Obsidian Security Funding Helps Stop Session Hijacking on More Platforms
Michael Novinson
April 14, 2022
Obsidian Security closed the Series C funding round to prevent session hijacking on more platforms and increase the number of SaaS applications being defended.
The Newport Beach, California-based company wants to expand its security and posture management coverage from the 25 major SaaS applications it protects today to hundreds of SaaS applications within a year or two, CEO Hasan Iman told Information Security Media Group. The $90 million round was led by Menlo Ventures, Norwest Venture Partners and IVP, and brought Obsidian's total funding to $119.5 million.
“The industry is just beginning to recognize the scope of the problem associated with SaaS security,” Iman said. “It’s a huge range of topics that makes it complex. To really solve this problem, you need the solution to be comprehensive.”
Beware of Bespoke Apps
Iman said Obsidian plans to use the funding to create a framework that lets organizations protect not only somewhat smaller SaaS applications such as Dropbox but also the thousands of non-public SaaS apps that businesses use to run their operations. The investment will draw on Obsidian's knowledge of the threat landscape to secure the integrations between SaaS apps (see: Non-Interaction Payments: The New Wave).
The largest SaaS applications - Salesforce, ServiceNow and Office 365 - are really platforms with their own configuration methods and privilege models, and Obsidian has to break those platforms down into their base elements to truly understand what types of threats the apps are exposed to and which risks customers need to think about, Iman said. Making that investment for the core SaaS apps is necessary.
But for SaaS applications that are not as central to business environments as Salesforce and ServiceNow, or are not as complex, Obsidian plans to create a simpler defense model that is easier to scale. Pre-building integrations for the thousands of non-public SaaS apps used within businesses would be impossible because there is no way for the company to get a return on that investment, he said.
The framework that Obsidian will build with the Series C funds will let businesses, system integrators or members of the developer community protect custom apps without Obsidian having to invest in each one individually, Iman said. Instead, customers will get a set of APIs that draw on the experience and data Obsidian has gathered from protecting the 250 or 300 SaaS apps commonly used by most large businesses.
“These SaaS applications live on an island,” Iman said. “They’re not within the perimeter. The privileges are set in a decentralized way by administrators who don’t sit in the CIO organization … We provide insight into what’s on that island in relation to their business and a centralized way to see the dangers and the threats on that island on which they depend.”
Account Takeover Avoidance
Obsidian built a capability 18 months ago that prevents attackers from taking over Azure Active Directory and Okta user accounts, and the company wants to extend its session hijacking protection to other identity and access management platforms. The company wants to guard against more session hijacking scenarios because it is one of the main ways attackers compromise SaaS application accounts.
The company also wants to build out its defenses around API integrations, OAuth integrations and the reuse of legitimate certificates to access SaaS apps, Iman said. For example, hackers from the Russian foreign intelligence service, the SVR, compromised a legitimate Mimecast certificate used to authenticate some of that company's products to Microsoft 365 Exchange Web Services as part of the SolarWinds campaign.
Because attackers can abuse OAuth integrations and valid certificates to gain access to key SaaS applications, Iman said Obsidian wants to invest in giving customers deeper and more comprehensive coverage in those areas.
Iman said Obsidian also wants to improve its understanding of and visibility into SaaS application data so that the company can offer more granular privilege management. Today, Iman said, businesses do not know how much of a SaaS application a user actually uses after being granted initial access.
With the Series C funding, Obsidian plans to aggregate the activity associated with a user, the privilege model, the configuration model and the integrations between SaaS apps, and link all of that data to tell CIOs how relevant the permissions of super-privileged users are to the activities those users actually perform on a daily basis. Holding all of that data in a single structure will make it easier for Obsidian to correlate it.
“The solution needs to be comprehensive and in-depth context,” Iman said. “This funding helps us ensure we have comprehensive coverage of the SaaS ecosystem and continue to develop deep context.”