On Eve of RSA, Fortanix and Cybereason Talk Encryption, Cyberwar

Ambuj Kumar says he’ll face a higher hurdle than the other nine finalists in the RSAC Innovation Sandbox Contest on Monday, when he’ll have three minutes to convince judges that his startup, Fortanix, deserves to win the prestigious competition. The Sandbox contest is one of the kick-off events at RSA Security’s huge annual conference in San Francisco.

Kumar says Fortanix’s approach to cybersecurity is unique, so he’ll first have to explain what it is before he can persuade the judges that his company can make it work. (In less than three minutes: Fortanix forgoes trying to secure whole computer networks, and instead encases individual apps in an encrypted bubble, where the app can also process data in encrypted form. More to come.)

Kumar’s challenge is emblematic of the bustling swirl of presentations, private meetings, panel discussions, exhibition booths, and demos that will fill San Francisco’s Moscone Center buildings for most of next week. Startups like Mountain View, CA-based Fortanix are competing for the attention of bigger firms, potential partners, and customers, while major security firms are hunting among the startups for the innovative features that could build out their services for clients. Established companies are also watching out for up-and-coming companies that might someday displace them.

At stake is a share of the burgeoning global market for security products and services, spurred by news about high-profile cyberattacks such as WannaCry, high-profile victims such as credit reporting agency Equifax, and an underground economy of cybercriminals reaping millions by using cheap, off-the-shelf tools. The European Union’s stringent General Data Protection Regulation (GDPR), with its whopping fines for privacy violations, adds another concern to the mix as the beginning of its enforcement scheme approaches in May.

Gartner estimated in December that worldwide spending by businesses on cybersecurity in 2018 could reach a total of $96 billion, an increase of 8 percent over 2017’s total.

Kumar says companies are now using dozens of tools to fend off attacks on their networks, “yet security remains elusive.” He co-founded Fortanix in early 2016 to try a new tack, by extending encryption into the realm where data is most vulnerable—that is, where the data is being processed by an application. Tools already exist to keep data encrypted when it’s being stored, and when it’s en route to an application, he says. But when it arrives, it has had to be decrypted, so the program can use it to draw conclusions, do calculations, or perform other tasks.

Fortanix, with its Runtime Encryption tool, offers app operators the ability to process data while it’s still encrypted. The startup also encrypts the app’s own data and software, to insulate it from intrusions that may have infected the larger environment the app operates in, Kumar says. For example, hackers may have tunneled into the operating system of a Web-based data storage and computing service where the app resides. Or, crooked host administrators might hold the passwords that let them into all regions under their domain. But even if a cloud computing host were served with a government subpoena, Kumar says, it couldn’t surrender the readable contents of an app encapsulated in Fortanix’s encrypted bubble. (This approach seems related to another startup called Enveil, based in the DC area.)

Fortanix’s “app-centric” security system could also benefit an app’s end users by protecting their data privacy, Kumar says. An app can process data, and produce the end result of its task, without having meaningful access to the information it drew from, such as a social media profile. For example, a marketer on Salesforce might learn that you’d be receptive to a certain ad, without finding out whether you subscribe to Cat Fancy magazine or Muscle & Fitness.

“Facebook definitely needs us,” Kumar says, envisioning Fortanix’s technology as a possible layer between social media users and Facebook, which would still be able to help advertisers target relevant ads to its users, without holding unencrypted reams of their personal information. “It would have to be integrated at Facebook scale,” Kumar muses.

In June, Fortanix raised $8 million from Foundation Capital and NeoTribe in a Series A fundraising round.

Prospecting at the Innovation Sandbox contest

Amid the Monday audience listening to Kumar’s three-minute pitch—and his rivals’—will be Lior Div, CEO and co-founder of Cybereason, which was a finalist in the RSAC Innovation Sandbox Contest in 2015. The company had just started commercial marketing of its cybersecurity service that year, and had 20 employees then, a few more than Fortanix does now.

Boston-based Cybereason is now a global company, with 350 employees and a fundraising total of $189 million since it was founded in 2012. It scored $100 million in June from Japanese tech titan SoftBank, which was also an early investor in the company. Cybereason says it has more than 300 businesses as customers—with nearly 50 of them added in the first quarter of this year.

Div is now prowling for startups he might like to acquire, to augment Cybereason’s in-house R&D.

“To be relevant, you have to look at what others are doing,” Div says.

Cybereason aims to be a comprehensive security system, using artificial intelligence, behavioral analysis, and ransomware protection among its collection of tools. Its signature strategy is to hunt constantly for cyber attackers across the full array of potentially vulnerable client devices, and detect intrusions as soon as possible based on a growing knowledge of their malicious behaviors.

From the vantage point of a security company that surveils the entire attack surface, Div says, it’s intriguing to look at startups like Fortanix that are concentrating on guarding low-level targets. “It’s interesting to see a different approach, like encrypting apps,” he says.

Participants in the RSA conference may all see the safeguarding of data security as an urgent mission, but their individual views of the most serious challenges can vary.

For Kumar, it’s the sheer scale of exponential growth in new connected machines, cloud servers, infrastructure elements, and the interactions among them that piles up the workload security companies must meet.

“If the number doubles every year, then every year the new devices equal the entire count of devices [that existed before] in history,” Kumar says.

Div’s view, meanwhile, reflects his experiences in national defense as the former commander of a cybersecurity team for the Israeli Intelligence Corps—the kind of background he shares with other leaders at Cybereason.

Div says he hears too little talk at the RSA conferences about the shift of war-fighting and international conflict to the digital arena. He points to Russia’s interference with

Author: Bernadette Tansey

Bernadette Tansey is a former editor of Xconomy San Francisco. She has covered information technology, biotechnology, business, law, environment, and government as a Bay area journalist. She has written about edtech, mobile apps, social media startups, and life sciences companies for Xconomy, and tracked the adoption of Web tools by small businesses for CNBC. She was a biotechnology reporter for the business section of the San Francisco Chronicle, where she also wrote about software developers and early commercial companies in nanotechnology and synthetic biology.