Security Opportunities: A Silicon Valley VC Perspective

May 2015

Geoffrey Baehr, General Partner

Upload: positive-hack-days, posted 24-Jul-2015



The Facts of Life - 2015: Security “Nightmare Scenario” exists today

– State sponsored actors, also bespoke (custom), per-corp customized attack vectors.
– Professional dev kits, release trains, PhD level knowledge being applied (MD6).
– Jumbled, confusing mish mash of Alerts, CVEs, Patch Days, Vendor advice. Mess!
– Android ~2-4000 config settings/calls affect security of OS/device (!) across many facets of the OS.
– 170 GB/s DDoS record in April 2015.
– Anti virus and signature based approaches simply don’t cover enough any more.

And it’s going to get a lot worse = IoT (Sensity). We already have numerous 5-8M node networks (Electric Utils - BitStew).

Device-Device autonomous communications proliferating. “Unexpected interactions” such as SCADA affecting AC power affecting health care. PLCs made in the 80’s are out there. Shodan is my friend. You can’t hide.

Certainly Not Confidential. Almaz Capital Partners

Problem: Most Enterprises don’t understand that Security = Corporate DNA = Culture

Which Corp do you know which implements security as a ‘Culture’? Which Corp stresses Security as its ‘primordial DNA’? The practice of Security Culture is usually absent. This is not a technical solution! Which startup allows companies to easily inherit the above attributes? NONE (opportunity). I do not mean consulting companies.

Where is your “Response Book”: a pre-planned, pre-staged, ready-to-go plan, with call-up resources and policy? Having a non-engineering senior person, with a pre-planned, multi-pronged response book, following all the steps for “Break-in Type 27”, is what a Corp needs. Responding after the fact, only by engineers, is wrong. Ask me why. Can this be fixed? Is it what is holding back progress? Certainly.


State of the Industry - 2015

– Anti Virus is a dead or dying offering; everyone in A/V is scrambling to position themselves as “State Actor repellent” (APT)! With a new Market Terminology.
– The guy with the most monitoring nodes across the net wins: think FireEye, F-Secure et al. Catch it quickly, publish in near real time is the mantra.
– Real Time vs Forensic response is the trend, beyond AppFWs, dynamic response.
– Behavioral analytics of people, packets and services emerging. Huge interest here. Heuristic monitoring. Correlation analysis across multiple axes. Rapidly evolving. Firewalls becoming heuristics collectors.
– Massive scale Visualization and graphic modeling tools will be a big opportunity.


2015: What’s Not Working. Giving an illusion of Security

– Full Disk Encryption – TPM.
– Firewalls facing the wrong way, with no micro analytic feeds for heuristics.
– Most anti virus SW; in fact, AV makers are searching for new business models, it’s so bad that sales are rapidly declining!
– Fiddling with PAM, Active Dir and permission based usage/access.
– PCI, HIPAA, ISO 27002, NERC, GLPA, GPG13, FIPS 140 compliance mean little to bad actors but give the illusion of progress to mgmt. An acronym never kept anyone safe.


Crowded Market but many opportunities exist

[Diagram: “The Secure Enterprise” market map. Segments shown: AAA; Perimeter Control; Internal/File Integrity; Authentication; Intrusion Detection; Vulnerability Assessment; Threat Management; Administration; Authorization; Application Security; Kernel Security; IDVA Security; Antivirus; VPN; Firewall; Entegrity; Content Inspection; Denial of Service. Segments are annotated with $ and $$ marks.]

Craft your Pitch: Using VC Evaluation Criteria (cheat sheet)

#1 TEAM – is the team world class? Have they done this before? Before anything else, TEAM is everything. Nothing can fix a poor team.
#2 Technology – is this world class thinking? Are there Computer Science fundamentals behind it? Is the IP patentable (but don’t get hung up on that)?
#3 Market – How big, how much can they get, how much will that cost? How much to get noticed? Is this an Enterprise Software sale, a Service, Consulting or viral? Can you guess which model VCs like these days?
#4 Finance – How many $$ to get to Goal 1, Goal 2 and have 6 months’ reserve in the bank. We can *always* find the money; get smart investors who will help.

Series A – make sure it doesn’t catch fire and burn up. Series B – Sales and Marketing expansion.

