Draper Spinout Lexumo Looks to Secure IoT With $4.9M From Boston VCs

Get ready for an onslaught of companies peddling security software for the Internet of Things. It’s not for lack of substance: security experts say the spread of Internet-connected devices exposes major vulnerabilities that can be exploited by hackers.

One of the more serious efforts to combat these threats is called Lexumo. It’s a spinout company from Draper Laboratory—the not-for-profit R&D center next to MIT—and it’s targeting vulnerabilities in open-source software written for connected devices and embedded systems. That means basically anything with a chip in it (think consumer electronics, medical devices, network equipment, factory automation systems).

The Cambridge, MA-based startup says today it has closed $4.89 million in seed funding from Accomplice, .406 Ventures, and Draper. Lexumo’s venture-capital investors have experience with cybersecurity businesses, having backed the likes of Bit9 (now called Carbon Black), Veracode, Threat Stack, and Onapsis.

Lexumo is led by Draper veterans Brad Gaynor, Nathan Shnidman, and Richard Carback—three PhDs with expertise in cybersecurity, big-data analytics, and machine learning. They developed the company’s underlying technology at Draper, and the company was incubated there, with Draper getting an equity stake for its early investment.

“This is a new technology transition model for Draper,” says Gaynor, Lexumo’s CEO. (Draper is best known for providing engineering services and licensing intellectual property, not for investing in spinouts—perhaps that will change.)

What the startup is trying to do is pretty ambitious. As Gaynor explains: “The companies that make embedded devices tend to use a lot of open-source software to bring their products to market quickly, then move on to the next development once a product ships.”

The problem is that open-source software (indeed, any software, but especially open source) tends to develop security flaws over time. “Even when IoT products appear to be secure when they first hit the market, serious security vulnerabilities are often discovered later,” Gaynor says. That means your connected thermostat, kitchen faucet, or mobile device could potentially be hacked and become a conduit to all sorts of information—personal, corporate, or critical network infrastructure.

Brad Gaynor

Brad Gaynor

Lexumo’s approach is to “continuously index all of the world’s open-source code and identify open-source components in your code,” Gaynor says. In an automated way, the company’s cloud-based software platform tries to “keep products secure by identifying and helping eliminate security vulnerabilities from early development through a product’s end of life,” he says.

That sounds like a very hard problem—finding vulnerabilities at their root by matching them to what’s out in the world—and it requires Google-like indexed search capabilities, big-data analysis techniques, and proper communication and integration with developers. It will all depend on how well the technology works, of course, but Gaynor says Lexumo’s techniques are “much more granular and accurate than traditional approaches which rely on identifying vulnerable components based on metadata such as version strings and component names.”

Some people may think IoT security is a business problem for down the road. But Lexumo sees the market as here and now. “Our cloud platform serves the needs of IoT and embedded device manufacturers today,” Gaynor says, “and our early access customers are primarily in the IoT and embedded-device spaces.”

Lexumo is also going after the enterprise applications market—“especially those where the applications are Web facing and there is a constantly evolving attack surface as new vulnerabilities are found in open-source components,” Gaynor says. The enterprise market overlaps with that of some bigger software security companies like Veracode and Black Duck, though the methods are different.

On the Internet of Things side, you can name a security startup for almost every letter of the alphabet: Attify, Bastille, CyberCanary, and so on. But most of these companies have very different approaches as compared with Lexumo. (As for Lexumo’s name: Gaynor says it is loosely connected to the Latin roots for “code” and “fix.” Fair enough.)

Lexumo has four employees and says it’s looking to grow to 15 people this year. Gaynor and his team have been working on the underlying technology for three-plus years, and they are in the midst of trials with early-access partners, he says. The company is targeting a general release at the end of the first quarter.

Trending on Xconomy