Mountain View, Calif.-based Lacework has closed a $24 million Series B funding round with Sutter Hill Ventures, bringing the total raised, including Series A early stage venture funding, to $32 million.
The company was founded in 2015 by Sanjay Kalra (chief strategy officer) and Vikram Kapoor (CTO). Stefan Dyckerhoff, MD at Sutter Hill Ventures, is CEO.
The new funding will be used to accelerate Lacework’s sales and marketing efforts. “The product became available about a year ago,” Dyckerhoff told SecurityWeek; “and with minimal sales and marketing we have achieved thirty happy customers with more in the pipeline. It’s time to rev up our sales and marketing efforts.”
Lacework is a SaaS platform designed to enable security in public cloud implementations “automatically, at speed, end-to-end, and with scale,” he explained. “So, just like you’re doing DevOps and automation on the development side in the public cloud, we think we have built a platform that can achieve the same thing on the security side while maintaining a very high degree of efficacy.”
As soon as the product is deployed, it starts to automatically discover the customer’s environment. It tells the customer what parts of the environment are in compliance and what is out of compliance. It detects things that shouldn’t be happening, and helps the customer to remediate them.
It is not a complete security product in itself, but a platform that enables the customer to do security properly and at scale. For example, it doesn’t operate like a CASB — it doesn’t locate rogue storage accounts operated by staff on shadow IT. It does, however, monitor and record everything that happens on the client’s cloud account. “What we do see is misuse or rogue use of existing S3 buckets,” explained Dyckerhoff.
Sometimes, this can include employees using what’s available just because it’s easy. “For example,” he continued, “if developers know an account exists, would you really know if they fired up a new AWS Region in Japan over the weekend? The answer is probably ‘no’ — unless you use a tool like Lacework.”
Lacework sees everything that happens within the cloud account. “We have found attacks in this same category,” said Dyckerhoff. “We detected live instances of bitcoin mining in one of our customers where the compromised credential of a developer was used to fire up a different Region to do bitcoin mining. With conventional tools there would have been no way to catch that. So, we don’t help with small accounts set up by the employee with his own funds; but for misuse of the corporate account, we absolutely catch everything.”
It is the ability to see everything that happens that gives Lacework the capacity to monitor compliance. Where regulations are mature — such as PCI and HIPAA — it is able to deliver traffic-light compliance reports immediately. GDPR is a little different because the regulation is so new and enforcement practices are still unknown. Nevertheless, Lacework’s ability to continuously monitor the entire cloud account can highlight moments when the company slips, or is in danger of slipping, out of GDPR compliance.
“Right now,” he suggested, “the key questions for GDPR compliance are ‘where is my data?’ and ‘who accessed it?’. These are questions that can absolutely be answered by Lacework.”
Assuming the company knows where its GDPR-sensitive data is stored, Lacework will discover every API call made within the account. “We know every S3 bucket and which API called it,” explained Dyckerhoff. “We keep that data over time. But we also map out the applications. So, once we are fully deployed we will know exactly which process talked to which other process, how that relates to an API call, and whether it resulted in an S3 transaction or a network transaction.”
The customer gets all these records, and can see if there is an API call to a location storing EU PII that did not come from another EU location. “For GDPR,” he continued, “you must not miss a single transaction — and that’s what we provide. The customer still needs to know what is his GDPR data and where it is stored; but from then on, we can show all legitimate and illegitimate access to that data, demonstrating whether his storage data is in compliance or out of compliance with GDPR.”
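As an added illustration, not Lacework’s code and not from the article, the two checks the quotes above describe can be expressed as simple rules over CloudTrail-style records: flag API activity in a Region the account has never used, and flag reads of a bucket designated as holding EU PII from a non-EU source. The geolocation table, bucket name and sample events are constructed; only the field names follow CloudTrail.

```python
"""Added example (not Lacework's code): two checks from the article, run over
constructed CloudTrail-style records.
  1. API activity in an AWS Region never seen before for this account.
  2. S3 access to a bucket designated as EU PII from a non-EU source address.
Field names follow CloudTrail (eventName, awsRegion, sourceIPAddress,
requestParameters.bucketName); the geo table and all records are constructed."""

EU_COUNTRIES = {"DE", "FR", "IE", "NL"}           # subset, illustration only
# Constructed IP-prefix -> country table standing in for a real GeoIP lookup.
GEO = {"203.0.113.": "US", "198.51.100.": "JP", "192.0.2.": "DE"}


def country_of(ip: str) -> str:
    """Map a source address to a country code via the constructed table."""
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"                                   # unknown: treated as non-EU


def audit(events, known_regions, pii_buckets):
    """Return (rule, eventID) findings. known_regions is the baseline set of
    Regions the account has used before; pii_buckets holds EU PII bucket names."""
    findings = []
    seen = set(known_regions)
    for e in events:
        if e["awsRegion"] not in seen:
            findings.append(("new-region", e["eventID"]))
            seen.add(e["awsRegion"])              # alert once per new Region
        bucket = e.get("requestParameters", {}).get("bucketName")
        if bucket in pii_buckets and country_of(e["sourceIPAddress"]) not in EU_COUNTRIES:
            findings.append(("pii-access-from-outside-eu", e["eventID"]))
    return findings


# Constructed sample trail: an EU read of the PII bucket (fine), instances
# launched in a never-used Region, and a US address reading the PII bucket.
SAMPLE = [
    {"eventID": "e1", "eventName": "GetObject", "awsRegion": "eu-west-1",
     "sourceIPAddress": "192.0.2.10", "requestParameters": {"bucketName": "eu-customer-pii"}},
    {"eventID": "e2", "eventName": "RunInstances", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
    {"eventID": "e3", "eventName": "GetObject", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"bucketName": "eu-customer-pii"}},
]

if __name__ == "__main__":
    for rule, eid in audit(SAMPLE, {"us-east-1", "eu-west-1"}, {"eu-customer-pii"}):
        print(rule, eid)
```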
Dyckerhoff believes that the cloud marketplace is accelerating rapidly. “Over the last 12 months,” he said, “cloud has progressed from early adopters to early mainstream adopters. A better understanding of the ‘shared responsibility’ security model is emerging. Our platform assumes the cloud is there. We have all the APIs and data sources that allow us to do automated discovery and analysis and give the customer the tools to use the cloud securely.
“The cloud is certainly no less secure than on-prem; but it’s very different. The cloud is secure if you make it secure; but you have to think about it in a new way. Lacework helps to do that.”
In May 2018, Gartner included Lacework in its ‘5 Gartner Cool Vendors in Cloud Security — 2018.’ It said, “Lacework addresses the challenges enterprises face via their Polygraph technology. Polygraph combines cloud resource monitoring, data collection and correlation, and strong visualization. Lacework also provides threat insights into cloud environments as well as security automation tools.”