Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Security Opportunities
A Silicon Valley VC
Perspective
May 2015
Geoffrey Baehr
General Partner
The Facts of Life - 2015
 Security “Nightmare Scenario” exists today
– State sponsored actors, also bespoke (custom), per...
Problem: Most Enterprises don’t understand
Security = Corporate DNA = Culture
 Which Corp do you know which implements se...
State of the Industry - 2015
 Anti Virus a dead or dying offering, everyone in A/V scrambling to position
themselves as “...
2015 What’s Not Working
Giving an illusion of Security
 Full Disk Encryption – TPM
 Firewalls facing the wrong way, with...
Crowded Market but many opportunities exist
Certainly Not Confidential
6Almaz Capital Partners
The Secure
Enterprise
AAA
P...
Craft your Pitch:
Using VC Evaluation Criteria (cheat sheet)
 #1 TEAM – is the team world class ? have they done this bef...
Pitches/Huge Opportunities we see
 Golden Rule “Do something which the customer needs and can’t do themselves”
Solve thei...
Huge Opportunities (cont)
 Translating CVE’s, CERT’s etc to actionable intelligence for enterprises AND
applying it someh...
Who is doing interesting Sec work NOW
(startup wise)
 Automated code analysis with pointing to bad code, so less senior g...
Now for some Fun !
Certainly Not Confidential 11Almaz Capital Partners
As promised:
Who has the Worst Security in the World ?
Hint… think VC’s put their money in to … ?
Certainly Not Confidenti...
STARTUPS in Silicon Valley !
 Situation is laughable (maybe crying?) I have personally seen all of these….
 Ask yourselv...
The Result – An Example
 I was aware of an event where the bad guys came in, hit the server and thought
they got the code...
Thanks For Listening
Certainly Not Confidential 15Almaz Capital Partners
Upcoming SlideShare
Loading in …5
×

