The RSA Innovation Sandbox from the Perspective of Technology

Posted by punzalan at 2020-03-12

On March 4 (US local time), the high-profile RSAC 2019 opened in San Francisco. In the Innovation Sandbox session, known as the "Internet security weathervane", 10 network security companies were shortlisted to show their cutting-edge technologies on the spot. These 10 companies cover a variety of technologies, including asset management, DevOps, cloud security, data security and firmware security.

Axonius and Duality were the top 2.

Finally, Axonius, which received US $13 million in A-round financing on February 5 this year, was rated the "most innovative start-up company" of the RSAC 2019 Innovation Sandbox. Based on past experience, a company given this award can maintain strong innovation ability and momentum in the future.

The specific technical analysis is further down the page, so I won't elaborate on it here. Let's talk about how I feel. Judging from the trend of the past two years, there are few disruptive innovative products, and more and more minimally invasive new features or functional improvements that solve pain points which traditional environments or traditional security products handle poorly or ignore. For example, in the question and answer session for Axonius, the judges said that this is not solving tomorrow's problem. Its core is to complete asset and vulnerability management by connecting with various management systems, solving user pain points such as discovery of enterprise gray assets and asset management of non-manageable equipment. As another example, Duality continues the work of Enveil, the homomorphic encryption company from '17, to support machine-learning data analysis. The core issue of homomorphic encryption is performance. The reason Duality gives for achieving higher processing performance than other large enterprises also leaves me optimistic. If they can provide commercial products or engines, their application prospects are very broad.

Back to Axonius: I feel that the preferences have changed since the judges changed this year. In '15, the RSAC keynote said that security threats are ubiquitous and pervasive, and that security enterprises can't fight alone. Starting from "Change" (enterprises will die if they don't reform), thinking moved from static defense to in-depth and dynamic defense. Then came "Connect to Protect" in '16 and "unity is power" in '17, when new technologies emerged endlessly (deception, AI, automated orchestration), all of them meant to find the ubiquitous but untraceable hacker as far as possible. No matter what new technologies are used, orchestrate them to defeat the evil rebel No. 1. In '18, with "Now", there seemed to be some ideas, but every technology turned out to be not as good as the security companies boasted. They were all in the period of disillusionment: orchestration systems need a large number of highly skilled people who can write scripts; AI is not so intelligent and can only be used in the field of images; machine learning needs parameters and is not universal. In a word, there seems to be a prospect, but it is not arriving so fast. Everyone asked each other, "Now? Now what?" This year's RSAC answer is "Better". Maybe this year's judges pay more attention to practicality, micro-innovation and practical improvement.

So we go back to the first lesson of security: assets, vulnerability, risk and threat. Interests always exist, and threats and attackers can never be eliminated. However, we can manage all assets within a given scope, obtain the widest and deepest visibility possible, and continuously evaluate and eliminate the vulnerabilities of those assets, so as to effectively mitigate or even avoid risks. Therefore, although asset management is not a "tomorrow's technology", it is the first and most important step for the security team in building a complete defense system. Sometimes, knowing yourself is harder than knowing the other side.

The ideal is beautiful, but the reality is rather bare-boned. The earlier an enterprise was established, the more complex its business, the more information systems it has, and the more complex its personnel and business systems are. Having so many existing systems is bad, but it is also good. Through these systems, Axonius obtains various data, and then conducts correlation analysis to obtain the final asset view. Only when the overall asset picture is available can the security operations team discover unmanaged assets, enrich asset attributes, and then interact with other systems such as detection, response and forensics, so as to improve the accuracy of analysis and the credibility of policy distribution.

Of course, there must be many problems to solve, such as asset modeling and multi-system data consistency. I'm afraid the biggest challenge is adapting to other systems. This is similar to the problem that Phantom encountered in '16: the orchestration system is cool, but the biggest piece of work in the end is adapting to third-party actors and data sources. Maybe this year's final will give all entrepreneurs some inspiration:

1. When encountering complicated situations, please go back to the first step

2. If it is dirty work, but it solves the problem of the first step, then do it

3. There are also many technical problems to be solved in dirty work

What's interesting is that, in the technical comments I wrote earlier on Duality, I mentioned the "zero leakage computing architecture", the product of Enveil, a start-up that also does homomorphic encryption. In the '17 RSA Innovation Sandbox, it won second place, which shows that it received high attention from the judges. But now homomorphic encryption is still the perennial runner-up, although it has attracted much attention. The on-site judges repeatedly questioned why they should believe in Duality. Although it was fun to hear the talk about PhDs on the spot, does it mean that the judges haven't seen Enveil prove its value yet (Enveil shows fewer than 10 on CrunchBase; I don't know if the data is accurate)?

The overall feeling on site was that everyone was telling stories and there were few technical presentations. After all, three minutes is not enough. On the whole, however, the trend of agile development and cloud computing seems to have greatly affected the product direction of security start-ups. Four of them address the development, operation and API problems of DevOps, and two focus on the security problems of multi-cloud and hybrid cloud. In addition, with the push from GDPR, data security will gradually become a hot spot in the security industry; this year, two companies are related to data privacy protection. Business security (human-machine identification, countering "wool pulling" promotion abuse) and device firmware security (UEFI, Internet of Things firmware) are also emerging security directions.

Here is the technical interpretation.

Over the last two weeks, DJ and Hu Hongtao, CEO of Apple capital, interpreted the RSA '19 Innovation Sandbox finalists from the perspective of the entrepreneurial team and of investment respectively. It is true that the Innovation Sandbox gives more weight to investment and business-model direction. Of course, the development of the security industry is itself also technological innovation, so this article also interprets the products of these ten companies from the perspective of technology.

As the author attends the RSA and Gartner security summits every year, I feel that RSA shows a flourishing industry, while the Gartner summit presents the opinions of senior consultants after in-depth thinking on the development of the security industry, especially the top security technologies and security projects released every year, which to a large extent cover the new trends of technology development in the industry. So this article also refers to the trends listed by Gartner since 2016 ('16/'17 are new technologies and '18/'19 are new projects).

'16 new technologies

'17 new technologies

'18 new projects

Adaptive Security Architecture

Cloud Workload Protection Platforms

Cloud Security Posture Management (CSPM) Project (configuration check + CWPP)



CARTA-Inspired Vulnerability Management Project

Nonsignature Approaches for Endpoint Prevention

Managed Detection and Response (MDR)

Active Anti-Phishing Project

Remote Browser

Remote Browser

Microsegmentation and Flow Visibility


Software-Defined Segmentation

Network Traffic Analysis

Detection and Response Project(EPP + EDR UEBA Deception)/MDR








Software-Defined Perimeter Project

Pervasive Trust Services

Application Control on Server Workloads Project



Container Security

Privileged Account Management Project

iSOC Orchestration Solutions

Automated Security Scanning Project

Although the two are not completely aligned (for example, the above table does not contain data-security-related technologies, and only in '19 did gray data discovery appear among the new projects), these technologies and projects are largely reflected in the companies that have reached the Innovation Sandbox finals over the years. For example, the innovation of Acalvio in '18 is deception, and the innovation of Hysolate is experience-enhanced isolation similar to remote browser. The '19 Gartner new projects have just been released, and you can also refer to ( But it should be noted that a "new technology" is more innovative, while a "new project" is more practical; with "more than half of institutions successfully deployed" among the evaluation criteria, it can hardly be called "new". As you know, it's good to make a disclaimer here (thanks to Uncle Hongli, an expert of Lvmeng capital and deep)

Let me briefly talk about my feeling for the technology and give some subjective scores. But what matters more is whether they fully achieve their stated goals; for that we need to go to the booths and have a good chat with them over these two days. For example, Arkose Labs' human-machine identification technology seems to be very good, and it promises to prevent fraud and abuse with a 100% SLA. Whether that is true or not, you need to judge.

Axonius: plug-in asset management integrating multiple systems

Security area: Asset Management

Application field: General

Axonius's asset management product can be attributed to Gartner's '18 and '19 security project, CARTA-Inspired Vulnerability Management: obtaining visibility in the IT environment becomes the premise of resisting threats and of security governance. Knowing as much as possible about where assets are, what attributes they have and what vulnerabilities they carry therefore becomes an important part of vulnerability management. Asset analysis is the first step. Axonius can see as many assets as possible by connecting with existing IT and security products. However, these third-party products analyze assets along different dimensions and with different concerns, so the asset attributes they report differ considerably, and integration becomes a difficulty. How to ensure the integrity and consistency of asset attributes is a technical difficulty.

Technological innovation:++++

Technical difficulties:++++
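
An added example, not Axonius's code and not part of the original article: one way to do the correlation described above, merging records from several data sources into one asset view and flagging unmanaged assets and attribute conflicts. The source names, fields and records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed records from four hypothetical data sources ("adapters").
RECORDS = [
    {"source": "directory", "hostname": "FIN-LT-01.corp.example", "os": "Windows 10"},
    {"source": "edr", "hostname": "fin-lt-01", "mac": "00-1A-2B-3C-4D-5E", "os": "Windows 10"},
    {"source": "dhcp", "mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.4.17"},
    {"source": "vuln_scanner", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.0.4.17",
     "os": "Windows 7", "vulns": 12},
    {"source": "dhcp", "mac": "a4:5e:60:aa:bb:cc", "ip": "10.0.9.200"},
    {"source": "vuln_scanner", "mac": "A4:5E:60:AA:BB:CC", "ip": "10.0.9.200",
     "os": "Linux", "vulns": 3},
    {"source": "directory", "hostname": "hr-ws-07.corp.example", "os": "Windows 10"},
]
MANAGEMENT = {"directory", "edr"}    # sources that imply someone owns the device
NETWORK = {"dhcp", "vuln_scanner"}   # sources that only observe it on the wire


def normalise(field, value):
    """Bring each source's spelling of an attribute to one canonical form."""
    if field == "mac":
        return re.sub(r"[^0-9a-f]", "", value.lower())
    if field == "hostname":
        return value.lower().split(".")[0]
    return value


def join_keys(rec):
    # Only MAC and hostname identify a device. IPs are reused by DHCP, so two
    # records that merely share an IP are not merged.
    return [(f, normalise(f, rec[f])) for f in ("mac", "hostname") if rec.get(f)]


def build_asset(group):
    seen = defaultdict(set)
    for rec in group:
        for field in ("hostname", "mac", "ip", "os"):
            if rec.get(field):
                seen[field].add(normalise(field, rec[field]))
    asset = {"sources": {r["source"] for r in group},
             "vulns": sum(r.get("vulns", 0) for r in group),
             "conflicts": {f: sorted(v) for f, v in seen.items() if len(v) > 1}}
    asset.update({f: next(iter(v)) for f, v in seen.items() if len(v) == 1})
    return asset


def correlate(records):
    """Union-find over shared join keys, then fold each group into one asset."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, rec in enumerate(records):
        for key in join_keys(rec):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec)
    return [build_asset(g) for g in groups.values()]


def findings(asset):
    out = []
    if not asset["sources"] & MANAGEMENT:
        out.append("unmanaged")              # on the network, owned by nobody
    elif "edr" not in asset["sources"]:
        out.append("no_edr_agent")
    if not asset["sources"] & NETWORK:
        out.append("not_seen_on_network")    # possibly a stale directory object
    return out + [f"conflict:{f}" for f in sorted(asset["conflicts"])]


if __name__ == "__main__":
    for a in correlate(RECORDS):
        print(a.get("hostname") or a.get("mac"), sorted(a["sources"]), findings(a))
```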

Duality: a homomorphic encryption engine supporting machine learning

Security area: privacy protection

Application fields: cloud computing, data analysis

Duality's product is a data analysis and privacy protection scheme based on homomorphic encryption. Homomorphic encryption supports computation on ciphertext, such as calculating directly on encrypted numbers, which keeps data confidential in scenarios outside the owner's control. The "zero leakage computing architecture" of Enveil, another homomorphic encryption start-up, is the same kind of product. It won second place in the '17 RSA Innovation Sandbox, which shows that it received high attention from the judges. The innovation of Duality is that its homomorphic encryption algorithm integrates support for machine learning, which should be a considerable threshold for algorithm design. Once the technology is mature, in public cloud or enterprise sensitive-data analysis scenarios, advanced data analysis can be carried out while data confidentiality is ensured, and the data analysis team's concerns about moving sensitive data to the cloud and analyzing it there can be thoroughly cleared, which can generate a large number of highly significant applications.

Technological innovation:++++

Technical difficulties:++++
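
An added example, not from the original article and not Duality's code: computing on encrypted numbers as described above, shown with the textbook Paillier scheme, which is only additively homomorphic and is used here as a stand-in because the article does not say which scheme Duality uses. An untrusted server evaluates a linear model over encrypted features; the primes, features and weights are constructed toy values.

```python
import math
import secrets

# Toy parameters: two well-known Mersenne primes. Real deployments use primes
# of 1024 bits or more; these only make the arithmetic visible.
P, Q = 2**31 - 1, 2**61 - 1


def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                 # valid for generator g = n + 1
    return n, (lam, mu)                                  # public key, private key


def encrypt(n, m):
    """E(m) = (1+n)^m * r^n mod n^2, with fresh randomness r per ciphertext."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    lam, mu = priv
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m        # upper half of Z_n encodes negatives


def add(n, c1, c2):
    return c1 * c2 % (n * n)                 # E(a) * E(b) = E(a + b)


def scale(n, c, k):
    return pow(c, k % n, n * n)              # E(a) ^ k = E(k * a)


def encrypted_score(n, enc_features, weights, bias):
    """Server side: a linear model over ciphertexts, using the public key only."""
    acc = encrypt(n, bias)
    for c, w in zip(enc_features, weights):
        acc = add(n, acc, scale(n, c, w))
    return acc


def demo():
    n, priv = keygen()
    features = [52, 3, 170]                  # constructed data held by the client
    weights, bias = [2, -15, 1], -100        # constructed model held by the server
    enc = [encrypt(n, x) for x in features]              # client encrypts
    enc_result = encrypted_score(n, enc, weights, bias)  # server never sees features
    return decrypt(n, priv, enc_result)                  # client decrypts the score


if __name__ == "__main__":
    print("decrypted score:", demo())
```

Paillier covers only sums and multiplication by known constants, so it fits linear scoring; analytics that multiply two encrypted values need a fully homomorphic scheme, which is where the performance concern raised in the article comes from.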


CloudKnox: an identity authorization management platform for hybrid cloud environments

Security area: IAM

Application area: hybrid cloud

The biggest highlight is that it moves beyond traditional static, up-front permission management: it monitors how authorizations are actually used at runtime, and then dynamically evaluates whether each permission is necessary. This closed loop makes permission management accurate and adjustable, and achieves the goal of least privilege.

CloudKnox's permission management scheme belongs to Gartner's new project for '18 and '19, the Privileged Account Management Project. Gartner emphasizes the need for a risk-based approach that focuses on high-risk and high-value accounts. CloudKnox's solution is to reduce the high-risk permissions of these accounts, and its support for hybrid cloud is a good feature. Of course, for the scheme to be complete, multi-factor authentication, SIEM and SOAR, employee and machine accounts, and so on should also be supported.

Technological innovation:++++

Technical difficulty:++
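
An added example, not CloudKnox's code and not part of the original article: the closed loop described above, comparing the permissions each identity was granted with the ones it actually exercised during an observation window and proposing a reduced policy. The identities, grants, activity records and the high-risk pattern list are constructed assumptions.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Assumed list of action patterns treated as high-risk (not from the article).
HIGH_RISK = ("iam:*", "kms:*", "*:Delete*", "*:Terminate*")

# Constructed static grants: identity -> allowed action patterns.
GRANTS = {
    "ci-deployer": ["s3:GetObject", "s3:PutObject", "ec2:*", "iam:AttachUserPolicy"],
    "report-bot": ["s3:GetObject", "s3:DeleteBucket"],
    "old-admin": ["iam:*"],
}

# Constructed (identity, action) pairs observed during the monitoring window.
ACTIVITY = [
    ("ci-deployer", "s3:PutObject"),
    ("ci-deployer", "ec2:DescribeInstances"),
    ("ci-deployer", "ec2:RunInstances"),
    ("ci-deployer", "s3:PutObject"),
    ("report-bot", "s3:GetObject"),
]


def is_high_risk(pattern):
    # An unused wildcard grant always counts as high-risk: it covers actions
    # that nobody reviewed one by one.
    return "*" in pattern or any(fnmatchcase(pattern, hr) for hr in HIGH_RISK)


def right_size(grants, activity):
    """Return, per identity, the proposed policy and the grants to revoke."""
    used = defaultdict(set)
    for identity, action in activity:
        used[identity].add(action)

    report = {}
    for identity, patterns in grants.items():
        keep, unused = set(), []
        for pattern in patterns:
            hits = {a for a in used[identity] if fnmatchcase(a, pattern)}
            if hits:
                keep |= hits           # a wildcard is narrowed to what was called
            else:
                unused.append(pattern)
        report[identity] = {
            "proposed": sorted(keep),
            "unused": sorted(unused),
            "unused_high_risk": sorted(p for p in unused if is_high_risk(p)),
            "dormant": not used[identity],   # no activity at all in the window
        }
    return report


if __name__ == "__main__":
    for identity, row in right_size(GRANTS, ACTIVITY).items():
        print(identity, row)
```

The result is only as good as the observation window: a permission exercised once a year looks unused in a 30-day sample, so revocations of that kind need a request path back.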

DisruptOps: a multi-cloud management platform for agile development

Security area: DevSecOps

Application field: multi-cloud, agile development

Multi-cloud is the focus of cloud operations teams, while DevOps, which brings together new technologies such as serverless, cloud native and containers with agile development concepts, has become the focus of development teams. From the perspective of security, the security of multi-cloud and agile development is also a new trend worthy of attention. For example, DevOps is one of Gartner's new technologies for '16 and '17. Delivered as a SaaS service, DisruptOps can quickly detect and automatically fix security and operational problems across a user's multiple cloud resources. On the one hand it saves customers the cost of moving to the cloud; on the other hand it provides continuous security control of the cloud infrastructure, bringing users maximum benefit in terms of security, operations and cost. In addition, with the help of automation and service orchestration technology, it promotes the adoption of cloud-native applications and DevSecOps. From the technical point of view alone, the product does not seem to involve an innovation at the technical level. Perhaps, by riding an industry hotspot, its entrepreneurial team and business prospects were favored by the preliminary judges?

During the pitch, they introduced the management of access credentials, detecting anomalous ones and deactivating them, which is very useful with application interactions at the scale of millions. It's a good story, but that was all they got through in 3 minutes. It stopped rather abruptly.

Technological innovation:++

Technical difficulties:++

Eclypsium: focused on the security of low-level device firmware

Security area: firmware security

Application field: desktop, Internet of Things terminals

The company's research team has studied security issues in UEFI firmware in depth. It presented the remote attack surface of UEFI-based systems at Black Hat USA 2018 and a similar topic at DEF CON 26, which shows that the company has deep capabilities in computer firmware security. In addition to firmware such as UEFI and BIOS, the company also has a rich accumulation of security research on the BMC (baseboard management controller).

However, the product has few highlights, and the industry has already done a good deal of work on security mechanisms for firmware such as UEFI. The novel function is the detection of unknown attacks. The approach we can think of is to capture logs related to hardware devices, but that depends on whether low-level firmware such as UEFI produces logs at all, and whether there are enough of them to support detection of device behavior and external-interface access over a long period; some changes to the UEFI firmware would also be needed. The company's members are good at this. The question is, if the team develops a UEFI firmware, does the customer have a reason to use that firmware and platform to meet the security needs of equipment in the enterprise? Obviously, there is no reason that convinces customers they must use the platform to ensure the equipment is safe enough. In addition, with the advance of BYOD and the Internet of Things, how will the firmware security of IoT devices be handled? After all, it is too fragmented.

Technological innovation:+++

Technical difficulty:+++++

Judges' Q&A briefing: equipment standardization, working with equipment manufacturers to jointly propose solutions

Capsule8: real-time 0-day attack detection, tracing and response platform for hybrid environments

Security area: detection and response

Application fields: cloud computing, agile development

Agile development involves many teams and technologies, which makes the IT stack complex: security has to cover bare metal, virtual machines, containers and other facilities as well as workflow business. Because these mixed environments have scattered boundaries and many exposures, the risks and security threats they face cannot be ignored. Traditional cloud security solutions, such as access control, intrusion detection, web protection, DDoS mitigation and anti-virus, suit cloud computing scenarios built on traditional business models and are difficult to apply to such complex environments and business scenarios. Capsule8's solution discards old-school mechanisms such as intrusion detection and anti-virus, and directly targets the operating system common to these IT facilities: Linux. It can be deployed on all endpoints to leave no blind spots. Through behavior detection, it promptly identifies behavior that differs from normal daily behavior, quickly finds 0-days, avoids missed detections, and completes closed-loop protection through response and remediation.

Technically, the edge-computing-like detection model improves detection speed and reduces data transmission and the risk of sensitive data leakage. Expert knowledge is combined with the detection engine to improve recognition accuracy. In the future, if expert support is packaged as an independent service, it becomes an MDR service in the cloud.

Capsule8 is more of an architectural integration innovation, involving several new technologies and projects proposed by Gartner: Detection and Response '19, Security Incident Response '19, Container Security '17 and '19, Cloud Workload Protection Platforms '17, and MDR '17.

Technological innovation:+++

Technical difficulties:+++

Look back, they're doing very well

WireWheel: SaaS-based collaborative protection platform for enterprise data privacy

Security area: privacy protection

Application area: data analysis

WireWheel focuses on protecting sensitive information in data flows among multiple enterprises, and offers this as a SaaS service so that more enterprises face a lower barrier to entry; more companies joining means a more complete view of data flows and a better protection effect, forming a virtuous closed loop. It is less a technical innovation than a model innovation: cloud services and technical means are used to solve practical compliance problems such as the third-party supply chain and cross-border data.

This is also the first time Gartner has listed a data-security item, Dark Data Discovery ('19, discovery of gray sensitive data), among its top ten new projects. It can be seen that compliance requirements such as GDPR push the technology forward. The rapid discovery and identification of private data and the visualization ability of WireWheel's product are just one part of this project, laying the foundation for protecting sensitive data in the next step.

The first step of data discovery & classification is this project.

Technological innovation:+++

Technical difficulties:+++

I took a group photo of the company and missed it. However, to add another word, although the innovation of technology itself is not obvious, model innovation and data security focus are closely linked.

Salt Security: a solution and platform for detecting and defending against API attacks

Security area: Application Security

Application area: SaaS

With the development of serverless and service mesh technology, the security of the service entry point, that is, the API, will become a hot spot. Existing API/web protection can only protect against known patterns, not against unknown logic vulnerabilities. Salt Security establishes a behavior baseline by learning the characteristics of API calls, and then blocks API calls that deviate from the baseline. Technically this is more advanced than the rule matching of the past, but considering that technologies such as UEBA and EDR all work by "establishing a baseline and alerting on deviation from it", it is not a breakthrough innovation.

Technological innovation:+++

Technical difficulties:+++

Arkose Labs: a high-confidence anti-fraud mechanism based on client telemetry and image-arrangement human-machine recognition

Security area: anti-fraud

Application field: Web Application

Anti-fraud differs from traditional network security in that it focuses on the security of the business itself, as with human-machine identification by Arkose Labs. Many companies have been doing human-machine identification, such as Google's reCAPTCHA, but attackers are also learning the defender's algorithms, which is typical adversarial learning. In view of the shortcoming of traditional human-machine recognition algorithms, whose features are fixed and can be computed offline in a limited time, Arkose Labs proposes a new 3D image transformation and mapping technology that makes it impossible for attackers to work out the parameters of the defender's model in a short time. It also recognizes that single-point human-machine recognition cannot accurately distinguish human from machine in a short time, so it borrows the idea of threat intelligence: identify the client through web scripts and build a reputation, spread the reputation globally, and finally form a closed loop between the cloud reputation and the client-side identification engine. It seems to solve a very classic problem, but there is some innovation at the technical level, and there are some similarities with mimic defense.

Technological innovation:++++

Technical difficulties:++++

Good answer

ShiftLeft: continuous security protection for the software development life cycle

Security area: DevSecOps

Application area: Agile Development

The above-mentioned DevSecOps is a new technology proposed by Gartner, and ShiftLeft is undoubtedly closely related to it; it overcomes the high false-positive rate and long run time of traditional SAST. In static analysis, a CPG is used to create a multi-layer, three-dimensional representation of the code with strong insight, which enables developers to fully understand the content and possible risks of each version of the application; in dynamic monitoring, RASP technology gives higher detection accuracy for malicious behavior; in addition, there is vulnerability detection capability. The whole scheme covers development and operation, is relatively complete, and the technology used is also innovative.

Technological innovation:++++

Technical difficulties:++++

Content editor: Liu Wenmao, innovation center editor in charge: Xiao Qing


This original article from the official account represents only the author's viewpoint and does not represent the position of the Green League. Copyright in all original content belongs to green alliance technology research communication. Without authorization, no media outlet or WeChat official account may copy, reproduce, excerpt or otherwise use it. Reprints should be credited to the Green Alliance Technology Research Newsletter, with the link attached.
