SECURITY FOR STARTUPS White Paper
No business is too small to be targeted for attack, but clearly startups have limited time and capital to apply toward security. What's the right balance? At the request of our portfolio companies, BVP's cyber team researched and compiled the best security practices for startups, and now we're publishing our findings for everyone's benefit. Click here to download An Affordable 10-Step Plan to Survival in Cyberspace.
Origin of Our Cyber Practice
Our Earliest Road Map
Bessemer Venture Partners is a multi-national $4 billion venture capital firm that develops investment strategies based on internally developed road maps. Each road map documents important changes in the global economy (e.g. technological, geopolitical, regulatory, demographic, medical, perhaps soon climatic…), and the entrepreneurial opportunities that arise from them. Road maps typically last between three and ten years.
The firm’s first formal road map meeting took place in December 1992, twenty years ago. At that first meeting we approved five technology road maps, one of which was cyber security.
It was the dawn of the commercial internet, and although we couldn’t appreciate just how important it was, we were intrigued with the implications of TCP/IP networks spanning multiple enterprises. Although there was no HTTP protocol at the time, we saw Arpanet carrying more and more SMTP email traffic among agencies and businesses, so we decided to fund Performance Systems International (PSI), the first venture-backed Internet Service Provider.
For the first time, a computer data network connected rivals and competing parties – before the spread of TCP/IP, every computer network had been contained to a single government, university, or company. So there had never been much thought put into securing network protocols, and TCP/IP was no exception, having been originally developed by DARPA strictly for US military use.
We concluded that shared computer networks must somehow be enhanced to incorporate security. Although the problem was only theoretical at the time, we decided to bet on the inevitable value of cyber security. We commissioned a new road map in the space and in January 1993 we started looking for teams to back in cyber security for enterprise.
This was a contrarian move, since there hadn’t been any venture success in security. The exception was Motorola’s acquisition of Codex, which sold encryption boxes to the government. David Cowan recalls a conversation in 1992 when the Codex CEO Per Suneby put his arm on David’s shoulder, advising him, “Son, don’t ever invest in security.”
Firewalls represented the first important security market for the enterprise. Unfortunately we passed on Checkpoint because the market was fragmented (PSI was using Morningstar) and we didn’t expect Sun to be such a strong distribution partner. But we did fund Altiga, a VPN firewall startup, which Cisco acquired and still uses today.
By 1995 the web emerged, but without trust. A universal and understandable reluctance to share credit cards or other private data in a browser stymied the promise of e-commerce. So in January 1995 we founded and incorporated Digital Certificates International in our offices, cut a deal with RSA to exchange technology for equity, and later changed the name to VeriSign. VeriSign enabled the SSL encryption that we have all since relied upon for web security. We funded Valicert as well for SSL certificate validation, and more recently DocuSign to extend authentication to business documents.
VeriSign was the first security company to deliver its product purely as a service (SSL certificates sold as annual subscriptions), and so it also fit into our nascent road map for hosted services, or what today we refer to as Cloud Computing.
Follow the Hackers
The years 1999 to 2002 were good ones to be invested in enterprise security because the large integrators went on a buying spree. By late 2002 they all had Swiss Army knives with more products than any enterprise customer could actually deploy, and the acquisitions slowed down.
That’s about the time we noticed a rise in hacking for profit. Until then, cyber attacks had been committed for ego, mischief and occasionally political expression, but hackers were discovering profits in spam and phishing fraud. So at Bessemer, we shifted our attention from protecting enterprise assets to protecting consumer assets. We funded companies like Postini, Cyota, and SiteAdvisor. As hackers moved into identity theft, we funded Lifelock, Reputation, BillGuard and, recently, Dashlane.
- about the importance of multi-factor authentication Preventing Identity Theft
Bessemer’s leading Cloud Computing practice has led us to many successful enterprise investments like Keynote, Trigo, LinkedIn, Cornerstone, Eloqua and Box. Since we launched the Cloud road map in 1995, it has also informed our cyber strategy. We funded the earliest cloud-based security companies – VeriSign, Valicert, Counterpane, Qualys and Postini – because startups can use Cloud Computing to develop new and stronger defenses:
- They can migrate existing security products to the cloud, where they’re easier to deploy, correlate across customers, and update in real time with new attack signatures.
