • model classifier built with 6 trees
    • the model will start generating output that separates signal from noise (they use the Splunk MLTK in this case)
    • link it to GPO scripts to automate the response procedures via PowerShell (active defense)
  • Training set and test data used in the demo include datasets from Contagio, DeepEnd Research, Ransomware samples with some call back and file system level indicators, labelled benign http user traffic (anonymized bluecoat logs)
  • The talk then ends with a PoC demo of this whole workflow
  • Summary: ML + GPO = Active Defense

Link to the original talk here.
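
The workflow in these notes, sketched end to end as an added example; it is not Aktaion's code or anything shown in the talk. The session tuples, the three micro-behaviour features, the IOC fields and all `.example` hosts are constructed assumptions, and six one-split trees on fixed leave-one-out subsamples stand in for the Random Forest so that the run is reproducible.

```python
import json
import math
from collections import Counter

# Constructed sample data (not from the talk). One session per log, in a
# Bro http.log-like shape: (ts, host, uri, response MIME type).
H, X, F = "text/html", "application/x-dosexec", "application/x-shockwave-flash"
EXEC_MIMES = {X, F}
TRAIN = [  # (label, session): 1 = labelled exploit delivery, 0 = labelled benign
    (0, [(0, "intranet.example", "/index.html", H),
         (40, "intranet.example", "/css/site.css", "text/css")]),
    (0, [(0, "news.example", "/world/today", H),
         (9, "cdn.example", "/img/logo.png", "image/png")]),
    (0, [(0, "mail.example", "/inbox?page=2", H)]),
    (1, [(0, "blog.example", "/post/42", H),
         (1, "gate.example", "/r.php?id=9f3a", H),
         (2, "land.example", "/x7Gq2LpZ9vB4kTn8RmW3yH6cJ5dF1sA0", F)]),
    (1, [(0, "shop.example", "/sale", H),
         (1, "tds.example", "/go", H),
         (2, "kit.example", "/Qz8Wn3Xc6Vb1Mk9Lj4Hg7Fd2Sa5Pt0Ye", F),
         (3, "drop.example", "/p.bin", X)]),
    (1, [(0, "forum.example", "/t/77", H),
         (1, "hop.example", "/k3Jd9Pq1Zx7Lm5Vb2Nc8Ht4Rw6Yg0Fs.swf", F),
         (3, "pay.example", "/a.exe", X)]),
]
UNLABELED = {
    "client-a": [(0, "recipes.example", "/pie", H),
                 (1, "swap.example", "/in.php?c=7", H),
                 (2, "nest.example", "/Tb4Xk9Qm2Zr7Lc5Vw1Hn8Jd3Gs6Py0Fa", F)],
    "client-b": [(0, "vendor.example", "/updates/setup.exe", X)],  # software update
}

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def micro_behaviors(session):
    """Turn one session log into a fixed-length feature vector (assumed features)."""
    return [
        len({host for _, host, _, _ in session}),              # hosts in the chain
        max(entropy(uri) for _, _, uri, _ in session),         # most random-looking URI
        sum(mime in EXEC_MIMES for _, _, _, mime in session),  # executable/Flash responses
    ]

def gini(labels):
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)

def train_stump(rows, feature):
    """One-split tree: choose the threshold on `feature` with the lowest weighted Gini."""
    majority = round(sum(y for _, y in rows) / len(rows))
    best = (1.0, math.inf, majority, majority)  # fallback when the feature is constant
    values = sorted({x[feature] for x, _ in rows})
    for lo, hi in zip(values, values[1:]):
        thr = (lo + hi) / 2
        left = [y for x, y in rows if x[feature] <= thr]
        right = [y for x, y in rows if x[feature] > thr]
        if not left or not right:
            continue
        impurity = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
        if impurity < best[0]:
            best = (impurity, thr, round(sum(left) / len(left)), round(sum(right) / len(right)))
    return (feature,) + best[1:]

def train_forest(train, n_trees=6):
    """Six stumps; tree k uses feature k mod 3 and leaves training row k out.
    Fixed subsamples replace the random bootstrap of a real Random Forest."""
    rows = [(micro_behaviors(session), label) for label, session in train]
    forest = []
    for k in range(n_trees):
        skip = k % len(rows)
        forest.append(train_stump(rows[:skip] + rows[skip + 1:], k % len(rows[0][0])))
    return forest

def votes(forest, session):
    """Number of trees that call the session malicious."""
    x = micro_behaviors(session)
    return sum(left if x[f] <= thr else right for f, thr, left, right in forest)

def derive_iocs(session):
    """Indicators from a flagged session; every host is listed, so review before blocking."""
    return {
        "domains": sorted({host for _, host, _, _ in session}),
        "payload_uris": sorted(uri for _, _, uri, mime in session if mime in EXEC_MIMES),
    }

def iocs_json(forest, sessions):
    """JSON document for a downstream GPO-generation script (format is an assumption)."""
    flagged = {client: derive_iocs(s) for client, s in sessions.items()
               if votes(forest, s) > len(forest) / 2}
    return json.dumps(flagged, indent=2, sort_keys=True)

if __name__ == "__main__":
    forest = train_forest(TRAIN)
    for client, session in UNLABELED.items():
        print(client, votes(forest, session), "of", len(forest), "trees vote malicious")
    print(iocs_json(forest, UNLABELED))
```

The software-update session trips only the executable-response trees, so the ensemble leaves it unflagged while the redirect-chain session is flagged unanimously.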

5. Big Metadata: Machine Learning on Encrypted Communications

This one was by Jennifer Fernick and Mark Crowley, Security Researchers from University of Waterloo. My notes below:

  • This is derived from a research project, and was a very interesting session where not just the application of ML in cybersecurity was discussed, but also the inverse – security in the computational functions of ML
  • In this talk Jennifer and Mark talk about
    • ML research in cyber security – applying ML to problems in cybersecurity
      • using ML in cyber security
      • cybersecurity for ML – adversarial ML – study of ML systems in adversarial environments, where an attacker might train the system in hopes of modifying its behaviour to allow for an attack
      • a mid way – secure ways of computing ML functions
    • Candidate problems depend on information sources
    • Metadata – how can we use metadata for building the training set, while keeping privacy concerns intact?
    • ML 101 – a crash course
    • Their work in the field, and
    • Future direction
  • In the “security for ML” topic, there were some very interesting concepts presented – secure multi-party computation, privacy preserving data mining, homomorphic encryption, differential privacy. All these are deep mathematical and computational fields in themselves and definitely require intensive reading. And so I am going to stop at that!
  • In the “ML in cybersecurity” topic, some fundamental questions were called out – what problem am I trying to solve
    • securing my learning data?
    • learning my security data?
  • On “ML 101” topic, they give an excellent crash course on ML and how to use it in cybersecurity
    • use of clustering (unsupervised learning) and classification (supervised learning)
    • system design and algorithm choices
  • Their work in ML – use of ML on encrypted data – analysing private and public communication networks to detect anomalies
  • I have to confess I found this talk to be the most difficult to thoroughly grasp, as the talk was research oriented and definitely calls for an in depth reading on each of the sub-topics covered. A great presentation indeed!

Link to the original talk here.

6. Applied Cognitive Security: Complementing the Security Analyst

This one was by Vijay Dheap, Program Director, Cognitive Security at IBM.

  • This talk was primarily about IBM’s Cognitive Security product built on Watson and their QRadar Security Intelligence platform, and how it can help a Security Analyst better detect, analyse and respond faster to security incidents.
  • The presentation was high level and didn’t get into the details of how Cognitive Security with IBM Watson actually works: for example, what algorithms are used, what the typical hyper parameters are, and how they are used in conjunction with contextual feeds (vulnerability, asset, identity, behaviour) to detect security incidents more effectively.
  • The presentation did cover one case study with a Botnet use case, but didn’t reveal much information on the inner workings (at least some indication) of how ML and Watson’s AI detected this incident.
  • A good “high level” talk over all.

Link to the original talk here.

7. Dealing with Millions of Anomalies

This one was by Chris Larsen, Threat Researcher with Symantec

  • The talk was about detecting malicious traffic, by using ML (anomaly detection), and TI data
  • His first approach to handling the issue of picking “interesting anomalies” out of millions of anomalies is to pick “One Hit Wonders” and “One Day Wonders”, and then investigate them further by using various attributes (IP address licenses, ports used, are they DGA, etc.)
  • Once these “interesting anomalies” are filtered out, run them against good TI, to pick the most probable malicious traffic.
  • Summary: good TI is the key, and a good place to start is TI that has malware/attack “families” context and industry/vertical/geo context.
  • Definitely an interesting talk with real world examples like using IOC data for Angler and Magnitude exploit kits, to filter out “most probable” malicious traffic, and then drilling further down from there.

There is a video of Chris’s talk available here. Definitely worth watching.
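
The triage described in these notes, as an added example rather than Chris Larsen's own tooling. It assumes a “One Hit Wonder” is a destination requested exactly once in the window and a “One Day Wonder” is one requested more than once but on a single day only; the log lines, hosts and threat-intel entries are constructed.

```python
from collections import defaultdict

# Constructed proxy-log sample: "date client destination-host" (not real traffic).
PROXY_LOG = """\
2017-02-13 10.0.0.5 intranet.example
2017-02-13 10.0.0.6 intranet.example
2017-02-13 10.0.0.5 news.example
2017-02-13 10.0.0.5 promo-mailer.example
2017-02-13 10.0.0.6 promo-mailer.example
2017-02-13 10.0.0.7 promo-mailer.example
2017-02-14 10.0.0.5 intranet.example
2017-02-14 10.0.0.6 news.example
2017-02-14 10.0.0.7 kq7x2vd.example
2017-02-14 10.0.0.6 printer-driver.example
2017-02-15 10.0.0.5 intranet.example
2017-02-15 10.0.0.8 zz91bmw.example
2017-02-15 10.0.0.8 zz91bmw.example
"""

# Constructed threat-intel feed that carries malware-family context.
THREAT_INTEL = {
    "kq7x2vd.example": "Angler exploit kit",
    "zz91bmw.example": "Magnitude exploit kit",
    "old-c2.example": "constructed family, never seen in this log",
}


def parse(log_text):
    """Split each non-empty line into a (day, client, host) tuple."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]


def find_wonders(events):
    """Keep only destinations that are one-hit or one-day wonders."""
    hits, days, clients = defaultdict(int), defaultdict(set), defaultdict(set)
    for day, client, host in events:
        hits[host] += 1
        days[host].add(day)
        clients[host].add(client)
    wonders = {}
    for host in hits:
        if hits[host] == 1:
            kind = "one-hit"
        elif len(days[host]) == 1:
            kind = "one-day"
        else:
            continue  # seen repeatedly across days: not an interesting anomaly here
        wonders[host] = {"kind": kind, "hits": hits[host],
                         "day": min(days[host]), "clients": sorted(clients[host])}
    return wonders


def triage(events, intel):
    """Return (wonders confirmed by TI with family context, wonders left to review)."""
    wonders = find_wonders(events)
    matched = [dict(host=host, family=intel[host], **info)
               for host, info in sorted(wonders.items()) if host in intel]
    unmatched = sorted(host for host in wonders if host not in intel)
    return matched, unmatched


if __name__ == "__main__":
    confirmed, review = triage(parse(PROXY_LOG), THREAT_INTEL)
    for item in confirmed:
        print(item)
    print("still to review:", review)
```

Thirteen log lines shrink to four wonders, and the TI match promotes two of them, each already tagged with a family and the clients to investigate.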

8. Machine Learning: Cybersecurity Boon or Boondoggle

This one was by Dr. Zulfikar Ramzan, CTO of RSA.

  • The talk starts at an elementary level, covering the fundamentals of ML and its use in Cyber security.
  • But towards the end, Zulfikar covered some very interesting facts/tips/best practices while using ML in cyber security. For ex.:
    • The importance of ROC (Receiver Operating Characteristic Curve) while making a trade-off between True positive and false positive classifications.
    • ML (in this case unsupervised) is only helpful in detecting bad “actions”, and not bad “intent”, and thus results in calling out a lot of legitimate “unusual actions” as “bad/malicious”.

Link to the original talk here.

9. Applied Machine Learning: Defeating Modern Malicious Documents

This one was by Evan Gaustad, Sr. Manager, CSIRT – Target.

  • The talk basically starts with typical vulnerabilities exploited in Microsoft Office (Macros), and some examples of the attack lifecycle using malicious documents themselves
  • Evan then gets into the details of the project he has been working on, where he used supervised ML (classification) to detect malicious documents. There is a video recording of his talk here, and I strongly recommend it. He covers a lot of details of how the model and its classifier actually works, with examples.

There is a video of Evan’s talk available here. It’s a must watch.

10. An Introduction to Graph Theory for Security People Who Can’t Math Good

This one was by Andrew Hay, CISO, Data Gravity.

  • Though this talk didn’t actually cover how ML is used in detecting/preventing cyber attacks, it was a great crash course on graph theory (for the non-mathematicians amongst us), and how it can be extremely useful in visualising an attack lifecycle
  • Application of Graphs in security context
    • incident response – use of Google’s Fusion tables to visually represent the communication/interactions between user and entity in a security incident
    • actor tracking – detecting the source of a phishing campaign – using the IOCs available, use Maltego (CE)
  • What was interesting in this talk was – it is so easy to build a visual representation of the interaction. However, it can get way too complicated to interpret, due to a bad choice of dataset and the “vertices” (nodes) and “edges” (connections) in it.

The link to the original talk is available here.


Thanks for reading through my point of view on RSA Con USA 2017. I hope I was able to provide a byte-sized (mega!) summary of some of the most interesting talks in this conference this year.


On Apple’s Bug bounty program


The Head of Security Engineering and Architecture at Apple, Ivan Krstić, announced to Black Hat attendees last week, that Apple will begin offering cash bounties of up to $200,000 to researchers who discover vulnerabilities in its products.

Krstić’s talk at Black Hat was definitely interesting and covered a good breadth of the technical measures that Apple has been taking in making iOS secure, from the ground up. The presentation also included a level of technical detail and disclosure of security (here, related to AutoUnlock, HomeKit, and iCloud Keychain) that has been mostly absent in the past at conferences, according to those present.

Apple being so open and forthcoming about their security architecture is somewhat unusual, but definitely welcome.

Now, about the bounty program itself: it will initially be limited to about two dozen researchers whom Apple will invite to help discover difficult-to-uncover security bugs in five specific categories:

[Image: the five bounty categories]

Each of these aspects represents a key threat vector for attacks by governments and criminals alike. While iOS has never had exploits spread significantly in the wild, jailbreaking the software has made use of various methods of running arbitrary code in iOS. In another Black Hat presentation, the makers of the Pangu jailbreak for iOS 9 (fixed in 9.2) described how they achieved that kind of code execution.

Until now, there’s been no known extraction of data from Secure Enclave, the dedicated hardware in iOS devices with an A7 or newer processor that acts as a one-way valve to store fingerprint characteristics and certain data associated with Apple Pay. It is also used to prevent downgrading iOS to exploit a bug in a previous release. iCloud, which has sometimes been in the media for the wrong reasons, has had some accounts compromised in the past through certain weak password entry endpoints and social engineering of celebrity accounts, but there has been no reported breach of the iCloud servers themselves.

Going by these clearly laid out vulnerability categories and qualification parameters, I see that Apple’s program sets clear objectives: find exploitable bugs in key areas. It makes complete sense, because proving exploitability with a repeatable proof of concept takes a lot more effort than merely finding a vulnerability. If the bug is found to have significant impact on security, then Apple will pay the researchers a fair value for their work. By doing this, Apple aims to learn how to improve a bug bounty program over a period of time, and derive maximum value out of it.

The end result is high-quality vulnerabilities (and their respective exploits), discovered by researchers and developers who Apple believes have the skills and the right intentions to help advance product security. Bounty fees at other companies start at $100 to $500 and are capped at anywhere from $20,000 at Google to $100,000 at Microsoft, clearly indicating a focus on quantity, unlike Apple’s focus on quality: difficult-to-discover, exploitable and reproducible vulnerabilities.

Many major tech companies, like Google, Facebook, Microsoft, Adobe, and SAP, have been running bounty programs for years. But there is a reason for Apple not getting into the bounty business until now, even if security has always been a priority for them and iOS is way more secure, from the ground up, than other competing mobile OS platforms today. That reason is primarily to ward off governments and underground hackers who merely want to make money, by not being in a position to negotiate with them. The disclosure by the United States government last week that an unknown third party had approached it, and not Apple, to help open a controversial iPhone only highlights how the giant company approaches bug-hunting efforts and security differently from the rest of the tech industry.

Asked by the audience at Black Hat why Apple waited so long to launch a bounty program, Krstić said the company has heard from researchers that finding critical vulnerabilities is increasingly difficult, and it wanted to reward those who take the time to do it.

I have been following Apple closely since 2009, when I bought my first Apple product – an iPhone 4 (the last phone Steve Jobs personally launched). Being a Security Consultant myself, I have always wondered how Apple builds their software to be far more secure than other operating system platforms. This has been true from the very beginning of the Mac (built on a strong Unix base), and so I have always tried to understand iOS and Mac security a bit deeper, but Apple has always been secretive about sharing information, just the way they are about their product strategy and roadmap. So this new development with the bounty program, and the person in overall charge of product security at Apple making a presentation at Black Hat, is very exciting to me.

I am looking forward to understanding how Operating System security is best handled, from a company that makes the best software and hardware in the world today.


  1. Krstić’s presentation at Black Hat is available here
  2. The video of the talk has been published recently on YouTube



Need a security expert? You got to hire a coder!

As security (cyber) becomes more and more important to businesses, governments, and also to our personal lives, the need for good security engineers and researchers is increasing at a rapid pace.

This is true whether one is working in an entry-level position or is already a senior researcher.

It is often said in the security industry that “It is easier to teach a developer about security than it is to teach a security researcher about development (coding).”

Information security professionals are used to seeing, experiencing and talking about failures in the industry. This usually leads them to assume that badly written (vulnerable) code is always the product of unskilled developers. If these professionals have never been exposed to software development, even at a small scale, then they do not have a fair understanding of the complex challenges that developers face in secure code development. And I think that a security professional cannot be effective in designing detective and preventive security controls (tools, architectures, processes) if he or she doesn’t appreciate these challenges.

Let me illustrate that with an example: “code injection” attacks against NoSQL databases versus SQL databases. Simply put, SQL and NoSQL databases both collect, organize and accept queries for information, and so both are exposed to malicious code injections. So, when NoSQL databases became popular, people were quick to predict that NoSQL injection would become as common as SQL injection. Though that is theoretically true, developers know that it’s not that simple.

If you take some time to understand NoSQL databases, you will quickly realize that there is a wide variety of query formats, from SQL-like queries (Cassandra), to JSON-based queries (MongoDB, DynamoDB), to assembly-like queries (Redis). So security recommendations and tools for a NoSQL environment have to be targeted to the individual server that is underneath. Also, your security testing tools must carry injection attacks that are in the format of that specific database. One cannot blindly recommend controls or preventive measures without understanding that the vulnerabilities are not present on all platforms. Encoding recommendations for data will be specific to the database type as well. This OWASP article explains how one can test for NoSQL injection vulnerabilities.

This is all knowledge that one can gain by digging deep into a subject and experimenting with technologies at a developer level. And so people with development backgrounds can also, oftentimes, give better technical advice.
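To make the format point concrete, here is an added example (not from the original post) of a JSON-based, MongoDB-style login filter in its vulnerable and hardened forms. The `matches` helper is a constructed in-memory stand-in for filter evaluation that supports only `$ne` and `$gt`, and the user records and request bodies are made up for the demonstration.

```javascript
// Constructed sample data; stands in for a MongoDB "users" collection.
const USERS = [{ user: "alice", pass: "s3cret" }, { user: "bob", pass: "hunter2" }];

// Minimal matcher for the subset of MongoDB filter syntax used here:
// a plain value means equality, an object may carry $ne / $gt operators.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === "$ne") return doc[field] !== arg;
        if (op === "$gt") return doc[field] > arg;
        throw new Error("unsupported operator " + op);
      });
    }
    return doc[field] === cond;
  });
}
const findOne = (filter) => USERS.find((d) => matches(d, filter)) || null;

// Vulnerable: fields from the parsed JSON body go straight into the filter,
// so a client-supplied object is interpreted as a query operator.
function loginVulnerable(body) {
  return findOne({ user: body.user, pass: body.pass });
}

// Hardened: only primitive strings are accepted, so the filter can only
// express equality. SQL-style quote escaping would not have helped here.
function loginHardened(body) {
  if (typeof body.user !== "string" || typeof body.pass !== "string") {
    throw new TypeError("user and pass must be strings");
  }
  return findOne({ user: body.user, pass: body.pass });
}

// Constructed request bodies: a normal login, an operator injection in the
// database's own JSON format, and a classic SQL-style string.
const honest = JSON.parse('{"user":"alice","pass":"s3cret"}');
const injected = JSON.parse('{"user":"alice","pass":{"$ne":""}}');
const sqlStyle = { user: "alice", pass: "' OR '1'='1" };
```

The SQL-style string is inert against the JSON filter, while the operator object bypasses the password check, which is why both the test payloads and the fix (type checking rather than quote encoding) have to match the database underneath.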

If one looks at the people leading security programs or initiatives at companies like Apple, Facebook, Google, and other large successful tech companies, many of them are respected because they are also keeping their hands on the keyboards and are speaking from direct knowledge. They not only provide advice and research but also tools and techniques to empower others in the same industry.

So to summarise, I would like to say that whether one is a newly graduated engineer or a senior security professional or a security researcher, one should never lose sight of the code, as that is where it all begins!




Verizon’s acquisition of Yahoo

TechCrunch just reported that Verizon has acquired Yahoo for $4.83 billion. 

This definitely is a shocker and I am sure many would agree with me. Not many of us were expecting Marissa Mayer to call it a day by dropping the ball so soon.

One of the most important companies of the first dot-com boom, Yahoo, has reached the end of its life as an independent company. This deal represents a stunning decline for a company that was valued at more than $100 billion at its peak in 2000.

Marissa’s roots as an engineer at Google definitely helped in improving the brand value with software programmers and technology users alike, and she did make an effort to beef up Yahoo’s technical talent. She instituted a rigorous recruitment process, and the company worked hard at hiring computer scientists from some of the best universities. But there is little sign that these moves changed the culture at Yahoo or improved morale among the programmers working there. They always saw and projected themselves as a “media company” and not a “technology company”. I am not sure if it played out well for them, as its attempt to be a tech company and a media company at the same time resulted in an organisation that was less than the sum of its parts.

I strongly believe that one reason why Verizon was a strong contender was that they have done this before; Verizon acquired another struggling Internet company last year. Like AOL, Yahoo makes a lot of money by creating Internet content and selling ads against it. So from Verizon’s perspective, this definitely looks like a logical step.

With respect to Mayer’s future at Yahoo, I am sure she is pursuing opportunities outside, as the statement that Yahoo released about this deal, “Yahoo will be integrated with AOL under Marni Walden, EVP and President of the Product Innovation and New Businesses organisation at Verizon”, makes it evident that Marissa Mayer’s future lies outside of Yahoo. 

I wish her all the best, and am sure she will build something very interesting soon in the tech business.


Cyber weapons and Nuclear weapons

A good essay pointing out the weird similarities between cyber weapons and nuclear weapons. 

On the surface, the analogy is compelling. Like nuclear weapons, the most powerful cyberweapons — malware capable of permanently damaging critical infrastructure and other key assets of society — are potentially catastrophically destructive, have short delivery times across vast distances, and are nearly impossible to defend against. Moreover, only the most technically competent of states appear capable of wielding cyberweapons to strategic effect right now, creating the temporary illusion of an exclusive cyber club. To some leaders who matured during the nuclear age, these tempting similarities and the pressing nature of the strategic cyberthreat provide firm justification to use nuclear deterrence strategies in cyberspace. Indeed, Cold War-style cyberdeterrence is one of the foundational cornerstones of the 2015 U.S. Department of Defense Cyber Strategy.

However, dive a little deeper and the analogy becomes decidedly less convincing. At the present time, strategic cyberweapons simply do not share the three main deterrent characteristics of nuclear weapons: the sheer destructiveness of a single weapon, the assuredness of that destruction, and a broad debate over the use of such weapons.

Questions to ask before you get your first Threat Intel data source

Anton Chuvakin (one of the leading Gartner experts in the Threat Detection space) had a recent blog post on some of the key questions one must ask while identifying the first threat Intel data source. 

Here is the list:

  • What is my primary motivation for getting TI, such as better threat detection, improved alert triage or IR support?
  • Where do I get my first threat intel source [likely, a network indicator feed, IP/DNS/URL]?
  • How do I pick the best one(s) for me?
  • Where do I put it, into what tool?
  • How do I actually make sure it will be useful in that tool?
  • What has to happen with the intelligence data in that tool, what correlation and analysis?
  • What specifically do I match TI against, which logs, traffic, alerts?
  • What do you have to do with the results of such matching? Who will see them? How fast?
  • How do I assure that the results of matching are legitimate and useful?
  • What do I do with false or non-actionable matches?
  • How do I use intel to validate alerts produced by other tools?
  • Do I match TI to only current data or also to past log/traffic data? How far in the past do I go?

The post is worth a read, as he has linked his earlier posts on this topic in this blog post. Do note that the white papers he has linked require GTP access.