In terms of interest and investment, cybersecurity has exploded. Just this week, a pair of local security-tech companies have raised a total of more than $100 million. But the broader story is much more interesting—and crucial to the field.
First, the new money. Waltham, MA-based Bit9—which officially goes by Bit9 + Carbon Black—has raised $54.5 million in Series F funding from its previous investors, .406 Ventures, Accomplice, Highland Capital Partners, Kleiner Perkins, and Sequoia, and new investors Evolution Equity and Founders Circle. The company has raised $175 million since its founding in 2002, making it one of the biggest technology bets in New England.
Earlier this week, Boston-based Cybereason raised $59 million in Series C financing led by SoftBank, with previous backers CRV and Spark Capital also participating. That brings Cybereason’s total venture haul to some $90 million—quite a bit for a three-year-old startup. But this company has a pretty different approach to security (more on that below).
The deals come amid some consolidation and exits in the industry. In the Boston area, Bit9, CyberArk, Digital Guardian, and Rapid7 all recently have acquired other companies (some in security, some not). Rapid7 went public in July—still the only local tech IPO of the year. Meanwhile, Bit9, Veracode, and Mimecast are talked about as IPO candidates, but seem to be biding their time.
And why not? Business has been good, and getting better. Bit9 says it will end 2015 with $70 million-plus in annual revenue, an increase of 70 percent over last year. Cybereason is much smaller but expects its 2015 revenue to be 10 times last year’s. Resilient Systems, another young company (formerly known as Co3 Systems), says its annual revenue has grown by about a factor of 6 this year. And so on, down the line.
These companies are cashing in on increasing demand from organizations, big and small, that are looking to protect against and respond to cyber attacks. But even with all the tech companies’ different approaches and products, one thing is clear: it isn’t enough.
Now there’s a push to unify the major aspects of security—from protecting endpoint devices (computers and cell phones) to covering networks, from detecting problems in files and operating systems to tracking vulnerabilities in the cloud, from responding to data breaches to handling privacy regulations and contacting law enforcement. And the unification is happening not just within technology providers, but between them and other organizations. “Customers are wary of point solutions,” says Michael Daly, the chief technology officer at Raytheon Cybersecurity and Special Missions. “They need something more holistic.”
Daly has seen the rise of “unified threat management” platforms—basically ways to stitch together firewalls, virtual private networks, URL and antivirus filtering, and messaging security. But Raytheon and other companies are trying to go far beyond that, by screening everything from external intelligence feeds to corporate data sources such as human resources and travel records.
The challenge is that “cyber touches everything,” Daly says. On the computing side, there are things like processors, operating systems, data storage, networks, and the cloud. On the human side, there are all the touch points and interactions with employees, administrators, and end users—some of which can be safeguarded through education.
“There’s no singular solution for all of it,” he says.
Yet through acquisitions and partnerships, companies are trying to piece together more of the puzzle. In April, Raytheon bought Websense, a Texas-based provider of Internet data-security software, in a deal valued at $1.9 billion. That massive integration process is one of the areas under Daly’s supervision. (One of his more recent headaches involves thinking about how to secure the emerging Internet of Things—a very real problem.)
Bit9’s acquisition of Carbon Black last year is another example of unification. Bit9 was a veteran company known for its endpoint protection approach, but where it needed help was on the detection and response side—what to do after an attack has already been successful. Since adding Carbon Black (another Texas company), Bit9’s business has boomed, and it says it has added 900 new customers this year.
Bit9 says its technology is available via open APIs (application programming interfaces), so that customers can integrate the software with offerings from Palo Alto Networks, Splunk, IBM, McAfee, and other security and analytics companies. “One vendor won’t solve the complete problem,” Bit9’s chief executive, Patrick Morley, says. “The only model that works long-term is the model that enables security professionals to connect the pieces so they can automate the workflow and focus on the important stuff.”
“We are still very early in the global change in the dynamics of security,” Morley adds.
Resilient Systems is another local company that’s part of that change. Back in 2010, co-founder and CEO John Bruce, a 25-year security tech veteran, saw an opportunity to “build the first company whose center of gravity was response,” he says. As Bruce saw it, there were plenty of products that tried to prevent attacks, and in recent years more software became available to detect attacks—but once you knew you’d been hacked, you were basically in trouble.
Yet that was the position a lot of companies were already in. “It’s medieval compared to the ‘Star Wars’ technology people usually have for prevention and detection,” Bruce says.
So Cambridge, MA-based Resilient set out to build
