Boston Startups Combat New Threats in Cybersecurity “War Zone”
Ed Davis doesn’t look like he would be fazed by anything. The former commissioner of the Boston Police Department has seen the kind of horrors he can’t erase from his mind—including the Boston Marathon bombing and its aftermath—but he has moved on.
Now, a new type of threat has crept into his psyche. This one is more virtual in its approach, but the danger is as real as it gets. Davis runs a security consulting firm, and his clients—which include governments, healthcare organizations, and entertainment venues—tend to ask him about physical security. But then they quickly switch to the topic du jour.
“Their second question is, ‘What do you know about cyber?’” he says.
Davis, for one, has been learning a lot about the topic. His experience reflects what many experts already know—that cybersecurity is one of the grand challenges of our time, and it touches almost every industry. The field presents huge problems, of course, but it also holds opportunities for technology, business, and education leaders in New England and beyond.
The Boston area has amassed a great deal of expertise, making it one of the world’s top cybersecurity clusters, along with the San Francisco Bay Area, Washington, DC, and Tel Aviv. A snapshot of local security-related companies (see this map and list) shows they are advancing everything from ways to monitor networks and detect threats, to tools for analyzing and responding to breaches, to techniques for recovering data. Many are working on newer approaches—using machine learning, visualization tools, sensors, and cloud-based environments—to try to help customers develop a more unified security strategy.
One common theme: with the rise of attacks like ransomware—in which hackers hold an organization’s data or assets hostage until they are paid off—the lines between different types of security threats seem to be blurring.
Indeed, Davis points to what he calls a “convergence” of cyber and physical security. A hacker behind a laptop can shut down traffic to websites; so could someone who pours gasoline on an Internet hub’s physical location and sets it on fire, he says. But now, a hacker could also take control of a connected car—or worse—and demand a credit card number before unlocking it.
“The world is really changing for us,” Davis says.
A few years ago, a hacked computer system might disable IT operations or Internet traffic. Today, it could take down a transportation system, energy grid, or hospital network, causing chaos and potentially endangering lives. That’s in part because of the proliferation of connected devices and systems—anything with a chip that can communicate with a wireless network. Think phones, tablets, and watches, but also cars, thermostats, and faucets (yes, faucets) that connect to Wi-Fi or other networks. Any device could be a target, or act as a conduit to other targets or data.
The bad news is the problem is getting worse, fast. “Information technology is now moving into everything,” says Steve MacLellan, a 26-year veteran of Fidelity Investments, where he was senior vice president of security solutions and architecture. (He now advises and invests in security startups.)
MacLellan and other security experts at institutions ranging from Intel to Raytheon already see major threats to critical infrastructure worldwide such as water, gas, and electrical systems, as well as financial, insurance, and healthcare organizations.
What is needed are new approaches to combat hackers and recover from attacks. “In the past, people were thinking about security as part of an IT program—you have a virus on the machine, so you need to clean it,” says Lior Div, CEO and co-founder of Cybereason, a security-tech startup based in Boston and Tel Aviv. “Now there’s malware, but someone is behind it. You need to understand the tactics and techniques they’re using. It’s a completely different mentality—it’s a war zone.”
New Dollars, New Tech
Along with the societal stakes, investment in cybersecurity companies has been growing fast, according to data from CB Insights (see graph). In 2011, globally, there were 166 venture deals in security, for a total of $1.14 billion. In 2015, the number of deals doubled to 332, and the dollars invested more than tripled to $3.83 billion, with steady growth in both categories over the five years. (The great majority of companies in the study—77 percent—were based in the U.S.)
An Xconomy survey shows Boston-area cyber companies have raised at least $1.7 billion in total investment (counting only those that are independent and privately held). And the list of locally based companies that have raised money in 2016 includes Carbon Black, EiQ Networks, Hexadite, Lexumo, and Threat Stack. Those investment deals have totaled north of $50 million.
While the sector is seeing some hype, it’s also going through consolidation. Massachusetts-born Bit9 bought Carbon Black (based in Texas) in 2014 to expand its offerings; the merged company, one of Boston’s biggest in security, is now called Carbon Black. Late last year, Waltham, MA-based Digital Guardian bought Code Green Networks, a data-security firm in Silicon Valley. And in February, IBM Security acquired Resilient Systems, a 100-person startup in Cambridge, MA, focused on incident response.
Meanwhile, Rapid7 and Mimecast were the Boston area’s only tech-related IPOs in the past year, raising about $103 million and $78 million, respectively. Rapid7 is known for its suite of cybersecurity products, while Mimecast (based in London with North American headquarters in the Boston area) specializes in e-mail management and security.
Investors see a lot of noise in the sector. “Security is this gigantic spider web of point solutions. But at some point they need to be consolidated,” says Greg Dracon, a partner at .406 Ventures, which has invested in a number of cybersecurity startups. “A lot of companies are getting funded that can’t be standalone companies.”