- Startups can harvest data from the Cloud to profile reputations, identify fraudulent transactions, and analyze bot traffic.
- They can use the cloud to operate on traffic in transit, which is how Defense.Net deflects DDoS attacks and Wandera secures mobile devices.
In the last couple of years, as Cloud Computing has altered the landscape of IT, we have followed the hackers into the cloud. Today it is commonplace for hackers to use cloud-based resources such as bot armies and virtual servers to launch their attacks. Also, they now routinely attack cloud-based service providers who store valuable data for their clients, but without a mature security infrastructure. Recently we funded Cloudlock, which enables enterprises to easily extend their security policies to their cloud providers.
- about Cloud Security: The Coming Wave of Security Startups (MIT Technology Review)
By 2008, we noted another shift of hacker activity, this time into cyber warfare. About three years later the public started gaining visibility into the high level of cyber activity among governments, including attacks launched by the US, Israel, China, North Korea, Gaza and Iran. Cyber warfare has now become a fact of life, and a critical component of most military missions. Those nations with the best capabilities enjoy strategic advantages at a tiny fraction of the price paid by conventional militants in money and lives. Cyber warriors have emerged from the closet, as governments scramble to legislate and negotiate the rules of engagement for private companies, law enforcement, intelligence agencies, and the military. Based on trending military budgets in the US, for example, cyber startups will likely command an increasing share of the US defense industry.
Government networks require an “active defense” which includes a broad range of defensive and offensive capabilities, since attribution and retaliation are necessary for deterrence. ThreatTrack and Internet Identity are examples of BVP-funded active-defense companies that focused initially on US Homeland Security. Another exciting one is Endgame Systems, whose directors include industry luminaries like ISS founder Tom Noonan and General Ken Minihan, former NSA Director. BVP is the largest shareholder in Endgame, and BVP Operating Partner Nathaniel Fick joined the company as CEO.
The following section on Advanced Persistent Threats describes the impact of cyber warfare on businesses.
Advanced Persistent Threats
Nations have marshaled resources and highly sophisticated cyber techniques previously unavailable to hackers, developing the capabilities to specifically target any foreign agency, business or individual in order to steal information or disrupt operations. Instead of simply developing generic malware, they launch “manned missions” into enemy networks, remotely directing a campaign over weeks, months or years to worm their way from server to server, hunting for the crown jewels.
This patient, expensive and sophisticated approach to cyber conflict transformed both warfare and network security in general. Not only are nations attacking businesses and individuals (e.g. the North Korean attack on Sony, or the Iranian DDoS attack on Bank of America), but the offensive skills and techniques have migrated into criminal organizations. Governments, hacktivists and criminals now target the crown jewels of any business, such as product designs, embarrassing emails, financial reports, employee data, and customer credit cards.
The private sector is completely unprepared for this threat. For two decades now we’ve fortified network perimeters with firewalls, Intrusion Detection Systems and Malware filters to deflect malicious sessions, traffic and applications. We all ran the same anti-virus software, updated daily to prevent the equivalent of the common cold – annoying infections that might display ads, run spam bots, or crash our hard drives. We’ve relied on black lists and bot behaviors, which work well against generic malware, but not the targeted, zero-day, manned missions that have come to be called Advanced Persistent Threats (APTs).
APTs are smarter. Their IP addresses and custom malware show up on no black lists. All it takes is a re-used password from a breached web site or one employee’s click on the wrong hyperlink in a search result, tweet, or email for the campaign to begin, and once inside the enemy network, a manned mission will stealthily find its mark, inflicting damage far worse than common cold malware. JP Morgan, Sony, Target and Home Depot lost hundreds of millions of dollars from direct losses, forensic and remediation expenses, lawsuits, fines, and diminished brand.
