
Dig Security: One Tool for Multicloud Data Security

‘With a file with credit card numbers, you don’t want to protect it differently across AWS, Azure and GCP. You want to protect it consistently across any type of store.’
Dec 13th, 2022 4:00am by

As Dig Security CEO Dan Benjamin sees it, there’s a huge gap in the security market for protecting data across multicloud environments.

A former product manager for Microsoft Azure Cloud Security and CTO Resident at Google Cloud for Startups, Benjamin said, “All the solutions were either built for on-prem or essentially just required tons of work from different customers and very limited, very fragmented and take six to 12 months to implement. I thought we can do this better.”

It’s Benjamin’s third startup and the second for cofounders Ido Azran and Gad Akuka, all former members of the Israeli Defense Forces.

In the IDF, Benjamin worked on the offensive side, which he believes provides him an inside view of how attackers behave and gives the Dig Security team a better understanding of how to repel them.

“Cloud data stores are always the actual target for an attack. That’s what we used to look for,” he said. “But that’s also the only place today in the public cloud that lacks a dedicated security solution.” While there are products aimed at endpoints, networks and other aspects of cloud infrastructure, Dig Security aims to provide a holistic security solution for data in multiple clouds.

Who’s Using Data and How

Statista reports that more than 60% of enterprise data is stored in the cloud. Meanwhile, nearly half of all data breaches over the past year were cloud-based, according to the 2022 Cost of a Data Breach Report by IBM Security and Ponemon Institute.

Cloud service providers use a shared responsibility model, in which they are responsible for the security of their physical infrastructure, resources and services, while their customers must secure the applications, data, containers and everything else that runs on that infrastructure. But as with everything in multicloud, the details differ by vendor. And enterprise data can sit in different clouds and be used in different ways.

And then there’s “shadow data” — say a database set up in a test environment and forgotten, or an unmanaged backup somewhere — that may contain sensitive data.

The company likes to mention that at one of the largest banks in the United States, it found that all of the bank’s financial reports had been copied every day, for three years, to the AWS account of a vendor the bank had stopped working with three years before.

Enterprises often don’t know all the places their data exists or how it’s being used, Benjamin said. Once permissions are granted, who knows what’s happening with the data? Dig Security monitors who is using data and how that data moves, in real time.

Discovery and Context

Dig offers agentless, full data security posture management (DSPM) capabilities. It monitors data stores such as buckets, files and databases as well as unmanaged data stores such as MongoDB and MySQL servers running on virtual machines to provide a single view of your data across all clouds, as well as by region to help ensure compliance with regulations such as GDPR. It highlights misconfigurations, access anomalies, shadow data and other vulnerabilities.

Using automated classifiers, it analyzes content and tags sensitive information types such as personally identifiable information (PII), credit card numbers and secrets in both structured and unstructured data.

In addition to alerting on changes with real-time data detection and response (DDR), it provides options to apply policies that thwart data exfiltration early in the kill chain. It can detect and evaluate actions against security and compliance frameworks such as MITRE, SOC 2 and ISO 27001.

“Initially, we help organizations discover any type of data store across any type of cloud and across any type of deployment mode. Typically, customers will run in three main types of deployment modes, whether it is PaaS [Platform as a Service] like RDS, Azure SQL, Google BigQuery. Whether it is IaaS [Infrastructure as a Service], someone can boot up a VM, install whatever they want, any type of data store on it, like MongoDB, and start saving sensitive information on it and 99% of the time, most organizations would never know. And, of course, Database as a Service [DBaaS], which is anything like Snowflake, or Atlas or Databricks and so on,” he said.

“Once we find all these different data, we bring context to the actual data itself. What kind of data do we have? Do we have PII or PHI [protected health information] or PCI [payment card information] or regulated data? Where do we have data replicas or data movements that we think shouldn’t happen? How is my data being used? By whom? Which machines, which users, which vendors, which contractors?

“And once we discover the data and … and classify it, we apply real-time threat detection and response, which we call data detection and response [DDR]. We analyze every type of data interaction, whether it is an admin event, a data event, a connection, and we flag any type of risk.”

Dig studied hundreds of different types of data breaches, understood how they happened and started building detections and responses around them.

Beyond discovering and classifying the data, Dig comes out of the box with dozens of policies dealing with real-time scenarios of what can go wrong with data.

There are the obvious scenarios: No one should download a production database to a local machine, and no one should copy sensitive data outside of the customer’s cloud. But there are also more complicated events, such as how to detect a ransomware event. What happens when you see mass encryption events? Or how do you identify that a machine that never touches sensitive data is now touching a lot of sensitive data?
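The two harder scenarios above (mass encryption and a machine that suddenly starts reading sensitive data) can be expressed as simple baseline-versus-window checks over object-store access events. The following is an added example, not Dig Security’s code; the event fields, principals, object keys and KMS key names are constructed for illustration.

```python
# Added example (not Dig Security's code): two DDR-style checks over
# constructed cloud object-store access events. Each event records the
# principal, the API action, the object key, the sensitivity tags a
# classifier assigned to the object, and the KMS key it was written with.
from collections import Counter

BASELINE = [  # constructed "normal" history
    {"principal": "svc-reporting", "action": "GetObject", "key": "reports/q1.csv", "tags": {"pci"}, "kms": "key-A"},
    {"principal": "svc-reporting", "action": "GetObject", "key": "reports/q2.csv", "tags": {"pci"}, "kms": "key-A"},
    {"principal": "svc-reporting", "action": "PutObject", "key": "reports/q3.csv", "tags": {"pci"}, "kms": "key-A"},
    {"principal": "vm-web-01", "action": "GetObject", "key": "static/logo.png", "tags": set(), "kms": "key-A"},
]
WINDOW = [  # constructed recent activity to evaluate
    {"principal": "vm-web-01", "action": "GetObject", "key": "reports/q1.csv", "tags": {"pci"}, "kms": "key-A"},
    {"principal": "vm-web-01", "action": "GetObject", "key": "reports/q2.csv", "tags": {"pci"}, "kms": "key-A"},
    {"principal": "vm-web-01", "action": "GetObject", "key": "hr/payroll.csv", "tags": {"pii"}, "kms": "key-A"},
    {"principal": "svc-reporting", "action": "GetObject", "key": "reports/q3.csv", "tags": {"pci"}, "kms": "key-A"},
    {"principal": "ops-admin", "action": "PutObject", "key": "reports/q1.csv", "tags": {"pci"}, "kms": "key-X"},
    {"principal": "ops-admin", "action": "PutObject", "key": "reports/q2.csv", "tags": {"pci"}, "kms": "key-X"},
    {"principal": "ops-admin", "action": "PutObject", "key": "reports/q3.csv", "tags": {"pci"}, "kms": "key-X"},
]


def sensitive_reads(events):
    """Count reads of classifier-tagged (sensitive) objects per principal."""
    counts = Counter()
    for e in events:
        if e["action"] == "GetObject" and e["tags"]:
            counts[e["principal"]] += 1
    return counts


def new_sensitive_access(baseline, window, threshold=3):
    """Principals with no sensitive reads in the baseline that now read
    at least `threshold` sensitive objects: the 'machine that never touched
    sensitive data' case."""
    known, current = sensitive_reads(baseline), sensitive_reads(window)
    return {p: n for p, n in current.items() if known[p] == 0 and n >= threshold}


def mass_reencryption(baseline, window, threshold=3):
    """Principals that rewrote at least `threshold` objects under a KMS key
    different from the one each object previously had: a mass-encryption
    signal typical of ransomware against object storage."""
    last_key = {e["key"]: e["kms"] for e in baseline}
    counts = Counter()
    for e in window:
        if e["action"] == "PutObject" and e["kms"] != last_key.get(e["key"]):
            counts[e["principal"]] += 1
    return {p: n for p, n in counts.items() if n >= threshold}
```

Thresholds and the baseline window are the tuning knobs; in practice the baseline is the principal’s own history rather than a fixed list.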

“Essentially, [the data security team] what they do is they threat model each type of data store; they try to steal data. And then they essentially build detections of responses around them, whether it is based on rules or training our existing machine to detect anomalies with data usage,” he said.

“Dig’s detection engines are based on deep security research. By embedding the attacker’s perspective – derived from some of the strongest talent in the Israeli ecosystem — Dig’s opinionated, out-of-the-box detection engine neutralizes attackers, without requiring enterprises to write and maintain policies,” said Liran Grinberg, managing partner of Team8 Capital, which led its seed round.

The company continually adds policies as it finds new ways to exfiltrate data, and while it allows customers to build their own classifiers, if it sees something relevant to its customer base as a whole, it adds that across the board, Benjamin said.

Tomer Kremer recently joined Tipalti, an accounting software vendor that uses Dig Security, as chief information security officer. He says of it:

“Our fundamental security goal is data protection, which is foundational to the payments technology we’re building. It is challenging to build a data protection program without a deep understanding of the data we own, how it’s moving within the organization, and how it’s consumed. Dig Security offers visibility into all of our cloud data assets in real time so we can easily control these assets. These capabilities enable us to prevent a number of data risks and enforce compliance. We can take action and automate response – it doesn’t just send us alerts that add to the noise.”

He calls it the “most mature data security platform we’ve found for cloud data stores that we’ve used. The public cloud represents a quickly evolving threat landscape and Dig has helped us keep pace. … Dig bridges the gap between the velocity of development and the need for data protection. When a new data store or data flow boots up, the platform immediately alerts us to the event, which allows us to keep in sync and govern sensitive data. We have not had any false positives and working with the Dig team to prioritize new capabilities and features has been easy and effective.”

Evolving Data Storage Technology

The Tel Aviv-based company is 14 months old and has raised $45 million, most recently a $34 million Series A in September led by SignalFire, following an $11 million seed round in May led by Team8. It employs 40 people around the globe, many of them also with IDF experience.

The IDF has been a breeding ground for cybersecurity startups such as Seraphic Security (browser), Hexadite (incident response) and Oxeye (testing), each taking its own tack on the problem. A range of startups, like DoControl, are tackling aspects such as automating policy enforcement on major Software as a Service (SaaS) applications like Salesforce and Google Docs.

Benjamin said there’s still much work to be done to secure the cloud, and Dig will be tackling the different types of data store technologies as they evolve.

“We understand that the ultimate goal is protecting the data and not just discovering it. … So that challenge of coverage, and essentially being able to detect all these different malicious events across the board across different clouds with a consistent engine is very, very powerful. … Because eventually, if you have a file that has credit card numbers, you don’t want to protect it differently across AWS, Azure and GCP. You want to be able to protect it consistently across any type of store that you currently own today.”

TNS owner Insight Partners is an investor in: DoControl.