(upbeat music) >> Hey, everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase, season two, episode four. I'm your host, Lisa Martin. This topic is cybersecurity detect and protect against threats. Very excited to welcome a CUBE alumni back to the program. Snehal Antani, the co-founder and CEO of Horizon3 joins me. Snehal, it's great to have you back in the studio. >> Likewise, thanks for the invite. >> Tell us a little bit about Horizon3, what is it that you guys do? You were founded in 2019, got a really interesting group of folks with interesting backgrounds, but talk to the audience about what it is that you guys are aiming to do. >> Sure, so maybe back to the problem we were trying to solve. So my background, I was a engineer by trade, I was a CIO at G Capital, CTO at Splunk and helped grow scale that company. And then took a break from industry to serve within the Department of Defense. And in every one of my jobs where I had cyber security in my responsibility, I suffered from the same problem. I had no idea I was secure or that we were fixing the right vulnerabilities or logging the right data in Splunk or that our tools and processes and people worked together well until the bad guys had showed up. And by then it was too late. And what I wanted to do was proactively verify my security posture, make sure that my security tools were actually effective, that my people knew how to respond to a breach before the bad guys were there. And so this whole idea of continuously verifying my security posture through security testing and pen testing became a passion project of mine for over a decade. And through my time in the DOD found the right group of an early people that had offensive cyber experience, that had defensive cyber experience, that knew how to build and ship and deliver software at scale. And we came together at the end of 2019 to start Horizon3. >> Talk to me about the current threat landscape. We've seen so much change in flux in the last couple of years. Globally, we've seen the threat actors are just getting more and more sophisticated as is the different types of attacks. What are you seeing kind of horizontally across the threat landscape? >> Yeah, the biggest thing is attackers don't have to hack in using Zero-days like you see in the movies. Often they're able to just log in with valid credentials that they've collected through some mechanism. As an example, if I wanted to compromise a large organization, say United Airlines, one of the things that an attacker's going to go off and do is go to LinkedIn and find all of the employees that work at United Airlines. Now you've got say, 7,000 pilots. Of those pilots, you're going to figure out quickly that their user IDs and passwords or their user IDs at least are first name, last initial @united.com. Cool, now I have 7,000 potential logins and all it takes is one of them to reuse a compromised password for their corporate email, and now you've got an initial user in the system. And most likely, that initial user has local admin on their laptops. And from there, an attacker can dump credentials and find a path to becoming a domain administrator. And what happens oftentimes is, security tools don't detect this because it looks like valid behavior in the organization. And this is pretty common, this idea of collecting information on an organization or a target using open source intelligence, using a mix of credential spraying and kind of low priority or low severity exploitations or misconfigurations to get in. And then from there, systematically dumping credentials, reusing those credentials, and finding a path towards compromise. And less than 2% of CVEs are actually used in exploits. Most of the time, attackers chain together misconfigurations, bad product defaults. And so really the threat landscape is, attackers don't hack in, they log in. And organizations have to focus on getting the basics right and fundamentals right first before they layer on some magic easy button that is some security AI tools hoping that that's going to save their day. And that's what we found systemically across the board. >> So you're finding that across the board, probably pan-industry that a lot of companies need to go back to basics. We talk about that a lot when we're talking about security, why do you think that is? >> I think it's because, one, most organizations are barely treading water. When you look at the early rapid adopters of Horizon3's pen testing product, autonomous pen testing, the early adopters tended to be teams where the IT team and the security team were the same person, and they were barely treading water. And the hardest part of my job as a CIO was deciding what not to fix. Because the bottleneck in the security process is the actual capacity to fix problems. And so, fiercely prioritizing issues becomes really important. But the tools and the processes don't focus on prioritizing what's exploitable, they prioritize by some arbitrary score from some arbitrary vulnerability scanner. And so we have as a fundamental breakdown of the small group of folks with the expertise to fix problems tend to be the most overworked and tend to have the most noise to need to sift through. So they don't even have time to get to the basics. They're just barely treading water doing their day jobs and they're often sacrificing their nights and weekends. All of us at Horizon3 were practitioners at one point in our career, we've all been called in on the weekend. So that's why what we did was fiercely focus on helping customers and users fix problems that truly matter, and allowing them to quickly reattack and verify that the problems were truly fixed. >> So when it comes to today's threat landscape, what is it that organizations across the board should really be focused on? >> I think, systemically, what we see are bad password or credential policies, least access privileged management type processes not being well implemented. The domain user tends to be the local admin on the box, no ability to understand what is a valid login versus a malicious login. Those are some of the basics that we see systemically. And if you layer that with it's very easy to say, misconfigure vCenter, or misconfigure a piece of Cisco gear, or you're not going to be installing, monitoring security observability tools on that HPE Integrated Lights Out server and so on. What