It doesn’t take much more than a casual glance at the headlines to get the idea that there’s a lot going on in the area of Internet security these days. Between hacking attacks by the Chinese Army, revelations of overly aggressive snooping by the National Security Agency, or questions about how to make cloud computing secure enough that big companies can trust it, security is top of mind for CIOs and other decision makers more than ever before.
It’s against that backdrop that venture capitalists like Ted Schlein see opportunity. As a general partner at Kleiner Perkins Caufield & Byers, he has led several of the firm’s investments in security companies, and was the founding CEO of Fortify Software, the company that’s now part of Hewlett-Packard.
I caught up with him while he was in New York for a meeting of the board of Chegg, the digital hub for students that recently filed for an IPO.
My first question was the one I always tend to ask at the outset of conversations about security.
AllThingsD: Ted, there’s a lot of interest in security companies lately, but I’m always a little skeptical because over the years, there have been so many companies focused on security that make such broad promises about being the last, best solution. As an investor, how do you see that?
Schlein: Threat vectors change. The natures of threats change, and the bad guys themselves change. And when those things change, the protection mechanisms have to change along with them. What we’ve seen in a rise in the sophistication of the bad guys. What is at stake has gone up tremendously. When we started 30 years ago, we were dealing with amateur hackers who wanted to mess around with you. It has evolved into really big money and/or nation-state espionage. And now that has strategic implications. I used to be the implications were tactical, in that you might have to spend some money to clean up your systems. Now a breach can have a fundamental impact on your business. So you have to constantly be fundamentally rethinking how you approach it.
The old thinking was that you had to put up a wall around your perimeter and keep making it stronger and stronger. So what has changed?
Now there is no perimeter. The perimeter has been extended by definition. Now we’re operating in a cloud-ready, highly mobile, highly distributed environment. Good luck protecting that. It complicates the security picture a lot. But where there’s complication, there’s also opportunity. Think about this: Most of the things we’ve done around security during the last 30 years have been about finding bad on the network. The challenge there is that you only know something is bad once it’s been bad. You’re in this constant rat race to define what bad is. It’s not very effective. So now we’ve had to come up with some new heuristics to do behavior-based detection. The idea there is less about defining what’s bad and viewing behaviors suspiciously. It’s more akin to saying: Whatever this is, it’s not right on my system.
So where does this sort of approach show up in your investment portfolio?
I’m involved with a company called Mandiant. And its founder and CEO Kevin Mandia says, and I agree with him, that there are only two kinds of companies: Those that have been breached and know it, and those who have been breached and don’t yet know it. What that tells you is that our prevention mechanisms aren’t working so well. So what’s needed now are ways to tell when you’ve been breached, what’s been breached, and contain it and remediate it. That’s a shift, but most security practitioners don’t think that way. It’s why Mandiant is doing so well.
Indeed, Mandiant’s profile was certainly raised by its work on naming the Chinese Army as behind several high profile breaches.
Yes, they’re the ones that have positive attribution to the APT-1 attack, which was carried out by the Chinese military. It was really the first time the Chinese were named. Mandiant is sort of the tip of the arrow because they get called in to every major breach in the country, so they know more about these advanced persistent threats than anyone. So their knowledge base is unparalleled. So they’ve taken that and turned it into software, and now about half its revenue comes from software.
So that’s one example. I’m hearing a lot these days about securing the cloud, especially the virtual machine layer. Are you involved with any companies in that space?
It’s kind of exciting. I think there are going to be some fundamental issues around security in the cloud. I think you have an issue with data at rest. All this information is sitting there. You have to get your information from the cloud and you have to do it in a safe and secure manner. And then finally you need to authenticate the person. Are you who you say you are, so you can have access to the cloud. Those are the three fundamental issues in how you secure the cloud. There are different approaches. Some think you should do it all through a gateway, a box that protects what’s on the other side of that box. Architecturally I don’t think that will work.
So what will?
I believe you need an encryption mechanism that encrypts the data all the way to the browser and then that browser has to be 100 percent authenticated, and the whole thing has to be seamless, because you as an end user are not going to tolerate having to mess around with keys and all that. So I’ve been working with this company called Ionic that has put it all together.
That’s one way to secure how we use the cloud. Are there new ways to actually fight the bad guys?
A lot of attacks are automated in that they’re carried out by armies of bots. I think you’d be appalled if you knew how many systems had been compromised and were made part of a bot army. It’s in the millions. What happens is that a command and control server will command an army of 100,000 or so bots, and go attack a bank or something like that. So these automated attacks are prolific, they’re dangerous and they happen all the time. I don’t think you can stop the bot armies from being created, but I do think you can prevent them from having any efficacy, so that their attacks don’t do anything. So we’ve been working on a concept – for lack of a better phrase I’ll call it a bot wall. It’s similar to a firewall but for bots. We think we can make a bot attack ineffective. If we can make it work, it would be fundamental. I’ve been working on it with a company called Shape Security.
So when you think about new security companies and approaches, what’s an important quality you look for?
You have to look at the attack vectors of the day, challenge the norms, and then create a different approach. I sold a company to Hewlett-Packard a few years ago called Fortify. I did ArcSight, too. But the concept at Fortify was to challenge the norm. In the past, security had been a network operations person’s problem. Fortify treated it like an engineers problem. People coding their systems have to think about security while they’re building them and writing the code. And that is what Fortify was all about. Building security in the system just as you’re writing the code. It’s not too dissimilar from the auto-manufacturing industry, where if you can eliminate a defect early on the assembly line, it’s a lot better before finding out about it after you’ve shipped a few hundred thousand cars. The way we’ve done software and systems in the past is that we’ve thrown them over the wall, and then told the customer to build a moat around them.