Author: AllegisCap

CyberGRX Closes $20M Series B Funding to Accelerate Growth of World’s First Third-Party Cyber Risk Exchange


Bessemer Venture Partners Leads Series B Round with Participation from Existing Investors; Funding Comes on Heels of Launch of CyberGRX Exchange


Business Wire | April 18, 2017 | 8am ET


DENVER – April 18, 2017 – CyberGRX, the provider of the most comprehensive third-party cyber risk management platform, today announced that it has raised $20 million in Series B funding led by Bessemer Venture Partners (BVP). CyberGRX’s existing investors also participated in the round, including Aetna Ventures, Allegis Capital, ClearSky, GV (formerly Google Ventures), MassMutual Ventures, Rally Ventures, TenEleven Ventures and several other strategic investors. CyberGRX will use the funding to accelerate adoption of the CyberGRX Exchange, the world’s first global third-party cyber risk management (TPCRM) exchange.

As enterprises’ digital ecosystems grow and become increasingly interconnected, the volume and complexity of security and resiliency risks from third parties, including contractors, vendors, partners and customers, only grows. According to PwC’s 2016 Global State of Information Security report, third-party contractors are the biggest source of security incidents outside of a company’s employees. At the same time, the third-party cyber risk management process is largely driven by sharing spreadsheets and trusting unvalidated assessments. Built in partnership with the chief security and risk officers from some of the world’s largest companies, including Aetna, ADP and MassMutual, the CyberGRX Exchange brings massive efficiency to this process while providing boardroom-level information about real-time cyber risk exposure across an enterprise’s entire ecosystem of third parties.

“For an enterprise today, managing cyber risk requires visibility into the extended network of vendors who store information about us,” said David Cowan, the BVP partner joining CyberGRX’s board of directors. “The CISOs we surveyed overwhelmingly look to CyberGRX to help them identify, assess and remediate cyber risks in their extended networks.”

Launched in March 2017, the CyberGRX Exchange is designed to make it simple and cost effective for enterprises to get up-to-date, comprehensive, one-click access to their third parties’ cyber risk assessments. It is purpose-built to transform companies’ third-party cyber risk management processes from a compliance-based to a risk management-based approach. For third parties, the CyberGRX Exchange is designed to make it easy to complete one updated cyber risk assessment and share it with their many upstream partners. The CyberGRX Exchange delivers standardized assessments, actionable analytics, remediation management and real-time threat intelligence updates to enterprises and their third parties, enabling them to mitigate risk, reduce costs and manage process complexity.

“There’s a simple question at the heart of third-party cyber risk: which vendors, partners, suppliers or contractors pose the biggest threat to my organization?” said Fred Kneip, CyberGRX CEO. “The answer isn’t usually as simple because it’s constantly changing. We’ve developed the world’s first and only global third-party cyber risk exchange, which will continuously answer that question and provide actionable recommendations and the tools for companies to effectively manage that risk. This capital from Bessemer Venture Partners and our existing investors will help us scale the business around the CyberGRX Exchange to meet growing demand from enterprises and third parties who’ve grown tired of the status quo. The relationships we have with key investors, customers and design partners put CyberGRX in the pole position to be the new industry standard for third-party cyber risk management.”

Founded by former CISOs and risk officers and backed by world-class investors, CyberGRX partners with some of the most trusted names and brands in cybersecurity. With this investment, David Cowan joins the CyberGRX board of directors. Also forming part of the board are: Bob Ackerman, founder and managing director at Allegis Capital; Jay Leek, managing director at ClearSky; Mark Hatfield, founder and general partner at TenEleven Ventures; Stuart McClure, CEO at Cylance; and Fred Kneip, CEO at CyberGRX.

For more information on CyberGRX or to join the CyberGRX Exchange, please visit https://www.cybergrx.com/.

About CyberGRX

CyberGRX provides the most comprehensive third-party cyber risk management platform to cost-effectively identify, assess, mitigate and monitor an enterprise’s risk exposure across its entire partner ecosystem. Through automation and advanced analytics, the CyberGRX solution enables enterprises to collaboratively mitigate threats presented from their increasing interdependency on vendors, partners and customers. Based in Denver, CO, CyberGRX is backed by Allegis Capital, Bessemer Venture Partners, Blackstone, ClearSky, GV (formerly Google Ventures), MassMutual Ventures, Rally Ventures, TenEleven Ventures and several other strategic investors. For more information, visit www.cybergrx.com or follow @CyberGRX1 on Twitter.


Contact:


Ted Weismann

fama PR for CyberGRX

(617) 986-5009

CyberGRX@famapr.com


Security startup Synack scores $21M investment from Microsoft, HPE and Singtel


Synack, a startup that combines software security tools with a network of white-hat hackers to help keep its customers secure, announced a $21.25 million Series C funding round today.


The round was led by Microsoft Ventures with participation from Hewlett Packard Enterprise and Singtel Innov8. Previous investors GGV Capital, GV (formerly Google Ventures) and Kleiner Perkins Caufield & Byers also participated. Today’s investment brings the total raised to $55 million, according to the company.

