When it comes to talent shortages in tech, cybersecurity is one of the biggest and most urgent gaps to fill. Malicious attacks are on the rise, and the techniques being used to worm into networks are also scaling up. Yet the World Economic Forum recently found that there are 4 million positions unfilled globally — a figure it projects will balloon to 85 million in the next five years.
Itai Tevet was all too aware of what those shortcomings look like in the real world. In charge of the Cyber Incident Response Team (CERT) in Israel’s IDF, Tevet found that even with the most sophisticated technology for picking up strange activity, an organization like the IDF — famous for its cybersecurity work — did not have enough people to triage the many alerts that were generated by their tools. How were they to know if one alert represented a major breach, while another was a minor incident that shouldn’t take up precious resources to investigate?
That incomplete circle became the basis for Tevet’s next gig. That gig, a startup called Intezer, has just raised a Series C of $33 million to expand its business on the heels not just of strong growth but also some near misses it was able to catch.
Norwest Venture Partners is leading the round, and all its existing investors — they include Intel Capital, OpenView, Magma, and Alon Cohen, co-founder of CyberArk — are participating. (Cohen is actually also called a co-founder of the startup, along with Roy Halevi, another IDF alum who is Intezer’s CTO.) The startup has raised $60 million to date and is not disclosing its valuation.
Intezer — which is based out of New York but with deep roots in Israel — hasn’t so much set out to reinvent the security wheel, as it has focused on how to build better mechanics to help it run more smoothly.
Today, we have a plethora of security products on the market, and they have essentially created a number of very innovative ways to spot when something is happening in networks, on devices, or in apps that is unusual, thus a possible threat. But the number of alerts they collectively create — estimates have ranged from as many as 4,000 per day to 11,000 or more — can end up flooding a security team. As Tevet sees it, that translates to an operational nightmare.
“In most cases the time to investigate an alert ranges, for humans, between half an hour to four hours,” he said, due to the need not only to examine the actual activity that threw up an alert, but then to look at other logs and activity that might be related to it, and potentially also to interview people. Many of these alerts typically are false positives, but that might not be apparent before the investigation is done.
You can see how this starts to look impractical without any kind of triage, and how tying up cyber teams with this kind of work could end up being a security risk in itself.
Intezer’s autonomous technology has the capability to take on both the triage and investigation activities, essentially treating every alert as a high alert from an investigation point of view, and then looking further to determine if they really are issues, or negligible. For each alert that could take hours to look at, “Intezer does the work in two minutes,” Tevet said.
Mapping the security genome
The company’s AI is based in part on research it did in its earlier days. When I last wrote about Intezer, it had raised $15 million to continue mapping what could essentially be described as a “genome” of security issues: a DNA-style map of all the different permutations, origins, and connections of the vectors that make up the universe of cyberthreats.
The aim at the time was to build products to apply that DNA knowledge to the wider world of security threats, and by the time I’d covered the company, Intezer had already done this to some impressive ends. It was the first to identify that WannaCry came out of North Korea; it built a code map that helped provide the links between the Democratic National Committee breach and Russian hackers; and it identified a new malware family called “HiddenWasp” linked to Linux systems.
The platform Intezer has focused on more recently is the descendant and scaled-up version of that work, combining not just the ability to separate the truly minor alerts from the unwittingly major ones, but also an automated ability to triage those that need attention. Some of this has been built on Intezer’s in-house work (such as the DNA mapping and the remediation), and some taps into third-party technology. For example, Tevet told me that Intezer is using OpenAI APIs to “read” natural language text in, say, internal communications, which in turn gets fed into its system to determine whether there are security flags to chase down.
Typically, about 4% of an organization’s alerts are escalated as red alerts, Tevet estimated, but the million-dollar question will always be: which 4% is the right 4%?
He told me of two recent incidents — one at a major technology company and one at a large healthcare company — where security operations center teams each waved through an alert that appeared innocuous. “The security team did not have time to look at everything,” he said.
But both organizations were using Intezer as a second pair of eyes on all their alerts. “We actually identified that it was a Chinese state actor in their networks,” he said.
That anecdote, of course, points to challenges for Intezer down the line. The number of tools being built to look out for and stop unusual activity continues to grow, but in some regards we are already at a tipping point.
Some security companies — even those with interesting technology — are getting to the ends of their runways and unable to raise more. Others are getting snapped up by bigger players. Although the big security platforms like Palo Alto Networks, Wiz and CrowdStrike are partners to Intezer today — the startup is coordinating its fundraise news with a big CrowdStrike user conference, in fact — they might also potentially shape up to be competitors as they go deeper into tools to help ease the work of their customers.
That represents a potential crossroads for the likes of Intezer: whether to jump on the consolidation train too, or try to go it alone. Tevet said that his company gets approached regularly in exploratory discussions but nothing that has escalated to a red alert as of yet.