Warning: everything you thought you knew about corporate cybersecurity is about to change.
That’s according to Paul Paget, the CEO of Pwnie Express, a Boston-based startup that makes software and hardware for detecting unauthorized devices in the vicinity of a corporate network.
Paget came up through IBM and Lotus before heading up two previous companies, Savant Protection and Core Security, as CEO. “Everything we learned about how to secure an organization is being totally undermined by this shift in the ownership of computer assets,” he says. “It’s going to change dramatically, in the next three to five years, how security is done inside organizations.”
He’s talking about employees bringing their own devices to work, the rise of the Internet of things, and everything from printers to drones to “rogue devices” like wireless routers and keystroke loggers being used by hackers to infiltrate networks and steal data. Not surprisingly, Paget thinks Pwnie Express can help solve these security problems. And now the company has more cash to do just that.
Pwnie (“Pony”) Express said today it has raised a $12.9 million Series B funding round led by Ascent Venture Partners, a new investor in the company. Ascent’s Matt Fates led the deal, and he’s joining the startup’s board. MassMutual Ventures, .406 Ventures, Fairhaven Capital, and the Vermont Center for Emerging Technologies also participated in the round, which brings Pwnie’s total VC funding to about $20 million.
The 40-person company was founded in 2010, and its main product has been in the field for about a year. It consists of a sensor (or multiple sensors for a big office) to detect wired or wireless rogue devices on or near a customer’s network, plus a software interface that shows where these devices are and what they’re doing. The software then alerts the customer’s team or security system if it detects a threat.
Paget says his startup now has 100 customers, ranging from local banks, healthcare, and government organizations to distributed companies in hospitality, retail, and entertainment. He gives an idea of the scope of rogue threats that Pwnie can expose: branch-level banks can detect someone next door or in the parking lot trying to hack into their Wi-Fi; stores can detect Bluetooth card skimmers near credit card machines; and a large stadium or venue can check for rogue access points in its wireless network.
But the most common device threat isn’t even malicious, Paget says. It’s a standard HP office printer, which is not usually configured for security, and whose default settings make it an open access point. “The Wi-Fi connection serves as a bridge into the network,” he says. “IT sends you a printer, you plug it in, it works, you give it an IP address, but you forget to turn the Wi-Fi off.” That means hackers can use the printer as a backdoor into the corporate network (not to mention seeing any sensitive print jobs).
This sort of connected-device hacking is becoming more prevalent. “For bad guys, this is much easier than breaking into a website or other system. You don’t have to be a sophisticated attacker,” Paget says. “This will become a dominant attack vector.”
Some other companies trying to make connected devices more secure include Lexumo, which helps software developers find open-source vulnerabilities, and Resin.io, which helps developers manage code updates on devices in the field. But Pwnie Express is different in that it’s trying to help organizations monitor and identify the threats from such devices.
Bottom line: the market seems to be growing for security-tech companies that are adjusting to a more chaotic world of cyber threats. For his part, Paget sees a big demand for three things: visibility into networks and devices, encryption of network connections, and user identification and authentication. (The flipside to all this would seem to be user privacy, which is all but dead.)
Until recently, Paget says, “security products have been developed with the expectation that you own all the assets and you control the networks. That’s all changed now.”