Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:00 AM
Connect Directly

Axonius' 'Unsexy' Tool Wins RSAC Innovation Sandbox

Judges award top honor to new company solving an old, unsolved problem: asset discovery and management.

RSA CONFERENCE 2019 – San Francisco – Axonius, a company solving the "unsexy" topic of asset discovery and management, was awarded top honors at the RSAC Innovation Sandbox Contest here Monday, beating out solutions for edgier problems including firmware vulnerabilities and API attacks.

Axonius narrowly beat out second-place honoree Duality, an end-to-end homomorphic encryption solution that enables collaborative data analysis in low-trust situations. 

The Innovation Sandbox recognizes emerging security companies with creative, marketable solutions to big challenges. The 10 finalists chosen this year also covered identity management, cloud security ops automation, API security, and more.

"We fought long and hard to get to the top 10 this year," said Niloofar Howe, tech investor, entrepreneur, and one of the Sandbox judges. "It really was hard, but I think it is an incredible group."

After all finalists made three-minute pitches and endured interrogation by a panel of judges, Axonius rose to the top (despite the fact its CMO, Nathan Burke, had to fill in for its CEO, Dean Sysmun, whose flight to San Francisco was delayed).

Companies were judged on the problem they were trying to solve, the originality and soundness of their intellectual property, their go-to-market strategy, their team, the impact the solution was likely to have, and how well the product had already been validated by the market. The judges were Howe; Patrick Heim, operating partner and CISO of ClearSky; Richard Seiersen, CISO, author, and adviser; Asheem Chandna, partner at Greylock Partners; and Shlomo Kramer, CEO of Cato Networks and founder of multiple security firms.  

The judges praised runner-up Duality for the way it enabled collaborative data analytics projects in cases where widescale trust among the parties was impossible to achieve. Speaking from his own experience as a CISO in both financial services and healthcare, Seirsen said that "in both cases, to be able to have privacy-protected analysis is really the holy grail." Pharmaceutical companies, hospitals, and insurance companies, for example, might be able to gain insights from one another’s data, but it could not be shared without addressing privacy concerns.

Judges praised Axonius for solving a fundamental, widespread, long-standing problem that for some reason has not been solved.

"I’ve lived the pain of never having a straight answer around assets," said Heim, who has been CISO for companies with over 200,000 users said. "We never know how many servers there are, virtual machines, endpoint devices. ...

"Before we worry about solving problems – you know, ninjas chasing us with APTs and zero-days, basically – there are some basic things you need to solve first," Heim said. "Axonius really resonated very, very strongly with me because finally I can put a checkbox into one of these problems that's been around for 20, 30 years, and basically say, 'This has potential for solving it, and it leverages my existing security infrastructure investments by pooling it all together, versus having to deploy more agents."

In an interview with Dark Reading, Axonius' Burke said, "The last thing we want to say is, 'You have yet another dashboard, another solution you've got to manage.'" Therefore, Axonius integrates with other security products, so the asset management information it gathers could be used by another company's orchestration product, for example. 

If Axonius can "kill one of these really old problems," it frees up companies' security resources for other responsibilities, Burke said. "You could really use people better and not spend your time on boring stuff," he said, and thanked the judges "for taking an unsexy thing and making it a winner."

The other eight Innovation Sandbox finalists were:

• Wirewheel: A cloud-based data privacy and protection platform that can "translate your technical stack into something your privacy program can use." Wirewheel is trying to tackle the data privacy problem at scale by partnering with infrastructure-as-a-service providers like AWS.

• ShiftLleft: A continuous application security platform that both finds vulnerabilities so you can fix them and protects the application against the vulnerabilities you decide not to fix. It uses a combination of static code analysis (code property graphs) and application instrumentation.

• Salt Security: Discovers API vulnerabilities and attacks. Salt uses an AI-based behavioral protection model that learns how an organization's APIs work and can therefore – without much customer configuration – determine what's normal, what's abnormal, and what's malicious.

• Eclypsium: Firmware security company that detects firmware vulnerabilities and compromises (like Meltdown and Spectre) and protects devices from tampering throughout the OEM supply chain. 

• {disruptOps}: Automates security operations for the cloud. Helps cloud users set and reach security benchmarks quickly (like finding and deactivating stale identity access keys).

• CloudKnox: Manages identity privileges across hybrid cloud and multiplatform cloud environments. Uses a "privilege creep index" and a "Just Enough Privileges controller" to ensure that identities have only the privileges they need, when they need them. Head of product Balaji Parimi told judges that CloudKnox might replace whatever product an organization is currently using to mitigate insider threats. 

• Capsule8: Provides security for production Linux systems without taking a toll on operations. API-first, fully extensible, operating outside the Linux kernel, Capsule8 stops attacks like kernel exploits and container escapes in real time, without the performance impacts.   

• Arkose Labs: Low-friction fraud and abuse prevention tool, backed by PayPal, that helps prevent attacks like account takeover and carding.




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...