Elastica stretches to capture a wide range of SaaS security features with its CloudSOC

Transcription

1 Elastica stretches to capture a wide range of SaaS security features with its CloudSOC Analyst: Adrian Sanabria 31 Mar, 2015 Elastica is one of the more recent entries into the busy and popular cloud app control (CAC) market. The CAC market seems to be finished spitting out startups, with about currently active, depending on how you define and categorize the space. Like its peers, Elastica is growing at an astonishing rate. The market appears to be entering a new phase now that most in this market have had products generally available for a year or longer, larger security companies are starting to show interest in the technology. Valuations may be too high for buyers to open the acquisition purses, but legitimate interest in these products is resulting in a frenzy of technical partnerships, OEM deals and reseller activity. The 451 Take While other CAC vendors chose to build the plane on the runway, Elastica surprised us in 2014 by coming out of stealth with 65 employees and a complete offering. The product included everything we expected to see from a CAC vendor, from discovery to enforcement and investigation. The CloudSOC platform is comprehensive, clearly marketed and compares well feature-wise with its closest competitors. Although the market is only just celebrating its second birthday from the first product release, Elastica trails in market recognition and has catching up to do. In a market having broad application across all verticals (as opposed to segments that largely attract regulated industries), making friends with incumbents, integrators and resellers is likely Elastica's best bet for growth. This market could be the first cloud security market segment to achieve ubiquitous appeal, and the first user-focused one to do so since the next-generation firewall. Copyright The 451 Group 1

2 Context Headquartered in San Jose, Elastica has more than doubled since its official public launch in early Out of stealth with 65 employees, the company now has 135 on staff. The majority are located in Silicon Valley, with a significant number based in Sydney and Pakistan as well. CEO Rehan Jalil is also an investor himself and helped finance the company early on. The company raised a significant series B to the tune of $30m from Pelion Venture Partners, Mayfield Fund and Third Point Ventures. Mayfield also funded the company's $6.3m series A. As we've seen with many security startups, the series A focus is the technology and series B ramps up sales and marketing. Here is no different, with the company announcing experienced hires for sales positions coming from the likes of Palo Alto Networks and Qualys. Previously, the company was vocal about key data science hires and the importance of machine learning and analytics to the product. Although the company is just now ramping up sales, it has a significant number of paying customers a number comparative to competitors with a head start over Elastica. Revenue appears to be a key challenge in this market. With most vendors employing a per-user subscription model, ramping up revenue means vendors in this market need to sign up large numbers of customers. For that reason, large resellers have been the preferred channel in this market, with most seeing close to a 50/50 split between direct and channel sales. Elastica is 100% channel-focused and claims partnerships with over 35 resellers combined across the US, Europe and Australia. Accuvant/FishNet Security is a key sales partner with many more deals in the works. We expect to see marketing and sales to continue ramping up in this space in an effort to reach more and more potential customers. Unlike other nascent security markets that tend to be interesting primarily to military or regulatory organizations, we see CAC becoming a pervasive technology attractive across all verticals. Although CAC functionality is broader, in some ways it could be described as a natural progression from next-generation firewalls. Products Elastica's product architecture is built on a platform branded as CloudSOC with a modular approach to building out the various applications that run on it. We normally break CAC functionality into discovery, analysis and control categories. Elastica covers all three, but splits it up across four 'applications.' The intent is to cover a complete security cycle within CloudSOC, from detection to remediation. The Audit app is the discovery piece, which uses firewall and proxy logs to generate a risk Copyright The 451 Group 2

3 assessment for the enterprise. As with its peers, Elastica has assigned risk scores to all the major SaaS products based on 'business readiness.' The general idea is to educate the customer about riskier apps and give them the necessary information to block/allow apps and functionality based on their particular risk appetite. While most next-generation firewalls also provide SaaS risk rankings, Elastica's rankings (like those of other CAC vendors, as well) are much more granular and transparent. This approach allows customers to choose/weight the attributes (out of over 60 different metrics) that concern them the most and receive custom risk rankings. The tool can also automate the generation of executive-friendly risk assessment reports showing trends over time. In these reports, Elastica takes an opportunity to show off its considerable data science chops and presents key information in a colorful, infographic-like format. This app can currently produce two reports a cloud risk assessment and a shadow app risk assessment. The Detect app features event correlation and analysis. Data from different sources can be correlated and submitted to an engine branded as 'StreamIQ' for analysis. In a process similar to how many security products separate good from bad, StreamIQ generates a threat score that can be used to make manual or automated decisions. This score is determined by building and grooming a baseline of normal user behavior, using machine-learning principles to improve accuracy over time. We often see the same approach employed in security analytics products and its use here addresses the same sorts of challenges, just with different data. The Protect app is the bit of the CAC formula we'd normally call 'control.' This piece allows the customer to build rules and thresholds that use environmental factors and the threat score calculated by the Detect app to make risk decisions. An example might be a rule that blocks access to Salesforce if systematic data requests don't follow the natural application flow, suggesting that malware could be systematically scraping the company's data. Another example, using Box, could block the sharing of a file containing HR data to an individual outside the company. By injecting JavaScript, this app can educate and inform users on the reasons why functionality or requests were blocked. 'Investigate' is the final application on the CloudSOC platform, and focuses on enabling the customer to perform investigations on historical data from SaaS app use. The application is geared toward incident response and audit use. A customizable dashboard that Elastica calls an 'SOC for the Cloud' serves as a central point that ties all the applications together. 'Securlets' are Elastica's name for the software a plug-in of sorts (although Elastica also calls these 'applications') that allows inspection and control over each supported SaaS application. Box, Salesforce, Dropbox, Google Drive, Office 365 and Yammer are all examples of currently available Copyright The 451 Group 3