It’s hard not to notice that this is an impressive combination of corporate and traditional venture capital attention.

Perhaps that’s because Synack takes an unusual approach to enterprise security, going on offense instead of defense, according to company CTO Mark Kuhr. He and his co-founder CEO Jay Kaplan might know a thing or two about going on offense, having previously worked for the NSA before starting Synack in 2013.

Kuhr says they decided to start the company when they saw the defensive tactics companies were using simply weren’t working — as Sony, JP Morgan Chase, OPM, Ashley Madison, Adobe, Target and many others can attest.

“Jay Kaplan and I left the NSA to come up with a different way for offensive security for the enterprise. We noticed at NSA that hackers were coming through all the defenses, taking data and putting malware on the systems,” he said.

Kuhr says his company uses a three-pronged strategy to help protect systems and IP: command, control and action. “We couple the human element with machines. It’s a man and machine story. We bring in people when we need to,” he said.

In fact, the command piece starts with a community of several hundred white-hat hackers from around the world whom the company has vetted to be sure they are ethical and pass a background check.

The control piece is their penetration testing service, which looks for vulnerabilities in an automated way. The action is the plan they come up with to help protect the system once they find a problem. For instance, if they find an open back door in the code, they would recommend that the client close it up.


Kuhr says it’s similar to the strategy they employed at the NSA where they went on offense, getting in the shoes of the adversary and trying to understand what they were doing. But he understands that most private companies don’t have access to the talent they had at the NSA. That’s why they are trying to package that kind of support and protection as a service.

They work on a flat-fee subscription model, running the automated systems and bringing in a team of expert hackers when necessary to root out vulnerabilities. While the friendly hacker approach sounds a lot like the HackerOne strategy, Kuhr says the difference is that HackerOne uses an open model and his company a private one.

The company has around 100 employees plus the network of hackers. That will probably increase this year with the new funding as they look to expand into new markets in Europe and Asia. Currently, they have 100 customers mostly in the enterprise. Kuhr says company revenue has been doubling every year and today’s investment is about keeping that momentum going.

Find more here: www.techcrunch.com


China-Based Threat Actor APT10 Ramps Up Cyber Espionage Activity


Customers of managed security service providers, website of U.S. trade lobby group targeted in separate campaigns
Dark Reading | Jai Vijayan | April 6, 2017

An unknown number of managed service providers and their customers are victims of a massive, global cyber espionage campaign by a China-based threat actor that this week was also fingered in another attack against a U.S. group involved in lobbying around foreign trade policy.

News of the campaigns coincides with Chinese President Xi Jinping’s first official visit to the U.S. to meet with President Trump. It suggests that cyber-enabled espionage out of China continues to be an issue, despite a September 2015 agreement between the U.S. and Chinese governments not to support or engage in such activities.

“Even as IP-focused cyber-espionage has reduced since the Xi Jinping-Obama agreement, big business will continue to be targeted, if nothing else than for the influence they hold over governments,” warns Hardik Modi, vice president of threat research at Fidelis Cybersecurity.

Fidelis was one of the organizations that this week disclosed new cyber espionage activity by APT10, a well-known China-based advanced threat group that is also known as Stone Panda. The other warning about the APT10 group’s resurgent activity, after a period of relative quiet, came from PwC UK and BAE Systems.

‘TradeSecret’ campaign against National Foreign Trade Council

The Fidelis report involves “TradeSecret,” the company’s name for a targeted and strategic campaign directed at the website of the National Foreign Trade Council (NFTC), a trade lobby group representing some of America’s largest companies.

According to Fidelis, its security researchers in February discovered a reconnaissance tool called “Scanbox,” previously associated with China government-sponsored threat actors, embedded on specific pages of the NFTC site. Among the infected pages were those that NFTC board members used to register for meetings.

The malware was configured to infect the systems of anyone who visited the pages and to collect credential and session information, as well as system-level data that could later be used in phishing attacks or for exploiting specific vulnerabilities. It’s unclear how the APT10 group initially breached the site in order to embed Scanbox on it.

“Scanbox is a robust framework that can include a variety of reconnaissance modules,” Modi says. It can, for instance, be used to determine the software running on a target system, the type and version of antivirus on it, and other details. “In some instances, it has been known to serve up a JavaScript keylogger that can be used to grab credentials that the target enters on the page,” he says.

NFTC members have been major contributors to the dialogue around the new U.S. trade policy framework being developed by the Trump Administration. It is highly likely the APT10 group will use data that Scanbox collected to craft targeted attacks against them.

‘Cloud Hopper’ campaign against MSPs

Meanwhile, in a separate advisory, PwC and BAE Systems warned about a systematic and widespread APT10 campaign they have dubbed “Cloud Hopper” to steal data from an unknown, but most likely large, number of organizations.

What makes the campaign scary and highly scalable, according to the two organizations, is the APT10 group’s tactic to target companies via their managed service providers, rather than directly.