Ironically, businesses today have too much security infrastructure, spewing out so many alerts that most of them elude investigation. A recent study showed that security teams on average can investigate only 4% of the 17,000 alerts they see every week. “All of these security products are spitting out more alerts than humans have time to deal with,” observed Damballa’s CTO Brian Foster. “And at the end of the day, if your software is overwhelming the analysts, you are part of the problem, not part of the solution.”
We need a new generation of security services and technology that incorporate cyber ops expertise and counter-intelligence to focus security analysts on the important alerts. Internet Identity provides personalized alerts based on threat indicators at similar companies, and iSIght Partners provides customized intel to highlight alerts from the most dangerous adversaries.
- about APT’s: The Failure of Cyber Security and the Startups Who Will Save Us
- about security collaboration: The Internet’s Neighborhood Watch.
Security for Developers
Since 2007 BVP has had an active practice investing in the Developer Economy, funding startups who deliver functionality in the form of APIs. This practice has informed our Cyber practice as well. Application developers now appreciate that trust is a necessary component of any application, even though they lack the time and expertise to code modules such as secure logins, encryption, access rights and fraud prevention.
Recently we funded Auth0, whose API handles all the security and complexity associated with user logins, such as multi-factor authentication and integration with an enterprise’s Active Directory credentials. We look forward to funding other security startups focused on developer needs.
Read more about this opportunity at Developer Love: The Signal for BVP’s Investment in Auth0.
Bessemer’s Cyber Team
We believe that Bessemer’s cyber team is uniquely positioned to identify and develop the best cyber security startups. Not only do we have experienced cyber entrepreneurs and investors, but we also have deep experience investing in Healthcare IT and Financial IT, two key verticals for cyber. At least six different partners at BVP have led investments in cyber security companies.
Our cyber investment team includes:
|David Cowan||Cowan, a Partner in Menlo Park, founded VeriSign in 1995, Good Technology in 1996, and Defense.Net in 2014, and holds multiple U.S. patents. He has also led investments for Bessemer in Postini (acquired by Google), Lifelock (NYSE:LOCK), Cyota (acquired by RSA), Tumbleweed (acquired by Axway), ON (IPO, acquired by Symantec), Worldtalk (IPO, acquired by Tumbleweed), Valicert (IPO, acquired by Tumbleweed), Tripwire (acquired by Thoma Bravo), SilverSky (acquired by BAE), Finjan (XOTC:FNJN), Counterpane (acq. by BT), Qualys (NASDAQ:QLYS), iSight and Endgame.|
|Chini Krishnan||BVP Operating Partner Chini Krishnan is CEO of GetInsured, the leading provider of secure health exchanges. Krishnan serves on the board of Lifelock, and in 1995 he founded Valicert to commercialize his patented inventions in Public Key Cryptography.|
|Nate Fick||BVP Operating Partner Nate Fick is CEO of Endgame Systems. Prior he was CEO of the Center for a New American Security, and a Marine Officer recognized for utilizing innovative technology in Iraq and Afghanistan.|
|Bob Goodman||Bob has served on the boards of SilverSky (acquired by BAE) and Cloudlock.|
|Alex Ferrara||Alex represents BVP on the boards of ThreatTrack, DashLane and Wandera.|
|Sunil James||Prior to joining BVP’s Menlo Park office, Sunil James built cyber security products for iDefense, Mandiant, Arbor, Amazon AWS and Google.|
|Sunil Nagaraj||Sunil served on the board of DefenseNet, and contributed to BVP’s investments in Auth0 and Virtru.|
|Amir Orad||Amir is an EIR in our New York office. Amir co-founded Cyota, and served as VP Marketing at RSA and CEO at Actimize.|
Security for Startups
Trust is now a critical part of any new application or service, and even startups need to safeguard employee data, financial reports, and IP. Practically speaking, how can startups with limited resources and intense product focus, incorporate cyber security into their operations?
BVP has surveyed over a dozen CTO’s and CISO’s to synthesize the most recommended guidelines for entrepreneurs. We invite you to start fortifying your venture by downloading our white paper Security for Startups: The Affordable Ten Step Plan to Surviving in Cyberspace.