Some of the brightest minds in security have hitched their wagons to new companies in recent months, and Dark Reading has come up with 10 of the hottest.
We mostly looked for the newest of the newbies -- those with promising tools and leaders with the potential to take their products to the next level. In fact, some of the names behind these startups are practically security brand names themselves -- HD Moore, Merrick Furst, David Dagon, Christien Rioux, Dave Jevans, Chris Wysopal, Halvar Flake, Robert Graham, and David Maynor.
These new companies give us fresh hope for finally inflicting some pain on botnets, making online banking safer, vetting security and network tools, and storing and securing files in inconspicuous slices -- as well as for injecting new life into the security market.
We didn't rank them, nor are we deluded enough to think these are the only hot startups out there. So if you think there are others who deserve a look, tell us about them via our message board.
And now it's time to meet the new faces of security (in alphabetical order): Agiliance, Armored Online, BreakingPoint Systems, Cleversafe, Damballa, Errata Security, IronKey, Provision Networks, Sabre Security, and Veracode.
Agiliance
Combine a dashboard GUI with compliance management and you get something along the lines of Agiliance Inc., a Mountain View, Calif.-based startup that launched its first product at the end of last year.
Actually, the company fancies itself as having integrated compliance, risk management, and governance, so companies know just how well (or badly) they're doing vis-à-vis Sarbanes-Oxley or HIPAA requirements.
Agiliance's IT GRC software lets users define their policies up front, using whatever framework they like -- COBIT, ISO or IEC, or NIST if you're a government agency, says vice president of marketing Anil Gupta. "Once you've defined them, our software then does two things: It allows assessments to see if you're in compliance, and also allows you to figure out your risk level."
The business case for IT GRC boils down to three related issues, according to Agiliance. First, it's no secret that state and federal regulations for data privacy and archiving are on the rise. Secondly, threats and vulnerabilities -- internal and external -- show no signs of abating. And finally, managing all of this requires oversight and accountability, or what's come to be known in MBA circles as "governance." IT GRC is supposed to pull all of that together.
"Many companies do risk assessment manually, which limits the number of assets you can evaluate and the frequency with which you can do it," Gupta says.
Agiliance is not quite two years old, having received $3 million in its first round of funding in August 2005. In October 2006, Walden International and Red Rock Ventures invested $6.5 million, with Intel Capital adding $1 million at the same time.
Since then, the startup has landed six customers willing to pony up the $100,000+ (basic configuration) for the IT GRC. Gupta won't name names, but says they're in the Fortune 1000, either in financial services or high-tech. There are also partnerships with unnamed auditors.
In addition to building out its direct sales force in North America, the company's also got its eye on European and Asian expansion, Gupta adds. Clearly, the need for compliance controls and governance tools isn't bound by geography.
Armored Online
What if you could build a private Web connection to your customers and partners -- one that Internet hackers couldn't easily touch? It's not such a far-fetched idea: In fact, you can test-drive the technology right now through a startup called Armored Online.
Armored Online is helping banks -- and soon, other enterprises -- set up one-to-one, secure email and browser services for their customers. The company offers software that creates a closed link between the enterprise and the end user -- a "private channel," officials say.
A privately-held startup just beginning to emerge from stealth mode, Armored Online is initially targeting the banking and financial services industry, where phishing and man-in-the-middle attacks have caused some customers to lose their trust in online transactions. But the company's software and services could eventually be used to create a trusted link between any enterprise and its end users, partners, or customers.
"We want to tackle the phishing problem first, particularly in the banking and financial services space," says Joe Sowerby, CEO of Armored Online.
In a nutshell, Armored Online is providing enterprises with services and software that allow them to distribute a secure client to their end users. The client includes email encryption via PKI, a hardened browser that works via SSL, digital signatures, digital certificates, and out-of-band authorization and authentication. The client software, which can be distributed over a standard Web connection, can interface only with the servers and applications owned by the enterprise.
The secure connection enables banks and other institutions to exchange email with customers, or conduct secure Web sessions that don't use public email or off-the-shelf browsers, making it much more difficult for phishers or attackers to insinuate themselves into communications between the company and the customer, Armored Online says.
"The public email system has become a polluted river," Sowerby says. "So what we're doing is digging a well."
Under Armored Online, customers will download a "small" application that will reside on their desktops for interaction with their bank or other supplier, Sowerby says. By clicking on an icon, they invoke all of the secure applications, ensuring that their communication with that institution is encrypted and secured.
With the Armored Online service, banks will have the advantage of using the Internet for widespread access and software deployment, but the new software will enable them to create a one-to-one connection with the customer, Sowerby notes. The company still hasn't publicly released pricing for its products, but test-drives are available.
BreakingPoint Systems
This is not your father's network analyzer or pen-test tool vendor. Austin, Tex.-based BreakingPoint Systems sells a combination network and security testing appliance that was built for speed, power, and user friendliness. Still, the company so far is best known for its in-house security rock star and director of security research, HD Moore. (See Startup Launches Breakout Testing Tool.)
"HD makes security hot. Everybody wants to take him to the prom," says Dennis Cox, BreakingPoint's CTO and formerly the director of engineering at TippingPoint.
Moore, who is also developer of the wildly popular open-source Metasploit tool, says Metasploit gave him the inspiration for the BPS-1000's exploit features, but the commercial tool takes it to a whole other level, with zero-day exploits and way more options and features.
BreakingPoint, which launched in the fall of 2005 but didn't start shipping products until this month, is not just a pure security company, however. "There's more than just the security aspect. We are a testing company," Cox says. The new BPS-1000 conducts performance, integrity, and security testing of the network and network devices. Unlike traditional penetration testing tools, it doesn't actually exploit systems, and it tests both sides of a connection.
Cox says the company's initial customers -- a combination of networking and security vendors and enterprises -- all have given the same basic feedback: "They've asked for a million [new] features, but they say if we change the UI [user interface], they won't like it," he says. "So we can't change the way it looks... They buy it because it's easy to use."
He admits it's been a bit intimidating running up against competitors that dwarf BreakingPoint, which has over 30 employees right now. "They may have a lot of bodies, but we move a lot quicker and have a lot of legroom and no distractions," Cox says.
Look for BreakingPoint to pump an additional 50 or so attacks a week into the appliance, which would dwarf any of its fat-cat competitors. "It's not going to be like anything you've seen before," he promises. "And we're going to go deep on fuzzing... Every week, we'll add multiple protocol fuzzers to the product."
This strategy hasn't been lost on industry analysts. "BreakingPoint hopes to crush [its competition] by combining its competence in different testing disciplines including fuzzing, penetration testing, and security assessment," says Nick Selby, senior analyst and director of the enterprise security practice at The 451 Group. "If the product does what it claims, it promises to change what we think of the fuzzing/testing appliance marketplace."
But whether mainstream enterprises are really interested in this type of testing is unclear, says Mike Rothman, president and principal analyst with Security Incite. "This focus on stretching the attack surface feels like a niche to me," perhaps for large network and systems providers and carriers.
Cleversafe
They say the more places you leave things, the more likely you are to suffer loss or theft. But just don't expect to win that argument with Cleversafe CEO Chris Gladwin.
His company champions a cross between grid computing and virtualization, using a technique called information dispersal. With an 11-node worldwide network called the Cleversafe Dispersed Storage Project, client software disassembles data into "slices," which are then compressed, encrypted, and stored on multiple computers, disk arrays, or workstations. The same client software retrieves the data, using fragments. If one system in the dispersal network goes down, the data can still be regenerated from the remaining parts -- making security stronger than in other kinds of grids.
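The slice-and-regenerate idea described above, as an added example that is not Cleversafe's code: it uses a single XOR parity slice (a simpler stand-in for a real dispersal algorithm, tolerating one lost or corrupted slice), assumes the client keeps a SHA-256 digest of every slice, and leaves out the encryption step to stay within the Python standard library. The names `disperse` and `regenerate` are hypothetical.

```python
import hashlib
import zlib
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length slices."""
    return bytes(x ^ y for x, y in zip(a, b))


def disperse(data: bytes, k: int) -> dict:
    """Compress data, cut it into k equal slices, and add one parity slice.

    Returns the k + 1 slices (one per storage node) plus the digests the
    client keeps locally (an assumption of this example) to verify them.
    """
    packed = zlib.compress(data)
    # Length prefix so the zero padding can be stripped on retrieval.
    framed = len(packed).to_bytes(4, "big") + packed
    size = -(-len(framed) // k)  # ceiling division
    framed = framed.ljust(size * k, b"\0")
    slices = [framed[i * size:(i + 1) * size] for i in range(k)]
    slices.append(reduce(_xor, slices))  # parity = XOR of all data slices
    digests = [hashlib.sha256(s).hexdigest() for s in slices]
    return {"k": k, "slices": slices, "digests": digests}


def regenerate(k: int, slices: list, digests: list) -> bytes:
    """Rebuild the original data from the slices that can be fetched.

    A slice is None when its node is down. A slice whose digest does not
    match is treated as lost too, so a tampered node cannot poison the result.
    """
    usable = []
    for s, d in zip(slices, digests):
        intact = s is not None and hashlib.sha256(s).hexdigest() == d
        usable.append(s if intact else None)

    missing = [i for i, s in enumerate(usable) if s is None]
    if len(missing) > 1:
        raise ValueError("single parity can rebuild only one lost slice")
    if missing:
        # XOR of all k + 1 slices is zero, so the lost one is the XOR of the rest.
        usable[missing[0]] = reduce(_xor, [s for s in usable if s is not None])

    framed = b"".join(usable[:k])  # the parity slice is not part of the data
    length = int.from_bytes(framed[:4], "big")
    return zlib.decompress(framed[4:4 + length])


if __name__ == "__main__":
    # Constructed sample input, dispersed over 4 data nodes + 1 parity node.
    document = b"constructed sample record; " * 40
    stored = disperse(document, k=4)

    fetched = list(stored["slices"])
    fetched[2] = None  # node 2 is offline
    assert regenerate(4, fetched, stored["digests"]) == document
    print("rebuilt", len(document), "bytes with one node down")
```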
Dispersal has been around since the late '70s, Gladwin says, and scales better than encryption does when you're shoving around lots of data. "Encryption's fine for a file, but for billions of files and used by millions of computers, that's a very different problem than encryption was designed to handle," he says. "Encryption with dispersal eliminates the security problems of transport and storage of data," he says, in a nod to the data-at-rest, data-in-transit issues vendors and users are trying to address.
Besides developing its own network, Cleversafe offers open-source software to enable anyone looking to create their own dispersed storage grid. So far, Cleversafe's seen at least 6,000 downloads, its spokespeople say.
Cleversafe's goal is to spread the word, proving its concept and enlisting service providers. The firm hopes these providers will interact with grids from other providers to create a secured, storage Internet -- with Cleversafe acting as paid helper. "Our focus is on getting the technology started," Gladwin tells sister publication Byte and Switch.
The company won't disclose the amount of its funding, but the founders invested their own money to start the company in 2005. Cleversafe raised an angel round in April 2006, which included funds from tech entrepreneur Casey Cowell. A venture round followed in December 2006, in which Alsop-Louie, New Enterprise Associates, and OCA Venture Partners chipped in.
Damballa
Can botnet armies be stopped? One startup thinks it has found a way.
Damballa, a new venture spun off from research conducted at the Georgia Institute of Technology, is working on products that can recognize the online transmissions used to form botnets. It can tell you which systems are being conscripted, and by what army, so that you can quarantine or reformat them.
The company is doing "a limited number" of engagements with government agencies, ISPs, and a few large enterprises, officials say, but it is ready to offer a test drive to a few more commercial customers.
Named after a powerful voodoo snake god, the startup received $2.5 million in Series A funding last June from several venture capital companies, including Sigma Partners, Noro-Moseley Partners, and Imlay Investments. Damballa has been in stealth mode for more than six months, and if anybody knows exactly how its technology works, they aren't telling yet.
So how can a company that no one knows anything about be one of security's hottest startups? Because it's founded on technology developed by three of the foremost botnet researchers on the planet.
The company is being built on the research conducted by Merrick Furst, an associate dean at Georgia Tech's College of Computing and one of the industry's most widely-recognized researchers on bot behavior. Furst, who is president of the new company, worked with Wenke Lee, an associate professor in the same department, and David Dagon, another well-known bot expert who is also affiliated with Georgia Tech. The founders named a CEO earlier this year: Steve Linowes, who co-founded Web access software developer Encompass in 1999 and later sold it to Yahoo!
Linowes, who has been mostly silent to the press during the company's stealth period, spoke with Dark Reading in a brief interview earlier today. "There's still a lot I can't say about what we're doing and how it works, because we don't want the bad guys to latch on."
Linowes did say the company is offering a product that may be delivered as software only, or as software running on another vendor's hardware. The goal of the product is to identify anomalous traffic that points to botnet formation, and then give users the information they need to quarantine or remediate the involved devices, he says.
"We're not offering proprietary hardware. We will work with the other security tools the user already has in place -- we're not replacing anything they already have," he says.
In an interview with Red Herring last January, Furst noted the rapid rise in bot armies and suggested that about 80 percent of spam is created by botnets. More than 250,000 new machines are conscripted each day, he said.
"We [Damballa] have taken a nonconventional approach," Furst said in the interview. "We studied how these bot armies communicate with each other and the patterns they have. We have been monitoring networks so we can pick up the formation of these armies. Imagine if you could listen in on all the interactions that computers are having and recognize that some of those are about forming a bot army."
Errata Security
Psst: Want a hacker-for-hire? Errata Security, co-founded last fall by former chief scientist for Internet Security Systems (ISS) Robert Graham and former SecureWorks researcher David Maynor (of Apple WiFi hacking fame), sells a vulnerability analysis service called Hacker Eye View, as well as consulting and architecture review services for enterprises and security vendors. (See Startup to Take Measure of Security and Errata Debuts Security Services.)
The two-man company was self-funded by Graham's sale of the BlackICE IPS he built to his former employer. "I earned enough selling that to ISS to fund Errata," says Graham, CEO of Errata. He says the company will eventually solicit venture capital funding, once it has enough customers to "prove the model."
"Without a proven model, VCs take control of most of the company and they will warp your vision to their vision," he says.
And vision is key to Errata -- the hacker's vision, that is. Most of Errata's customers so far are large multinational enterprises that need help prioritizing vulnerabilities -- such as when and if to patch -- but they've seen a surprising uptick in medium-sized companies. "The value-add is that we can tell them when we're auditing a product what a hacker is going to find, and what he'll attack, and where he'll be successful," Maynor says. That's where Errata's independent research comes in handy, he adds.
Errata made a splash both at Black Hat DC and Black Hat Europe recently with its latest research project, Ferret, a tool that "sniffs" traffic flying around an unsecured WiFi network, capturing logons and other embarrassing data from some unsuspecting attendees, and projecting it on a big screen during their presentations. (See Tool Uncovers Inadvertent 'Chatter' and Joke's on Me.)
Graham and Maynor lament the difficulty of juggling their multiple hats in a two-man business. There's the day-to-day business, plus their need to continue conducting independent research to keep their edge. "We were meeting [on Tuesday], and Dave had to drop off and analyze the Microsoft Super Tuesday patches," Graham says. "The upshot is we had to break our meeting short because it's only the two of us."
Their star power certainly helps when they walk into a potential account, Graham acknowledges. "We can walk in and automatically win technical due diligence," he says. "And we're untainted by product sales."
The challenge for Errata is that the vulnerability assessment space is already mighty crowded. But Graham and Maynor say that unlike vuln assessment tool vendors or other security companies, they're a relatively unbiased third-party with no product to peddle -- just their hacker expertise (and their own custom exploits).
"The industry is full of rumors," Graham says. "When we say we research something, we are not reading what everyone else did. We research it independently."
Outsourcing vulnerability research is an interesting concept, says Michael Rothman, president and principal analyst of Security Incite. "It's very time-consuming and expensive to do [your own] top-flight security research."
IronKey
IronKey, a stealth-mode startup, might be the industry's worst-kept secret. But there still are many unanswered questions about the company's product, which is expected to be unveiled very soon.
The company's CEO, Dave Jevans, is a highly-visible industry figure who became well-known as chief marketing officer at messaging security vendor Tumbleweed Communications. His fame led him to become chair of the Anti-Phishing Working Group, which has thrust him even further into the public eye. And a $1.4 million grant from the federal government -- in addition to about $6 million more in venture funding -- makes it clear that IronKey is on to something.
But although IronKey maintains a high profile for a stealth-mode startup, the exact nature of its technology is still unclear. A recent article about Jevans describes the product as a high-speed encrypted flash drive device. A public beta is available on the company's Web site, but we couldn't look at it without agreeing not to disclose what we found, and so far, none of the beta testers has posted anything on the Web.
Alarm:Clock, a high-tech investment site, published the following about IronKey in late January: It would seem to compete with Israel's Yoggie, a mobile security startup that we profiled earlier. Unlike Yoggie, IronKey appears to be 100 percent software. IronKey is a program for encrypting files so that you can safely send them over the Internet. The encrypted file is a self-extracting executable -- your correspondent must run it and enter the right password for decrypting. No crypto software needs to be installed on the receiving side.
With the government grant, it seems clear that IronKey will go after federal customers in its earliest stages. But when the company will roll out a commercial product -- and just what that product will look like -- is still anybody's guess.
Provision Networks
Virtualization. On-demand computing. Hosted desktops. These are all innovations that are available only to large enterprises, right? Surely no vendor could offer a secure, virtualized desktop for a mom-and-pop shop.
Wrong, says startup Provision Networks, which launched a virtual access suite for the SMB market late last fall. A spin-off of reseller Emergent Online, Provision Networks announced the Virtual Access Suite (VAS), an end-to-end solution based on VMware's Virtual Desktop Infrastructure (VDI) framework that converts the PC desktop and applications into on-demand services.
The suite, which is priced at $50 per hosted desktop, is built around the Virtual Access Broker for managing and monitoring virtual machines and handling client connections. It also offers desktop and application publishing and on-demand access to VDI-based desktops and applications using AppPortal.
Provision Networks was launched in 2004 to bring Citrix-like virtualization technology to SMBs. By supporting VMware's VDI and hosted desktop model, the ISV aims to deliver the PC desktop and applications as hosted services to a variety of customers.
"We are changing the way organizations look at VDI," says CEO and founder Paul Ghostine, who also founded Emergent Online. "Not only are we enabling a simpler method for consolidating, provisioning, deploying, and managing desktops and applications, we are transforming the hosted desktop infrastructure into a complete server-based access solution for true enterprise deployment."
The virtualization service helps secure remote desktops through a sophisticated access portal that includes a Web interface and SSL gateway, enabling any PC or thin client to securely connect and access a VAS-enabled Virtual Desktop Infrastructure, Provision Networks says.
One reseller says it sees a strong market for the virtualization technology already. "We have seen overwhelming enterprise demand for hosted desktops," says Christopher Boone, president and CEO of Util-IT, a VAS reseller. "Small and medium businesses were the early adopters of such a service. Now we are seeing demand for our product, from Fortune 100 companies to leading technology companies to smaller businesses."
Sabre Security
Reverse-engineering expert Thomas Dullien, better known as Halvar Flake, wanted nothing to do with venture capital when he launched Sabre Security out of Bochum, Germany, two years ago. And he still steers clear of VC today, which he considers too restrictive.
"We wanted to decide what we want to work on, and we didn't want someone breathing down our neck all the time," he says. "So we preferred to finance ourselves out of the existing cashflow instead." (See X-Ray Vision for Bug Finders.)
That takes some ingenuity. So Dullien last fall applied for and won one of Germany's biggest research prizes -- $100,000 EU -- for Sabre's malware-classification technology, beating out major companies like Siemens, which came in second place. That money has helped seed Sabre's growth, although Dullien admits that growing from product sales and prize money alone doesn't exactly propel rapid growth.
Still, the company now has five full-time employees (plus some part-timers) and is at about a half-million dollars in revenue (including the prize money) as of last year.
Sabre's newest tool, BinNavi, has won over researchers who have called it X-ray vision for finding vulnerabilities in closed-source software. It basically lets them quickly debug and analyze code or malware, with some hot graphics that make inspecting code simple (for techies, anyway). "Our customers are government/military, IPS/IDS vendors, other security researchers, and some financial institutions that deal with phishing trojans," says Dullien, CEO and head of research for Sabre.
The 451 Group's Selby says products like BinNavi -- those that separate the GUI from the debugger -- are likely the next wave in debugging and reverse engineering. "BinNavi lets users graphically trace the paths of executables and do 'what-if' scenarios to determine how divergence from a given pathway would affect things. This is, at the very least, a seriously cool way to look at code."
Sabre is currently working on converting its prize-winning malware classification technology into VxClass, a new product it will release this summer. "VxClass is radical," Selby says. "It promises to let customers -- like banks seeking custom-written banking trojans -- examine files that appear somehow suspicious, but which were not caught by current anti-malware programs."
Veracode
How do you know if that software you just purchased is really secure, and won't blow up your existing apps?
"When you buy software, you're taking on an unknown risk to the operations of the business," says Chris Wysopal, CTO and co-founder of Veracode, a Burlington, Mass.-based application security service provider that came out of stealth mode in January. (See Security Startups Make Debut and Q&A: 'Weld Pond' Talks Secure Software.)
"You wouldn't buy a house without a home inspection," so why would you buy software without a third-party inspection as well, says Wysopal, a.k.a. "Weld Pond" and a former member of the famed hacker group the L0pht and a co-founder of @stake.
Wysopal's company is riding the software-as-a-service wave and has converted software security testing into an automated service as an alternative to heavy tools and in-house or third-party expertise. Veracode checks for software flaws from coding mistakes as well as malicious code. It also checks the status of security functionality in the software, so you know what you're up against before you install it. Unlike most software analysis, however, Veracode investigates the binary code, which it considers a more thorough approach.
Veracode is selling its products to enterprises that want regular analysis of their software's security, as well as to software developers that want security reviews and analysis of products and third-party apps.
Wysopal helped develop the initial binary analysis tools -- which later became the foundation for Veracode's SecurityReview services -- while he was at @stake, a consulting firm that was purchased by Symantec in 2004 and later spun off into Veracode. Veracode initially raised $19.5 million in venture capital, with Symantec holding a small equity. The creator of the software is the renowned Christien Rioux, Veracode's chief scientist.
While Veracode has touted binary code analysis as its bread-and-butter, the company recently added source code analysis and manual penetration testing to its service offerings through some strategic partnerships. And Wysopal says Veracode will continue to team up with boutique security firms that can fill gaps in Veracode's automated services with human intervention for the "ultimate security analysis."
He admits he and his colleagues initially thought their automated binary analysis tool alone was the silver bullet -- but they since have changed their tune a bit. "There's not one technology that can solve the software security problem. It's too big and complicated," he says. "Ours is the best thing to do if you are doing just one thing."
Security Incite's Rothman says the fact that the service doesn't really impact the development process itself much is interesting. "But ultimately, it [the service] has to work."
Meanwhile, Veracode's services stop short of actually fixing flaws or holes they detect in software, although they provide reports with remediation recommendations. What you do with that information and advice is up to you.
The Staff of Dark Reading