Multiple MSPs have been hit since late 2016 and their infrastructure has been used to gain access to the networks of their customers. Typical attacks have involved APT10 gaining access to an MSP network, looking for customers that match its interests, and then breaking into their networks using the MSP’s legitimate access.

The China-based group has then been extracting data from the victim’s network, putting the data into compressed files, sending it back to the MSP network and from there to servers controlled by APT10.

The investigations by BAE and PwC show that the campaign is focused on extracting intellectual property and other sensitive data from organizations. “APT10 is known to have exfiltrated a high volume of data from multiple victims, exploiting compromised MSP networks, and those of their customers, to stealthily move this data around the world,” the two companies said in their report.

The Cloud Hopper campaign is a classic example of the evolution of third-party cyber risk, says Fred Kneip, CEO, CyberGRX. It takes advantage of the implicit trust that many organizations place in their cloud service providers and other third parties that they do business with.

“Although attacks via third parties are the second biggest source of security incidents, most organizations do not have a consistent process to help them understand which partners pose the most risk to their organization,” Kneip says. Organizations need to truly understand their residual risk from each third party, and perform their own validation of key controls as opposed to relying on self-assessments, he says.

“Customers need to ask relevant questions of their provider as to how they achieve customer segmentation and segregation,” advises Jim Reavis, executive director of the Cloud Security Alliance. “Customers also need to understand their own responsibilities and in many cases it is their job to add data protection controls like encryption or to use the provider’s logging capabilities to monitor access to their own cloud instances.”

Meanwhile, campaigns such as Cloud Hopper also highlight the need for cloud service providers to perform segmentation at multiple levels, including networks, users, applications and data, to mitigate the fallout from a data breach, Reavis says. “No company can prevent all breaches, but systems should be designed so that a single breach impacts a maximum of one customer.”

John Pescatore, director of emerging threats at the SANS Institute, said that attacks targeting cloud service providers are nothing new. Edward Snowden’s leaks showed the U.S. government was targeting IT service providers as far back as 2013. And attacks on Google and others in subsequent years have shown that Chinese threat actors have been doing the same for some time now, he says.

“The bigger suppliers are pretty good at protecting themselves, but they are rarely the low cost providers,” Pescatore says. “All too often obtaining [specific security] certifications is all the lower cost providers have to show in order to win competitions,” he says. “There has been talk in the IT service provider industry association of raising the bar, like has been done in the UK, but not much movement forward.”


Is this the new normal? Bay Area startup fundings hit 6-year low in Q1


Silicon Valley Business Journal | Cromwell Schubarth | April 5, 2017


Venture industry leaders say their world continued to “normalize” in the first quarter of this year as the gap between the haves and have-nots of the startup world widened.

But the kind of normal reported Wednesday by PitchBook Data and the National Venture Capital Association might not seem like a great thing to a lot of founders.

Funding deals in the Bay Area in the first three months of this year dropped to their lowest level since the end of 2010, PitchBook and the NVCA said.

That is a little more than six years ago, when many of today’s “unicorns” like Uber, Airbnb and Palantir Technologies had yet to raise a round at a private valuation of $1 billion or more. In fact, 15 of the 50 Bay Area venture-backed companies valued at the unicorn level today were founded in 2010 or later.

There were 386 deals done in the Silicon Valley and San Francisco regions between January and March, a drop of 28 percent from a year ago. That’s down by about 31 percent from the number of fundings done in the recent peak quarter of Q1 in 2015.

The $6.7 billion invested, however, remains in the $5 billion to $10 billion range it has hovered around since early in 2014. That’s not counting the outlier second quarter of last year when local companies raised more than $12.3 billion, fueled largely by a mega-funding of Uber.

“It’s harder for things to get funded and the bar is higher than it was a little while ago,” Bob Ackerman of Allegis Capital said in an interview. “In parallel to that there is a flight to quality. Larger checks are going into those companies where there is a proven use case and demonstrated traction.”

Bobby Franklin, CEO of the venture association, said VCs have plenty to invest. After raising a 10-year high of $41 billion in new capital last year, there was another $7.9 billion raised in the first quarter.

“The deceleration of investment activity that we experienced at the end of 2016 continued in the first quarter, signifying that we are in fact returning to a more rational level of investment activity more in line with the annual growth rate of the industry over the last ten years,” Franklin said in the report.

“After seeing large pools of capital raised in recent quarters, venture investors will continue to have dry powder to deploy to the entrepreneurial ecosystem, albeit with a more disciplined approach,” he said. “Combined with a positive outlook for a strengthening IPO environment for venture-backed companies, there is much to be optimistic about in 2017.”

There were 47 exits by IPO or M&A in the Bay Area in the first quarter, led by the $3.7 billion IPO-eve acquisition of San Francisco-based AppDynamics by Cisco Systems. That’s down two from the fourth quarter of last year and is the lowest number recorded since the banking crisis years of 2008 and 2009.

The PitchBook report, however, sees promising signs of more exits in the future.

“The lack of available late-stage funding coupled with the initial success of the Snap and MuleSoft IPOs could result in more venture-backed companies following suit,” it said.

