Despite security concerns, businesses are growing more confident in adopting cloud-based services, and in addition are investing more in corporate mobile devices while also allowing employees to use their own in bring-your-own-device mode at work. So it's not surprising that recent security startups are zeroing in on things such as encrypting data held in the cloud or how to safeguard corporate data on BYOD devices. Venture-capital firms are eagerly funding these startups -- noticeable among them is Andreessen Horowitz, plowing $9.5 million into mobile-security startup Bluebox in June and $30 million into CipherCloud just last month.
Here are the security startups we're keeping an eye on in 2013 to see what they roll out, and if they're snapped up by larger security vendors to quickly gain a foothold in cloud or mobile security. That's what happened to mobile risk-management startup Mobilisafe just three months after its debut, acquired by vulnerability-assessment firm Rapid7.
Some startups have large-scale aspirations to change the world of cloud security. Nok Nok Labs, still mainly in stealth mode, is backing the concept of a new open and flexible authentication protocol for cloud-based Web infrastructures that would be basically free but supported by the larger hardware and software vendors. ForgeRock is also an open-source advocate with its Open Identity Stack that lets enterprises and service providers centrally provision the enterprise, mobile and software-as-a-service applications. Others, though, simply contend they are building a better mousetrap for the enterprise -- as Lastline claims to do with its Previct product and service to detect malware, or TaaSERA, which formally launches at the end of the month with its behavior-based threat analysis product.
Allgress Business Risk Intelligence
Headquarters: Livermore, Calif. 2008 About $6 million, mainly from founders Jeff Bennett and Gordon Shevlin Gordon Shevlin, CEO
Why we're watching it: Allgress last June introduced software designed to give CISOs a view into the security and risk-compliance status of corporate networks and data resources. The company aggregates information into a "heat-map" view of where compliance is strongest or weakest. The purpose is to make good use of security-related information that's already available from scans, penetration tests and other technologies used to determine compliance with the PCI payment-card rules or healthcare regulations related to HIPAA, for example, and express it in business language that can be easily shared with CIOs and upper management. "It's about gathering the information together and helping them use what they have," according to Jeff Bennett, Allgress president and COO. The company claims to have about 40 customers, including eBay and several banks.
Fun fact: Shevlin is also co-founder and COO of another startup, Security Starfish, the company founded last year with eBay's former Chief Information Security Officer Dave Cullinane for discreetly sharing real-time cyberthreat information among IT security professionals.
Headquarters: San Francisco 2012
Funding: The company in June grabbed $9.5 million in Series A funding from Andreessen Horowitz, as well as Andreas Bechtolsheim, co-founder of Sun Microsystems, with other investors that include SV Angel; Ram Shriram, board member at Google; and Brian Cohen, former CEO of SPI Dynamics.
Leadership: Caleb Sima, CEO, along with co-founder & COO Adam Ely, are industry veterans. Sima was CTO for HP's Application Security center, which he joined after HP acquired SPI Dynamics, a company he co-founded. Ely was chief information security officer at the Heroku business unit at Saleforce.com.
Why we're watching it: Still secretive about exactly what it's doing, Bluebox is known to be building products designed to protect corporate data on mobile devices, especially employee-owned ones that are brought to work, and the company is expected to introduce its offerings shortly.
Investors can't refrain from hyping what's to come. "Enterprise security on mobile is an unsolved problem, and frankly, is in need of innovation," said Bechtolsheim last month. "Bluebox is developing a solution that will change the way enterprises think of how to successfully and seamlessly protect their data." That remains to be seen -- stay tuned for the next episode of the Bluebox product rollout.
Fun fact: The name "Bluebox" harks back to the term used by phone hackers back in the 1960s and 1970s to describe the kind of unauthorized homemade devices they came up with to route calls over long-distance networks -- and it's just vintage and nostalgic.
Headquarters: San Jose, Calif. 2010 $30 million from Andreessen Horowitz, along with other funding from Index Ventures, T-Mobile Pravin Kothari, chair, CEO, and founder
Why we're watching it: The firm is tackling the issue of securing data in cloud environments through its encryption and tokenization gateway technology which today can be used with Gmail, Salesforce and Amazon, among other services. The company says its customers include two large banks. CipherCloud's gateway-based approach could find wide appeal if, as many expect, enterprises this year will show more confidence in putting sensitive data subject to regulatory controls into cloud-based services where data that's accessed frequently for business purposes would need to be encrypted.
Fun fact: Kothari is an industry veteran who also started ArcSight, later sold to HP for more than $1 billion.
Headquarters: San Francisco 2011 $26 million from investment firm Warburg Pincus George Kurtz, CEO (formerly EVP and worldwide CTO for McAfee), and Dmitri Alperovitch, CTO (former McAfee VP of threat research)
Why we're watching it: CrowdStrike, which hasn't yet formally unveiled products and services, is focused on finding ways to identify attacks against enterprise networks and even provide capabilities to hunt down attackers, especially those attempting to stealthily compromise and steal data. Kurtz and Alperovitch claim the "active defense" capability that's being developed will be a "game changer."