you'll find is that you've got people overworked that don't have the capacity to fix. You have the fundamentals or the basics not well implemented. And you have a whole bunch of blind spots in your security posture. And defenders have to be right every time, attackers only have to be right once. And so what we have is this asymmetric fight where attackers are very likely to get in, and we see this on the news all the time. >> So, and nobody, of course, wants to be the next headline, right? Talk to me a little bit about autonomous pen testing as a service, what you guys are delivering, and what makes it unique and different than other tools that have been out, as you're saying, that clearly have gaps. >> Yeah. So first and foremost was the approach we took in building our product. What we set upfront was, our primary users should be IT administrators, network engineers, and that IT intern who, in three clicks, should have the power of a 20-year pen testing expert. So the whole idea was empower and enable all of the fixers to find, fix, and verify their security weaknesses continuously. That was the design goal. Most other security products are designed for security people, but we already know they're task saturated, they've got way too many tools under the belt. So first and foremost, we wanted to empower the fixers to fix problems that truly matter. The second part was, we wanted to do that without having to install credentialed agents all over the place or writing your own custom attack scripts, or having to do a bunch of configurations and make sure that it's safe to run against production systems so that you could test your entire attack surface. Your on-prem, your cloud, your external perimeter. And this is where AWS comes in to be very important, especially hybrid customers where you've got a portion of your infrastructure on AWS, a portion on-prem, and you use Horizon3 to be able to attack your complete attack surface. So we can start on-prem and we will find say, the AWS credentials file that was mistakenly saved on a shared drive, and then reuse that to become admin in the cloud. AWS didn't do anything wrong, the cloud team didn't do anything wrong, a developer happened to share a password or save a password file locally. That's how attackers get in. So we can start from on-prem and show how we can compromise the cloud, start from the cloud and show how we can compromise on-prem. Start from the outside and break in. And we're able to show that complete attack surface at scale for hybrid customers. >> So showing that complete attack surface sort of from the eyes of the attacker? >> That's exactly right, because while blue teams or the defenders have a very specific view of their environment, you have to look at yourself through the eyes of the attacker to understand what are your blind spots, what do they see that you don't see. And it's actually a discipline that is well entrenched within military culture. And that's also important for us as the company. We're about a third of Horizon3 served in US special operations or the intelligence community with the United States, and then DOD writ large. And a lot of that red team mindset, view yourself through the eyes of the attacker, and this idea of training like you fight and building muscle memory so you know how to react to the real incident when it occurs is just ingrained in how we operate, and we disseminate that culture through all of our customers as well. >> And at this point in time, every business needs to assume an attacker's going to get in. >> That's right. There are way too many doors and windows in the organization. Attackers are going to get in, whether it's a single customer that reused their Netflix password for their corporate email, a patch that didn't get applied properly, or a new Zero-day that just gets published. A piece of Cisco software that was misconfigured, not buy anything more than it's easy to misconfigure these complex pieces of technology. Attackers are going to get in. And what we want to understand as customers is, once they're in, what could they do? Could they get to my crown jewel's data and systems? Could they borrow and prepare for a much more complicated attack down the road? If you assume breach, now you want to understand what can they get to, how quickly can you detect that breach, and what are your ways to stifle their ability to achieve their objectives. And culturally, we would need a shift from talking about how secure I am to how defensible are we. Security is kind of a point in time state of your organization. Defensibility is how quickly you can adapt to the attacker to stifle their ability to achieve their objective. >> As things are changing constantly. >> That's exactly right. >> Yeah. Talk to me about a typical customer engagement. If there's, you mentioned folks treading water, obviously, there's the huge cybersecurity skills gap that we've been talking about for a long time now, that's another factor there. But when you're in customer conversations, who are you talking to? Typically, what are they coming to you for help? >> Yeah. One big thing is, you're not going to win and win a customer by taking 'em out to steak dinners. Not anymore. The way we focus on our go to market and our sales motion is cultivating champions. At the end of the proof of concept, our internal measure of successes is, is that person willing to get a Horizon3 tattoo? And you do that, not through steak dinners, not through cool swag, not through marketing, but by letting your results do the talking. Now, part of those results should not require professional services or consulting. The whole experience should be self-service, frictionless, and insightful. And that really is how we've designed the product and designed the entire sales motion. So a prospect will learn or discover about us, whether it's through LinkedIn, through social, through the website, but often because one of their friends or colleagues heard about us, saw our result, and is advocating on our behalf when we're not in the room. From there, they're going to be able to self-service, just log in to our product through their LinkedIn ID, their Google ID. They can engage with a salesperson if they want to. They can run a pen test right there on the spot against their home without any interaction with a sales rep. Let those results do the talking, use that