MuleSoft was the first Bay Area tech IPO in about six months when it went public last month. Its stock has remained up around 40 percent since. Another San Francisco company, Okta, is expected to make its Wall Street debut on Friday as the region’s second IPO for 2017.

Allegis Capital’s Ackerman agrees that more companies are likely to follow them this year.

“You look at the public markets today and you have to think they are pretty fully valued,” he said. “What tends to happen when you have a more mature public market is investors start looking for growth and that tends to favor the IPO market.”

Find Article Here: www.bizjournals.com


Bridging the gap between government and Silicon Valley


DataTribe pairs up, invests in experts from public, private industry


Third Certainty | Rebecca Theim | April 3, 2017


If you know where to look, there is a rich vein of venture capital looking to back innovative cybersecurity technologies.

One hot spot is the “Cyber Corridor” around Washington, D.C., where venture capitalists are looking to combine Silicon Valley startup know-how with cybersecurity advances coming out of the country’s military industrial complex.

Bob Ackerman, Allegis Capital founder and DataTribe co-founder

“When you hear the term ‘government innovation,’ it sounds like an oxymoron, except when you’re talking about cybersecurity capabilities and data analytics,” says Bob Ackerman, founder of Allegis Capital. “In those arenas, government is five to seven years ahead of private industry.”

Allegis is a backer of DataTribe, which seeks out government experts with special security know-how and pairs them with mentors from the defense and intelligence communities, as well as from the world of Silicon Valley’s venture capitalists.

Finding a niche

Rather than taking the shotgun approach of traditional start-up incubators, Ackerman said DataTribe looks “down the road and anticipates market needs and identifies where appropriate and relevant technology has been developed. We’ve created a watering hole for the deep technology thinkers.”

Ackerman co-founded DataTribe with former CIA information technology officer Steve Witt, founder and former CEO of Onyara, a data analytics firm that was acquired by Hortonworks in 2015, and Mike Janke, a former Navy SEAL and founder and former CEO of secure communications service Silent Circle.

DataTribe will invest between $1 million and $1.5 million in seed money and another $600,000 in operating support in the startups it backs, and up to an additional $1.5 million in later-stage, Series A funding. The average seed round capital is usually about $225,000, and a Silicon Valley investment is, on average, about $1 million, Ackerman says.

DataTribe’s portfolio includes:

Dragos, which was created by three former U.S. intelligence analysts to develop software to protect critical, privately owned infrastructure, such as the electric grid. Dragos’ CEO was part of the response team to the 2016 attack on Ukraine’s power centers—the first confirmed hack to disable a power grid.

Enveil, which uses homomorphic encryption that allows the processing of data without ever decrypting it. It was the runner-up among the 10 companies that presented at RSA’s 2017 Innovation Sandbox in February. Enveil was launched by a team of doctorate-level mathematicians and computer scientists from the U.S. intelligence community.

Kesala, which draws on recent U.S. intelligence community advancements to provide VPN-level security through its cloud security and data analytics software.

“There’s some really great stuff in government labs, but there’s no commercial infrastructure around it,” Ackerman says. “If we can find a way to bridge government innovation with Silicon Valley, we have a business.”

Another player active in the Cyber Corridor is MACH37, a Herndon, Virginia-based cybersecurity accelerator.

Trial by fire

Twice annually, MACH37 competitively selects eight start-ups willing to participate in an intense 14-week program in which founders are mentored and coached into creating a sustainable company. They interact with domain experts, successful security entrepreneurs, buyers and cybersecurity investors.

The start-ups also receive a $50,000 investment and access to mentors throughout the life of their companies.

Rick Gordon, MACH37 managing partner

“We help them define what the minimum viable product needs to be, and what the backlog needs to be,” says MACH37 managing partner Rick Gordon. This is done before the focus shifts to the business model, pricing, go-to-market strategy, and developing a compelling proposition for seed investors.

MACH37 has graduated 40 start-ups in its three-year existence.

These start-ups include:

Virgil Security, which develops cryptographic software for developers. It raised $4 million in October, led by KEC Ventures, founded by Jeff Citron, founder of internet telephony company Vonage and other technology companies.

Atomicorp, a cloud-based server security software developer, which has 2,000 customers in sectors including universities, consumer products, medical devices and the U.S. government. It raised $1 million in seed funding late last year, led by Washington, D.C.-based VC Blu Ventures.

Cyber Algorithms, which develops behavioral analytics that dramatically reduce how long it takes to detect cyber attacks. It was acquired in December by enterprise password management provider Thycotic, whose 7,500-client roster includes Chevron, Gap, Deloitte and Adobe.

Both DataTribe and MACH37 are working diligently to overcome geographic and cultural hurdles that tend to separate the rigid world of government contracting from the fast-moving technology industry.

“There’s this incredible disconnect between this intellectual capital base and the people who know how to scale a commercial software business,” Gordon says. “We still have to work very hard to get institutional venture capital to invest. You have to be involved, and it’s not easy to do from Palo Alto.”

