[{"command":"settings","settings":{"basePath":"\/","pathPrefix":"","ajaxPageState":{"theme":"bvp_2015","theme_token":"IEoMaxAYf-3vDMHPkx_QEQolLDHkWj1gSvBINcZ7sQ0"}},"merge":true},{"command":"modal_display","title":"Cyber Security","output":"\n\u003Cdiv class=\u0022field field-name-body field-type-text-with-summary field-label-hidden\u0022\u003E\n\n \n \u003Cdiv class=\u0022field-items\u0022\u003E\n\n \n \u003Cdiv class=\u0022field-item even\u0022 property=\u0022content:encoded\u0022\u003E\u003Cp\u003E\u00a0\u003C\/p\u003E\n\u003Cp\u003EOrigin of Our Cyber Practice:\u00a0 Our Earliest Road Map\u003C\/p\u003E\n\u003Cp\u003EBessemer Venture Partners develops investment strategies based on internally developed road maps. Each road map documents important changes in the global economy (e.g. technological, geopolitical, regulatory, demographic, medical, perhaps soon climatic\u2026), and the entrepreneurial opportunities that arise from them. Road maps typically last between three and ten years.\u003C\/p\u003E\n\u003Cp\u003EThe firm\u2019s first formal road map meeting took place in December 1992, twenty years ago.\u00a0 At that first\u00a0meeting\u00a0we approved five technology road maps, one of which was cyber security.\u003C\/p\u003E\n\u003Cp\u003EIt was the dawn of the commercial internet, and although we couldn\u2019t appreciate just how important it was, we were intrigued with the implications of TCP\/IP networks spanning multiple enterprises. Although there was no HTTP protocol at the time, we saw Arpanet carrying more and more SMTP email traffic among agencies and businesses, so we decided to fund Performance Systems International (PSI), the first venture-backed Internet Service Provider.\u003C\/p\u003E\n\u003Cp\u003EFor the first time, a computer data network connected rivals and competing parties \u2013 before the spread of TCP\/IP, every computer network had been contained to a single government, university, or company. 
So there had never been much thought put into securing network protocols, and TCP\/IP was no exception, having been originally developed by DARPA strictly for US military use.\u003C\/p\u003E\n\u003Cp\u003EWe concluded that shared computer networks must somehow be enhanced to incorporate security. Although the problem was only theoretical at the time, we decided to bet on the inevitable value of cyber security. We commissioned a new road map in the space and in January 1993 we started looking for teams to back in cyber security for enterprise.\u003C\/p\u003E\n\u003Cp\u003EThis was a contrarian move, since there hadn\u2019t been any venture success in security. The exception was Motorola\u2019s acquisition of Codex, which sold encryption boxes to the government. David Cowan recalls a conversation in 1992 when the Codex CEO Per Suneby put his arm on David\u2019s shoulder, advising him, \u201cSon, don\u2019t ever invest in security.\u201d\u003C\/p\u003E\n\u003Cp\u003EFirewalls represented the first important security market for the enterprise. Unfortunately we passed on Checkpoint because the market was fragmented (PSI was using Morningstar) and we didn\u2019t expect Sun to be such a strong distribution partner. But we did fund\u00a0Altiga, a VPN firewall startup, which Cisco acquired and still uses today.\u003C\/p\u003E\n\u003Cp\u003EAuthentication\u003C\/p\u003E\n\u003Cp\u003EBy 1995 the web emerged, but without trust. A universal and understandable reluctance to share credit cards or other private data in a browser stymied the promise of e-commerce. So in January 1995 we founded and incorporated Digital Certificates International in our offices, cut a deal with RSA to exchange technology for equity, and later changed the name to VeriSign. VeriSign enabled the SSL encryption that we have all since relied upon for web security. 
We funded Valicert as well for SSL certificate validation, and more recently DocuSign to extend authentication to business documents.\u003C\/p\u003E\n\u003Cp\u003EVeriSign was the first security company to deliver its product purely as a service (SSL certificates sold as annual subscriptions), and so it also fit into our nascent road map for hosted services, or what today we refer to as Cloud Computing.\u003C\/p\u003E\n\u003Cp\u003EFollow the Hackers\u003C\/p\u003E\n\u003Cp\u003EThe years 1999 to 2002 were good ones to be invested in enterprise security because the large integrators went on a buying spree. By late 2002 they all had Swiss Army knives with more products than any enterprise customer could actually deploy, and the acquisitions slowed down.\u003C\/p\u003E\n\u003Cp\u003EThat\u2019s about the time we noticed a rise in hacking for profit. Until then, cyber attacks had been committed for ego, mischief and occasionally political expression, but hackers were discovering profits in spam and phishing fraud. So at Bessemer, we shifted our attention from protecting enterprise assets to protecting consumer assets. We funded companies like\u00a0Postini,\u00a0Cyota, and\u00a0SiteAdvisor. 
