Cloud infrastructure identity detection and response firm Permiso has emerged from stealth with $10 million seed funding. The company identifies and tracks human, machine, vendor and service provider identities in IaaS and PaaS infrastructures.
The funding comes from a combination of leading institutions (led by Point72 Ventures and including Foundation Capital, Work-Bench, 11.2 Capital, and Rain Capital) and numerous industry individuals such as Jason Chan (former VP of Information Security at Netflix), Talha Tariq (CSO at HashiCorp), Travis McPeak (head of product security at Databricks), and others.
Palo Alto, CA-based Permiso was founded in 2020 by co-CEOs Paul Nguyen and Jason Martin, CTO Stephen Demjanenko, and VP of engineering Phani Modali.
Identities within cloud infrastructures have multiplied rapidly, driven by both cloud migration and business transformation, but monitoring the activity of those identities is notoriously difficult. “Identity is as close to a silver bullet as it gets in the cloud,” comments investor and advisor Chan. “If you get it wrong, you face significant risks and challenges in securing your enterprise effectively.”
The Permiso product is designed to detect identities, interpret their behavior, and allow the security team to respond as and when necessary. It seeks to highlight who or what is in the cloud environment, what the identity is doing, and whether that behavior is expected or potentially malicious. It operates entirely within the cloud environment and introduces no performance overhead.
“When we sign up a new customer, we do two primary things,” Martin told SecurityWeek. “Firstly, we build an identity graph to understand all the identities that are in the environment – how those identities relate to each other, and the permissions and permission boundaries associated with them.” This includes human user identities, machine identities, any third-party vendors that operate within the environment, and identities belonging to the cloud service provider.
It is worth noting that the inclusion of third-party vendor identities is particularly useful for the detection of potential supply chain attacks.
“We get a complete picture,” continued Martin. “We look at the permissions to determine the blast radius for each of those identities. This allows us to understand if an identity is compromised, or being used for suspicious/malicious activity, and the extent of damage that could occur if it went unchecked. We also scan the identity graph for vulnerabilities in the way that the permissions are configured.”
The scan looks for permission vulnerabilities that would allow a compromised identity to increase its access or extend its behavior beyond its known and allowed blast radius.
“The second thing we do simultaneously,” said Martin, “is build a run-time graph so we know what the identities are doing – whether they be human, machine, vendor or provider. With those two graphs in play, we can see who is in the environment, what permissions they have, and what they are doing. We can indicate whether we think the behavior is associated with normal workflows for the identity, if it’s associated with potential policy violations, or if it could be suspicious or malicious.”
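The two graphs Martin describes, an identity graph with permissions and assume-role edges, and a runtime graph of observed actions, are easiest to understand with a small worked model. The following is an added example, not Permiso code and not a description of how its product is built: it constructs a toy identity graph (all names, permissions and events are made up), walks the assume edges to compute each identity's blast radius, flags identities whose reachable permissions include sensitive ones they do not hold directly (the permission-configuration weakness the text calls out), and then places each observed runtime action relative to that blast radius.

```python
from collections import deque

# Constructed toy identity graph; names and permissions are illustrative only.
# Each identity has the permissions it holds directly and the roles it may assume.
IDENTITIES = {
    "alice":       {"kind": "human",   "perms": {"s3:GetObject"},          "assumes": {"deploy-role"}},
    "ci-runner":   {"kind": "machine", "perms": {"ecr:PutImage"},          "assumes": {"deploy-role"}},
    "deploy-role": {"kind": "machine", "perms": {"ecs:UpdateService"},     "assumes": {"admin-role"}},
    "admin-role":  {"kind": "machine", "perms": {"iam:*", "s3:*"},         "assumes": set()},
    "vendor-scan": {"kind": "vendor",  "perms": {"ec2:DescribeInstances"}, "assumes": set()},
}

# Permission families whose transitive reach we treat as an escalation finding (assumed threshold).
SENSITIVE_PREFIXES = ("iam:",)


def permits(perm, action):
    """True if a permission string covers an action; a trailing '*' is a prefix wildcard."""
    if perm.endswith("*"):
        return action.startswith(perm[:-1])
    return perm == action


def blast_radius(identity, graph=IDENTITIES):
    """Breadth-first walk over assume edges.

    Returns (effective_perms, chains): the union of every permission reachable from
    `identity`, and for each reachable role the chain of assumptions leading to it.
    """
    chains = {identity: (identity,)}  # doubles as the visited set
    queue = deque([identity])
    effective = set()
    while queue:
        node = queue.popleft()
        effective |= graph[node]["perms"]
        for role in graph[node]["assumes"]:
            if role not in chains:
                chains[role] = chains[node] + (role,)
                queue.append(role)
    return effective, chains


def escalation_findings(graph=IDENTITIES, sensitive=SENSITIVE_PREFIXES):
    """Identities whose reachable permissions include sensitive ones they do not hold directly."""
    findings = []
    for name, ident in graph.items():
        effective, chains = blast_radius(name, graph)
        gained = effective - ident["perms"]
        for perm in sorted(p for p in gained if p.startswith(sensitive)):
            holder = next(r for r in chains if perm in graph[r]["perms"])
            findings.append({"identity": name, "kind": ident["kind"],
                             "permission": perm, "via": chains[holder]})
    return findings


def classify_event(identity, action, graph=IDENTITIES):
    """Place one observed action relative to the identity's blast radius.

    'direct'               : covered by the identity's own permissions
    'via-assumed-role'     : reachable only by assuming another role; worth a closer look
    'outside-blast-radius' : not permitted anywhere on the graph, so either a denied
                             attempt or drift between the graph and the real environment
    """
    _, chains = blast_radius(identity, graph)
    for role, chain in chains.items():
        if any(permits(p, action) for p in graph[role]["perms"]):
            return ("direct" if role == identity else "via-assumed-role"), chain
    return "outside-blast-radius", ()


# Constructed runtime events standing in for a cloud audit log (not real log data).
EVENTS = [
    ("alice", "s3:GetObject"),
    ("alice", "iam:CreateUser"),
    ("vendor-scan", "s3:GetObject"),
]

if __name__ == "__main__":
    for f in escalation_findings():
        print(f"{f['identity']:<12} ({f['kind']}) can reach {f['permission']} via {' -> '.join(f['via'])}")
    for who, act in EVENTS:
        verdict, chain = classify_event(who, act)
        print(f"{who:<12} {act:<20} {verdict:<22} {' -> '.join(chain)}")
```

On this toy graph both the human user and the CI machine identity can reach `iam:*` through two assumptions, which is exactly the kind of path that lets a compromised low-privilege identity grow beyond its intended blast radius; `deploy-role` is flagged as well, since it is one hop from `admin-role`. The runtime side then separates ordinary activity (`alice` reading an object she is directly allowed to read) from activity that only makes sense through a role chain (`alice` creating an IAM user), and from actions no permission on the graph explains at all, such as the vendor identity touching S3.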
Onboarding takes just a few minutes. “The initial identity scan probably takes five to ten minutes,” said Martin. “The runtime scan starts as soon as it is connected, and monitors the environment from that time forward.” Installation therefore provides a rapid time to value.
“We’ve done hundreds of customer interviews and worked with over 10 co-development customers over the last year and we find that when it comes to cloud infrastructure runtime security, most organizations are collecting data in their SIEM or a data lake; however, they can’t really make sense of it rapidly or in a manner that answers the questions their cloud security and infrastructure teams have,” said Martin.
Two of the design principles in the product's development have been the safe minimization of false positives, and assistance for a security team that may not have a cloud expert in-house. For the latter, said Martin, “Our litmus test is: can we take someone who knows very little about the cloud and drop them into our interface, and can they then tell us a story about what someone is doing? Can we take someone who doesn’t really understand the cloud or speak cloudish and give them the ability to ‘observe, orient, decide and act’? We are focused on providing the right information at the right time to allow this.”