cybercrime
Auto Added by WPeMatico
Auto Added by WPeMatico
Safe Security, a Silicon Valley cyber risk management startup, has secured a $33 million investment from U.K. telco BT.
Founded in 2012, Safe Security — formerly known as Lucideus — helps organizations measure and mitigate enterprise-wide cyber risk using its security assessment framework for enterprises (SAFE) platform. The service, which is used by a number of companies, including Facebook, Softbank and Xiaomi, helps businesses understand their likelihood of suffering a major cyberattack, calculates a financial cost to customers’ risks and provides actionable insight on the steps that can be taken to address them.
This funding round saw participation from Safe Security’s existing investors, including former Cisco chairman and chief executive John Chambers, and brings the total amount raised by Safe Security to $49.2 million.
BT said the investment, which is its first major third-party investment in cybersecurity since 2006, reflected its plans to grow rapidly in the sector. Philip Jansen, BT CEO said: “Cybersecurity is now at the top of the agenda for businesses and governments, who need to be able to trust that they’re protected against increasing levels of attack.
“Already one of the world’s leading providers in a highly fragmented security market, this investment is a clear sign of BT’s ambition to grow further.”
The startup’s co-founder and chief executive Saket Modi said he was “delighted” to be working with BT.
“By aligning BT’s global reach and capabilities with SAFE’s ability to provide real-time visibility on cyber risk posture, we are going to fundamentally change how security is measured and managed across the globe,” he said.
As part of the investment, which will see Safe Security double its engineering team by the end of the year, BT will combine the SAFE platform with its managed security services, and gain exclusive rights to use and sell SAFE to businesses and public sector bodies in the U.K. BT will also work collaboratively with Safe Security to develop future products, according to an announcement from the company.
Safe Security’s competitors include UpGuard, Exabeam and VisibleRisk.
Powered by WPeMatico
When it comes to meeting compliance standards, many startups are dominating the alphabet. From GDPR and CCPA to SOC 2, ISO27001, PCI DSS and HIPAA, companies have been charging toward meeting the compliance standards required to operate their businesses.
Today, every healthcare founder knows their product must meet HIPAA compliance, and any company working in the consumer space would be well aware of GDPR, for example.
But a mistake many high-growth companies make is that they treat compliance as a catchall phrase that includes security. Thinking this could be an expensive and painful error. In reality, compliance means that a company meets a minimum set of controls. Security, on the other hand, encompasses a broad range of best practices and software that help address risks associated with the company’s operations.
It makes sense that startups want to tackle compliance first. Being compliant plays a big role in any company’s geographical expansion to regulated markets and in its penetration to new industries like finance or healthcare. So in many ways, achieving compliance is a part of a startup’s go-to-market kit. And indeed, enterprise buyers expect startups to check the compliance box before signing on as their customer, so startups are rightfully aligning around their buyers’ expectations.
One of the best ways startups can begin tackling security is with an early security hire.
With all of this in mind, it’s not surprising that we’ve witnessed a trend where startups achieve compliance from the very early days and often prioritize this motion over developing an exciting feature or launching a new campaign to bring in leads, for instance.
Compliance is an important milestone for a young company and one that moves the cybersecurity industry forward. It forces startup founders to put security hats on and think about protecting their company, as well as their customers. At the same time, compliance provides comfort to the enterprise buyer’s legal and security teams when engaging with emerging vendors. So why is compliance alone not enough?
First, compliance doesn’t mean security (although it is a step in the right direction). It is more often than not that young companies are compliant while being vulnerable in their security posture.
What does it look like? For example, a software company may have met SOC 2 standards that require all employees to install endpoint protection on their devices, but it may not have a way to enforce employees to actually activate and update the software. Furthermore, the company may lack a centrally managed tool for monitoring and reporting to see if any endpoint breaches have occurred, where, to whom and why. And, finally, the company may not have the expertise to quickly respond to and fix a data breach or attack.
Therefore, although compliance standards are met, several security flaws remain. The end result is that startups can suffer security breaches that end up costing them a bundle. For companies with under 500 employees, the average security breach costs an estimated $7.7 million, according to a study by IBM, not to mention the brand damage and lost trust from existing and potential customers.
Second, an unforeseen danger for startups is that compliance can create a false sense of safety. Receiving a compliance certificate from objective auditors and renowned organizations could give the impression that the security front is covered.
Once startups start gaining traction and signing upmarket customers, that sense of security grows, because if the startup managed to acquire security-minded customers from the F-500, being compliant must be enough for now and the startup is probably secure by association. When charging after enterprise deals, it’s the buyer’s expectations that push startups to achieve SOC 2 or ISO27001 compliance to satisfy the enterprise security threshold. But in many cases, enterprise buyers don’t ask sophisticated questions or go deeper into understanding the risk a vendor brings, so startups are never really called to task on their security systems.