We'll see -- but how far can anyone legally go anyway to pursue an adversary across the Internet or even strike back? Alperovitch says CrowdStrike has had intelligence and response services available that have been used by large corporations and government agencies since the second quarter 2012. CrowdStrike is also developing what it calls a "big-data analytics platform" to identify and prevent damage from targeted attacks in real-time by monitoring, sharing and mitigating the adversaries' tactics, techniques and procedures. The technology is currently in beta and expected to be launched this year.
Fun fact: Knowing there are legal questions surrounding the topic of pursuing attackers to stop them, CrowdStrike likes to note that last April it hired Shawn Henry, retired executive assistant director of the criminal, cyber, response and service branch of the FBI, as president of its CrowdStrike Services.
Headquarters: San Francisco 2009 in Oslo, Norway $7 million from Accel Partners, and an undisclosed sum from Sun co-founder Scott McNealy Mike Ellis, CEO (former senior exec with SAP, Oracle, i2 Technologies) and Lasse Andresen, CTO (former Sun exec)
Why we're watching it: ForgeRock's software, Open Identity Stack, can be used to tie together a centralized provisioning and access-management system for enterprise, mobile and software-as-a-service applications. The company says it already has about 130 corporate customers for its subscription-based services. The startup has its roots in the open-source model, making use of the identity-management code base at ForgeRock.org community developer site to sell commercial products available at ForgeRock.com. ForgeRock vets the open-source code it uses for inclusion in its commercial products. The startup will be bumping up against the likes of IBM, Symplified and Symantec, among others in the identity-management space.
Fun fact: Much of the engineering and sales talent hail from careers in the open-source identity and access management division at Sun Microsystems, acquired by Oracle in 2010. ForgeRock's product finds its origins in the open-source IAM from the Sun era that was developed to adapt to a cloud environment.
Headquarters: Santa Barbara, Calif. 2009 by university researchers Giovanni Vigna, Christopher Kruegel and Engin Kirda $3 million, including $1 million from E.ventures Jens Andreassen, CEO (previously with Fortinet)
Why we're watching it: Lastline in November made its official debut with an anti-malware product and service called Previct which aims to prevent malware infections from entering the enterprise and also inspects and analyzes outgoing traffic. Though there's plenty of competition in malware detection today, the three university researchers (from UC Santa Barbara and Northeastern University) who developed it claim it's a better anti-malware mousetrap.
The technique Lastline came up with gets out in front of malware by using code emulation to securely analyze what effect the malware is trying to have rather than try to detect malware based on signatures as traditional antivirus would, says Christopher Kruegel, co-founder and chief scientist. In terms of competition, Lastline regards its approach as somewhat similar to that of FireEye, an earlier startup that's gotten plenty of attention for its anti-malware detection process.
Fun fact: The company's founders also started the International Secure Systems Lab (iSecLab), which helps share research across five labs in the U.S. and Europe.
Nok Nok Labs
Headquarters: Palo Alto, Calif. 2011 Undisclosed Phil Dunkelberger, CEO and founder
Why we're following it: Dunkelberger, who was co-founder of PGP Corp. in 2002, is making the case that cloud-based computing services and their users would benefit from a new style of strong authentication based on an open authentication protocol. Expect software from Nok Nok Labs this year. A big question is whether enough large hardware and software vendors will get on board. But Dunkelberger, as he did at the recent Cloud Security Alliance meeting, is energetically arguing change is needed, asking, "How many have ever ripped out an authentication method? Not many -- it's costly and hard to do." But despite the fact that so many authentication types exist today in what's a security "Tower of Babel" and the cloud means "the perimeter doesn't exist anymore," there's no easy way to turn on authentication based on risk use cases, he argues. His idea? A scalable authentication protocol for the cloud defined by working groups so it will be free, and products that can add value in management. It's another case of stay tuned for the next chapter, which could be at the upcoming RSA Conference in San Francisco.
Fun fact: Dunkelberger acquired the encryption technology known as "Pretty Good Privacy" for less than $2 million and sold it to Symantec two years ago for more than $300 million. Nok Nok Labs is Dunkelberger's fifth startup.
Headquarters: Chicago 2011 $6.25 million in Series A funding led by US Venture Partners with Tugboat Ventures and Costanoa Venture Capital Co-founders CEO Ed Bellis and CTO Jeff Heuer
Why we're watching it: Risk I/O offers a software-as-a-service tool by the same name that aggregates large quantities of data from a variety of security-assessment tools for the purpose of vulnerability management.
It can be used collaboratively by a team, and the tool is being employed by about 700 companies today. Bellis has said he started the company based on his experience as CISO at Orbitz and the security challenges he faced in business.
Fun fact: The company began life with the name HoneyApp.
Headquarters: Mountain View, Calif. 2011
Funding: $26 million, including the $20 million Series B financing announced this January from participants including Kleiner Perkins Caufield & Byers, Allegis Capital, Google Ventures, Eric Schmidt's Tomorrow Ventures and former Symantec CEO Enrique Salem. The earlier $6 million round was from Kleiner Perkins and Tomorrow Ventures.
