SafeBreach
The profile is currently unclaimed by the seller. All information is provided by CB Insights.
Founded Year: 2014
Stage: Series D | Alive
Total Raised: $106.5M
Last Raised: $53.5M | 9 mos ago
Mosaic Score: +10 points in the past 30 days
Research containing SafeBreach
CB Insights Intelligence Analysts have mentioned SafeBreach in 2 CB Insights research briefs, most recently on Jun 6, 2022.
Expert Collections containing SafeBreach
Expert Collections are analyst-curated lists that highlight the companies you need to know in the most important technology spaces.
SafeBreach is included in 1 Expert Collection, including Cybersecurity.
Cybersecurity
4,937 items
SafeBreach Patents
SafeBreach has filed 3 patents.
The 3 most popular patent topics include:
- Trees (data structures)
- Binary trees
- Computer memory
Application Date | Grant Date | Title | Related Topics | Status |
---|---|---|---|---|
12/28/2017 | 5/25/2021 | | Computer network security, Computer security exploits, Computer security, Trees (data structures), Operating system security | Grant |
Latest SafeBreach News
Aug 1, 2022

Which comes first, security or compliance? In an ideal world, they work together seamlessly. Here's how to achieve that.

As numerous data compliance laws proliferate across the globe, security professionals have become too focused on checking their requirements boxes when they should be focused on reducing risk. Can the two work harmoniously together? The answer depends on how effectively IT security leaders can work with their auditors and speak to their boards, say experts. These are their top five recommendations:

1. Focus on data protection

It’s well-known that compliance is about protecting regulated data, while cybersecurity is focused on keeping bad guys out. From a data protection perspective, the key security measure then is to avoid processing or storing regulated data that isn’t needed. If regulated data must be stored, make sure you’re using stronger-than-recommended encryption, says James Morrison, national cybersecurity specialist for Intelisys, the infrastructure support division of payment systems company ScanSource.

“In my career, I’ve seen small healthcare providers sending patient data in cleartext. So, to create compliant policies, ask how regulated data is handled from cradle to grave,” explains Morrison, formerly a computer scientist with the FBI. “You should be mindful of where your data exists, where it’s stored, how it’s stored, and for how long. That’s the right way to start the conversation around compliance and security.”

2. Make security auditors your friends

As important as learning the perspective of auditors is helping them understand the basics of cybersecurity. As CISO at a previous company, Morrison held weekly meetings with his auditor to maintain a “two-way” conversation inclusive of compliance and security. By the time the company conducted its ISO 27001 infosec management update, the audit team was able to articulate clearly what they needed from the security team. Then Morrison himself gathered the information the auditors requested. “Auditors are more appreciative if you take a team approach like this. And so are the CEOs and boards of directors,” he adds.

However, teaching cybersecurity basics to auditors is difficult, adds Ian Poynter, a virtual CISO based on the U.S. east coast. This is especially problematic among auditors who come from the big consulting firms, whom he likens to “people with clipboards who ask questions but don’t understand the security and risk context.” In case after case, Poynter describes past experiences in which his clients passed their “clipboard” audits while fundamentally failing at security. For example, in one instance the auditor asked if the company had a firewall and the IT manager checked the “yes” box because they had a firewall, even though it was still in the package and hadn’t been installed yet. “The auditors didn’t understand that the firewall is not actually doing anything, although you still have a firewall,” Poynter says sardonically. “So, to audit properly, you need to know the context around the questions and how to ask the questions.”

As a consultant to smaller companies, Poynter says it’s important to engage with auditors who have working relationships with security teams and who understand the security and compliance aspects in tandem. For example, he points to a company preparing to spend $3 million on a SOC 2 provider. Going into the SOC 2 audit with the provider, Poynter provided both sides with security and vulnerability reports that were correlated against audit requirements. This, he says, greatly narrowed down the field of focus for the audit team, adding that it was a good example of how compliance and security mesh together to further the IT leader’s business skills and improve security posture.

3. Use compliance as a base to build better security

Poynter also cautions that audit checklists go out of date regularly, so just passing an audit does not protect IT assets. Take, for example, passwords, which NIST used to require changing every 90 days. NIST has rescinded that rule because people can’t remember their passwords, and instead recommends using passphrases with numbers and symbols that users can remember.

Avishai Avivi, CISO at security control validation company SafeBreach, agrees with Poynter. Avivi believes that compliance frameworks provide a basis for thinking about security programs, but compliance mandates are not prescriptive, nor do they rate the efficacy of controls. For example, he says, “A compliance checklist tells you that you need to have a firewall. It doesn’t tell you what type of firewall is suitable for your business, or what firewall rules to implement.” He also points to requirements for annual penetration tests, even though threats evolve much more frequently than that. This gap leaves “compliant” companies at risk of new vulnerabilities they don’t know they have. Also open to interpretation is how to conduct the pen-test and against what computing resources, he continues.

