December 2016

Cybersecurity Investors Reset, Look at Changing 2017 Landscape


Consolidation of startups is set to repeat as venture firms take on cautious stance

In 2016 venture capitalists invested $1.6 billion in cybersecurity startups, as of mid-December, according to the most recent data available from Dow Jones VentureSource. That falls well short of the $3.4 billion take for all of 2015.
That deal-making highlighted investors’ “wait and see” approach as concerns grew about the lofty valuations companies drew in 2014 and early 2015. Cybersecurity enjoyed a boom following a series of high-profile breaches, with enterprises beefing up spending on security products as legacy security providers struggled to provide innovative services.
Publicly traded security companies had a shake-up of their own. One of the leaders, Symantec Corp., acquired Blue Coat Systems in a $4.65 million deal. Intel Corp. sold the majority stake in its security business to private-equity firm TPG.
“In 2016, you had the attempted rise of the establishment to reassert itself,” said Kleiner Perkins General Partner Ted Schlein. “You saw the old guys trying to be relevant.”
Additionally, customers faced a dizzying number of startups releasing cybersecurity products. Don Dixon, a managing partner at Trident Capital, said chief security officers he speaks to want “fewer throats to choke” instead of spreading their expenses around a multitude of vendors.
“They would like to see products more integrated rather than spend a lot on systems integration,” Mr. Dixon said.
Several venture capitalists said the consolidation the industry saw in 2016 will continue into 2017, in part because of a higher number of potential acquirers.
Mature IT companies like Oracle Corp. have been active in cybersecurity for some time, but now financial acquirers like Vista Equity increasingly are raising their profile as buyers, according to Mr. Dixon. Moreover, he said industrial companies like General Electric Co. and Emerson Electric Co. are increasingly investing in “Internet of Things” software, and they could potentially become active in acquiring security startups.
Bob Ackerman, managing partner at Allegis Capital, said venture firms have grown more cautious as they learn that not all the capital has been smartly deployed.

“This stuff is really hard, and unless you know the difference, it’s easy to invest in things that are not well-differentiated,” Mr. Ackerman said.

How the industry’s later-stage companies perform in the public markets could also affect private fundraising. This year saw a dearth of cybersecurity IPOs, and investors are closely watching the likes of Okta, ForeScout and Carbon Black, all of whom have signaled they are considering public offerings in 2017.

Also looming large is how the Trump administration, as well as unforeseeable world events, may affect security trends. Venture investors said the president-elect’s muscular talk on security could translate into a boon for the industry.

“I think that you’re going to see an increase in government security spending,” said Enrique Salem, a managing director at Bain Capital Ventures. “It’s hard to imagine any way you wouldn’t, given the amount of attention it’s getting.”

But there’s a question as to how easily startups could take advantage of such government spending. Startups often have struggled to bring on federal agencies as customers because the lengthy process puts a strain on small sales teams. The Obama administration used programs such as the Pentagon’s DIUx initiative to help bridge the divide. It is unclear how the new administration will treat that issue.

Apart from federal spending on cybersecurity, investors say there are many new security concerns that startups are uniquely poised to take on. Several say they are closely watching platforms addressing new attack vectors, such as those that might affect the Internet of Things.

Others predict 2017 will be the year that automation makes significant strides in cybersecurity. Investors say they’re looking to make bets on software that could augment the limited number of security professionals, who are in high demand and command high salaries.

Mr. Ackerman said that certain companies with very differentiated approaches will succeed in 2017 as cyberthreats grow and enterprises continue to increase spending on products. However, he noted that beyond high-end financial service providers, many IT managers want security programs that are more integrated, and some companies may struggle in that new reality.

“It will be a tale of two markets,” he said.

Write to Cat Zakrzewski at cat.zakrzewski@wsj.com


Industry Needs Common Security Standards to Thwart IoT Attacks

XCONOMY | By Robert R. Ackerman Jr. | December 21, 2016

 

A silver lining has emerged in the wake of the massive and well-publicized denial-of-service attack launched less than two months ago by hackers using millions of IoT devices to cripple the websites of major companies like Amazon, Netflix and Twitter. This ambush has triggered a redoubling of efforts to focus on the need for industry-led cybersecurity standards for IoT devices.

Even some in Washington, such as U.S. Senator Mark Warner, favor an industry-based approach before seeking some sort of government IoT security standards implementation. Security-minded business coalitions are stepping up activity in this area — and the more, the merrier.