Find article here: www.thirdcertainty.com


RSA Conference | Cybersecurity Jobs Go Begging


By Robert R. Ackerman Jr. | Founder & Managing Director of Allegis Capital | March 27, 2017


In an era in which we chronically hear about a profusion of new low-paying jobs, there is a challenging and diversified specialty, the cybersecurity professional, that pays well and offers good advancement potential. And yet we can’t come close to filling the demand for these types of workers.

Security pros protect critical information, which means they have an immediate impact on the businesses in which they work. Cybersecurity is also a challenging puzzle and one that changes all the time, eradicating boredom. Because cybersecurity touches virtually every other IT discipline, cyber pros are also constantly learning.

As previously mentioned, the pay is good, too. According to New Horizons Computer Learning Centers, the median wage exceeds $90,000 annually, 9 percent more than other IT workers overall. In addition, the number of cyber jobs is projected to grow 18 percent annually through 2024, much faster than the average for all occupations. In fact, U.S. News & World Report ranked a career in information security analysis eighth on its list of the 100 best jobs for 2015.

1.5 Million Job Shortfall in Five Years

Nonetheless, nowhere near a sufficient number of qualified job applicants are biting. About 210,000 cybersecurity jobs are unfilled today, according to the Bureau of Labor Statistics, a number widely expected to keep growing. Frost & Sullivan has estimated that the global shortfall of information security work will reach 1.5 million workers in five years.

What is the problem?

Nobody knows for sure, but it appears to be part of the general reluctance among young Americans and their global counterparts to pursue STEM careers, a reflection of their perceived inability to master math and science and related disciplines. Companies sometimes will hire people with the right skill sets without a college degree, but a STEM bachelor’s degree is preferred and usually essential. Typically, certifications are also required down the road, especially the CISSP (Certified Information Systems Security Professional).

Another smaller but still prickly problem is that cybersecurity is not the same as computer science, another technical pursuit that also offers ample jobs — and greater job diversity. Computer science courses are helpful but insufficient: to crack stubborn encryption, cyber professionals also need to learn how systems work, and computer science doesn’t always explore this.

Boot Camps Help Ease the Challenge

Those with computer science degrees and other non-cybersecurity backgrounds can sometimes sidestep the cybersecurity job hurdle by enrolling in boot camps, intensive programs that accept non-programmers, train them in key skills and help them land jobs. In Denver, for example, startup SecureSet Academy is among the latest organizations to use the boot camp model to prepare cybersecurity job seekers for the career of their choice. Launched a year ago, SecureSet has since graduated 16 cyber pros and placed all of them in solid cybersecurity jobs. A similar number of fresh graduates are expected to join them shortly in the workforce.

Doing much the same thing is the City Colleges of Chicago (CCC), which recently became the first community college system to partner with the Department of Defense on a cybersecurity training program — and one not limited to members of the military. The CCC program is becoming a model for other community college programs and, among other things, is helping prepare students for entry-level analyst positions.

This program happens to be free. But this is the exception, not the rule. More typically, SecureSet charges thousands of dollars for its 20-week program. And while their graduates have gotten jobs so far, they’re still likely to find themselves shut out of many other cybersecurity positions because they lack degrees.

Given the severe shortage of cybersecurity talent, a key question inevitably arises: Is this the way things should be? As businesses face ever-growing cyber threats, the lack of cybersecurity talent is downright dangerous. A recent report by Intel Security – “Hacking the Skills Shortage” – polled 775 IT decision-makers and found that 82 percent reported a lack of cybersecurity skills within their businesses. One in three said this makes them hacking targets.

Hiring Standards May Be Too High

Given the backdrop, I believe cybersecurity applicants are being judged too harshly. Some on-the-job training makes sense given the rapid growth of cybersecurity. So, too, would corporate partnerships with local colleges to create cybersecurity programs.

Companies also need to do a much better job providing adequate cybersecurity training. That way, the cyber pros they have on board can maintain their skills. This won’t bring in fresh talent but might prolong the stay of current cybersecurity employees, who constantly attract job offers. A survey of more than 430 security professionals by the Enterprise Strategy Group found that 56 percent believed their company did not provide adequate training to keep their skillset current.

For now, and the foreseeable future, there is no shortage of specialties for appropriately skilled cybersecurity pros. Seven come to mind:

  • Security analysis. This is the first job for many cyber pros. These analysts plan and activate computer system security measures.
  • Risk mitigation. This entails tracking security risks that have been identified, discovering new risks, and tracking risk throughout select projects. This position also involves brainstorming what might happen if there is a breach.
  • Data security. This has become a common job as organizations move to cloud computing. The job of data security pros is to protect company information from threats.
  • Network monitoring. This requires professionals who know what they’re looking for in networks and can make decisions rapidly when suspicious behavior is detected. They work in concert with advanced network monitoring apps.
  • Cloud security. Cloud security specialists analyze threats particular to cloud security. Dangers include data breaches, system vulnerability exploits, hijacked accounts, inadequate diligence and malicious insiders.
  • Intrusion detection. Experts in this area search for potentially harmful activity that could undermine the confidentiality, integrity or availability of information.
  • Secure software development. Most data breaches are successful because of vulnerabilities or flaws in software code. Specialists in this area patch code on a routine basis.

