Are there enterprise IT lessons to be learned from how the U.S. military approaches cybersecurity? Yes, according to a startup called Shape Security.
The co-founder of Shape Security, Sumit Agarwal, spent 14 years in the U.S. Air Force Reserve and was the deputy assistant secretary of Defense for the Obama administration in 2010. Agarwal's military experience led him to help found Shape Security, a company that today is announcing a new $20 million round of funding. In total, Shape Security has raised $26 million to bankroll its military-inspired view of Web security.
"We're taking major viewpoints of what the future will hold, from a Department of Defense, military perspective and recognizing that those are the same kinds of issues and challenges that regular businesses working on the Internet will face going forward," Agarwal told eSecurity Planet. "It's a much more sophisticated military-grade of security being made available to the business world."
In describing what Shape Security is trying to achieve, Agarwal commented that the Department of Defense does not expect Americans to defend the airspace above their places of business. "Ironically enough, the same is not true in cyberspace," he said. "On the Internet, you may be the target of organized crime or nation-state exploitation that is not reasonable for you as a business to defend against."
Agarwal argued that it's not reasonable to expect an average American business to defend itself against a nation-state attack. In his view, there is a need for more sophisticated cybersecurity with military levels of expertise.
New Attacks, New Cybersecurity Approach
Shape Security's technology is going after a number of different types of challenging attack vectors. At the top of the list are attacks that appear to be coming from legitimate sources of traffic. These could be attacks that come from end-points or customers that are unwitting participants. It's a type of attack where one moment the interaction is with the real customer and in the next moment it's with a malicious agent on the customer's machine.
"Distributed botnet-based attacks with large numbers of compromised end-points, many of which overlap with your current or future customers, are the most difficult types of attack to deal with, and that's where we're focused," Agarwal said.
The traditional sentries of enterprise IT defense, including firewall and IPS devices, are still essential in Agarwal's view. That said, he noted that both military and enterprise IT security experts have long preached the merits of an in-depth security strategy.
"We're looking at a new segment of attacks that look like normal expected user behavior," Agarwal said. "It's not jimmying the lock, it's walking in along with all of the other good traffic."
Shape Security is still mostly in stealth mode and is not yet publicly disclosing all the specific details of its solutions. The company does, however, have some customer deployments with broader availability set for the end of 2013 and early 2014.
Though he was not able to provide full details, Agarwal explained that from a deployment perspective, Shape Security offers a managed appliance that is installed on a customer's premises. In terms of what is in the appliance, Shape is building its technology on top of items that Agarwal considers to be non-core.
"We're not rebuilding our own operating system or hardware," Agarwal said. "The core security is all new and totally proprietary."
Agarwal said Shape Security is essentially trying to create a new category in the IT security market. In his view, his company is doing something that is fundamentally different from other vendors in the space. "I respectfully characterize a lot of other security offerings as better, faster, cheaper versions of the same thing," he said.
The Shape Security approach, in contrast, is about making it fundamentally more difficult to attack enterprises by addressing the underlying computer science problems of how attacks are created. The company is also focused on the economic perspective of attacks.
"There is an economic chain in attacks, where there has to be profit made at every step," Agarwal said. "We're very focused on introducing tremendous friction at multiple levels in that chain to cause attackers to go elsewhere."
The idea of making it more difficult for attackers is one that other technology startups have attempted. One such company, Mykonos Software, was acquired by Juniper Networks in 2012 for $80 million. Mykonos takes a pro-active approach to security attacks by luring bad guys into pre-set traps.
Shape Security is taking a different approach to making it difficult for attackers.
"My bias from the Department of Defense is that we don't think that any sort of legitimate business should be tangling with the adversary," Agarwal said. "Businesses in America don't need to ever do that. They need set-and-deflect strategies, as it isn't a high-value use of their energy to become criminal pursuing enterprises."