After all, it isn’t clear in the United States who is supposed to be protecting the Internet. Most IoT (Internet of Things) devices have been hooked up to the Web in recent years with little concern for security, with weak password protection or none at all. There is no formal watchdog — not the government, nor for that matter, anyone else.

Instead, every organization is responsible for defending its own tiny piece of the Internet landscape. Companies and social media hubs are supposed to invest in protecting their websites and often do, but that doesn’t accomplish much if the connections among them are severed, as was the case in the October attack.

There is no way to know for sure if an industry-based IoT unified security approach will work. But it is certainly worth a shot. We know that the highly fluid nature of cyber threats nearly guarantees that government’s traditional approach to regulation (fixed and inflexible) is almost certainly doomed to failure. I believe that the Trump administration must envision and enact a concerted initiative to ensure that America is “cyber secure”—but in a broad sense, leaving the specific details to industry players. Industry participants and their suppliers should assume the actual responsibility for stitching together best practices by which to meet government mandates. Ultimately, they are in the best position to combat evolving threats.

The dearth of effective IoT security is no secret. A survey of 220 information security professionals who attended the Black Hat USA conference this year found that 78 percent are concerned about the weaponization of IoT devices for use in distributed denial-of-service attacks. Similarly, a survey by Tripwire, a digital security firm, found that only 30 percent of the organizations polled are prepared for security risks associated with IoT devices.

It makes sense for the business community to take the first swipe at resolving the IoT security issue. Some experts suggest some basic security safeguards that manufacturers should provide, such as a unique user name and password for each IoT device. Even more folks are talking about some sort of up-to-date industry “seal of approval” or comparative ratings system regarding the security readiness of IoT devices. The private sector also would do well to try to tap into the expertise of the U.S. intelligence and defense communities, which are rumored to have developed expertise in IoT security.

Separately, collaboration between industry experts and standards groups is already robust. The National Institute of Standards and Technology has a Communications Technology Laboratory examining security in the context of IoT and 5G networks. Other groups, such as the International Standards Organization, Underwriters Laboratory, ATIS, IEEE and the 3rd Generation Partnership Project are collaboratively working on similar issues.

At the same time, at least two industry groups — the Online Trust Alliance and a separate coalition of security firms, including Symantec and ARM Security Systems — have also stepped up to the plate to improve IoT security. The security firm coalition has developed the Open Trust Protocol to provide secure architecture and code management to protect connected devices. The OTP’s architecture uses technologies deployed in banking and for handling sensitive data on smartphones and tablets. It’s designed to work with security software to protect IoT and mobile devices from malicious attacks.

Meanwhile, the Online Trust Alliance, a non-profit with the mission to enhance online trust, has established the OTA Trust IoT Framework as the first global, multi-stakeholder effort to address IoT risks comprehensively. It includes a baseline of 31 measurable principles that device manufacturers and developers should follow to help maximize the security of devices and data collected for smart homes and wearable technologies.

What these consortiums know all too well is that a specific IoT device may not be the actual target of an attack. That device, however, might be highly attractive as a gateway to the network to which it is connected—the real targets being the valuable enterprise assets on that network.

This problem, I should add, isn’t limited to the enterprise. It can also impact home security.

Consider, for example, a smart home equipped with a garage door opener with the added ability to deactivate the home alarm upon entry. This is good for a homeowner entering his home in a hurry. The catch is that now the entire alarm system could potentially be deactivated when only the garage door opener is compromised.

The broad array of Web-connected home devices — including TVs, home thermostats, door locks and home alarms — creates myriad connection points for hackers to gain entry into IoT residential ecosystems.

While companies and industries unite to correct such shortcomings in the home and in the enterprise, individual corporate CIOs, in particular, must push to address the challenges associated with IoT security.

The most important interim step is for CIOs to create a strong governance framework for IoT devices to meet corporate security standards. Such devices, just like any other touch points, must fit within an organization’s security strategy as a whole to prevent data leakages and other privacy breaches. Proactive planning of network and infrastructure upgrades is essential to enable proactive defense.

Having taken meaningful steps already, hopefully the private sector will work toward a viable, agreed-upon solution to the current IoT security nightmare. I, for one, am confident this will happen, albeit with a time lag. Despite some shortcomings, cybersecurity overall has made substantial progress in recent years. It’s time that IoT joined the club.

