The race is on to get ahead of those looking to steal or damage computer information.

Cybersecurity is the business and personal information issue of our time. Massive incursions into the computer systems of retailer Target, health insurer Anthem and the U.S. government’s Office of Personnel Management, where attackers made off with sensitive records of federal employees’ background checks, have underscored the enormity of the problem.

Finding solutions is made harder by a lack of experienced security professionals—surveys predict a shortage of 1.5 million cybersecurity workers by 2020. “Security is a challenging space,” says Alex Rice, cofounder and chief technology officer of San Francisco-based cybersecurity startup HackerOne. “Everyone who is trying to build out a security team is having a hard time, because there is a zero unemployment rate.”

But the constantly changing industry, with innovative startups challenging established firms, is making inroads. Following are 12 companies that have a technology, an approach or a philosophy that could change the security equation.

Security for Mid-Market Companies

ALIENVAULT
Founded: 2007 by Julio Casal and Dominique Karg
Headquarters: San Mateo, Calif.
Mission: Help companies pinpoint the extent of their cybersecurity threats

AlienVault is a company with one goal: to give smaller companies the tools to fight off today’s security threats. To do so, AlienVault has integrated a collection of open-source security resources into a single system that allows companies to gauge their vulnerability—or “attack surface,” in industry parlance—and create a central hub for all security information, from vulnerabilities in existing devices to odd behavior on the network.

The company used the same philosophy in 2012 to create the Open Threat Exchange, a service that lets security professionals share information on current attacks and malware. The open-source intelligence derived from the service is integrated into the company’s core product. The result is the Ford Model T of information security—an affordable way for companies to get a better handle on their situation. “Our goal is to make threat response affordable to every company, because every company has an attack surface,” says Barmak Meftah, CEO. 

Credit Ratings For Corporate Security

BITSIGHT TECHNOLOGIES
Founded: 2011 by Nagarjuna Venna and Stephen Boyer
Headquarters: Cambridge, Mass.
Mission: Create objective, evidence-based security ratings to help companies gauge their cyber-risk

Data is a huge problem for the security industry: Company security teams are inundated with alerts that create work, while security companies produce few meaningful metrics of their products’ effectiveness or of the actual threat to their customers. BitSight aims to change this. The company uses publicly available sources of security information, from blacklists of suspicious internet addresses to information on who is sharing files over peer-to-peer services, to evaluate the security of any company with an IP address. BitSight then distills that information into a single number modeled after consumer credit scores. The company has documented correlations between its rating and security breaches, says COO and president Tom Turner.

BitSight says it has 250 customers, and seven of the 10 largest underwriters of cyber-liability insurance already use BitSight ratings as part of the process of evaluating a potential policyholder. The company sees two other major groups of customers using its service: large firms looking to evaluate the security of their third-party suppliers and any company looking to compare its security with industry peers. The rating system “allows security teams to get away from the emotional response and say, ‘Here is the data,’ and then have that risk-based discussion,” Turner says.

Securing Software From The Inside Out

CONTRAST SECURITY
Founded: 2014 by Jeff Williams and Arshan Dabirsiaghi
Headquarters: Palo Alto, Calif.
Mission: Create a security platform that protects enterprise software against both vulnerabilities and attacks

There is one commonality to such problems as attacks on websites, most of the malware that infects computer systems and device break-ins: The attacker uses software bugs to undermine the system’s or device’s security. Most developers use “static” analysis software to examine their code for known patterns of vulnerabilities, while security teams and quality-assurance testers hammer at applications with automated attacks, or “dynamic” analysis. Contrast Security espouses a third approach that uses a lightweight software program, or “agent,” on systems, and special code libraries to help developers track the behavior of programs. The system gathers data from the application as it’s running—a technique known as instrumentation—reducing false alerts, and can block attacks that it detects, says Jeff Williams, cofounder and chief technology officer.

