Today, we are thrilled to unveil Gem Security. Gem provides the industry’s first cloud threat detection, investigation and response (cloud TDIR) platform, giving security operations teams the context they need to respond to cloud threats quickly, efficiently and with confidence.
We began building 9 months ago, starting with an $11 million funding round led by Team8 and joined by leading angel investors in the cybersecurity industry. Our product has been deployed in customer environments for the past several months, and our solution is already changing the way organizations stop attacks in the cloud.
But our journey started long before that.
A bit of background. Before Gem, we worked in incident response, helping large organizations investigate and contain high-profile security breaches. Over the years, we started noticing patterns. Organizations often had tools like EDR to protect endpoints and workloads, including those hosted in the cloud. Attacks there could be severe, but the tooling gave organizations a solid platform to respond, and we usually had the information we needed to conduct our investigation. Over time, though, more and more of our cases involved the cloud-native infrastructure itself - key management systems, serverless functions, identity and access management, and more. Organizations rarely monitored this layer and struggled to understand how to respond when it was attacked. As a result, by the time we were called in, it was often too late.

Ron, Ofir and I met in Israel’s elite military technology unit 8200 - the equivalent of the NSA in the US - leading teams of attackers tasked with breaking into some of the most fortified networks in the world. Everything in our experience as both attackers and defenders told us that the industry needed new tools for cloud security operations. And so the idea for Gem was born.
We spoke with hundreds of CISOs and security operations leaders about their pain points in cloud security, and a common pattern emerged. Organizations were moving workloads to the cloud faster and faster, but only one half of the security team was keeping up. Tools like CSPM and practices like infrastructure as code let DevSecOps teams get a handle on prevention, putting guardrails in place to ensure the cloud was built securely. But no environment is ever perfect, and when security operations teams had to respond to real alerts in the cloud - when organizations were actually under attack - the wheels fell off.

Cloud workloads were constantly spinning up and down, and enterprises kept changing their architectures, adopting new services on AWS, Azure, and GCP every week. Operations teams struggled to work out which telemetry they needed to detect intruders in their infrastructure; even knowing which logs to turn on was a challenge. When they did turn them on, they were swamped with massive volumes of data that legacy technologies could not model in a way that made sense (and they were stuck with a massive IaaS bill at the end of the month).

When alerts triggered in the cloud, analysts struggled to get enough context to take action. Faced with a suspicious action on-prem, an analyst might find a username and an email address right in the log, and could reach out to that person to confirm. In the cloud, the same event might carry only an opaque principal ID minted by a SaaS identity provider; the mapping from that ID back to a person lives in a different set of logs that may or may not be enabled. So who is the analyst supposed to email? Answering that required a whole series of manual investigations in the SIEM, and an entire afternoon during which an attacker might be moving laterally through the environment undetected.
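To make the attribution gap concrete, here is an added example (not Gem's code, and not from the original post) that resolves the actor behind AWS CloudTrail events. An IAM user event carries a user name directly; an assumed-role event carries only the role and a session name chosen by whoever called AssumeRole, so the human behind it can only be recovered by joining against a separate identity-provider record. The three events, the account ID, ARNs, and the `IDP_SESSIONS` export are all constructed for illustration.

```python
"""Attribute CloudTrail events to a person, flagging those the log alone cannot resolve.

Added example, not Gem's code. All events, ARNs, account IDs and the
identity-provider export below are constructed for illustration.
"""
import json
import re

# Constructed stand-in for an export from the SaaS identity provider (IdP): maps
# the role-session name the IdP stamps on a federated session to a person. In a
# real environment this lives in a separate log source (IdP audit log or SSO
# directory) that may not be enabled at all, which is exactly the gap analysts hit.
IDP_SESSIONS = {
    "a.nguyen": {"email": "a.nguyen@example.com", "manager": "j.doe@example.com"},
}

# arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")


def attribute_actor(event: dict) -> dict:
    """Return who performed `event` and whether the log alone settles it.

    Keys: principal (identifier CloudTrail gives us), person (name/email or None),
    source (where the mapping came from), ambiguous (True when no human can be
    named from the available data), plus role/session_name for assumed roles.
    """
    ident = event.get("userIdentity", {})
    kind = ident.get("type")
    result = {"principal": ident.get("arn"), "person": None,
              "source": None, "ambiguous": True}

    if kind == "IAMUser":
        # Human-readable user name is right in the event, like an on-prem log.
        result["person"] = ident.get("userName")
        result["source"] = "cloudtrail.userIdentity.userName"
        result["ambiguous"] = False
    elif kind == "Root":
        result["person"] = "root"
        result["source"] = "cloudtrail.userIdentity.type"
        result["ambiguous"] = False
    elif kind == "AssumedRole":
        # Only the role and an opaque session name are present. Whether the
        # session name identifies a person depends on who issued the session.
        m = ASSUMED_ROLE_ARN.match(ident.get("arn", ""))
        result["role"] = m.group(2) if m else None
        result["session_name"] = m.group(3) if m else None
        idp = IDP_SESSIONS.get(result["session_name"] or "")
        if idp:
            result["person"] = idp["email"]
            result["source"] = "idp_export"
            result["ambiguous"] = False
        # Otherwise the session name was picked by the caller of AssumeRole (a
        # workload, a CI job, or an attacker), so it stays ambiguous.
    elif kind == "AWSService":
        result["principal"] = ident.get("invokedBy")
        result["source"] = "cloudtrail.userIdentity.invokedBy"
    return result


# Constructed CloudTrail-style records (trimmed to the fields used here).
EVENTS = [
    {"eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "principalId": "AIDAEXAMPLE1",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "GetSecretValue",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLE2:a.nguyen",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AdminAccess/a.nguyen",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role",
                          "arn": "arn:aws:iam::111122223333:role/AdminAccess"}}}},
    {"eventName": "PutBucketPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLE3:i-0abc123",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebServerRole/i-0abc123"}},
]


def triage(events: list) -> list:
    """Attribute every event and surface the ones that need a manual IdP lookup."""
    return [dict(attribute_actor(e), eventName=e.get("eventName")) for e in events]


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(json.dumps(row))
```

The third event is the case the text describes: the ARN names a role and an instance-shaped session name, and nothing in CloudTrail says which human (if any) is behind it, so the row comes back `ambiguous` and the analyst would have to pivot to the IdP or EC2 logs to go further.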
Cutting and Polishing
Gem solves these problems with industry-first cloud TDIR. Our agentless solution starts with preparedness: within minutes of deploying in an environment, we build a complete asset inventory and map all available telemetry against MITRE ATT&CK, so security operations teams know exactly which logs they need to enable for visibility over their environment. Gem’s proprietary detection engine blends TTPs drawn from our own experience in the trenches of incident response with behavioral analytics informed by our attacker perspective, into a complete solution for finding threats in the cloud. When alerts do trigger, Gem provides an intuitive interface for triage, fusing context from across the entire cloud environment to give analysts automatic next steps and let them visualize an attack in progress. Once you find the root cause, we provide response automation to contain the threat. And lastly, we don’t aim to be (yet) another “single pane of glass.” Gem is API- and integration-first, and we’ll work with your SIEM, SOAR, or any of your other security tools so that your workflow is enhanced rather than disrupted.
Ready to Shine
Today, we have already grown to 20 people, distributed between Tel Aviv and New York City. Our team is made up of top-tier talent eager to change the game for security operations. We are already solving real pain points for customers in production environments, and we are becoming their go-to platform for understanding and stopping threats in the cloud. This is just the beginning; our solution is poised to change the game for the SOC, and we’re looking forward to what’s to come.