As hackers moved into identity theft, we funded\u00a0Lifelock,\u00a0Reputation,\u00a0BillGuard\u00a0and, recently,\u00a0Dashlane.\u003C\/p\u003E\n\u003Cp\u003EFurther Reading:\u003C\/p\u003E\n\u003Cp\u003Eabout the importance of multi-factor authentication\u00a0\u003Ca href=\u0022http:\/\/whohastimeforthis.blogspot.com\/2006\/11\/preventing-identity-theft.html\u0022 target=\u0022_blank\u0022\u003EPreventing Identity Theft\u003C\/a\u003E\u003C\/p\u003E\n\u003Cp\u003EBessemer\u2019s leading Cloud Computing practice has led us to many successful enterprise investments like \u003Ca href=\u0022\/node\/312\u0022 target=\u0022_blank\u0022\u003EKeynote\u003C\/a\u003E, \u003Ca href=\u0022\/node\/294\u0022 target=\u0022_blank\u0022\u003ETrigo\u003C\/a\u003E, \u003Ca href=\u0022\/node\/56\u0022 target=\u0022_blank\u0022\u003ELinkedIn\u003C\/a\u003E, \u003Ca href=\u0022\/node\/240\u0022 target=\u0022_blank\u0022\u003ECornerstone\u003C\/a\u003E, \u003Ca href=\u0022\/node\/241\u0022 target=\u0022_blank\u0022\u003EEloqua\u003C\/a\u003E and \u003Ca href=\u0022\/node\/648\u0022 target=\u0022_blank\u0022\u003EBox\u003C\/a\u003E. 
Since we launched the Cloud road map in 1995, it has also informed our cyber strategy.\u00a0 We funded the earliest cloud-based security companies \u2013 \u003Ca href=\u0022\/node\/294\u0022 target=\u0022_blank\u0022\u003EVeriSign\u003C\/a\u003E, \u003Ca href=\u0022\/node\/459\u0022 target=\u0022_blank\u0022\u003EValicert\u003C\/a\u003E, \u003Ca href=\u0022\/node\/449\u0022 target=\u0022_blank\u0022\u003ECounterpane\u003C\/a\u003E, \u003Ca href=\u0022\/node\/1442\u0022 target=\u0022_blank\u0022\u003EQualys\u003C\/a\u003E and \u003Ca href=\u0022\/node\/172\u0022 target=\u0022_blank\u0022\u003EPostini\u003C\/a\u003E \u2013 because startups can use Cloud Computing to develop new and stronger defenses:\u003C\/p\u003E\n\u003Cul\u003E\u003Cli\u003EThey can migrate existing security products to the cloud, where they\u2019re easier to deploy, correlate across customers, and update in real time with new attack signatures.\u003C\/li\u003E\n\u003Cli\u003EStartups can harvest data from the Cloud to profile reputations, identify fraudulent transactions, and analyze bot traffic.\u003C\/li\u003E\n\u003Cli\u003EThey can use the cloud to operate on traffic in transit, which is how \u003Ca href=\u0022\/node\/1434\u0022 target=\u0022_blank\u0022\u003EDefense.Net\u003C\/a\u003E deflects DDoS attacks and \u003Ca href=\u0022\/node\/1334\u0022 target=\u0022_blank\u0022\u003EWandera\u003C\/a\u003E secures mobile devices.\u003C\/li\u003E\n\u003C\/ul\u003E\u003Cp\u003EIn the last couple of years, as Cloud Computing has altered the landscape of IT, we have followed the hackers into the cloud. Today it is commonplace for hackers to use cloud-based resources such as bot armies and virtual servers to launch their attacks. Also, they now routinely attack cloud-based service providers who store valuable data for their clients, but without a mature security infrastructure. 