Cybersecurity Automation

While all these positions are crucial, it’s also important to note that cybersecurity automation has begun to play a role in coping with the shortage of skilled security professionals. Increasingly common advanced persistent threats (APTs), for example, are spearheaded by automated bots, not human assailants, and IT personnel are no match for such intensive, sustained attacks: most humans cannot make decisions quickly enough to address them manually.

In addition, even the most skilled cyber professional tends to make occasional mistakes, which can be very costly. Automation helps mitigate this by removing the human element in appropriate circumstances.

A new cohort of orchestration/automation and analytics companies has begun filling the cybersecurity gap with technology solutions that confront automated attacks and/or materially increase the productivity of cybersecurity analysts. This helps address analyst shortages.

As cybersecurity issues continue to grow, it’s natural to wonder whether the salaries of cyber pros will climb still higher. This seems to be inevitable because there aren’t enough professionals to go around. And fatter compensation packages might begin to attract candidates from other disciplines, such as electrical engineering. For the foreseeable future, this might be the best possible way to address the talent shortfall.

By Robert Ackerman Jr. | Founder and Managing Director, Allegis Capital

See more at: www.rsaconference.com/blogs


Cybersecurity startups start to see slump in VC spending

Third Certainty | Roger Yu | March 20, 2017

Venture capital funding in cybersecurity is cooling. And it’s show-me time for startups battling for the dwindling pool of funds.

While the cybersecurity market is maturing, startups are still innovation drivers and venture capitalists are keen on finding the next big unicorns. Large enterprises’ tendency to juggle products from multiple vendors—despite their wishes for seamless, one-vendor-only solutions—leaves the market perpetually fragmented. And the fact that cybersecurity threats are evergreen enables venture capitalists who specialize in the sector to operate with little regard for broader macroeconomic conditions.

Still, the ample opportunities afforded by the fragmented, constantly shifting market have bred too many me-too companies and fast followers, driving some venture capitalists to pause and reflect on the next phase. “It’s definitely overfunded, massively so,” Ravi Viswanathan of New Enterprise Associates told a panel at CB Insights’ Future of Fintech Conference last year.

“You saw a material pause in the fourth quarter,” says Bob Ackerman, founder and managing director of Allegis Capital, which specializes in the sector. “You have too many undifferentiated companies. There’s a level of noise that develops as a result of that. … Cybersecurity is one of those areas where experience and domain knowledge matter a great deal.”

After growing steadily since 2012, venture capital funding in cybersecurity dipped in 2016, alarming entrepreneurs. The cybersecurity market captured roughly $3.1 billion of venture funding in 2016, down from $3.8 billion a year earlier, according to research firm CB Insights. The cybersecurity market will undergo a few years of retrenchment with a host of companies shutting down, VCs say.

More judicious spending

But the market is hardly mature. Money will still be spent, just more selectively. At this phase, fewer deals will be struck. But those deals will be reserved for larger companies, with proven products further along in development.

“The deal size and valuation is coming down a bit,” says Sean Cunningham, managing director of Trident Capital Cybersecurity, which raised $300 million this month for a fund to invest in cybersecurity startups. “I don’t think there’s any shortage of capital for the right type of companies. But the dollars being invested are smaller.”

Appthority is one of the companies that made Trident’s cut. Appthority, which develops mobile threat protection software for corporations, didn’t land its first paying customer until more than a year after it was founded in 2011.

Four years later, its customer renewal rate stands at 98 percent, with about 20 percent of its revenue coming from the government sector. Heartened by solid proof of growth, venture capitalists poured in another $7 million in Series B funding last July, led by Trident Capital Cybersecurity.

“You’re going to see a lot of startups out there, and good ones will rise to the top,” Cunningham says. “There’s ample supply of capital to fund them. They can get traction.”

Innovation niches

As seen in the early days of the internet, the cybersecurity market is recalibrating for a second wave of innovative technology that’s more comprehensive and cohesive. And that means more seamless products for large clients who are eager to cut down on the number of vendors.

“Companies that can stand on their own two feet, deliver value, and have deep knowledge will do fine,” Ackerman says, citing one of the companies he’s invested in, EnVeil, which uses “homomorphic encryption” to secure data in operation.

As more companies employ automation and “big data” to enhance efficiency and find new markets, data encryption products will continue to be in heavy demand.

The emergence of the industrial internet—the integration of complex machines to network sensors and software—also will breed startups eager to provide cybersecurity solutions to power and water grids, refineries and pipelines.

In May, Trident helped raise $6.6 million in Series A funding for Bayshore Networks, which develops cloud-based software that offers “visibility” into operational technology infrastructure, networks, machines and workers.

Meanwhile, the proliferation of enterprise mobile devices will continue to see vulnerabilities and pose a ripe market for startups like Appthority, Cunningham says.

Early investors haven’t gone away

That VC dollars are chasing more evolved companies doesn’t mean early-stage investing is passé, Ackerman says. “That’s where the new things get started.”

