The rash of headline-grabbing cyberattacks on major companies over the past few years has made one thing abundantly clear: it’s not enough to rely only on traditional security tools. To venture capitalists, that means there’s money to be made by betting on startups developing new ones.
VCs are hoping to get a piece of companies’ increased spending on cybersecurity. In 2014 Gregg Steinhafel, the CEO of Target, became the first head of a major company to lose his job over a data breach. Now, worried company leaders are giving their security units a “blank check,” says Scott Weiss, a general partner who specializes in security at the venture capital firm Andreessen Horowitz: “The CEO has said, ‘Look, whatever you need, you’ve got.’”
Today’s advanced threats are much too sophisticated for traditional tools like antivirus software and firewalls. Not wanting to buy obsolete products, security executives are increasingly venturing into agreements with cybersecurity startups. To Weiss and other venture investors, that kind of customer demand is an investment opportunity. According to CB Insights, the global VC community poured a record $2.5 billion into cybersecurity companies in 2014, a strong year for IT startups in general and software in particular. Security companies raised another $3.3 billion in 2015.
The problems these startups are trying to solve are complex. The bad guys do have better weapons, but business systems are also becoming vulnerable in new ways. Businesses are relying more on cloud services and connecting more “things” to the Internet, and their employees are using more connected devices.
Before a few years ago, the conventional approach to security entailed basically building a wall around valuable data and using software to detect known signatures of malicious code. Then security researchers began finding extremely complex malware, derived from government-designed exploits and sophisticated enough to circumvent traditional antivirus tools. This new generation of malware can be custom-built for a specific network and more precisely controlled by its human operators.
Dealing with such specialized, fast-evolving adversaries requires changing the security paradigm from prevention to “active cyberdefense,” says Nicole Eagan, CEO of Darktrace, a two-year-old company based in Cambridge, United Kingdom. Hackers are going to get in, so the trick now is to find them “in near real time as they are moving subtly and silently around your network” and catch them before they do any real damage, she says.
A number of companies, taking a range of different approaches, promise that their detection technologies can do this. Darktrace, which has raised $110 million in VC funding, relies on advanced machine-learning technology to analyze raw network traffic and, as Eagan explains, “determine a baseline for what’s normal” for every person using the network so that it can detect abnormal behavior.
Not only are the threats more numerous and advanced, but companies must also secure networks that are growing more complex and massive. Every device on a network is a potential target for hackers, and new security technologies focused on them are getting lots of attention from investors.
A company called Tanium, which is now valued at $3.5 billion after its most recent round of VC investment, has technology that allows network operators to ask questions about what’s happening in any one of millions of devices on a network. They get an answer within 15 seconds and can quickly take action—for example, by quarantining an infected computer.
Security investors are also focused on the fact that businesses and organizations are putting more and more data in the cloud. In response to this trend, a new breed of cloud security companies are offering services such as novel encryption schemes and technologies for continuously monitoring what goes on in a company’s cloud servers.
With so much funding available, the burgeoning cybersecurity startup scene is chaotic. Greg Dracon, a partner at .406 Ventures who has invested in several security companies, thinks a consolidation cycle may already be starting. Bigger companies are buying up individual technologies and could eventually offer suites of products, he says.
Dracon thinks all this investor attention is driving prices too high overall, and that the market has gotten ahead of itself, at least for the near term. However, the security market itself has another decade of growth at least, he believes. “The problem set is outpacing the solution set,” he says, “and I don’t think there’s any end in sight to that.”