12 Startups Poised to Take On the Latest Cybersecurity Threats

The market is prime for a new class of startups that can decipher tomorrow’s cybersecurity threats.

According to Gartner, by 2020, 60 percent of digital businesses will fall victim to devastating service failures due to their inability to handle the threats present in new technologies. Digital hazards are so pervasive that Gartner reports that the worldwide security software market grew 4.9 percent and totaled $19.9 billion by the end of 2013.

Though these statistics are dismaying for government officials, the news is catalyzing IT entrepreneurs and venture capitalists to launch startups to meet demand. Research group PrivCo noted that early-stage funding for companies in the cybersecurity sector jumped by nearly 60 percent from 2012 to 2013, and listed worldwide investments at $244 million.

In light of the rising tide of cyberattacks, Government Technology interviewed 12 emerging security companies to hear about their strategies and tactics for protecting their customers’ digital assets.

Synack

Enterprise-level crowdsourced security testing for Web applications, mobile apps and host-based infrastructure. The company points to its Red Team, made up of security pros spanning six continents and 27 countries, as vital to the success of its security business model.
Primary customers: Retail, financial services, oil and gas, and health-care services.
Founded: January 2013
Founders: Jay Kaplan and Mark Kuhr

What’s the most dangerous threat affecting organizations?    
“The most dangerous threats are those that organizations don’t know about. Specifically, we find threats to mobile applications are on the rise. Every day organizations are getting compromised via a variety of attack vectors without ever realizing it.”

What’s the most dangerous type of malware today?
“Malware with an extremely small footprint is difficult to spot and difficult to remediate against. Malware and malware detection solutions will continue to play a cat-and-mouse game for many years to come.”— Jay Kaplan, CEO
 

Axon Ghost Sentinel

The startup provides protection for mobile devices, enterprise networks and smart devices within the Internet of Things, such as home automation systems, smart cars and smart medical devices. Its unique process deploys lightweight software entities called “ghosts” to assess device status, processes and application activity and to classify abnormal behavior in real time.
Primary customers: Consumers, small and medium-sized businesses, and large enterprise networks.
Founded: January 2014           
Founders: Kent Murphy, Sven Brueckner, Ravi Gupta, Andrew Yinger and Hugh Brooks  

What’s the biggest misconception IT professionals have about cybersecurity?
“That existing approaches to security — containerization, centralized data analysis, firewalls and anti-virus — can deal with new threats and especially, can work on new types of smart devices.”

What’s the most dangerous threat affecting organizations?
“The increasing reliance on more and different types of connected devices from phones to cars to thermostats to insulin pumps. These new devices are open to exploitation in ways never seen before and can pose a significant risk if not protected.”— Hugh Brooks, President

Shape Security

Shape says it challenges the traditional “detect and fix” model by adding a foundational layer of security to protect Web applications at the user interface level. Its flagship product, ShapeShifter, is a botwall that disables attacks from malware, botnets and scripts by mimicking the way malware evades anti-virus software, turning websites into moving targets, rendering malware, botnets and scripts unable to interact with them.

Primary customers: Emphasis on Fortune 50 companies with early adopters in financial services, health care and retail.
Founded: Stealth launch in 2011, official launch in January 2014
Founders: Derek Smith, Justin Call and Sumit Agarwal

What’s the most dangerous threat affecting organizations?

“Automation is the most dangerous threat and is what all attacks — from malware, botnets and scripts — have in common. These sophisticated attacks — such as account takeovers, application DDoS, database scraping and fake account creation — use automation to evade even the best security defenses.”

What’s the biggest misconception about cybersecurity?
“There are many big misconceptions, but one of the most pervasive is that ‘fully patched’ applications [software that’s been updated with protection] are secure.”— Shuman Ghosemajumder, VP of Strategy

Cylance

Next-generation endpoint security technology detects and blocks viruses, malware and spyware through machine-learning algorithms. Cylance says it’s the first to bring a signature-less, 100 percent machine-learning cybersecurity product to market, using technology that spots previously undetectable advanced threats. The company calls itself proactive rather than reactive; its approach relies on advanced mathematics rather than reactive signature- or trust-based systems.
Primary customers: Focused on government, Fortune 1000 companies, tech-sector companies and enterprise-level financial services.
Founded: July 2012
Founders: Stuart McClure and Ryan Permeh

