This week I was lucky enough to speak to Deepak Jeevankumar. Deepak is a principal at General Catalyst and is very involved with the firm's investments in Illumio, ThreatStream and Menlo Security. I was really excited to talk to him and hear how he and General Catalyst are thinking about the cybersecurity space.
2015: “We are in a global cyber cold war”
In 2013 you wrote an article in Forbes predicting that the app economy would be the next big target for cyber criminals. 2 years down the road, has that view come to fruition?
I think we have gone far beyond that. Probably every famous app vendor has been a target of cyberattacks: Twitter, Evernote, LinkedIn, etc. What I really meant in that article is that smaller app vendors who can’t afford big security teams will be under attack as well. In many cases, such app vendors do not even know they are being attacked. There is a second, even bigger risk surface in the app economy. Due to the rise of "as a service" models, hackers can attack apps indirectly, because the number of "central nodes" has increased dramatically. For example, the recent GitHub DDoS attack affected thousands of other companies.
In that same article you mentioned that you weren't especially optimistic about the government's ability to stop cybercrime through legislation; however, more recently you lauded the president for bringing cybersecurity to the forefront of discussion. How will Obama's recent threat information sharing legislation play out?
I think the role of government has to evolve just as the type of cyberattacks have evolved. The recently disclosed massive breach on the Office of Personnel Management and the Sony cyberhack of 2014 are actually very different from most of the cyberattacks we have experienced in the last 2 years. The other attacks are cyberthefts of data or DDoS attacks. These attacks lead to economic disruption; however, these recent 2 attacks have changed the game. In both cases, hackers stole sensitive information with potential malintent in the physical world (“if you release the movie, we will bomb cinema halls”). The link between physical terrorism and cyber terrorism is getting stronger. We are in a global cyber cold war. The government has no choice but to intervene and act; however, as studies have shown, neither the public nor the private sector trusts the government. The first act of the government should be to rebuild trust to enable sharing of information. The bad guys share information but the good guys do not share information due to lack of trust.
It seems like the insider threat that you predicted in 2013 has proven accurate. How should companies be thinking about and combating this threat?
I think this will be one of the fastest growing areas in cybersecurity. Currently, existing cybersecurity vendors do not provide an employee-centric view of risks. There is a new crop of companies that enable customers to pivot threats around users in an organization (Exabeam, RedOwl, etc.). After the Sony threat and other hacks, employees are asking companies to protect their information better. In fact, a few Sony employees sued the company for not protecting their sensitive data. Companies should educate their employees on what is being monitored and share information with their employees if they notice what appears to be malicious activity. Most of these acts are unintentional or involuntary (due to account takeovers), but if it is voluntary that means there is an insider threat issue unfolding. Security awareness training should be part of any HR orientation trainings for new and existing employees of G2000.
"Can we have expiring data based on time and need? Can an employee revoke access given to his company for his/her personal data once he leaves the company? Can the keys to the data be handed to the employee and not the employer? Again this is an area screaming for startup innovation."
How does the functionality that you describe compare with current permissions management tools?
The core question is who owns the data. With the current permissions management tools, the administrator who has root access is the ultimate owner. However, if an employee controls his private key and does not share it with his employer, she can be the ultimate owner. There are many split-key technologies that actually make this a reality. We store all our data on 3rd party servers even in our personal lives and we lose control the moment we do it. This is a sad reality!
You've mentioned that you think threat sharing will be big--are there any other core theses that guide your investments in cybersecurity companies? In contrast, are there any sub-sectors of the industry that you specifically avoid investing in?
The challenge in the cybersecurity industry is that there are only a very few billion dollar TAM subsectors (firewalls, APT/IDS/IPS, web proxy/web security, endpoint anti-virus, authentication, etc). Most VC investments tend to be concentrated in these sectors due to expectations of big returns. I expect a few other sub-sectors to turn into billion dollar TAM sub-sectors. These include threat intelligence+threat sharing, user behavior analytics+insider threat management, 3rd party vendor risk exposure, next gen DLP, security automation, runtime application self-protection etc. These emerging cybersec sub-sectors include some of our new theses.
Deepak Jeevankumar is a Principal at General Catalyst Partners where he focusses on cybersecurity, big data and cloud infrastructure. He has been closely involved in the firm's investments in Illumio, ThreatStream and Menlo Security.
This is down from $1.4B in the first half of last year, but way up from the $770M invested in the first half of 2013.
Everyone is trying to get in on the action; Blackstone now has 7 cybersecurity investments (up from none 3 years ago), Menlo Ventures has devoted 20% of its latest fund to cybersecurity, Allegis just raised a $100M fund devoted entirely to cybersecurity and Andreessen acknowledged that they've changed their mind about cybersecurity, which they used to view as necessary but not as profitable as other enterprise sectors.
Founder George Kurtz claimed that the deal valued CrowdStrike at "near unicorn" status. Forbes claimed that revenue as of January 2015 was just $13.8mm (though growing at nearly 150% YoY). Assuming a $1B valuation, the most recent round would value them at more than 70x revenue. Something's off there.
The company looks for behavioral anomalies across a company's network to attempt to detect insider threats from rogue, sloppy, or compromised employees. The company competes with big data analysis companies such as Palantir and Splunk. Last week Splunk bought Caspida, a similar company, for $190M.
Blackstone led the round and Allegis Capital participated. The company has raised earlier rounds from Salesforce founder Marc Benioff and In-Q-Tel, the CIA's venture arm.
The company allows users to easily send encrypted messages to people they're friends with on social media. The round was led by Andreessen Horowitz, and A16Z partners Chris Dixon and Marc Andreessen will join the board.
Founder David Vincenzetti claims that “This kind of cyber attack could only be carried out by government operatives. This wasn’t spontaneous. The attack was planned months before with considerable resources. The extraction of the data took a very long time.”