The Vicarius platform enables companies to predict, prioritize, and protect against unknown software vulnerabilities before they can be exploited by hackers. In this interview, Vicarius CEO Michael Assraf describes some notable trends in cybercrime and explains how early identification and prioritization can help organizations tighten their security posture and remain protected.
Please describe the story behind Vicarius: What sparked the idea, and how has it evolved so far?
Vicarius started as a classic startup cliche, by three guys in a garage, somewhere around 2016.
We understood that there are limitless ways to do harm using a computer, but the tools and the modules that can be used by malicious actors are limited. If you can find them on the OS and application level and limit their access, you’ll be able to prevent most attacks.
Since then, the product and company have changed a lot, as most startups do. Today, we’re pretty much taking the whole stack of understanding what a vulnerability is, setting the criticality level for the customer to mitigate it, and then also doing the mitigation part, whether by installing security patches or not.
I think our first achievement was in mid-2017 when we deployed our platform to our first customer. The second milestone was our first funding round, which happened at the end of 2018. And then I think the biggest milestone was starting to build the team, which is what we’re most proud of.
So what is Vicarius all about?
Vicarius’ vision is to change the way organizations understand threats residing in third party software, and the ways to mitigate them. We want to give the organization consolidated, Next-Gen capabilities that no other product has.
Our product has multiple benefits. The first one is the inventory. We get inside the organization and map out all the assets: all the software, all the versions. We also map out the binary files of every software the organization has, and then we take a very unique approach in order to prioritize threats. We look at every edition of every app to see how the software is behaving and what’s changed, and we customize our prioritization to the environment of the customer.
Lastly, we offer very coherent and simple mitigation ways. It can either be an installation of a security patch, which is something that is embedded into our product, or protecting software without the necessity to continuously patch it, using the proprietary technology that we’ve developed.
What are some notable trends in cybercrime these days?
There are two kinds of threats that you can find today. The first one is Advanced Persistent Threats (APT). These are state-sponsored or highly-orchestrated targeted attacks, which are very complex and hard to prevent. Typically, you would need specific products that only handle APTs. If you’re being targeted by this kind of attack, you’re in big trouble and you’re probably aware that you might be targeted.
The second type of attack is what I call the Pareto attacks. It’s 80% versus 20%. They are not very complex. The attackers are simply looking to find the organizations with the worst cyber hygiene that they can exploit in the shortest amount of time. Their efforts will be very small and they will be able to steal information, maybe do some ransomware attack, and then blackmail the company in order to get some money.
From what we can see, this is the majority of attacks because if the organization is getting targeted by a specific group or a specific state, it probably knows about it. You know that you need to buy products that will tackle this problem. But for SMBs, SMEs, or even Fortune 2000 companies that are simply getting a lot of attacks on a daily basis, it’s a bit harder because you need to understand what is the attack surface and how to mitigate it. It’s very labor-intensive because you always have new vulnerabilities and techniques to look out for. Some vulnerabilities reside in your hardware, operating system, and applications, or even in network misconfigurations. So you need constant visibility over the threats that you have.
What are the main challenges that security teams are struggling with these days?
Firstly, there are not enough hands to fix all the problems, and secondly, you don’t really know what all your problems are. If you knew about all of your problems and threats, you’d probably want to hire more people, but after you hire more people, it still wouldn’t be enough.
A lot of the organizations that we’re working with do have the right products in place, but they’re so overwhelmed with everything that they can’t really operate them. And that brings me to the second part, which is automation.
You can’t tackle everything, but it’s probably going to be easier if you can automate some of the manual processes that you’re doing. This isn’t a recent trend, it’s been around for three or four years. The main transformation that the security world is going after is automated workflows. You don’t have to do things manually, everything is being done by policies that you define. Particular incidents will trigger automated responses to get the ball rolling. Get a product to do that for you because they have more knowledge of how to tackle these kinds of threats.
What would you say are the most fundamental things to consider when building an organizational Security Strategy?
I think the first thing to consider is that you have limited human resources. You don’t have an endless capacity of people, so you need to find a way to first visualize and prioritize your risks because you can’t tackle everything. It doesn’t really matter how many people you’re going to recruit to your security team, because at the end of the day, the threats are growing exponentially, and your team doesn’t.
So the main thing is to ensure that the technology products you’re choosing are visualizing your work and prioritizing it, with the notion that you can never be 100 percent secure. There are new techniques and new malware every day, so you need to prioritize your goals wisely.
Which Cybersecurity trends do you expect to see more of in the coming years?
Yes, so first, the major trends in cybersecurity are consolidation or integration of multiple products, and automation. Once everything sits under one platform or product, it’s much easier to orchestrate and automate solutions.
So on the one hand, we can see that clients don’t want 10 vendors selling them different products. They want one vendor; they want this vendor to have everything, and they want everything to be automated and orchestrated. If you don’t have the full capacity, you will need to integrate with other products. So I think the major trends are integration, consolidation, and automation.
I think that the technological advancements these days are happening much faster than the security products that come along. For every new advancement that you have, the security products that will come to protect it are coming two or three years afterward. We can see that happening in the industrial realm. Most industry-level security products will not really prevent attacks. They will let you know about them once they happen, but they wouldn’t be able to prevent them because SCADA interfaces and IoT devices were not built from a security perspective, they were built to work. It was only in hindsight that we started to add all the layers of security on top of them.
Everything is becoming connected. Everything is becoming more complex and more software-based. But even after we’ve invested so much money and even though we have so many security startups, it’s still not enough. So, I think that we will see more companies targeting specific niches, and then more consolidation, meaning that these companies will get acquired much faster.
How do you think COVID-19 affected your business specifically, and the Cybersecurity industry in general?
COVID-19 throws a very bold line between companies that operate via the client’s internal networks, and companies that are more modern and operate from the cloud, such as complete SaaS products. You need to go SaaS ASAP because the perimeter of the organization is no longer your internal network, it’s everywhere. Every employee has their own computer and they can go and work from wherever they want. Companies who understood that quickly and adapted have become stronger because they created better solutions and added more features. The rest either stayed behind or they’re still trying to sell the same on-premise solutions that require you to install servers or appliances inside the organization.
I think that this positioning process is happening radically fast and companies that have adapted will shine above the rest in the long term. With Vicarius, we’ve always been SaaS. We don’t do any installations of servers inside the organization; we don’t sell appliances or any kind of hardware device.
We also added more features to help customers tackle the work-from-home trend. At the end of the day, the computers that employees are using are not necessarily the devices that the organization has acquired and hardened. So in this notion, it’s like the wild wild west because it’s someone’s personal computer, they installed a VPN and that’s it, they are completely connected to all the systems in the organization. So the need for our kind of solution has increased since COVID-19. So in that sense, I think that we’re doing very well.