This post was originally published on this site.
Cybersecurity has one of the biggest and most urgent talent shortages in the tech industry. Malicious attacks are on the rise, and the techniques being used to worm into networks are growing ever more sophisticated. Yet, the World Economic Forum recently found that there are 4 million cybersecurity positions unfilled globally, and it expects that number to balloon to 85 million in the next five years.
Itai Tevet was all too aware of what those shortcomings look like in the real world. In charge of the Cyber Incident Response Team (CERT) in Israel’s IDF, Tevet found that even an organization like the IDF — famous for its cybersecurity work — did not have enough people to triage the many alerts generated by its sophisticated monitoring tools. How were they to know if one alert represented a major breach, while another was a minor incident?Â
That incomplete circle became the basis for Tevet’s next gig. That gig, a startup called Intezer, has just raised a Series C of $33 million to expand its business on the heels of strong growth as well as some near misses it was able to catch.Â
Norwest Venture Partners is leading the round, and all the startup’s existing investors — including Intel Capital, OpenView, Magma, and Alon Cohen, co-founder of CyberArk — are participating. (Cohen is actually also a co-founder of the startup, along with CTO Roy Halevi, another IDF alum.) The startup has raised $60 million to date and is not disclosing its valuation. Â
Intezer, based out of New York but with deep roots in Israel, hasn’t so much focused on reinventing the security wheel as it has on building better mechanics to help cybersecurity processes run more smoothly.Â
Today, we have a plethora of security products, and they have created a number of innovative ways to spot when something unusual is happening on networks, devices, or apps. But the number of alerts they collectively create — estimates range between 4,000 to 11,000 per day — can end up flooding a security team. As Tevet sees it, that translates to an operational nightmare.Â
“In most cases, the time to investigate an alert ranges, for humans, between half-an-hour to four hours,” he said. Teams must not only examine the activity that produced the alert, they have to also look at other logs and activity that might be related to it. They might have to interview people, too. Many of these alerts are often false positives, but that might not be apparent before the investigation is done.
One can see how this starts to look impractical without any kind of triaging in place, and how tying up security teams with such work could end up as a security risk in itself.Â
Intezer says its autonomous technology can take on both triaging and investigation. It essentially treats every alert as a high-priority alert from an investigation point of view, and then determines if they really are issues or not. For each alert that could take a person hours to examine, “Intezer does the work in two minutes,” Tevet said.
Mapping the security genome
The company’s AI is partly based on its research from earlier days. When I last wrote about Intezer, it had raised $15 million to continue mapping what could essentially be described as a “genome” of security issues: A DNA-style map all of the different permutations, origins and connections of different vectors that make up the universe of cybersecurity threats.Â
At the time, the aim was to build products that would apply that knowledge to the broader world of security threats, and by the time I’d covered the company, Intezer had already accomplished that to some impressive ends. It was the first to identify that WannaCry came out of North Korea; it built a code map that helped link the Democratic National Committee breach and Russian hackers; and it identified a new malware family called “HiddenWasp” linked to Linux systems.Â
Intezer’s platform today is the descendant and scaled version of that work. It combines not just the ability to identify the truly minor from the unwittingly major alerts, it can also automatically triage alerts that need attention. Some of this has been built on the startup’s in-house work (such as the DNA mapping and the remediation), and some taps into third-party technology.
For example, Tevet told me that Intezer is using OpenAI APIs to “read” natural language text in, say, internal communications, which in turn is fed into its system to determine whether there are security flags to chase down.
Typically, about 4% of an organization’s alerts are escalated red alerts, Tevet estimated, but the million-dollar question will always be which 4% is the right 4%.
He told me of two recent incidents — one at a major technology company and another at a large healthcare company — where security operation center teams each waved off an alert that appeared innocuous. “The security team did not have time to look at everything,” he said.Â
But both organizations were using Intezer as second pair of eyes for all its alerts. “We actually identified that it was a Chinese state actor in their networks,” he said.Â
That anecdote, of course, points to challenges for Intezer down the line. The number of tools that are being built to look out for and stop unusual activity continues to grow, but in some ways, we are already at a tipping point.Â
Some security companies are getting to the ends of their runways and aren’t able to raise more. Others are getting snapped up by bigger players. Although Intezer has partnerships with big security platforms like Palo Alto Networks, Wiz and CrowdStrike — the startup is coordinating its fundraise news with a big CrowdStrike user conference, in fact — they might also potentially shape up to be competitors as they develop tools to help make their customers’ work easier.Â
That represents a potential crossroads for the likes of Intezer: Whether to jump on the consolidation train, or try to go it alone. Tevet said his company gets approached regularly in exploratory discussions, but nothing has escalated to a red alert as of yet.