Security Opportunities: A Silicon Valley VC Perspective
Post on 24-Jul-2015
The Facts of Life - 2015: Security “Nightmare Scenario” exists today
– State sponsored actors, also bespoke (custom), per-corp customized attack vectors.
– Professional dev kits, release trains, PhD level knowledge being applied (MD6)
– Jumbled, confusing mish mash of Alerts, CVEs, Patch Days, Vendor advice. Mess!
– Android ~2-4000 config settings/calls affect security of OS/device (!) across many facets of the OS.
– 170 GB/s DDoS record in April 2015
– Anti virus and signature based approaches simply don’t cover enough any more
And it’s going to get a lot worse = IoT (Sensity). We already have numerous 5-8M node networks (Electric Utils - BitStew).
Device-Device autonomous communications proliferating. “Unexpected interactions” such as SCADA affecting AC power affecting health care. PLCs made in the 80’s are out there. Shodan is my friend. You can’t hide.
Certainly Not Confidential 2 Almaz Capital Partners
Problem: Most Enterprises don’t understand Security = Corporate DNA = Culture
Which Corp do you know which implements security as a ‘Culture’? Which Corp stresses Security as its ‘primordial DNA’? The practice of Security Culture is usually absent. Not a technical solution! Which startup allows companies to easily inherit the above attributes? NONE (opportunity). I do not mean consulting companies.
Where is your “Response Book”, a pre-planned, pre-staged, ready to go plan, with call-up resources and policy? Having a non-engineer senior person, with a pre-planned, multi-pronged response book, following all the steps for “Break-in Type 27”, is what a Corp needs. Responding after the fact, only by engineers, is wrong. Ask me why? Can this be fixed? Is it what is holding back progress? Certainly.
State of the Industry - 2015
Anti Virus is a dead or dying offering; everyone in A/V is scrambling to position themselves as “State Actor repellent” (APT)! With a new Market Terminology.
The guy with the most monitoring nodes across the net wins: think FireEye, F-Secure et al. Catch it quickly, publish in near real time is the mantra.
Real Time vs Forensic response is the trend; beyond AppFWs, dynamic response. Behavioral analytics of people, packets and services emerging. Huge interest here. Heuristic monitoring. Correlation analysis across multiple axes. Rapidly evolving. Firewalls becoming heuristics collectors.
Massive scale Visualization and graphic modeling tools will be a big opportunity.
2015 What’s Not Working: Giving an illusion of Security
– Full Disk Encryption – TPM
– Firewalls facing the wrong way, with no micro analytic feeds for heuristics.
– Most anti virus SW; in fact, AV makers are searching for new business models, it’s so bad that sales are rapidly declining!
– Fiddling with PAM, Active Dir and permission based usage/access.
– PCI, HIPAA, ISO 27002, NERC, GLBA, GPG13, FIPS 140 compliance mean little to bad actors but give the illusion of progress to mgmt. An acronym never kept anyone safe.
Crowded Market but many opportunities exist
[Slide diagram: “The Secure Enterprise” market map with $ markers indicating relative market size. Segments shown: AAA, Perimeter Control, Internal/File Integrity, Authentication, Intrusion Detection, Vulnerability Assessment, Threat Management, Administration, Authorization, Application Security, Kernel Security, ID/VA Security, Antivirus, VPN, Firewall, Entegrity, Content Inspection, Denial of Service.]
Craft your Pitch: Using VC Evaluation Criteria (cheat sheet)
#1 TEAM – is the team world class? Have they done this before? Before anything else, TEAM is everything. Nothing can fix a poor team.
#2 Technology – is this world class thinking? Are there Computer Science fundamentals behind it? Is the IP patentable (but don’t get hung up on that)?
#3 Market – How big, how much can they get, how much will that cost? How much to get noticed? Is this an Enterprise Software sale, a Service, Consulting or viral? Can you guess which model VCs like these days?
#4 Finance – How many $$ to get to Goal 1, Goal 2 and have 6 mos reserve in the bank. We can *always* find the money; get smart investors who will help. Series A – make sure it doesn’t catch fire and burn up; Series B – Sales and Marketing expansion.
