Hed Kovetz has led Silverfort into the forefront of the identity protection space. Its unified identity protection platform consolidates security controls across corporate networks and cloud environments to block identity-based attacks. He recently spoke with CyberIntelMag to share the challenges of identity protection and the satisfaction of developing a solution that resolves these complex issues.
What problems were you seeing that prompted you to start a cybersecurity company?
Before starting this company, I was working in cybersecurity for years, both on the defensive and the offensive side. It became very clear to me that identities were the most vulnerable points in most organizations, just because it’s the easiest target. What’s very interesting for me in this space is the fact that identity is supposed to be a very mature market. I mean, there are a lot of authentication solutions out there. Multi-factor authentication has been around for several decades. I was curious to understand why these attacks are still so dominant, even though there seems to be a solution in place. So I started researching, trying to figure out why identity is not secure.
It became clear to me that people feel like the identity security solutions they have today are not solving the problem. Then I just became more and more engaged in trying to figure out the right approach. What I discovered was that the problem of existing authentication solutions wasn’t that they’re not secure enough. It was that they were all siloed, their scope is very narrow: specific systems, or just on the gateway for specific users. It became clear that the challenge is more about how can we deliver this kind of protection everywhere. So it became a journey of trying to come up with a whole new way of delivering secure authentication – a unified identity protection as opposed to protecting individual systems.
Have other companies noticed this gap as well? How come no one else has rushed in to solve this obvious issue?
I think that what happened is many companies saw this gap but were trying to take the same old approach that worked 10-20 years ago of protecting a specific gateway or specific application or specific server, and they just tried to stretch these approaches. So they added more integrations and APIs and agents and proxies. I think that very few companies really tried to zoom out and say, okay, what we’re doing will never scale. How can we rebuild the whole thing? Thinking this way was harder for the bigger vendors, because they were heavily invested already in the approach that they’re selling. A startup can take a fresh approach, because they’re not invested in any older approach.
Having said that, the technical barriers are huge. The concept that we’ve introduced is connecting to all the identity platforms, and sitting in the backend of the identity infrastructure, as a second opinion, as a seamless layer of enforcement that the clients and applications don’t even see. That sounds very reasonable on paper. But it’s actually very hard to build: how do you plug into all these identity systems, including the legacy ones? How do you analyze all those protocols, including the ones that are encrypted, in a non-intrusive way? How do you do that in different scenarios and for all the different types of servers and applications and environments? How do you do the same for non-human access, the machine-to-machine access? How do you do this across hybrid or multi-cloud environments? There are so many technical barriers, and it really felt like we were going all in on something that we weren’t even sure was possible… even a couple of years into this journey, we weren’t sure we could make this work. Meanwhile, a lot of other potential competitors just gave up, or shifted to settling for passive visibility in analytics, or only doing this for a specific environment or type of asset, like web applications, or just legacy or just cloud. We really went all in on trying to find the more generic approach; we didn’t settle for a partial solution. And it was a long journey. But now it’s paying off because now I think we have hit on something truly unique.
Can you explain a little bit more about the technological barrier that you’re able to solve?
There are a few layers to this technology that I think is really the secret sauce behind our platform. One is the ability to monitor and control authentication protocols, without having to deploy agents and proxies. That was key for being able to create a solution that would work everywhere. Because if you’re relying on agents and proxies and modifications to your applications, it’s very difficult to scale this and make it work with any type of enterprise system. So it had to be something that is non-intrusive, that doesn’t require you to install agents or proxies or modify your systems. So the first challenge is how do you actually see the authentications, monitor them and get to a position where you can control them if you can’t touch the systems that are doing the authenticating; this requires a lot of creativity in getting the identity infrastructure to forward authentications to us without having to do anything intrusive. The second challenge, which I think is even more complex, is assuming you can get all the different identity platforms to forward you those authentications, how do you actually process or understand all these protocols, especially when many of these protocols are actually encrypted? So our first priority was establishing these two layers, the way that we get all the authentications forwarded to us and the way that we can analyze them without opening the encryption. The third layer is more around the analytics, how do you make intelligent decisions? How do you take authentications that come from different sources and make sense of this data and figure out what the user is doing across the enterprise? Then you take all this data and analyze it together in real time to understand the full picture that each of these individual identity providers will miss because they’re only looking at their own piece of the puzzle.
The last step, and that’s one of the latest things we’ve only added this year, is how do you also take these protocols and translate between them. We’ve really invested in all these layers, from the basic ability to monitor and understand all the authentication protocols into the ability to enforce unified policies on top of them into the ability to actually consolidate all of them into a more holistic platform.
Where do you think your company will be in five years time?
I think that we have an opportunity to build a very substantial company in this market. And I think that in five years from now, we will be a large company positioned as the leader in identity security. And the reason I’m saying this is I think that there’s a big, untapped opportunity for someone to take the lead in the identity security provider space.
If you think about endpoint security or network security, it’s obvious that those solutions work across all platforms. That’s a key element in doing it effectively. But in identity security, this doesn’t really happen; every infrastructure provider has their own identity security stack. I think that there’s an opportunity for someone to become the independent, agnostic, unified security layer that works on top of all the IAM platforms as the Unified Identity Protection company. I think that five years from now, we will be the leader in identity protection. We are on a clear path to becoming that company.
When you’re not working, how do you spend your time?
I love spending my free time with my wife Shiran and our 2-year-old daughter Danielle – playing, traveling, and just having fun together. It brings me more joy than anything else. I also love good food, movies, spending time with friends, playing guitar and painting. If you asked me 15 years ago, I would have told you I was going to be an artist. But I’m glad that life brought me to where I am today, where I feel extremely happy with what I’m building and with the people that I get to work with.