Whatever you do, don't press the big red button...

I’m not sure if anyone has figures to hand (or the desire to find out) exactly how many cyber security vendors there are out there, but some rough stats suggest that there are verging on 6,000 in the US and UK alone.

And that sounds curiously conservative to me, given how many thousands of start-ups emerge every year. When you consider that there are barely more than half a dozen different cyber security focus areas in reality, that amounts to an awful lot of vendors attempting to do – more or less – the same thing. It’s refreshing therefore, having spoken with the (most definitely) enigmatic Kai Roer of newly-launched Praxis Security Labs, to see a cyber security vendor with a different focus. In a similar vein to ‘Jackson Jeffrey Jackson’, saxophonist featured on the Fast Show’s “Jazz Club”, when asked by compere ‘Louis Balfour’ what’s different about you, to which he replies: “I don’t blow, I suck” Praxis, rather than creating a “me too” product to try and protect the user base, has generated a modelling technique which focuses on the behaviour of the user base when trying to navigate their way around their company’s security infrastructure.

In other words, it turns the focus 180 degrees to look at how users are interacting with their security tools. Depending on what stats you ingest, anything from 60% to over 90% of contemporary cyber security incidents are due to “human error”. However, Kai Roer suggests this is actually misleading, reasoning that the complexity of today’s attack methodologies, combined with inadequate security awareness training, means that a new approach is needed to enable a company to use its cyber defences properly. The primary aims of Praxis’ Navigator offering are to:

• measure, develop and constantly improve security culture across an entire organisation.
• mitigate against the exploitation and manipulation of humans to circumvent technological cyber security measures.
• communicate the business impact of risk, security and resilience to the business side of an organisation.

Fundamental to this approach, is the massive amount of siloed data that is not being analysed efficiently, or is simply being ignored. So, Praxis Navigator uses API-based integrations to access many of the key behaviour-related data stores in common use: MS Defender, Office 365, incident reports, phishing, and spam. Automating such processes can not only maximise use of that relevant data but, even where it is being analysed manually, can reduce that time from weeks or months, to hours, while reducing the burden on human resource. Navigator operations include the ability to:

• analyse an organisation’s unique human behavioural data.
• identify connections, behaviours and potential security risks specific to that organisation.
• interpret the results, based on cutting-edge research and best practices, to deliver recommendations and mitigation plans specific to the organisation and context.
• provide valid, useful metrics to track security interventions.

Somewhat ironically, Praxis Navigator is using exactly the same methodologies – pattern recognition and machine learning algorithms – as those kinds of xDR tools currently often being misused, in order to correct data inconsistencies automatically,  enhancing its accuracy over time. The idea is that this behavioural analysis data will enable a company to improve its security posture, maximise its existing security investment, and enable to user base to be correctly educated in terms of the threats and how to counter them – human risk management, in other words. Obviously, this is very early days for Praxis, but key roadmap directions include automating the interpretation of those unique risks to generate action plans to mitigate against the security risks it identifies and calculating the financial benefits and ROI of following the recommended courses of action. It all adds up to potentially helping the business side of organisations to better understand the impact of risk, security and resilience.

As the co-founder of the concept of CSaaS (Common Sense as a Service) for me the Praxis approach simply does that – makes sense. So, instead of panic buying yet more cyber security products and services to defend the company with (years ago even, Gartner reckoned that less that 20% of the cyber security products and services invested in by a company were actually active) why not look to maximise existing investment, while also improving the security infrastructure management, understanding the real risk and educating the user force in a more meaningful manner.

It will definitely be interesting to see how the company progresses, and what the uptake on the product is. Meantime, if you’re curious, Praxis is offering a free trial via its website: https://praxissecuritylabs.com/ – so don’t just take their (or my) word for it. Give it a go!