As our use of technology has evolved, so have the threats that can derail and even destroy a business or even a country. Remember December 2013 when credit card information from 40 million users were stolen a few days before Christmas in a major attack on Target? Or the power outage (allegedly triggered by Russia) which lasted six to nine hours in Ukraine during Christmas season last year?
Cyber attacks are more of a threat to companies and governments today than they were yesterday, and will become even more so tomorrow.
There are more security solutions available today than ever before, and IT budgets in this category are certainly on the rise. But you know what else is rising? Not just the number of attacks, but the losses associated with those attacks.
Reported losses from attack outpaced spend by more than 6X in 2016, and that gap is expected to widen to 16X by 2018. This paradox demands that a robust digital resilience strategy be put in place across the entire IT infrastructure. Core to this strategy must be a complete understanding of all devices in the infrastructure.
RedSeal aims to ensure that companies and government agencies have the most sophisticated analysis of their assets and vulnerabilities possible by offering a digital map of all devices as well as a comprehensive understanding of the relationships and behaviors between the devices.
It is the relationships between the devices that hackers can exploit – configuration issues, open ports and more. RedSeal can actually measure the overall resilience of an infrastructure and provide a score – equipping companies with the knowledge to provide constant vigilance against the dearth of threats that loom large over them.
And when there is a breach, it alerts and identifies where the attackers have penetrated and exactly how to respond. Many solutions today can identify a breach, and some can quickly identify where it occurred. Knowing exactly what patch to apply is the hard part, especially in today’s virtualized hybrid cloud world.
RedSeal was founded in 2004, and started with an appliance offering. But it was given a fresh breath of life ten years later, when Ray Rothrock, formerly Managing Partner of Venrock, the VC company which was one of the security company’s founding investors, agreed to become CEO. Rothrock had a track record of investing in successful security companies, and had a vision and a mission to improve cyber security for everyone.
Since he joined Rothrock has set ambitious targets for the company, and hit them. “I’d been here around two weeks and posted four targets for 2014, 2015, and 2016. We hit all the targets in 2014 and 2015 and we’re on track in 2016,” Rothrock tells Red Herring. “We’ve recovered customers and improved the product. We’ll do $30m plus this year and we’re building a cyber security armory.”
Per Rothrock, RedSeal is able to understand all of the elements of a network, just as an operating system understands a computer. “There is a tremendous difference between simply knowing where all the devices are, and what the relationships might be”, says Rothrock.
“Knowing where all the train stations, airports and stadiums are in a city map is interesting – but what is relevant when thinking about security is realizing that the trains run past the airport or stadium and could be used to blow them up.”
Rothrock now has ambitious revenue goals for the company. “The company can be $100 million in revenue by 2018. The market is $2-3 billion, and that’s just the Fortune 500.” It has solid backers which include Icon Ventures, Sutter Hill Ventures and of course Venrock with seasoned venture capitalists supporting Rothrock’s ride as a CEO.
Currently, a third of RedSeal’s U.S. business is in government, and two thirds is commercial. Financial industries, insurance and medical sectors have secured their ecosystem with the Silicon Valley software. It is adding up new logos every quarter: Morgan Stanley, PG&E, Payless, the intelligence community in America.
Customers are leveraging the solution to help them with everything from audit and compliance, to incident response to understanding risks associated with integrating networks from potential M&A targets.
The company also has big plans for international expansion, a road which it has already begun traveling. “About 60% of the world’s tech is outside the U.S. One of the patterns I observed when I was investing was that companies grow fast when they go international early. So, we’re going for speed there,” says Rothrock. RedSeal has customers in Russia and Saudi Arabia and is targeting China.
The security industry has been kept busy in 2016. A wave of high publicity cyber breaches has shaken consumer confidence in the ability of big corporations to keep their data and information safe. The most recent divulgence of a major leak was at Yahoo in September, when it was revealed that more than 500 million customers’ details had been compromised in a cyber attack dating back to 2014.
Rothrock’s reaction to the attack was one of familiar despair. “Here we go again,” he says. “These things are preventable. By understanding the entire infrastructure and being able to immediately respond the breach before it got out of hand – a loss of that magnitude may not have happened.”
In reaction to the ever-changing nature of cyber threats, the security industry has had to evolve over the years. As the threat landscape grew, more and more products were thrown into the mix – firewalls, anti-virus, intrusion detection and more, according to Rothrock. The evolution went on and on from there, but up to that point all of the protection was focused on detection and prevention.
Now the industry has recognized that there is no such thing as perfect protection, and that resilience is the key word. “The world will get there very fast or we’ll have a Yahoo every week. We sort of do already,” says Rothrock. “At Sony” (whose data were stolen and leaked in 2015), “they turned off all their servers because they didn’t know what the problem was. You still need protection but resilience is where its headed.”
One of the major problems is a lack of awareness of the scope of the problem at a board level of major organizations all over the world. Rothrock believes that the decision makers at larger companies need to be educated so they fully appreciate what a huge issue cyber security is.
“Cybersecurity may be a hot topic, but awareness about it at the board or CEO level is smaller than you would think,” says Rothrock. “Last year McKinsey published a book on cyber security, it’s a damn good book, on what it means to really protect your digital business. These things help. Executives are coming along: they don’t need to be technologists but they need to know the vocabulary.”
Some companies are even buying cyber insurance, believing themselves to be covered against an attack. But, according to Rothrock, this insurance will pay the expenses of notifying people of the attack, but won’t give a dollar towards rebuilding a compromised network. “A conversation has started but awareness is low. I’m an evangelist about this. I wish I could get other CEOs in our industry to be as evangelical as I am,” Rothrock adds.
Cyber breaches have become an increasingly visible and problematic issue. Unless some of the CEOs of major organizations take note, those hacking and compromising the networks of major companies and governments will continue to do so with little resistance.
The types of attackers are also becoming more serious. Whereas a decade or two ago a hacker was more likely to be a young person testing out their skills, today nations launch cyber attacks on other countries, and criminal enterprises are funded from illegal cyber activity.
For Rothrock and RedSeal, the job ahead is a tough one, but they aren’t daunted by the prospect. “In the ‘30s banks were being robbed left, right and center, but we got control of it. We’re a long way from that but we need to get there pretty fast because the world is going digital faster than expected,” says Rothrock.
RedSeal will be on the front line of the cyber battle for many years to come, and many a company and government agency will be all the better for it.