When most people think of cybersecurity, they think of IT departments protecting corporate networks, or individuals at home on their personal computers. But cybersecurity is differentiating rapidly as more people realize its actual goal is to improve the reliability of some other business process or product, not to be an end in itself. Since these business processes vary widely from one industry to another, it makes sense to talk about the unique issues and approaches faced by individual market verticals. One such vertical: Cyber Insurance.

The October 1 edition of the excellent Security Leaders dinner series conducted by @mach37cyber, co-hosted by Mach37, AOL, and Marsh & McLennan at the AOL Fishbowl, was a highly interactive, highly informative panel discussion with insurance industry and related legal professionals on the topic of Cyber Insurance. Cyber Insurance is designed to cover some of the costs in the aftermath of a cybersecurity incident, including forensics to determine what happened and the extent of the damage, public relations to communicate with customers and other stakeholders, remediation costs such as credit monitoring, and legal costs for defending lawsuits that arise as a result of a breach or loss of data. For businesses that experience a cyber incident, these costs continue to increase rapidly.

It is clear that cyber insurance is still a very nascent but rapidly growing industry that faces some difficult challenges. Unlike the more familiar life insurance, car insurance or hazard insurance, there is no long claims history from which to determine actuarial risk. There is no agreed set of standards or guidelines, analogous to "stop smoking", that are guaranteed to reduce risk for most customers.
Every insurance need is essentially custom to the situation (the panelists all agreed businesses should pay attention to coverages and exclusions such as "acts of war"), with businesses handling health information or PII facing very different imperatives than those handling primarily credit card or other financial transactions. And the way that business is conducted, with online brokers promising several competitive quotes within a few hours, means that the due diligence needed to determine a business's cyber posture, or even whether it is already breached when the policy is written, is not practical. The remedy for the latter is an increasing reliance on third-party audits or certifications regarding the practices of businesses seeking insurance.

Insurance claims start when an insured business has knowledge that something has happened, so for data breaches this means the company must be at least sophisticated enough to know that something is wrong. But as one panelist indicated, the most commonly reported incident is "hack" (not a very sophisticated description), accounting for about 1/3 of claims, while lost laptops and even lost paper still account for significant portions. The insurance company can help bring in forensics and other experts to determine the extent of losses and help stop further losses, and then supports later steps in the remediation and recovery process.

In discussions after the panel, a couple of interesting questions came up. First, is cyber insurance more like car insurance (where different skill levels are reflected in different accident rates, allowing lower premiums for good drivers) or more like life insurance (where every insured person experiences exactly one death and premiums essentially finance the cost of activities around dying, requiring higher premiums for those with a shorter expected time period over which to do the financing)?
Ideally this would look more like car insurance, with a set of specific steps to reduce the chances of an accident, but most people seemed to believe it is currently more like life insurance: financing for that first event, after which businesses take more extensive steps on their own to prevent a recurrence.

A second interesting question was whether people in the crowd would want to be in this insurance business (an admittedly skewed sample, since the audience was mostly techies). The large majority of people I spoke with said "no", since it seems almost the luck of the draw which companies will survive in the market; if your business base doesn't experience many costly claims then you're probably OK, but the market dynamics make that extremely difficult to determine.

The third interesting post-panel question revolved around the asymmetry of risk and damage in this ecosystem as a whole. The best example here is the loss of PII from a business with cyber insurance. While a business with poor cybersecurity practices certainly incurs costs related to a breach, the harm also falls extensively on the individuals whose PII has been compromised. But the harm to the business is mitigated by the insurance, while the harm to individuals is less well covered (hence, lawsuits). Credit monitoring is sort of like jail time: once you reach three or four life sentences, adding additional coverage doesn't really help very much. One could hope the cyber insurance industry is taking steps to help mitigate risks for businesses seeking good practices, while not protecting businesses who seek only to profit at individuals' expense.