Security Opportunities A Silicon Valley VC Perspective

488 views

Published on

Security Opportunities A Silicon Valley VC Perspective

Published in: Business
  • Be the first to comment

  • Be the first to like this

Security Opportunities A Silicon Valley VC Perspective

  1. 1. Security Opportunities A Silicon Valley VC Perspective May 2015 Geoffrey Baehr General Partner
  2. 2. The Facts of Life - 2015  Security “Nightmare Scenario” exists today – State sponsored actors, also bespoke (custom), per corp customized attack vectors. – Professional dev kits, release trains, PhD level knowledge being applied (MD6) – Jumbled, confusing mish mash of Alerts, CVE’s, Patch Days, Vendor advice. Mess ! – Android ~2-4000 config settings/calls affect security of OS/device (!) across many facets of the OS. – 170 GB/s DDoS record in April 2015 – Anti virus and signature based approaches simply don’t cover enough any more  And it’s going to get a lot worse = IoT (Sensity)  We already have have numerous 5-8M node networks (Electric Utils -BitStew)  Device-Device autonomous communications proliferating  “Unexpected interactions” such as SCADA affecting AC power affecting health care  PLC’s made in the 80’s are out there.  Shodan is my friend  You can’t hide Certainly Not Confidential 2Almaz Capital Partners
  3. 3. Problem: Most Enterprises don’t understand Security = Corporate DNA = Culture  Which Corp do you know which implements security as a ‘Culture’ ?  Which Corp stresses Security as its ‘primordial DNA’ ?  The practice of Security Culture is usually absent. Not Technical solution !  Which startup allows companies to easily inherit the above attributes ? NONE (opportunity). I do not mean consulting companies.  Where is your “Response Book”, pre planned, pre-staged, ready to go plan, with call up resources and policy ?  Having a non engr Senior person, with a pre-planned, multi pronged response book, following all the steps for “Breakin Type 27” is what a Corp needs.  Responding after the fact, only by engrs, is wrong. Ask me why ?  Can this be fixed ? Is it what is holding back progress ? Certainly. Certainly Not Confidential 3Almaz Capital Partners
  4. 4. State of the Industry - 2015  Anti Virus a dead or dying offering, everyone in A/V scrambling to position themselves as “State Actor repellent” (APT) ! With a new Market Terminology.  The guy with the most monitoring nodes across the net wins: Think FireEye, F- Secure et al. Catch it quickly, publish in near real time is the mantra.  Real Time vs Forensic response the trend, beyond AppFWs, dynamic response  Behavioral analytics of people, packets and services emerging. Huge interest here. Heuristic monitoring. Correlation analysis across multiple axis. Rapidly evolving. Firewalls becoming heuristics collectors.  Massive scale Visualization and graphic modeling tools will be a big opportunity Certainly Not Confidential 4Almaz Capital Partners
  5. 5. 2015 What’s Not Working Giving an illusion of Security  Full Disk Encryption – TPM  Firewalls facing the wrong way, with no micro analytic feeds for heuristics.  Most anti virus SW, in fact, AV makers are searching for new business models, it’s so bad that sales are rapidly declining !  Fiddling with PAM, Active Dir and permission based usage/access.  PCI, HIPPA, ISO 27002, NERC, GLPA, GPG13, FIPS 140 compliance mean little to bad actors but give the illusion of progress to mgmt. An acronym never kept anyone safe. Certainly Not Confidential 5Almaz Capital Partners
  6. 6. Crowded Market but many opportunities exist Certainly Not Confidential 6Almaz Capital Partners The Secure Enterprise AAA Perimeter Control Internal/ File Integrity Authentication Intrusion Detection Vulnerability Assessment Threat Management Administration Authenti- cation Authorization Application Security Kernel Security IDVA Security Antivirus VPN Firewall Entegrity Content Inspection DENIAL OF SERVICE $ $ $ $ $ $ $ $ $ $ $ $ $
  7. 7. Craft your Pitch: Using VC Evaluation Criteria (cheat sheet)  #1 TEAM – is the team world class ? have they done this before ? Before anything else, TEAM is everything. Nothing can fix a poor team.  #2 Technology – is this world class thinking ? Are there Computer Science fundamentals behind it ? It the IP patentable (but don’t get hung up on that)  #3 Market – How big, how much can they get, how much will that cost ? How much to get noticed ? Is this an Enterprise Software sale, a Service, Consulting or viral ? Can you guess which model VC’s like these days ?  #4 Finance – How many $$ to get to Goal 1, Goal 2 and have 6 mos reserve in the bank. We can *always* find the money, get smart investors who will help.  Series A – make sure it doesn’t catch fire and burn up, Series B – Sales and Marketing expansion.  Mistakes: don’t worry about profit, take risks !  First mover usually wins, second mover watches first mover win.  Do you do Due Diligence on your VC’s ? You should ! Certainly Not Confidential 7Almaz Capital Partners
  8. 8. Pitches/Huge Opportunities we see  Golden Rule “Do something which the customer needs and can’t do themselves” Solve their pain. Go for the largest market. Scale from there !  Use recent VM work (Docker, Jelastic) to use rapid spinup VM’s for isolation  Continuous randomized testing. Single Sweeping is dead. Chaos Monkey, Janitor Monkey, Security Monkey, Doctor Monkey – ‘Simian Army’ for continuous pounding and testing, thanks to Adrian and Netflix crew.  Multi Tenant Cloud crypto, data comingling, data hotel = Key Mgmt opportunity  Intent Analysis, Behavioral Profiling.  Behavioral Analytics, app/svc/connection/flow. Where’s OpenStack Behavioral Analysis ?  Unstructured data analytics, eventual consistency (cassandra) use for Sec  Internet <-> Data Center perimeter changing to top of rack, what does this imply?  In memory networking and computation (think VM’s, GridGain, Mongo) no pkts on the wire. Now what ? “In Memory firewall” ? A generic issue. NOT solved.  Did you know that just DLP alone was a $665M market in the USA alone 2014 (Gartner) ? Go for the big $$. Certainly Not Confidential 8Almaz Capital Partners
  9. 9. Huge Opportunities (cont)  Translating CVE’s, CERT’s etc to actionable intelligence for enterprises AND applying it somehow.  Device-Device IoT traffic analysis. Super Proxy, Super Tunnels (M’s) ? CPU crypto load vs power, solve that equation.  IoT sensor fencing, distance vector too.  Plenty of OS and BIOS work to go around. Probability you can get your sec product on to the motherboard is unfortunately, Zero. A real problem.  Many IPv6 related problems, esp in Mobile Operators networks (major users) Certainly Not Confidential 9Almaz Capital Partners
  10. 10. Who is doing interesting Sec work NOW (startup wise)  Automated code analysis with pointing to bad code, so less senior guys can handle the fix. As a Service for DevOps. – Tinfoil Security. A step beyond nessus, thinks “nessus plus the fix”. Cute !  Encryption of all data at rest, with selective reading/revocation: – WatchDox (used a lot in Hollywood for screenplay protection)  Secure private cloud within any cloud, multi tenancy, unstruct data protection: Varonis  Secure enterprise collaboration, used by drug discovery pharma,finance – IntraLinks  Network+VM+app+traffic analysis and microsegmentation: Illumio  Non signature, zero day, heuristic tool: Cylance  Behavioral Analysis: Veracode.  Behavorial Analytics: Fortscale Certainly Not Confidential 10Almaz Capital Partners
  11. 11. Now for some Fun ! Certainly Not Confidential 11Almaz Capital Partners
  12. 12. As promised: Who has the Worst Security in the World ? Hint… think VC’s put their money in to … ? Certainly Not Confidential 12Almaz Capital Partners
  13. 13. STARTUPS in Silicon Valley !  Situation is laughable (maybe crying?) I have personally seen all of these….  Ask yourselves, do YOU say these words: – “Of course it’s ok that all the source code is on every laptop all the time ! How silly to ask !” – I am an ENGINEER (Cymbals Crashing sound!), I don’t maintain ….. Servers/AWS! – We have no money for a sys Admin, I am busy coding, go away ! – Password on our AP’s is same as company name or “12345” or blank – Log, what logs ? I don’t need no stinkin’ logs, besides I am too busy to read them – Engineering will rebel if they don’t have root access to everything and every router! – Locks ? Doors wide open 24x7, machines being physically stolen – Distributed teams with collaboration tools, code repos – Why of course everyone needs full access to the entire code base. GROAN !  Even more astounding is that Dumb VC’s watch their $20M investment like a hawk, but not that their precious product output is being stolen under their noses  US Senate Judiciary Committee – Estimate 1-3% US GDP trade secret theft every year via net (5/1/2015 New York Times). Try 3% of $14T = $420B.  2014 – 18% of 1598 breaches examined were used for Trade Secret theft. Certainly Not Confidential 13Almaz Capital Partners
  14. 14. The Result – An Example  I was aware of an event where the bad guys came in, hit the server and thought they got the code base.  They missed and hit the wrong server, so they came back 2 nights later and did succeed.  $20M investment… poof ! Did those guys get funded the 2nd time around ?  So – think it through, if you include your good Sec hygiene practices to investors, it might make the difference about funding (at least to us !) Certainly Not Confidential 14Almaz Capital Partners !
  15. 15. Thanks For Listening Certainly Not Confidential 15Almaz Capital Partners

×