Things move fast in information security. A decade ago antivirus was cool; today it is derided, its value questioned. A decade ago the perimeter was cool; today some say the edge is dead.
“This is an exciting space,” says Gartner’s Craig Lawson, a veteran of the Australian information security sector and the co-author of four reports into ‘cool’ vendors. Of the many diverse areas in security, the Brisbane analyst is most excited about cloud access security broker (CASB) technology.
It is a sector that went from “nothing” before 2012 to one that clocked up US$1 billion in acquisitions last year alone, Gartner estimates. The firm predicts that by 2020 some 85 percent of large enterprises will run a CASB, up from about 5 percent today.
“CASB is mandatory,” Lawson says. “It’s the biggest security story in the last three years.”
From Silicon Valley to Tel Aviv to Sydney, the information security market is brimming with innovative startups that spell opportunity for savvy channel players.
Peering through clouds
While the broader tech sector celebrated the birth of the cloud, the security community feared it. That apprehension has largely given way to a realisation that a cloud giant has more resources, skills and incentive to secure its platform than the average enterprise does. What the enterprise puts into that platform, who it shares it with and which services its staff sign up for remain the enterprise's problem.
Yet with so many clouds, visibility drops. Enter CASB, a control point that sits between users and the cloud services they use, either inline as a proxy or out of band through the providers' APIs, and gives information security teams a single view of risk across data stores spread over many vendors. It offers a way for chief information security officers to claw back visibility, set policy, monitor activity and manage risk across fleets of enterprise cloud services.
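The "discovery" half of that visibility is mechanically simple: classify every outbound web request against a catalogue of known cloud services, then report who is using what and whether policy allows it. The following is an added example, not code from Skyhigh, Gartner or any vendor on this page; the service catalogue, proxy-log format, sample lines and upload threshold are all constructed for illustration.

```python
"""Shadow-IT discovery over web-proxy logs, the 'discovery' half of what a CASB
does. Added example; not code from Skyhigh, Gartner or any vendor on this page.
The catalogue, log format, sample lines and threshold are all constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed service catalogue: host suffix -> (service name, sanctioned?, risk score 0-10).
# A real CASB ships tens of thousands of entries; three are enough to show the logic.
CATALOGUE = {
    "salesforce.com": ("Salesforce", True, 3),
    "drive.google.com": ("Google Drive", False, 5),
    "filedump.example.net": ("FileDump", False, 9),
}
UPLOAD_BYTES_THRESHOLD = 5_000_000  # flag single uploads >= ~5 MB to unsanctioned apps

# Constructed proxy log: "<timestamp> <user> <method> <url> <status> <bytes_sent>"
SAMPLE_LOG = """\
2016-07-01T09:00:01Z alice GET https://login.salesforce.com/ 200 512
2016-07-01T09:02:17Z alice POST https://filedump.example.net/upload 200 7340032
2016-07-01T09:05:44Z bob POST https://drive.google.com/upload 200 120000
2016-07-01T09:06:10Z bob GET https://intranet.example.com/home 200 900
2016-07-01T09:07:55Z carol POST https://filedump.example.net/upload 200 6000000
"""

def classify_host(host):
    """Map a destination host to a catalogue entry. Unknown hosts are treated as
    unsanctioned with elevated risk: 'we have never heard of it' is itself a finding."""
    for suffix, info in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return info
    return ("unknown", False, 7)

def parse_line(line):
    ts, user, method, url, status, sent = line.split()
    return {"ts": ts, "user": user, "method": method,
            "host": urlsplit(url).hostname, "status": int(status), "bytes_sent": int(sent)}

def discover(log_text):
    """Return (per-service usage summary, list of upload-policy violations)."""
    usage = defaultdict(lambda: {"users": set(), "bytes_sent": 0, "sanctioned": False, "risk": 0})
    violations = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        name, sanctioned, risk = classify_host(ev["host"])
        rec = usage[name]
        rec["users"].add(ev["user"])
        rec["bytes_sent"] += ev["bytes_sent"]
        rec["sanctioned"], rec["risk"] = sanctioned, risk
        # Policy: a large upload to anything unsanctioned is a data-leakage candidate.
        if not sanctioned and ev["method"] == "POST" and ev["bytes_sent"] >= UPLOAD_BYTES_THRESHOLD:
            violations.append({"ts": ev["ts"], "user": ev["user"], "service": name,
                               "host": ev["host"], "bytes": ev["bytes_sent"], "risk": risk})
    return usage, violations

def unsanctioned_services(usage):
    return sorted(name for name, rec in usage.items() if not rec["sanctioned"])

if __name__ == "__main__":
    usage, violations = discover(SAMPLE_LOG)
    for name in sorted(usage, key=lambda n: -usage[n]["risk"]):
        rec = usage[name]
        print(f"{name:14} sanctioned={rec['sanctioned']!s:5} risk={rec['risk']:2} "
              f"users={sorted(rec['users'])} bytes_sent={rec['bytes_sent']}")
    for v in violations:
        print(f"VIOLATION {v['ts']} {v['user']} sent {v['bytes']} bytes to {v['host']} "
              f"({v['service']}, risk {v['risk']})")
```

Run against the constructed log, two of the three uploads to the unsanctioned FileDump service trip the threshold, bob's small upload to Google Drive is recorded but not flagged, and the intranet host surfaces as "unknown", which in practice is the queue a CASB operator works through when deciding what to sanction, block or coach users away from.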
Lawson sees gold in the CASB hills. He is not alone: Microsoft spent US$320 million buying Adallom, Blue Coat splurged US$300 million on Elastica and Perspecsys, and Palo Alto Networks shelled out about US$20 million on CirroSecure. At the end of June, Cisco announced a US$298 million buyout of CloudLock.
Independent CASB players Skyhigh Networks, Netskope, Bitglass, CipherCloud, FireLayers and Palerra would represent another billion dollars in acquisitions if they were to be bought. Lawson estimates the first two each have market valuations of about US$300 million.
“There are still acquisitions to go and I don’t think the technology monsters are going to leave CASB unanswered,” he says. “I think it will break out to be a market in its own right.”
Skyhigh Networks’ regional director, Gareth Cox, says companies are moving “core assets” into the cloud, where security visibility is lacking.
“[CASB] will integrate frictionlessly with existing cloud infrastructure, with firewalls, SIEMs (security information and event management) and management servers without breaking apps, without breaking Salesforce,” Cox explains.
Skyhigh Networks set up shop in Australia about 18 months ago and has a local reseller network that includes Dimension Data, PwC, Es2, Airloom and Saltbush, with Datacom among those in New Zealand. “We are always open to new clients who can add value to the space,” Cox says.
Israel is an astonishing hub of cool information security startups. The nation is home to eight million people, yet boasts 7,000 startups – one of the highest concentrations anywhere. It pulls in more venture capital, per capita, than any other nation.
The Middle Eastern country is a formidable force in the information security space. “I don’t know what they put in the water in Israel, but the security startups that are coming out of there are off the charts,” Lawson says.
Of these, deception technology is one of the most intriguing. It is rooted in a Second World War counter-intelligence strategy, now thoroughly modernised and automated. Dean Sysman, co-founder and chief technology officer of deception vendor Cymmetria, recalls the Allied efforts of that war.
“In order for the Allies to keep hidden [the fact] that they were able to decrypt Germany’s Enigma communications, they created an elaborate ruse of double-agent networks to make the Germans believe spies were the source of any leaked information.”
In this modern age of cyber conflict marked by huge asymmetry in favour of attackers, Sysman says from the firm’s Tel Aviv research facility, the defender’s best weapon is psychological warfare, not technology.
“No matter how much you spend – you could be the best in information security – you are still going to get hacked,” he says. “Deception is exploiting the only real advantage defenders have: the home court advantage.”
The technology assumes that the perimeter parapets have already been breached and that interior defences are where the fight is. It works by seeding decoys, such as fake credentials, connection strings and server records, across corporate networks and staff endpoints, so that an intruder who has so far gone unnoticed follows them instead of real assets.
Attackers follow what look like realistic trails, burning time and tooling, until they try a planted credential or run an exploit against a fake server, a honeypot, to gain deeper access.
Because nothing legitimate ever touches a decoy, that attempt is a high-fidelity alert. Security teams can evict the intruder and harvest indicators of compromise, such as source addresses, tools and techniques, that force the attacker to retool before trying again.
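What the detection side of that looks like, as an added example rather than Cymmetria's or TrapX's code: decoy account names are seeded where an intruder rummaging through a workstation would find them, an sshd-style authentication log is scanned for any use of those names or of a decoy host, and the attacker's source address is then used as an indicator to find which real accounts it also logged in with. The account names, hosts and log lines are constructed for the example.

```python
"""Honeytoken (decoy credential) detection over authentication logs.
Added illustration of the deception approach described above; not Cymmetria's,
TrapX's or any vendor's code. Decoy names, the log format and sample lines are constructed."""
import re
from collections import defaultdict

# Decoy accounts seeded into the environment (e.g. in a script or config file on a
# workstation). Nobody legitimately authenticates as these, so any attempt is a signal.
DECOY_ACCOUNTS = {"svc_backup_legacy", "oracle_admin2"}

# Decoy hosts: real listeners that serve no production purpose (honeypots).
DECOY_HOSTS = {"fs-backup-02"}

# Constructed sshd-style log lines.
SAMPLE_AUTH_LOG = """\
Jul 01 09:12:03 app-01 sshd[2201]: Accepted publickey for alice from 10.0.5.23 port 51022 ssh2
Jul 01 09:31:44 app-01 sshd[2290]: Accepted password for bob from 10.0.9.77 port 40211 ssh2
Jul 01 09:33:10 db-01 sshd[811]: Failed password for svc_backup_legacy from 10.0.9.77 port 40230 ssh2
Jul 01 09:33:15 db-01 sshd[811]: Failed password for svc_backup_legacy from 10.0.9.77 port 40230 ssh2
Jul 01 09:35:02 fs-backup-02 sshd[3002]: Accepted password for oracle_admin2 from 10.0.9.77 port 40301 ssh2
Jul 01 10:02:19 app-02 sshd[4410]: Accepted publickey for carol from 10.0.5.41 port 52210 ssh2
"""

# sshd writes "for invalid user <name>" when the account does not exist locally;
# the optional group keeps such lines parseable.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_log(text):
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not authentication results are ignored
            events.append(m.groupdict())
    return events

def detect_decoy_use(events):
    """Return one alert per event that touches a decoy account or decoy host."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["user"] in DECOY_ACCOUNTS:
            reasons.append("decoy account")
        if ev["host"] in DECOY_HOSTS:
            reasons.append("decoy host")
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "src_ip": ev["ip"], "result": ev["result"], "reasons": reasons})
    return alerts

def pivot_on_indicators(events, alerts):
    """Treat the attacker's source IPs as indicators of compromise: which real accounts
    and hosts did those addresses successfully log in to? Those need resetting."""
    bad_ips = {a["src_ip"] for a in alerts}
    exposure = defaultdict(lambda: {"accounts": set(), "hosts": set()})
    for ev in events:
        if ev["ip"] in bad_ips and ev["user"] not in DECOY_ACCOUNTS and ev["result"] == "Accepted":
            exposure[ev["ip"]]["accounts"].add(ev["user"])
            exposure[ev["ip"]]["hosts"].add(ev["host"])
    return dict(exposure)

if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    alerts = detect_decoy_use(events)
    for a in alerts:
        print(f"ALERT {a['ts']} {a['result']} {a['user']}@{a['host']} from {a['src_ip']}: {', '.join(a['reasons'])}")
    for ip, exp in pivot_on_indicators(events, alerts).items():
        print(f"IOC {ip}: real accounts used {sorted(exp['accounts'])} on hosts {sorted(exp['hosts'])}")
```

On the constructed log the two failed logins as svc_backup_legacy and the successful login to the honeypot as oracle_admin2 all come from 10.0.9.77, and the pivot shows that address had already logged in as bob on app-01. The decoy produced the alert; the pivot tells the responder which real account to reset and which host to image.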
Cymmetria, founded in 2014 and named by Gartner as one of a list of just five cool security infrastructure vendors this year, is actively seeking to establish a partner network Down Under. “We have an investor in Australia who serves as regional manager and are also looking for a reseller partner who we can work with,” Sysman says.
Banks, federal government agencies, hospitals and even police forces are using deception platforms from vendors including TrapX. Gartner last year dubbed the then-nascent technology “game-changing”, predicting that 10 percent of enterprises will use it by 2018.
Attackers still breach networks by exploiting classes of software vulnerability that have been understood for decades. Much of this is possible because developers are not taught to write secure code and ship products akin to cars without seat belts.
Secure Code Warrior hopes to change this by selling gamified developer training exercises that help teach developers to find and fix vulnerabilities.
“Under the old model it was very easy to outsource security,” says Pieter Danhieux, founder and chief executive officer of the Sydney company. “Security came in at the end, but agile has changed that completely, which is why security must become a developer’s problem.”
Danhieux is a firm believer in the DevSecOps movement, in which every developer is responsible for security rather than a siloed group. The company’s training programs are geared to make learning security engaging and constructive: developers are tasked with locating the vulnerability in sample code and then choosing the correct fix, through courses and challenges available in multiple programming languages.
The company, founded in December 2014, has quietly chalked up considerable wins across Australia, including a big four bank, Sportsbet and household finance and retail companies, with one recent deal topping $1 million.
Secure Code Warrior has nine resellers around the world in Australia, the US, Britain, Spain, Belgium and Ireland. Locally it is represented by consultancies Asterisk Information Security, Hivint and SEER Security.
Nick Ellsmore, co-founder of Melbourne-based consultancy Hivint, says the training program is received well by enterprises.
“It is in a great space – the convergence of application security and security awareness,” Ellsmore says. “The gamification element is interesting, because the industry has been beating developers to death with boring security awareness for the past five years.”
Factfile: Hot tips for the future of security
Cloud access security brokers are Gartner analyst Craig Lawson’s odds-on favourite for the partner punter. But there are two other hotshots in his security startup race that are worth investigating.
User and entity behaviour analytics (UEBA) applies statistical and machine-learning models to activity data, ‘correlation on steroids’, to detect anomalies indicative of compromised staff accounts. It learns, for example, which shares and content a user typically accesses and when, and flags it when an attacker holding that account reaches for unusual network shares. The catch is tuning: a baseline built on too little history flags normal variation as an attack, so deployments typically run in learning mode before alerting. Here Splunk has bought Caspida, HPE’s ArcSight is reselling Securonix, while independents include Exabeam, Fortscale and Gurucul.
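The mechanics of the "unusual network shares" case, stripped to a toy: build a per-user baseline of which shares are touched and at what hours, build a peer-group view per department, then score new activity by how far it strays from both. This is an added example, not the code of Splunk, Securonix or any vendor named here; the directory data, weights, threshold and access-log lines are constructed.

```python
"""Toy baseline-and-score UEBA over file-share access events, illustrating the
'unusual network shares' case above. Added example; not the code of Splunk,
Securonix or any vendor named here. Directory data, weights and log lines are constructed."""
from collections import defaultdict

# Assumed directory data: peer group per user.
DEPARTMENTS = {"alice": "finance", "carol": "finance", "bob": "engineering"}

# Constructed access events: "<date> <hour> <user> <share>"
BASELINE_LOG = """\
2016-06-01 09 alice //fs01/finance
2016-06-01 14 alice //fs01/finance
2016-06-02 17 alice //fs01/finance
2016-06-01 10 carol //fs01/finance
2016-06-01 11 carol //fs02/hr
2016-06-02 15 carol //fs01/finance
2016-06-01 09 bob //fs01/engineering
2016-06-02 18 bob //fs01/engineering
2016-06-03 19 bob //fs01/engineering
"""
OBSERVED_LOG = """\
2016-06-10 10 alice //fs01/finance
2016-06-10 18 alice //fs01/finance
2016-06-10 11 alice //fs02/hr
2016-06-11 02 bob //fs01/finance
2016-06-11 02 bob //fs02/hr
2016-06-11 03 bob //fs03/backups
"""

def parse(text):
    events = []
    for line in text.strip().splitlines():
        date, hour, user, share = line.split()
        events.append({"date": date, "hour": int(hour), "user": user, "share": share})
    return events

def build_baseline(events):
    """Per-user shares and working hours, plus each department's share set (the peer group)."""
    b = {"user_shares": defaultdict(set), "user_hours": defaultdict(set), "dept_shares": defaultdict(set)}
    for ev in events:
        b["user_shares"][ev["user"]].add(ev["share"])
        b["user_hours"][ev["user"]].add(ev["hour"])
        b["dept_shares"][DEPARTMENTS.get(ev["user"], "unknown")].add(ev["share"])
    return b

def score_user(baseline, user, events):
    """Accumulate anomaly points for one user's observed events -> (score, reasons)."""
    known = baseline["user_shares"].get(user, set())
    hours = baseline["user_hours"].get(user, set())
    peers = baseline["dept_shares"].get(DEPARTMENTS.get(user, "unknown"), set())
    lo, hi = (min(hours) - 1, max(hours) + 1) if hours else (0, 23)  # tolerate an hour either side
    score, reasons, new_shares = 0, [], set()
    for ev in events:
        if ev["share"] not in known:
            new_shares.add(ev["share"])
            if ev["share"] in peers:   # colleagues use it: mildly unusual
                score += 1; reasons.append(f"new share {ev['share']} (used by peers)")
            else:                      # nobody in the team uses it: strongly unusual
                score += 3; reasons.append(f"new share {ev['share']} (not used by peers)")
        if not lo <= ev["hour"] <= hi:
            score += 2; reasons.append(f"off-hours access at {ev['hour']:02d}:00")
    if len(new_shares) >= 3:           # fanning out across many shares looks like discovery
        score += 2; reasons.append("burst of new shares")
    return score, reasons

def detect(baseline_text, observed_text, threshold=5):
    baseline = build_baseline(parse(baseline_text))
    by_user = defaultdict(list)
    for ev in parse(observed_text):
        by_user[ev["user"]].append(ev)
    results = {}
    for user, evs in by_user.items():
        score, reasons = score_user(baseline, user, evs)
        results[user] = {"score": score, "alert": score >= threshold, "reasons": reasons}
    return results

if __name__ == "__main__":
    for user, r in detect(BASELINE_LOG, OBSERVED_LOG).items():
        flag = "ALERT" if r["alert"] else "ok   "
        print(f"{flag} {user:6} score={r['score']:2} " + "; ".join(r["reasons"]))
```

Alice touching the HR share her finance colleague already uses scores a single point and is not alerted; bob's account reaching three shares nobody in engineering uses, at two and three in the morning, scores well past the threshold. The peer-group comparison is what keeps the first case quiet, and the baseline window is what the tuning caveat above is about: with only a few days of history, "normal hours" is a guess.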
Security automation and orchestration is Lawson’s third contender. It is all about automation where events trigger a series of pre-programmed actions. A compromised machine could trigger a triage playbook in which malware is analysed, accounts are reset, hosts are isolated from the network, IP addresses are blocked, and so on. It helps fight alert fatigue, an ever-increasing problem. In this space IBM has bought Resilient Systems, FireEye acquired Invotas, while independent vendors Swimlane and Phantom Cyber are recommended reading.