Finally, there are a variety of interesting conclusions for early stage companies looking to sell cybersecurity products to businesses in the age of cyber insurance. For entrepreneurs involved with forensics or risk management, it may be that the insurers are your primary market rather than companies directly.
In the era of risk management, businesses are no longer seeking to drive their risk to zero. Instead this becomes a cost tradeoff: at what point does additional technology cost more than the insurance that covers the same level of risk? For a cybersecurity vendor, not only are you competing with other equivalent vendors for a share of the fixed security pie; now you are competing with a range of alternatives, some of which are not even technology-based.

Cybersecurity insurance will continue to grow as a dynamic force in this market. It is unclear exactly how those dynamics will evolve, however, so prudent companies should continue to watch this industry vertical carefully.
CISOs Don’t Want Your Analytical Tools
In his March 20th Cyber Intelligencer, Anup Ghosh nailed it with his description of the failure of our traditional Prevent, Detect and Respond strategy. As Anup proposes, given the state of our collective failure, a move toward a strategy focused on Containment, Identification (of compromised assets and adversaries), and regaining Control of compromised networks is a more sound approach.

In his piece, Anup correctly indicts the purveyors of Detection tools, who:

"[have] only succeeded in producing prodigious alerts and data dumps that understaffed and over-worked security teams now have to wrestle with. Few organizations have enough resources to sort through the volume of alerts their solutions provide and the terabytes of log data required to derive actionable insight at the speed and scale that is required."

As the industry and our customers move forward toward Identification and Control, information security capabilities will necessarily evolve away from emergency response and dispatch playbooks and toward more sophisticated analytical approaches. Unfortunately, given that the population of information security personnel with strong intelligence and analytical skills is about as abundant as Valyrian steel, if we don’t alter the way these tools are delivered, we are destined to fail again.

Of course, well-funded purveyors of analytical tools who have effective sales and marketing teams will be able to sell their expensive on-premises tools to large government information security organizations and the Fortune 100. But, given the volume of their data and the speed with which customers need to take action, those customers won’t be happy with their results.

Ironically, the good news for these vendors is that the rest of the market can’t afford to deploy their capabilities. How many non-Fortune 100 companies do you know who have advanced threat intelligence cells and big data log analysis infrastructures?
So at least they won’t be pissed.

At the end of the day, I believe that even large company CISOs really don’t want to buy analytical tools. Rather, they simply want prioritized recommendations and enough confidence in the analytical rigor behind those recommendations to confidently take meaningful action.

To us, solutions that invert the analytical process, providing prioritized actions based on rigorous analysis and shared intelligence and walking customers backwards through the analysis only if they care, are going to be winners. Using machines rather than people to triage massive volumes of intelligence based on relevance and risk to an organization is inevitable. Solutions that leverage more affordable As-a-Service delivery models, which enjoy economies of scale for both computational resources (i.e., elasticity) and analytical human capital, make the most sense.

At Mach37, we agree with Anup. We continue to prospect for and invest in solutions that will deliver affordable advanced intelligence and analytical capabilities to satisfy the growing need for Identification and Control. We believe these solutions will allow us to avoid the mistakes of the Detection vendors, finally getting it right this time.
The Innovation Kill Chain
Caution: Satire Ahead

There is a dangerous threat to our economy and way of life springing up in seemingly every industry. Almost half the Fortune 500 were booted from the list between 1999 and 2009. Some prognosticators say this threat could result in even more than half of the Fortune 500 going away over the next decade, with a conservative economic impact of more than $2 trillion to our current productive capacity. What is this threat? Disruptive Innovation and the provocateurs inflicting it upon us, the Disruptive Innovators, or Dis-sInners as I like to call them.

Fortunately we are not helpless in the face of this scourge; we can fight back. The reason is that these Dis-sInners proceed, no matter the industry, through a very well-known set of steps before they can succeed. If we can disrupt their insidious designs at any step along the way, they will fail, and this is what I call "The Innovation Kill Chain."

