HiddenLayer, an AI application security startup from Austin, Tex., won RSA Conference 2023’s Innovation Sandbox contest, beating out finalists with solutions for everything from threat detection to privacy compliance and polymorphic encryption.
HiddenLayer’s machine learning detection and response (MLDR) platform is designed to attack the problems that AI can exacerbate, according to co-founder and CEO Chris Sestito.
“Artificial intelligence is the fastest-growing technology the world has ever seen, but unfortunately for us, it’s also the most vulnerable,” Sestito said. “At HiddenLayer, we predict that in less than three years, protecting AI will be a bigger societal need than protecting operating systems.”
The growing use of AI should concern everyone, Sestito said. He pointed to the many AI deployments being developed with open source code, which are susceptible to malware, data-poisoning attacks, and inference attacks. What’s more, GitHub today has at least 30 automated attack tools available, making attacks on a machine learning or AI-based model easier than ever.
HiddenLayer developed its MLDR platform to be code-, cloud-, and ML use case-agnostic, meaning that it can protect most models in a typical organization. Its patent-pending software monitors the inputs and outputs of ML algorithms to respond quickly to anomalous activities. The platform relies on its integrations and partners to make it happen. For example, a data scientist can work with a secured model directly from Databricks while a security operator can read the MLDR’s detections directly in Splunk.
RSA Innovation Sandbox 2023: The Rest of the Best
HiddenLayer may have won the contest, but plenty of other runners-up generated interest. Each of the Innovation Sandbox finalists had a unique take on a cybersecurity approach.
Web3 security operations center
AnChain.AI showcased Web3SOC, which the company said is the first Web3 security operations center. The product aims to protect organizations’ Web3 digital assets and secure exposure to cryptocurrency risk. Web3SOC provides live monitoring and detection, simulates real-life threats for testing purposes, and monitors critical infrastructure.
The big idea of Tel Aviv-based Astrix Security is to reduce third-party risks by providing full visibility and governance for all app-to-app connections. The Astrix Security Platform does this by ensuring that core systems connect securely to internal and third-party apps via API keys, OAuth tokens, and service accounts. According to Astrix Security CEO Alon Jackson, the market lacks products to secure non-human connections. The product enables automated remediation of issues and collaborative end-user workflow, he noted.
API-based security services
Palo Alto-based startup Pangea had its Security Platform as a Service (SPaaS) featured in the Innovation Sandbox. The SPaaS provides an automated method for application developers to add security functions to their applications, such as logging security events and identifying malicious files. Pangea also partners with cybersecurity companies, including CrowdStrike, to provide pay-as-you-go threat intelligence. The platform has SDKs available for multiple languages, and its code can run where the applications are running, whether AWS, Google Cloud Platform, or Azure, said Pangea founder Oliver Friedrichs.
AI-bolstered privacy compliance
Relyance AI manages privacy and data protection by creating a real-time data inventory that maps data flows and monitors personal data movement through code, applications, and infrastructure. This approach enables companies to monitor third-party vendors at a granular level. “Relyance AI flips all traditional approaches on their heads,” said co-founder Abhi Sharma. “You can match the speed of privacy and data governance ops to the speed of DevOps.”
A security trust center
The idea behind SafeBase is that trust is essential to keeping customers, suppliers, and the market happy. As such, companies need to ensure resources are secure, regulatory compliance is followed, and third-party suppliers are trustworthy. SafeBase’s Smart Trust Center collects and organizes security information in a public security portal. The product enables companies to update customers, vendors, and prospects on document availability, policy updates, and potential security vulnerabilities. Smart Trust Centers are powered by dozens of integrations to capture data and measure insights. They can also be connected to map the risk and exposure of the company’s network of vendors, according to SafeBase co-founder Al Yang.
SaaS security posture management
As companies adopt more software as a service, they become more concerned about the security of third-party integrations, identity, configurations, and data sharing. Security teams often have limited visibility into these types of risks, said Yoni Shohet, CEO of Valence Security. Shohet said that since SaaS applications are frequently adopted without much thought about security oversight, visibility is no longer enough. Instead, it’s about decentralizing remediation through automated workflows that help contextualize and remediate SaaS risks. Valence Security’s SaaS security management offering was featured in RSAC 2023’s Top 10 Innovation Sandbox.
Open source software security
Open source is a bedrock for many software engineers, but it can bring unwanted security vulnerabilities along with it. Solving this problem requires intervening in the developer workflow to help them choose more secure, sustainable open source libraries, said Endor Labs co-founder and CEO Varun Badhwar. “Once you have that, you can then arm security teams with the mechanisms and policies to focus on the security issues that cause a problem in your specific environment and get rid of all the compliance noise,” he said. Endor Labs’ Dependency Lifecycle Management Platform aims to help development and security teams more safely evaluate, maintain, and update open source software dependencies. The company built the platform by scanning 47 million open source packages for their source code and metadata. The company then built essentially a Carfax-like report for the open source software, Badhwar explained.
Cloud security remediation
Cloud security is top-of-mind today, and upstart Dazz says it has an automated, SaaS-based approach to identifying and remediating cloud-native risk. Its remediation cloud maps code-to-production pipelines, performs root cause analysis, prioritizes risk, and identifies code owners. Remediation can then take place without changing the architecture. “We look at cloud security remediation as a data problem, so we collect data from the entire environment: the engineering environment, the cloud environment, and the security tools,” said Dazz CEO Merav Bahat. Only then can the system connect the dots and produce results.
In a nutshell, homomorphic encryption enables applications to run privately by processing data blindly. “By processing data blindly without actually decrypting it, we can create encrypted AI,” said Pascal Paillier, CTO of Zama, which showcased its open source cryptographic tools TFHE-rs and Concrete. Homomorphic encryption is the secret behind enabling encrypted conversations with large language models, similar to how people have encrypted conversations on messaging apps. Zama’s engineers created a framework for developers to use homomorphic encryption without having to know cryptography, Paillier said.
About the author
Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.