Although businesses have embraced software-as-a-service (SaaS) in massive ways, questions on how to best secure the use of data in those applications remain unanswered for many organizations. A startup hopes these questions don’t have to remain unanswered for long, though.
Obsidian Security, which today announced raising a $90 million series C funding round, offers a platform aimed at addressing the largest use cases for businesses looking to reduce their security risk with SaaS.
Notably, the SaaS Security and Posture Management (SSPM) platform uses Obsidian’s proprietary “knowledge graph,” which links data from different apps to create a comprehensive and in-depth contextual worldview of SaaS “where customers live,” said Obsidian Security CEO Hasan Imam.
Currently, the use cases addressed by Obsidian’s SSPM platform are: identifying whether an account has been compromised; determining if there is insider activity that could pose a threat; detecting configuration drift that creates inappropriate risk for the enterprise; discovering excessive privilege that creates risk; and determining whether data was accidentally made visible to the outside world.
However, “we believe we’re just scratching the set of challenges in front of us, because it relates to SaaS,” Imam told VentureBeat. “The difference is the graph, because that’s the comprehensive view that allows us to solve these use cases. But that also means tomorrow, as we see new threat vectors, we’ve come up with a model that allows us to quickly resolve a new threat vector that we may not be thinking about right now.”
Menlo Ventures led the series C round of funding for Obsidian. The round also included support from IVP, Greylock, Norwest Venture Partners, Wing and GV. Obsidian has now raised a total of $119.5 million since its launch in 2017.
The CEO and founders of Obsidian are all veterans of well-known cybersecurity startups over the past decade.
Imam was previously the chief revenue and customer officer at Shape Security, which F5 acquired for $1 billion. Obsidian CTO Ben Johnson was formerly cofounder and CTO of Carbon Black – which merged with Bit9, went public and was eventually acquired by VMware for $2.1 billion.
Meanwhile, CPO Glenn Chisholm was formerly CTO of Cylance, which BlackBerry acquired for $1.4 billion, and Obsidian chief scientist Matt Wolff previously served as Cylance’s chief data scientist.
Compromise detection
Obsidian’s approach, based on its graph technology, is the opposite of solutions that involve placing a proxy to see how users upload or download data from a SaaS app, according to Imam.
This approach is “fundamentally flawed” because it doesn’t take into account the fact that SaaS applications are “talking to each other,” Imam said.
“And there are a lot of SaaS applications that aren’t accessible through a proxy,” he said. “And even if it is accessed through a proxy, proxies have very specific rules. If the rules are not triggered, it is of no value.”
On the other hand, the Obsidian platform collects and normalizes data from many major SaaS applications, currently including 25 of the most used SaaS apps, with more on the way, the company says. The SSPM platform resolves account identities and introduces threat intelligence, while also adding context, resulting in a system that can detect threats using a customer’s SaaS app, according to Obsidian.
As an example, hijacked sessions using tokens are a significant threat vector for how SaaS applications are compromised, Imam says. Because the token resides in the end user’s browser, the authentication service provider cannot prevent an attack if the user’s browser or device is compromised, he says.
But with the Obsidian system, once an attacker has gained access to certain credentials – and used those credentials to access SaaS apps protected by an identity service – “we can see that from a contextual perspective,” said Imam. “From a behavioral perspective, we can see that we have an attacker who behaves very differently than the user with its credentials.”
Customer traction
Obsidian Security, based in Newport Beach, Calif., currently employs 80, and is expected to reach 120-140 employees by the end of the year.
Obsidian reports that it has nearly 100 customers – 20 of whom currently pay more than $100,000 in annual recurring revenue (ARR). The startup said it saw a 5X increase in customers with $100,000 in ARR last year, and its revenue increased approximately 3.5X overall in 2021, year-on-year.
While Obsidian provides its platform in nearly eight different verticals, its strongest verticals are financial services and healthcare. Others include technology, education, telecommunications and retail.
Along with expanding its sales – Obsidian aims to grow revenue 3X this year, Imam said – the new round of funding will go towards enabling Obsidian to continue to expand the number of SaaS applications that can be included in its platform.
Current integrations include Salesforce, Workday, Microsoft 365, ServiceNow, Google Workspace and GitHub, but the goal is to eventually cover all major SaaS-related apps across the U.S., Europe, Asia-Pacific and Japan, according to Imam. Obsidian ultimately aims to “cover the long tail of SaaS applications,” he said.
The extent of Obsidian’s coverage for SaaS applications is great, however, and is one of the big differentiators for the platform, according to Venky Ganesan, partner at Menlo Ventures.
Obsidian also stands out for ease of implementation, Ganesan said. As part of its corresponding effort with Obsidian, Menlo deployed the platform on its own systems – and quickly gained more visibility into what was happening with its use of SaaS, he said.
“We got value in 30 minutes,” Ganesan said. “There is no CISO in the world, within 30 minutes of installation [Obsidian] there will be no value.”
‘Iconic company’ in the making?
Obsidian does more than just provide enhanced visibility; it also brings remediation capabilities for actively stopping the malicious behavior it detects, he said.
“The combination of those three things – availability, extent of coverage, and visibility and remediation – is a trifecta unlike any other,” Ganesan told VentureBeat.
Within the security market, protecting the use of SaaS apps is likely to be the “next big chunk of spending,” he added – and he said he believes Obsidian is positioned to lead in this area.
Ganesan led Menlo’s investment in Palo Alto Networks and previously sat on its board. He noted that the potential he sees in Obsidian reminds him of Palo Alto Networks – which is now ranked as the most important security vendor in the world with a market cap of $60 billion.
At Obsidian, “it looks like an opportunity to build a very iconic company in a big area,” said Ganesan, who joins the startup’s board.
One of Obsidian’s other investors, IVP’s general partner Somesh Dash, made a comparison between the startup and one of the world’s other security giants – CrowdStrike (where IVP invests).
“We’re looking down the road [CrowdStrike has] protects the endpoint as an analogy for how Obsidian protects the application layer,” Dash told VentureBeat.
“If they do that for U.S. and global Fortune 5000 companies, mid-stage companies, government agencies, regulated industries – I think this company has a chance to be a $10 billion+ public company in the not too distant future,” Dash said. “That’s not something we see in a lot of companies.”