The seven steps of a typical Dis-sInner attack are as follows:
- First, they will conduct surveillance, to understand their target, evaluate competitive strengths and weaknesses, and position for the eventual attack. While this stage is hard to detect, we can take comfort that our highly efficient current business structure is very difficult to disrupt.
- At stage 2 the Dis-sInner will typically expose themselves by creating a legal paper trail (articles of incorporation and similar) that reveals both their true identity and business intent. Paranoid companies could develop a standing research capability to discover and track these perpetrators, but it is hardly worth the effort since they will never amount to a true threat to our overwhelming market share.
- The third step in the Innovation Kill Chain involves the Dis-sInners planning to undermine the value of your core Intellectual Property. Here the well-prepared defender can become more proactive by filing extensive patent coverage that will allow for future lawsuits should the Up-Startup ever amount to anything. Remember, you have deep pockets and they don't, so it does not matter whether there is actual economic value in your IP portfolio; all that matters is the ability to create expensive legal proceedings at critical times.
- Inevitably, some Dis-sInners actually start building prototype products and begin looking for "beta customers". By all means, this is your opportunity to appear forward-leaning while still containing the threat. The most successful defenders step forward at every request...but then stretch out the process through the various tricks of bureaucracy we all know so well. Should a Dis-sInner persist, extensive product feedback involving meaningless features and tangential use cases is often an effective countermeasure.
- Only a few of the most Advanced Persistent Threats will make it to the point of seeking funding, but for these we recommend the essential Enterprise FiresaleWall. Your Corporate Venture Fund can be a key player in this process. Remember that these early-stage APTs have not yet taken over key parts of your market, and a well-timed lowball offer can often shortcut their efforts at Escalation of Visibility.
- It is inevitable that your market position will eventually be breached. There are only two types of market leaders: those that know they have been disrupted and those that don't yet know it. This is where a top-notch Chief Innovation Prevention Officer (CIPO) earns their keep. “Off the street and on the shelf” are truly words to live by. Early warning can give you plenty of time to squeeze every last penny out of those previously lucrative markets. And your best customers will surely want to stay with a market leader, even in the face of punitive long-term contracts.
- Once a breach has occurred it is time for forensics and damage control. Here, behavioral indicators can be useful in ferreting out the Inside Your Market Threat. Do not succumb to the temptation to point fingers and re-organize; instead watch the Up-Startup and match their every move. One very effective defense, particularly in the Government space, is to partner with the enemy! As a prime contractor, you will have locked up the Dis-sInner's market potential and will control their destiny through the amount of business you let trickle down their way.
Knowing your adversary, and the common steps they take in seeking to disrupt your business, is the most effective way to stay prepared and stay ahead of this insidious threat.
Differentiating Cybersecurity Startups
A number of investors from around the country tell us they have a problem. When considering early stage investments in cybersecurity companies, whether at Mach37 or elsewhere, investors have a hard time telling the companies apart. One issue is that companies abstract away the technical jargon for their investor pitches, and at the buzzword level they really DO sound similar. However, we know from the Mach37 portfolio, where we pay attention to competitive issues within cohorts and are always looking for new ideas, that each company is unique. The challenge then is making those differences clear in an easily comprehensible way.

We were searching for a way to depict the entire portfolio on a one-page graph with a modest number of categories; here it is. Across the bottom are the target users for each product, color coded and grouped into the corresponding market segments across the top. The technology categories on the vertical axis are based on our "Understanding the Technology" white paper, with a few additional categories added. This segmentation clearly gives a nice spread of the Mach37 companies, and corresponds well with our intuitive understanding of how the portfolio is beginning to meet the market needs. It also provides an interesting working definition of a company pivot, which we are beginning to see in a couple of instances: a pivot is reflected by a company moving from one place on the graph to another.

We are interested in your feedback. Does this provide a useful differentiation of companies in the space? Do the categories make sense? How does your portfolio stack up? Could a similar depiction work for other verticals with a different set of technology categories and users?
CTO SmackChat: So, what do you do?
[Loosely adapted from an actual conversation with an investor at a networking event]

“So, what do you do here?”

