Evident.io – Security for Cloud Infrastructure


Brilliance Security Magazine interviewed Tim Prendergast, founder and CEO of Evident.io, to get a sense of who they are and what they do. What we found is a security firm that is the embodiment of a traditional cloud company. They are young, fresh, and see the vision and economies of scale offered by cloud infrastructure. If you have migrated to the cloud, or are even thinking about it, and are concerned about security aloft, you owe it to yourself to check this company out. You will not find any sense of “cloud adaptation” with this group; they were conceived in the cloud, built around it, and that is their sole habitat.

With an eye toward providing a security service technology for Amazon Web Services, Tim and the executive team have assembled what Tim calls “the dream team of cybersecurity professionals.” Together they offer more than 60 years of network and information security experience and have more than 22 years of AWS-specific security experience. Gathering from such places as Adobe and Netflix, they have assembled some of the best talent in the industry.

Today’s threat-laden security environment requires one of two things: either a company can acquire a team of highly experienced, and highly paid, cybersecurity professionals, or it can deploy a security platform that enables project managers, system administrators, and other staff to have global visibility and awareness of security issues. Tim says they have “democratized security for the cloud.”

While Tim is quick to point out that startups and quickly growing development teams are not their sole focus, it is easy to see that the same kinds of firms that are attracted to the low initial cost and scalability of cloud infrastructure are also attracted to a cloud-native security solution.

Because it is a cloud-based service, Tim’s team can inject zero-day intelligence literally minutes after discovery. Long before your data center security team can be alerted, find the patch, and resolve the issue, your cloud infrastructure will already be protected. It is important, however, to state what for many will be obvious: a cloud infrastructure security platform like Evident.io is intended to address attack vectors that impact everything from applications to networks, storage, and servers. They do not, however, work inside the host or application stack like existing solutions.

Largely, the market for a company like Evident.io was created, and continues to grow, as forward-thinking companies embrace cloud infrastructure but then wonder how they will handle security. They understand that they can’t take their familiar firewall servers and IDS boxes and ask Amazon to plug them into their new infrastructure. These cloud security platforms are a service developed specifically to detect vulnerabilities, assess risk, and offer remediation assistance that replaces the security hardware used in the on-premise data center. One of the benefits of these solutions is that, as you migrate to the cloud, your net spend on security will not necessarily increase; it simply moves from security hardware/software to security services.

When we probed Tim about his market sweet spot, it seemed apparent that Evident.io (and yes, we asked: .io is part of the branding; think Salesforce.com) was created by and for web application developers. His business is even built around the DevOps philosophies that stress communication, collaboration, integration, and automation. To be fair, he did point out that they have several customers running business applications on AWS that use Evident.io’s security platform, not just development firms. When questioned about this, Tim articulated how he sees little difference in vertical market segmentation since the threats and vulnerabilities are largely the same.

That being said, the benefits of automated security are best realized in a development environment. For instance, imagine a development team that has built an auto-scaling system on AWS. The auto-scaling is accomplished by utilizing blueprints (like a system image) and launching new instances as needed. If these blueprints include code that contains vulnerabilities, they automatically increase the risks as new resources are spun up. In high-scaling environments it is even more important that systems implement appropriate automated security controls.

What about PCI, HIPAA, or other compliance issues? Compliance is natively part of the platform because their security controls address a Common Control Framework (CCF) that solves many compliance concerns across numerous frameworks. Customers inherit these by default. Then they can customize the controls further and define them to handle more nuanced compliance needs.

One might think that what would keep Tim up at night would be the idea of the big security firms deciding they now want to dominate the cloud infrastructure security market, but he says “not so.” Before starting Evident.io about two years ago, Tim tried to get the big boys to see the vision of providing a security platform specifically designed for cloud infrastructure, but he says “they couldn’t get it.” Now, he says, they have a dream team in place and enough of a head start that he’s not worried. Spoken like a true entrepreneur.

Lest anyone mistake this report for a product endorsement, let us be clear that Brilliance Security Magazine did not use, try, or demo the Evident.io solution. We like what we’ve heard so far and we hope to see a demonstration of it at the Black Hat conference in a few days. We will certainly report any significant findings, in support of or otherwise, after that demonstration.

Steve Bowcut, CPP, PSP is a 30-year veteran of the security industry. He is a senior security consultant for Brilliance Security Consulting and acts as Editor-in-Chief for Brilliance Security Magazine. He can be reached at Steve.Bowcut@BrillianceSecurityConsulting.com. To comment on this article, please “Like” our Facebook page.