What’s the most dangerous type of malware today?
“Malware that is targeted to steal a specific set of data from a customer, not compromise an entire system. It’s the most dangerous type of malware today. Because it’s an under-the-radar attack with a smaller scope and customized to the targeted environment, it can be easily underestimated by the IT departments built to defend it. This is a common threat, especially from Chinese and Russian hackers, who are looking to compromise core American businesses with greater frequency.”— Jon Miller, VP of Strategy

Bitglass

Bitglass offers enterprise-level data security, touting its ability to secure corporate data anywhere it goes — from the cloud, to the mobile device, and anywhere on the Internet. Bitglass provides a combination of visibility and data security — access control, data leakage prevention, cloud encryption, file encryption, data tracking/fingerprinting, etc. — in order to provide the appropriate levels of access to cloud data.
Primary customers: Multiple industries with emphasis in government, health care, financial services and other heavily regulated environments.
Founded: January 2013
Founders: Nat Kausik, Anurag Kahol, Anoop Bhattacharjya and Chris Chan

What’s the biggest misconception about cybersecurity?
“That the cloud is insecure. It’s the job of software-as-a-service application providers to ensure that their products are as secure as possible. Many SaaS vendors hire the best and the brightest in IT security, and buy the best security products in order to ensure the security of their customers’ data. But they are solely focused on preventing breaches into their infrastructure — things like denial of service attacks, malware outbreaks and widespread data exfiltration events.

There’s another set of security risks that cloud app vendors are less concerned with, risks that involve leakage of sensitive corporate data. When sensitive data stored in SaaS apps is not properly controlled, the result can be an inadvertent or malicious leakage of company data, theft of user credentials, regulatory compliance failure, etc. These types of risks are outside of the control of the SaaS application provider.”— Nat Kausik, CEO

CloudLock

Offering cloud security for data in Google Apps, Salesforce and more, CloudLock bills itself as the world’s only cloud-to-cloud security provider, enabling organizations to enforce regulatory, operational and security compliance easily and effectively. The company extends enterprise security controls to the cloud, responds to next-generation cybersecurity risk within public cloud platforms and increases adoption of SaaS apps.
Primary customers: Government agencies include the U.S. Naval Academy, National Defense University and more than 15 other federal departments. Commercial customers include Whirlpool, HBO, Seagate Technology and Pandora.
Founded: 2011
Founders: Gil Zimmermann, Tsahy Shapsa and Ron Zalkind

What’s the most dangerous threat affecting organizations?
“The exponentially growing threat surface represented by mobile and cloud applications and services. Businesses are self-selecting cloud solutions and outpacing traditional IT and security. This means that there is a very large threat surface that is addressed with legacy mindset and solutions.”

What’s the biggest misconception about cybersecurity?
“That it is an inhibitor. Security is not just for saying no. When used correctly, security enables IT professionals to say yes, and ultimately leads to happier and more productive workforces.”
— Ron Zalkind, Co-Founder and CTO

FireEye

FireEye offers protection against targeted attacks aimed at individuals and companies for specific data assets such as national secrets and intellectual property. The company’s proprietary hypervisor identifies multistage, multivector attacks.
Primary customers: Data companies, retail, financial sector, U.S. government and other governments protecting national secrets.
Date founded: 2004
Founder: Ashar Aziz

What’s the most dangerous threat affecting organizations?
“I would say as you look across governments in general, not just the U.S. federal government, but when you go down to states and localities, the biggest problem they have is not understanding that the data they have is valuable. … Even if they think their data isn’t important, they may be a steppingstone to another environment [or target].”

What’s the biggest misconception about cybersecurity?
“You hear the term ‘cyberwar,’ and regardless about how you think about it, it’s something that’s here, it’s not going to change and it’s going to be a continuous cat-and-mouse game for many years and for the foreseeable future. … We have to be diligent 24 by 7.”— Tony Cole, VP and Global Government CTO
 

ThreatStream

The company enables threat intelligence through actionable advice, priority ranking of an organization’s threat intelligence stream, real-time threat detection and algorithmic detection. Facilitating trusted collaboration between organizations, ThreatStream lets customers share threat intelligence findings publicly or privately to better identify and defend against cyberattacks.
Primary customers: Fortune 2000 and government customers.
Date founded: 2012 launched in stealth mode, made public February 2014
Founder: Greg Martin

