Thoughts from RSA and the Climate for Security Startups
The year ahead in security tech and VC

Just getting back from a few days at RSA. We kicked it off Sunday night with a boldstart founders and execs dinner where we talked about what’s next in cybersecurity with some of our portfolio companies like SecurityScorecard, BigID, Snyk, a stealth company and many friends from the industry representing strategic partners and IT buyers. After a couple more days of straight security talk with lots of new vendors, VCs, strategics and CISOs, I wanted to share a few observations. Many of these are not earth shattering but important to cover nonetheless.

  1. There are way too many cyber security startups. A record $3b went into these companies in 2016 and $2.5b in 2015. Many startups are features or products and not businesses. Each category and mini category used to only have a few vendors and now you can expect up to 10. Lots will struggle and go out of business and industry consolidation is ahead.
  2. That being said, cyber security budgets keep increasing! Banks like JP Morgan spent $500mm on security and yet they are still not secure. While many large companies will still buy from best of breed startup vendors, the landscape is changing as Palo Alto Networks and Symantec keep incorporating new tech and provide an integrated, seamless stack.
  3. Which leads me to my next point. One CISO of a large bank told me that his team met with over 300 vendors last year. Large companies can’t possibly integrate all of these disparate technologies and the more you have, the more false positives you have.
  4. Rise of Nation State attacks – more sophisticated and deadly – many are targeting the largest financial institutions.


The state of consumer security

I had the pleasure, and I mean pleasure, of recently rebuilding two of my home PCs running Windows XP because of performance degradation and other issues. I ended up doing a clean wipe of the hard drives and reinstalling Windows XP from scratch. Once I got the machines up and running with a broadband connection, I recognized that I was completely naked on the web with no protection. As you may or may not know, I have invested in and am on the board of 2 security technology companies which sell into the SMB and enterprise markets (see Deepnines and netForensics). Therefore, I clearly understand the need to lock down your systems and protect yourself against spyware, viruses, and other malicious attacks. Of course, there is always a tradeoff between security and performance. In the past, I have been an avid user of best of breed software on my PC – ZoneAlarm Pro for firewall, Norton Antivirus, and Webroot SpySweeper for spyware. One, this is not cheap, and two, it becomes a headache to manage and keep track of after a while, especially if you have more than one machine in the house and have to set up rules for each separate PC. For example, as you can see from a recent post, a new software release from Webroot killed one of my machines. Despite the management overhead, what this best-of-breed approach offers me is diversified protection and real-time scanning. What good is virus protection if the scan only detects and removes the virus after you are already infected? There is a huge difference between prevention and remediation.

So of course, with an eye on simplifying my life, I decided to download and install Windows OneCare on one machine. It was easy to download, offered diversified protection against threats, and also allowed me to add multiple machines. However, one drawback, which did not really seem to be highlighted anywhere, was that there was no real-time scanning and protection for incoming email. That in my mind is a huge flaw. How can Microsoft give everyone the perception that they are locked down with this new service when it does not scan your PC in real time for virus threats in your email? I can see a whole army of consumers feeling secure but still having tons of issues without the real-time functionality.

Anyway, this post is not about Windows or any one specific product, but the fact that I have to download and install security software on multiple machines and have to set them up and manage them. As you know I am all about simplicity and reducing friction in usage, so why not have one simple box that does it all for the consumer – cable/DSL modem, router, wireless LAN, with best of breed security software loaded into the device? Just like the enterprise security market went from packaged software installation to set-and-forget appliances, why can’t I have the same functionality in the consumer market? As we all know, hardware is a commodity and prices have fallen dramatically. And just like enterprises, I want defense-in-depth for my house, which means building in security at the edge before anything can even get to my machines. With best-of-breed security functionality built into the router, I can set security policies once for my whole house and not have to install and manage client software for every machine. I also get my CPU cycles back on my PCs, as security clients can be a drain on the machines. The good news is that forward thinking companies like Check Point’s ZoneAlarm are starting to go after this market and recently announced just such a device for the consumer market. If you look at this graph you can see why having comprehensive security at the edge is needed. Malware gets blocked at the edge before it can do damage to your PCs. In my mind the state of consumer Internet security is that we are still in the dark ages, but it is getting better.

What needs to be done to make us more secure

I was in a meeting with an executive at a large financial services company today discussing some of his technology problems and how my portfolio companies could address them. One of the big issues he mentioned was spam and stopping worms. Even though his company has spent real dollars in those areas, they are still problems which need to be solved. As Sasser and other worms and blended threats spread rapidly around the Internet, it got me thinking about what needs to be done to make us more secure. Techdirt has a great piece about taking a hybrid strategy to stopping these threats, an approach I agree with wholeheartedly. I have always been a fan of a defense in depth strategy where you have security devices at the network level and down to the desktop. Have you seen Cisco’s recent advertising campaign about self-defending networks? While it is a broad-based strategy which you can read more about on their site, one aspect I like about the NAC initiative is that it does not allow anyone to access a network, wirelessly or wired, before a scan is done to make sure the device is virus and worm free and up-to-date with its patches and antivirus software. They currently have an enterprise focus, but the logic behind the initiative makes a ton of sense. Recently, Earthlink launched a deal with Symantec where consumers could get antivirus and firewall software from Symantec on their monthly bill. While I like the direction Earthlink is taking, I think all ISPs should take this a step further and replicate the Cisco NAC initiative where no user can log on to a network until their system is scanned and updated with the latest patches and antivirus software. Charge consumers an extra $1 a month but make it a prerequisite to get on the Internet. On top of that, ISPs are and should continue to apply a number of different security devices on the edge of the network to prevent attacks from reaching end users.
Vendors selling home networking equipment like Linksys and D-Link should figure out how to embed and price antivirus and antispam software in their boxes as well. For the most part this will only stop the vulnerabilities and attacks that we know about, but the reality is that many of these attacks take advantage of known vulnerabilities. Helping the naive consumer in a proactive way will help us take one big giant step in making the Internet a more secure place.

Mydoom and securing the perimeter

As I said before, if you want to stop blended threats like Mydoom and others, the best way to do so is to secure the perimeter by preventing an attack before it has a chance to infiltrate your network. That is best done on the edge, IN FRONT OF THE ROUTER, but for a number of reasons no one has attempted it. Of course, if you tried to do it on the router it would degrade performance 60-70% which is not a good solution. One other big issue is having the scalability to inspect every packet entering and leaving a network (router) with minimal latency. Finally, being able to effectively detect and prevent anomalous traffic from entering a network requires sophisticated algorithms. You have to have minimal false positives and no false negatives. In other words, the last thing a Chief Security Officer wants to be blamed for is screwing up a large multi-million dollar transaction for a business unit by blocking it from entering or leaving the network. Therefore, many CSOs are willing to just have the detect function turned on instead of solely relying on technology to make decisions about what is good and what is bad traffic. Of course, given the proliferation of complex viruses and blended threats, we are seeing more and more security teams moving from detection to prevention.

Before we dive further into securing the perimeter, let’s first understand how Mydoom works. Mydoom is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa. The worm harvests addresses from infected machines and also tries to randomly generate or guess likely email addresses to send itself to. It also leaves a backdoor wide open for hackers to take control of the machine to steal user information or start spam campaigns or DDoS attacks. The kicker is that these new viruses typically send email messages using a built-in messaging or SMTP system bypassing the normal messaging host on a computer and therefore bypassing any antivirus software you may have installed. This sounds pretty nasty, doesn’t it? The amount of inbound and outbound email traffic can easily bring your network down leading to lost revenue and lost productivity. The fact that it leaves a back door open for nefarious uses could be even more damaging. For example, someone could use millions of infected computers to launch a DDoS (Distributed Denial of Service) attack on you bringing down your transactional web site.

In my opinion, an effective security solution would sit on the edge, prevent anomalous traffic and malformed packets from entering or leaving a network, and provide capable antivirus technology. In other words, you would buy an integrated security solution that includes a firewall, intrusion prevention, DDoS, and gateway antivirus technology that can sit in FRONT OF THE ROUTER. Therefore the only data that should be traversing your network is good, clean data and all of the bad stuff, ingress and egress, is left behind and dropped. I have spent a fair amount of time during the last few years looking at this problem. During the last 3 months, I have been working closely with one company that can offer customers all of the above. Please check back in the near future to learn more about it. Of course, if you have come across any companies that fit the bill, I would love to hear from you.
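The edge policy the two paragraphs above argue for can be illustrated with a small worked example. This is added example code, not from the original post or any vendor mentioned in it: it evaluates constructed flow records at the perimeter, treats direct outbound SMTP (TCP/25) from anything other than the sanctioned mail relay as a policy violation (the built-in SMTP engine of a mass mailer produces exactly that traffic), and runs in either the detect mode many CSOs start with or the prevent mode the author describes teams moving to. The internal address range, relay address and flow records are all assumptions made up for the example.

```python
"""Edge egress check for direct outbound SMTP (added example, constructed data).

A mass-mailing worm carries its own SMTP engine and connects straight to port 25
on remote mail servers, bypassing the internal mail relay. A perimeter device can
spot (or drop) that: only the designated relay should originate outbound TCP/25.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")      # assumed internal address range
MAIL_RELAYS = {ip_address("10.0.0.25")}      # assumed sanctioned mail relay(s)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed sample flows: ordinary web traffic, the relay delivering mail,
# one workstation talking directly to several remote mail servers, and one
# stray port-25 connection from an otherwise quiet host.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "93.184.216.34", 443),
    Flow("10.0.0.25", "198.51.100.10", 25),
    Flow("10.0.0.25", "198.51.100.11", 25),
    Flow("10.0.1.77", "203.0.113.5", 25),
    Flow("10.0.1.77", "203.0.113.6", 25),
    Flow("10.0.1.77", "203.0.113.7", 25),
    Flow("10.0.1.10", "203.0.113.8", 25),
]


def is_direct_outbound_smtp(flow: Flow) -> bool:
    """True for TCP/25 leaving the internal network from a non-relay host."""
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    return (flow.proto == "tcp" and flow.dport == 25
            and src in INTERNAL_NET and dst not in INTERNAL_NET
            and src not in MAIL_RELAYS)


def evaluate(flows, mode="detect", min_distinct_servers=3):
    """Apply the egress policy to a batch of flows.

    Returns (verdicts, alerts). verdicts maps each flow to "allow" or "drop";
    alerts lists internal hosts that reached at least min_distinct_servers
    distinct external mail servers directly, the mass-mailing pattern.
    In "detect" mode nothing is dropped; "prevent" drops every violation.
    """
    verdicts = {}
    servers_by_host = defaultdict(set)
    for flow in flows:
        violation = is_direct_outbound_smtp(flow)
        if violation:
            servers_by_host[flow.src].add(flow.dst)
        verdicts[flow] = "drop" if (violation and mode == "prevent") else "allow"
    alerts = sorted(host for host, servers in servers_by_host.items()
                    if len(servers) >= min_distinct_servers)
    return verdicts, alerts


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        verdicts, alerts = evaluate(SAMPLE_FLOWS, mode)
        dropped = sum(v == "drop" for v in verdicts.values())
        print(f"{mode}: dropped={dropped}, mass-mailing hosts={alerts}")
```

Note the tradeoff the post raises: in prevent mode the hard egress rule also drops the single stray connection from 10.0.1.10, which may be a legitimate one-off, while the relay’s own mail is untouched. The per-host alert on distinct mail servers is the higher-confidence signal, which is why a team would typically run detect mode first and tune the exemption list before switching to prevent.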

Life in a connected world…

As we increasingly move to a connected world where all of our devices and products have embedded chips in them communicating with a wireless network to share information and data, we will become more susceptible to privacy and security issues. The New York Times has a great article (must log on but free to join) on automobiles and how products like Onstar from GM, EZPass, and even tires from Michelin can share data about you and where you have been. Obviously, there are a plethora of benefits from services like the above and a potential invasion of privacy is the tradeoff that we need to live with in order to have more convenience. However, there is one aspect of living in a more connected world that I worry about and that is security. In an earlier posting, I commented on potential security breaches in mobile phones and other devices. Currently Onstar can remotely unlock your doors and turn on lights and horns. What if a hacker found ways to control other functions in your automobile via Onstar? As new technologies emerge and proliferate into the market, you can bet that hackers will find a hole to exploit. When taking advantage of new technology and designing new products, companies must carefully balance the tradeoff between convenience/simplicity and security.

Citrix buys GoToMyPC maker Expertcity: great day for ASPs

Congratulations to Expertcity and Andreas, John, and Klaus. It has been great to work with you from a board level over the last 4 1/2 years. When the transaction closes, I look forward to writing a little more about how you were able to persevere through some tough times, launch new product, stay focused on leveraging the core screen sharing technology, and build a high growth business in a completely new market. Not only were you an early player in remote access, but you also were one of the first ASPs out there.

Expertcity is not the only ASP making headlines today. Salesforce.com filed to go public and raise $115mm. As I mentioned in an earlier posting about Google and IPOs, pre-bubble it took companies 4-6 years from their first round of funding to IPO/acquisition. During the bubble it took 1-2 years. While I am excited about today’s announcements and other recent deals like VMware (bought by EMC) and Zone Labs (bought by Check Point), it is obvious that we have returned to a pre-bubble mentality and the companies that will be significantly rewarded are the ones that embody the philosophy of building real businesses with real revenue and cash flow. Well, isn’t that just business 101? Yes, and this is great news as it is something we can all understand.

Check Point makes first meaningful acquisition

So Check Point is going to buy Zone Labs for $205mm. Here are my thoughts on the deal. Zone is expected to do around $28mm of revenue in 2003 and $42mm in 2004. The revenue multiple is 7x for 2003 and 5x for 2004. That is pretty much in line with existing security multiples of 6-8x revenue. The more significant point is that Check Point made its first meaningful acquisition. So for all of you security companies out there, add Check Point as another potential acquirer. Some future deals could include an SSL VPN player or a network intrusion prevention provider. It seems that concerns over their revenue growth have finally hit management, and they are trying to find ways to accelerate the top line. However, I am not too sure that acquiring a desktop firewall product and competing against established competition like Microsoft, Symantec and NAI is the way to do it.

Securing Cyberspace: the Government vs. the private sector

There were two conferences yesterday addressing cybersecurity. One was the National Cyber Security Summit in Santa Clara and the other was a smaller event in DC. While I was not in attendance, I did speak with a couple of people who participated in the events. The takeaway is that 85% of the critical infrastructure in the US is owned and controlled by the private sector. The other 15% is the government. While security has gotten better over the last few years, there are still some major holes in the system. There is a classic standoff right now as the government wants the private sector to take control of securing their networks and data while the private sector says why bother when the government’s infrastructure is not even secure. For example, if cyber terrorists took down critical DNS systems, whether or not the private sector secures its infrastructure is moot as the Internet will have massive troubles. Some in the private sector also alluded to the fact that Chief Security Officers do not have enough control, as most are only VPs who report to CIOs who sometimes report to CFOs. If CSOs have no real control over budget, then how can they really effect change? The government, on the other hand, is threatening to take action and impose mandates for securing private infrastructure. The government wanted to give the private sector the chance to organize itself and develop its own best practices before it is forced to do so through legislative mandate. To hammer the point home, one official apparently said that the next terrorist attack could be on the information systems of a large financial services institution, causing serious economic damage. Despite the warnings, it does not sound like the two sides made much progress yesterday. At the end of the day, companies in the private sector are driven by dollars. If these companies feel secure enough already, they are not going to rush out to spend more money for the sake of national cybersecurity.
Therefore, my feeling is that Ridge and his team will not get what they want until the private sector feels pain on their bottom line in the form of stiff economic sanctions. That being said, the government has to live up to its end of the bargain and drive security in its 15% of the infrastructure as well, because as Ridge says, all it takes is one hole to compromise national security.

Hand-held device security

Hackers like to go where they can cause the most pain. As 3G rolls out in the US, you can bet that hackers will go there as well. There was a great article last Friday in the New York Times about viruses and other security issues on cellphones and hand-held devices in Japan (free site but registration required). It is clear that we should look at how Japan is dealing with this issue as their wireless infrastructure is much more advanced than ours at this point. At the same time, it seems that not many people in the US are dealing with the issue now. Having suffered attacks in the past, NTT DoCoMo has gotten proactive and not only put security software on its servers but also on its handsets. We should learn from this and prepare our infrastructure accordingly. Spam is not the major problem on these devices; think viruses that can jam the 911 emergency response system or denial of service attacks that can bring a wireless network down. What happens when we live in an even more embedded world where chips in cars, appliances, etc. begin talking to a wireless network and become infected with a virus?

Many of the companies that I have seen that focus on wireless security are looking at the client or handheld device level. This is the approach that companies like Network Associates and Symantec are taking with handhelds. While I applaud the effort to protect our devices, I do not believe that putting antivirus software on every handheld device is the right solution:

1. Installing antivirus software on every device is not an easy to manage task;
2. While it is much easier to constantly update virus definitions on connected devices, this will increasingly eat up precious memory and computing cycles on your device.

What is needed is smart security on the edge. This will require software that can sit on the network/server layer and in real-time inspect every message being sent from one device to another. It is not easy to sit inline and inspect every message without creating latency. In addition, the software will have to be able to prevent unknown attacks through behavioral analysis and not rely solely on signatures to prevent nefarious activity. This will lessen the need to constantly update every handheld, chew up precious memory and power, and give users an easy way to use their connected devices without headaches.
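To make the last paragraph concrete, here is an added example (not code from the original post or from any of the vendors it names) of the kind of behavioural check a network/server-layer inspector could run on message traffic without any signatures: it learns each device’s own per-minute send rate over an observation window and flags a burst that is far outside that baseline, with a second signal for the distinct-recipient fan-out of a mass mailer. The device ids, recipients, timestamps and thresholds are all constructed for the example.

```python
"""Behaviour-based message-rate check for an edge/server inspector (added example).

No signatures: each device is compared only against its own recent history.
All device ids, recipients and timing below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    minute: int  # minutes since the start of the observation window


def build_sample():
    """Constructed traffic: 60 minutes of normal use, then one anomalous minute.

    phone-A: one message per minute to two friends, then 40 messages to 40
             distinct recipients in minute 60 (mass-mailing behaviour).
    phone-B: two messages per minute throughout, unchanged in minute 60.
    phone-C: a brand new device with no history that sends 8 messages in
             minute 60 (must not be flagged just because it has no baseline).
    """
    msgs = []
    for minute in range(60):
        msgs.append(Message("phone-A", "friend-%d" % (minute % 2), minute))
        msgs.append(Message("phone-B", "colleague-1", minute))
        msgs.append(Message("phone-B", "colleague-2", minute))
    msgs += [Message("phone-A", "harvested-%02d" % i, 60) for i in range(40)]
    msgs += [Message("phone-B", "colleague-1", 60), Message("phone-B", "colleague-2", 60)]
    msgs += [Message("phone-C", "contact-%d" % i, 60) for i in range(8)]
    return msgs


def per_minute_counts(messages, sender, window_minutes):
    """Messages sent by `sender` in each minute 0..window_minutes-1."""
    counts = Counter(m.minute for m in messages if m.sender == sender)
    return [counts.get(i, 0) for i in range(window_minutes)]


def anomalous_senders(messages, baseline_minutes, current_minute, k=3.0, floor=10):
    """Return {sender: reason} for devices whose current-minute behaviour
    deviates from their own baseline.

    rate        count in current_minute exceeds mean + k*stdev of the
                baseline minutes AND an absolute floor, so a quiet or brand
                new device is not flagged for its first handful of messages.
    rate+fanout the burst also goes entirely to distinct recipients, the
                address-harvesting pattern of a mass mailer.
    """
    flagged = {}
    for sender in sorted({m.sender for m in messages}):
        history = per_minute_counts(messages, sender, baseline_minutes)
        now = [m for m in messages if m.sender == sender and m.minute == current_minute]
        threshold = max(floor, mean(history) + k * pstdev(history))
        if len(now) > threshold:
            distinct = len({m.recipient for m in now})
            reason = "rate+fanout" if distinct == len(now) and distinct >= floor else "rate"
            flagged[sender] = reason
    return flagged


if __name__ == "__main__":
    print(anomalous_senders(build_sample(), baseline_minutes=60, current_minute=60))
```

The absolute floor is the part that keeps this usable inline: a per-device standard deviation of zero (a device that always sends exactly one message a minute) would otherwise turn any second message into an alert, and a new device with no history would be flagged on its first burst of ordinary use. Tuning `k` and `floor` per device class is the latency-free knob the paragraph is asking for, as opposed to pushing a new signature to every handset.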