CORVID is a new Cheltenham-based security services firm that depending on your perspective is either a novel type of startup or an innovative way of reinventing an established brand to look and behave like one.
Up and running since October 2015, CORVID (the name is a reference to the Crow family) started life in 2013 as the newly-minted cybersecurity department of British FTSE-250 firm Ultra Electronics which in its long history has made everything from early TV sets to bits of WW2 bomber aircraft. Today, the group consists of 26 autonomous firms selling high-end defence engineering with CORVID itself at the core.
At first this approach is hard to get your head around. CORVID isn’t a spin-out because it still serves its parent firm’s divisions and barely resembles what is sometimes called the ‘spin-in’ beyond the fact that its IP is owned by its parent group. Driven by the boom in security services, the easiest option is is to label the firm as an unusual hybrid of the two approaches.
What CORVID offers is a security service built around a platform of modules providing incident response, malware and network detection, analytics and something it calls ‘attack surface management’. The point of this system is not to generate alerts as an end in itself but to build a bigger picture. The premise is that attackers are now impossible to keep out. The technology aims to spot threats at the earliest moment of compromise and stop damage before it gets out of hand.
“Our strangeness reassures them,” says CORVID’s CTO Andrew Nanson of the customer response to the company’s back story. “We’re not a fly-by-night company or funded by a VC looking to make a quick buck and get out of the business.”
It’s an interesting point that has bedevilled security startups everywhere. In the UK, buying a complex system for something as core as security from an unknown name would be almost unthinkable in some quarters. Having the backing of Ultra and its many global divisions gives CORVID a track record and sense of stability and permanence other newcomers might struggle to emulate.
Nanson is scathing about the era of security products that seems to be dying on its feet. Many products look the part but have turned out to have numerous problems, including simply being too complex to manage.
“We came to the conclusion that there is no product that is going to achieve security,” he says bluntly before noting that the market has become hypnotised by the idea of compliance as an end in itself.
In his view the problem is simply that security was captured by a narrow group of security vendors that fell behind the attackers. The tidal wave of data breaches is an obvious result of this flawed thinking.
“People were buying SIEM technologies, some ridiculously expensive. But they didn’t stop you being compromised in the first place,” says Nanson.
“Buying products doesn’t solve your problem. If it makes your infrastructure more complex all it does it makes it harder to spot attackers. You have people with a little knowledge [defenders] trying to combat people with a lot of knowledge [attackers].”
Nanson’s CV includes stints as chief security architect and resilience with Vega (now part of Selex AS), where he worked on NATO’s computer incident response capability. Before that he helped to design the Met’s Police Counter-Terrorism Hi-Tech Forensic laboratory.
It is no surprise to learn that CORVID has based itself within shouting distance of GCHQ in Cheltenham with a ready supply of qualified techies to draw upon.
CORVID - architecture
Nanson is willing to discuss the technology CORVID has developed and on which it bases it manages services. The firm adopts an active approach, constantly looking for malware it assumes will be there, rather than waiting for something to trip an alert. Malware is simply one indicator. By the it is noticed the damage will have been ongoing for some time.
The traffic in and out of the customer is also filtered down to DNS nameserver level with analytics carried out on what Nanson calls a Very Large Repository (VLR), a database that sits at the heart of its operation, interpreted by analysts and fed by network sensors.
Essentially, it’s an updated version of managed services, taking the problem away from large enterprises and governments who no longer feel qualified to do what is now seen as a highly specialised task. The response window Nanson aims to meet is 48 hours in a business world where compromises can take weeks or months to be uncovered and understood. That sort of timescale is now a complacent luxury.
“We answer the question no anti-virus can answer – how did the attacker get in?” says Nanson.
Does it stack up for originality? A surprising number of the new technologies that have emerged from the US in the last three years are basically analytics systems that aim to look a bit harder at data that might once have been a simple statistical battle to sift real alerts from false positives. Now it’s become much more about a process of evolution, of updating the threats that are looked for as they are deployed.
Working out who has a lead in this area of not easy - everyone claims they’ve found the magic algorithm. The test is clear. If by 2018, the rate of data breaches has not slowed down among firms deploying analytics systems that go beyond basic SIEM then just being clever about compromise hunting will be as much a failure as all the older tech it is replacing.
One advantage that services might have is that they are much harder for the attackers to reverse engineer and can apply learning in nearly real time. If an analyst uncovers an attack trick one day his or her knowledge of that is in service by the next morning without the need to create a signature.
So far the firm has found some joy among early adopters of this kind bespoke service suits, including financial and wealth management companies and banks. There has also been interest from governments.
It’s a lot for a startup to take on, even one that had more than two dozen customers from day one. The plain fact is that very few new firms in the UK with any track record are doing this sort of thing, leaving managed security services up to established consultancies. Embedded inside a large brand CORVID could offer better-known firms the sort of competition startups can rarely put up. A world where large UK organisations hand their security and compromise monitoring to companies such as this isn’t here but it could be coming.