What’s the most dangerous type of malware today?
“Password stealers — the low-lying, advanced, persistent threat waiting to capture password information or credit card details. It is inactive for long periods of time while watching network traffic and gathering information. The recently discovered theft of 1.2 billion usernames and passwords [by Russian hackers in August] is a great example. If security teams had a way to share threat information more quickly, these problems would not become such great successes and never make such headlines.”— Greg Martin, CTO

BitSight

BitSight claims to secure corporate data anywhere it goes — from the cloud, to the mobile device and on the Internet. The company describes its approach as “quantified and evidence-based,” using globally placed Internet sensors to detect malicious activity coming out of an entity’s network.
Primary customers: Finance, retail, education, utilities, health care, insurance and more.
Founded: 2011
Founders: Stephen Boyer and Nagarjuna Venna

What’s the biggest misconception about cybersecurity?
“Regularly updating [malware code] definitions in anti-virus and firewall systems will be enough to protect the organization from the changing threat landscape. Organizations need to have an active view of their security performance that tracks change over time and provides metrics that can be understood by business executives as well. This way, cybersecurity becomes a strategic business issue instead of a rote task of checking minimum requirements.”— Stephen Boyer, Founder and CTO
 

Confer

Confer protects servers, laptops, mobile devices and other endpoint users from sophisticated attackers through cloud-based behavioral tracking. The company’s advanced detection and incident response uses a single sensor and gives administrators detailed information on malware — how it got there, when it got there, what it did, etc.
Primary customers: Both enterprise and public-sector institutions with deployments ranging from 100-person companies to Fortune 50 companies.
Founded: 2013
Founders: Jeff Kraemer, Paul Morville and Mark Quinlivan

What’s the most dangerous type of malware today?
“In the past, we worried a lot about destructive attacks such as fast-moving worms, but we don’t see these as much lately and they are easy to detect. We worry a lot more about custom-developed, targeted attacks that are remote-controlled. They fly past anti-virus protection and are very hard to detect from the network. Meanwhile, they provide unfettered access to any information on that machine and can be a leverage point for a broader attack.”— Paul Morville, VP of Products

Veracode

Veracode provides a cloud-based platform for application risk assessment and management. The company delivers a widely used cloud-based service for securing a variety of enterprise applications, including Web, mobile, legacy and third-party, identifying application-level threats before they can be exploited by cybercriminals.
Primary customers: Global enterprise companies, including three of the top four banks in the Fortune 100 and more than 25 of the world’s top 100 brands.
Founded: 2006
Founders: Chris Wysopal and Christien Rioux

What’s the biggest misconception about cybersecurity?
“The biggest misconception is around the need to block attacks from threat actors such as organized crime and nation states, and that protection alone can secure an enterprise. This has created an over-dependence on firewalls and endpoint security, as well as other tool-based security approaches. The reality is, more than 50 percent of attacks target the vulnerabilities in the application layer.”— Chris Wysopal, Co-Founder and CTO
 

Trustwave

Trustwave has three main areas of expertise: compliance and risk management, managed security services, and threat intelligence research and services. Its 50-plus patents legitimize the company’s security-on-demand services, offered through its cloud-based portal platform, Trustkeeper.
Primary customers: Small businesses to Fortune 500 companies across industries, including government, with services touching 2 million customers in more than 96 countries.
Founded: 1995
Founders: Robert McCullen and Andrew Bokor

What’s the most dangerous threat affecting organizations?

“Unfortunately there is no one single threat that affects all organizations. Every organization has its own unique threat profile based on its industry, business model, adoption of technology (for instance, an e-commerce presence) and internal security awareness. Some industries are more targeted than others, like retail and hospitality. According to Trustwave’s Global Security Report, retail was once again the top industry compromised, making up 35 percent of the attacks investigated in 2013. Food and beverage ranked second at 18 percent and hospitality ranked third at 11 percent.”— Karl Sigler, Threat Intelligence Manager  

Editor’s Note: Trustwave was named in multiple lawsuits by financial institutions related to the company’s relationship with Target during its massive data breach discovered late last year. While the claims point fingers at Trustwave for failing to spot the retailer’s security vulnerabilities, CEO Robert McCullen called the claims “without merit” in an open letter to customers and business partners. “... Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target,” he said. Further, the suits were dismissed in April 2014 when the two banks involved, Trustmark National Bank and Green Bank, filed to dismiss them.


Editor’s Note: Company responses have been edited for length.    

 

Jason Shueh is a former staff writer for Government Technology magazine.