Mar 6, 2017 - but of its unique role in the global technology market. ... and best in all fields serve Israel in some ca
451 RESEARCH REPRINT
R E P O RT R E P R I N T
Cybertech 2017: Israel showcases security in the ‘startup nation’ SCOTT CRAW FORD, KAT HRY N BA LL 0 6 M AR 201 7 Israel is a hotbed of startup activity in information security with access to one-fifth of the world’s investment in the field. So it’s no surprise that Cybertech 2017 would attract thousands of attendees from around the world.
TH I S RE P O RT, LI C ENSED EXCLU SI V ELY TO YL VENT URES, DEVELOPED AND AS PROVIDED BY 451 RES E A RCH, LLC , SHALL BE OWNED I N I TS ENT IRET Y BY 451 RESEARCH, L LC. T HIS REPORT IS SOL ELY I N T E N D E D FO R U SE BY THE R EC I P I ENT AND MAY NOT BE REPRODUCED OR REPOST ED, IN W HOL E OR I N PA RT, BY THE R ECI P I ENT, WI THO U T EXPRESS PERMISSION FROM 451 RESEARCH.
©2017 451 Research, LLC | W W W . 4 5 1 R E S E A R C H . C O M
451 RESEARCH REPRINT
Israel is a hotbed of startup activity in information security, with access to one-fifth of the world’s investment in the field (quite a lot for a country that only makes up 0.1% of the globe’s population). It’s therefore no surprise that Cybertech 2017 – a conference aimed at one of the country’s leading industries – would bring to Tel Aviv a claimed crowd of 10,000 attendees from around the world, as well as an appearance and keynote by Israel’s own prime minister, Benjamin Netanyahu.
T H E 4 5 1 TA K E Israel’s investment in information security has become a principal manifestation not only of its history, but of its unique role in the global technology market. One has become a function of the other: the comprehensive commitment of the country to its own defense has cultivated a culture of expertise and innovation that have made Israel uniquely fertile ground for ventures aimed at mitigating technology risk and defeating exploits. Cybertech has grown as a conference that showcases this climate. In our attendance at this year’s event, we identified a number of areas where this investment is most visibly focused – as well as expectations of what we would hope to see in the future in this unique arena of early-stage activity.
CONTEXT The 80-plus startups and a further field of Israel-based vendors showcased at Cybertech 2017 reflect the pervasive influence of the country’s history with deep roots in vigilance and defense. Two factors in particular contribute to the depth and breadth of Israel’s investment. First, military service is compulsory in Israel, leading to many, if not all, founders in the broader market developing their information security backgrounds in the Israel Defense Forces (IDF). Second, compulsory means comprehensive, which means that national service embraces young people from all walks of life, not just those whose aptitudes that fit a more traditional military enlistment model. This means that the brightest and best in all fields serve Israel in some capacity at the outset of their careers – service which often defines those careers later on – further contributing to the strength of the Israeli market in the technologies of defense, including (and particularly) in the ‘cyber’ realm. Many stay on past the time of mandatory service to enhance the knowledge and expertise gained within organizations such as the IDF’s elite Unit 8200 signals intelligence group, to deepen insight into attacker tactics as well as to expand capabilities. The intensity of Israel’s cybersecurity focus was further illustrated at and around Cybertech in talks that highlighted the common interests of educational, military and commercial development centered in Beersheva. Located approximately 100km (roughly 60 miles) south of Tel Aviv, Beersheva is the home of Ben-Gurion University of the Negev, where research and education initiatives have formed the nucleus of broader investment from, and cooperation with, both military and commercial interests near the university’s campus. The area is the location of the Gav Yam Industrial Park, the focus of Beersheva’s Advanced Technologies Park, first introduced in 2013 shortly after the Israeli government announced that technology units of the Israel Defense Forces would be moved to the city. Early private-sector participants in the Beersheva ATP include EMC and Lockheed Martin. In 2014, a Beersheva focus specifically on cybersecurity research and development was introduced with the launch of the Cyber Spark initiative. These examples illustrate the extent to which Israel sees itself as the ‘startup nation,’ a term seen frequently at Cybertech 2017. Investment in Israeli security ventures was described in detail at a conference session presented by Yoav Leitersdorf, managing partner of Israel- and San Francisco-based VC firm YL Ventures, an early-stage investor focused on Israeli cybersecurity startups, and a Cybertech sponsor.
