Security Opportunities A Silicon Valley VC Perspective
A Silicon Valley VC
The Facts of Life - 2015
Security “Nightmare Scenario” exists today
– State-sponsored actors, plus bespoke (custom) attack vectors tailored per corporation.
– Professional dev kits, release trains, PhD-level knowledge being applied (MD6).
– Jumbled, confusing mish-mash of alerts, CVEs, patch days, vendor advice. A mess!
– Android: ~2,000-4,000 config settings/calls affect the security of the OS/device (!) across many
facets of the OS.
– 170 GB/s DDoS record in April 2015.
– Anti-virus and signature-based approaches simply don’t cover enough any more.
And it’s going to get a lot worse with IoT (Sensity).
We already have numerous 5-8M node networks (electric utilities – BitStew).
Device-to-device autonomous communications are proliferating.
“Unexpected interactions”, such as SCADA affecting AC power affecting health care.
PLCs made in the ’80s are still out there.
Shodan is my friend. You can’t hide.
Certainly Not Confidential 2 Almaz Capital Partners
Problem: Most enterprises don’t understand that
Security = Corporate DNA = Culture
Which corp do you know that implements security as a ‘culture’?
Which corp stresses security as its ‘primordial DNA’?
The practice of security culture is usually absent. This is not a technical solution!
Which startup allows companies to easily inherit the above attributes? NONE
(opportunity). I do not mean consulting companies.
Where is your “Response Book”: a pre-planned, pre-staged, ready-to-go plan, with
call-up resources and policy?
Having a non-engineering senior person, with a pre-planned, multi-pronged response
book, following all the steps for “Break-in Type 27” is what a corp needs.
Responding after the fact, only by engineers, is wrong. Ask me why.
Can this be fixed? Is it what is holding back progress? Certainly.
State of the Industry - 2015
Anti-virus is a dead or dying offering; everyone in A/V is scrambling to position
themselves as “state actor repellent” (APT), with new market terminology.
The guy with the most monitoring nodes across the net wins: think FireEye, F-Secure
et al. Catch it quickly, publish in near real time is the mantra.
Real-time vs. forensic response is the trend: beyond app firewalls, dynamic response.
Behavioral analytics of people, packets and services are emerging. Huge interest
here. Heuristic monitoring. Correlation analysis across multiple axes. Rapidly
evolving. Firewalls are becoming heuristics collectors.
Massive-scale visualization and graphic modeling tools will be a big opportunity.
2015 What’s Not Working
Giving an illusion of security:
Full disk encryption – TPM.
Firewalls facing the wrong way, with no micro-analytic feeds for heuristics.
Most anti-virus software; in fact, AV makers are searching for new business models,
it’s so bad that sales are rapidly declining!
Fiddling with PAM, Active Directory and permission-based usage/access.
PCI, HIPAA, ISO 27002, NERC, GLBA, GPG13, FIPS 140 compliance mean little
to bad actors but give the illusion of progress to management. An acronym never kept
Crowded market, but many opportunities exist
Craft your pitch:
Using VC evaluation criteria (cheat sheet)
#1 TEAM – Is the team world class? Have they done this before? Before
anything else, TEAM is everything. Nothing can fix a poor team.
#2 Technology – Is this world-class thinking? Are there computer science
fundamentals behind it? Is the IP patentable (but don’t get hung up on that)?
#3 Market – How big, how much can they get, how much will that cost? How
much to get noticed? Is this an enterprise software sale, a service, consulting
or viral? Can you guess which model VCs like these days?
#4 Finance – How many $$ to get to Goal 1, Goal 2 and have 6 months’ reserve in
the bank? We can *always* find the money; get smart investors who will help.
Series A – make sure it doesn’t catch fire and burn up; Series B – sales and
mistakes: don’t worry about profit, take risks!
First mover usually wins; second mover watches first mover win.
Do you do due diligence on your VCs? You should!
