Unlike traditional penetration testing or ethical hacking, which is
driven by consultants from firms such as PwC, KPMG or any other known
security firm, iViz Security claims to be the industry’s
first cloud-based penetration testing company. The cloud-based
model is working well for iViz as it has signed up more than 150
customers and 20 global partners. The customers who are using its
services include some big names in sectors such as the banking and
financial sector, telecom, e-commerce and defense. These include
names such as Sony, Oracle, ING, HSBC, Aviva, Vodafone, Airtel,
Fiat, CNN IBN, CNBC, Makemytrip, Yatra and Indian Defense.
iViz claims that the cloud-based model offers significant
advantages over a traditional model. “Conventional
penetration testing or ethical hacking is driven by consultants and
hence is time-consuming, costly, non-scalable and lacks uniformity
in quality. Compared to this, a SaaS-based model offers scalable
penetration testing with easy compliance to standards such as SOX,
HIPAA, ISO 27001 and PCI DSS. Our technology simulates a human
hacker, and has the capability to simulate all possible attack
scenarios,” claims Bikash Barai, CEO, iViz Security. The firm
has already won numerous awards from organizations such as the US
Navy, US Department of Homeland Security, Intel, University of
California, Berkeley, Red Herring, Nasscom, etc.
The ability to simulate all possible attack paths is crucial, as
most standalone technology solutions are not able to understand the
big picture behind multiple small attacks. Simulating every path
thereby provides a more comprehensive solution. For example, in
complex security threat
scenarios, attackers exploit multiple security weaknesses that
individually are not critical, but in the aggregate, they allow an
attacker to compromise business critical data. iViz’s
solution uses artificial intelligence techniques to address this
issue.
Barai explains this with the help of an example. “While
conducting one conventional penetration testing exercise during the
year 2006, it dawned on us that even as security experts, we
cannot comprehensively detect all multi-stage attack path
possibilities. Especially, once a network is successfully broken
into, we tend to become complacent and the mental incentive to find
each and every way to penetrate diminishes. To overcome this
barrier related to basic human instinct, we explored the usage of
artificial intelligence to simulate all multi-stage attack
possibilities. We have developed a technique to compute all
possible permutations and combinations of attack paths in a complex
network or a system. Such a simulation process has high complexity
and demands a very large infrastructure and a huge amount of time. We
optimized the process using different techniques, which has made it
possible for us to detect such attacks.”
iViz has partnered with security consulting firms to lower their
operational cost and increase their scale of operations. Many
organizations have already partnered with the firm since they can
now do business at any scale while maintaining almost zero
operational cost.
As the cloud model is built for scale, it scores heavily over
traditional models.
“Any known security firm can conduct penetration testing
using consultants and tools. However, the problem is with the cost,
scalability, uniformity in quality and manageability of
vulnerabilities. Most of the security firms would not be able to
handle customers who have 600 applications that need to be tested
four times a year. They will not be able to hire enough people to
do the job,” explains Barai.
Due to the high costs, customers do not test all their
applications, which in turn, results in partial security. The
cloud-based model enables firms to test hundreds or thousands of
applications in parallel, which is not possible in the case of the
consulting approach.
For iViz, the scale of opportunities on the global stage is huge,
as globally there are more than 165 million online websites that
need protection. “The security testing market is more than 3
billion USD in size. Our vision is to build a 100 million USD
company in this space,” says Barai.