Mistakes: don’t worry about profit, take risks! First mover usually wins, second mover watches first mover win. Do you do Due Diligence on your VCs? You should!
Pitches/Huge Opportunities we see
Golden Rule: “Do something which the customer needs and can’t do themselves.” Solve their pain. Go for the largest market. Scale from there!
– Use recent VM work (Docker, Jelastic) to rapidly spin up VMs for isolation.
– Continuous randomized testing. Single Sweeping is dead. Chaos Monkey, Janitor Monkey, Security Monkey, Doctor Monkey – the ‘Simian Army’ for continuous pounding and testing, thanks to Adrian and the Netflix crew.
– Multi Tenant Cloud crypto, data commingling, data hotel = Key Mgmt opportunity
– Intent Analysis, Behavioral Profiling. Behavioral Analytics of app/svc/connection/flow. Where’s OpenStack Behavioral Analysis?
– Unstructured data analytics, eventual consistency (Cassandra) used for Sec
– Internet <-> Data Center perimeter changing to top of rack; what does this imply?
– In memory networking and computation (think VMs, GridGain, Mongo): no pkts on the wire. Now what? “In Memory firewall”? A generic issue. NOT solved.
Did you know that just DLP alone was a $665M market in the USA alone in 2014 (Gartner)? Go for the big $$.
Huge Opportunities (cont)
– Translating CVEs, CERTs etc to actionable intelligence for enterprises AND applying it somehow.
– Device-Device IoT traffic analysis.
– Super Proxy, Super Tunnels (M’s)?
– CPU crypto load vs power; solve that equation.
– IoT sensor fencing, distance vector too.
– Plenty of OS and BIOS work to go around. Probability you can get your sec product on to the motherboard is, unfortunately, Zero. A real problem.
– Many IPv6 related problems, esp in Mobile Operators’ networks (major users)
Who is doing interesting Sec work NOW (startup wise)
– Automated code analysis with pointing to bad code, so less senior guys can handle the fix. As a Service for DevOps: Tinfoil Security. A step beyond Nessus, thinks “Nessus plus the fix”. Cute!
– Encryption of all data at rest, with selective reading/revocation: WatchDox (used a lot in Hollywood for screenplay protection)
– Secure private cloud within any cloud, multi tenancy, unstructured data protection: Varonis
– Secure enterprise collaboration, used by drug discovery pharma, finance: IntraLinks
– Network+VM+app+traffic analysis and microsegmentation: Illumio
– Non signature, zero day, heuristic tool: Cylance
– Behavioral Analysis: Veracode
– Behavioral Analytics: Fortscale
As promised: Who has the Worst Security in the World?
Hint… think of where VCs put their money in to …?
STARTUPS in Silicon Valley! The situation is laughable (maybe crying?). I have personally seen all of these…. Ask yourselves, do YOU say these words:
– “Of course it’s ok that all the source code is on every laptop all the time! How silly to ask!”
– “I am an ENGINEER (Cymbals Crashing sound!), I don’t maintain ….. Servers/AWS!”
– “We have no money for a sys Admin, I am busy coding, go away!”
– Password on our APs is the same as the company name or “12345” or blank
– “Log, what logs? I don’t need no stinkin’ logs, besides I am too busy to read them”
– Engineering will rebel if they don’t have root access to everything and every router!
– Locks? Doors wide open 24x7, machines being physically stolen
– Distributed teams with collaboration tools, code repos – “Why of course everyone needs full access to the entire code base.” GROAN!
Even more astounding is that Dumb VCs watch their $20M investment like a hawk, but not that their precious product output is being stolen under their noses.
US Senate Judiciary Committee – Estimate 1-3% US GDP trade secret theft every year via the net (5/1/2015 New York Times). Try 3% of $14T = $420B.
2014 – 18% of 1598 breaches examined were used for Trade Secret theft.
The Result – An Example
I was aware of an event where the bad guys came in, hit the server and thought they got the code base. They missed and hit the wrong server, so they came back 2 nights later and did succeed. $20M investment… poof! Did those guys get funded the 2nd time around?
So – think it through: if you include your good Sec hygiene practices to investors, it might make the difference about funding (at least to us!)