It’s hard to verify, but the general sense is that most security-tech companies aren’t making money. Venture-backed startups tend to build for growth, not profitability. “The market wants cutting-edge solutions, but for a new company to cut through the noise and be able to sell, this is a huge jump,” Div says.
Div’s startup, Cybereason, seems to be gaining some traction. Founded in 2012, the 110-person company has secured several big customers, including SoftBank and Lockheed Martin. Cybereason has raised about $90 million in venture capital, making it one of the better-funded tech startups in the region. (Its investors include CRV, Spark Capital, SoftBank, and Lockheed Martin.)
It has gotten there by pushing a new approach. The company’s technology creates a deep statistical model of what normal operations look like in an organization—how files, machines, and users are related, for example, and who uses what, when. Then it tries to detect “malicious operations” in progress and suggest ways to stop them. Using machine learning, it tries to adapt to new hacking behaviors and anomalous activity—and it also tries to help customers visualize the full scope of an attack.
Div says in the past year his company has discovered more than 10 “full-blown attacks,” involving what’s known as advanced persistent threats and adversaries on the other side (some of them previously unknown). He says he’s hearing about ransomware from every customer. “The first [case], we managed to find it and stop it, and we didn’t know it was ransomware. We found it by behavioral analysis,” he says.
And that’s a key to stopping future attacks: defense systems need to be adaptive and resilient. “Companies are still thinking about it as an IT problem,” Div says. Today it’s ransomware, and “tomorrow it will be something else.”
Rogue Devices, Shadow Environments
In the Internet of Things era, that “something else” will have billions more devices to target. Part of the idea of virtual and physical security converging is that all these devices and their networks can get hacked from the real world, not just from behind computers.
Hackers can drop so-called “rogue” devices into a wireless network to gain unauthorized access to private information—passwords, credit card numbers, and so forth—or allow them to connect other devices to the system. And given the phones, tablets, and other gizmos that employees bring to the workplace, it’s getting harder to track all the vulnerabilities in corporate networks (think printers and older devices that don’t get updated, too).
That’s where a company called Pwnie Express comes in. The Boston startup was founded in 2010 by chief technology officer Dave Porcello, who originally developed a device to do penetration testing for his Vermont insurance company’s IT system. Pwnie (pronounced “Pony”) Express now sells portable hardware and software that detects unauthorized or suspicious devices that are on or near a company’s network, and displays any trouble spots on a cloud-based dashboard.
That includes things like keystroke loggers, card skimmers, and anything else that shouldn’t be near a network or access point. The technology acts sort of like a surveillance “video camera for the digital domain,” says .406 Ventures’ Dracon, whose firm was an early investor in the startup. (Pwnie Express appears to have closed $6.9 million in new funding this week, according to a regulatory filing; the company has raised at least $12 million to date.)
As Dracon and others point out, all these vulnerabilities and proposed solutions are causing confusion for customers, who just want their security problem solved, whether it originates from a nearby device or a hacker across the globe.
“There are 1,400 products on the market, and they all do similar things,” says Ernesto DiGiambattista, the CEO and co-founder of Cybric, a Boston security company that’s just ramping up in the crowded market.
Founded last year, Cybric is the latest example of a company trying to unify cybersecurity offerings and help organizations manage their overall security strategy. In a nutshell, the startup is trying to “virtualize” security and separate it from the business operations and software development units of a company—similar in spirit to the virtualization of servers, storage, and operating systems in enterprise IT.
Cybric does this by spinning up a “shadow” environment in the cloud that replicates an organization’s network and processes—everything from source code to perimeter security—and runs tests on that to detect threats, says Andrew Gilman, Cybric’s co-founder and chief operating officer. The startup helps aggregate best-of-breed tools from outside to do the testing. The goal is to be comprehensive and continuous about scanning for vulnerabilities and updating the security system, without disrupting the business, he says.
In theory, a customer could use tools from a Veracode or Black Duck Software, say, to scan code for vulnerabilities, and also use a Rapid7 or IBM Security tool for penetration testing or incident detection. Cybric says it has its own software for those purposes, too. The company notes that it helps customers apply security policies automatically—things like not letting developers merge code until it passes a test. The technology tries to be “adaptive and proactive” about fixing vulnerabilities and ensuring compliance, DiGiambattista says.
It’s still early for the 15-person company, which has raised $1.3 million in seed funding led by Petrillo Capital. Cybric will have to prove that its system really makes it easier for customers to manage their security needs—and that it can help them detect threats and ward them off as effectively as it claims. But there seems to be a need for “security as a service.” And if the company can land some big customers and show that its approach reduces cyber risk, the market could be wide open.
“Security has become a mainstream problem,” Dracon says. “It used to be the only people who cared were in a back closet wearing hoodies. Now, everyone from the office manager up to the chairman of the board are aware of the problem.” He adds, with some understatement, “It’s going to be a big industry over the next decade.”