Leader: CEO Derek Smith
Why we're watching it: Though still in stealth mode, the company appears to be taking on Web security. Investors, of course, are lavishing praise on the yet-to-be unveiled technology they are privy to know Shape Security is developing. "Signature and heuristic-based detection have proven unsuccessful in keeping pace with the complexity of modern Web attacks," says Shape investor Enrique Salem, the former CEO of Symantec whose career ended abruptly when the board at that company forced him to step down in July 2012. "I'm excited about Shape's technology because it will allow websites to deflect attacks automatically, using a far more sophisticated approach." A company spokeswoman said Shape plans to have a generally available product by the end of 2013, though this could trail into the start of 2014.
Fun fact: Smith was the co-founder of data-loss prevention vendor Oakley, sold to Raytheon in 2007. He started up Shape Security with CTO Justin Call and Sumit Agarwal, the former senior adviser for cyber innovation at the U.S. Department of Defense.
Headquarters: Cupertino, Calif. About $2 million in private angel-investor funding CEO C. Scott Hartz, who brings more than 40 years of strategy and technology consulting, including seven years as CEO of PwC Consulting 2012 by Shrinivas Kumar, CTO and vice president
Why we're following it: The name "TaaSERA" is said to mean "trust as a service." But the startup will be offering a product as well, known as the TaaSERA Attack Warning and Response Engine (AWARE), that will be out later this month as the company makes its formal debut with its behavior-based malware and attack-detection software. It will include agent software initially for Windows-based computers and the Google Android platform, plus network sensors, that are intended to be installed to monitor and detect signs of malicious behavior from attackers and malware in real time.
The approach, which is likened by company insiders to what security firm FireEye does in malware detection, is also intended to be used in conjunction with other security products to receive additional data feeds -- alliances with Bit9 and HP ArcSight, for example, are underway -- to gain additional evidence of malware and detect zero-day malware attacks. The TaaSERA NetAnalyzer tool, installed as a virtual appliance on the network, is supposed to collect behavioral evidence to analyze malware patterns, categorize threats and provide forensics. Early adopters are said to be in tests with it.
The startup has managed to attract Tom Ridge, former secretary of the U.S. Department of Homeland Security and former governor of Pennsylvania, to join its advisory board. Ridge, who says he does have a "modest" stake in TaasSERA, claims he won't be actively lobbying for the startup, but is convinced TaaSERA's approach represents a "very significant development" in using analysis for security that is needed today. The startup has come up with "sophisticated data analysis to identify in advance potential terrorists and criminals," he says, adding he believes the threat today is greater than it was 10 years ago.
Fun fact: Shrinivas Kumar, the inventor of the core technology, was previously solutions architect at VMware, and TaaSERA's approach is described as optimized for VMware-based infrastructures.
Headquarters: London 2012 as a joint venture by ARM, Gemalto and Giesecke & Devrient Undisclosed, although "tens of millions" in investment is being bandied about in the media Ben Cade, CEO, a former executive of ARM where he led the Secure Services Division
Why we're following it: Trustonic has what's called its TrustZone technology embedded in integrated circuits which it wants to see used for purposes such as secure encryption key storage in mobile devices or electronic payments or television set-top boxes. Debuting in December 2012, Trustonic is a play by techno-savvy Europe-based firms to get the rest of the world to embrace its crypto-based model, essentially an embedded operating system of sorts, as a common platform to roll out new ways to deliver subscriber-based content like video or pay for things or other personalized services on mobile devices. So far, Trustonic is being backed by firms that include Cisco, Samsung, Symantec, Sprint, Nvidia, Good Technology, Wave Systems, MasterCard and 20th Century Fox Entertainment, among others. Though details are sketchy, Stephen Bye, CTO at Sprint, said the carrier expects to make use of the technology in the future to deliver services.
Fun fact: Trustonic's crypto-based technology is already deployed in the latest Samsung Android Galaxy S III and Note II mobile devices.
Headquarters: New York City 2009 by Ben Matzkel, chief strategy officer, and CTO Maayan Tal, both from McAfee $10 million from 406 Ventures, New Science Ventures and Harmony Partners, plus a few million in angel-investor funding Elad Yoran, chairman and CEO, whose 20-year career in cybersecurity includes stints at Riptech (acquired by Symantec) and Sentrigo (bought by McAfee)
Why we're following it: Vaultive's first product out last May allows enterprise security managers to remotely control encryption of email data held in the Microsoft 365 cloud service. The encryption proxy uses the Advanced Encryption Standard to encrypt this cloud-stored data in a way that only authorized individuals can run an encrypted search query at the Exchange Server hosted by Microsoft to present the results in decrypted form that can be read in cleartext.
As Yoran has noted, the approach means businesses encrypting data this way in the cloud can prevent it being accessed or handed over to law enforcement under subpoena without the business knowing about it. New methods of providing cloud-based encryption appear to be something that start-ups and their investors are willing to bet on as businesses demonstrate growing confidence in use of cloud-based services.
Fun fact: Prior to co-founding Vaultive, Maayan Tal was general manager of McAfee's Israeli development operations.