Pure play companies must evolve, or else — Imperva CTO

In the current enterprise landscape, there is a tool or solution for every security issue, be it API, cloud, or on-prem. Given the multitude of cyberthreats that continue to multiply every second, businesses cannot afford to be complacent. However, the complexity resulting from stitching together too many security solutions is becoming unmanageable.

Kunal Anand, the Chief Technology Officer and Chief Information Security Officer of Imperva, is aware of this dilemma. He believes many pure play security vendors will no longer be able to remain as such within the next year.

Anand sat down with Frontier Enterprise for a chat on the sidelines of the GovWare event in Singapore.

Can you share a bit about your transition from the BBC, to founding your own company, Prevoty, up until Imperva’s acquisition of Prevoty?

When I was at the BBC, we were using different types of technology, including cloud firewalls and network firewalls. Despite this, we kept having significant application attacks. I realised that even though I was buying top-tier technology, attackers were still finding ways to circumvent our defences. Preparing for the 2012 Olympics was a critical driver for us; it pushed both BBC Public Service and BBC Worldwide towards a comprehensive digital transformation. During this phase, we transitioned resources from an on-prem data centre to AWS. At that time, our use of AWS was in its early stages. We were among the early adopters of programming languages like Go and Node.js, even before Node.js reached version 1.0. All these efforts, however, led us to realise that the prevailing security solutions weren’t enough to keep the bad actors out. One particular challenge was getting developers within our organisation to care about security.

Kunal Anand, Chief Technology Officer and Chief Information Security Officer, Imperva. Image courtesy of Imperva.

The idea of Prevoty was inspired by the question, “Is there a way you could take the essence of something like a firewall, and put it directly inside an application?” The goal was to achieve this without requiring developers to change a line of code. That’s the Holy Grail, right? It’s either someone in operations, or it’s a plugin. If you can bring in a plugin from a third-party library, you should be able to bring in something. What’s awesome is that we didn’t coin the term RASP (runtime application self-protection) when we started the company.

I met my co-founder, and together we launched Prevoty in 2013. The first year was incredible. We raised about US$750,000 in our angel round and generated over a million dollars in revenue, all in less than a year. This success showed us we were onto something significant, but we didn’t know how to fully scale that business. We knew that people cared about application security, suggesting that our approach wasn’t as contrarian as we thought. People were seeking new methods of securing applications. As we continued to develop our product, the term RASP began to gain traction in the industry, and Prevoty emerged as a leader in this space. RASP solutions started being viewed as either complementary or as a replacement to web application firewalls. This shift in perception indicated that our approach was more than just a rogue contrarian disruption; this may have some legs. Our solutions began replacing traditional web application firewalls in customer environments, displacing our competitors. That’s when Imperva came knocking. Imperva did such an incredible job pioneering web firewalls but they didn’t have something inside the application stack.

How was your role in Prevoty different from when you started at Imperva?

When Imperva acquired us, the initial approach was to create minimal disruption and keep the core team intact. When I joined in 2018, I never imagined becoming the CTO of Imperva. My focus was on growing the company, and I would have been content doing that. However, our CEO at the time offered me Imperva’s CTO role. My career had been mostly in application security up to that point. I told him, “Listen, if this is something you want me to do, you’re going to have to invest in me, so I can learn the other parts of our portfolio, but more importantly, understand how customers are using our products.”

By January 1st, 2019, I became the CTO of Imperva. That year, I travelled extensively to see how customers were using our products and solutions. Around the same time, Thoma Bravo acquired Imperva, transitioning us from a publicly traded to a private equity-held organisation. This shift brought significant changes in scale and product portfolio. I learned a great deal in that first year and am grateful for the opportunity.

My remit now is totally different. My days are all over the place. I’m now in a global role. Prevoty wasn’t a global company but now, I wake up around five o’clock in the morning every day. My first call is at 6 am daily. Living in Los Angeles, I spend the first few hours of my day on calls with colleagues in Europe and the US East Coast. Then, as my day progresses into morning and early afternoon, my focus shifts to calls and work related to Latin America. In the afternoon, when Australia, Japan, and Singapore come online, I’m there, and then I’m working with our teams in India in the evening.

