It’s estimated that there were some 50 billion connected devices globally in 2020, and while that really says a lot about how far we’ve come in tech, for many it also speaks to a big issue: security vulnerabilities, with the devices themselves, plus all the components and services running on them, all potential targets for anything from malicious hackers to not-so-intentional data leaks.
Today, Israeli startup Vdoo — which has been developing AI-based services to detect and fix those kinds of vulnerabilities in IoT devices — is announcing $25 million in funding, money that it plans to use to help it better address the wider issue as it applies to all connected objects.
With its initial focus on large industrial deployments, medical systems, communications infrastructure and automotive, Vdoo also is looking more deeply now at the wider network of devices that use communications chips, providing quick (as in minutes) assessments to identify and remediate or directly fix various issues: it cites zero-day vulnerabilities, CVEs, configuration and hardening issues, and standard incompliances among them.
The funding — an extension to the $32 million round that Vdoo announced in April 2019 — is coming from two investors, Israel’s Qumra Capital and Verizon Ventures (the investing arm of Verizon, which — by way of its acquisition of Aol many years ago — also owns TechCrunch).
Verizon’s interest in Vdoo is strategic and speaks to the opportunity in the market.
As CEO Netanel Davidi (who co-founded the company with Uri Alter and Asaf Karas) describes it, operators like Verizon are interested because of their role as a distributer and reseller of hardware as part of their wider services play, be it for broadband access, or a telematics service or something for the connected home or connected office.
“They sell connected devices to enterprises and home users that are not made by them, yet the carriers are responsible for the security,” he said, “so the solution is to bake that into devices” to make it work more seamlessly, he said.
Verizon is not the startup’s only strategic backer. Others in the first tranche of this round included another carrier, Japan’s NTT Docomo, MS&AD Ventures (the venture arm of the global cyber insurance firm) and Dell Technology Capital, the VC arm of Dell.
The company has now raised around $70 million, and while it’s not disclosing valuation, Davidi confirmed that it has more than doubled this year.
(In April 2019, PitchBook estimated that it was just under $100 million, which would make it now at over $200 million if that figure is accurate.)
Davidi said that the decision to raise this money as an extension to the previous round rather than a new round was strategic: it gave the company the chance to raise funding more quickly, and to take more time to prepare for a bigger funding round in the near future.
And the reason for raising quickly was to address what was a quickly moving target: One of the by-products of the COVID-19 pandemic has been a dramatic shift to people working from home, buying new devices to enable that and in general using their communications networks much more heavily than before.
Connected-device security typically focuses on monitoring activity on the hardware, how data is moving in and out of it. Vdoo’s approach has been to build a platform that monitors the behavior of the devices themselves, using AI to compare that behavior to identify when something is not working as it should.
“For any kind of vulnerability, using deep binary analysis capabilities, we try to understand the broader idea, to figure out how a similar vulnerability can emerge,” is how Davidi described the process when we talked about the first part of this round back in 2019.
Vdoo generates specific “tailor-made on-device micro-agents” to continue the detection and repair process, which Davidi likens to a modern approach to some cancer care: preventive measures such as periodic monitoring checks, followed by a “tailored immunotherapy” based on prior analysis of DNA.
As Davidi described it to me this week, the platform “analyzes the device software, uncovers all of its security flaws, weaknesses, and vulnerabilities, prioritizes them by their criticality, and offers ways to remediate them.” Vdoo’s analysis considers the complete device context and treats several other factors like configuration, OS, drivers, etc. to accurately reflect a holistic view of the device’s security posture. Then, based on the results of the analysis, “it can automatically generate an on-device agent that provides ongoing monitoring and protection.”
Vdoo is a play on the Hebrew word that sounds like “vee-doo” and means “making sure”, and points to the basic idea of how it approaches the verification around its device monitoring. It also feels somewhat like the next step in endpoint security, which was the focus of Davidi and Alter’s previous startup, Cyvera, which was eventually acquired by Palo Alto Networks.
The focus on devices, in some ways, is a significantly more complex approach, given that it’s not just about the device, but the many components that go into them. As we have seen with Meltdown and Spectre, vulnerabilities might exist at the processor level.
And as Davidi pointed out to me this week, at times those issues aren’t even intentional but still mean data can leak out, and at worst that can be exploitable by bad actors.
“Backdoors are being built into many devices, and some are not even intentional,” he said. “It may be that the developer wanted to create a shortcut to make something else easier in the future. Some will see that as a back door, and some will not.”
The fractal-like nature of the issue is what Vdoo is digging into with its widening approach.
“Initially we wanted to serve the ecosystem of manufacturers, since they are the cause of the problem and the origin of the security issues,” he said. “We started there with Fortune 500 customers in areas like automotive and industrial and medical and telco and aviation. The idea was to make a platform that could serve and protect security stakeholders. But then we saw that this was a big unserved market.”
Indeed, Vdoo quotes figures from research firm MarketsandMarkets that forecast that the global device security market will grow to $36.6 billion by 2025 from $12.5 billion in 2020.
“The number of connected IoT devices is rapidly growing, creating greater opportunities for security breaches,” said Boaz Dinte, managing partner of Qumra Capital, in a statement. “Vdoo’s unique device-centric, deep technology automated approach has already brought immediate value to vendors in a very short period of time. We believe the market opportunity is huge, and with newly infused growth capital, Vdoo is well-positioned to become the leading global player for securing connected devices.”
“With the expansion of 5G networks and mobile edge compute, there’s a need for an end-to-end, device-centric security approach to IoT,” added Verizon Ventures MD Tammy Mahn in a statement. “As the venture arm of a leading telco, Verizon Ventures is proud to invest in Vdoo and its world-class team on their journey to solve this global need, while ushering in a new era of security by design in our increasingly connected world.”