451 RESEARCH REPRINT
According to Leitersdorf’s data, overall funding for cybersecurity across all stages totaled $689m in 2016, a 23% increase from 2015’s $560m. Funding rounds for Israeli startups across all stages totaled 72 in 2016, showing steady growth over 62 rounds in 2015 and 52 in 2014. While seed rounds have grown modestly but steadily at a nearly constant 24% year-over-year for the past three years, A rounds nearly doubled from 2015 to 2016 ($133m to $255m). B rounds fell from $252.6 in 2015 to $121m in 2016, but growth rounds more than doubled ($107.6m in 2015 to $229m in 2016). The strong pace of new cybersecurity startups in Israel was also highlighted in Leitersdorf’s data. While 65 new Israeli companies emerged in 2014, that number jumped to 81 in 2015 and remained at that level in 2016, with 83 new companies making their debut. When compared with 451 Research data that saw approximately nine new security startups every month in 2015 – a trend that continued into 2016 – the dominant role Israeli startups continue to play in the security market is well illustrated.
THEMES Among themes prominent at Cybertech, threat detection and prevention were highly visible, as was the need for strong authentication of entities in sensitive environments, while the complexity and requirements of security highlight opportunities for automation – particularly to help answer the demand for security expertise. Numerous plays at Cybertech answered the first category, with malware and attack detection, prevention and containment – often with an endpoint emphasis in line with current demand for more modern endpoint security – represented by new entrants including BUFFERZONE, Cybellum, Deceptive Bytes, Deep Instinct, Fenror7, Metapacket, Morphisec, Nightingale and ReSec. Several startups on the floor were dedicated to the detection of anomalous (potentially malicious) activity in OT environments and industrial control systems (ICS): SCADAfence, SCADASudo, APERIO Systems, SigaSec, Perytons and ICS2, while security for the ecosystem of suppliers that contribute to OT was represented by Sepio Systems. Automotive security is another, and active, field beyond the realm of security for traditional IT, with a few dedicated startups representing the market at Cybertech including Vehicon and ProtectivX. Karamba Security also made an appearance with its focus on the hardening of the automotive environment for threat prevention rather than simple detection, while a conference session dedicated to complex requirements for securing various aspects of aviation highlighted issues in yet another intersection of transportation and operational security. Authentication for ‘things’ speaks to the need for confidence in interactions with more compute-capable endpoints in a variety of environments. Organizations seek to guard against ‘spoofing’ of legitimate endpoints as a potential path for exploit, while endpoints must have confidence in their sources of command and control. The data exchanged between endpoints and other resources, meanwhile, must be protected to guard against sensitive data breaches and to assure confidence in command-and-control, which points to the linkage between secure authentication and data security for such environments. These areas were strongly represented at Cybertech, with startups such as AGAT Software, Beame.io, Dyadic Security, Truly Protect, Veryifyoo and Secret Double Octopus (names that, just incidentally, suggest the challenges of unique branding in a field where a profusion of startups are the norm). Security automation also made its presence felt, with young companies targeting a variety of opportunities – from security orchestration and incident response automation to plays designed to enhance network visibility. Hexadite, for example, competes in the realm of security orchestration against the likes of Phantom Cyber and Invotas (acquired by FireEye in early 2016), and bases its R&D in Tel Aviv. New entrants making their appearance at Cybertech include Cymulate, representing the field of attack simulation that includes earlier Israeli ventures SafeBreach and Cronus Cyber, which compete with US-based plays including AttackIQ, Verodin and vThreat. Automation also plays a role in a different arena, in the toolchains increasingly relied upon in DevOps initiatives. Twistlock, for example, represents an Israeli startup that helps organizations define security policy, analyze images, implement runtime defense and other capabilities for container technologies often used to deliver modern functionality in the datacenter.
