XM Cyber Unveils Automated Purple-Teaming at Speed and Scale

Israeli Cybersecurity Startup Launches Automated Advanced Persistent Threat (APT) Simulation Platform

Penetration testing is the most effective method of testing whether existing security policy stands up against advanced attackers, but it doesn’t scale well to large, dynamic networks, and only provides a single conclusion at a specific point in time. The solution is clearly automation.

XM Cyber is an Israeli firm founded in 2016. Its three co-founders are Tamir Pardo (formerly head of Mossad); Boaz Gorodissky (formerly head of technology for the government of Israel); and Noam Erez (who spent 25 years in Israeli intelligence). Its headquarters are in Israel, but with a presence in the U.S. and Australia. It has customers in Israel, the U.S. and Europe.

Its primary product, an automated APT simulation platform called HaXM, is unveiled today. The product simulates the possible behavior of an attacker in order to locate potential weaknesses on the system; and then, using the data gathered, provides recommendations for the remediation of those weaknesses. In this manner it provides automated red teaming with blue teaming to produce purple teaming at speed, continuously, and at scale.

“The problem we solve,” VP of Product Adi Ashkenazy told SecurityWeek, “is that when you look at modern organizations and you see the kind of security stack they have in place, you have to wonder if they are actually securing their critical assets. This is something the companies ask themselves as well. They spend a lot of money on different products and vendors; but at the end of the day, if you ask them, ‘are your critical assets secure?’, they may have hope and some belief, but they have no concrete evidence to support the idea.”

Manual penetration testing to prove the hypothesis of security, he continued, makes no sense for the modern organization that may have tens of thousands of endpoints, and hundreds of subsystems; and is continuously evolving and changing.

“This is why we founded XM Cyber,” commented Noam Erez: “to equip enterprises with a continuous 360-degree view of which critical assets are at risk, what security issues they should focus on, and how best to harness their resources to resolve them.”

HaXM places sensors only on ‘endpoints of interest’. “We don’t have to map the entire network,” said Ashkenazy. “We deploy our sensors on the endpoints of interest within the infrastructure that hackers are able or likely to use. We try to be almost religious in the way we mimic attacks — we don’t put sensors on every endpoint.”

Nor does HaXM start with any preconceived idea of a potential attack. “We don’t define the attack vectors in advance,” he said. “We act like a virtual hacker. We start from points of likely breach — which could be internet-facing servers, for example; or endpoints that receive external email. We place our virtual hacker in those starting points with a tool box that mimics the capabilities of an advanced attacker; and from that moment on the virtual hacker mimics the steps taken by a real hacker trying to find his way to critical assets. We never know in advance what will be found, but so far the virtual hacker has always eventually managed to compromise the entire network.”

This is HaXM’s simulation mode, where great care is taken not to trigger any alarms from the customer’s existing security stack. It checks for the conditions that could be used by an attacker. “This is what we use for 24/7 testing. But we also have a validation mode,” added Ashkenazy. “When you switch to validation mode, this is not continuous, but is a controlled mode, where you specify when and where you want to actually test a specific attack vector — and then we conduct the malicious activities to their full extent so that you can check the security stack in its entirety.”

HaXM provides a visualization of the route an aggressor can take from initial entry point on a network to the company’s critical assets. In doing this, it definitively presents the existence or absence of sufficient security, highlighting if and where additional security is necessary. While many security products seek to find indications of actual compromise after an initial breach, XM Cyber’s approach is to find routes of potential compromise irrespective of an existing breach. It will not locate an attacker; but it will tell the customer what an attacker could achieve.

XM Cyber has offices in Herzliya, Israel; New York; and Sydney, Australia. It has raised $15 million as initial funding in its first two years. The product will be demonstrated at the RSA Conference in San Francisco, California in April 16-19, 2018.

Related: From IDF to Inc: The Israeli Cybersecurity Startup Conveyor Belt 

Related: Using Machine Learning for Red Team Vs Blue Team Wargames