We recently spoke with the chief executives of companies that participated in the recent AWS Startup Showcase: The Next Big Things in AI, Security & Life Sciences to find out what drives them and learn about their visions for the future. This feature is part of theCUBE’s ongoing CEO Startup Spotlight series.

The largest data security breach in history did not happen because an advanced attacker found a clever ploy to infiltrate in a way that had never been done before

Instead, it was the result of finding the path of least resistance, Avi Shua (pictured), co-founder and chief executive officer of Orca Security Ltd., said of the 2017 Equifax breach that cost the credit reporting agency $575 million as part of a settlement. Equifax was hacked because a widely known vulnerability within its system hadn’t been patched, an encryption certificate had not been renewed, and because other simple measures that should have been — but were not — carried out.

Shua, who was previously chief technologist at Check Point Software Technologies Ltd., and served the Israeli Defense Forces before that, explained that “one of the unique things about cybersecurity is that there is a major gap between what people love to talk about and what is actually important. Practitioners like to discuss the sexy stuff, like zero-day vulnerabilities, quantum computing and advanced attacks, but breaches today are largely due to the lack of hygiene in simple areas such as updating patches and maintaining best practices.”

That’s because large organizations don’t have clear oversight of which services exist in the environment, who the owner is, who should maintain them, and what the major risks are, he added. While it may be easy to accomplish the basics on a small scale with a dozen machines or services, it becomes massively difficult for an organization that may have a half-million machines or services. 

Another issue is the gradual shift from on-premises computing to the cloud environment. 

“You can’t follow the same set of rules with cloud computing,” Shua said. “Copying the same processes and tools from the on-premise paradigm and applying them to the cloud is suboptimal. They worked for certain physics and a certain set of constraints that no longer apply; it’s going backward, not forward.” 

Shua had this in mind when starting Orca Security with his co-founders. 

“We thought about our approach to the cloud and asked ourselves, how can we best secure the cloud, looking at the practical things and determining what the real problems are that account for the majority of the attacks,” he explained. “Instead, we looked at what can be done to protect the cloud environment and implement those measures now. At the end of the day, attackers just want the easiest way to get to an organization.” 

Taking a frictionless approach

Orca Security uses a unique technology called SideScanning — invented and patented by Shua — that provides a comprehensive, realistic view of any cloud environment to deliver full stack visibility of a company’s security posture. Orca Security sees all of the risk, whether it’s vulnerability, misconfiguration, lateral movement risk, work that has already been compromised and more, all within minutes. It does this without having to deploy agents, run network scanners or perform other maneuvers, making it a frictionless process. On top of that, the software provides context awareness so that organizations can understand and find the most critical vulnerabilities that need immediate attention.

Shua gave a customer example of a media company that, before working with Orca Security, took two years and many millions to deploy security agents across the system and managed to secure only 40% of the environment. With Orca Security, the company secured 100% of the environment in two days. 

“This is because we don’t require any per-asset integration from the infrastructure, and we don’t need to meet with hundreds of other teams on an integration project,” Shua explained. “There are too many workloads involved, too many processes and too much organizational friction. We have taken all of that away.”

Prioritizing which vulnerabilities or risk areas should be mitigated is a key component of Orca Security’s solution. Shua asserted that while most tools will provide a list of all the “pickable locks” within an organization and identify which lock is most pickable, what is also needed is visibility into who has access to the lock and what is behind it. The combination of these three factors provide the best indication of which areas are a higher priority.

“If I’m running an organization and I’m told that a cleaning closet is my most pickable lock, I wouldn’t care because a) no one can access it because you’d have to go through my office first, and b) there is nothing valuable inside the closet,” he explained. “Because we built our solution for the cloud, we’re able to look at the environment as a graph and tell you which areas are the most accessible and what’s behind them. When you take all of that into consideration, you can focus literally on the 0.5% of the pickable locks that matter within your environment.”

Moving fast and aiming high

This frictionless approach, combined with prioritizing vulnerabilities, is resonating with the market. In 2020, Orca Security achieved more than 1,000% year-over-year growth and signed Robinhood, Databricks, Unity, Live Oak Bank, Fiverr, Lemonade and BeyondTrust, among others. The company has raised $550 million in combined funds at nearly a $2 billion valuation since its founding two years ago and has gone from 30 employees a year ago to more than 200 today. It is also an AWS Advanced Technology Partner in Security Competency. 

How is the company managing this rapid growth? 

“Eighty percent of our employees have never met most of their colleagues face-to-face, so we have some interesting challenges from both a growth and personal connection perspective,” Shua said. “We’re looking for ways for people to get to know each other; for example, through virtual coffees or gatherings in cities where there is a larger concentration of employees. Otherwise, you’re just going from meeting to meeting all day, without personally connecting with people.”

Orca Security has achieved success because the founders took a very different approach to cybersecurity. Instead of looking to build a better agent, they took advantage of the cloud environment to develop an agentless solution. 

“This is also the way we are trying to handle the other parts of the business, whether it’s engineering, sales or marketing,” Shua added. “We don’t need to do things the same way they were done before, so another company focus has been to allow people to work directly with each other without having to go through managers and taking unnecessary time to schedule meetings and so forth. It’s completely fine for a sales rep to reach out to an engineer or a product manager, for example, without the extra coordination involving a VP or manager.”

Interestingly, this initiative mirrors the agentless approach that Orca Security takes to cybersecurity — by removing the extra parties associated with employee interaction, the culture comes closer to being frictionless.

Going forward, the company is aiming to be the world’s leading cloud security vendor, and it certainly seems to be on track, with the growth rate it’s already experiencing. Shua attributes this to solving a really big problem that needs a solution.

“Essentially, my belief is that Orca Security has the potential to provide everything cloud security-related and that our platform will be a consolidation of many tools that today have to be purchased separately,” Shua said. “If we’re going to succeed, I’m a big believer that as a startup, we can’t operate the same way in the new environment we live in. We have to do things in a more radical way.”

Photo: Avi Shua