“We had a client that was only testing its external attack surface. So, we did a simulation from an internal corporate office network and showed them that if just one of their end-user stations is compromised, it can access all their development and production networks,” Avivi explains. “The client followed the compliance guidelines in terms of segmenting development from production networks, but there were no firewall controls to prevent someone from coming in from a corporate office to those environments.”

In industrial control systems (ICS), NERC CIP and other standards are particularly bare-bones in their requirements, according to Jason D. Christopher, director of cyber risk at Dragos. “Due to the lack of OT-specific detection in industrial networks, it’s more difficult to interpret compliance rules. It’s a lot harder to have a compliance conversation because it’s hard to distinguish on a plant floor if you had a security incident that requires reporting or if it is a maintenance incident.”

ICS operators like energy and power companies are already behind because their security controls are also at the low end of the maturity curve, Christopher continues. He then describes the compliance maturity curve in three stages. Crawling is filling in the check boxes. Walking is building a program around audit findings and cross-checking findings with compensating controls. In the run stage, network operators have exceeded compliance rules with the proper workflow and chain of command to support security and audit duties. Christopher stresses that the more mature the compliance and security programs, the better the collaboration and communication between auditors, CISOs, and the board.

4. Fix the vulnerabilities you find

It’s that middle stage of maturity, the walk stage, where organizations mostly get hung up, say experts who call out many instances where organizations failed to make basic repairs based on audit findings. “We had a company that did their pen-test as required by compliance. Then, a year later, the new pen-test came back with the exact same vulnerability finding because the client had not addressed the findings from the prior year’s pen-test,” Morrison says. “Ultimately, they suffered a second breach around the same vulnerability. This time, the company fell into trouble with regulatory bodies.”

Morrison’s story sounds like a famous case currently winding through the U.S. District Court of San Francisco. In it, Joe Sullivan, CISO of Uber, faces prison time under federal charges because he didn’t report a second ransomware breach that took advantage of the same vulnerability the FTC had demanded they close after a prior breach. Recently, more charges of wire fraud were added in what the FBI is now calling a cover up.

5. Measure improvements in security and risk posture

More than just a driver for reducing risk, compliance can also be used to measure improvements in security and risk posture. Morrison suggests a compliance dashboard to measure your risk score and using those dashboard policies to keep ahead of changing risks, such as adding a new tech or supporting a remote workforce. The dashboards should also help IT managers report to upper management in the business language of risk and reward that they understand. As Avivi from SafeBreach explains, “If you do security right, you’re probably compliant. But if all you care about is compliance, you’re probably not going to be secure.”
When was SafeBreach founded?
SafeBreach was founded in 2014.
Where is SafeBreach's headquarters?
SafeBreach's headquarters is located at 111 W. Evelyn Avenue, Sunnyvale.
What is SafeBreach's latest funding round?
SafeBreach's latest funding round is Series D.
How much did SafeBreach raise?
SafeBreach raised a total of $106.5M.
Who are the investors of SafeBreach?
Investors of SafeBreach include Bright Pixel Capital, Israel Growth Partners, Leumi Partners, Sands Capital, ServiceNow Ventures and 11 more.
Who are SafeBreach's competitors?
Competitors of SafeBreach include Veracode, PlexTrac, HackerOne, Pentera, XM Cyber, SCYTHE, Horizon3.ai, ForAllSecure, Snyk, Noetic Cyber and 23 more.
You May Also Like
- Pentera utilizes an automated penetration-testing platform that assesses and validates corporate cybersecurity risks. By applying the hacker's perspective and performing machine-based penetration testing, its software identifies, analyzes, and prioritizes remediation of cyber defense vulnerabilities and instrumentation.
- Bugcrowd provides Crowdcontrol, which is used by companies to proactively uncover and resolve security bugs in their products, leveraging a vetted community of more than 27,000 security researchers. The company also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements.
- Cymulate is an Israeli cybersecurity startup that conducts penetration tests. The company has developed a platform enabling enterprises to simulate cyber attacks in real time while testing the security system's resilience from the potential attacker's perspective. Among other things, Cymulate makes it possible to assess an enterprise's readiness for ransom and phishing attacks and for detecting more complicated breaches through which hackers can take over an enterprise's computers and apps.
- Vulcan Cyber is a Continuous Vulnerability Remediation solution that integrates, automates and orchestrates existing tools and processes, eliminating the most critical risks caused by vulnerabilities while at the same time avoiding any unexpected impact to business operations.
- HackerOne is a vulnerability management and bug bounty platform. HackerOne empowers companies to protect consumer data, trust, and loyalty by working with the global research community to surface the most relevant security issues.
- Detectify offers a website vulnerability scanner that is in part powered by the crowd.