- Large number of devices and sensors
- Need for low-power and low-bandwidth connectivity
- Fragmented nature of the vendor market
As transaction volumes grow exponentially in the digital world, they are accompanied by a rapid increase in fraud, money laundering and compliance costs. David Andrews, Director of Marketing at Identity Mind Global, and Eric Buatois, General Partner at BGV, share their perspective.

Since October 2015, online e-commerce fraud has jumped 11% in the US. In monetary losses, that means that $4.79 out of every $100 is at risk of fraud. In 2016, fraud is predicted to hit 4 billion in losses, and that number is expected to reach 14 billion by 2020. In 2014, fraud caused 12% of losses in P2P online lending. The Financial Action Task Force (FATF) estimated that implementing AML regulations costs $7 billion annually in the U.S. alone. In addition, regulators are keeping close tabs on digital transactions. The resulting regulations mean more fines for non-compliance than ever before. (From "Developments in Bank Secrecy Act and Anti-Money Laundering Enforcement and Litigation", NERA, June 2016.)

The Case for Automation

Manual processes are effective at addressing risk and compliance in only a handful of use cases, such as those with few recognizable patterns or those requiring unique expertise and inspection by the human eye. Manual processes by their very nature do not scale. Why? Because processing more volume manually means more employees, higher costs, and a greater likelihood of inconsistencies and errors. A computer can work around the clock with a level of accuracy that does not vary and can capture large volumes of data effectively; this is not possible with manual processes, and the result is a far greater likelihood of being out of compliance. Manual processes are also more difficult to change. Far better results and greater efficiencies can be achieved by running automated processes alongside manual ones. Automated processes can replace some processes that do not scale well when handled manually. For instance, with high-volume transaction monitoring, automation delivers efficiencies through the consistent application of software-based rules, alerts and case management. However, when there is a real exception and a transaction is flagged, people can be brought into the operational process, culminating in a report and a filing as appropriate. Automation can also supplement manual processes, e.g. prepopulating information for Suspicious Activity Reports before they are reviewed and manually sent.

RegTech is the Disruptor

RegTech is a set of technologies focused on the prevention of fraud, the management of risk and compliance with governmental regulations. RegTech provides the agility for organizations to:
|Reduce risk management and compliance costs||Expanding the team can significantly increase cost. Increasing capacity for an automated process is as simple as the elastic scaling capabilities of the risk management and compliance vendor.|
|Increase compliance speed and accuracy||Manual transaction monitoring can be slow, with quality varying with the experience and expertise of the team. Automated processes are fast and consistent regardless of the volume.|
|More efficient access to data||Data can overwhelm manual systems, where additional inputs and analysis can greatly slow processing speed. On the other hand, an automated system can capture data across multiple systems and analyze it regardless of volume. These systems can produce easier and faster access for information reporting from businesses through to their regulators.|
|Quickly address new regulations and process changes||Changing a manual process requires training and a period for the team to absorb the new process. Changing an automated process can be as simple as changing one or more business rules.|

For banks, fintech companies and merchants looking to become more efficient and effective, RegTech is the new way. It offers a lower-cost, agile solution focused on operational efficiency across high-volume processing and regulatory compliance. It also provides analytics for decisions that help close the gap with the best members of your team.

Areas where RegTech can be applied include:
- Automated onboarding
- Automated payment risk management
- Automated compliance monitoring and execution
- Automated reports generation
- Automated notifications
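The transaction-monitoring pattern the article describes (software rules applied consistently, alerts grouped into cases, a human brought in only for real exceptions, and a Suspicious Activity Report prepopulated before the analyst reviews it) looks roughly like the following. This is an added example written for this page; it is not code from the article, from Identity Mind Global, or from BGV. The rule set, the thresholds, the country codes and the sample transactions are all constructed for illustration and are not regulatory values.

```python
"""Rules-based transaction monitoring with human-in-the-loop case handling.

Added example for this page; not the article's or any vendor's code. Rules,
thresholds, country codes and transactions are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    account: str
    amount: float   # single currency, no FX (constructed simplification)
    country: str    # counterparty country code
    day: int        # day index, used by the time-window rule


@dataclass
class Alert:
    tx_id: str
    rule: str
    detail: str


@dataclass
class Case:
    """One case per account; the analyst moves it from 'open' to 'filed' or 'closed'."""
    account: str
    alerts: List[Alert] = field(default_factory=list)
    status: str = "open"
    sar_draft: Dict[str, object] = field(default_factory=dict)


# A rule sees the current transaction plus every earlier one and returns an Alert or None.
Rule = Callable[[Transaction, List[Transaction]], Optional[Alert]]

# Constructed placeholder thresholds, not regulatory values.
LARGE_AMOUNT = 10_000.0
STRUCTURING_FLOOR = 9_000.0
STRUCTURING_WINDOW_DAYS = 3
STRUCTURING_MIN_COUNT = 3
HIGH_RISK_COUNTRIES = {"XX", "YY"}   # constructed codes, not a real list


def rule_large_amount(tx: Transaction, history: List[Transaction]) -> Optional[Alert]:
    if tx.amount >= LARGE_AMOUNT:
        return Alert(tx.tx_id, "large_amount", f"{tx.amount:.2f} >= {LARGE_AMOUNT:.2f}")
    return None


def rule_structuring(tx: Transaction, history: List[Transaction]) -> Optional[Alert]:
    """Repeated just-under-threshold transfers from one account within a short window."""
    if not (STRUCTURING_FLOOR <= tx.amount < LARGE_AMOUNT):
        return None
    related = [h for h in history
               if h.account == tx.account
               and tx.day - STRUCTURING_WINDOW_DAYS < h.day <= tx.day
               and STRUCTURING_FLOOR <= h.amount < LARGE_AMOUNT]
    if len(related) + 1 >= STRUCTURING_MIN_COUNT:
        ids = ",".join(h.tx_id for h in related)
        return Alert(tx.tx_id, "structuring",
                     f"{len(related) + 1} transfers just under threshold; related: {ids}")
    return None


def rule_high_risk_country(tx: Transaction, history: List[Transaction]) -> Optional[Alert]:
    if tx.country in HIGH_RISK_COUNTRIES:
        return Alert(tx.tx_id, "high_risk_country", f"counterparty in {tx.country}")
    return None


RULES: List[Rule] = [rule_large_amount, rule_structuring, rule_high_risk_country]


def prepopulate_sar(case: Case, transactions: List[Transaction]) -> Dict[str, object]:
    """Fill the mechanical SAR fields; the narrative is left for the analyst."""
    flagged_ids = {a.tx_id for a in case.alerts}
    flagged = [t for t in transactions if t.tx_id in flagged_ids]
    return {
        "subject_account": case.account,
        "transaction_ids": sorted(flagged_ids),
        "total_flagged_amount": round(sum(t.amount for t in flagged), 2),
        "rules_triggered": sorted({a.rule for a in case.alerts}),
        "narrative": "",
    }


def run_monitoring(transactions: List[Transaction], rules: List[Rule] = RULES) -> Dict[str, Case]:
    """Apply every rule to every transaction in day order; same input, same alerts, every time."""
    cases: Dict[str, Case] = {}
    history: List[Transaction] = []
    for tx in sorted(transactions, key=lambda t: t.day):
        for rule in rules:
            alert = rule(tx, history)
            if alert is not None:
                cases.setdefault(tx.account, Case(account=tx.account)).alerts.append(alert)
        history.append(tx)
    for case in cases.values():
        case.sar_draft = prepopulate_sar(case, transactions)
    return cases


def review(case: Case, decision: str) -> Case:
    """The manual step: an analyst confirms the exception ('file') or dismisses it ('close')."""
    if decision not in ("file", "close"):
        raise ValueError("decision must be 'file' or 'close'")
    case.status = "filed" if decision == "file" else "closed"
    return case


# Constructed sample transactions.
SAMPLE_TRANSACTIONS = [
    Transaction("t1", "A-100", 9_500.0, "US", day=1),
    Transaction("t2", "A-100", 9_700.0, "US", day=2),
    Transaction("t3", "A-100", 9_900.0, "US", day=3),   # third just-under transfer in 3 days
    Transaction("t4", "A-200", 250.0, "US", day=1),
    Transaction("t5", "A-300", 12_000.0, "XX", day=2),  # large, and to a high-risk country
]

if __name__ == "__main__":
    for account, case in run_monitoring(SAMPLE_TRANSACTIONS).items():
        print(account, [a.rule for a in case.alerts], case.sar_draft)
```

The rules are plain functions, so changing a business rule really is a one-function edit rather than retraining a team; the `review` step is the only place a person touches a case, and only cases that the rules opened ever reach it.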
Anik Bose, BGV General Partner, shares his perspective on the state of the cyber security sector.

"It was the best of times and it was the worst of times, it was the age of wisdom, it was the age of foolishness." I believe that these lines from Charles Dickens' A Tale of Two Cities are an accurate description of the state of the cyber security sector today.

Why it's HOT?

Security budgets are increasing across the board. Gartner is predicting that enterprise security budgets are shifting towards an increased focus on detection and response, and that 60% of security budgets will be allocated to these two areas by 2020. The PwC Security Survey states that information security budgets increased by 24% in 2015 in response to a 38% year-over-year increase in security incidents. IDC predicts that security analytics, threat intelligence, mobile security and cloud security will be hot areas of growth. Additionally, we believe that IoT security, a relatively new market, will be a significant growth area in the future.

Consistent with the above, we continue to see market pain points attracting innovation and VC funding in areas such as threat intelligence (e.g. Survela, http://www.survela.com), anti-fraud/identity management (e.g. Identity Mind Global, http://www.identitymind.com), encryption, next-generation endpoint, network visibility and isolation (e.g. Spikes Security, http://www.spikes.com) and automated incident response (e.g. Packet Sled, http://www.packetsled.com). This rate of innovation is fueling a leadership shift amongst the vendors in the cyber security industry. Old-guard companies like Symantec, HP, Cisco, Dell/EMC, Trend Micro, Blue Coat and Intel/McAfee are scrambling to stay relevant in the rapidly changing market. New-guard larger companies like Palo Alto Networks, CyberArk, Palantir and FireEye are staking out a lead. Finally, startups like Cylance, Illumio, SkyHigh Networks and Tanium are poised to transform sub-segments of the industry. In summary, strong sector growth and an industry structure ripe for change are attracting innovation and capital at unprecedented levels.

Why it's NOT?

The cyber security sector attracted more than $3.3Bn in funding in 2015 across 130+ deals. The practical reality today is that CISOs cannot absorb and deploy anywhere close to the amount of new cyber technologies getting funded. In other words, there is a cyber tools saturation phenomenon which will force out all but the very best and most critical new cyber technologies: those most critical to CISOs' cyber security priorities and which can best be integrated into their existing environments. We believe that only very large enterprises will be able to invest in internal capabilities to vet and integrate a variety of best-of-breed startup technologies, while other enterprises will rely on their trusted security vendors and/or MSSPs to vet, source and integrate best-of-breed innovation. Valuations are at all-time highs: early-stage, pre-revenue Series A companies are being valued at pre-money valuations of $20-30M. Late-stage companies like Tanium, Illumio, Okta and Zscaler, with revenues in the tens of millions, are being valued in excess of $1bn, multiples that could be difficult to maintain in public markets. However, recent public market volatility is leading investors to a "back to basics" mentality in venture and late-stage funding, looking at growth coupled with profitability and cash flow generation. Companies like FireEye that were enjoying lofty valuations based on growth alone have seen their valuations come down, reflecting the "back to basics" mentality. Companies like Palo Alto and CyberArk that are delivering growth and profitability are being valued at far higher multiples. CISOs at enterprises are becoming more cautious when working with startup cyber vendors making ambitious claims or pricing assumptions that are inconsistent with the value they deliver; they are increasingly seeking a level of vetting that is creating extended POCs and long sales cycles for these startups competing for mindshare. Furthermore, many CISOs are increasingly looking to their trusted vendors and MSSP partners to vet best-of-breed products and deliver integrated security solutions. Finally, strategic acquirers are also becoming more cautious with respect to paying the frothy valuations seen in recent years, preferring instead to work with startups over a period of time, either through an investment or through their accelerator programs. In summary, the cyber security sector is overfunded, with troubling signs of valuation froth, and startups are struggling to compete for mindshare with enterprise CISOs, leading to extended POCs, long sales cycles and ultimately increased capital intensity.

BGV Conclusion

We believe that cyber threats are endemic and the demand for effective countermeasures is strong. This, combined with an industry leadership structure in flux and scarce cyber talent, represents the best of times: opportunities to invest in and create young innovative companies. However, capital being available at unprecedented levels, coupled with frothy valuations and "noise levels" competing for enterprise CISO mindshare, represents the worst of times. Investing to build strong companies in such an environment requires a thoughtful and disciplined approach, one that seeks to create eco-system alignment with CISOs' "trusted" strategic security vendors and/or MSSPs, and that discerns between investing in technologies that will create successful companies valued on fundamental metrics (customer value, growth and profitability) versus "quick flip expensive" bets that will deliver good returns predicated only on frothy strategic M&A valuations. BGV remains disciplined on valuations (we have walked away from several cyber deals when valuations approached unjustifiable levels). We also continue to invest time in validating customer value (ROI), the technology and the technical teams (with the expertise to tackle complex cyber problems) by leveraging our privileged relationships with ex-CTOs of cyber portfolio companies, with trusted strategic security vendors (e.g. Palo Alto Networks) and with trusted MSSPs (e.g. Capgemini).
Websites infected with malware are a major culprit behind cyber attacks, and unsecured Web browsers are a common attack vector for hackers. A growing Silicon Valley startup is trying to solve that problem by taking the Web browser out of the equation.

Spikes Security says its browser-isolation technology protects computers from malware and Internet-borne attacks by creating a virtual machine that isolates the user's own browser from the Internet. Company founder Branden Spikes came up with the idea in 2008 from the need to protect rocket scientists. He has since launched a startup that recently rolled out its first commercial version, and has sparked interest from several sectors, including credit unions.

The technology, called AirGap, works by using secure Linux appliance hardware that renders Web pages outside of the user's network. The browser's session is streamed back to the user through a high-performance remote desktop connection of sorts; think of it like streaming a very high-quality video. "We come at it from a preconceived assumption that all browsers are malware by their very nature," says Spikes, who serves as company CEO and CTO. A recent Ponemon Institute study sponsored by Spikes Security found that 81 percent of the 645 surveyed IT practitioners consider unsecured Web browsers a primary attack vector. The same number found that Web-borne malware could be completely undetectable despite various security tools. "I feel like most of the other attack vectors have been solved or can be shut off," Spikes says. "A Web browser cannot be turned off."

From rocket science to Silicon Valley

Spikes was a consultant who installed firewalls when he met a guy named Elon Musk, who was working on an Internet startup. Musk went on to co-found PayPal, and later founded the aerospace developer and manufacturer SpaceX. At PayPal, Spikes oversaw cybersecurity, along with Web systems, databases and "all the sort of blinking lights that sit in the data center." When Musk moved on to focus on SpaceX, he brought Spikes along. Spikes, who spent 10 years as CIO at SpaceX, was exposed to all sorts of network attacks there. But despite state-of-the-art defenses, one type consistently got through. "There's one thing that was always able to defeat my defense mechanisms, and that was end users' Web browsers," he says. When Musk announced in the mid-2000s that he wanted to launch astronauts into space, Spikes says he started to lose sleep. "(I) had to defend the livelihoods of human beings with my network. ... If I was unable to stop browser malware, I would really likely fail," he says. Spikes' job at SpaceX, essentially, was to not allow the bad guys to hack the network. That high bar, he says, meant he had to solve the challenge of protecting intellectual property that resided entirely on laptops and desktops.

Spikes invented AirGap in 2008 while at SpaceX, but maintained the intellectual property rights. Four years later, he spun off his own startup. Today, Spikes Security employs 30 people in Los Gatos, Calif. The company received an $11 million Series A investment last fall that has allowed it to expand its engineering team and accelerate the development of new features. After a couple of years perfecting the technology and extensive beta testing, the product was rolled out officially earlier this year. About two dozen customer deployments are in place, with another two dozen in various testing stages. "When you're building an innovative product like this, it requires a lot of ongoing education and collaboration with customers to ensure the product is meeting and exceeding expectations," says Chief Marketing Officer Franklyn Jones.

Challenging the competition

The idea of browser isolation technology is not new. Several other vendors are offering isolation technology, including some big players. Typically, they are trying to solve this through a sandbox or micro virtual machine. The problem, Jones says, is that if malware escapes the sandbox or VM, the network becomes affected. "We keep all the bad stuff outside the network," he says. The company is having some early success with credit unions. "Small banks and credit unions are prime targets for cyber criminals because, very often, these firms do not have the IT staff or budget to build state-of-the-art security infrastructure," Jones says. The company plans to launch a mobile version this year, and another major product announcement is due in a couple of months. "One of our long-term goals is to ensure that the Web is safe for everyone, everywhere, all the time," Jones says. "We are on track to meet that objective before the end of the year."
- Big Data: we need the right data and it needs to be clean and timely
- Big Analytics: we need the right analytics and lots of them running continuously
- Visualization: we need fast and intuitive interfaces for human analysts
- Surprisingly, iOS apps exhibit more risky behaviors than Android apps (91% of the top 200 iOS apps exhibit at least 1 risky behavior as compared to 83% of the top 200 Android apps)*
- Free apps are riskier than paid apps: 95% of the top 200 free iOS and Android apps exhibit at least one risky behavior vs 80% of the top 200 paid apps.*
Developing a multi-pronged cybersecurity strategy is a critical job for CSOs today. Neil Daswani shares his perspective on this important topic. He is currently at Twitter, serves on the faculty of Stanford's Advanced Computer Security Program, and is a friend of BGV.

Chief Security Officers (CSOs) have a tough job. They need to protect an organization against many, many different forms of attack, and need to do their best to close as many vulnerabilities as possible, if not all of them. Attackers, on the other hand, need to find just one vulnerability to get their foot in the door. As such, it is important for CSOs to employ a well-thought-out, multi-pronged strategy based on an understanding of the most significant risks and threats to their organization. Just as Anik Bose mentions in his blog post on more general Strategy in Start-Ups, thinking about the "who, what, and where" is just as important for the CSO as it is for the CEO. In particular, for the CSO, the strategic questions that need to be tackled are:
- Who are you trying to defend your organization against?
- What are the attackers after?
- Where is the attack emanating (or going to emanate) from?
|Time Period||Typical Attackers||Typical Goals / Motivations||Examples|
|Mid 1980s to Early 2000s||Mostly "one-man" shows or small teams||Disruption / Defacement||Worms (Morris, Nimda, Code Red, SQL Slammer), Activism / Hacktivism|
|Early to mid 2000’s||Organized groups of cybercriminals||Steal money / conduct fraud||Phishing, Identity Theft, Data Theft, Click Fraud, Pharming|
|Mid 2000’s to present||Nation-states||Steal intellectual property, Identify dissidents, Disrupt nuclear arms development||Operation Aurora, Stuxnet, Watering Holes|
Summary of attacker types and motivations from the mid-1980s to the present.

Today, organizations also face the threat of nation-state attacks, in which governments or groups hired by governments are the "who" behind the attacks. Such groups are typically very well-funded, patient (they may conduct their attacks over a period of years), and sophisticated (they may develop zero-day exploits as well as new technology to conduct their attacks). They have a variety of motivations, of which corporate espionage is one. Stealing the intellectual property of foreign corporations and replicating products without having to incur the cost or time involved in R&D may be a quick path that a government could pursue to enable its constituents to compete. Operation Aurora, in which Google as well as three dozen other corporations were targeted, and APT1, in which over 150 organizations were victimized over a 7 year period, were examples of "advanced persistent threat" attacks in which corporate espionage was a suspected or likely goal. In these types of attacks, spear phishing, malware drive-by downloads, social engineering, and watering hole websites are common mechanisms used as part of the attack. In addition to corporate espionage, nation-states may also conduct attacks to attempt to degrade an adversary's capability to manufacture weapons. In the Stuxnet attack discovered in 2010, for instance, malware that targeted centrifuges that could be used to enrich uranium infected 60% of the computers in Iran. By speeding up or slowing down centrifuges, the malware interfered with the enrichment process that could be used to develop weapons-grade uranium and manufacture nuclear weapons.
Note that as time has progressed, attacks have only gained in volume, diversity, and sophistication, giving truth to the saying that "attacks only get better." It is also interesting to note that malicious software, or malware, has been a common thread across attacks and has been a key tool in conducting progressively more sophisticated attacks over time. While this article has focused on the "who" and "what," the "where" is equally important. Attacks on the Internet can, of course, emanate from anywhere, and often cannot be prevented from emanating, but the "where" can be extremely important for detection, containment, and recovery. It is important to prevent attacks whenever possible, but preventing every possible form of attack is usually cost prohibitive. Corporations need to determine what their highest, most significant risks are and invest resources to prevent those, while at the same time investing in countermeasures that allow them to detect, contain, and recover from medium and low priority risks. (Corporations also need to invest in detection, containment, and recovery for high priority risks, just in case they don't get prevented.) The origin from which web traffic, emails, phone calls, and other communications emanate can often provide a signal of how suspicious the communication is. Even when attackers "proxy" their communications or obscure their actual source, any signal that indicates that the original source is being obscured can itself serve as a signal. In this article, I have mainly discussed general security trends in the "who" and "what" that have affected many organizations over the past few decades. That said, each organization is unique and must put in the appropriate effort to determine the "who" and "what" they need to be most concerned about as a paramount step in their cybersecurity strategy formulation.
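The point about the "where" (the origin of a communication is a signal, and evidence that the origin is being obscured is itself a signal) can be turned into simple triage logic. The following is an added example written for this page, not the author's code or any organization's tooling: it parses a handful of constructed access-log lines and scores each request on origin signals, routing it to allow, step-up authentication, or analyst review. The log format, the address ranges (RFC 5737 documentation space), the "known anonymizer" list, the weights and the thresholds are all constructed placeholders; a real deployment would take the range list from a threat-intelligence feed and tune weights against its own history.

```python
"""Scoring inbound requests on origin signals over constructed log lines.

Added example for this page; not the author's code. Log format, ranges,
anonymizer list, weights and thresholds are constructed placeholders.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample lines: source IP, X-Forwarded-For and Via headers as
# received ('-' when absent), geolocated country of the source, the account's
# home country, and the requested path.
LOG_LINES = [
    "2016-06-01T10:00:00Z src=203.0.113.7 xff=- via=- geo=US acct_home=US path=/login",
    "2016-06-01T10:00:05Z src=198.51.100.9 xff=10.1.2.3 via=1.1_corp-proxy geo=US acct_home=US path=/login",
    "2016-06-01T10:00:09Z src=192.0.2.44 xff=- via=- geo=XX acct_home=US path=/transfer",
    "2016-06-01T10:00:12Z src=192.0.2.200 xff=- via=- geo=ZZ acct_home=US path=/transfer",
]

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) xff=(?P<xff>\S+) via=(?P<via>\S+) "
    r"geo=(?P<geo>\S+) acct_home=(?P<home>\S+) path=(?P<path>\S+)"
)

# Constructed placeholder; in practice this comes from a threat-intelligence feed.
KNOWN_ANONYMIZER_NETS = [ipaddress.ip_network("192.0.2.128/25")]
SENSITIVE_PATHS = {"/transfer"}

# Constructed weights and decision thresholds.
WEIGHTS = {
    "proxy_headers_present": 2,   # the request says it was relayed
    "private_address_in_xff": 1,  # the relay chain claims to start on a private network
    "geo_mismatch": 2,            # source country differs from the account's home country
    "known_anonymizer": 3,        # source is inside a listed anonymizing range
    "sensitive_action": 1,        # the action itself raises the stakes
}
HOLD_THRESHOLD = 5
STEP_UP_THRESHOLD = 3


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def origin_signals(rec: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return the (signal, weight) pairs present in one parsed record."""
    found: List[Tuple[str, int]] = []
    if rec["xff"] != "-" or rec["via"] != "-":
        found.append(("proxy_headers_present", WEIGHTS["proxy_headers_present"]))
    if rec["xff"] != "-":
        try:
            if ipaddress.ip_address(rec["xff"].split(",")[0].strip()).is_private:
                found.append(("private_address_in_xff", WEIGHTS["private_address_in_xff"]))
        except ValueError:
            pass   # malformed header value; already counted as a proxy header
    if rec["geo"] != rec["home"]:
        found.append(("geo_mismatch", WEIGHTS["geo_mismatch"]))
    src = ipaddress.ip_address(rec["src"])
    if any(src in net for net in KNOWN_ANONYMIZER_NETS):
        found.append(("known_anonymizer", WEIGHTS["known_anonymizer"]))
    if rec["path"] in SENSITIVE_PATHS:
        found.append(("sensitive_action", WEIGHTS["sensitive_action"]))
    return found


def score(rec: Dict[str, str]) -> int:
    return sum(w for _, w in origin_signals(rec))


def decide(s: int) -> str:
    if s >= HOLD_THRESHOLD:
        return "hold_for_review"    # queue for an analyst before the action completes
    if s >= STEP_UP_THRESHOLD:
        return "step_up_auth"       # require a second factor, then allow
    return "allow"


def triage(lines: List[str]) -> List[Dict[str, object]]:
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        s = score(rec)
        out.append({"src": rec["src"], "path": rec["path"], "score": s,
                    "signals": [name for name, _ in origin_signals(rec)],
                    "decision": decide(s)})
    return out


if __name__ == "__main__":
    for r in triage(LOG_LINES):
        print(r)
```

No single signal blocks a request on its own; a corporate proxy legitimately adds forwarding headers, and travel legitimately produces a country mismatch. The scoring only escalates when several weak indicators coincide with a sensitive action, which is what keeps the "where" useful for detection and containment without becoming a source of constant false positives.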