Article found here: xconomy.com


Signifyd and ThreatMetrix® Combine Machine Learning and Digital Identities to Eliminate Online Payment Fraud

SAN JOSE, Calif. – Signifyd, a leading ecommerce fraud prevention company, and ThreatMetrix®, The Digital Identity Company®, announced today that they will combine efforts to eliminate online fraud for their customers. The partnership enables ecommerce merchants to remove the liability for fraud by leveraging the power of the ThreatMetrix Digital Identity Network® through Signifyd’s Guaranteed Payments solution.

Signifyd’s VP of Partnerships, Skye Spear, summarizes what the partnership means for ecommerce merchants: “ThreatMetrix provides global shared intelligence on more than a billion digital identities. The ThreatMetrix Digital Identity Network provides additional insights for Signifyd’s machine learning capabilities enabling us to authenticate orders from customers who may have previously been denied. We’re able to incorporate additional data in real-time to identify and mitigate sophisticated fraud scenarios across one or more of our customers emulating multiple buying identities. Our goal is to increase decision confidence for online merchants through a managed service that’s backed by a financial guarantee.”

Through the partnership, Signifyd will leverage the ThreatMetrix Digital Identity Network to further enhance Signifyd’s Guaranteed Payments, which provide a 100% financial guarantee against fraud on every approved order. This new intelligence and subsequent guarantee allow merchants to accept more orders without the risk of chargebacks, as the liability for fraud losses is shifted to Signifyd. Guaranteed Payments are ideal for fast-growing businesses, merchants in fraud-prone industries and those looking to expand overseas or in new markets and segments previously considered too risky.

“As online fraud evolves at an ever-increasing pace, merchants need new ways to mitigate risk. Signifyd’s use of the ThreatMetrix Digital Identity Network in its Guaranteed Payments solution allows merchants to aggressively grow their business and accept more legitimate customers without risk,” commented Leah Evanski, ThreatMetrix VP Strategic Alliances.

Signifyd and ThreatMetrix together provide a winning alternative to merchants using restrictive platforms that decline legitimate orders, delay shipments and are unable to eliminate chargebacks. Even other fraud prevention platforms with machine learning lack the closed loop for data feedback that Signifyd and ThreatMetrix provide with Guaranteed Payments and the Digital Identity Network. This partnership allows Signifyd and ThreatMetrix to leverage extensive fraud data and expertise to stop subsequent attempts at fraud, regardless of merchant size, industry or value of transaction. With more data and complete transparency, Signifyd and ThreatMetrix can significantly reduce financial losses from fraud for merchants.

About Signifyd

Signifyd was founded on the belief that e-commerce businesses should be able to grow without fear of fraud. Signifyd solves the challenges that growing e-commerce businesses persistently face: billions of dollars lost in chargebacks, customer dissatisfaction from mistaken declines, and operational costs due to tedious, manual transaction investigation. Signifyd Guaranteed Payments protect online retailers against fraud and chargebacks with a 100% financial guarantee against fraud for every approved order. Signifyd’s full-service machine-learning engine automates fraud prevention allowing businesses to increase sales and open new markets while reducing risk. Signifyd is in use by multiple companies on the Fortune 1000 and Internet Retailer Top 500 list. Signifyd was recognized as one of the 50 most innovative Fintech companies of 2016 by Forbes and is headquartered in San Jose, CA. For more information, please visit www.signifyd.com.

About ThreatMetrix

ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches. Key benefits include an improved customer experience, reduced friction, revenue gain and lower fraud and operational costs. The ThreatMetrix solution is deployed across a variety of industries, including financial services, ecommerce, payments and lending, media, government and insurance. ThreatMetrix is headquartered in San Jose, CA. For more information, please visit www.threatmetrix.com.


Find article here businesswire.com


Building a New Cybersecurity Startup Platform: DataTribe

National Venture Capital Association | By Robert R. Ackerman Jr.

 

If you want to get a sense of the size and significance of the U.S. cybersecurity ecosystem in one location, a must-visit is the National Business Park at Fort Meade in Maryland. It is highly impressive and may someday serve as a stellar example of an effective new way to participate in the startup ecosystem and its venture capital brethren.

Fort Meade has been transformed from an Army base into a sprawling cyber city. Thirteen years ago, the young park had 10 buildings. Today, the square footage of the 28-building complex is roughly half the size of the Pentagon, and it is completely full. Tenants include the National Security Agency, the U.S. Cyber Command, the Defense Information Systems Agency and the cybersecurity businesses of Boeing and General Dynamics, among others.