“We realized that instrumentation is a better way to find vulnerabilities,” he says. “We are transforming the application into something that protects itself against both vulnerabilities and attacks.” Several large companies already have pilot Contrast Security programs in the works.

Helping Firms Detect And Respond To the Bad Guys

CROWDSTRIKE
Founded: 2011 by George Kurtz and Dmitri Alperovitch
Headquarters: Irvine, Calif.
Mission: Focus on better malware protection, faster response and improved hunting for the source of attacks through a cloud service

While antivirus software may be dead, the focus on the end users’ devices and systems—the so-called endpoint—is still very much alive. Yet managing thousands, or tens of thousands, of devices and the alerts from those devices can be overwhelming. CrowdStrike, founded by two former McAfee security experts, aims to help companies by combining a program that watches over the endpoint, called an agent, with a cloud service for continuously monitoring systems and managing response. The company’s approach is to center the technology in the cloud, says George Kurtz, cofounder and CEO. “We want to be the glue that helps all the other technologies stick together,” he says. “This is about building a platform that deals with the complexities” in security.

Perhaps the biggest impact CrowdStrike has had on the industry is through its focus on the people behind the attacks. Two years ago, Kurtz told anyone who would listen that their problem was not malware, but adversaries. The intelligence gathered from numerous attacks, and the names CrowdStrike has given the groups behind those attacks—such as Goblin Panda, Viceroy Tiger and Charming Kitten—have focused others in the industry and in government on the problem of nation-state hacking.

Securing the Mobile Web Ecosystem

GOOGLE
Founded: 1998 by Larry Page and Sergey Brin
Headquarters: Mountain View, Calif.
Mission: Offer secure online services and mobile software

As the world becomes increasingly connected, the online services and applications offered by Google become more important. Google hosts the world’s largest collection of mobile applications in its Google Play store and has branched out into other markets, such as home automation and self-driving cars, that will make the company’s services even more pervasive.

It’s no surprise then that Google has taken a proactive approach to security. The company paid out more than $2 million in bounties to more than 300 researchers who found vulnerabilities in its products and services in 2015, up from $1.5 million in 2014. Google has also put pressure on other online services and software developers by creating a hub for reporting and disclosing vulnerabilities, known as Project Zero. “With an open approach, we’re able to consider a broad diversity of expertise for individual issues,” Eduardo Vela Nava, a security engineer for Google Security, says in a blog post summarizing the company’s progress. “We can also offer incentives for external researchers to work on challenging, time-consuming projects that otherwise may not receive proper attention.”

The company’s focus has paid dividends. While, for example, the openness of the Android mobile operating system has attracted the lion’s share of mobile attackers, Google sees only 0.5 percent of devices attempting to install a potentially unwanted program, much lower than the typical 10 to 15 percent of Windows systems affected by such programs.

The Gig Economy Meets Security Testing

HACKERONE
Founded: 2012 by Alex Rice, Merijn Terheggen, Michiel Prins and Jobert Abma
Headquarters: San Francisco
Mission: Help customers run their own responsible disclosure or bug bounty program and tap the knowledge of security researchers worldwide

For more than two decades, hackers and security researchers have discovered software bugs in products ranging from Microsoft Windows to Facebook to the industrial control systems that run electrical grids and power plants. What they do with those vulnerabilities often depends on how open the product maker is to engaging these third-party researchers. Over the past five years, scores of companies have launched efforts to convince security researchers to privately report vulnerabilities in their products, but HackerOne wants to make the process go more smoothly and predictably. Alex Rice, the firm’s cofounder and chief technology officer, estimates that more than 90 percent of companies do not have a process to allow researchers to contact their security teams and disclose vulnerabilities.

