This autumn is set to be a busy time for CybelAngel, as it introduces a new partner programme and moves more into the external attack surface management space with a new product and new company positioning. Technology Reseller finds out more in conversation with Camille Charaudeau, Vice President, Product Strategy at CybelAngel
CybelAngel started out in 2014 to address data leakage of company assets. Its first customer was a major French bank after it found that many of the bank’s confidential documents, business plans, financial forecasts, invoices, contracts, employee personal information etc. were being stored on an exposed server owned by a third party.
“This happens every single day, and the more you chat and share and do business with a broader ecosystem, the more you expose yourself,” says Camille Charaudeau, Vice President, Product Strategy
“CybelAngel was set up to discover a specific exposure, a specific data leak, but we’ve expanded beyond that. Now, you can think of CybelAngel as a massive internet scanner, looking for exposure continuously 24/7 for our customers.”
It does this by scanning for keywords provided by the customer, such as the company name, company domain, project name, product name or confidential file.
“We can start with your own IT assets that are publicly exposed, and you didn’t know about – what we call shadow IT. It could be a site you created with a former marketing agency that you forgot about and is no longer supervised but which now includes a vulnerability that hackers can use to access the database behind it and perhaps gain access to your network through that asset. It can be an API endpoint. It can be a server running on a cloud instance that you are not using anymore but which you are still paying for. It’s about finding that exposure.
“The attack surface is also exposed credentials, so we go on the Dark Web and look at hackers who are trying to resell employee credentials that could be used as a way inside an organisation. We scan for open databases of partners that are inadvertently leaking information and for malicious domains – small variations in the spelling of your main company domain that are used for phishing campaigns to extract or collect specific information. They, too, are part of the attack surface. And lastly, it’s about finding data leakage on the cloud and on file sharing servers; you can’t imagine how many of them are still open and used freely to share information from one entity to another. If we can find these examples hackers can too.”
Man and machine
CybelAngel processes several billion data points a day and relies on a combination of machine learning and human analysts to filter and investigate that noise.
“We never give a raw feed of information to our customers, because they do not have the time. We filter that first and we have dedicated analysts working with those customers who understand their business contexts and only push what’s relevant to them.”
Each CybelAngel analyst can take care of 8-10 large clients.
Over the last eight years, CybelAngel has grown into an international business of about 180 people, with 60 people in the R&D and engineering departments, and 160 or 170 large enterprise customers, the likes of CVS in the US, NTT in Japan and BT in the UK.
“A large proportion of our customer base is in Europe – in France, the UK and Germany in particular. In 2018, we expanded into the US and North America where we now have somewhere in the region of 40 customers and about 40 employees working from CybelAngel’s regional offices in Boston. We have 4 or 5 people in the UK, one or two people on the sales side in Germany and we very recently opened in the Middle East with two local employees working out of Dubai.”
A global customer base
About 75% of CybelAngel’s customer base is companies with more than 10,000 employees, largely because the bigger a company the more distributed its operations and the broader its digital footprint or attack surface.
“If you are a very small company operating locally, the chances of your assets being exposed on the other side of the world and putting you at risk are low. But if you are a big one, like BT in the UK, with operations around the globe, then you can start to lose visibility, you can start to lose control and will need to know what’s going on with your most strategic assets, your digital assets.”
Strong growth forecast
Market penetration rates for solutions like CybelAngel’s vary by company size and region. Camille Charaudeau says that according to Gartner, the average penetration rate for external attack surface management is somewhere between 8 to 10%. However, he points out that this is growing, with overall revenue for the EASM category forecast to rise 35% year over year to 2026.
“CISOs in large organisations start out securing their internal network. They control that within their firewall, and that’s great because they see everything that’s happening there. But because the world has changed so much and information, workload and content now needs to traverse the firewall, it can’t stop there. So, as a CISO, you start equipping with antivirus, what we call EDR endpoint detection and response, and then you mature as an organisation and go and look at what’s outside. This is external attack surface management, which is where we play.”
Channel-first route to market
Over the last two years, CybelAngel has become very much a channel-first organisation.
“Every time we work with a customer we want to understand their partner ecosystem and try to find a way to ease service delivery and use of the system through a partner. These can be managed services partners, managed detection and response partners or simply procurement- type partners involved in the later stages of the sales process. Almost half of our deals now are partner-led and our mindset moving forward is to be a channel-first organisation.”
Charaudeau says that in Germany more than 80% of its business is now done through managed security service providers who are able to take over the human analysis layer of CybelAngel’s solution and deliver it as part of the SOC or analyst services that they already provide to customers.
“We focus on where we are strong – we are a technology vendor;
and they focus on where they are strong – service and delivery – and bundle that as part of their entire offer.”
New channel programme launching this autumn
As part of its channel-first approach, this autumn CybelAngel is launching a structured channel programme, the Horizon Profit Programme, which it tested in the Middle East over the summer and is now extending globally. This will coincide with a push to recruit more partners in the UK.
“In the UK, we’re looking for a handful of partners that are aligned with our strategic goals – 3, 5, 7 very strategic partners that we can go to market with to approach the various customer segments, large enterprises and maybe MSSPs for smaller businesses, mid-size businesses who understand the value proposition of external attack surface management for less mature markets. We are not after volume, but the quality of the relationship.”
New product launch on October 20
At the end of October, CybelAngel is adding external asset inventory capabilities to its external attack surface management suites that will be available to all customers from their CybelAngel platform, packaged using a good, better, best approach.
“This gives customers a list of all the externally facing IPs, servers, websites, domains that they own that could be a possible threat. From there, we tell them what they should do to reduce their attack surface. Look at all the assets on the list; if it should be out there, make sure that you monitor it and if it shouldn’t be out there, make sure that you take it down.”
Charaudeau adds that the expansion of CybelAngel’s platform is being introduced to meet customer demand and to enable CybelAngel to work directly with security operations teams.
“When you talk digital risk protection, the threats can come from everywhere, including the partner ecosystem and supply chain. If I tell you as the head of security that this partner of yours in Taiwan is leaking blueprints of your next R&D project, that is extremely valuable information. It has a tremendous business value, but you do not necessarily know who to call, who on the business side has a relationship with that specific supplier and how to take that down. So while it is extremely powerful from a business standpoint, the SOC team doesn’t do much with it.
“At the same time our customers are asking ‘How can my SOC team leverage those alerts that you guys are sending?’. So we thought let’s start with the assets that the SOC team is using on a day to day basis, the ones they know. If they can see from there what is exposed, it will give them a direct way to act.”
Charaudeau says this is different to what CybelAngel already provides.
“When we scan the internet starting with keywords from our customers, we are looking at very distant stuff that you may not necessarily own – it could be owned by partners. With this, we start from your known IP addresses, what’s inside your perimeter, and from there we pivot from known assets to discovered, linked, unknown assets – that API endpoint, that admin centre, that marketplace that your own employee forgot about. This is the new evolution that we’re going to introduce and by associating the two approaches, we believe we’re going to provide the most comprehensive view on the external attack surface there is out there.”