The conventional cybersecurity thinking is to protect the network. The reality is that networks are regularly hacked and hard to defend. Even worse, companies are often unaware of hacks. Austin-based ALTR starts from a conservative assumption: if hackers have breached your network, how do you protect your data? Their answer is to use blockchain as a tool.
While standard practice is that blockchains involve multiple parties, cybersecurity is one of the few cases where that isn’t the case. ALTR sees itself as an enterprise data security company that leverages blockchain’s architecture. In this case, clients will have their own private in-house blockchain. If one had to pigeon-hole ALTR, it’s more of a SaaS company than a blockchain business.
The cybersecurity problem
Major data breaches are now commonplace. A week ago British Airways (BA) announced that 380,000 payment transactions were compromised, most likely via the website payment process. In the 2014 Home Depot case, the breach lasted for six months, and 40 million customers’ credit card details were stolen. Hackers installed the malware on most of the company’s cash registers.
In both of the above cases, the hack was at the point of sale. In the fast-moving software landscape, almost every application includes open source software components. It’s vital that companies keep on top of updating software when vulnerabilities are announced. A failure to do so resulted in the Equifax hack which impacted 148 million people. Friday was the anniversary of that breach.
In 2017 Accenture conducted research that showed the rate of security breaches is increasing by 27.4% per year.
One of the issues is companies often aren’t aware of the hacks.
ALTR CEO David Sikora commented: “They don’t know even [right] now if they’re being hacked. When they determined that they’ve been hacked, they don’t know when they were hacked. And they don’t even know how much was hacked.”
The C-suite cybersecurity perspective
Part of the problem is how data is valued.
Sikora said: “Companies don’t treat data the same way they do money. Even though data is just as valuable as their financial assets. And if you were to ask the CEO of a company: ‘How many people have access to your money?’ you could probably count the number on one hand how many people actually can affect a transaction.”
“But then you ask: ‘How many people have essentially Godlike credentials to your data?’ And you’ll get a lot of blank stares.”
In essence ALTR’s approach is to treat the data like money: monitor data usage, govern access to the data and protect it by hiding it.
How it works
Databases often have sensitive fields like bank accounts or social security numbers. The norm is to encrypt these. ALTR Protect takes the sensitive data, tokenizes it or renders it illegible, and then splits it up into pieces and scatters it across separate nodes or servers.
Sikora observed: “So if one person got access to one node, they would only have access to one fragment of information. And then we have built the consensus algorithms and have a low latency way of reassembling that data when the application or when the users need it.”
This is reminiscent of how the InterPlanetary File System (IPFS) works for files as opposed to databases. But ALTR has patented its own method for databases and has several other patents as well. The company’s products support all the major types such as Oracle, SQL Server, MySQL, or Postgres.
So if the data is protected, what about if someone who has authorized access starts misbehaving? ALTR Monitor tracks all access to the database and also stores it on a private blockchain. The access data is fragmented and scattered in the same way as the data itself.
Servers tend to have logs for both server access and data requests. So when you’re hacked, there’s a trace. However, sophisticated hackers will often delete evidence of their activity. That’s viable if there’s just one server, but if the access data is on multiple servers, it’s far harder. Fragmenting the data adds yet another hurdle. Which means you’ll have the logs and know a breach has happened.
The final piece of the puzzle is controlling access to the data itself. ALTR’s Govern product puts granular data access controls in place so that inappropriate access can either be slowed down or stopped.
ALTR was founded in 2014 by a team with a background in algorithmic options trading technology. Five of the six founders were developers led by CTO James Beecham. That sort of trading environment requires lightning-fast execution speeds, but at the same time, security validation and checks have to be done in real time. Much like ALTR’s performance requirements.
Sikora wasn’t part of the original team but met them in 2016, the same year he joined geopolitical intelligence company Stratfor as Executive Chairman. The company had a significant voice in cybersecurity. So ALTR, at that stage still in stealth mode, approached Stratfor.
Sikora was impressed, joined their Advisory Board, became an angel investor and moved into the CEO role earlier this year. Other angel investors and advisors include several high profile technology executives such as Mike Maples formerly of IBM and Microsoft. Maples was credited as the first ‘adult’ in Microsoft.
The startup came out of stealth mode in June this year. And at the same time, it announced a $15 million Series A round with Ronin Capital as the anchor investor. The company already has a dozen registered patents.
By the end of this month, ALTR expects to have 7-10 clients, some in production and some pilots. Clients range from a small healthcare company that wants to be HIPAA compliant to a large Fortune 100 company, and a significant organization that helps hundreds of banks with their online banking. Going forward the company will work through third-party sales channels including managed security service providers (MSSPs).
Blockchain aside, there’s plenty competition in data security. There are significant competitors such as IBM and Dell including its subsidiaries EMC and VMWare, as well as the smaller Varonis. But the others aren’t using blockchain, and for this application, it seems a good match.