Perygee is bringing no-code ease to OT cybersecurity

This story was originally published on Friday Oct. 28, 2022 in my weekly IoT newsletter. 

This week, a three-year-old security startup called Perygee raised $4.75 million from investors that include some significant names in cybersecurity. The company says it has created a no-code cybersecurity platform that brings in data from devices on a network and marries that data with existing vulnerability data to alert and mitigate threats.

The idea is that mid-market companies and businesses without large security staffs can more easily manage and secure the devices on their IT networks, as well as set policies around solving basic security problems. Given the attention paid to cybersecurity in the last decade and the challenges associated with building out robust security, the time seems ripe for such a platform to start selling.

Perygee was founded by CEO Mollie Breen, a former technical project manager with the Department of Defense; and Mark Watabe, the former head of product at Tulip Interfaces, an industrial manufacturing software provider. The product is software that will run on a company network, monitoring devices for vulnerabilities and behavior anomalies.

What makes it different from the many other companies promising similar services is how much effort Perygee has put into making it easy to pull in data about the devices on the network and manage the constant influx of vulnerabilities and alerts. Breen says the software grabs data from private company resources — such as building management systems, existing CRM or workflow software, and networking gear — through existing libraries and APIs or integrations that Perygee builds for the client.

The private data might include information about what room a specific device is in, its software bill of materials, and even things such as the device maker and contact name of the person at the vendor. This private data is combined with public data from various vulnerability databases, vendor warnings or updates, and other sources. With Perygree, the security expert at a client no longer has to read a PDF of a vulnerability report, look in a database (if they have one) to see if anything on their company’s network is affected, and then figure out a mitigation strategy.

Instead, Perygree’s software can “read” the vulnerability reports, flag affected devices, and even implement predetermined policies to mitigate the issue. All of this is done via easy-to-understand dashboards that turn the work of reading a government PDF and figuring out how to implement a mitigation into an automated step.

This obviously helps companies that are understaffed on the security side. Breen says the current target market is mid-market businesses — such as hospitals, community colleges, and small manufacturers — as well as others who can’t afford security teams.

Breen calls this a convergence of IT and OT (operational technology) security, but on the IT side, the software isn’t protecting computers, but rather the network itself. It’s a subtle distinction, but one worth making because many cybersecurity incidents start with ransomware  on a computer. Sure, once the ransomware starts propagating across a network, this software might see it and stop it, but it’s not designed for that particular threat.

I still love the no-code approach to cybersecurity because it’s easy and because it will force companies to discuss the tradeoffs between securing their networks and operating their business. A benefit of no-code software is that anyone can use it, but to make software that anyone can use, all the underlying policy decisions have to be baked into the software ahead of time. This will force management to consider their goals, how implementing those goals will affect operations, and when to make exceptions.

And by doing this in advance while setting up the software, buyers will be forced to develop a security framework that isn’t just an ad hoc assembling of security software packages and reactions to their latest hack. At least, that’s my hope.