HackerOne helps businesses with software or a web service establish a system for handling bug reports. Once the process is in place, HackerOne helps the companies create their own bounty programs to attract bug reports, tapping the expertise of independent security researchers at a time when knowledgeable security professionals are in short supply. So far, programs created in partnership with HackerOne have resulted in 18,000 bug reports, paying out more than $6 million to about 2,300 researchers and hackers. The market is just starting to take off, says Rice. “The bounties that we are seeing getting paid today—while they are leaps ahead of what we saw in terms of bounties five years ago—are still well below what researchers’ knowledge and time is actually worth and what we expect to see in the future,” he says. Currently, about 60 percent of the company’s customers are offering money for information on vulnerabilities, while the other 40 percent have just established bounty programs.

Creating A Digital Maze To Fool Attackers

ILLUSIVE NETWORKS
Founded: 2014 by Ofer Israeli and cyber VC Team8 led by Nadav Zafrir
Headquarters: New York and Tel Aviv, Israel
Mission: Use deceptive technology to turn customers’ networks into a maze of illusory devices, systems and users to confuse attackers and act as an early-warning system

Current common wisdom among security professionals and the security industry is that you cannot prevent attackers from getting into your network 100 percent of the time. Faced with that reality, Illusive Networks aims to confuse the attackers once they get in by creating large numbers of fake resources based on actual information technology and digital files already on the network. The goal is to make the attacker deal with determining what is fake and what is real, says CEO Shlomo Touboul. “We are forcing the attacker to take a bet on every step,” he explains. “It is like going to a casino and making $100 or $1,000 bets, and the attacker has to be successful with every one.”

Just as important, when the attacker guesses wrong, the system will alert the security team that someone tried to access a nonexistent resource—usually a sign that something malicious is going on. While such security canaries, called honeypots or honeynets, have been popular in the past, Illusive makes it easy to set up and scale to an entire network, Touboul says.

Encrypt Everything And Secure The Keys

IONIC SECURITY
Founded: 2011 by Adam Ghetti
Headquarters: Atlanta
Mission: Create a pervasive encryption infrastructure with distributed key management that makes it easy to secure data even after it’s been stolen

Whenever a company’s network is breached, attackers generally search out unencrypted data or find a way to decrypt sensitive information. The problem for most companies is that security is part of a system—once the attacker gets the information outside the business’ gated environment, they can do what they want with it. Ionic Security aims to make encryption pervasive and put control of the information in the hands of the owner. Authorized recipients can read the data, but a central management system can restrict rights to certain classes of users. “We really have this simple philosophy,” says Adam Ghetti, founder and CEO. “They have all this distributed information created by all these distributed systems, and now they have a centralized way to understand what is going on and centrally manage who gets access to the data. They don’t have to predict the future.” In general, about 15 percent of data in a company is sensitive enough to require encryption and monitoring, Ghetti says. Of that, about two-thirds is unstructured data—the information that is not found in a database but in, for example, Word documents or email messages.

Ghetti originally came up with the idea for the system in 2011 when trying to create a way for social media users to retain control of their posts. The system, called Social Fortress, requires other users to have permissions—and a key—to read the information. Deleting the key effectively deletes the information, even if the social media service continues to store the user’s posts.

A Focus on Software Security and Defense

MICROSOFT
Founded: 1975 by Paul Allen and Bill Gates
Headquarters: Redmond, Wash.
Mission: Create secure software and services for consumers and enterprises

When Microsoft entered the new millennium, the software giant continued to fight the need for security and routinely found itself at loggerheads with security researchers and hackers who had found vulnerabilities in its code. A series of viruses and worms—such as Code Red and Nimda in 2001 and Slammer and Blaster in 2003—convinced the company, and then-chairman Bill Gates, to put security front and center. A series of efforts followed, including the Trustworthy Computing Initiative to focus the company on security and undo the public-relations damage wrought by the successive malware, and the creation of a development process, the Security Development Lifecycle, to catch and weed out as many software defects as possible.

Today, Microsoft spends more than $1 billion on security each year, offers six-figure prizes for security researchers who find vulnerabilities and create defensive solutions for reducing risk, and holds an annual conference, BlueHat, that aims to keep internal development teams apprised of security risks. The company also pioneered the use of civil lawsuits to pursue cybercriminals with its Microsoft Active Response for Security (MARS) program through which it cooperates with competitors and law enforcement to identify bad actors. “I firmly believe that security is a journey and not a destination,” Bret Arsenault, chief information security officer, says in a blog post announcing the company’s security progress last year. “It’s also an issue that must be addressed holistically by the industry and not by a single vendor.”