Pitches/Huge opportunities we see
Golden Rule: “Do something which the customer needs and can’t do themselves.”
Solve their pain. Go for the largest market. Scale from there!
Use recent VM work (Docker, Jelastic) to rapidly spin up VMs for isolation.
Continuous randomized testing. Single sweeping is dead. Chaos Monkey, Janitor
Monkey, Security Monkey, Doctor Monkey – the ‘Simian Army’ for continuous
pounding and testing, thanks to Adrian and the Netflix crew.
Multi-tenant cloud crypto, data commingling, data hotel = key management opportunity.
Intent analysis, behavioral profiling.
Behavioral analytics: app/svc/connection/flow. Where’s OpenStack Behavioral
Unstructured data analytics, eventual consistency (Cassandra) used for security.
Internet <-> data center perimeter moving to top of rack: what does this imply?
In-memory networking and computation (think VMs, GridGain, Mongo): no packets on
the wire. Now what? An “in-memory firewall”? A generic issue. NOT solved.
Did you know that DLP alone was a $665M market in the USA in 2014
(Gartner)? Go for the big $$.
Huge opportunities (cont.)
Translating CVEs, CERT advisories etc. into actionable intelligence for enterprises AND
applying it somehow.
Device-to-device IoT traffic analysis. Super proxy, super tunnels (M’s)? CPU
crypto load vs. power: solve that equation.
IoT sensor fencing, distance vector too.
Plenty of OS and BIOS work to go around. The probability that you can get your security
product onto the motherboard is, unfortunately, zero. A real problem.
Many IPv6-related problems, especially in mobile operators’ networks (major users).
Who is doing interesting security work NOW
Automated code analysis that points to the bad code, so less senior engineers can
handle the fix. As a service for DevOps.
– Tinfoil Security. A step beyond Nessus; think “Nessus plus the fix”. Cute!
Encryption of all data at rest, with selective reading/revocation:
– WatchDox (used a lot in Hollywood for screenplay protection)
Secure private cloud within any cloud, multi-tenancy, unstructured data protection:
Secure enterprise collaboration, used by drug-discovery pharma, finance
Network+VM+app+traffic analysis and microsegmentation: Illumio
Non-signature, zero-day, heuristic tool: Cylance
Behavioral analysis: Veracode.
Behavioral analytics: Fortscale
Now for some fun!
Who has the worst security in the world?
Hint… think of where VCs put their money in to…?
STARTUPS in Silicon Valley !
The situation is laughable (maybe crying?). I have personally seen all of these….
Ask yourselves, do YOU say these words:
– “Of course it’s ok that all the source code is on every laptop all the time ! How silly to
– “I am an ENGINEER (cymbals crashing sound!), I don’t maintain ….. servers/AWS!”
– “We have no money for a sysadmin, I am busy coding, go away!”
– “Password on our APs is the same as the company name, or ‘12345’, or blank.”
– “Logs, what logs? I don’t need no stinkin’ logs; besides, I am too busy to read them.”
– “Engineering will rebel if they don’t have root access to everything and every router!”
– “Locks? Doors wide open 24x7,” machines being physically stolen.
– “Distributed teams with collaboration tools, code repos – why of course everyone needs
full access to the entire code base.” GROAN!
Even more astounding is that dumb VCs watch their $20M investment like a
hawk, but not the fact that their precious product output is being stolen under their noses.
US Senate Judiciary Committee – estimated 1-3% of US GDP lost to trade secret theft
every year via the net (5/1/2015, New York Times). Try 3% of $14T = $420B.
2014 – 18% of 1,598 breaches examined were used for trade secret theft.
The result – an example
I was aware of an event where the bad guys came in, hit the server and thought
they got the code base.
They missed and hit the wrong server, so they came back 2 nights later and did
$20M investment… poof! Did those guys get funded the 2nd
time around?
So – think it through: if you include your good security hygiene practices in your pitch to investors,
it might make the difference about funding (at least to us!)
Thanks For Listening