In the rapidly changing cyber security market, what’s hot today can become cold tomorrow.
This has never been truer than today when major technology trends, such as cloud, mobile and the Internet of Things, are transforming the security landscape. Old-line vendors, such as Symantec and McAfee, are seeing their dominance threatened. A new generation of disruptive startups, such as Palo Alto Networks and FireEye, are fighting to remain relevant themselves.
With venture money flooding in, innovation in security is powering along at a fast pace. But a crowded market makes picking more and more tricky.
“Definitely, we need this investment in the security space,” said Pritesh Parekh, chief security officer at Zuora. But “one of the problems we are facing is overloading the security stack.”
Just how crowded the stack has become is difficult to overstate. In the past four years, more than 300 security companies have received venture funding in the United States, according to Thomson Reuters. As a result, corporate buyers struggle with a plethora of choices. Yet relatively unexplored and emerging areas remain ripe for investing.
Among those attracting the most attention today are micro-segmentation, where security is designed to guard individual workloads or small zones within a network, and app security, where companies such as tCell.io play and greater efforts are being made to build security into software applications.
Security Operation Center platforms that can make sense of the plethora of security alerts generated by detection products also are getting a close look. With millions of alerts flooding security dashboards, it’s hard for security staff to identify the most serious threats.
Another space drawing interest from VCs is behavioral analysis, where machine intelligence is harnessed to discover anomalies in network traffic, such as log-ins to a U.S. bank account from China. Two companies in the space, Elastica and Caspida, were acquired last year.
One area attracting the attention of Ariel Tseitlin, partner at Scale Venture Partners, is e-mail security. E-mail is still a primary vector for breaches, and “there is a great wave of innovation waiting to come to market,” Tseitlin predicts. The sector is likely to command more attention from investors in a year or two.
Tseitlin also is looking at cloud security, an area that is still likely underfunded despite money for companies such as CloudPassage.
“There is a complete retooling that is going to have to happen to protect your cloud infrastructure,” he said.
In security “there are going to be a lot more bets than there are going to be winners,” Tseitlin cautioned. But prices are becoming a lot more reasonable, so risk goes down.
Trident Capital Cybersecurity Managing Director Alberto Yépez is in turn interested in security for industrial controls, an area where products will need to bridge information technology and the operational systems at power plants, airports and elsewhere. Breeches can even enter through the HVAC equipment.
Yépez is also interested in external threat monitoring, where intelligence operations centers mine the deep and dark web for corporate information that has been compromised. He expects to see more activity in the space. Companies there include Flashpoint.
Another area worth exploring is mobile security, said Mark Fernandes, managing director at Sierra Ventures.
“There are lots of rules that change when you have to worry about mobile security,” he said. These stem from constraints due to battery life and needs for compelling user experiences. “It’s a new frontier that people have to get their heads around.”
He added: “The biggest question we ask when we look at cyber security investing is, ‘Feature or product or company?’ There are a bunch of new platforms that have come along that have created opportunities.”
Another area that stands out for VCs is run-time application security, where products are placed next to an app to detect vulnerabilities in real time. Companies in the space include Contrast Security and Prevoty.
Investors also have a growing sense that crowdsourcing can be a useful tool to connect white hat coders and clients for bug identification and repair. Companies such as HackerOne are in the space.
Gaurav Tuli, principal at F-Prime Capital Partners, said he takes a thematic approach to investing. “We’re not going to go into a space six years late and back the number three player.”
His present interests include human resources innovations, where hiring can be difficult because of a talent shortage. “I think this is an area that is emerging and exciting, and a big company can be built there,” he said. Phantom Cyber raised a Series A round last year.
In contrast, areas that have already received significant attention from investors include breach detection, next-generation identity platforms and incident response technologies.
Almost certainly there is a bubble of funding in endpoint security with as many as 40 companies now in the space and consolidation on the horizon. Interesting innovation continues, but many companies with narrow solutions probably won’t raise Series B and C rounds, some investors say.
Threat intelligence is another spot that has seen considerable funding and is likely to experience a shakeout. Corporate buyers say they see many me-too companies and too little actionable intelligence.
Despite the over funding, few investors see security innovation slowing. The rising complexity of security attacks requires more capable defenses.
The result is a market that evolves because it is so dynamic, said Joe Horowitz, managing general partner at Icon Ventures. “It’s this evolving complexity that lends itself to new companies in the space.”
Photo: An illustration picture shows a projection of binary code on a man holding a laptop computer. REUTERS/Kacper Pempel