By Dennis Kneale
“Is it safe?”
That scary question is posed in a gripping scene in the film “Marathon Man.” It is asked by a Nazi war criminal (played by Sir Laurence Olivier) as he uses dental tools to torture and interrogate a murdered CIA agent’s clueless younger brother (Dustin Hoffman).
Is it safe? Turned out the answer was no, which pretty much sums up the current state of affairs when it comes to cybersecurity. It isn’t safe, it is getting even less so, and for too long a lackadaisical lack of vigilance has afflicted vendors, customers and users alike.
“Everybody is getting attacked, and even the biggest, most sophisticated guys are getting hacked, too. There’s no safety out there. Nothing is safe,” says Alex Polvi, chief executive of CoreOS, which makes a security-centric Linux operating system. We now have “two types of companies,” says George Kurtz, CEO of CrowdStrike: “Those that have been hacked, and those that haven’t figured it out yet.”
But the cavalry is comin’. Private enterprise and venture capital are fueling a new wave of cybersecurity innovation, promising an arsenal of modern weaponry designed to detect threats, adapt and morph as enemy tactics change, and update itself and anticipate the next attack.
“I’m very confident we can fix this,” says Gaurav Banga, co-founder and CEO of Bromium, a cybersecurity shop. “I might be alone in saying all is not lost, but I truly believe we will innovate our way out of this mess.”
Bromium, CoreOS and CrowdStrike are among half a dozen early-stage cybersecurity firms that will be showing off their latest stuff at The Montgomery Summit presented by Macquarie Capital and slated for March 10-11 in Santa Monica, CA. (I’ll be the MC.)
They convene just as tech firms and their business clients are getting more serious about IT security, rattled by the recent debacle at Sony Corp. Hackers infiltrated the company network and set up for months, destroying data, stealing unreleased films, shutting down the computer and phone networks and disclosing embarrassing emails that had Sony movie brass saying snarky things about the talent. Whoops.
“That’s upping the ante for companies. Boards are looking at this thing thinking, ‘Hey now, could I be the next Sony?’” says CrowdStrike’s Kurtz. Robert Ackerman, founder of Allegis Capital, which invests in cybersecurity fledglings, notes: “What motivates people, fear or opportunity? Often it’s fear, and right now there’s a lot of well-placed fear.”
Up to now, businesses haven’t been paranoid enough. J.P. Morgan Chase likely is one of the fattest, richest targets under the most attack, yet it spends only a quarter of 1% of revenue on cybersecurity, notes Donald More, managing director at investment bank Signal Hill. That comes to $250 million a year. “They spend more advertising in sports venues than they do on security,” he says. (Now JPM plans to double that sum.)
Bromium’s Banga says less than half of corporate customers are spending enough to counter the risk they face, and “less than 10% are spending it on the right things.” “The tragedy, the challenge, is spending it right.” Trash-talking, he takes a swipe at the grandpappy of cybersecurity, McAfee: “The problem is a lot of people still believe as long as they buy McAfee, their job is secure. If that were enough, why do we see all these breaches?”
Nowadays some 200,000 new unique pieces of malware are created every day, overwhelming McAfee-style, anti-virus defenses. “The failing of the industry as a whole is it believes there is a malware problem,” says CrowdStrike’s Kurtz, himself a seven-year veteran of McAfee, which bought a security outfit he had started. “The reality is we don’t have a malware problem, we have an adversary problem.”
Taken together, the 21st century anti-hacker schemes of Bromium and other innovators at Monty mark a dramatic departure from the way network security has worked for decades. Their assumption is you’ve already been hacked, the bad guys are camping out inside your network. The key is to sift them out, neutralize them and repel them, and to alter and adapt your defenses rapidly and broadly to keep up with the virality of the enemy
Thus CrowdStrike ties the search for advanced malware to other clues of “adversary activity,” the known techniques hackers use inside a network. It processes and scrutinizes three billion “events” every single day at more than a hundred customer sites (one server can spew out a million or more events in a day). A newfangled “graph database” links and cross-pollinates disparate kinds of information from an array of different sources with an eye on detecting intrusions. Facebook uses a similar technology to let, say, a New Yorker visiting Colorado instantly find which of his friends are nearby, but pick out only the ones who also like snowboarding and weed.
