Odds are good that the winner of this year's RSA Conference Innovation Sandbox will be a security automation player -- because almost all of the finalists for this year's competition for "most innovative startup" highlight security automation in some form or another.
As has happened almost every year since 2005, Innovation Sandbox finalists will face a panel of judges to make their cases for why they should win the title of most innovative startup. The finalists each get three minutes to present a "quick pitch" followed by a Q&A with the judging panel on Monday afternoon. The Innovation Sandbox debuted in 2005 under the name "Innovation Station," and continued under that name until 2007 -- but the program took a break in 2008 before returning with the new name in 2009.
Long-term success is not a lock for Innovation Sandbox winners, but many past winners are notable, including Sourcefire (2005), Imperva (2006), Appthority (2012), Waratek (2015) and BigID (2018). Even being nominated may help point the way as some leading infosec names that were runners-up in recent years include Cylance, Fortanix and Silent Circle are some notable alumni of the competition.
The judging panel this year includes Asheem Chandna, partner at venture capital firm Greylock Partners; Patrick Heim, operating partner and CISO at cloud storage provider ClearSky; Niloofar Razi Howe, cybersecurity entrepreneur and investor; Shlomo Kramer, CEO and co-founder at cybersecurity vendor Cato Networks; and Richard Seiersen, author and former CISO at LendingClub, Twilio and GE Healthcare. Returning as emcee is Symantec CTO Herbert (Hugh) Thompson.
Chandna, Heim and Howe have served on the judge's panel in previous Innovation Sandbox contests; according to an RSAC spokesperson, this is to provide consistency and integrity of the process.
"We select judges that are leaders in their field, bring a broad spectrum of expertise, and who are exceptionally well-versed in market trends, buyer needs and emerging security challenges," the spokesperson said, adding that Kramer and Seiersen were selected as new judges to provide additional perspective.
RSAC 2019 Innovation Sandbox finalists
For most this year, the three-minute presentation will at least touch on innovative new security automation technologies. This year's finalists, listed alphabetically, include:
Arkose Labs: Arkose Labs' approach to fraud prevention is two-pronged, focusing on both easing the authentication process for legitimate users based on telemetry and behavioral risk assessment, while also adding enforcement challenges for suspicious login attempts. The result is that the San Francisco-based startup offers a 100% service-level agreement that guarantees automated attack remediation.
Axonius Inc.: Axonius, based in New York City, offers a cybersecurity asset management platform that consolidates information about every asset in an organization, and matches that with threat and security information that relates to those assets, in order to detect automatically whether those assets meet the organization's security policies. Axonius' platform enables a process of ongoing and automated security policy validation for all identifiable cybersecurity assets in the organization.
Capsule8 Inc.: Capsule8, based in Brooklyn, N.Y., brings security automation to zero-day exploit detection for Linux production environments of all types: containerized, virtualized or bare metal. The company's platform detects -- and shuts down -- exploits as they happen, while protecting production infrastructure from risk of disruption from those exploits.
CloudKnox: CloudKnox, based in Sunnyvale, Calif., brings automation to managing and authenticating credentials for all types of cloud access -- whether initiated by humans or processes. The CloudKnox Security Platform is touted as a non-intrusive, automated mechanism for responding to accidental or malicious misuse of credentials through a continuous detection and mitigation process.
DisruptOps Inc.: Based in Kansas City, Mo., DisruptOps brings security automation to cloud management. DisruptOps' Security Operations Platform monitors and controls cloud infrastructure automatically, with the goal of maintaining consistent and secure cloud configurations that comply with customer policy "guardrails."
Duality Technologies: Duality Technologies, based in Newark, N.J., bucked the security automation trend this year with its SecurePlus platform for applying analytics and AI on encrypted data -- the data is encrypted end-to-end with quantum-resistant, homomorphic encryption. SecurePlus enables secure processing of encrypted data, without risk of exposing the data.
Eclypsium Inc.: Based in Beaverton, Ore., Eclypsium focuses on security threats at the hardware and firmware levels. Nominated for its firmware protection platform, Eclypsium addresses threats to all enterprise systems, from end-user desktop and laptops to enterprise servers by scanning and categorizing potential threats in system firmware, including the firmware incorporated in system components like hard drives, networking interfaces and system controllers, and gives defenders a tool for detecting and mitigating firmware threats.
Salt Security: Salt Security, a startup based in Palo Alto, Calif., puts its "AI-powered" API Protection Platform to work continuously -- and automatically -- to identify, review and monitor all the APIs used in enterprise environments.
ShiftLeft Inc.: ShiftLeft brings automation to application security. The startup, based in Santa Clara, Calif., offers a line of products that aim to improve application security through a combination of improved tools for analyzing, protecting and auditing code for security issues, as well as reducing the need for human intervention when issues arise.
WireWheel Inc.: WireWheel protects privacy through its cloud-based Data Privacy & Protection Platform. The Arlington, Va., startup's platform enables customers to do data inventory and mapping, collaboration, vendor risk management and more. The platform helps automate important privacy tasks, including providing a comprehensive workflow for privacy compliance and automating discovery of cloud assets and mapping of business processes.
Innovation Sandbox finalist selection criteria
To be considered for the Innovation Sandbox contest, a product must have been on the market for no more than one year. Beyond that, it must meet several other criteria, according to the RSAC spokesperson, including:
- The product matches an identified problem in the information security marketplace.
- The product takes an original and sound approach to solving a problem and has the potential to make a significant impact on information security.
- The product is validated through a client's beta testing or purchase of product.
- The product can be demonstrated live and on-site during the RSAC Innovation Sandbox Contest.
- The company has a management team with a track record of successfully delivering products to market.
- The company is privately held, with less than $5 million in revenue in 2018.
This year's contest will again be hosted in San Francisco at the Marriott Marquis on Monday afternoon.