But cybersecurity, unlike more consumer-oriented technology sectors, is a competitive and difficult market, rife with startups struggling to recruit and market products.

That’s partly why Allegis funded DataTribe, a startup studio based in Fulton, Maryland. It was designed to tap into the wealth of cybersecurity-savvy technologists in the region with experience or ties to the federal government and intelligence agencies.

Ackerman also anticipates more mergers and acquisitions activity from large cybersecurity companies that may find it easier to acquire smaller niche players as they seek to add new product lines.

As venture capitalists squeeze their wallets, startups lucky enough to land Series A funding also will have to justify more vigorously their pursuit of Series B funding, Cunningham says. “And unicorns are in trouble,” he says, referring to startups valued at over $1 billion.

The Trump factor

Meanwhile, venture capitalists are hopeful that the federal government, with President Trump at the helm and promising a rollback in regulations, will cut steps in federal procurement and stay engaged in securing networks.

“We think the administration understands the value of national cybersecurity,” Cunningham says. “We’re not counting on incremental increases in spending. But we’re excited about the awareness level.”

Article found here: Thirdcertainty.com


Exclusive: Blackstone-Backed Network for Cyber Risk Launches Today

Fortune | Jeff John Roberts | 7:40 AM Pacific

Financial firms have long used rating agencies like Moody’s or S&P to judge the risk of bonds. Now, companies that face risk from cyber attacks—which these days is almost everyone—have a tool to do the same.

On Wednesday, CyberGRX unveiled a platform that acts as a clearinghouse for cyber risk. Developed by a group of blue chip security pros from companies like Blackstone and Aetna, CyberGRX promises to make the process of flagging cyber dangers posed by a company’s vendors dramatically more efficient.

The risk posed by vendors has been top of mind for many companies ever since the infamous hack on Target in 2013, which saw attackers compromise the computer systems of Target’s HVAC supplier in order to steal credit card information from 40 million customers.

According to Jay Leek, the former chief security officer of Blackstone, the idea for a clearinghouse came about because companies spend enormous amounts of time filling out checklists to assess the security risks posed by their vendors. Many of Blackstone’s portfolio companies, for instance, were all conducting the same compliance tests to see if vendors—which can include anyone from software giants like Salesforce or Workday to catering companies—had programs in place to defend against cyber-attacks.

This process, says Leek, resulted in a lot of duplicated efforts and security officers spending their time on checklists rather than on mitigating cyber dangers.

In response, Leek and others realized the better approach was to build what they call a “third party global cyber risk exchange” that will let companies assess vendors in the same way banks rely on ratings agencies to assess bonds. Leek likens it to performing cyber-risk assessment the TurboTax way, rather than doing it by hand.

“The inherent efficiency of the CyberGRX Exchange eliminates the waste in today’s approach—largely based on sharing spreadsheets—in a way no one in the market does. For the first time, companies will know which of their third parties pose the greatest risk to their organizations,” says Fred Kneip, CyberGRX CEO.

The process has been in the works since last year when CyberGRX raised $9 million from investors that include Allegis Capital, Blackstone, TenEleven Ventures, Rally Ventures, GV (formerly Google Ventures), and MassMutual Ventures.

The building process has relied on what CyberGRX calls its “design partners,” like Aetna, and their existing dossiers of tens of thousands of vendor reports.

Now, the tool is ready for primetime as CyberGRX (GRX stands for global risk exchange) invites other companies to take part. Here is how CyberGRX described it in a release announcing the news:

Built in partnership with chief security and risk officers from Aetna, Blackstone, MassMutual, ADP and other large companies with a combined network of more than 40,000 companies in their digital ecosystems, the CyberGRX Exchange brings together enterprises and their third parties and creates massive efficiency to a process that has largely been driven by sharing spreadsheets and trusting unvalidated self-assessments.

While the plan will provide a way for big companies to speed up their cyber risk assessments, it will also help hundreds of thousands of vendors who currently must wait for a cyber seal-of-approval before they can start providing their services.

As for the risk assessments the platform provides, those are compiled from the reports provided by the member companies but also from a host of outside signals. These include threat reports from security companies as well as news reports from Thomson Reuters and others.

The other advantage of the service, according to CyberGRX, is that it will continually update the security profiles of all the companies on the exchange. This means companies will no longer need to rely on an annual checklist system to confirm a vendor can still be trusted.

The idea for a cyber risk clearinghouse is not a new one. According to Leek, S&P tried unsuccessfully to come up with such a service way back in 2006. Goldman Sachs, meanwhile, tried to create a risk standard with Moody’s in 2015 but was likewise unable to pull it off.

If CyberGRX is a success, its backers say the service could save companies billions in legal and compliance costs, and allow security executives to devote far more time to threat mitigation rather than bureaucratic measures.

The new service may also jumpstart the market for cyber-insurance, which has been expanding in light of the growing number of high-profile data breach incidents. But that market is far from mature—in large part because of a lack of information on how to price cyber risk.

