Lucidum, a startup founded by two former Splunk executives that uses machine learning to identify hidden IT assets for cloud and on-premise networks, emerged from stealth today and announced nearly $4 million in seed funding.
Lucidum is Latin for “bright tapestry” and refers to the tapetum lucidum – a thin layer of tissue on the eyes of some animals that collects ambient light and gives them night vision. Joel Fulton, co-founder and former chief information security officer at Splunk, told SC Media he originally came up with the name while traveling along the Amazon River in South America with his daughter and sleeping out in nature. With no light pollution, everything around them was pitch black except for the glowing eyes of some nocturnal predators who could see everything. He likens their machine learning algorithm to one of those animals, scouring a cloud or on-premise network with enhanced vision and spotting unaccounted shadow IT.
Fulton started the company with co-founder Charles Feng, who also worked at Splunk as head of security innovations and data sciences. While Fulton brings a security background, Feng “solves security problems with math” and helps design and tune the ML algorithm, which is still patent pending according to Lucidum’s press release.
The startup is coming out of stealth today with just under $4 million in funding from a variety of investors. Fulton said about $3.5 of that money comes from GGV Capital, while the remaining $500,000 was provided by Silicon Valley CISO Investments, an invite-only “angel investor syndicate” of Silicon Valley chief information security officers.
SVCI's website says it is "powered by GGV Capital" but in a statement sent to SC Media after publication, Oren Yunger, GGV Capital's head of cybersecurity investments said there is no formal financial relationship and SVCI is a completely separate entity, though they do co-invest in certain projects and GGV Capital provides some administrative support to individual SVCI investors on investment documentation. Fulton himself is among the more than 50 CISO investors at SVCI, as is Yunger, who is also joining the Lucidum board as part of the initial seed funding.
Like a lot of startups, Fulton said he got the idea from talking to customers at Splunk about their pain. In conversations with clients, he would ask them if they had a magic wand, which problem would they solve. Once they got past saving the world in various ways or implementing the current most fashionable tech, a common theme emerged.
“Everyone came back and said ‘you know, honestly I don’t know what’s in my environment, in my cloud or my network,’” Fulton said, later adding “What if we tried to solve the problem that everybody’s got, that everybody ignores?”
It sounds simple but having situational awareness over the devices, systems and data connecting to a network is something many organizations – from commercial companies to the federal government – routinely struggle to overcome. Each unaccounted device, data stream or unsecured cloud bucket represents a potential security time bomb nestled within a company’s network.
Over time, it becomes more and more likely that devices will go unpatched and create a wide open door into the network if it’s first discovered by a bad actor. According to research from IBM’s X-Force team earlier this year, the most common entry point for attackers targeting a cloud environment was through their cloud applications, with many vulnerabilities going “undetected due to Shadow IT.”
That is in essence the problem Lucidum’s algorithm is designed to solve. According to Fulton, it draws information from a wide variety of sources, pulling remnants or traces of data that can eventually used to triangulate and find its hidden source. The more shadow IT an organization finds, the quicker they can register and secure it, removing a weak point and shrinking their overall attack surface.
“One of the reasons we can do what we do is we collect data that people don’t expect us to collect,” Fulton said.
For instance, when a departing employee leaves the workplace and turns in their company-issued phone or laptop, IT often wipes the device and installs a new operating system, in some cases causing it to drop off their tracking radar. Lucidum can draw data from the source code to flag and label that now-hidden device.
They also have APIs that will collect network data flowing to O365, Salesforce, GitHub and other external or unaffiliated sources, collecting “login fingerprints” and identifying relevant users and systems who connected to them. The algorithm also does cohort matching, pattern matching and uses group analysis to identify and label data traces to correspond with the device they are most commonly associated with, like an iPad.
Of course, machine learning algorithms are not magic. They can be constrained by the data they collect, rely on inferences that turn out to be incorrect and they have blind spots depending on the environment they’re working in. Fulton said they don’t open customer files or decrypt SSL, calling Lucidum “the skinny guy at the buffet."
"We want to see all the data but we’re very parsimonious," he said. "We only pick through and select the characters that we need.” That can make it harder to identify malicious activities hidden in innocuous sounding files. The algorithm also relies in part on naming or classification schemes used by the individual organization, in some cases leading to labeling hiccups.
Fulton said the company has six customers now, and the majority of the seed funding will go towards engineering as well as marketing and outreach in the coming months.
“Our goal is to be a blue-collar software company," he said. "We do one thing: we discover all your assets, we do it better than anyone else in the world. We stay in our lane, we solve that problem and we’re done."