While businesses have embraced software-as-a-service (SaaS) in a big way, the questions around how to best secure the use of data in these applications remain unanswered for many organizations. One startup hopes that these questions won’t need to remain unanswered for long, though.
Obsidian Security, which today announced raising a $90 million series C funding round, offers a platform that aims to address the biggest use cases for businesses that want to reduce their SaaS security risk.
Notably, the SaaS Security and Posture Management (SSPM) platform leverages Obsidian’s proprietary “information graph” — which ties together data from different apps to “create a comprehensive and deeply contextual view of the SaaS world” that’s inhabited by customers, said Obsidian Security CEO Hasan Imam.
Currently, the use cases that Obsidian’s SSPM platform solves for are: recognizing if an account has been compromised, identifying if there is insider activity that could pose a threat, detecting configuration drift that’s creating undue risk for the business, detecting outsized privileges that are creating risk, and identifying when data has been unintentionally made visible to the outside world.
Solving for new SaaS security threats
“We believe that we’re just scratching the surface on the set of challenges in front of us, as it pertains to SaaS,” Imam told VentureBeat. “The differentiation is the graph — because that’s the comprehensive view that allows us to solve for these use cases. But what that also means is that tomorrow, as we see new threat vectors, we have created a model that allows us to quickly solve for a new threat vector that we may not be thinking about today.”
Menlo Ventures led the series C round of funding for Obsidian. The round also includes backing from IVP, Greylock, Norwest Venture Partners, Wing and GV. Obsidian has now raised a total of $119.5 million since its launch in 2017.
Obsidian’s CEO and founders are all veterans of well-known cybersecurity startups of the past decade.
Imam was previously the chief revenue and customer officer at Shape Security, which F5 acquired for $1 billion. Obsidian CTO Ben Johnson was previously the cofounder and CTO of Carbon Black — which merged with Bit9, went public and was ultimately acquired by VMware for $2.1 billion.
Meanwhile, CPO Glenn Chisholm was formerly the CTO of Cylance, which BlackBerry acquired for $1.4 billion, and Obsidian chief scientist Matt Wolff previously served as Cylance’s chief data scientist.
Detecting compromise
Obsidian’s approach, based on its graph technology, stands in contrast to solutions that involve inserting a proxy to see how users are uploading or downloading data from a SaaS app, according to Imam.
This approach is “fundamentally flawed” because it doesn’t account for the fact that SaaS applications “are talking to each other,” Imam said.
“And there are many SaaS applications that aren’t accessed by a proxy,” he said. “And even if it’s accessed by a proxy, the proxies have very specific rules. If the rules aren’t triggered, it doesn’t have any value.”
However, Obsidian’s platform collects and normalizes data from numerous major SaaS applications — currently including 25 of the most-used SaaS apps, with more on the way, the company says. The SSPM platform then resolves accounts to identities and introduces threat intelligence, while also adding further context — resulting in a system that can detect threats across a customer’s SaaS app usage, according to Obsidian.
For example, hijacked sessions using tokens are a major threat vector for how SaaS applications are being breached, Imam said. Since the token lives in the browser of the end user, the provider of the identity authentication service can’t prevent an attack if the user’s browser or system is compromised, he noted.
But using Obsidian’s system, once an attacker has gained access to certain credentials — and used the credentials to get into SaaS apps that an identity service is protecting — “we’d be able to see that from a contextual perspective,” Imam said. “From a behavioral perspective, we’d see that we have an attacker that’s behaving very differently than the user whose credential it is.”
Customer traction
Newport Beach, Calif.-based Obsidian Security currently employs 80, and expects to reach 120-140 employees by the end of the year.
Obsidian reports having nearly 100 customers — 20 of which are currently paying more than $100,000 in annual recurring revenue (ARR). The startup says it saw a 5X increase in $100,000 ARR customers last year, and increased its revenue about 3.5X overall in 2021, year-over-year.
While Obsidian is providing its platform across about eight different verticals, its strongest verticals are financial services and healthcare. Others include tech, education, telecommunications and retail.
Along with expanding its sales — Obsidian aims to grow revenue by 3X this year, Imam said — the new funding round will go toward enabling Obsidian to continue broadening the number of SaaS applications that its platform can integrate with.
Current integrations include Salesforce, Workday, Microsoft 365, ServiceNow, Google Workspace and GitHub, but the eventual goal is to cover all the major SaaS apps that are relevant across the U.S., Europe, Asia-Pacific and Japan, according to Imam. Obsidian, ultimately, aims to be “covering the long tail of SaaS applications,” he said.
The breadth of Obsidian’s coverage for SaaS applications is already wonderful, though — and is one of the big differentiators for the platform, according to Venky Ganesan, partner at Menlo Ventures.
Obsidian also stands out with ease of implementation, Ganesan said. As part of its due diligence on Obsidian, Menlo deployed the platform for its own systems — and quickly gained greater visibility into what was happening with its SaaS usage, he said.
“We got value in half an hour,” Ganesan said. “There’s not a CISO in the world who, within half an hour of installing [Obsidian], won’t get value.”
‘Iconic company’ in the making?
Obsidian also does more than just provide enhanced visibility; it also brings remediation capabilities for proactively stopping malicious behavior that it detects, he said.
“That combination of three things — that usability, breadth of coverage, and visibility and remediation — is a trifecta that no one else has,” Ganesan told VentureBeat.
Across the security market, protecting the usage of SaaS apps is likely to be the “next big area of spend,” he added — and said he believes Obsidian is positioned to lead in this area.
Ganesan led Menlo’s investment into Palo Alto Networks and previously sat on its board. He noted the potential he sees in Obsidian reminds him of Palo Alto Networks — which today ranks as the world’s most-valuable security vendor with a market cap of $60 billion.
With Obsidian, “it looks like a chance to build a very iconic company in an enormous area,” said Ganesan, who’s joining the board at the startup.
One of Obsidian’s other investors, IVP general partner Somesh Dash, drew a comparison between the startup and one of the other giants of the security world — CrowdStrike (which IVP had invested in).
“We view the way [CrowdStrike has] protected the endpoint as the analogy for how Obsidian’s going to protect the application layer,” Dash told VentureBeat.
“If they pull that off for U.S. and global Fortune 5000 companies, mid-stage companies, government agencies, regulated industries — I think this company has the chance to be a $10 billion+ public company in the not-so-distant future,” Dash said. “That’s not something we see in a lot of companies.”