The IT security community is a fluid one, with professionals changing jobs and adjusting to a continuously evolving threat landscape. Aaron Portnoy, a well-known and respected figure who until recently was the manager of the Security Research Team at HP TippingPoint and the Zero Day Initiative (ZDI), is a case in point: Portnoy is now a co-founder and VP of Research at a new security startup called Exodus Intelligence. In a conversation with eSecurity Planet, Portnoy explained how his new startup will be different from the work he did at HP.
"At Exodus we are able to focus on the vulnerabilities, the threats they pose, how to mitigate them, and subsequently analyze the trends that emerge," Portnoy said. "As we aren't supporting any products directly, we aren't distracted with development efforts -- especially for implementation-specific solutions."
Exodus Intelligence provides customers with a vulnerability intelligence data feed that contains a detailed analysis of zero-day vulnerabilities, their relative risk, proprietary vulnerability research, and recommendations for mitigation. One of the ways Exodus aims to set itself apart is by focusing on vulnerabilities that the company believes are likely to be exploited in the wild (as opposed to being simply theoretically exploitable). To that end, the company recently launched the Exodus Intelligence Program, which reviews and pays for new vulnerabilities submitted by security researchers. Because Exodus has no products of its own to support, the company is able to consider a wider range of vulnerabilities than some of its competitors.
"At Exodus our expertise is applied directly to helping our customers understand and apply the information we provide through our intelligence feed and not hindered by other business requirements," Portnoy said.
Another key focus for Exodus Intelligence will be on the quality of vulnerability disclosures rather than their quantity. Portnoy commented that the output of many vulnerability analysis firms seems to be measured by quantity and not by the realized impact of a threat. That's where the name of Portnoy's new company comes in, as the researchers believe that quantity is the wrong way to approach security. As such, they decided that it was time for an 'exodus' from the "checkbox security" mentality.
The new security startup has received venture capital funding that enables Portnoy and his partners to run the Exodus Intelligence Program and procure vulnerabilities. The company's business model is based on supplying vulnerability information in a consumable format that will enable its customers to apply vulnerability intelligence in their IT environment.
Competition for Vulnerabilities
There are multiple groups in the IT security business that provide financial incentives to security researchers for vulnerability disclosure -- including HP TippingPoint, VeriSign iDefense, Google, Mozilla, and others. Exodus will have to compete with many of them and will leverage a team that Portnoy said has over 30 years' combined experience procuring, analyzing, discovering, and exploiting vulnerabilities.
"Our goal at Exodus is to supply actionable information on vulnerabilities that we believe will be exploited," Portnoy said. "Other such groups are either buying information to fix their own products, or to bolster marketing and help sell defenses that are questionable in effectiveness given today's advanced threats. Simply put, we plan to deliver signal, not noise."
Going a step further, since Exodus' focus will cover a broad range of software, the company will be able to provide trending information that will help its customers make more informed decisions regarding their infrastructure.
"This applies not only to the information extracted through analysis of the vulnerabilities we procure, but will also be derived through our close relationships with many of the leading researchers in the industry," Portnoy said.
Aside from doing security research and buying vulnerabilities, one of the things that Portnoy is well-known for in the IT security industry is his stewardship of the annual Pwn2Own security challenge. It's an event that he may still be involved in at Exodus Intelligence, albeit in a different capacity.
"We have no current plans for starting a Pwn2Own-like event," Portnoy said. "However, we may be involved as competitors."