March 2016

1IT Enterprise | Why Protected Encryption Is Very Important


By Robert Ackerman Jr | Founder & Managing Director of Allegis Capital


As anybody familiar with the computer industry knows, the FBI wants Apple to break security protections on an iPhone linked to the deadly San Bernardino terrorist attacks — and a U.S. district court has ordered Apple to do just that.

Apple is fighting the decision for good reason. If it obeyed the court, the security of the iPhone could be compromised, helping to set in motion a trend that would materially undermine the effectiveness of cybersecurity in every conceivable venue.

Many law enforcement officials do not agree with this view; they believe encryption already allows far too many criminals to go scot-free. But why lean on Apple to crack a phone they may be able to crack themselves?

Authorities might be able to accomplish this, for example, by using a very precise atomic saw that can cut through the outer structures of the A6 microprocessor inside the phone, according to a recent story in The Wall Street Journal. They could target the portion of the chip that holds the user ID (the UID key). Then they could move the iPhone’s scrambled data to another computer and unlock it by using technology to guess the passcode of San Bernardino killer Syed Rizwan Farook.

It is true that this tactic would be risky and very expensive. And if anything goes wrong during the process, the data could be lost forever. But why is this a greater risk than forcing Apple to comply with authorities and possibly provide the essence of a “golden key” to unveil encrypted communications to help catch criminals and terrorists?

The authorities always sidestep one extremely important detail — in the domain of cybersecurity and encryption, the bad guys are just as smart as the good guys. Exploiting vulnerabilities is their expertise. If there is a back door, they will find it, exploit it and seize valuable personal data. And how can we trust government entities, which are regularly breached, to keep such a golden key safe from criminals?

Data is the target of the vast majority of breaches of every stripe. Encryption is the last resort of data defense, one used to protect data 99.999 percent of the time. If encryption is penetrated, the cornerstone of defense disappears and the stage is set for even more hacking mayhem.

Two fundamental issues are at play in the Apple-FBI brouhaha. One is the Fourth Amendment of the Constitution, which protects against unreasonable searches and seizures. Isn’t this the point of encryption? The second issue is whether a back door would, in fact, improve the effectiveness of the FBI and other law enforcement agencies. FBI Director James Comey has suggested that police would have been able to track down the shooter of an Illinois man last year but for encryption built into both of the victim’s phones. What he failed to mention was that one of the phones – a Samsung Galaxy S6 – isn’t encrypted by default.

Let’s return to the specifics of the dispute. For most iPhones, the greatest danger is posed by criminals. If thieves can break into these phones, victims can easily be exposed to identity theft and perhaps even extortion. This is one of the main reasons Apple designed stronger encryption, starting with the iOS 8 operating system. Any software that bypasses those protections could materially hurt iPhone users.

It’s true that the FBI’s proposed system for Apple has protections to ensure its passcode hack can’t be used by anyone else. Apple signs any automatic firmware updates before a given iPhone will accept them, and the FBI’s proposed update would be coded to an individual phone. The software wouldn’t install unless the phone’s serial number matches the serial number in the code. The method proposed by the FBI is also specific to the iPhone 5c, the one in Farook’s possession. While this model doesn’t have the Secure Enclave chip that ties lock screen protections to hardware in newer iPhones, it’s highly likely that the FBI would request similar methods for cracking Enclave-equipped phones if it is successful in its current feud with Apple.

The software proposed by the FBI can be useful to thieves even though it can’t be used to unlock other phones. If the code falls into the wrong hands, it can potentially be reverse-engineered into a generic version, removing the code that ties the attack to a specific phone.

This reverse-engineered version would still need Apple’s signature before it could be installed – something, of course, thieves are unlikely to have. The fundamental point, however, is that the signature system would be the only thing protecting a stolen iPhone and the information inside it. By itself, this is a huge problem. New vulnerabilities pop up in software all the time, and no single system is ever considered entirely impenetrable. An undisclosed vulnerability could be used in a way that Apple and the FBI can’t predict.
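As an added example (not from the article, and not Apple's code or update format), a small Go model of the device-side acceptance check the two paragraphs above describe: the vendor signature covers the device serial together with the update body, so re-binding a leaked image to another serial, or editing its body, fails signature verification before the serial comparison is ever reached. The key, serial values and image layout are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a constructed update format for this example, not Apple's real
// one: the body is bound to one device serial, and the vendor signature
// covers both the serial and the body.
type Image struct {
	Serial    string
	Body      []byte
	Signature []byte
}

var ErrBadSignature = errors.New("vendor signature does not verify")
var ErrSerialMismatch = errors.New("image is bound to a different device")

// signedPayload length-prefixes the serial so a serial/body pair cannot be
// re-split into a different pair with the same signed bytes.
func signedPayload(serial string, body []byte) []byte {
	buf := make([]byte, 4, 4+len(serial)+len(body))
	binary.BigEndian.PutUint32(buf, uint32(len(serial)))
	buf = append(buf, serial...)
	return append(buf, body...)
}

// NewVendorKey returns a throwaway key pair standing in for the vendor's.
// A fixed all-zero seed is used only so the example is deterministic.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignImage produces an update that only the device with this serial accepts.
func SignImage(priv ed25519.PrivateKey, serial string, body []byte) Image {
	sig := ed25519.Sign(priv, signedPayload(serial, body))
	return Image{Serial: serial, Body: body, Signature: sig}
}

// Install models the device-side check: verify the signature over serial and
// body together first, then compare the serial. Editing either field yields
// a rejected image rather than a usable generic one.
func Install(vendorPub ed25519.PublicKey, deviceSerial string, img Image) error {
	if !ed25519.Verify(vendorPub, signedPayload(img.Serial, img.Body), img.Signature) {
		return ErrBadSignature
	}
	if img.Serial != deviceSerial {
		return ErrSerialMismatch
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	img := SignImage(priv, "SERIAL-A", []byte("update body"))
	fmt.Println("own device:   ", Install(pub, "SERIAL-A", img))
	fmt.Println("other device: ", Install(pub, "SERIAL-B", img))
	img.Serial = "SERIAL-B" // try to re-bind the same image to another phone
	fmt.Println("re-bound:     ", Install(pub, "SERIAL-B", img))
}
```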

Law enforcement and intelligence communities do important work, and new technology has made their jobs tougher. But the answer is not lowering standards for protecting data. The right answer is to work on new approaches to identify the bad guys. Innovation, not compromised security, is the solution.


Ackerman Jr., Robert. “Why Protected Encryption Is Very Important.” 1IT Enterprise. 30 March 2016. Web.


Financial News | Goldman-backed startup aims to finally get finance into the cloud


By: Anna Irrera | Financial News | Posted: 29 March 2016


In the past few years, Goldman Sachs has been very active in making investments in young technology companies. Banks make many of these investments to learn about important areas of technology, including cloud computing.


In October Goldman Sachs joined a $45 million investment round in Silicon Valley-based cloud computing startup Bracket Computing. Investors also included Fidelity Management, Andreessen Horowitz, Allegis Partners, GE and Qualcomm.


Founded in 2011, Bracket seeks to allay security worries about cloud technology, one of the reasons why financial institutions have been slower to move to the cloud than other industries. Bracket has developed software, called the Computing Cell, that essentially wraps an additional security layer around both public and private clouds. This additional layer encrypts the data going through it and is controlled by the user.

This means that banks and other large firms can take advantage of the benefits of moving their applications to public cloud providers such as Amazon Web Services, while applying their own advanced security controls. Bracket’s technology is used by Goldman Sachs and other financial firms including the Blackstone Group.

Tom Gillis, the chief executive of Bracket, said: “You get the physical controls that Amazon and Google put in place, which are world-class because they are so big, while we put in place logical controls. That combination is very strong.”

Gillis believes Bracket’s technology will lead more businesses to use the cloud and eventually to a transformation of data centres. As more and more large companies move their applications onto public clouds operated by large technology firms, their own data centres will shrink and so will their demand for hardware, Gillis believes.

Gillis said: “This is the blueprint of how data centres will be built in the future. In the new world where the physical comes from Amazon and other large providers, implications on the wider IT industry will be profound. The landscape for anyone who sells boxes [hardware] is going to change.”


Irrera, Anna. “Goldman-backed startup aims to finally get finance into the cloud.” Financial News. 29 March 2016. Web. 30 March 2016.


RSA Conference | The Cybersecurity Act of 2015 is a Necessary Stake in the Ground

By: Robert R. Ackerman Jr. | Founder & Managing Director, Allegis Capital


The Cybersecurity Act of 2015 is approaching its three-month birthday, but you can be excused if you’re oblivious to that. After all, many people probably don’t know it even exists. Very quietly, the law—the first major piece of Congressional cybersecurity legislation, one designed to address the explosive growth of successful cyberattacks—was signed into law in mid-December 2015 by President Obama.

The act didn’t attract much attention because it was embedded in a $1.1 trillion omnibus spending bill to fund the government. The dim spotlight aside, what is the verdict on this historic legislation—a compromise bill based on competing cybersecurity information sharing bills that passed the House and Senate earlier in 2015?

It has some strengths and some weaknesses. Overall, what can be said is that it has insufficient teeth but nonetheless is a good starting point in getting the government involved in the global cybersecurity war—and yes, it is a war. The good guys need all the help they can get against the bad guys. The cost of global cyber espionage has soared to about $500 billion annually, and when you add in the cost of stolen intellectual property, it tops $1 trillion annually. Unfortunately, the bad guys are winning.

Bear in mind that this act is a product of Washington, and so, of course, it is a patchwork of compromise. The victory is modest and lies mostly in the passage itself. The day that occurred—December 18—even President Obama conceded “I’m not wild about everything in it . . .”

As a venture capitalist, I would like to see this legislation become the first step toward a broader and more sophisticated cybersecurity sharing network. That’s because I want the startups I back to push the cybersecurity envelope—and to correctly anticipate the future course of attacks—as much as possible. An improved sharing network would help achieve that goal because a better job could be done protecting against many standard attacks, allowing young cybersecurity companies to focus more on chronically evolving state-of-the-art attacks.

The legislation calls on businesses, government agencies and other organizations to share information about cybersecurity threats with each other. The belief is that, overall, this will help them prepare themselves better to identify and defend against cyber attackers. The Department of Homeland Security is the ringleader and can share the information with other government agencies and companies. It isn’t clear how this information will be shared, however, and, with the notable exception of IBM, some technology companies have said they will not participate because they don’t think there is sufficient consumer identity protection. This is a reasonable concern given the government’s own challenges in protecting sensitive data. The provisions of the law are voluntary.

People can debate the latter point endlessly and reach no clear-cut conclusion. What is much more significant, in fact, is that this legislation is behind the times.

By itself, sharing information about new types of malware, suspicious network activity and other indicators of cyber attacks won’t thwart much cybercrime. Given that the vast majority of cyber attacks are focused on data, what is really needed is the implementation of encryption to secure that data. Also crucial, eventually, is diligence in patching outdated software. These steps can go a long way in making systems less vulnerable and lay the foundation for innovation focused on hardening next-generation IT infrastructure against cyberattacks.

As things stand today, even the sponsors of the legislation admit that the new law would not have helped against the highly destructive, allegedly North Korean-orchestrated attack against Sony Pictures Entertainment in 2014. Why? That attack, like many today, was not based on previously known computer viruses or other malicious tools that companies and the government could warn each other about.

Similarly, this law would not have fended off the theft of millions of personnel records from the U.S. Office of Personnel Management. In that case, the government failed to install sufficient cybersecurity protection in the first place. Poor computer hygiene, in fact, is rampant.

Businesses are encouraged to share more information about cyberattacks because the law minimizes the threat of private lawsuits, such as suits over violations of electronic privacy protections. In addition, companies are generally required to strip personal information about customers out of the shared data so that the government cannot amass records on individual behavior. The government is also required to ensure that all personal information, such as customer records, has been scrubbed.

While the law in its current form is lacking, it isn’t altogether ineffective. Take, for example, lower-level cyber-attacks. The notion of companies and governments sharing data about the “signatures” of cybersecurity thieves is worthwhile. This is the digital trail that shows where the attackers came from and what their code looks like. Given that most cyber-attacks are lower-caliber attacks assembled from non-proprietary code or programs and from off-the-shelf components on the black market, how can this not be helpful?

We have to start somewhere to begin improving U.S. cyber defenses. Washington, despite its foibles, has managed to do that. I prefer to look at this ultimately as something good, not bad, and that a stake has been put in the ground in the nation’s capital to step up the U.S. counter-attack against cyber intruders.

Robert Ackerman Jr. is founder and managing director of Allegis Capital, a Palo Alto-based early stage venture capital firm specializing in cybersecurity. Some of Allegis Capital’s cybersecurity investments include Shape Security, vArmour, and Red Owl.


Ackerman Jr., Robert. “The Cybersecurity Act of 2015 is a Necessary Stake in the Ground.” RSA Conference. 18 March 2016. Web.


WSJ | Under Pressure, Cybersecurity Market Is Ripe for M&A in 2016


Cybersecurity, in recent years among the strongest segments of the tech sector, now is feeling the effects of the downturn.

Over the last two years, investors have poured capital into private security companies. Twelve security companies have raised more than $100 million each from venture capitalists, according to Dow Jones VentureSource. It’s fitting that the industry’s largest annual conference, which started Monday in San Francisco, is held just two blocks from the former sand dunes where Gold Rush-era prospectors encamped in an area known as Happy Valley.

At the RSA Conference this year, the mood may not be quite as happy. Along with the broader tech market, the cybersecurity sector has cooled. One basket of cybersecurity stocks, an exchange traded fund called HACK that trades like a stock, is down more than 30% since June 2015, compared to an 11% decline in the NASDAQ composite index during the same period. Private companies have put IPO plans on the back burner. Instead, many venture capitalists and investment bankers expect 2016 to be a year of mergers and acquisitions for some companies. For other companies it will be the death knell, say experts.

“Two months ago, I would have said we were 18 months away from going public but now, with the market the way it is, it’s more like 36 months,” said Matthew Prince, CEO of CloudFlare Inc., which raised $110 million in 2014. Still, Mr. Prince said that of all the money his company has raised, 80% is still in the bank and his company is profitable.

Last year, there were 133 security M&A deals, up from 105 in 2014, according to 451 Research’s February report on the tech outlook for 2016. Its recent survey of investment bankers showed that security is expected to have the most M&A activity this year, surpassing mobile technology for the first time in six years. International Business Machines Corp. said Monday that it will acquire Resilient Systems, which sells an incident response platform. Other large tech companies, such as Microsoft Corp., are adding security capabilities too.

Cloud security, identity management and security analytics are likely to be in demand as consolidation continues, according to 451 Research. Centrify, which helps companies manage security for employee logins internally and across a range of external cloud services, could be a target if it skips an IPO this year, according to the report.

“We’re confident that we’ll have options in respect to the future of the company – whether it be a possible IPO or being acquired by a strategic company,” said Centrify CEO Tom Kemp in an email.

Larger companies also may be interested in buying security analytics companies to fill holes in their security information and event management systems. Exabeam and Fortscale, among several potential targets cited, specialize in identifying authorized users based on their typical behavior as they use software and websites.

Exabeam did not respond to a request for comment.

“We didn’t build Fortscale to be acquired, but we certainly appreciate the increased attention, resources and brainpower that’s being brought to bear to a security space that we’ve always thought of as pivotal,” said Fortscale CEO Idan Tendler in an email.

The share price of some security companies has fallen sharply, which can make an IPO unattractive. Rapid7, for example, went public in July 2015, and its price has fallen nearly 50% to $13.73 per share as of February 26.

Rapid7 declined to comment.

“With the sheer number of new venture capitalists who have gotten into cybersecurity in the last couple years, I would predict that there’s going to be a few of those that do really great, really cool things and there’s going to be a large number of them that just fail,” said Jason Witty, chief information security officer at U.S. Bancorp. That’s because many startups are focusing on problems that are too niche.

Cybersecurity is a highly fragmented market, and many of the products are niche products that don’t talk to one another, said Brenon Daly, research director of financials at 451 Research. His company currently tracks about 1,200 security firms. “A CIO or a CISO is tasked with stitching together a number of different products and it’s inefficient,” he said. Larger enterprises typically want to buy platforms that can do more than one thing and work with other products, he added. A startup whose products don’t work with others is limiting its potential customer base and its potential for an IPO.

In 2015, worldwide spending on information security reached $75.4 billion, an increase of 4.7% over 2014, according to research firm Gartner Inc. The increased spending was driven by government programs, increased legislation and high-profile data breaches.

The market is expected to grow at a compound annual growth rate of 9.8% between 2015 and 2020, according to a report from Markets and Markets.

Last year, venture-backed cybersecurity companies raised $3.3 billion, up from $2 billion in 2014. A few of those companies scored outsized deals. In 2015, Palantir Technologies which specializes in security analytics, raised $879.3 million. Tenable Network Security raised $250 million in November.

Palantir did not respond to a request for comment.

Tenable Network Security said it benefits from offering a comprehensive security platform rather than a single product. “CIOs don’t want to work with multiple vendors, they want their security teams to work with one platform,” Ron Gula, CEO of Tenable, said in an email.

A company that raises hundreds of millions of dollars is better positioned to ride out a weak market, said Mr. Daly at 451 Research. “You have a suitable cushion to weather this storm – it is a tough market,” he added.

Over the last two years, investors who did not understand cybersecurity have jumped into the market, said Bob Ackerman, founder and managing director of Allegis Capital. Investors tend to fall back to markets they’re most comfortable with during markets like this, and the ones who don’t understand cybersecurity will flee the market, he said.

Mr. Ackerman, who has been investing in cybersecurity for 15 years, said he’s still optimistic about the sector due to projected spending increases by companies that need to counter growing threats. “I don’t think we’ll see a significant drop off in activity, but I think what we will see are investors being more selective,” he said.


King, Rachael. “Under Pressure, Cybersecurity Market Is Ripe for M&A in 2016.” Wall Street Journal. 29 February 2016. Web. 1 March 2016.
