Stealthy Shape Security Lands $6 Million From Kleiner Perkins and Eric Schmidt
There’s an interesting new fundamental thought emerging among computer security companies. The logic goes like this: First, your digital assets are going to be attacked. Second, no matter what preparations you make to defend those assets, a determined attacker is going to find a hole or a method of penetrating your defenses that you didn’t think of.
Most attacks are relatively cheap to carry out, because they’re not that sophisticated. More often than not, attackers copy the methods they use from each other. Attacks are inexpensive, and most attackers have the luxury of limitless time.
The exception is attacks using so-called “zero day” vulnerabilities, where a previously unknown vulnerability, usually in the operating system, is used to gain access to a system. Most — but not all — of the time, once a zero-day vulnerability is seen and documented, the weaknesses it reveals are patched, making it the type of weapon that can be used only once.
As such, zero-day vulnerabilities are often traded on the black market and sold at a high price. For example, when the Stuxnet worm — the malware that was used to attack and sabotage the Iranian nuclear program — was first discovered, security researchers were impressed that it used no fewer than four distinct zero-day vulnerabilities in Microsoft Windows. So many used at once indicated that the cost to carry out the attack was high, leading to the conclusion that only a state-sponsored attacker would have the funds to carry it out. This led to the logical conclusion that either the U.S. or Israel had been behind Stuxnet.
I bring it up because Stuxnet is an example of the conclusion of this new fundamental thought I mentioned at the start. Why not make attacks expensive for the attackers? The early estimates on Stuxnet put its cost at $3 million, and it is believed that it required a team of 10 skilled programmers and as long as six months to develop. It was not a cheap attack. It was expensive.
That’s the idea behind Shape Security, which today announced that it has landed a $6 million Series A round of venture capital funding led by Kleiner Perkins Caufield & Byers and TomorrowVentures, the fund led by Google Chairman Eric Schmidt.
Peter Wagner, a former partner at Accel Partners, as well as executives from LinkedIn, Twitter, and Facebook, will also join the round. Ted Schlein, managing partner at Kleiner Perkins, has joined the board of directors, along with Gaurav Garg, a limited partner at Sequoia Capital and personal investor in the round.
We don’t as yet know a great deal about Shape Security or its intentions. But we do know who’s running it: According to this filing with the U.S. Securities and Exchange Commission, its CEO is Derek W. Smith. Another key exec and director is Sumit Agarwal, the former head of Google’s mobile product management, who in 2010 took a post in the Department of Defense as senior adviser for Cyber Innovation.
Another key exec is Troy Tribe, who appears to be the same person who used to be VP for business development at Solera Networks, which specializes in network-security analytics and forensics.
This is the second time in as many weeks that I’ve noticed a security company talking about changing the economics for attackers. The first was Crowdstrike, which announced that it had hired Shawn Henry from the FBI and landed a $26 million investment from Warburg Pincus. Neither has said yet exactly what you do to make launching a computer attack more expensive. I’m certainly eager to know more.