This represents a snapshot of the breadth of the U.S. cybersecurity industry today, albeit only one relatively small piece because the private sector has come to dwarf the size of the government sector. In 2004, the global cybersecurity market was $3.5 billion. This year, it’s expected to exceed $122 billion, according to Research and Markets, which also projects that it will exceed $202 billion by 2021. Cybersecurity has become by far the fastest-growing sector of information technology. The growth of the sector is also apparent from the recent increase in cybersecurity acquisitions.

The venture capital ecosystem has responded accordingly and, along the way, has had to develop its own cyber experts internally to separate the wheat from the chaff among cybersecurity startups – a world immersed in the domain of deep science and advanced engineering and one in which expertise is essential. VCs also have to approach potential cybersecurity startup investments gingerly because too many “me-too” companies are being funded by a venture community eager to participate in one of the hottest sectors of IT innovation.

Nonetheless, the cybersecurity investment picture remains very bright. Last year, VCs invested $3.2 billion in 219 cyber startups, more than double the total funding in 2012, according to CB Insights. Last year, five of the seven (seven confirmed, nine rumored) private cybersecurity unicorns reached their required $1 billion valuations. This year, while cooling a bit, cybersecurity VC funding remains vibrant.  As the founder of Allegis Capital, a Silicon Valley early-stage cybersecurity venture firm, it’s no surprise that I enjoy the proliferation of cyber startups in the Valley. At the same time, the cyber expertise around Fort Meade has always been impressive and so I’ve invested in Maryland-based cyber startups over the years. To put things in context, Maryland has more than three times as many cyber engineers as the rest of the country combined, and many work at the cutting edge, out of the necessity that comes with national defense imperatives.

Despite this wealth of engineering and technical expertise, start-up success in the Washington D.C. Beltway has faced a series of obstacles. No startup succeeds solely on the strength of its technological prowess. Also essential to success is entrepreneurial experience, startup “know how” and a broad cross section of commercial skills, contacts and customer and partner relationships. In other words, the cyber community around the Washington Beltway has needed a mini Silicon Valley ecosystem and the Silicon Valley “playbook”.

That’s why DataTribe was created—to merge the cyber security innovation of Maryland with the startup building expertise and resources of Silicon Valley. DataTribe is a cybersecurity startup platform – a crucible in which to forge start-ups – co-based in Fulton, Md., and Silicon Valley – and one dedicated to leveraging the expertise created from working with the most advanced information technologies forged by the NSA and related institutions, as well as national laboratories.

DataTribe focuses on those areas of innovation in which government labs, out of necessity, have been innovating in cybersecurity, data and analytics well in advance of the commercial market. DataTribe’s business model is unique, partly because it is an operating company, not a venture firm, although it can provide startups with up to $1.5 million in seed capital (with follow-on participation in subsequent rounds).  It’s also unique in that DataTribe itself creates the concept for each startup and co-founds each company with a team of technologists with deep, relevant technical expertise and experience. These are teams that have “been there and done that” in production environments.  Supporting these efforts on a daily basis is an operating team of highly experienced, dedicated executives with decades of successful start-up experience in Silicon Valley and Boston.

DataTribe will co-found and launch three start-ups a year. The first three startups came on board in this inaugural year and are already gaining market traction…

Dragos — recently named one of Cybersecurity Ventures’ “Cybersecurity 500” top companies — was the first of the startups. It specializes in network mapping, detection and remediation of cybersecurity problems in industrial control systems. The second, Enveil, is developing the first commercial solution for end-to-end lifecycle encryption, including data-in-use (homomorphic encryption based Cloud Security). The third company, Kesala, is developing lightweight solutions for low-cost and ad hoc secure virtual private networks as well as cloud-based security monitoring of large-scale traffic.

The cybersecurity market is large, rapidly growing and driven by non-stop innovation. It is enormously complex at every level – within its individual components, in its connection to complex networks and in its relationship to data in all its forms and flows. You simply can’t learn fast enough from a standing start.

DataTribe is bringing the Silicon Valley playbook to the nation’s center of innovation excellence in cyber-related domains to forge a new generation of cyber security startups.  In time and with success, we expect to see the emergence of a self-sustaining cybersecurity startup ecosystem, fueled by an unusually deep reservoir of relevant U.S. technical talent. In a broader sense, this is how Silicon Valley started, and there is no reason why a smaller, more concentrated version can’t take root on the other side of the country.

Robert R. Ackerman Jr. is founder and managing director of Allegis Capital, a Palo Alto, Calif.-based early stage venture capital firm specializing in cybersecurity.  Ackerman is a co-founder of DataTribe and Allegis Capital is a strategic partner.

Article found here: nvcaconnection

 