With the move to the cloud and the increasing popularity of the company’s Azure service and Office 365 software-as-a-service offering, Microsoft is again rethinking security, but the company has shown that it has the ability, and the will, to do so.

What Security Experts Use At Home

OPENDNS
Founded: 2006 by David Ulevitch
Headquarters: San Francisco
Mission: Augment the internet’s domain name system to add security, speed and safety

When security professionals need to secure their home networks, many start with a free service from OpenDNS. The company, which started in 2006 as a way to speed and filter the internet, allows any user to simply start using OpenDNS’ domain-name servers—the computers that turn a domain name, such as worth.com, into a numerical internet address. In return, the service filters out known malicious websites, phishing servers and the command-and-control systems that criminals use to remotely control victims’ systems, as well as inappropriate parts of the web.

Those same capabilities convinced companies to try out the service as well. Now, more than 65 million internet users, including those from 10,000 organizations, have replaced their DNS servers with OpenDNS’ system and have gained the security benefits. With the move from computers and networks to mobile devices and roaming, building security into the network becomes even more important, David Ulevitch, founder and CEO of the company, bought by Cisco in August, says in a 2014 blog post on the service. “We’re helping to solve the challenges created by the eroding network perimeter and the rise of the sophisticated attacker,” he says. “We attack both problems by looking at the last 35 years of enterprise security best practices and applying them to the world we work in today.”

Privacy For Mobile Users

SILENT CIRCLE
Founded: 2012 by Mike Janke, Jon Callas and Phil Zimmermann
Headquarters: Geneva
Mission: Build a privacy-centric communications system for workers and consumers to keep business and private citizens safe and secure

Since the leak of information from the National Security Agency by Edward Snowden in 2013, the extent of government surveillance has become a growing concern. While many governments are forcing telecommunications carriers to allow access in response to lawful requests for communications data, some technology firms are creating systems to keep conversations and messages secure and away from prying eyes. Silent Circle went a step further and built a phone, the Blackphone, that brings together a suite of applications to make privacy-enhanced calls and messaging easier. The effort is important as more communications move from an analog to a digital medium, says Bill Conner, Silent Circle’s president and CEO. “Increasingly we are using the cloud and mobile for our personal lives and our work lives—there is no boundary,” he says. “The next generation of how you work and play is done globally and through cloud applications and through mobile devices. So the question becomes how do you secure that.”

Silent Circle has also broken out its offerings as stand-alone applications and services to provide privacy to any iPhone or iOS user. While other services exist, such as Wickr and RedPhone, Silent Circle’s combination of hardware and software—and its efforts to keep data out of reach of government hands—has put it in the lead of privacy-focused companies.

Using The Cloud To Deliver Security

ZSCALER
Founded: 2008 by Jay Chaudhry
Headquarters: San Jose, Calif.
Mission: Provide users with cloud-based security to protect the mobile worker and cloud-based data

With security professionals in high demand, companies must increasingly find ways to secure their employees without relying on a large security team. At the same time, the way that employees work has changed, with more using mobile devices connected to the cloud, making security more complex. Zscaler uses the cloud to help companies secure devices through their network connection, in the same way that a water utility makes water safe from the tap, says CEO Jay Chaudhry. “If applications are moving to the cloud, security should too,” he writes in an email. “Traditional security deployed on the corporate perimeter falls woefully short in protecting companies from today’s advanced threats.”

While other companies have moved to providing security from the cloud, Zscaler jumped into the business early. Cloud-based security provides three major benefits: Corporate customers do not have to buy new hardware or devices for the service to work, making deployment easy; the service can bring a great deal of security knowledge to bear on problems; and it can be updated quickly.