Israel Cybersecurity Landscape — January 2018

Gal Ringel
F2 Venture Capital
Feb 11, 2018

Redefining the “Traditional” Enterprise Perimeter

Nothing is truly protected! However, cybersecurity solutions are developed to address the risks before, once or after they materialize, and Israel excels at developing cutting-edge, innovative solutions across the cyber-board.

In recent years, global-scale cyber attacks have become more frequent and hackers continue to discover new attack vectors in existing and evolving domains, forcing cybersecurity vendors to constantly reinvent solutions in this cat-and-mouse game. At the same time, the “traditional” enterprise network is expanding and becoming increasingly complex, undefined and diffuse, as the enterprise perimeter moves into the cloud. These unique dynamics, which keep the market in an ongoing explosive phase, are catalysts for cybersecurity-related innovation and make the sector attractive for investments and M&A deals.

Chief Information Security Officers (CISOs) today also experience these dynamics, which make their job much more challenging. They are desperate for tools that can grant them more visibility and an easy way to govern security activities and products while, preferably, doing so with only a handful of vendors (“one-stop shop”).

With that in mind, we examined the cybersecurity landscape from three different perspectives: entrepreneurs, investors and corporates.

Entrepreneurs who are in the process of starting a cybersecurity company, developing their product or scaling their company up confront a new reality — being a “single-feature” company is no longer sufficient. CISOs are looking for a one-stop shop vendor, and from a potential investment perspective, being a cybersecurity niche or “single-feature” company is just not enough.

From the investors’ perspective, one of the characteristics of the Israeli cybersecurity domain in the past two years is the early acquisition of startups, which set the median time-to-exit at less than 5.5 years and kept the exit size less than $450 million. Given that large VC funds are usually after exits that are over $500 million, the size of the opportunity is not big enough.

When wearing a corporate hat, one should distinguish between internal use (i.e. CISOs) and Corporate MSSPs (Managed Security Service Providers).

Just like a herder trying to safely lead his sheep through the open meadows, CISOs today need high visibility into their decentralized and complex perimeter to be able to account for their assets and gain a better understanding of their organization’s cyber risk profile. Given this reality, asset mapping is a necessary feature.

Another aspect of the ever-evolving complexity of the enterprise perimeter is the number of security products that CISOs manage. Their responsibilities include managing policies of numerous gateways and firewalls and dealing with the ‘bring your own device’ headache, not to mention tackling the weakest link — the ‘human factor.’ Additionally, they address endless alerts aggregated on multiple monitoring screens while simultaneously investigating and responding to the significant ones. Therefore, on the top of CISOs’ wish lists are orchestration, automation and consolidation solutions which can help them govern their perimeter, cover more ground faster and allow them to focus on the core SOC activities of investigation and response.

While the CISO’s objective is to protect the company perimeter, an MSSP organization has a different agenda — to generate revenues by building the best portfolio of cybersecurity partners. For this task, most of the above-mentioned CISO requirements apply. On top of that, since MSSPs commonly use two rev-share models to partner with cybersecurity startups, (1) becoming a channel and/or (2) integrating partners’ solutions and selling them as security services, they require the startup’s product to possess multitenancy capabilities and meet stronger product resilience requirements. In addition, MSSPs will insist on strict SLA terms, assistance in ramping up sales and technical support teams, and GTM support.

The Israeli Cybersecurity Ecosystem — Funding and Exit Trends

With the above in mind, we decided to examine the Israeli cybersecurity ecosystem, which is considered a global leader in cyberspace. We created an updated infographic map of the Israeli cybersecurity landscape to highlight the top industry categories, startups, public companies and M&As. After many hours of analysis and numerous validation calls, over 500 companies were reduced to the 199 included on the map. It is important to note that we excluded companies specializing in offensive cybersecurity and security services. To qualify, companies must have raised at least $1 million of funding or generated at least $100,000 in annual revenues.

Furthermore, according to IVC-Meitar’s fundraising and exit report for 2017, there is a clear decline in both the number of financing deals and the amount raised in 2017 compared to 2016 and 2015.

On the M&A side — the market set a record in total exit volume in 2017, while the number of exits decreased dramatically. In theory — that means larger amounts per exit. However, a deeper look at the numbers shows that in practice, if you exclude outlier exits such as Argus Cybersecurity ($430 million), Skycure ($275 million) and FireGlass ($250 million) in 2017, and Cloudlock ($293 million) in 2016, the average exit size of cybersecurity companies in the past 2 years is less than $80 million. Although most of the exits have generated great returns, that might explain why there is a decline in investments, and why the local cybersecurity market in its current state is not attractive enough for large VC funds, which generally seek exits of over $500 million.

See link to high-definition below

The map in high-definition can be found here.

