Innovations In Cybersecurity At RSA 2016

At the 25th RSA 2016, it will be the year of Security + Machine Learning + Artificial Intelligence.

With global cyber spending expected to reach $170 billion by 2020, startups & legacy companies alike will be competing for this ever growing pie. And thanks to Obama’s latest push for $14 billion in new Federal spending on cybersecurity, even defense contractors like Raytheon, Lockheed Martin and General Dynamics want a seat at the table in this new arms race.

According to McKinsey, 74% of enterprise security spend is via procuring tools, technologies and services from outside vendors. New security solutions (possibly old wine in new bottle) is now available for automotive / autonomous vehicles/ drones / IoT / SCADA Systems and even hospital infusion pumps.

(Source: Beyond Cybersecurity - Protecting your digital assets by James Kaplan et al, McKinsey & Company - Wiley, 2015)

(Source: Beyond Cybersecurity – Protecting your digital assets by James Kaplan et al, McKinsey & Company – Wiley, 2015)

Over 500 cybersecurity exhibitors will be at Moscone Exhibition Center in San Francisco starting next week. A quick snapshot of exhibitors shows that DataSec (data security) is new wave. Data security means everything to everybody so let’s look at market pain points instead.

 RSA 2016 Exhibitors

Security markets can be tiered in a few categories, depending on the buyer’s and the budget. Let’s start at the top.

Pain points for “C” level executives / board room: Executives do not always understand the technicalities of a DDOS attack, PCAP, ML or east-west traffic. These bits and bytes are best understood by the heroes of this game. But executives understand risk, liability and budgets.

Companies that focus on helping executives understand their risk clearly will benefit from the growing spend. Companies like Bitsight and  Security Scorecard offer security ratings to assess risk posture. But what about the alleyways of the dark web? What threats lurk beneath?  Domenic Perri, VP Business Development, Flashpoint Intel says “The Deep & Dark Web is vast underground, where professional threat actors plot campaigns that can impact any company, executives and customers.

Here, criminals and hacktivists are able to find the skill sets, people, and tools they need to conduct wide-reaching campaigns against a brand for financial or political gains. Enterprises must see beyond Surface Web and social media searches, if they want to protect themselves against the threats actively being planned.” Darkweb hacktivism can impact major brands, financial institutions and all those who have the potential to cause ire to the hacktivists.

To take advantage of this opportunity,  iSight Partners was snagged by Fireye for $275 million recently. Board level tools to assess risk will evolve rapidly over the next few years. And the CISO will be the point person to bridge the business side with the technical.

Pain points for the CISO – Cloud and IoT:  For some CISOs, a big challenge is to stop being technologists and start being executives. This is a mind-shift that most techies hate – the world of people, politics, money is a messy world. Yet to be able to address the board of directors on security risks call for this mind-shift.

Automation and Machine Learning (ML) may be the RSA 2016 theme but ML has some ways to go. Vishwas Manral, CEO of NanoSec says “ML tools still not precise enough to be used broadly for security without human intervention. Security tools can become more precise by using models such as Deep Neural Networks. Enhancing ML results with multiple different sources of knowledge is necessary.”

Audits & compliance come first and beyond these are administration, setting policies, tracking and control of the environment. One of the reasons why Illumio has achieved such rapid growth is because of its ability to offer visibility and compliance. Having raised over $100 million, it’s a rare unicorn in the security arena with investors like A16Z, Accel, Formation8 and Data Collective.

The smart and delightfully crazy Securosis team is offering “aspirin-as-a-service” at their Disaster Recovery breakfast. A new category has thus been created!  At RSA 2016, all bleary eyed and hungover will have non-prescription solutions. But Securoris is planning a new offering in Cloud Security Automation – if I had a farm, I’d bet on them.

These guys know what they are doing. Speaking of automation, automated hacking is on the rise and thus, automated protection will soon follow. As the attack surface grows with IoT, we will see some Mobile and Endpoint security offerings morph to take advantage of this market opportunity. Bastille Networks and Zingbox are taking a shot at the Enterprise IoT with different approaches, while Cujo and Dojo are not my pet pigs pictured, but consumer IoT startups.

