Cybersecurity Startup Aorato Exits Stealth With A ‘Behavior Firewall’, $10M In Funding

Make way for another startup in the area of cybersecurity: Aorato, which has developed a behavior-monitoring firewall for Microsoft Active Directory services, is coming out of stealth today. At the same time, the Israel- and New York-based company is announcing funding of $10 million, with investors including Accel, Trusteer’s co-founders Mickey Boodaei and Rakesh Loonkar, Eric Schmidt’s Innovation Endeavors and Glilot Capital Partners.

Active Directory services are used by some 95% of organizations today, and so while this may sound like a platform-dependent solution with a focus on Microsoft, it’s more wide-ranging than that. Aorato’s solution, in essence, monitors for suspicious usage of employee credentials, including multiple guessing attempts.

There have been some notable Active Directory breaches in particular that point to the problem that Aorato is trying to tackle. For example, in several advanced targeted attacks, such as Night Dragon and recent breaches at security companies Bit9 and RSA, the attackers stole the credentials of legitimate employees.

The Conficker worm, meanwhile, stole user credentials by attempting to guess the employees’ passwords as they were stored in Active Directory.

And even a breach such as the one at the NSA could have been detected by Aorato. “Snowden reportedly used colleagues’ passwords to access sensitive docs,” Aorato’s co-founder and CEO, Idan Plotnik, notes to me. “Even if the user activity seems legitimate,the same account would actually present suspicious or abnormal behavior behind the scenes which Aorato would detect.”

The key point with Aorato is that it its protects systems by detecting unusual behavior of profiles that are otherwise legitimate and approved — thereby specifically targeting malicious hacks that gain control of passwords and profiles to obtain data.

For an explanation of what Aorato does, and the trend into which it fits in terms of cybersecurity, Plotnik described the difference between “traditional” and “non-traditional” bouncers:

“The traditional bouncer prevents an unruly person from entering the club (or removes the individual, if already in the club) according to a pre-set checklist: age, a clothing guideline, forbidden weapons, etc.,” he says. “Although that checklist might prevent some unruly individuals from entering, one clear problem is that actual innocent individuals might be held out (say, due to the wrong clothing guideline). The second problem is that this type of sifting won’t necessarily rule out individuals with an actual rough intent.

“A “non-traditional” bouncer would actually consider the behavior of the individuals entering the club- as well as those already present inside the club. They’d look around and see how the individuals are interacting with other people. Are they harassing to a different degree, do they seem to be on the borderline of harassing, or is it all social? They’d also put in efforts to consider the interaction of individuals with the heart of the club – the bar. Are people losing control there or are individuals acting as would be expected in a club?”

Plotnik says that this kind of behavioral detection — constantly shifting parameters — is part of a new trend in threat detection and online security: it prevents the problems of flagging non-malicious activity as malicious, and second, it detects the threats in real-time, as they actually change themselves.

While Aorato is offering the service both virtualised and as an appliance, he believes that over time virtualised will be the way forward. “The reason is that it’s much more easier and convenient to install and maintain. Enterprises are still wary of adopting complete virtualization solutions and so those are the ones that use an appliance. Looking at market trends, as mentioned, they too will show more interest in the virtualized solution,” he says.

Although Aorato focuses on the the Active Directory today, longer term it says it will be able to see the interaction of all entities in an organization, whether or not they are passing through the Active Directory.

Plotnik, along with other co-founders Michael Dolinsky and Ohad Plotnik, are cybersecurity veterans from the Israeli defense forces, with a special focus on Microsoft systems. A previous company, Foreity, was acquired by the security specialists the Aman Group.

“Accel is excited to be partnering with a world-class team building a pioneering product. Aorato’s Directory Services Application Firewall is a unique solution for a very important part of enterprise infrastructure, and the founders’ cyber-security expertise is second to none,” said Kevin Comolli, the Accel partner who led the investment.  

Three early customers for the service on launch are Trusteer, NICE Systems and Matrix.