Recently we funded \u003Ca href=\u0022\/node\/1571\u0022 target=\u0022_blank\u0022\u003ECloudlock\u003C\/a\u003E, which enables enterprises to easily extend their security policies to their cloud providers.\u003C\/p\u003E\n\u003Cp\u003E\u003Cu\u003E\u003Cem\u003EFurther Reading:\u003C\/em\u003E\u003C\/u\u003E\u003C\/p\u003E\n\u003Cul\u003E\u003Cli\u003Eabout Cloud Security: \u003Ca href=\u0022http:\/\/www.technologyreview.com\/view\/518771\/the-coming-wave-of-security-startups\/\u0022 target=\u0022_blank\u0022\u003EThe Coming Wave of Security Startups\u003C\/a\u003E (MIT Technology Review)\u003C\/li\u003E\n\u003C\/ul\u003E\u003Ch3\u003ECyber Warfare\u003C\/h3\u003E\n\u003Cp\u003EBy 2008, we noted another shift of hacker activity, this time into cyber warfare. About three years later the public started gaining visibility into the high level of cyber activity among governments, including attacks launched by the US, Israel, China, North Korea, Gaza and Iran. Cyber warfare has now become a fact of life, and a critical component of most military missions. Those nations with the best capabilities enjoy strategic advantages at a tiny fraction of the price paid by conventional militants in money and lives. Cyber warriors have emerged from the closet, as governments scramble to legislate and negotiate the rules of engagement for private companies, law enforcement, intelligence agencies, and the military. Based on trending military budgets in the US, for example, cyber startups will likely command an increasing share of the US defense industry.\u003C\/p\u003E\n\u003Cp\u003EGovernment networks require an \u201cactive defense\u201d which includes a broad range of defensive and offensive capabilities, since attribution and retaliation are necessary for deterrence. 
\u003Ca href=\u0022\/node\/1449\u0022 target=\u0022_blank\u0022\u003EThreatTrack\u003C\/a\u003E and \u003Ca href=\u0022\/node\/1488\u0022 target=\u0022_blank\u0022\u003EInternet Identity\u003C\/a\u003E are examples of BVP-funded active-defense companies that focused initially on US Homeland Security. Another exciting one is Endgame Systems, whose directors include industry luminaries like ISS founder Tom Noonan and General Ken Minihan, former NSA Director. BVP is the largest shareholder in Endgame, and BVP Operating Partner Nathaniel Fick joined the company as CEO.\u003C\/p\u003E\n\u003Cp\u003EThe following section on Advanced Persistent Threats describes the impact of cyber warfare on businesses.\u003C\/p\u003E\n\u003Ch3\u003EAdvanced Persistent Threats\u003C\/h3\u003E\n\u003Cp\u003ENations have marshaled resources and highly sophisticated cyber techniques previously unavailable to hackers, developing the capabilities to specifically target any foreign agency, business or individual in order to steal information or disrupt operations. Instead of simply developing generic malware, they launch \u201cmanned missions\u201d into enemy networks, remotely directing a campaign over weeks, months or years to worm their way from server to server, hunting for the crown jewels.\u003C\/p\u003E\n\u003Cp\u003EThis patient, expensive and sophisticated approach to cyber conflict transformed both warfare and network security in general. Not only are nations attacking businesses and individuals (e.g. the North Korean attack on Sony, or the Iranian DDoS attack on Bank of America), but the offensive skills and techniques have migrated into criminal organizations. Governments, hacktivists and criminals now target the crown jewels of any business, such as product designs, embarrassing emails, financial reports, employee data, and customer credit cards.\u003C\/p\u003E\n\u003Cp\u003EThe private sector is completely unprepared for this threat. 
For two decades now we\u2019ve fortified network perimeters with firewalls, Intrusion Detection Systems and Malware filters to deflect malicious sessions, traffic and applications. We all ran the same anti-virus software, updated daily to prevent the equivalent of the common cold \u2013 annoying infections that might display ads, run spam bots, or crash our hard drives. We\u2019ve relied on black lists and bot behaviors, which work well against generic malware, but not the targeted, zero-day, manned missions that have come to be called Advanced Persistent Threats (APTs).\u003C\/p\u003E\n\u003Cp\u003EAPTs are smarter. Their IP addresses and custom malware show up on no black lists. All it takes is a re-used password from a breached web site or one employee\u2019s click on the wrong hyperlink in a search result, tweet, or email for the campaign to begin, and once inside the enemy network, a manned mission will stealthily find its mark, inflicting damage far worse than common cold malware. JP Morgan, Sony, Target and Home Depot lost hundreds of millions of dollars from direct losses, forensic and remediation expenses, lawsuits, fines, and diminished brand.\u003C\/p\u003E\n\u003Cp\u003EIronically, businesses today have too much security infrastructure, spewing out so many alerts that most of them elude investigation. A recent \u003Ca href=\u0022http:\/\/arstechnica.com\/security\/2015\/01\/survey-says-security-products-waste-our-time\/\u0022 target=\u0022_blank\u0022\u003Estudy\u003C\/a\u003E showed that security teams on average can investigate only 4% of the 17,000 alerts they see every week. \u201cAll of these security products are spitting out more alerts than humans have time to deal with,\u201d observed Damballa\u2019s CTO Brian Foster. 