Picture caption: Got Iot? Not Cujo nor Dojo - just two happy pigs (Picture Credit - Anastasia Van Wingerden)

Picture caption: Got Iot? Not Cujo nor Dojo – just two happy pigs (Picture Credit – Anastasia Van Wingerden)


Thwarting intruders via deception networks (or the nextgen Honeypots) has also attracted attention from leading VCs.  Illusive Networks (backed by NEA), TrapX (backed by Intel Capital) and Cymmetria (YC alum, backed by Sherpa Ventures) are a few that are aiming to be the category killers in this landscape.

Pain points for developers:

Former CEO of Microsoft, Steve Ballmer expressed his love for developers in a very unique manner. But at RSA, we ain’t be seeing such ‘developers developers’ chants of  love yet. Classical security companies can ignore this rapidly growing audience to their own peril. Of course, this audience does not tolerate the usual sales /BS tactics, can see through vaporware and demands a very high standard.

So the rest of the industry needs to catch up. Budgets are a challenge and buying power can be questioned, but these are the early adopters. Those cut from the same cloth are making the most of this opportunity. 

AppSec, DevSecOps & Container Security: Appsec solutions that drive speed without compromising security are on the rise. Andrew Petersen, CEO of Signal Sciences (backed by Index Ventures) was frustrated. At Etsy, he and his team tried to find some existing solutions that would enable security without compromising speed.

No good solutions existed.  They engineered their own in-house solutions and shared it with the world. The feedback was rich, indicative of pen-up demand and Signal Sciences was born. “With the rise of agile development and the devops movement, security teams must evolve both culturally and technologically.

There’s not an engineering team on the planet that’s doesn’t have the goal of deploying their applications faster. The challenge for security teams is to enable rapid deployment, not slow it down.  DevOps teams care more than ever about security and are involved in both selection and implementation of security tools.

Application security solutions that don’t address all of these constituents will not get adopted” he says.  Indeed, cloudsecurity startup (backed by True Ventures, Bain Capital) announced the marriage of DevOps and SecOps – we celebrated this new era of security. There is no SecDevOps exhibitor category at RSA yet but this is a growing pain in the market.

This audience also cares about container security, which aims to address kernel exploits, breakouts, compromised secrets and poisoned images. Container security startup  Stackrox co-founder Sameer Bhalotra will be speaking at RSA 2016 on futuristic panel “Cybersecurity in 2020.” Innovators to watch in this space include Scalock & Twistlock and of course, the big boys – Docker Content Trust and CoreOs Tectonic.

Security for Big Data: Cloudera and Hortonworks have built identity / authentication and encryption solutions. Access control, Code-signing, Governance and encryption are ongoing challenges with new solutions under various stages of development.

Pratik Verma, Founder of Blue Talon (backed by Data Collective) says “Rapid, organic evolution of the data ecosystem makes it really difficult for businesses to specify what data should be protected.  Security teams cannot become data scientists overnight. And with security controls siloed in different parts of the data stacks,  this problem can become intractable. Decisions like “who can do what with which data” should be made easily. Centralized enforcement with clarity on protection of data in use can make their life a lot easier.”

What about Blockchain: RSA 2016 underestimates the impact blockchain could have on the world of security.  Chris Finan, Co-founder and CEO of Manifold Technology is bringing private blockchain to financial universe. He says “The potential for blockchain in the financial universe will impact multi-signature contracts, real time APIs to assess financial health, ledger for recording all transactions. This can lead to innovation in areas like crypto, key management, identity and access management.”

The Final word – Innovate or die/go private: 2016 could well be the last year of Symantec as public company. If Silverlake puts $500 million in Symantec, closely followed by an investment from activist investor Elliott Management, the writing’s on the wall.  Thank you, Symantec – it’s been a great run. Even as we approach the biggest spend increase in cyber security, you missed the boat. Which is OK. We need to make some room for the new!