“Same procedure as last year, Miss Sophie?” – “Same procedure as every year, James!”
In line with this mantra, this year’s RSA Conference was kicked off again with the – by now pretty much established – ISBC startup contest. Same format (10 contestants pitch for 3 minutes, followed by 3 minutes of Q&A), same rules and conditions (pre-selected companies with maximum B round funding, investors and advisors excluded from voting), almost the same judges (this time including Shlomo Kramer, the industry guru known for his work at Check Point, Imperva and Cato Networks) and even the same jokes by the moderator.
To get into the groove, moderator Hugh Thompson interviewed jury member and tech investor Niloo Howe in regard to innovation in cyber, VC money and the most relevant criteria for selecting the ISBC winner: Cyber security “never needed innovation more than now” with respect to changes in the threat landscape and the increased attack surface in general, especially due to hybrid cloud architectures, the advent of containers and APIs but also the growing number and diversity of connected devices. This list already provided a quick summary of what was to be expected from this year’s competition. Discussing the sheer number of cyber security companies (somewhere between 3,000 and 100,000 – depending on how you count), the question arose whether there is even enough money to fund all those aspiring companies. Niloo clarified that “VC money over-exists” and it is more a problem of finding the right investment. With a slightly ironic “Quantum, Blockchain, AI – that’s what we’re focused on”, she provided the quote of the day, highlighting that buzzwords alone do not suffice to win this competition (even though we all know that it is frequently enough to ensure some decent funding).
“Quantum, Blockchain, AI – that’s what we’re focused on”
Regarding the actual competition, the field showed a broad range of capabilities and solutions. While there were no obvious trend topics (probably also due to the pre-screening of the competitors), Application Security and Secure DevOps clearly is gaining more traction. Still, more traditional security aspects such as Asset Management, Threat Prevention, Authentication and Authorization, were represented as well. Slightly surprising was the absence of Email Security, with Phishing in particular, as well as the trending topics of both Deception and Breach Simulation. Less surprising: All of the vendors were either from the United States or from Israel.
Trying to be objective and in order not to repeat all the pitches, below is a short summary of all the competitors (more information can be found all around the internet, especially at the official RSAC website):
- Wirewheel: Privacy management platform for conducting privacy programs, identifying violations in data usage or storage as well as assessing third party risks relating to data privacy. Defining what is private and what is allowed per use case or per regulation remains a major challenge that is primarily solved with manual tagging.
- ShiftLeft: Automated code analysis and runtime protection solution that introduces a graphical representation in order to identify and prioritize vulnerabilities quickly. It also promises to identify flaws in business logic and compliance violations. At least the second part needs to be done manually, though. With $30m already raised (within two years), it was the best funded company at this year’s competition.
- Salt Security: AI-powered API protection for protecting against the ever-present “unknown threat” leveraging behavior analysis and risk scores per user.
- Eclypsium: Firmware integrity protection that addresses the “layers below the OS” and protects against implants and backdoors, and rides the wave of the Spectre/Meltdown fallout. At least one of the judges couldn’t help but question the relevance for most companies since it was focusing on “tomorrow’s problems but not today’s”.
- Duality: Homomorphic encryption to solve the conflict between data privacy and data analytics. With a Turing award winning professor and backing by Team8, the company is almost pre-destined to succeed, although it is not yet clear whether non-PhDs will have a chance to understand what they are really doing and how to apply the approach to company’s daily businesses.
- DisruptOps: Cloud infrastructure management and governance, also bringing automation and orchestration capabilities to actively remedy issues. Faced with major competitors offering similar solutions, having a “world-class team” might not have been the most convincing reaction.
- CloudKnox: Authorization and Privilege Management using an activity-based model over long-standing role-based access control (RBAC), reducing the attack surface by removing unused admin privileges for both on-premises and cloud components. With ClearSky as active investor, one of the judges was excluded from Q&A and voting as well – which once again raises the question regarding the contest’s neutrality.
- Capsule8: Threat detection and protection platform for Linux-based server systems, geared heavily to improving security while keeping operations staff happy. Leveraging decentralized analysis, the solution is supposed to be faster than EDR tools while not creating “tons of additional network traffic” to be inspected “somewhere in the cloud”. Also, another participant funded by one of the judges …
- Axonius: Asset management solution addressing “the least sexy part of cyber security”. Integrating into already deployed solutions, Axonius correlated information to come up with the single truth about what does actually live in one’s infrastructure. The only company that let its Chief of Marketing do the pitch.
- Arkose Labs: Fraud Prevention solution using a combination of telemetry data to identify potentially malicious behavior and so-called enforcement challenges to validate legitimate users. Whether the “100% attack remediation with a 100% SLA” is more of a marketing gag than an actual proof for the system’s reliability could not be demonstrated, though.
“The Holy Grail” versus “The Toyota Camry” of Cyber Security
After a little more than an hour of discussions behind the scenes – which also gave the audience a chance to talk with the competitors in person – the jury came back on stage. The final decision came down to Duality versus Axonius and ultimately fell in favor of Axonius as this year’s “Most innovative startup”. Providing some insight into their reasoning, the jury explained that they see a trend towards doing the foundations right instead of focusing on “cyber ninjas with APTs and zero days” all the time. Also, improving a capability that is relevant (and oftentimes painful) for almost every organization provides significantly more market options than highly targeted niche solutions. As Axonius put it, being “the Toyota Camry of cyber security” is not necessarily a bad thing: Nobody had a poster of a Camry on their wall, but it’s still the best-selling car in the United States because it does best what most of the people need. Amidst all the “Quantum, Blockchain, AI”, this should be seen as a positive sign in terms of more realism.
And because startup contests are so much fun, the organizers of the RSA conference decided to add a second format, following more of a “Shark Tank” approach, called the “RSA Launch Pad”. This time, all judges are venture capitalists. So we’ll see how this plays out – and whether we finally get to see some blockchain in action!
Who we are
The „Technology Scouting & Evaluation“ (TSE) service identifies and evaluates promising IT security solutions. With this service, DCSO supports companies in staying ahead of a dynamic and ever-changing market. The centralized and unbiased evaluation process is supplemented with the experience of all community members.