The Future of Cyber Security

I’m willing to bet that cyber security conference attendance is a lagging indicator of the number of high-profile attacks perpetrated in the prior twelve months. That’s the only explanation I can think of for the record 33k+ attendees at this year’s RSA Conference: scared IT teams, eager security vendors and curious investors like myself (plus the always-amusing smattering of government spooks) swarmed Moscone for the better part of a week in April, trying to understand the technology market’s reaction to the Target credit card hack and Anthem database breach, and figure out what they need to do to avoid becoming the next victim.

Each year I try to sort through the hundreds of new security vendors I saw at the show and distill a handful of themes from them. The value to me is knowing what questions to ask the major security buyers in order to forecast interest in a startup’s solution. It also helps to predict future competitive convergence among different solutions, which is essential when managing a portfolio of security investments. Here are a few of those themes, along with an investor’s perspective on them:

Big data analytics meets security: By far the most common theme this year was the use of big data collection and analytics for security-specific purposes. Some companies focused on the hard task of collecting, storing and making accessible the vast amounts of data from network logs, packet flows and application logs. Others focused on detecting threats in that data and turning the results into actionable intelligence once it was collected.

Trinity has made several bets leveraging this trend. Cyphort combines sandboxing and machine learning to identify advanced persistent threats in real time. Protectwise uses a cloud analytics platform to record, retain and retrospectively analyze full-fidelity network data. Harvest.AI offers a next-generation data-loss prevention (DLP) solution that uses machine learning to automatically discover the value of enterprise documents and files, both in the cloud and on-premises. Other companies, including Caspida, Exabeam, Fortscale and RedJack, are attempting to disrupt the SIEM market by making better use of user behavior data and drawing faster, more actionable insights from disparate data sources. We are bullish about opportunities pursuing this theme, as our investments here show.
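To make the user-behavior theme concrete, here is an added example (not code from the original post or from any of the vendors named above) of the core idea behind this class of product: build a per-user baseline from a training window of authentication events, then score new events by how many baseline attributes they deviate from. The log format, the fields chosen (target host, source /24, hour of day), the one-hour slack and the alert threshold are all assumptions, and the log lines are constructed.

```python
# Added example (not code from the original post or from any vendor named
# in it): a minimal user-behavior baseline over constructed authentication
# events. Log format, fields, slack and threshold are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Fields: timestamp user src_ip target_host outcome
BASELINE_LOGS = """\
2015-03-02T09:02:11 alice 10.1.4.22 fileserver01 success
2015-03-02T09:40:55 alice 10.1.4.22 mail01 success
2015-03-03T08:55:03 alice 10.1.4.22 fileserver01 success
2015-03-04T10:12:47 alice 10.1.4.23 fileserver01 success
2015-03-02T14:03:09 bob 10.1.7.80 db01 success
2015-03-03T15:21:30 bob 10.1.7.80 db01 success
2015-03-04T13:48:12 bob 10.1.7.81 db01 success
"""

NEW_LOGS = """\
2015-03-05T09:15:00 alice 10.1.4.22 fileserver01 success
2015-03-05T03:12:41 alice 203.0.113.9 db01 success
2015-03-05T03:13:05 alice 203.0.113.9 fileserver01 failure
2015-03-05T14:00:00 bob 10.1.7.80 db01 success
"""


def parse_events(text):
    """Parse the whitespace-separated log format assumed above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, host, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "net": ip.rsplit(".", 1)[0],   # /24 prefix as a coarse "usual network"
            "host": host,
            "outcome": outcome,
        })
    return events


def build_profiles(events):
    """Per-user sets of hosts, source /24s and hours seen in the baseline window."""
    profiles = defaultdict(lambda: {"hosts": set(), "nets": set(), "hours": set()})
    for e in events:
        p = profiles[e["user"]]
        p["hosts"].add(e["host"])
        p["nets"].add(e["net"])
        p["hours"].add(e["ts"].hour)
    return profiles


def score_event(event, profiles):
    """Count how many baseline attributes the event deviates from, with reasons."""
    p = profiles.get(event["user"])   # .get() does not create a default entry
    if p is None:
        return 3, ["user never seen in baseline"]
    reasons = []
    if event["host"] not in p["hosts"]:
        reasons.append("new target host %s" % event["host"])
    if event["net"] not in p["nets"]:
        reasons.append("new source network %s.0/24" % event["net"])
    # Allow one hour of slack either side of the hours seen in the baseline.
    hour = event["ts"].hour
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        reasons.append("unusual hour %02d:00" % hour)
    return len(reasons), reasons


def detect_anomalies(new_text, baseline_text, threshold=2):
    """Return (user, timestamp, score, reasons) for events at or above threshold."""
    profiles = build_profiles(parse_events(baseline_text))
    alerts = []
    for e in parse_events(new_text):
        s, reasons = score_event(e, profiles)
        if s >= threshold:
            alerts.append((e["user"], e["ts"].isoformat(), s, reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, s, reasons in detect_anomalies(NEW_LOGS, BASELINE_LOGS):
        print("%s %s score=%d: %s" % (ts, user, s, "; ".join(reasons)))
```

Run it and the two alice events from 203.0.113.9 at 03:00 score 3 and 2 while the daytime logins from usual networks score 0. The design points are what matter: each alert carries its reasons so an analyst can act on it, a never-seen user degrades to a maximal score rather than a crash, and the baseline is just sets that any SIEM can materialize. Real products replace the fixed threshold with learned per-user distributions and fuse many more signals, but the shape is the same.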

Threat intelligence on the rise: With the increase in sophisticated zero-day attacks and advanced persistent threats, a number of new companies have emerged to provide threat intelligence feeds to enterprises. Abusix has deployed a network of its own sensors that collect data about botnet activity, and provides analytics on top of that data. They have traction with service providers and SaaS vendors and plan to expand into the enterprise. ThreatStream also appears to be gaining momentum in this market, with an approach that draws on inputs from a trusted community of enterprise customers. This is an interesting area that we’re following, though we have some concerns about how large a business can be built here.

Revenge of the endpoints: Historically, there was great resistance to deploying endpoint software given the work it required of IT. That friction was one of the biggest challenges one of our previous companies, Sygate (acquired by Symantec), faced in scaling its business. In the age of the downloadable mobile app, there appears to be more willingness to deploy endpoint software, and you now see rapid adoption of endpoint-based solutions like Tanium and Bit9. Other up-and-comers focused on endpoint security include Cyvera, which appears to be starting with the Microsoft ecosystem; Cylance, which positions itself as next-generation anti-virus; and Sentinel Labs, which leverages a predictive execution inspection engine. This is an area that can create some large outcomes, though it looks more like a “winner-take-all” market.

Emergence of active defense: We saw early signs of companies focusing on active defense: intercepting intrusions and deceiving the attacker into thinking they’ve found valuable digital assets when really they’re chasing shadows. Cymmetria has an interesting approach that provides a deception “stack” to confuse the attacker. Shadow Networks takes a similar approach, marrying advanced threat detection with decoys of enterprise assets. Early growth in software-defined networking (SDN) usage is making this dream a reality, though we’re far from any large-scale production implementations. This is an emerging area that we are tracking closely.
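As an added example of the deception idea (not code from the original post, Cymmetria or Shadow Networks), here is the minimal version of a decoy layer: register hosts and accounts that look like real assets but that no legitimate process is configured to use, treat any touch of them as a high-confidence alert, and use the touching source address as a pivot to pull back earlier activity that looked benign on its own. Asset names, addresses, the planted accounts and the log format are all assumptions, and the events are constructed.

```python
# Added example (not code from the original post, Cymmetria or Shadow
# Networks): a toy deception layer. Asset names, addresses, planted
# accounts and the log format are assumptions; the events are constructed.

REAL_HOSTS = {"fileserver01", "db01", "mail01"}

# Decoys registered alongside the real inventory. The host names look like
# plausible neighbours of real hosts; the accounts are "leaked" in a planted
# config file that only someone rummaging through shares would read.
DECOY_HOSTS = {"fileserver02", "db02"}
DECOY_ACCOUNTS = {"svc_backup", "sqladmin_old"}

# Constructed sample events. Fields: timestamp src_ip user target_host action
EVENTS = """\
2015-03-05T03:20:10 10.1.4.22 alice fileserver01 smb_connect
2015-03-05T03:25:44 10.1.9.55 alice fileserver01 smb_connect
2015-03-05T03:26:02 10.1.9.55 alice fileserver02 smb_connect
2015-03-05T03:27:30 10.1.9.55 svc_backup db02 logon_attempt
2015-03-05T09:00:00 10.1.7.80 bob db01 logon
"""


def validate_decoys():
    """Decoys must not shadow real assets, or legitimate traffic would alert."""
    return DECOY_HOSTS.isdisjoint(REAL_HOSTS)


def parse_events(text):
    """Parse the whitespace-separated format assumed above into dicts."""
    keys = ("ts", "src", "user", "host", "action")
    return [dict(zip(keys, line.split()))
            for line in text.splitlines() if line.strip()]


def decoy_hits(events):
    """Events that touch a decoy host or use a decoy account, with reasons.
    No benign workflow references a decoy, so each hit is high confidence."""
    hits = []
    for e in events:
        reasons = []
        if e["host"] in DECOY_HOSTS:
            reasons.append("decoy host " + e["host"])
        if e["user"] in DECOY_ACCOUNTS:
            reasons.append("decoy account " + e["user"])
        if reasons:
            hits.append((e, reasons))
    return hits


def attacker_sources(events):
    """Source addresses that ever touched a decoy: the pivot for hunting."""
    return {e["src"] for e, _ in decoy_hits(events)}


def retro_hunt(events):
    """All activity from attacker sources, including earlier events that
    looked benign on their own (here the 03:25 touch of the real fileserver01)."""
    srcs = attacker_sources(events)
    return [e for e in events if e["src"] in srcs]


if __name__ == "__main__":
    assert validate_decoys()
    evs = parse_events(EVENTS)
    for e, reasons in decoy_hits(evs):
        print("ALERT %s from %s: %s" % (e["ts"], e["src"], ", ".join(reasons)))
    for e in retro_hunt(evs):
        print("related %s %s %s %s" % (e["ts"], e["src"], e["user"], e["host"]))
```

The value of the decoy touch is its precision: alice connecting to fileserver01 from 10.1.9.55 at 03:25 is indistinguishable from normal work in isolation, but once the same source reaches fileserver02 and tries the planted svc_backup account, retro_hunt pulls that earlier connection into the incident. Two practical caveats the code encodes: decoys must never collide with the real inventory (validate_decoys), and they must be reachable and plausible to the attacker, which is where SDN-based approaches earn their keep by placing decoys into the real topology rather than on a separate lab network.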

There is a lot of noise and activity in the security market, but I am excited about the quality of the new technologies and teams addressing the growing and critical cyber security problem that businesses face today.