Michael Warnock, Aura Information Security's Australia country manager, said Aura started up in New Zealand in 2006 primarily servicing the country's government, before being acquired by Kordia to provide cybersecurity services to enterprise and government. The company began an Australian expansion two years ago.
Aura positions itself as a cyber advisory and assurance business, focusing on the mid-market – organisations of 20 to 200 employees. Warnock says the company can service organisations of other sizes but finds the mid-market is digitally transforming and engaging in cybersecurity conversations, while the "top end of town is quite mature, either they do cyber-security in-house or with partners already."
"Aura is having great conversations," he says, finding companies in this space haven't typically thought much about cyber security but are becoming more aware of their need to be through legislation like Europe's GDPR and Australia's mandatory data breach reporting.
Aura's original chief executive, Andy Prow, stepped out after the Kordia acquisition and created the RedShield product, which is distributed exclusively throughout ANZ through Aura.
Warnock explains, "Andy was doing penetration testing for government and would find he was giving the same report every six months. The needle wasn't moving on vulnerabilities. More and more work was performed online, more applications were being introduced, and the vulnerability list kept growing."
Prow thought there had to be a smarter way to help manage vulnerabilities, and created RedShield, essentially a bundle of existing security products that are delivered through a single managed service. This service sits between a user and a vulnerable Web application and API. Inside the routing between these, whether in the cloud or on-premise, RedShield has thousands of rules relating to the applications it has been assigned to protect, applying virtual patches on-the-fly.
What this means in practice is a Web application may have known vulnerabilities, but with RedShield sitting in the middle, the end user — or hacker — is presented with a version that does not have those vulnerabilities. Ultimately, it is best for the organisation to patch its application, but if it is unable to do so for whatever reason — compatibility problems, testing constraints, and so on — RedShield "will guarantee 100% mitigation against a known vulnerability", Warnock claims.
Australian customers include the Commonwealth Bank Health Services, StarTrack Express, and Australia Post. "Running with it provides them a mechanism to protect vulnerable critical customer-facing Web apps currently exposed to a cyber attack," Warnock says. "Nobody else is delivering a service like this."
This service, Warnock says, is "security with a service" — or SwaS — representing the product's continual research and development into new vulnerabilities.
"Customers should focus on fixing vulnerable applications and treat RedShield as a temporary fix, but it does allow companies to mitigate before they remediate," Warnock says.
The massive Equifax data breach in 2017 resulted from a vulnerability in Apache Struts. Equifax suffered from an archaic change management control that added 100 days to its patching process. By comparison, "RedShield customers were all shielded within a day of the patch [being] available", Warnock says.
Aura is currently reaching the Australian market by approaching businesses and through channels. "We are also about to announce a large association with a carrier, who will embed RedShield into their managed application security product," Warnock says.
The decision to adopt a security solution is not the domain of the IT department alone. "The boards need to be actively involved," Warnock says. "Security touches every part of the business. There is a fiduciary duty to be involved – mandatory breach reporting legislation means the board are wedded to the process and have skin in the game."