4 Securlets. Technology Elastica, like its peers, is ingesting data from a number of sources APIs (when available and rich enough), firewall and proxy logs and an in-line proxy. Elastica is in a minority that has chosen not to go with a reverse proxy for the in-line architecture. We've discussed the pros and cons of reverse proxies previously, but the primary downsides concern app breakage. Rewriting URLs can break SaaS applications, especially mobile versions. Also, changes to the SaaS application can temporarily break apps until reverse proxy-based CAC vendors have time to update support for the app. On the flipside, vendors using reverse proxies argue that most vendors have early access programs for partners, allowing them to plan in advance for application changes. Reverse proxies are also able to capture access attempts from any systems not just those that are corporate-owned. API data can catch these events also, but we're told that there are very few sources of rich API data from SaaS vendors today. Elastica prefers a 'forward' proxy approach which, when implemented is transparent to users (i.e., doesn't have to change URLs to dropbox.cacvendor.com). Also, if the application changes, the customer can still capture and audit traffic and the user's experience isn't interrupted. Proxy settings can be pushed to endpoints and mobile devices through a number of means, including Active Directory's group policy and MDMs. Elastica has also branded some of the technology it has built in-house StreamIQ, ThreatScore and ContentIQ. This may be to highlight the company's investments in data science and development talent, or the company could have an interest in licensing the technology separately in the future. The first of these is StreamIQ, which extracts and records events from live HTTP traffic, using machine learning and behavioral profiles to weigh events based on a number of factors, including context. StreamIQ is ultimately responsible for providing events to ThreatScore (the second), which uses another set of machine learning engines to build a score with StreamIQ and API-sourced data. The customer can then take advantage of this score through policies in the Protect app to block actions that exceed a threshold. Individual employees are also assigned threat scores based on actions versus a 'normal' baseline and other employees. RedOwl Analytics, a member of the nascent insider threat market, does something similar with internal corporate data rather than SaaS applications. The third is ContentIQ, which Elastica's proprietary data-loss prevention (DLP) technology. The company is quick to point out that it is not just employing regular expressions (regex) and labeling it DLP, which we must admit is the norm when DLP isn't the primary focus for a security or Copyright The 451 Group 4

5 technology company. False positives are often unmanageably high when employing vanilla regex for DLP purposes. Elastica is also employing some data science skill here, using semantic analysis to discover types of files source code, for example that could never be detected with any accuracy when using regex. DLP is commonly found among competitors in this market, although encryption is nearly as common. Almost legendary for being difficult to implement, SaaS encryption is one feature Elastica has yet to address. Competition There is heavy competition in the CAC market, and when we say this, we don't mean that there are lots of vendors and growth. The rumor mill is filled with stories of scalability issues, latency issues, missing features and key customers leaving for competitors. One thing that's clear is that 2014 was a year of rapid growth and maturing for this market. That seems to have been the year for bugs to be worked out and technical issues addressed. This year may be the year for alliances to be formed and for the general IT population to get familiar, even comfortable with SaaS security. In this market, Elastica directly competes with Skyhigh Networks, Netskope, Adallom, Skyfence (an Imperva company), FireLayers, Bitglass, CloudLock, CipherCloud, Cinaya, Managed Methods and Perspecsys. All of these vendors are what we'd consider 'pure play' CAC competitors. Even so, most of them have unique features and focuses. Some are heavily focused on just one or a handful of SaaS applications. Some, like CipherCloud and Perspecsys, were formerly pure-play encryption gateways and have added CAC functionality in the last year or so. A few other vendors have significant overlap, although we don't consider them pure play. These include Zscaler, Intermedia (AppID), OpenDNS (discovery only), Microsoft (discovery only) Managed Methods (CAC for APIs, you could say) and even next-generation firewall vendors. Some of these are often used alongside CAC vendors, while others compete more directly. SWOT Analysis Strengths Weaknesses We've often remarked that strength lies in a flexible platform, and Elastica appears to have that in CloudSOC. Its platform has a lot of technology in common with security analytics another very hot market at the moment. Although Elastica is one of the younger startups in this space, it has caught up quickly, with roughly the same number of paying customers as most of its competition. Elastica's age puts it behind others in terms of sales and name recognition and it has some catching up to do in a relatively busy market. Encryption is a popular feature in this market that lies outside of Elastica's scope for now. Opportunities Threats Copyright The 451 Group 5

6 The company's modular platform should make it easy to ingest and correlate other types of data to improve visibility and accuracy. The addition of threat intelligence, partnerships and additional log types could allow Elastica to organically grow into other security markets. Partnerships, alliances and M&A activity could have significant impact on this market. We keep hearing that valuations are high, but still expect to see at least one or two acquisitions this year. A few strategic technology partnerships have already emerged and we expect to see many more in Copyright The 451 Group 6

7 Reproduced by permission of The 451 Group; This report was originally published within 451 Research's Market Insight Service. For additional information on 451 Research or to apply for trial access, go to: Copyright The 451 Group 7