Gadi Evron has been in the security industry for a long, long time. He's a malware/botnet/honeynets guy. Mile-long resume.

This is kind of a surprising pick for YC: a down-the-middle enterprise security play, the kind of company that usually gets funded by Battery because one of the cofounders successfully sold a portfolio company a couple iterations ago.

It's interesting to see what seems to be a pretty conventional bit of security technology (sandboxing malware and exploit code into virtual machines is the kernel of several 9-figure security products) get extra attention because of the YC pedigree. Or maybe TechCrunch just got this wrong? Either way: not complaining!
Mass market IT tech has been hacker heaven so far, but better stuff isn't making many inroads. All these desktop, cloud, etc. offerings don't have a hope of stopping determined attackers. Knowing this, industry mostly focuses on reducing risk, detection, recovery, etc. Honeynets are another great tool that's under-utilized in mainstream industry. They make the right assumption (they'll get in), the right goal (let's spot it), and add extra benefit (real damage maybe averted).

With that in mind, I'm liking what I see in the article. A true pro building on honeynet tech while maxing out ease of use and knocking out false positives. That last part is huge if he gets it right: too many just make people ignore the alarms. I look forward to seeing what it achieves in the field.

Like the names, too: Deception Stack, Maze Runner... good stuff haha.
This is a solid idea with a great team behind it. The challenge with this kind of product is to make it easy to deploy while delivering actual value to users, and it looks like they've figured that out.

(It was great meeting Gadi in the speakers lounge at a conference in Hamburg and doing the YC sales pitch last year.)
It's an interesting concept. But there's one thing that bugs me. If an attacker is already in the network, I think we need to distinguish between two types of boxes: servers and clients. Honeypots are nothing new, so having a few servers that are honeypots in the network doesn't seem that interesting to me.

If someone wants to break into your network, they'll probably target a small number of users and try to get a RAT on their box to spread from there. I don't know, but that's what I'd do.

If you want honeypot clients, things get a bit harder, since you will need to mimic user interaction. But even if a box clicks every link for a decoy email account, a drive-by exploit or something can easily fingerprint the system and bail out if it's a VM, since it's unlikely for clients to be VMs. Depending on the exploit, that could be hard to detect.

So, we're back to honeypots as servers? I don't want to sound negative, but the article is just so vague and that seems to be the only plausible thing.
I actually built an identical project after watching Rob Fuller's talk "Attacker Ghost Stories". I've actually built it twice.

First was a Java-based service for each service I wanted as a honeypot: FTP, SSH, MySQL, etc. They basically were low-interaction honeypots, for example MySQL: prompt for password, do the handshake, say failure, and report to admin.

Second was a Go logtailer and bash script that would securely set up services, tail the logs, and notify admins when there was suspicious activity (err...any activity).

It was a ton of fun building it and very straightforward. Gen1 in Java was the most fun implementing all the authentication schemes, but Gen2 worked way better, faster, and easier. I wanted to try to turn it into a company but chickened out that nobody would ever want it. Awesome to see literally the exact same use-case software here! I guess it was a good idea! =]

Good luck to you Cymmetria!
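The "Gen2" approach in the comment above (tail the decoy services' logs and alert on any activity, since nothing legitimate should ever touch a decoy) is easy to sketch in Go. The following is an added example written for this thread; it is not the commenter's code, not Cymmetria's, and the log line format `<service> <source-ip> <message>` and the sample lines are constructed for illustration. The one refinement beyond the comment is an ignore list for known internal sources (such as the organisation's own vulnerability scanner), which is the main lever for keeping false positives down, plus a per-source summary so an admin gets one notification per attacker rather than one per connection attempt.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Event is one line of activity observed on a decoy service.
// Because nothing legitimate should ever talk to a decoy, every Event is an alert.
type Event struct {
	Service string // decoy service name, e.g. "ssh"
	Source  string // client address that touched the decoy
	Detail  string // free-text remainder of the log line
}

// Hypothetical log format written by the decoy services: "<service> <source-ip> <message>".
var lineRe = regexp.MustCompile(`^(\S+)\s+(\S+)\s+(.+)$`)

// ParseLine turns a single log line into an Event. Lines that do not match the
// expected format are reported as not parseable rather than silently treated as alerts.
func ParseLine(line string) (Event, bool) {
	m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return Event{}, false
	}
	return Event{Service: m[1], Source: m[2], Detail: m[3]}, true
}

// ScanLog reads every line from r and returns the events that warrant an alert.
// Sources listed in ignore (e.g. an internal scanner that is allowed to probe
// the decoys) are suppressed; everything else on a decoy is suspicious by definition.
func ScanLog(r io.Reader, ignore map[string]bool) ([]Event, error) {
	var alerts []Event
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		ev, ok := ParseLine(sc.Text())
		if !ok {
			continue // malformed line: not an alert, but worth logging in a real deployment
		}
		if ignore[ev.Source] {
			continue
		}
		alerts = append(alerts, ev)
	}
	return alerts, sc.Err()
}

// Summarize counts alerts per source so the admin gets one notification per
// attacking host rather than one per connection attempt.
func Summarize(alerts []Event) map[string]int {
	counts := make(map[string]int)
	for _, a := range alerts {
		counts[a.Source]++
	}
	return counts
}

// sampleLog is constructed sample input, not output from any real deployment.
const sampleLog = `ssh 10.0.0.5 connection opened
ssh 10.0.0.5 auth failure user=root
mysql 10.0.0.7 client handshake
garbage-line
ftp 10.0.0.9 USER anonymous
ssh 10.0.0.200 connection opened
`

func main() {
	// 10.0.0.200 stands in for an internal scanner that is allowed to touch decoys.
	ignore := map[string]bool{"10.0.0.200": true}
	alerts, err := ScanLog(strings.NewReader(sampleLog), ignore)
	if err != nil {
		fmt.Println("read error:", err)
		return
	}
	for src, n := range Summarize(alerts) {
		fmt.Printf("ALERT: %s touched decoy services %d time(s)\n", src, n)
	}
}
```

In a real deployment `ScanLog` would be fed from a file that is followed as it grows and `Summarize` would be flushed to a notification channel on a timer; the detection logic itself does not change, which is what made the commenter's Gen2 design so simple.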