“Don’t wake a sleeping lion.”
This was the reaction my two co-founders Tal Morgenstern, Roy Horev, and I had gotten over and over again when sharing with our colleagues our intention to establish Vulcan Cyber.
“There are so many other problems, why this one?”
Well, for me the answer was clear. I knew that solving this problem would profoundly change the face of cybersecurity. And that was enough.
Before Vulcan, I’ve spent the 5 years in different business development and marketing roles in the incident response space. As I moved around from one F500 company to another, I sung the same tunes — “move away from prevention” and “invest more in detection and response.”
But deep down, this did not sit right for me. It may sound more glamorous to talk about zero-day and next-generation threats, but known vulnerabilities are truly where the rubber meets the road.
Industry focus on identifying the next mega zero-day exploit led security stakeholders and vendors to neglect the ever-growing list of known vulnerabilities. This strategic mistake led to the one-two knockout punch in 2017 which the enterprise world is just now starting to recover. The Equifax breach and the Eternal Blue vulnerability (which led to the WannaCry and Petya attacks) were — without a doubt — earth-shattering.
My discomfort with this situation drove me to take action, and to start, alongside my two co-founders, the journey to understand what is broken in the vulnerability management process, and why — in a world of agile IT, Cloud, and DevOps — so many organizations struggle to remediate known vulnerabilities from their environment.
After talking with over 100 different enterprises from all verticals — technology, finance, healthcare, utilities and more — we’ve identified a pattern. All, regardless their mindset, vision, infrastructure, or size, manage vulnerabilities with the same tools and methods that were used 20 years ago.
Here’s what that looks like:
- It starts with a scanner, which scans a part of the enterprise’s digital estate for vulnerabilities. Some search for vulnerabilities in production, some in the code base, but all share the same output — a packed report with thousands (if not tens of thousands) of vulnerabilities.
- Next, the vulnerability management teams have to investigate each vulnerability and assess the degree of urgency to remediate it. This process is tiring and manual — and according to the latest Ponemon Institute research, can cost enterprises up to 320 man-hours per week.
- Finally, once the prioritization process is completed and a remediation plan is formulated, the security team needs to start chasing IT, DevOps and R&D to apply changes to the environment to mitigate the vulnerability.
No doubt, this is a long and inefficient process.
At first, we thought this pattern existed primarily in organizations managing their IT infrastructure in more traditional frameworks like ITIL. To our surprise, this inefficient process is happening in even the most cutting-edge companies who practically live in the Cloud and manage development and IT processes fast with an agile mindset.
For some reason unbeknownst to us, security is the only part of organizations that has not seem to adapt to this agile reality.
Changing the Mindset — a Personal Story
Digging down, we learned that the core of the problem is in the mindset — not of the teams, but rather of the industry vendors and the tools they deliver.
To explain the problem, I want to share a short story from my military service. I started my career in the top unit for the intelligence and cyber unit of the Israeli Defense Forces. As a young officer, one of the questions that bugged me was “How I can tell if the intelligence I provide is relevant or not?” In many cases, I worked long hours unpacking intelligence that we believed to be interesting and relevant — which turned out not to be useful at all.
It took me a while, but eventually, it became clear that the first rule about relevant intelligence, is that it has to drive decision makers to take action. Every piece of intelligence that doesn’t support this basic purpose — regardless of how interesting or sexy it is — is useless at the end of the day.
In the vulnerability management market, vendors are making the same mistake I had made as a young officer: they collect a lot of interesting, technical data about the network and vulnerabilities, deliver it to the user under many different titles — “vulnerability intelligence”, “network visibility”, “exposure insights”, etc., — but forget the first rule: if this data doesn’t drive the users into action, it’s useless.
In the vulnerability context, action means remediation.
With this in mind, we started to build Vulcan. Every single thing we’ve done since then — whether it’s product design, R&D and even choosing our team — has been powered by our remediation focused mindset.
Creating a Winning Team
Many people may think that when startup founders talk about the team that they are building, they are referring to the people they are hiring. In our case, it’s not that way at all. We totally know — very well at this point — that to change the way an industry thinks and operates, building an amazing core team is key but simply not enough.
To succeed in developing and designing our platform, we knew that we needed to create a disruptive (i.e., challenging, engaging, questioning and even defiant) yet supportive environment composed of the right investors and advisors, alongside an extraordinary and multidisciplinary core team.
We were extremely fortunate to join hands with one of the most innovative VC’s in Israel and the States — YL Ventures. Furthermore on the investor front, joining us is Giora Yaron, the chairman of Tel Aviv University’s governing committee, and one of Israel’s high-tech pioneers, alongside a strong a group of entrepreneurs and founders from Israel most successful cybersecurity startups. With their unique approach and network, we have the benefit of engaging with dozens of industry leaders — CISO’s, analysts and thought leaders, all helping us with our mission of building Vulcan.
On the advisor front, we are so very fortunate, too, to be working with industry experts like Andy Ellis, Akamai CSO. He, along with others, is are guiding us and advising us with tremendous product, market and industry insights.
Last, but not least, is our core team. In my wildest dreams, I couldn’t have imagined myself being surrounded by such a talented, hungry, and relentless team mastering multiple disciplines — Security, IT and DevOps — with knowledge and experience that we knew was required to build our product with excellence.
We are all here now to ‘rattle the cages’ of the twenty-year-old vulnerability management space, presenting a new, remediation-focused approach to solve the vulnerability management problem once and shift to today’s reality.
And that’s what we’re here to do. We strive to constantly undermine the vulnerability management status quo with persistent learning, adjusting to new ideas and innovation. We are building Vulcan as a Continuous Vulnerability Remediation Platform, by leveraging the huge opportunity of the cloud and agile IT, combined with a nuanced and mature understanding of security and technology.
This is Vulcan. This is us. We’re here to wake the lion up, and turn it into a small, fluffy kitten chasing a ball of yarn.
If you want to hear more, don’t hesitate to reach out to us at [email protected], and subscribe to receive our updates.