Mistakes: don’t worry about profit, take risks! First mover usually wins, second mover watches first mover win. Do you do Due Diligence on your VCs? You should!


Pitches/Huge Opportunities we see

Golden Rule: “Do something which the customer needs and can’t do themselves.” Solve their pain. Go for the largest market. Scale from there!

– Use recent VM work (Docker, Jelastic) for rapid spin-up of VMs for isolation.
– Continuous randomized testing. Single sweeping is dead. Chaos Monkey, Janitor Monkey, Security Monkey, Doctor Monkey – the ‘Simian Army’ for continuous pounding and testing, thanks to Adrian and the Netflix crew.
– Multi Tenant Cloud crypto, data comingling, data hotel = Key Mgmt opportunity.
– Intent Analysis, Behavioral Profiling. Behavioral Analytics of app/svc/connection/flow. Where’s OpenStack Behavioral Analysis?
– Unstructured data analytics, eventual consistency (Cassandra) use for Sec.
– Internet <-> Data Center perimeter changing to top of rack; what does this imply?
– In memory networking and computation (think VMs, GridGain, Mongo): no pkts on the wire. Now what? “In Memory firewall”? A generic issue. NOT solved.
– Did you know that just DLP alone was a $665M market in the USA alone in 2014 (Gartner)? Go for the big $$.


Huge Opportunities (cont)

– Translating CVEs, CERTs etc to actionable intelligence for enterprises AND applying it somehow.
– Device-Device IoT traffic analysis. Super Proxy, Super Tunnels (M’s)?
– CPU crypto load vs power; solve that equation.
– IoT sensor fencing, distance vector too.
– Plenty of OS and BIOS work to go around. Probability you can get your sec product on to the motherboard is, unfortunately, Zero. A real problem.
– Many IPv6 related problems, esp in Mobile Operators’ networks (major users).


Who is doing interesting Sec work NOW (startup wise)

– Automated code analysis pointing to bad code, so less senior guys can handle the fix. As a Service for DevOps: Tinfoil Security. A step beyond Nessus, thinks “Nessus plus the fix”. Cute!
– Encryption of all data at rest, with selective reading/revocation: WatchDox (used a lot in Hollywood for screenplay protection).
– Secure private cloud within any cloud, multi tenancy, unstructured data protection: Varonis.
– Secure enterprise collaboration, used by drug discovery pharma, finance: IntraLinks.
– Network+VM+app+traffic analysis and microsegmentation: Illumio.
– Non signature, zero day, heuristic tool: Cylance.
– Behavioral Analysis: Veracode.
– Behavioral Analytics: Fortscale.


Now for some Fun !


As promised: Who has the Worst Security in the World?

Hint… think where VCs put their money in to…?


STARTUPS in Silicon Valley! Situation is laughable (maybe crying?). I have personally seen all of these…. Ask yourselves, do YOU say these words:

– “Of course it’s ok that all the source code is on every laptop all the time! How silly to ask!”
– I am an ENGINEER (Cymbals Crashing sound!), I don’t maintain ….. Servers/AWS!
– We have no money for a sys Admin, I am busy coding, go away!
– Password on our APs is the same as the company name or “12345” or blank.
– Log, what logs? I don’t need no stinkin’ logs, besides I am too busy to read them.
– Engineering will rebel if they don’t have root access to everything and every router!
– Locks? Doors wide open 24x7, machines being physically stolen.
– Distributed teams with collaboration tools, code repos – Why of course everyone needs full access to the entire code base. GROAN!

Even more astounding is that Dumb VCs watch their $20M investment like a hawk, but not that their precious product output is being stolen under their noses.

US Senate Judiciary Committee – Estimate 1-3% US GDP trade secret theft every year via net (5/1/2015 New York Times). Try 3% of $14T = $420B.

2014 – 18% of 1598 breaches examined were used for Trade Secret theft.


The Result – An Example

I was aware of an event where the bad guys came in, hit the server and thought they got the code base. They missed and hit the wrong server, so they came back 2 nights later and did succeed. $20M investment… poof! Did those guys get funded the 2nd time around?

So – think it through: if you include your good Sec hygiene practices to investors, it might make the difference about funding (at least to us!).


Thanks For Listening
