YC-Backed Cymmetria Uses Virtual Machines To Decoy And Detect Hackers

YC-backed Cymmetria, which is uncloaking from stealth now after around a year working its cyber security startup business, wants to tilt the traditional security odds so it’s hackers who are left feeling vulnerable and on their guard — by giving the businesses whose systems are under attack a ‘home advantage’.

How does it flip the attacker/attacked dynamic? By creating decoys which are embedded into the network and designed to draw hackers to them, making it quicker and easier for a business to detect and mitigate a security breach. And harder for a hacker to know what’s what.

“I’ve been sitting on this idea for several years, really, waiting for the right timing,” says co-founder Gadi Evron, who used to head up the Israeli government’s Internet security operation, and has also worked in senior security roles for PwC and Kaspersky.

“I got somewhat exhausted with the security industry. From various directions. In a way we’re very defeatist — we go to work everyday knowing that the attackers will succeed if they just want to. That eventually they will get in. Two and a half years ago people started saying the words ‘assume compromise’. Assume the attacker’s already inside. And then suddenly we all discovered that is not just the perception but rather the reality of how things actually work.”

High profile hack attacks make the news every week. Right now the attention is on the U.S. Office Of Personal Management data breach. Last year a massive Sony Pictures hack which leaked all sorts of salacious celebrity gossip into the public domain via a dump of the stolen emails turned into a media feeding frenzy. A huge breach of retailer Target’s systems in which millions of customer credit card details were reported compromised, back in 2014, has cost the company some $162 million purely in expenses — minus any class action lawsuits. Earlier this year health insurance provider Anthem fessed up to a data breach likely compromising the personal data of tens of millions of its customers. The list goes on.

Current solutions generate thousands upon thousands of alerts every day. We generate one because our decoys are real machines.

“Every day there is another data breach,” says Evron. “That was very frustrating for me personally.” Cymmetria was born out of that sense of frustration — with the team hoping to shake up a reactionary status quote by doing something “inherently different in the security industry”, as Evron puts it.

Their focus is APT attacks. Aka: advanced persistent threats — where attackers, perhaps State-sponsored, are aiming to get into a network and lurk undetected for a long time in order to steal large amounts of data.

“The first value proposition is essentially one alert — one critical alert,” he says, explaining how Cymmetria works. “Current solutions generate thousands upon thousands of alerts every day. We generate one because our decoys are real machines and nothing should run on them except for what we put on them. Which exactly means that if anything now runs on that computer that is not ours that is a 100 per cent indication there is an attacker now in the network. There are no false positives.”

At that point Cymmetria also performs forensic analysis on the attack, and offers an action plan on how to mitigate it — using a company’s existing systems and security infrastructure, with which it integrates. It’s not the only decoy-based security startup out there but Evron argues the focus on integrating with a business’ operations and processes makes its approach distinct.

“There are quite a few startups out there that are in the same active defense or cyber deception space but I can’t really say that any of them are working exactly the way we do it. Some of them just deploy decoys across the network, some of them are trying to use SDN technology for datacenters. We haven’t really seen anybody out there trying to approach this from a management perspective and a business perspective,” he says.

“We automate forensics. They now can know what attack an attacker used, vulnerability credentials, Trojan horse, everything the attacker did — where they connected on all the networks, they already have ready made information becoming available to them,” he adds, noting that the typical security scenario is that a breach is not detected until long after it has occurred — whereas Cymmetria is able to flag it up if not quite in real-time, then in a “significantly reduced time window”.

“You get immediate information that you can start using immediately to mitigate.”

What are the decoys exactly? Virtual machines, making them indistinguishable from any other machine on the network, according to Evron. Cymmetria’s approach also doesn’t require companies to install on premise hardware or put agents on computers or change existing network structure. As near to ‘plug and play’ as possible is the idea. He says a generous estimate for getting the system up and running is just a day.

“Essentially they are real machines. They’re machines just like any other. They could be a CEO laptop, they could be a super secret backup. But essentially attackers are going to see computers around the network, computers and other types of resources around the network that are simply not real — and they’re not going to be able to distinguish what’s real and what’s not,” he adds.

“We don’t mimic. That’s exactly the point. We create real machines — we use the world of virtualization. Ten years ago if an attacker would see a virtual machine they’d say that’s a researcher, trying to mimic a real machine. Today, when you look at organizations, a lot is in the cloud. Local cloud with virtualized environments. Global cloud like Amazon, Google, whatever. But essentially these are part of the corporate network. They’re just regular machines. So as long as my machines are just like any other machines they have no way of distinguishing.”

The system uses a series of breadcrumbs to lead attackers to the decoys. “When the attackers try to spread through an environment they essentially look for certain things. These signposts or breadcrumbs are what’s going to lead them towards the decoys,” is how Evron explains this element, careful not to give away too many signposts (given the game of smoke and mirrors it intends to play with attackers).

The primary target market for Cymmetria is large enterprises and Fortune 500 companies, plus financial institutions and banks — although security is generally rising up every digital business’ agenda. It has “several” early users at this point, including a major U.S. bank that it’s working with as a “design partner” — so tailoring the system to meet their needs while using their feedback to help shape the software. Its first user deployment was this February. Evron says it hasn’t yet encountered an APT attack with this initial group of beta users.

In terms of funding so far, Cymmetria has taken in early investment from several angels, YC, Seedcamp and U.S. VC firm Felicis. The business model is a multi-layered SaaS. “We support different types of models for different types of customer,” says Evron. “From on premise to the cloud, we support it all.”

Cymmetria is the first Israeli security company to be selected by Y Combinator. The team will be presenting at demo day at the end of August, when it will be looking raise its next round and start to scale up and grow the business.