[standing large] “I’m the CTO for Mach37”

“No, I know your title, I want to know what you do”

[uh-oh, better obfuscate] “I’m the Chief Envisionator of Strategery for Cyber-Futures”.

“I don’t even know what that means. What I really want to know is what you do on a day to day basis to add value to this organization”

-----

Being the CTO or Technical Co-Founder of a startup company is a role that requires extraordinary flexibility and humility. Sure, the early days are obvious. You’re the developer of the first product, the first Product Manager, and critical for Marketing, Fund-raising, running the new business, and whatever else it takes to get that business going.

With a little success though, an early round of funding, and employees five, six and seven being a Product Manager and two developers…what now? Still not too hard to envision: your role is less hands-on with the Product and more involved with the roadmap and the intellectual property, and with mediating customer feedback from sales and marketing with your development team.

As success grows, and you add a VP of Technology to manage the technical team, your role continues to morph. Your CEO Co-founder has kept his roles and grown with them, while you have been busy giving your early roles away. So, what do you do? Is there still a place for you in the company you helped start?

The answer comes down to Leadership. You are a Co-founder because you helped create the vision of product and market and the problems you knew you could solve. The technical team looks to your leadership even though you are not so directly connected as you once were. You know the market and you know many of the key customers. You play a key role managing the business while the CEO is out raising money.

How that translates into day-to-day action varies with your personality, the company and the situation.
I have found that letting other people take responsibility for the more detailed daily operations frees up time to build the longer term initiatives, those critical new areas for company growth that take time and patience to nurture. I enjoy being out in the community as a visible representative and spokesperson for the company. Thought leader in the market? Sure, that too.

So, what do you do? Lead. Figure out what that means, and earn your place every day as a leader in the company you worked so hard to start.

David Ihrie is CTO of MACH37 and has been the lead technical person for six startup companies. He has a BS in EE/CS and an MS in Management specializing in the Management of Technological Innovation, both from MIT.
You Don't Scale
The more that information security incidents are in the news, the more often we hear that there aren't enough people to do all of the work necessary to batten down the hatches against everyone who'd like to compromise our systems and networks. The U.S. Government has been particularly vocal in discussing a shortage of security talent, but it's not uncommon to hear this refrain in business circles as well.

If these folks are as difficult to find, hire, and retain as we're told, then we only have a few choices:
- Train them internally;
- Automate as many security processes as possible;
- Do things to make the people you have more effective.
Most people choose door #2 as a way to get what's behind door #3.

There is a common criticism of information security practitioners: that we depend too much on technology, even when the core problems may not be technical ones. Those critics have a point: effective security isn't something one can buy in a box and then proclaim victory afterward. However, in the face of limited talent, deploying a new technology may be the most straightforward way to attempt to address some risks.

The reason is simple: many of the best security products embody some very specific, reproducible, automation-friendly aspect of security expertise and perform it tirelessly, over and over. You may have the best internal security people in the world, or the best world-renowned consultants, but the bottom line is that humans don't scale particularly well.

This is true whether you're the security manager with the responsibility to keep your network safe 24 hours a day, or the consultant who parachutes in to save the day when things look bleak. The former can only hire so many staff members, and the latter can only bill a finite number of hours in a day/week/year.

If experts are in short supply, then one of the most scalable options is to encapsulate the expertise of rare, highly paid people and build it into a mechanism that can apply that expertise to real environments, be they network traffic flows, host configurations, or software updates.

There has yet to exist a security product that solved all of the world's (or even one enterprise's) problems, but if we look at some things that made a difference in the state of the art when they arrived, they tend to fall into a few categories:
- They allow less-senior people to do some work that used to be the province of a few
- They help people to make better sense of information they (usually) already had somewhere
- They help less-technical users to avoid inadvertently hurting themselves
- They fundamentally changed some aspect of how we work or build systems to make them inherently more secure*
*This is where the most value is created, but it's also the most difficult.

If you've gone to the trouble of building something to solve a problem for yourself, and believe that other people have the same problem, that's called a market opportunity.