as a starting point to engage in a more complicated proof of value. And the whole idea is we don't charge for these, we let our results do the talking. And at the end, after they've run us to find problems, they've gone off and fixed those issues, and they've rerun us to verify that what they've fixed was properly fixed, then they're hooked. And we have a hundred percent technical win rate with our prospects when they hit that find-fix-verify cycle, which is awesome. And then we get the tattoo for them, at least give them the template. And then we're off to the races. >> Sounds like you're making the process more simple. There's so much complexity behind it, but allowing users to be able to actually test it out themselves in a simplified way is huge. Allowing them to really focus on becoming defensible. >> That's exactly right. And the value is, especially now in security, there's so much hype and so much noise. There's a lot more time being spent self-discovering and researching technologies before you engage in a commercial discussion. And so what we try to do is optimize that entire buying experience around enabling people to discover and research and learn. The other part, remember is, offensive cyber and ethical hacking and so on is very mysterious and magical to most defenders. It's such a complicated topic with many nuance tools that they don't have the time to understand or learn. And so if you surface the complexity of all those attacker tools, you're going to overwhelm a person that is already overwhelmed. So we needed the experience to be incredibly simple and optimize that find-fix-verify aha moment. And once again, be frictionless and be insightful. >> Frictionless and insightful. Excellent. Talk to me about results, you mentioned results. We love talking about outcomes. When a customer goes through the PoC, PoV that you talked about, what are some of the results that they see that hook them? >> Yeah, the biggest thing is, what attackers do today is they will find a low from machine one plus a low from machine two equals compromised domain. What they're doing is they're chaining together issues across multiple parts of your system or your organization to opone your environment. What attackers don't do is find a critical vulnerability and exploit that single machine. It's always a chain, always multiple steps in the attack. And so the entire product and experience in, actually, our underlying tech is around attack paths. Here is the path, the attack path an attacker could have taken. That node zero our product took. Here is the proof of exploitation for every step along the way. So you know this isn't a false positive. In fact, you can copy and paste the attacker command from the product and rerun it yourself and see it for yourself. And then here is exactly what you have to go fix and why it's important to fix. So that path, proof, impact, and fix action is what the entire experience is focused on. And that is the results doing the talking, because remember, these folks are already overwhelmed, they're dealing with a lot of false positives. And if you tell them you've got another critical to fix, their immediate reaction is "Nope, I don't believe you. This is a false positive. I've seen this plenty of times, that's not important." So you have to, in your product experience and sales process and adoption process, immediately cut through that defensive or that reflex. And it's path, proof, impact. Here's exactly what you fix, here are the exact steps to fix it, and then you're off to the races. What I learned at Splunk was, you win hearts and minds of your users through amazing experience, product experience, amazing documentation. >> Yes. >> And a vibrant community of champions. Those are the three ingredients of success, and we've really made that the core of the product. So we win on our documentation, we win on the product experience, and we've cultivated pretty awesome community. >> Talk to me about some of those champions. Is there a customer story that you think really articulates the value of node zero and what it is that you are doing? >> Yeah, I'll tell you a couple. Actually, I just gave this talk at Black Hat on war stories from running 10,000 pen tests. And I'll try to be gentle on the vendors that were involved here, but the reality is, you got to be honest and authentic. So a customer, a healthcare organization ran a pen test and they were using a very well-known managed security services provider as their security operations team. And so they initiate the pen test and they wanted to audit their response time of their MSSP. So they run the pen test and we're in and out. The whole pen test runs two hours or less. And in those two hours, the pen test compromises the domain, gets access to a bunch of sensitive data, laterally maneuvers, rips the entire environment apart. It took seven hours for the MSSP to send an email notification to the IT director that said, "Hey, we think something suspicious is going on." >> Wow. >> Seven hours! >> That's a long time. >> We were in and out in two, seven hours for notification. And the issue with that healthcare company was, they thought they had hired the right MSSP, but they had no way to audit their performance. And so we gave them the details and the ammunition to get services credits to hold them accountable and also have a conversation of switching to somebody else. >> Accountability is key, especially when we're talking about the threat landscape and how it's evolving day to day. >> That's exactly right. Accountability of your suppliers or your security vendors, accountability of your people and your processes, and not having to wait for the bad guys to show up to test your posture. That's what's really important. Another story that's interesting. This customer did everything right. It was a banking customer, large environment, and they had Fortinet installed as their EDR type platform. And they initiate us as a pen test and we're able to get code execution on one of their machines. And from there, laterally maneuver to become a domain administrator, which in security is a really big deal. So they came back and said, "This is absolutely not possible. Fortinet should have stopped that from occurring." And it turned out, because we showed the path and the proof and the impact, Fortinet was misconfigured on three machines out of 5,000. And