I am still very technical – I still prototype some things. However, I’m no longer writing code that’s going into production; I’m not that guy anymore. What I focus more on now is, “Where are we going? Where’s the industry headed?” I also spend time hearing from customers what they want to do, which helps in designing and crafting a strategy for our product portfolio. I spend a lot of time there.

Given the current fragmentation in the security market, what do you foresee in the near future?

A year ago, my role expanded to include CISO responsibilities, in addition to being CTO. When I say CISO, it’s a little bit different from other vendors. For most, when they say CISO at a security vendor, it’s code for a sales role. I’m a real CISO. I’m actively managing our risk register and risk framework. Just this morning, I had a meeting with our cyber committee, walking them through our Q3 risk register.

I think there is so much uncertainty from the macroeconomic perspective, globally. In my discussions with peers in EMEA, APJ, APAC, and North America, I’ve observed that every CISO is reducing their cybersecurity spend. I haven’t encountered a single CISO who is currently increasing spending. Instead, they’re all looking to optimise their portfolios. There are a million companies in these categories, and some of these categories make you wonder, “Are they really categories?”

You have to ask yourself, how much of this is created by zero-interest rates? Zero-interest rates mean you need to invest capital, including a lot of VC money that’s been on the sidelines. You have many smart people and teams with good ideas, but the critical question is whether these ideas can transform into a large business or market. For example, with RASP – the company that I built with Prevoty – you can establish a good market, but it’s not on the same scale as a large market like WAF (web application firewall).

I’ve been coming to GovWare for over three years now, both virtually and in person. From what I’ve seen, I predict that about 25% of the vendors and start-ups here might not be present next year as pure players. In some categories, the landscape for pure-play companies is changing. Take API security, for instance: API is important. When COVID started, API traffic constituted around 20% of all internet traffic. We monitor this closely through our extensive global network, handling trillions of requests monthly. The pandemic has accelerated a shift in this dynamic. Now, API traffic comprises 80% of all internet traffic.

What’s super crazy is when you think about these point solutions in the context of the actual threat landscape for APIs. One of the big challenges with APIs is dealing with bots. In general, bots constitute 50% of all internet traffic, and about half of those are bad bots. Applying this to API traffic, which now accounts for 80% of all internet traffic, means that 40% of it is bots. That’s insane to me. It means that 20% of API calls, or one out of every five, is a bad bot attack on an API. This situation poses a serious problem for point solutions in API security. If you’re any one of these point solutions doing API security, you legitimately are not correctly handling bad bot traffic, which makes up 20% of the work that you do. I’m sorry, I don’t know any CISOs or CIOs who would be okay with a solution that has a failure rate of 20%.

This leads back to the broader issue: There are too many point solutions out there, and they need consolidation. Our intuition in 2020 led us to acquire a company specialising in API security, and we successfully integrated it. Now, when we discuss with clients, we present it as a unified space, not just WAF anymore. When I joined Imperva, it was about WAF and DDoS. Now, it’s WAAP—web application and API protection. But it’s more than that; it includes network DDoS, layers three and four, web DDoS, layer seven, web application firewall, API, bot management, and client-side protection. All these pieces come together.

Finally, what’s the most exciting stuff happening over at Imperva’s labs?

I think firstly, it’s no longer just about building new sensors. What’s critical now is providing insights, giving CIOs and CISOs real visibility, and demonstrating the actual value of what’s happening. In the coming years, CISOs will struggle to justify the value of their products and technologies. At GovWare, you see many people talking about sensors to block or stop attacks. But how many are showing the return on investment? Our short-term focus is on demonstrating this value.

Of course, there’s a lot of disruption around our threat research team, particularly their use of AI. We’ve been ahead of large attacks and supply chain issues thanks to our global network. Our portfolio already incorporates all sorts of machine learning, a field in which we’ve been investing since 2018. When you think about it, there’s statistical analysis, there’s machine learning, and now the world is trying to figure out deep learning, right? These models help us detect novel attacks in the wild, and our threat research team develops hundreds of rules daily to protect our customers, often from zero-day attacks they aren’t even aware of.

Another focus area is the challenge of stopping generative AI attacks. Right now, we’re investing heavily in figuring out this aspect of our stack. Consider a scenario where traditional detection methods like capture farms aren’t available, and where you don’t have highly detectable classification systems. In such a situation, where the attacker looks and acts like a normal human, how do we identify and understand what’s really happening? These are the meta challenges we’re currently tackling.