event coverage

Cyber Investing Summit 2017. Photo by the CyberWire.

Pitches: Innovation from Young Companies

The Pitch Panel was the Cyber Investing Summit's fast round of innovation pitches, moderated by Allegis's Bob Ackerman and Wells Fargo's Rich Baich. The pitches were interactive conversations as much as they were the sort of high-concept company introductions familiar from, for example, Shark Tank. Video of the pitch panel may be found here.

KnowBe4 and the creation of the human firewall

Stu Sjouwerman, CEO of KnowBe4, presented his company's approach to creating what he called "the human firewall," effective training to protect employees against social engineering attacks. This is the sort of approach Kevin Mitnick, KnowBe4's Chief Hacking Officer, had earlier called "inoculation."

Ackerman asked an obvious question about training: how do you make it stick? Do you shame employees with their results? Sjouwerman thought that was exactly the wrong use of training: "No--that's no way to a security culture," and training is effective if and only if it leads to the formation of a healthy security culture. Begin by establishing a baseline graph of employee susceptibility to social engineering. If the training is effectively conducted, you see the success rate of phishing go down over time.

KnowBe4's go-to-market approach is to sell first to IT departments, and only after those initial sales to move to human resource departments as customers. Given the role HR tends to play as company enforcers, that would seem consistent not only with reaching an informed audience likely to have assumed default responsibility for cybersecurity within an organization (that is, IT) but also with KnowBe4's commitment to non-punitive inoculation. KnowBe4's average customer size is currently in the 200-400 headcount range.

BioCatch, who lets you know them by what they do

CEO Eyal Goldwerger described BioCatch's approach to behavioral biometrics. BioCatch operates with many financial service customers, for whom ID theft is rampant. Fraud and its anti-fraud counterpart have, Goldwerger said, been engaged in "a long race to the bottom." Anti-fraud measures have tended to look for the source of the threat. But BioCatch instead looks at the behavior of the user. 

The company's behavioral biometric approach doesn't assume a perfect system. Instead, it builds up an effective behavioral profile in a matter of weeks. "We detect fraud other solutions can't. We save companies millions." They also, Goldwerger said, reduce the false positives that come with other fraud detection methods.

BioCatch claims more than forty-five granted and pending patents. They use multiple modalities to develop a rich profile of individual users, with at least five-hundred metrics applied to the users' interactions with their devices.

MobileIron, from phones to the IoT

Simon Biddiscombe, MobileIron's CFO, presented his company's data protection solution, which "protects data wherever it is." Employees demand a modern experience, he said, and as workloads have shifted, so have security paradigms. MobileIron saw the coming centrality of mobile devices to the enterprise, and its certifications have been critical to its success in a broad, integrated ecosystem.

They've also moved into security for the Internet-of-Things. As Biddiscombe put it, "IoT came to us; we didn't go after IoT." Companies in the oil and gas sector approached MobileIron about securing sensors on oil rigs; they perceived that this problem was essentially similar to securing mobile devices. MobileIron has worked successfully with customers in that sector, and connected cars are now providing its second IoT use case.

We followed up with Simon Biddiscombe and his team after the pitch. We were particularly interested in how they saw IoT security. They protect corporate data on physical devices outside the firewall, Biddiscombe explained. Their approach has been particularly well-adapted to the growing bring-your-own-device culture. It helps enterprises manage how employees access data. 

MobileIron realized early the importance Android and iOS devices would assume within enterprises. They don't play in the pre-Windows 10 environment, but they do work in Windows 10 and its projected successors. Their distinctive approach is effectively to divide a device in two: the enterprise gets one half, the personal user the other. "It's containerization at the base, but invisible to the user." They hold patents on selective wiping and on certificates for mobile devices.

They see Android as replacing older systems like XP Embedded in the industrial Internet-of-Things. As he had mentioned during his pitch, Biddiscombe said MobileIron's involvement in IoT began when the oil and gas sector wanted to backhaul sensor data from offshore oil rigs to Houston. The sensor gateway is essentially a mobile device, so MobileIron built a VPN tunnel from sensor to headquarters.

Government is an important vertical for MobileIron, and the company sees the certifications it holds as an important competitive advantage. Its solution is, for example, an aid to GDPR compliance, a way of showing that an enterprise has done its GDPR due diligence. The company believes its solution has contributed to the sector's still-emerging standards of care. HIPAA compliance affords similar use cases.

Since MobileIron works on devices outside the firewall, they see interesting security applications for enterprises that make use of the cloud. "Consider Salesforce," Biddiscombe said. "The disgruntled sales guy who intends to quit and take his contacts and other stuff with him." MobileIron's solution authenticates a user (and Biddiscombe noted in an aside that the solution also affords an additional layer of security in that it turns a device into a necessary physical token). The app a potential rogue user needs to employ must come from the corporate app store, and it must be accessed on the right physical device. 

In the end, everything on the device is encrypted and secure. They have more than three-hundred ecosystem partners. MobileIron is cash flow positive, and it's been publicly traded for three years. Biddiscombe said the company enjoys a $500 million market capitalization.

Uniken: verify, and then connect

Bimal Gandhi, CEO of Uniken, presented his company's REL-ID solution to a broad range of threats that include (but are not limited to) credential compromise, phishing, social engineering, and account takeover by fraudulent password reset. "We make connecting safe." Their clients, he said, "have sustained zero losses." As opposed to other solutions that connect and authenticate, Uniken first verifies, and then connects. 

Their platform is also attractive, Gandhi said, in that it's a low-payload, low-bandwidth solution. We heard from investors and buyers throughout the summit that they were looking for solutions that were easy to integrate and didn't enmesh them in other problems. In response to questions, Gandhi said REL-ID was that sort of enterprise solution: "Integration has been accomplished in as little as three hours."