Justdial, Bigbasket, Unacademy — these are some of India’s biggest tech companies and startups, with the latter two being unicorns and Justdial being one of India’s handful of publicly-listed tech companies. Coincidentally, they are also the subject of three of the most high-profile data leaks from India over the past two years.
As more and more companies and government entities experience the heat of security breaches, the wave of compromised data is only going to get worse. The recent data leak from Bigbasket affected over 20 Mn users whose names, email IDs, addresses, dates of birth, locations, password hashes, contact numbers (mobile and phone) and IP addresses of login and more were exposed. Reactive in its approach, BigBasket learnt the hard way and is now reassessing the extent of the breach.
Besides these three companies, Paytm Mall, Religare Health Insurance, Truecaller and others have also fallen prey to hacks, while even Prime Minister Narendra Modi is not immune to such attacks. The PM’s Twitter account and his website were targeted in separate hacks.
In October, a leaked database exposed personal information of users who had donated funds to the PM Relief Fund and several other such funds for the PM’s pet causes such as “Beti Bachao Beti Padhao (girl child education)”. Over 5.7 Lakh users of the website were impacted, some of whom saw their bank-related information compromised. This just highlights the severity of the situation. National Cyber Security Coordinator Lt Gen (Dr) Rajesh Pant had also stated that India lost close to INR 1.25 Cr due to cyber crimes.
Targeting the rising cyber security menace for businesses in the country and around the world, cybersecurity startup FireCompass is taking a proactive approach and going after the source of the attack, so that companies can take steps to mitigate threats in real time rather than addressing isolated incidents after leaks or breaches.
“We need to stay one step ahead of the hackers by proactively monitoring and orchestrating these attacks,” said Bikash Barai, cofounder at FireCompass, an AI-powered cybersecurity startup.
Traditionally, companies used to contract so-called ‘ethical hackers’, essentially white-hat cyber security consultants, to evaluate and test the vulnerability of the platform using multiple tools. The challenge here is that every time there is a new API or tool, there is a need for more and more ethical hackers. Unfortunately, there is a dearth of such talent as well.
Automating the entire experience, FireCompass claims its platform requires no human intervention as it automatically conducts penetration testing using network, cloud, application, email and multistage attacks. The system then sends alerts to concerned stakeholders upon discovering the vulnerability.
Founded by serial entrepreneurs Bikash Barai, Nilanjan De and Priyanka Aash in 2019, the company has developed a SaaS platform for Continuous Automated Red Teaming (CART) which was launched last month. This goes along with its Attack Surface Management (ASM) and Ransomware Attack Surface Monitoring (RASM) products. With these, the team continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. Prior to starting FireCompass, the founders had developed India’s first SaaS security company which was backed by IDG Ventures, and later acquired by Cigital (now Synopsys).
FireCompass claims to discover the digital attack surface for its customers and launches multi-stage safe attacks which don’t actually affect the data of the business or organisation. This helps identify breach and attack paths that are otherwise missed out by conventional tools. Some of its clients include US telecom giant Sprint, Security Innovation, Nykaa (which incidentally suffered a data leak last year), Manthan, Larsen & Toubro and Edelweiss among others.
Furthermore, its platform is said to automatically discover an organisation’s ever-changing digital attack surface, including unknown exposed databases, cloud buckets, code leaks, risky cloud assets, exposed credentials, APIs and open ports. Once these are discovered, its attack engine launches multi-stage attacks, including network attacks, social engineering attacks and application attacks, which are otherwise missed by conventional ethical hacking tools such as SuperScan, Network Mapper, Metasploit, Angry IP Scanner and others.
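To make the "continuous" part of attack surface management concrete, here is an added example (not FireCompass code) of the core loop such a platform runs: compare two discovery snapshots of an organisation's externally visible assets, flag what newly appeared, rank each new exposure by the risk it carries (an internet-facing database port or a leaked credential outranks an extra web port), and produce the alert list that would go to stakeholders. The snapshots, hostnames, bucket names and the severity table are all constructed for illustration.

```python
"""Attack-surface change detection: diff two discovery snapshots and rank new exposures."""

# Constructed snapshots. Each asset is (kind, identifier, detail).
BASELINE = {
    ("open_port", "203.0.113.10", "443/tcp"),
    ("open_port", "203.0.113.10", "22/tcp"),
    ("cloud_bucket", "acme-static-assets", "public-read"),
}
TODAY = {
    ("open_port", "203.0.113.10", "443/tcp"),
    ("open_port", "203.0.113.12", "27017/tcp"),      # MongoDB now reachable from the internet
    ("cloud_bucket", "acme-static-assets", "public-read"),
    ("cloud_bucket", "acme-db-backups", "public-read"),  # backup bucket made public
    ("code_leak", "github.com/example/leaked-config", "AWS_SECRET_ACCESS_KEY"),
}

# Ports that usually front a datastore; exposing them publicly is treated as critical.
DB_PORTS = {"3306/tcp", "5432/tcp", "27017/tcp", "6379/tcp", "9200/tcp"}
WEB_PORTS = {"80/tcp", "443/tcp"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def severity(asset):
    """Assign a severity to a single exposed asset (assumed scoring policy)."""
    kind, _ident, detail = asset
    if kind == "code_leak":
        return "critical"                      # a leaked secret is immediately usable
    if kind == "open_port" and detail in DB_PORTS:
        return "critical"                      # datastore exposed to the internet
    if kind == "cloud_bucket" and detail == "public-read":
        return "high"                          # anyone can list/read the bucket
    if kind == "open_port" and detail not in WEB_PORTS:
        return "medium"                        # unexpected service, needs review
    return "low"


def diff_surface(baseline, current):
    """Return (alerts, removed): alerts are (severity, asset) for newly seen assets,
    ordered most severe first; removed lists assets no longer discovered."""
    new_assets = current - baseline
    removed = baseline - current
    alerts = sorted(((severity(a), a) for a in new_assets),
                    key=lambda sa: (RANK[sa[0]], sa[1]))
    return alerts, removed


if __name__ == "__main__":
    alerts, removed = diff_surface(BASELINE, TODAY)
    for sev, asset in alerts:
        print(f"[{sev.upper()}] new exposure: {asset}")
    for asset in removed:
        print(f"[INFO] no longer exposed: {asset}")
```

In a real deployment the snapshots would come from repeated scans of DNS, cloud accounts, port scanners and code-hosting searches; the diff-and-rank step is what turns a pile of findings into actionable alerts.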
On the other hand, FireCompass’ CART claims to uniquely combine Attack Surface Management (ASM), and multiple security testing technologies, thereby eliminating the need for multiple tools and significant manual effort, and time. “Scans that took weeks and months, with our platform it can be completed in minutes or hours,” said Barai.
FireCompass said that it currently focuses on international customers, along with early-stage companies in India, who are serious about data security and safety of digital assets. Given the enterprise SaaS model, the pricing ranges between $15K (small enterprises) and $500K (large organisations) annually depending on the usage.
Currently, FireCompass is backed by investors and venture capital funds including Phanindra Sama (former CEO & co-founder, Red Bus), Khiro Mishra (former CEO, NTT Securities America), Ed Adams (President & CEO, Security Innovation Inc.) and CIIE.CO’s Bharat Innovation Fund. As the company is looking to invest heavily in technology and talent, its unit economics, which are currently positive, are likely to turn negative in the coming years. The cofounder also said that they have already raised funding from various investors and will be announcing it soon.
Reinventing Traditional Red Teaming Using AI & SaaS
In the global market, FireCompass competes with the likes of cybersecurity startups including Randori, CyCognito, Nessus, Seconize, Tenable.io among others. “While everybody is trying to innovate, there are only a few players in the space who scan the dark web and focus on the attacks, besides surface discovery,” claimed Barai.
FireCompass claims to leverage machine learning, which helps the platform generate intelligence continuously, without the need for on-premise software, hardware or additional employee resources on the customer’s end.
It runs on a homogeneous big data platform where all the data is stored and indexed, and is then used to run attacks and scan for vulnerabilities and threats. “We are not looking to monetise the data collected from our clients in any way,” added Barai.
Further, Barai said that in the cyber security space, any company claiming to provide 100% safety from data breaches is making a highly unlikely claim; instead, the goal should be to cover various levels of security and solutions, including network-level security, application-level security and other benchmarks.
“Most importantly, we act as friendly advisors for organisations to help them be prepared and resist such attacks from occurring through nation-state actors/ethical hackers,” he concluded, adding, “hack yourself before hackers do!”
[With inputs from Deepsekhar Choudhury]