Article found here: www.fortune.com


G6 Hospitality Leverages RedOwl to Prevent Insider Threats

Top Lodging Company Boosts Protection of Sensitive Data of Company and Guests

Marketwired | March 07, 2017 11:00 ET

SAN FRANCISCO, CA–(Marketwired – March 07, 2017) – RedOwl, the leading provider of insider risk solutions, today announced that G6 Hospitality, known for its iconic economy lodging brands, Motel 6 and Studio 6 in the U.S. and Canada, has deployed the RedOwl Insider Risk Management platform to mitigate the risk of negligent, compromised and malicious employees leaking sensitive company intellectual property or customer data.

G6 Hospitality owns, operates and franchises over 1,300 lodging locations and employs more than 10,000 team members across the U.S. and Canada. Like many organizations, G6 does business over email — both internally and with its franchisees, who at times still maintain their own email systems. The company selected RedOwl specifically because it is the leading solution for electronic communication content and behavioral analytics, and because it can integrate other critical streams of activity and employee-specific characteristics.

“One of the biggest strains on resources within our security team is ensuring all of our employees across North America are aware of how email should and shouldn’t be used and are educated on the risks of phishing and other types of external attacks and internal risky behavior that could result in critical data loss for our organization,” said Harvey Ewing, chief information security officer (CISO) of G6 Hospitality. “With RedOwl, our team no longer has that burden, as the platform can analyze and alert potential threats before they become incidents.”

RedOwl combines content and behavioral analytics to identify both acts of exfiltration and the potential precursor activities that indicate unwanted behavior in the enterprise, such as data theft and even employee flight risk. Critical to the team at G6 is RedOwl’s ability to reduce the noise and false positives typically seen in monitoring as well as to be able to quickly go from alert to in-depth investigation.

“Insider threats can no longer be ignored by organizations looking to protect their intellectual property and customer data,” said Guy Filippelli, founder and CEO of RedOwl. “RedOwl is proud to be G6’s partner as they work to further protect themselves and their customers from insider threats.”

In the year ahead, G6 Hospitality will continue to strengthen its defenses by leveraging more insider risk management capabilities offered on the RedOwl platform.

ABOUT REDOWL
RedOwl helps large enterprise and government organizations mitigate insider threats with technology designed for the modern workplace. Information security and regulatory surveillance teams trust our behavioral analytics platform to provide holistic and actionable visibility of all human risk, ranging from common employee data leaks to malicious insider attacks. With offices in Baltimore, New York City, San Francisco, and London, RedOwl’s investors include the Blackstone Group, Allegis Capital, and Conversion Capital. To learn more about RedOwl, visit: https://redowl.com.

ABOUT G6 HOSPITALITY
G6 Hospitality LLC owns, operates and franchises more than 1,350 economy lodging locations under the iconic Motel 6 and the extended stay Studio 6 brands in the U.S. and Canada, and the Hotel 6 and Estudio 6 brands in Latin America. Headquartered in Dallas (Carrollton), Texas, G6 Hospitality was rated one of the top ten hospitality companies in the Hotel Management 2015 Top Hotel Companies rankings list, which evaluated over 260 hotel companies. For more information please visit G6Hospitality LLC.

Article found here: www.marketwired.com


RedOwl Enters Agreement with immixGroup to Reduce Insider Threat Risks for Government

New Relationship to Strengthen Agencies’ Risk Management Posture

Marketwired | February 21, 2017

SAN FRANCISCO, CA–(Marketwired – February 21, 2017) – RedOwl, the leading provider of insider risk solutions, today announced an agreement with immixGroup, an Arrow company that helps technology companies do business with the government. Through immixGroup contracts with governments at the federal, state and local levels, agencies will be able to purchase RedOwl’s behavior risk analytics to mitigate insider threats such as classified information leaks, intellectual property loss, data theft and employee flight risk. In addition, government organizations can use RedOwl to comply with the Presidential Order requiring agencies to implement an insider threat program, and to meet the compliance standards set by the National Industrial Security Program Operating Manual (NISPOM) for government contractors.

“Major cyber espionage and data leaks affecting the U.S. government over the past few years are proof that, more so than ever before, the public sector has the huge responsibility to protect against insider threats within their own organizations, but also the societal imperative to respect the privacy of employees,” said Guy Filippelli, CEO of RedOwl. “With its deep-rooted commitment to providing governments with reliable access to the enterprise software and hardware solutions they need to achieve mission success, our agreement with immixGroup aims to do just that. Only RedOwl can help governments and enterprises monitor and detect precursor behavior in a comprehensive, unbiased, systematic and automated way while ensuring employee privacy.”

RedOwl unlocks the power of existing enterprise data to identify and mitigate unwanted behavior. Only RedOwl ingests and combines structured, unstructured and business data to analyze interactions between employees, contractors, devices, files and applications. Using a combination of statistical pattern matching, machine learning and content analytics to profile user behavior, RedOwl gives risk management professionals the in-depth narratives required to effectively pinpoint and distinguish negligent, compromised and malicious employees.

Article found here: marketwired.com