451 RESEARCH REPRINT
S TA R T U P C O M P E T I T I O N Among the highlights of Cybertech was the highly anticipated startup competition hosted by YL Ventures, which included a variety of represented fields and maturity levels among the startups themselves. The competition’s panel of judges represented a wide range of expertise among US-based investors (Jacques Benkoski of US Venture Partners, Alex Doll of TenEleven Ventures, MassMutual Ventures’ Doug Russell); established as well as disruptive technology companies (David Cross of Google and Rich Telljohann of IBM, as well as Cylance CTO Glenn Chisholm); and international security practitioners (Jay Leek of ClearSky Venture Fund, formerly CISO and managing partner with Blackstone Group, and Citigroup’s Bob Blakely). This panel faced a daunting task in weighing the appeal of a variety of techniques against the challenges of communicating their value effectively in just a few minutes, but APERIO Systems was declared the winner by a majority of the panel. APERIO represents ICS security with its ability to validate the integrity and authenticity of data within the environment. The process determines a baseline of data activity within the system by applying machinelearning techniques to historical server data and alerts administrators when activity strays from the norm. Contenders in the competition included Cybellum and what it calls its ‘Zero-Day Prevention Platform’; Cymulate’s SaaS-based cyber-attack simulation system; Intezer and its technology for mapping code in an environment to provide visibility into the presence of potentially malicious software; and Sepio Systems’ supply chain security offering based on a USB tool that detects and blocks potentially malicious activity on a device and reports to existing monitoring systems.
W H AT W E ’ D L I K E T O S E E , A N D W H AT T H E F U T U R E M AY H O L D The nature of the security ‘arms race’ – where defenders seek to gain an advantage over adversaries that regularly get past defenses – is well suited to a culture where defense has long been a top priority. Yet the factors that fuel innovation and drive the growth of new startups also mean that enterprises must sift through a daunting number and variety of vendors to identify those that can have the greatest positive impact on their strategies. Enterprises desperately seek to streamline and simplify their security portfolios as much as possible. How can startups respond to this clear customer demand and still make a positive impact where there is need? These were among the topics raised at Cybertech and surrounding events. At a Tel Aviv ‘fireside chat’ organized by YL Ventures during Cybertech week, panelists representing seasoned international investors and CISOs (including David Cross, Glenn Chisholm and Jay Leek from the Cybertech startup competition panel, as well as USVP’s Steve Krausz, TenEleven’s Mark Hatfield and MassMutual Ventures’ Mark Goodman) spoke to these issues to help guide startups in better addressing market needs. Among their observations: Rather than trumpeting features and differentiation, show us how you listen to your customers. Too many vendors are caught up in the ‘glitz’ of their technology. How does your offering acknowledge and embrace what customers really need? How well have you packaged that appeal such that new prospects will recognize your ability to clearly identify and respond to that need? In a market populated by hundreds of startups and incumbents alike, it’s inevitable that a number of segments actually represent what should be features of a more comprehensive offering. But it’s not necessarily a bad thing for a company to come to market as a ‘feature’ – so long as the company recognizes that this is what it is doing, and develops its strategy accordingly. (At 451 Research, we have seen this particularly pronounced in markets such as security analytics, where in the past we have used terms such as ‘SIEM for your SIEM’ to describe technologies that supplement – if not supplant – legacy approaches to monitoring and alerting for security operations.) The latter point speaks to a particularly felt need among security teams: the need to alleviate information overload and ‘alert fatigue’ for SOC operations. A profusion of security vendors too often leads to silos where tools simply don’t talk to one another. Valuable data is too often lost because tools are too isolated from each other, and aren’t designed to ‘play well with others.’ Given the (often) dozens of security products in use in the enterprise, we would expect to see integration across tools a more prominent capability.
451 RESEARCH REPRINT
The ability to act on this information is another need – and not just to help relieve an expertise crunch. Threat detection was prominent at Cybertech – but detection is only the beginning. Threat prevention is more realistically in view with many of today’s antimalware technologies. Security-automation plays represent a further evolution of this demand – but more is expected, both on the ‘supply’ side of IT (in the development and deployment of applications, for example) and in the ‘demand’ sphere (in better integrating security into IT consumption and security response actions). One of the more positive takeaways from DevOps trends is increased emphasis on building security into IT functionality from the outset. Approaches that enable developers and operations teams to craft and deploy more secure technologies without the need to add security as if it were an aftermarket accessory would help further this cause, and would be expected to play a role in future startups. The expertise crunch is a symptom of complexity not only in cybersecurity, but in IT itself. Security tools receiving a favorable hearing today often make much of simplifying existing approaches and consolidating multiple aspects of areas such as secure connectivity from any device, on any network, to any application or resource, whether on-premises or in the cloud. These are among the qualities we would expect to see in future security startups – and at Cybertech in particular, given that the conference represents a climate highly amenable to their development. The positive impression left by Cybertech, and the innovation-fostering culture it highlights, make clear that both the expertise and investment on display are more than ready to respond.