they had no idea. >> Wow. >> So it's one of those, you want to don't trust that your tools are working, don't trust your processes, verify them. Show me we're secure today. Show me we're secure tomorrow. And then show me again we're secure next week. Because my environment's constantly changing and the adversary always has a vote. >> Right, the constant change in flux is huge challenge for organizations, but those results clearly speak for themselves. You talked about speed in terms of time, how quickly can a customer deploy your technology, identify and remedy problems in their environment? >> Yeah, this find-fix-verify aha moment, if you will. So traditionally, a customer would have to maybe run one or two pen tests a year. And then they'd go off and fix things. They have no capacity to test them 'cause they don't have the internal attack expertise. So they'd wait for the next pen test and figure out that they were still exploitable. Usually, this year's pen test results look identical than last year's. That isn't sustainable. So our customers shift from running one or two pen tests a year to 40 pen tests a month. And they're in this constant loop of finding, fixing, and verifying all of the weaknesses in their infrastructure. Remember, there's infrastructure pen testing, which is what we are really good at, and then there's application level pen testing that humans are much better at solving. >> Okay. >> So we focus on the infrastructure side, especially at scale. But can you imagine, 40 pen tests a month, they run from the perimeter, the inside from a specific subnet, from work from home machines, from the cloud. And they're running these pen tests from many different perspectives to understand what does the attacker see from each of these locations in their organization and how do they systemically fix those issues? And what they look at is, how many critical problems were found, how quickly were they fixed, how often do they reoccur. And that third metric is important because you might fix something, but if it shows up again next week because you've got bad automation, you're in a rat race. So you want to look at that reoccurrence rate also. >> The reoccurrence rate. What are you most excited about as, obviously, the threat landscape continues to evolve, but what are you most excited about for the company and what it is that you're able to help organizations across industries achieve in such tumultuous times? >> Yeah. One of the coolest things is, because I was a customer for many of these products, I despised threat intelligence products. I despised them. Because there were basically generic blog posts. Maybe delivered as a data feed to my Splunk environment or something. But they're always really generic. Like, "You may have a problem here." And as a result, they weren't very actionable. So one of the really cool things that we do, it's just part of the product is this concept of flares, flares that we shoot up. And the idea is not to cause angst or anxiety or panic, but rather we look at threat intelligence and then because all of the insights we have from your pen test results, we connect those two together and say, "Your VMware Horizon instance at this IP is exploitable. You need to fix it as fast as possible, or is very likely to be exploited. And here is the threat intelligence and in the news from CSAI and elsewhere that shows why it's important." So I think what is really cool is we're able to take together threat intelligence out in the wild combined with very precise understanding of your environment to give you very accurate and actionable starting points for what you need to go fix or test or verify. And when we do that, what we see is almost like, imagine this ball bouncing, that is the first drop of the ball, and then that drives the first major pen test. And then they'll run all these subsequent pen tests to continue to find and fix and verify. And so what we see is this tremendous amount of excitement from customers that we're actually giving them accurate, detailed information to take advantage of, and we're not causing panic and we're not causing alert and fatigue as a result. >> That's incredibly important in this type of environment. Last question for you. If autonomous pen testing is obviously critical and has tremendous amount of potential for organizations, but it's only part of the equation. What's the larger vision? >> Yeah, we are not a pen testing company and that's something we decided upfront. Pen testing is a sensor. It collects and understands a tremendous amount of data for your attack surface. So the natural next thing is to analyze the pen test results over time to start to give you a more accurate understanding of your governance, risk, and compliance posture. So now what happens is, we are able to allow customers to go run 40 pen tests a month. And that kind of becomes the initial land or flagship product. But then from there, we're able to upsell or increase value to our customers and start to compete and take out companies like Security Scorecard or RiskIQ and other companies like that, where there tended to be, I was a user of all those tools, a lot of garbage in, garbage out. Where you can't fill out a spreadsheet and get an accurate understanding of your risk posture. You need to look at your detailed pen test results over time and use that to accurately understand what are your hotspots, what's your recurrence rate and so on. And being able to tell that story to your auditors, to your regulators, to the board. And actually, it gives you a much more accurate way to show return on investment of your security spend also. >> Which is huge. So where can customers and those that are interested go to learn more? >> So horizonthree.ai is the website. That's a great starting point. We tend to very much rely on social channels, so LinkedIn in particular, to really get our stories out there. So finding us on LinkedIn is probably the next best thing to go do. And we're always at the major trade shows and events also. >> Excellent. Snehal, it's been a pleasure talking to you about Horizon3, what it is that you guys are doing, why, and the greater vision. We appreciate your insights and your time. >> Thank you, likewise. >> All right. For my guest, I'm Lisa Martin. We want to thank you for watching the AWS Startup Showcase. We'll see you next time. (gentle music)