Computerworld

How Aussie innovation is helping secure IT

Australian security startups looking to make a splash

Last September a report by US think tank the Center for Strategic and International Studies, commissioned by Intel Security, found that 88 per cent of Australian IT decision makers surveyed believed there was a local shortage of cyber security skills.

“That figure is on a par with IT chiefs in Mexico, but higher than the six other countries surveyed,” CIO noted.

The survey’s 75 Australian respondents also predicted that 17 per cent of cybersecurity positions advertised by their company would go unfilled by 2020 — higher than the 15 per cent of jobs estimated globally.

Absent an increase in the number of cyber security professionals, there are three ways to address the problem: Better security tools, better leveraging the available security expertise, and designing systems that are inherently less vulnerable.

While Australia might currently have a deficit of security professionals working directly to protect systems, there are many innovation-minded individuals working in startup companies looking to capitalise on the growing demand for new security technologies and expertise.

The government-backed Australian Cyber Security Growth Network (ACSGN) yesterday released a roadmap to help grow Australia’s security sector. Over the next 10 years, the size of Australia’s cyber security sector could potentially triple, reaching annual revenue of $6 billion by 2026 — up from $2 billion today — according to the ACSGN.

Computerworld spoke to the people behind three startups — each at a different stage of growth — that are individually pursuing three avenues of cyber security: Technology, expertise and systems design.

Kasada aims to beat the bad bots

The first of these, and the least mature, is Kasada, which is just about to emerge from stealth mode. It has developed technology designed to protect against one of the greatest scourges of the internet: Malicious bots that endeavour to log into websites using stolen credentials.

According to Kasada, such bots account for 30 percent of all web traffic. Thanks to the growing number of logins that internet users need to remember, and hence their increasing tendency to reuse passwords, the malicious bot success rate is growing rapidly.

Kasada co-founder Sam Crowther told Computerworld: “We have seen some attacks where they get a nine per cent hit rate with stolen accounts.”

It was this technique, he says, that was used in the notorious Sony PlayStation website attack that, on Sony’s own estimates, cost it US$170 million. According to Kasada some US$113 billion is lost annually to these attacks, and the figure is growing.

Kasada’s secret sauce is its ability to automatically distinguish between a good bot (such as a search engine indexing the site), a bad bot and a human.

“We empower organisations to fight these attacks by automating their web defences,” he said. “Traditional defences are very manual, based on rules. Is this IP address bad? Can requests come from this country? Every time there is a new attack somebody has to manually update things to reflect that. It is not sustainable when an attacker has automated things on their side.”

Kasada counters these threats by diverting traffic through servers in AWS that run its protection technology, Polyform. Crowther says the Kasada technology works in two ways.

“We have developed technology that allows us to fingerprint these bots in a unique way. The other aspect is our cryptographic challenge. We use some really cool principles in cryptography to force bots to prove that they are worthy of getting to the website and this has proved highly effective in stopping large-scale attacks.”

Kasada offers few details of how Polyform works. Crowther said: “We basically give the bot a very hard algebra question. We control the difficulty. We can make it take hours or days.”

“It is very simple to implement and does not chew up any of the website’s resources,” he adds.
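Kasada does not publish how Polyform's challenge works, so the following is an added illustration of the general idea described above, not Kasada's code: a hash-based client puzzle whose difficulty the server controls, signed so a client cannot hand back a challenge with the difficulty lowered. All names, the HMAC signing scheme and the SHA-256 leading-zero-bits puzzle are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: the server issues a (nonce, difficulty, expiry) challenge and
# MACs it with a server-side key. The client must find a counter such that
# SHA-256(nonce || counter) starts with `difficulty` zero bits. Expected client work
# is about 2**difficulty hashes per login attempt; the server's check is a single
# hash plus a MAC comparison, so the cost lands on the automated attacker, not the site.

SERVER_KEY = secrets.token_bytes(32)  # constructed; in practice a managed secret
CHALLENGE_TTL = 60  # seconds a challenge stays valid, so old solutions cannot be replayed


def issue_challenge(difficulty, now=None):
    """Server side: create a signed challenge at the chosen difficulty."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    expires = int(now) + CHALLENGE_TTL
    msg = f"{nonce}:{difficulty}:{expires}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "difficulty": difficulty, "expires": expires, "tag": tag}


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest (256 for an all-zero SHA-256)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_challenge(ch):
    """Client side: brute-force the counter. Cost grows as 2**difficulty."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{ch['nonce']}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= ch["difficulty"]:
            return counter
        counter += 1


def verify_solution(ch, counter, now=None):
    """Server side: constant-cost check of MAC, expiry and the submitted counter."""
    now = time.time() if now is None else now
    msg = f"{ch['nonce']}:{ch['difficulty']}:{ch['expires']}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ch["tag"]):
        return False  # challenge was tampered with (e.g. difficulty lowered by the client)
    if now > ch["expires"]:
        return False  # stale challenge: fresh work is required for every attempt
    digest = hashlib.sha256(f"{ch['nonce']}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= ch["difficulty"]
```

Raising `difficulty` by one doubles the expected client work while the server's verification cost stays flat, which is the "we control the difficulty" property the quote describes.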

Aside from any security benefits, he says users can see an immediate ROI as a result of reduced load on their web servers. “If they are hosting on AWS they see the cost dropping because the bots are not chewing up resources.”

Kasada may be still a very young company but it already has major organisations as customers: A mid-tier bank and one of Australia’s largest ticketing agencies.

“The bank had huge risks around brute force attacks and automated fraud, and their systems could not detect it. They had no visibility into that type of traffic,” Crowther said.

The ticketing agency faced the challenge of stopping automated bots buying up most of the tickets to popular events for on-selling at several multiples of the face value, and found that captchas significantly drove sales from online to the phone, greatly increasing the cost of sales.

When Computerworld spoke to Kasada in late March the company was on the verge of emerging from stealth mode. It had six employees, an advisory board and had secured some seed funding.

Crowther said the company would hit the ground running. “We have three customers, all substantial brands and a significant pipeline of top tier companies that have approached us. They are facing enormous problems they just cannot solve.”

He said channel partners would be crucial to the company’s success. Kasada has already established a relationship with security systems integrator VMTech that is focussed on financial services, ecommerce and health records.

Secure Code Warrior promotes secure programming

The second of the three startups Computerworld spoke to aims to make software inherently less vulnerable to attack.

Secure Code Warrior was born out of its founders’ frustration as security consultants repeatedly encountering the same vulnerabilities introduced by poorly written code.

Founder and CEO, Peter Danhieux, and his co-founders had worked in cyber security for about 15 years, mostly as white-hat hackers. “We got frustrated that after 15 years we kept seeing the same security weaknesses in software time and time again,” he said.

“Every company and every test we did we were able to get in because of flaws that were 20 years old and nobody knew how to fix them.”

A classic example, he said, was the technique used in the Panama Papers hack, the Ashley Madison hack and others.

“They used an SQL injection vulnerability that was first discovered in 1999. We’ve known the solution since 1999, but nobody has bothered to tell the developers writing code ‘Guys if you call a function in this way it can lead to really bad things. If you do it this way it is much more secure’.”
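The contrast Danhieux draws, calling a function one way versus the safer way, as an added example that is not from Secure Code Warrior: the same lookup built by pasting input into the SQL text, and then with the value bound as a parameter. The in-memory SQLite table and sample rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash_a", "user"), ("admin", "hash_x", "admin")])
    return conn


def lookup_vulnerable(conn, username):
    """The 1999-era flaw: the input becomes part of the SQL text, so a quote in the
    input can change the query's structure rather than just the value compared."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The fix known since then: the driver sends the value as data, separately from
    the statement, so quotes or keywords in it never reach the SQL parser."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()
```

With a normal username both functions return the same row; with input that contains a quote, the first function's `WHERE` clause is rewritten while the second simply finds no user called that.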

Danhieux lays the blame for this situation on universities and the way they teach programming. “They never think about the security implications. We have checked with universities here and in the UK and USA and they say there is no time to teach secure coding.”

While a number of training organisations produce material that purports to teach secure coding, he says usage is generally perfunctory and undertaken primarily to achieve compliance.

“There are training materials out there — videos and PowerPoints — that are sold into all the big companies worldwide but it is high level, and developers don't get excited about things like that.”

Secure Code Warrior’s solution is to gamify the training and introduce a competitive element.

“We started development with three people in 2015. It took us about nine months and by March 2016 we had a product that I thought was saleable and secure and started pushing it in Europe and the US,” Danhieux said.

Since then the company has signed up some impressive clients: One of Australia’s big banks with several thousand developers is using it. ING is using it for about 1500 developers and Secure Code Warrior has signed up a major US telco with several thousand developers.

In total Danhieux said some 6000 developers around the world were actively using Secure Code Warrior. The company also offers access to its training material to individuals for $50 per month.

Secure Code Warrior has been self-funded to date but Danhieux is looking to raise Series A funding in the next few months. He wants to add assessment and tournament features and to increase the number of programming languages offered.

“To date we have supported languages the banks are using, but we want to go into telcos and they are using Ruby On Rails, Python etc. In the IoT space you need C and C++ and a whole bunch of other languages.”

Hivint

Like Secure Code Warrior, Hivint grew out of its founders’ frustration at dealing with the same security issues over and over again, but it has taken a quite different two-pronged approach to the problem.

One part of the Hivint business is a standard security consultancy practice, but instead of undertaking each project in isolation, Hivint reaches an agreement with the client to keep ownership of any intellectual property generated during the project. Stripped of anything that can identify the client, that information is then uploaded to Hivint’s resource library, which any organisation can access for an annual subscription of $2700.

Nick Ellsmore, the company’s security advisor and ‘chief apiarist’, told Computerworld that Hivint had undertaken a $400,000 security awareness program for one of the big banks and that all the material developed for that project (booklets and presentations to staff and the board) was now available on its portal.

Ellsmore and his co-founders at Hivint formerly ran Stratsec – the largest IT security consultancy in Australia when it was sold to BAE Systems in 2010. Their experience at Stratsec led them to found Hivint in 2015, as he explains.

“We kept completing the same project over and over again, delivering the same solution over and over again, but there were really no efficiencies being generated for the client. So we came up with the idea of the portal. Whenever we deliver a security project we negotiate to keep the IP and de-identify it and make it available through the portal.”

This ‘creation of collective knowledge’ approach is the source of the company’s name. “In the same way the collective knowledge of the beehive goes far beyond the knowledge of the individual bees at any point in time, we provide our customers with a level of security advice and resources that they could not individually achieve,” its website explains.

This dual business model provides the company with steady cash flow to fund growth. Hivint is the fastest growing cyber security company in the Deloitte Fast 50, Ellsmore says. It presently has 28 staff and expects to hit 50 by year-end.

“We turned over $2.9 million last year and we will turn over $5 million this year. If we get to the team of 50 this year, as I expect we will, we will turn over $10 million next year,” he said.

And while the consultancy business is essential to feed the resource library, he says the resource library with its associated portal is the long-term growth engine of the business because of its scalability.

“The consultancy business is growing as fast as we can feed it, because to make the content re-usable we discount the fees, but long term, particularly internationally, the portal will be where growth will come from. We do have international subscribers already and we would like to build into the US market.”

To do that Hivint is looking to either expand its consultancy business into the US, or establish a relationship with a US consultancy that can provide the local expertise and content needed to feed the portal.

Ellsmore said one of the challenges Hivint faces is that its portal and the consultancy business have different markets that require different marketing strategies. “We are very good at high-value, low-volume sales that are relationship and knowledge driven. With the portal we have to find a way of doing high-volume, low-value sales. We have been investing quite a lot in social media, blogs, videos on YouTube, even advertising on social networks to target people with an interest in security.”

Ellsmore said the portal had about 1000 customers, about 90 percent of them free subscriptions with access to a subset of its content. Of the 100 paying subscribers he said most were also clients of the consulting business.

To boost numbers the company is mounting a campaign targeting superannuation and private health insurance. “Both sectors have traditionally had quite low security maturity compared to their broader financial sector peers,” Ellsmore explained.

Meanwhile Hivint is building up the portal with additional functionality that does not rely on input from the consultancy. It recently added a vendor risk assessment module that enables an organisation to get a security score for any other organisation, to get a sense of the security maturity of its suppliers. A free subscription enables an organisation to see its own security score.

Ellsmore said this had been very effective in driving sign-ups and would be followed by a cyber security assessment module. “The user will be able to go in, answer questions about their cyber security status and have that enhanced by the vendor risk data. That will drop out a list of recommendations about areas requiring work that will tie back to the resource library material.”