\u201cAnd at the end of the day, if your software is overwhelming the analysts, you are part of the problem, not part of the solution.\u201d\u003C\/p\u003E\n\u003Cp\u003EWe need a new generation of security services and technology that incorporate cyber ops expertise and counter-intelligence to focus security analysts on the important alerts. Internet Identity provides personalized alerts based on threat indicators at similar companies, and iSIGHT Partners provides customized intel to highlight alerts from the most dangerous adversaries.\u003C\/p\u003E\n\u003Cp\u003E\u003Cu\u003E\u003Cem\u003EFurther Reading:\u003C\/em\u003E\u003C\/u\u003E\u003C\/p\u003E\n\u003Cul\u003E\u003Cli\u003Eabout APTs: \u003Ca href=\u0022http:\/\/www.bvp.com\/blog\/failure-cyber-security-and-startups-who-will-save-us\u0022 target=\u0022_blank\u0022\u003EThe Failure of Cyber Security and the Startups Who Will Save Us\u003C\/a\u003E\u003C\/li\u003E\n\u003C\/ul\u003E\u003Ch3\u003ESecurity for Developers\u003C\/h3\u003E\n\u003Cp\u003ESince 2007 BVP has had an active practice investing in the Developer Economy, funding startups that deliver functionality in the form of APIs. This practice has informed our Cyber practice as well. Application developers now appreciate that trust is a necessary component of any application, even though they lack the time and expertise to code modules such as secure logins, encryption, access rights and fraud prevention.\u003C\/p\u003E\n\u003Cp\u003ERecently we funded Auth0, whose API handles all the security and complexity associated with user logins, such as multi-factor authentication and integration with an enterprise\u2019s Active Directory credentials. 
We look forward to funding other security startups focused on developer needs.\u003C\/p\u003E\n\u003Cp\u003ERead more about this opportunity at \u003Ca href=\u0022http:\/\/www.bvp.com\/blog\/developer-love-signal-bvp%E2%80%99s-investment-auth0\u0022 target=\u0022_blank\u0022\u003EDeveloper Love: The Signal for BVP\u2019s Investment in Auth0\u003C\/a\u003E.\u003C\/p\u003E\n\u003Ch3\u003ESecurity for Startups\u003C\/h3\u003E\n\u003Cp\u003ETrust is now a critical part of any new application or service, and even startups need to safeguard employee data, financial reports, and IP. Practically speaking, how can startups with limited resources and intense product focus incorporate cyber security into their operations?\u003C\/p\u003E\n\u003Cp\u003EBVP has also invested in Spire Global, which operates the largest general-purpose cubesat constellation in space. Spire Global\u2019s constellation includes dozens of Lemurs with sensors that track ships, planes and weather.\u003C\/p\u003E\n\u003Cp\u003EBVP has surveyed over a dozen CTOs and CISOs to synthesize the most recommended guidelines for entrepreneurs. We invite you to start fortifying your venture by downloading our white paper \u003Ca href=\u0022http:\/\/clearslide.com\/view\/mail?iID=N9LMR7HUW6KF3HFVLDAJ\u0022 target=\u0022_blank\u0022\u003ESecurity for Startups: The Affordable Ten Step Plan to Surviving in Cyberspace\u003C\/a\u003E.\u003C\/p\u003E\n\u003Cp style=\u0022text-align:center\u0022\u003E\u003Ca href=\u0022http:\/\/clearslide.com\/view\/mail?iID=N9LMR7HUW6KF3HFVLDAJ\u0022 target=\u0022_blank\u0022\u003E\u003Cimg alt=\u0022\u0022 src=\u0022\/sites\/default\/files\/legacy_files\/img\/cybersecurity.jpg\u0022 style=\u0022width:635px; height:774px\u0022 \/\u003E\u003C\/a\u003E\u003C\/p\u003E\n\u003C\/div\u003E\n\n \n \u003C\/div\u003E\n\n\u003C\/div\u003E"}]