Increase web application security without causing any user disruption
In this podcast recorded at RSA Conference 2020, Jason A. Hollander, CEO, and Paul B. Storm, President at Cymatic, talk about how their platform builds a defensible barrier around the user, so web-based threats can be stopped at the source.
Here’s a transcript of the podcast for your convenience.
Welcome to the Help Net Security podcast. In this edition, I’m joined by the guys from Cymatic. Can you please introduce yourselves?
Paul: My name is Paul Storm. Good morning or good afternoon, wherever you are.

Jason: And my name is Jason Hollander, and we’re both the co-founders of Cymatic.
Can you tell me what is Cymatic’s approach to web security and what differentiates you in the marketplace?
Paul: Sure. I guess I could take it Paul. We built a web application defense platform that’s able to identify, basically calculate risk, and also really understand users from inside of the web application. Think of it as almost like a client-side WAF.
Jason: When you think about web application defense, it includes a lot of different silos of technology. And one of the things that we want to do is build a technology that brings the silos together. That way they can leverage each other to make smarter decisions. And we’re able to bring that as close to the user as possible.
If you think about web application threats and breaches, you want to catch it left of boom. A lot of the technology today is either at boom or right of boom because it’s in the network. We push it straight out to the user. It’s invisible. We surround the browser or the mobile device, and therefore we’re able to eliminate a lot of the threats, to see the threats that a lot of technology cannot, because they create silos.
In-browser automation detection
Your website mentions next-generation pre-endpoint protection. Can you tell our listeners exactly how it works?
Paul: I’ll preface this by saying we are a young startup and messaging is something we’re still working on. For the world of startups out there, it’s an iterative process.
How does it work? There is a line of JavaScript that gets embedded into an implementer’s header tag. We don’t mind if it’s an internal site, an external site, internal users, contractors or consumers landing on that site. Once an entity lands on the site, they don’t need to authenticate, they don’t need to be registered users, and they don’t need to be logging in from a controlled device.
We open up a socket from that browser session, back to our Cymatic cloud. Then everything’s streamed on a real-time socket. One of our micro services will pick up on the feed or speed and only grab the elements that it needs to provide visibility, control or identify risk.
Jason: One of the things we did, Paul mentioned it, it’s got this real-time socket connection back to our cloud, which does all the AI and ML part of our product. A lot of technology is stateless. Once they do their job, they fall off. We’re stateful, we see it the moment someone lands on a web application, to the moment that they end their session – we’ve got complete visibility and complete control over that.
Identity assurance
If we take a look at the current cybersecurity trends in the industry, we see account takeover attacks have been rising steadily in the last year. So, how does your company help organizations with this type of attack?
Paul: When we first created this, ATO was the first thing that we were trying to attack, probably the wrong choice of words, but to stop. We are basically looking at users based upon user behaviors. When you do that and you’re looking at not just a single vector, it’s really able to identify not just ATO risks, which is a definite problem, but all the other issues that come with an externally facing property. It’s a lot more holistic than just going after ATO. We’re identifying bots, IP risk, session-based threats. It’s not just looking specifically at ATO.
Jason: I’d say with ATO, a lot of technology just looks at “I want to stop ATO by blocking automation”. You have a lot of bot mitigation products that do that. You could stop ATO by having a multifactor. There’s a lot of ways to try to prevent it. But again, our approach is taking these silos, that are blind, to really understanding if that bot is a real risk and combining that with the verification of the user, combining that with identification of their interactions to other users, environmental things, credential hygiene that the user might have.
Let’s try to be preemptive to stopping attacks. If you think about an ATO, typically it’s from a credential breach. But what if those credentials have been breached but they haven’t been exposed publicly yet? Now how do you determine that? How do you determine if someone has poor credential hygiene?
The credentials might not have been breached, a company might not have been breached, but they are a risk to the organization because they possibly share credentials with other people. Or maybe they leverage those credentials, their corporate credentials, which should be a lot more secure and controlled, on social networks. Our technology, because of where we sit and the visibility we have, we’re able to triangulate that. And that provides better visibility and an indication of possible breach to an organization, than a lot of the technologies that, again, are after boom.
Compliance-driven reports and analytics
Your platform provides compliance, written reports and analytics. Can you tell us more about it?
Paul: All these bits of information are being streamlined. We could either visualize that through our own dashboards or you can basically tie it into a SIEM or SOC. With all of this data, we’re able to look at things from an actual compliance side of things, especially on devices that aren’t managed.
Jason: For us, the product has always started with visibility, because what you can’t see, you can’t control or manage. It’s hard to just turn on switches and turn knobs, and those types of things. One of the things that we do right out of the box, and because it deploys so easily, like Google Analytics, it’s just a line of JavaScript. Basically, within seconds we light up where those visibility gaps are. That’s one of those reports that security practitioners, or board members, the stakeholders around that organization’s security posture can look at and say: “All right, this tool has been running. Where do we have these gaps in our current technology set?”
And once they recognize that, then Cymatic can start remediating that on the fly. So, we do a lot of auto remediation. We don’t have a lot of roles because once you start flipping switches, turning knobs, and you don’t really understand how the product is making decisions, it actually increases your risk. We try to take all that decision making out of the organization, put it into the product, let the product remediate. And then over time you see these gaps start settling and going away.
Also, out of that come these reports that provide organizations insight into their probability of being breached. Because today, if you ask CISOs or anyone in security: “Do you really understand the probability that your organization could be breached?” The typical answer is no, they just don’t, with the current toolset. At Cymatic, we can print out this report and they can say: “Okay, I feel not that they’re not going to get breached, but I feel a lot more confident in our ability to defend against any attack that we might have.”
To find out more information, please visit our website at cymatic.io, and you can always contact us. There’s information on there too if you want to learn more about Cymatic or see a demo and how it can help your organization.