When it comes to tech talent shortages, cybersecurity is one of the largest and most urgently in need of filling. Malicious attacks are on the rise, and so are the techniques used to infiltrate networks. Yet the World Economic Forum recently reported that there are 4 million unfilled positions worldwide; a number it predicts will balloon to 85 million over the next five years.
Itai Tebet was keenly aware of what these shortcomings looked like in the real world. As head of the Israel Defense Forces' Cyber Incident Response Team (CERT), Tebet realized that even an organization like the IDF, renowned for its cybersecurity efforts, lacked the manpower to triage the numerous alerts generated by its tools, even with all of the most sophisticated technology to detect anomalous activity. How could they determine whether one of the alerts represented a major breach, while another was a minor incident that didn't warrant spending valuable resources investigating it?
This imperfect circle became the basis for Tebet's next job: a startup called Intezar, which has just raised $33 million in Series C funding to expand, thanks to not only strong growth but also a successful close call.
Norwest Venture Partners led the round, with participation from all existing investors, including Intel Capital, OpenView, Magma, and CyberArk co-founder Alon Cohen. (Cohen is actually listed as a co-founder of the startup along with another IDF alumnus, Roy Halevi, who is CTO at Intezer.) The startup has raised $60 million to date and did not disclose a valuation.
Based in New York but with deep roots in Israel, Intezer isn't looking to reinvent the wheel when it comes to security, but rather focuses on building better ways to make security work more smoothly.
Today, the market is saturated with security products, with many highly innovative ways to detect if something unusual is occurring on a network, device, or app – a potential threat. But the number of alerts these products generate – estimated to range from 4,000 to more than 11,000 per day – can overwhelm security teams. In Tevet's view, this creates an operational nightmare.
“In most cases, it takes a human to investigate an alert anywhere from 30 minutes to four hours,” he says. That's because they not only have to look at the actual activity that triggered the alert, but also look at other logs and activity that might be related to it, and sometimes interview people. Many of these alerts are typically false positives, but that might not be obvious until the investigation is complete.
You can see how this is impractical without some sort of triage, and how tying up cyber teams to this kind of work can be a security risk in itself.
Intezer's autonomous technology is capable of both triage and investigative activities, essentially treating every alert as a high alert from an investigative standpoint and looking deeper to determine whether it's a real problem or something that can be ignored. For every alert that could take hours to investigate, “Intezer does the work in two minutes,” Tevet says.
Mapping the Security Genome
The company's AI is based in part on earlier research: When I last wrote about Intezer, it had raised $15 million and was continuing to map what could be called the “genome” of a security problem — all the different permutations, origins, and connections of the different vectors that make up the cyber threat universe, in DNA format.
The goal then was to develop products that applied that DNA knowledge to the broader world of security threats, and by the time I covered the company, Intezer had already accomplished this goal in some impressive ways: it was the first to identify that WannaCry came from North Korea, it produced a code map that linked the Democratic National Committee intrusion to Russian hackers, and it identified a new malware family called “HiddenWasp” that was linked to Linux systems.
Intezer's latest focus, its platform, is an offshoot and scale of that effort, with the ability to distinguish between really small and unwittingly big alerts, as well as automatically triage alerts that need attention. Some of this functionality is built on Intezer's in-house work (like DNA mapping and remediation), and some of it leverages third-party tech. For example, Tevet says Intezer is using the OpenAI API to “read” the natural language text of, say, internal company communications, and pull that into its system to determine whether there are any security flags that should be pursued.
Tevet estimates that typically about 4% of an organization's alerts are escalated red alerts, but the key question is always which 4% is the right 4%.
He told me about two recent incidents, one at a large technology company and the other at a large healthcare company, where security operations center teams ignored seemingly harmless alerts in each case. “The security team didn't have time to look at everything,” he said.
But both organizations used Intezer as a second set of eyes monitoring all of their alerts. “We actually identified Chinese state actor intrusions on their networks,” he said.
Of course, this anecdote is indicative of the challenges ahead for Intezer: the number of tools being built to monitor and stop anomalous activity continues to grow, but in some ways we're already at a tipping point.
Some security companies with interesting technology are running out of cash and unable to raise more money. Others are getting acquired by bigger companies. Large security platforms like Palo Alto Networks, Wiz, and CrowdStrike are currently partners with Intezer (in fact, the startup timed its funding news to coincide with a major CrowdStrike user conference), but as it moves further into tools that make life easier for customers, they could also become competitors.
That presents a potential crossroads for a company like Intezar: join the consolidation wave or go it alone. Tebet said his company regularly receives offers for exploratory talks, but nothing has escalated to an alarming level so far.