
Obsidian Security Raises $90M to Safeguard More SaaS Apps

Funding Will Help Obsidian Security Stop Session Hijacking on More Platforms
Hasan Imam, CEO, Obsidian Security (Image: Obsidian Security)

Obsidian Security has closed a Series C funding round to prevent session hijacking on more platforms and increase the number of SaaS applications being defended.


The Newport Beach, California-based SaaS security and posture management vendor wants to go from protecting 25 major SaaS applications today to safeguarding hundreds of SaaS applications in a year or two, CEO Hasan Imam tells Information Security Media Group. The $90 million round was led by Menlo Ventures, Norwest Venture Partners and IVP, and brings Obsidian's total financing to $119.5 million.

"The industry is just starting to recognize the scope of the problem related to SaaS security," Imam says. "It's a massive set of topics that makes this complex. To really solve this problem, you need the solution to be very comprehensive."

Safeguarding Bespoke Apps

Imam says Obsidian plans to use the funding to create a framework that allows organizations to protect not only slightly less ubiquitous SaaS applications such as Dropbox but also the thousands of nonpublic SaaS apps that enterprises use to run their own businesses. The investment will take advantage of Obsidian's knowledge of the threat surface area to ensure that the integrations between SaaS apps are secure.

The largest SaaS applications - Salesforce, ServiceNow and Office 365 - are truly platforms with their own configuration methods and privilege models, and Obsidian needs to unpack those platforms into their base elements to truly understand what types of threats the apps are vulnerable to and what risks they need to think about, Imam says. Making the investment to do that for core SaaS apps is necessary.

But for SaaS applications that are neither as significant in enterprise environments as Salesforce and ServiceNow nor as complex, Obsidian plans to create a simpler defense model that can scale much more easily. Pre-building integrations for the thousands of nonpublic SaaS apps used internally by enterprises would be impossible since there'd be no way for the company to get a return on its investment, he says.

The framework Obsidian will build with the Series C funds will allow enterprises, systems integrators or members of the developer community to get protection for bespoke apps without Obsidian having to significantly invest, Imam says. Instead, customers will plug into a set of APIs that leverage Obsidian's experience and data to protect the 250 or 300 SaaS apps that most large enterprises use routinely.

"These SaaS applications live on an island," Imam says. "They are not within the perimeter. The privileges are set in a decentralized manner by administrators that don't sit in the CIO organization … We provide a view of what's on that island relative to their enterprise and a centralized way to see the risks and the threats to that island that they are so dependent on."

Avoiding Account Takeover

Obsidian built a solution 18 months ago that prevents attackers from taking over user accounts on Azure Active Directory and Okta, and the company wants to extend its session hijacking protection capabilities to other identity and access management platforms. The company wants to guard against more session hijacking scenarios since it's one of the primary ways hackers compromise SaaS application accounts.

The company also wants to build up its defenses around API integrations, OAuth integrations and the reuse of legitimate certificates to access SaaS apps, Imam says. For instance, Russian foreign intelligence service, or SVR, hackers compromised a legitimate Mimecast certificate used to authenticate several of the company's products to Microsoft 365 Exchange Web Services as part of the SolarWinds campaign.

Given that OAuth integrations and valid certificates can be breached by attackers to get into core SaaS applications, Imam says Obsidian wants to invest in giving customers deeper and more comprehensive coverage in those areas.

Imam says Obsidian also wants to enhance its understanding of and visibility into SaaS application data so that the company can provide more granular privilege management. Today, Imam says, businesses don't know how much of a SaaS application a user is actually tapping into after they've been granted initial access.

With the Series C funding, Obsidian plans to pull together the activities a user is involved in, the privilege model, the configuration model, and the integration between SaaS apps and correlate all that data to tell CIOs how over-privileged users are in relation to the activities they actually undertake on a daily basis. Having all that data in a single structure will make it easier for Obsidian to correlate the data.
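The correlation Imam describes, comparing what a user is entitled to do against what they actually do, can be sketched in a few dozen lines. The following is an added illustration, not Obsidian's code or data model: the privilege grants, the audit-log format and the user names are all constructed here. It builds a per-user picture of which grants went unexercised inside a lookback window (the over-privilege signal a CIO would want) and also flags the reverse case, an action in the log that the privilege export does not account for, which usually means the configuration model is incomplete.

```python
"""Correlate granted SaaS privileges with exercised privileges (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: privileges granted per user, as a SaaS admin console might export them.
GRANTED = {
    "alice": {"records.read", "records.write", "reports.export", "users.manage"},
    "bob":   {"records.read", "records.write"},
    "carol": {"records.read", "users.manage", "integrations.manage"},
}

# Constructed audit-log lines in the form "<ISO timestamp> <user> <privilege exercised>".
AUDIT_LOG = """\
2023-05-01T09:12:00 alice records.read
2023-05-01T09:15:30 alice records.write
2023-05-03T14:02:11 bob records.read
2023-05-03T14:05:45 bob records.write
2023-05-07T08:30:00 carol records.read
2023-05-10T11:00:00 bob reports.export
not a valid line
2023-05-20T16:45:09 alice records.read
"""

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2023, 5, 31)


def parse_audit_log(text):
    """Yield (timestamp, user, privilege) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def correlate(granted, log_text, now, window_days=30):
    """Build a per-user report of unused grants, unaccounted-for activity and an over-privilege ratio.

    A grant counts as used only if exercised within the last `window_days`; activity
    outside the window is treated like no activity, so stale grants surface too.
    """
    last_used = defaultdict(dict)  # user -> privilege -> most recent timestamp
    for ts, user, priv in parse_audit_log(log_text):
        prev = last_used[user].get(priv)
        if prev is None or ts > prev:
            last_used[user][priv] = ts

    cutoff = now - timedelta(days=window_days)
    report = {}
    for user, grants in granted.items():
        seen = last_used.get(user, {})
        used_recently = {p for p, ts in seen.items() if ts >= cutoff}
        unused = grants - used_recently
        # Activity the privilege export cannot explain: a gap in the configuration model.
        ungranted_use = set(seen) - grants
        report[user] = {
            "unused": sorted(unused),
            "ungranted_use": sorted(ungranted_use),
            "over_privilege_ratio": round(len(unused) / len(grants), 2) if grants else 0.0,
        }
    return report


def example_report():
    """Run the correlation over the constructed data above."""
    return correlate(GRANTED, AUDIT_LOG, NOW)


if __name__ == "__main__":
    for user, row in sorted(example_report().items()):
        print(f"{user}: ratio={row['over_privilege_ratio']} "
              f"unused={row['unused']} ungranted_use={row['ungranted_use']}")
```

In this toy data alice holds four grants and exercised two, so half of her entitlement is idle; carol's ratio is higher still. bob's `reports.export` entry is the interesting edge case: it is a privilege the export never listed, which is the kind of inconsistency between the configuration model and observed activity that only shows up once both are held in one structure.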

"The solution has to be comprehensive and deeply contextual," Imam says. "This funding helps us ensure that we have comprehensive coverage of the SaaS ecosystem and continue to build deep context."


About the Author

Michael Novinson


Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.



