Protecting web users from direct attacks like crypto-jacking — an interview with Tala Security CEO and co-founder, Aanand Krishnan


1*KKR8xFWcSQAofhbYoV2mzw

If you were at RSA’s Innovation Sandbox this year, you may have seen Aanand and his team from Tala Security. They were demonstrating how their technology protects attacks against web browsers from being leveraged to steal data from secure web sites. Gula Tech Adventures invested in Tala Security last year as part of our focused on web security. As is tradition with many of our portfolio companies, I was able to catch up with Aanand and ask him interview questions.

What class of web attacks does Tala Security help prevent?
Tala protects against attacks that can happen either via a compromise on a website, any of the third parties that are integrated into the site, or even a compromised user. We target cross-site scripting, clickjacking, various types of code injection and man-in-the-browser attacks. We also have unique solutions for third-party compromises, and new and emerging threats like crypto-jacking.

A base component of your offering is creation of the Content Security Policy for your web server. How does Tala Security automate the creation of these for a complex web site that has lots of third party javascript is constantly changing?
Our analysis is very quick and we integrate with CI/CD pipelines to enable regeneration of a policy whenever the app changes. With respect to third party sources of javascript, this is a significant attack surface already and increasingly so. Tala tracks all third parties that you have integrated into you websites, determines reputations for these third parties, models their behaviors and uses this to detect and protect against a compromised third party that is serving your users malicious code, say crypto-mining code.

I run Tala Security on www.gula.tech and detected a visitor to the web site that had a variety of issues in their browser as you can see in the below screen shots. If I was running an ecommerce site or was offering secured private content, how could these security issues be leveraged?


1*RnTEokJvIDbLN0lIl_8InQ

Example real-world detection of visitors to www.gula.tech that had client-side web security issues

With Tala, your app sec team, your web security team or fraud teams can actually monitor attacks against all their web users, PC and mobile, in real-time. So if you’re an eCommerce company, this means that you can identify if your user experience is being attacked with malicious ads, competitors ads, link redirects etc. If you’re a bank, you can identify financial trojan attacks, or crypto-jacking attempts against your users and use that to adjust your risk metrics, enforce additional authentication measures etc.

What are the requirements of running Tala Security? Do I need to
operate my own web server?
Tala integrates seamlessly with your web server, load balancer or reverse proxy. We support all major technologies.

Where can users go to learn more?

There’s more information on our website at 
www.talasecurity.io. You can also request a demo via our site to see how Tala can help protect your websites and web apps.