E8, another Monty presenter, deploys technology and techniques used by Google, Netflix and Amazon. “Netflix can recommend a movie, Amazon a book, Google knows what you’re searching, all enabled by machine learning and recommendation assistance, self-learning and analytical methods. That is what we are trying to bring to cybersecurity,” says Ravi Devireddy, founder and CEO of E8.
Every day, big companies and giant banks get thousands of alerts saying their systems are being hacked, overwhelming their limited security staffs. “The alert storm, we call it,” Devireddy says. Yet hackers already have set up inside many companies, undetected for weeks or even months. Last year, the typical intrusion lasted 223 days, he says. At Sony, the break-in happened months before any notice of it.
To ferret out the bad guys, E8 uses AI, machine learning and “behavioral anomaly detection” to mine its way through Big Data and identify anything that looks suspicious, self-learning what is normal and what’s fishy.
That’s deep inside the network, but 70% of all break-ins occur at the endpoint out on the edge, where users and web-surfing and dreaded email attachments intersect. Bromium focuses there and likens its approach to hospitals’ use of disposable gloves to reduce the spread of infection.
Bromium creates a distinct, separate “virtual machine” for each and every task each user performs, thousands upon thousands of “micro-VM’s” every day, one for each email, web-page visit, etc. Each evanescent micro-VM lives fleetingly and disappears instantly as the command it envelops is completed, thus malware and other offenders can’t slip into the network by hitching a ride onboard a micro-VM. A user will run through hundreds of these virtual PC’s in a day.
“Our secret sauce is being able to support those hundreds of VM’s, creating them and being able to destroy them really fast, in milliseconds,” says Gaurav Banga of Bromium. A virus can’t infect the host if the host doesn’t exist long enough to carry it.
McAfee-style virus detection is akin to a bouncer who admits approved guests but fails to monitor their behavior once they are “In Da Club” (as the rapper 50 Cent put it). At Prevoty, “We are that SWAT team that goes into the club looking at you in real-time and preventing you from doing malicious stuff,” says CEO Julien Bellanger.
Prevoty tries to bulletproof at the applications level. It has patented a “contextual behavioral and lexical analysis engine” that learns how various tasks should interact with applications and then isolates and rejects commands when anything smells suspicious. It then uses the cloud to make a system-wide fix instantly while an application still is running, rather than wait a few months for developers to zap out a patch.
The whole security market, pegged at almost $60B for 2015, 60% services and 40% products, seems ripe for a round of rollups. The business is fragmented and filled with niche players with arcane specialties. Some 27 security software vendors have sales of $150MM or more, yet the Top 10 combined hold less than 50% of the market, according to an IBM report. (You can read it here: http://ibm.co/1ynFs5i)
IBM, #3 in cybersecurity to Cisco (#1) and Symantec (#2), already has begun doing its own rollup, notes Donald More of Signal Hill. It has snagged five deals in four years, including Q1 Labs for a reported $700MM.
Now, “There’s going to be a lot more integration, because the existing point solutions aren’t enough by themselves,” says Venky Ganesan of Menlo Ventures. Menlo reaped nice upsides in Q1 and Ironport, a security outfit bought for $900MM by Cisco in 2007. The firm bet on Palo Alto Networks at a $70MM valuation, and it’s now public at a $10 billion market cap—a 140-fold return. “I think it’s going to double from here,” he says.
This consolidation wave boosts the prospects for fast exits and rich returns for upstarts like those seeking investors at Monty. No wonder the cyber guys are getting a little cocky.
Cybersecurity Presenters at Monty so far:
Cover image taken from Modulo, http://modulo.com/solutions/smart-government/cyber-security-for-critical-infrastructure/