For years, cybersecurity veteran Michael Mumcuoglu watched organizations buy more and more great technology, only to see it go uninstalled or improperly configured, leaving them open to undue risk and otherwise preventable breaches.

“A medium enterprise in the US will have 60 to 80 different security tools, and spend millions and millions to buy them,” said Mumcuoglu, the Co-founder and CEO of Tel Aviv-based CardinalOps. “But translating that into an effective cyber defense that would protect their organizational critical assets against constantly evolving threats turned out to be a huge challenge for them.

“So our focus was to look at this area, security engineering, which is the practice of implementing security tools.”

By definition, security engineering is supposed to be proactive. But in practice, it’s reactive, because even though security engineers are receiving a lot of feeds about threats, it’s very hard for them to turn that into actual outcomes because they are working manually, said Mumcuoglu, whose first cybersecurity startup, Light Cyber, was acquired by Palo Alto Networks in 2017.

“We realized that you need something that is really game changing in the world of security engineering, and that is the introduction of artificial intelligence and machine learning to solve this problem,” said Mumcuoglu, who served with Co-founder and CTO Yair Manor in the Israeli military’s vaunted 8200 intelligence unit.

“AI has transformed many other areas of security already,” he said. “We’re bringing cyber AI to one of the last areas of security that was left behind, so organizations can get more value and more effectiveness from the existing security stack. That’s our uniqueness.”

CardinalOps’ first product to market is detection posture management. It integrates deeply into the existing SOC detection stack to maximize detection coverage across the widest possible range of threats, while tuning existing rules to create high-fidelity, actionable alerts for the SOC to respond to.

The platform is a SaaS offering that connects through the API to existing security tools. Onboarding typically takes an hour or two, after which the platform uses that API integration to gather all the required context and provide insights to the organization.

The system uses the highly detailed MITRE ATT&CK catalog of adversary tactics and techniques to create a heat map of detection coverage and offer avenues of remediation.

CardinalOps has found that between 10% and 15% of an organization’s existing controls are misconfigured and will not trigger when the time comes. The platform also highlights attacks that are currently happening in the wild that the organization isn’t prepared for, and provides a one-click fix to address those gaps.

By automating up to 90% of the process, CardinalOps allows organizations to optimize the solutions they have at hand, Mumcuoglu said.

“The security engineer or detection engineer would need to only validate the findings of the platform, give us the green light, and the platform will then automatically remediate the problem,” he said. “That basically allows our customers to dramatically boost their effectiveness and throughput, so they’re able to do 10 times more with the same people they have. It really acts as a force multiplier to their team by leveraging that high level of automation.”

This innovation is especially valuable at a time when CISOs are asked to do more with less, to rationalize spend, and to demonstrate that they’ve been able to translate investments into effective cybersecurity.

“Our tool really addresses that head on,” Mumcuoglu said. “It’s helping them not only show that they’re doing it, but actually reducing the risk of their organization by continuously remediating gaps in their readiness toward the next attack. Cyber defense posture management: that is our vision.”

The company currently has a diverse set of customers across North America and Europe, serving a range of organizations from 300 to 300,000 employees including a Fortune 50 manufacturing company, leading automotive services provider Valvoline, and Spanish energy giant Repsol.

MITRE ATT&CK alignment through CardinalOps has enabled Repsol to improve its detection posture by increasing both the health and coverage of its rules, said Javier Garcia Quintela, Global CISO for the Madrid-based company.

In only three months, the team configured four times the previous number of rules weekly; increased MITRE ATT&CK coverage from 23% to 56%; received 179 recommendations and fixed 125 rules; and configured precise alerts for critical zero-day and new vulnerabilities and exposures. Speed of response has increased significantly, and cost efficiency has improved, he said.

“CardinalOps is the key piece for us in order to optimize all of this [data], to have visibility into the performance of our detection posture in our SIEMs, and to integrate knowledge—our reference is MITRE ATT&CK,” he said.


CardinalOps’ solution supports all major SIEMs, including both legacy systems like Splunk, and cloud-native SIEMs such as Microsoft Sentinel and Google Chronicle.

One trend that’s emerged very strongly in SIEM is the use of multiple SIEMs — both legacy systems and new cloud technologies, each monitoring different things, Mumcuoglu said.

“That turns this task of establishing a detection posture even harder,” he said. “And that is an area where we’ve seen a lot of impact and success with our customers, where we integrate into both SIEMs and provide a holistic view that continuously optimizes both systems by taking into consideration the strength and abilities and visibility of each to get the maximum value of those investments and enable associated cost savings.”