Trends and Insights

Through the process we uncovered several new cybersecurity findings that we would like to highlight:

  • Security integration and orchestration should be considered key criteria of any new technology investment since the product’s ability to integrate and orchestrate with other products in the target environment is elementary.
  • There is a shift away from using AI-based solutions, which suffer from high false-positive rates and indeterminate results, to a whitelisting-based approach, which is more accurate, non-statistical and in most cases, enhances protection.
  • Budgets and VC investments are shifting in emphasis from prevention solutions to incident investigation and response to overcome the cyber-talent shortage in SOCs and enable quick and effective responses.
  • Emerging new technologies and frameworks, such as serverless and docker/containers, are quickly being adopted, driving tailor-made cybersecurity solutions that operate on a micro-service level.
  • Industrial Control System (ICS) security has experienced a recent increase in demand, but in terms of market adoption, there is a long way to go, probably due to the conservative nature of the customers.
  • A new domain, healthcare security, is on the rise, driven by the recent WannaCry attack, which shut down the UK National Healthcare Service (NHS), as well as by increased demand for Electronic Medical Records (EMR) on the DarkNet.
  • The area of automotive security is seeing divergent trends. Solutions deployed outside the vehicles’ network are gaining momentum (e.g. cloud-based solutions for fleet protection), but in-vehicle security adoption is relatively slow, perhaps because the industry is awaiting regulation — and because OEMs are taking the time to assess different solutions, trying to find the best fit.
  • Many companies use buzzwords to make their value proposition more appealing, but it seems to create more confusion than clarity. Our advice is, be accurate, coherent, and concise.
  • The General Data Protection Regulation (GDPR) will raise the stakes for companies who suffer from cyber breaches causing privacy-related data loss. Those who experience these breaches or fail to meet GDPR requirements could face serious fines. To prepare, companies’ cybersecurity budgets are expected to increase.

Cutting Through the Mapping Challenges

Disclaimer: When we first thought about mapping the Israeli cybersecurity space, we did not expect it to be THAT HARD.

Facing the drawing board, our biggest challenges were (a) deciding whether the commonly-used security categories are still relevant today, and if not, defining new ones, and (b) classifying each company under the most appropriate category.

Though defining the cybersecurity categories might seem straightforward, it is not. As mentioned, the environment that CISOs need to protect has changed dramatically, as it now includes an increased number of networks, public/hybrid cloud environments and thousands of endpoints, mobile devices and IoT devices. This complex setting ultimately creates a high degree of overlap between the security categories. To overcome this predicament, we came to the conclusion that the “traditional” enterprise perimeter should be redefined to include solutions that not only overlap with the perimeter but can also “extend” it, such as containers and serverless security. Once defined, we applied its categories and decided which can stand alone outside of the perimeter yet still interact with it (e.g. cloud SaaS platforms, IoT platforms and devices). Vertical-focused categories such as automotive, industrial and UAVs were placed outside of the perimeter.

Satisfied with the defined baseline, we addressed our second challenge — classifying the companies. While sorting through companies, we quickly realized that (1) early-stage companies are relatively easy to classify because they mostly offer one product or focus on solving one security problem; (2) classifying later-stage companies is complicated since they usually offer more than one product for different attack vectors and provide a “full suite.” Therefore, we decided to classify the companies by either the core product/main offering or the target they are protecting. One example is Web Security, in which companies were classified by server protection (e.g. DDoS) or end-user protection (e.g. phishing). Another example is cloud-related categories, where we drew a line between Cloud Application Security, like native applications (e.g. containers and serverless) or cloud applications (e.g. Office 365), and Cloud SaaS Platforms Security (e.g. SD-WAN).

Additional categorization and classifying decisions

While it is common to treat “Deception” as a standalone category, we perceive it as a technology enabler/approach rather than a core-product since the goal is endpoint or network protection. For that reason, we decided to add another dimension to our map and highlight companies who use deception.

Gartner’s SOAR (Security Orchestration, Automation and Response) is a new category making its first appearance in an Israeli landscape mapping. Essentially, this category groups together tools that support Security Operations Center (SOC) activities, such as governing the security environment and reacting quickly to incidents by streamlining workflows and products (Orchestration), reducing manual procedures (Automation) and enabling investigation, mitigation and remediation (Response).

It is worth highlighting that Next-Gen AV and/or other solutions which utilize machine learning to proactively protect the endpoint are classified under Endpoint Protection, while EDR (Endpoint Detection and Response) solutions, which are more focused on enabling investigation and response, are classified under SOAR.

In conclusion, our main goal in this process was to provide an updated perspective on the Israeli cybersecurity ecosystem based on the points of view of entrepreneurs, investors and corporates, and to correlate these with our thesis of the redefined enterprise perimeter, in order to address questions such as: What types of solutions are out there? What are the most up-to-date security categories that group those solutions? Where are the blue/red oceans? Along the way, we highlighted high-profile companies and recent M&As.


About the writers:

Gal Ringel, Investment Manager at Verizon Ventures. Gal brings over 12 years of experience as a hands-on cyber technologist (8200, Israeli Elite Intelligence Unit alumnus), an entrepreneur, and an investment professional.

Nir Donitza, Senior Manager of Business Development and Partnering at Deutsche Telekom AG. Nir brings over 12 years of experience as a business development and cyber professional, a financial expert and a hands-on hardware technologist (Lotem, Israeli Elite Communication Unit alumnus).

Gal Ringel

CEO and co-founder at Mine (https://www.saymine.com). A technology geek, an entrepreneur by heart and an ex-VC investor. Forbes 30 under 30.