Third, compliance only deals with a defined set of knowns. It doesn’t cover anything that is unknown and new since the last version of the regulatory requirements were written.
For example, APIs are growing in use, but regulations and compliance standards have yet to catch up with the trend. So an e-commerce company must be PCI-DSS compliant to accept credit card payments, but it may also leverage multiple APIs that have weak authentication or business logic flaws. When the PCI standard was written, APIs weren’t common, so they aren’t included in the regulations, yet now most fintech companies rely heavily on them. So a merchant may be PCI-DSS compliant, but use nonsecure APIs, potentially exposing customers to credit card breaches.
Startups are not to blame for the mix-up between compliance and security. It is difficult for any company to be both compliant and secure, and for startups with limited budget, time or security know-how, it’s especially challenging. In a perfect world, startups would be both compliant and secure from the get-go; it’s not realistic to expect early-stage companies to spend millions of dollars on bulletproofing their security infrastructure. But there are some things startups can do to become more secure.
One of the best ways startups can begin tackling security is with an early security hire. This team member might seem like a “nice to have” that you could put off until the company reaches a major headcount or revenue milestone, but I would argue that a head of security is a key early hire because this person’s job will be to focus entirely on analyzing threats and identifying, deploying and monitoring security practices. Additionally, startups would benefit from ensuring their technical teams are security-savvy and keep security top of mind when designing products and offerings.
Another tactic startups can take to bolster their security is to deploy the right tools. The good news is that startups can do so without breaking the bank; there are many security companies offering open-source, free or relatively affordable versions of their solutions for emerging companies to use, including Snyk, Auth0, HashiCorp, CrowdStrike and Cloudflare.
A full security rollout would include software and best practices for identity and access management, infrastructure, application development, resiliency and governance, but most startups are unlikely to have the time and budget necessary to deploy all pillars of a robust security infrastructure.
Luckily, there are resources like Security 4 Startups that offer a free, open-source framework for startups to figure out what to do first. The guide helps founders identify and solve the most common and important security challenges at every stage, providing a list of entry-level solutions as a solid start to building a long-term security program. In addition, compliance automation tools can help with continuous monitoring to ensure these controls stay in place.
For startups, compliance is critical for establishing trust with partners and customers. But if this trust is eroded after a security incident, it will be nearly impossible to regain it. Being secure, not only compliant, will help startups take trust to a whole other level and not only boost market momentum, but also make sure their products are here to stay.
So instead of equating compliance with security, I suggest expanding the equation to consider that compliance and security equal trust. And trust equals business success and longevity.
Powered by WPeMatico
APIs make the world go round in tech, but that also makes them a very key target for bad actors: As doorways into huge data troves and services, malicious hackers spent a lot of time looking for ways to pick their locks or just force them open when they’re closed, in order to access that information. And a lot of recent security breaches stemming from API vulnerabilities (see here, here and here for just a few) show just how real and current the problem is.
Today, a company that’s building a network of services to help those using and producing APIs to identify and eradicate those risks is announcing a round of funding to meet a growing demand for its services. Salt Security, which provides AI-based technology to identify issues and stop attacks across the whole of your API library, has closed $70 million in funding, money that it will be using both to meet current demand but also continue building out its technology for a wider set of services and use cases for API management.
The funding is being led by Advent International, by way of Advent Tech, with Alkeon Capital, DFJ Growth and previous backers Sequoia Capital, Tenaya Capital, S Capital VC and Y Combinator all also participating.
Salt, founded in Israel and now active globally, is not disclosing valuation, but I understand from a reliable source that it is in the region of $600-700 million.
As with many of the funding rounds that seem to be getting announced these days, this one is coming on the heels of both another recent round, as well as strong growth. Salt has raised $131 million since 2016, but nearly all of that — $120 million, to be exact — has been raised in the last year.
Part of the reason for that is Salt’s performance: In the last 12 months, it’s seen revenue grow 400% (with customers including a range of Fortune 500 and other large businesses in the financial services, retail and SaaS sectors like Equinix, Finastra, TripActions, Armis and DeinDeal); headcount grow 160%; and, perhaps most importantly, API traffic on its network grow 380%.
That growth in API traffic underscores the issue that Salt is tackling. Companies these days use a variety of APIs — some private, some public — in their tech stack as a way to interface with other businesses and run their services. APIs are a huge part of how the internet and digital services operate, with Akamai estimating that as much as 83% of all IP traffic is API traffic.
The problem, Roey Eliyahu, CEO and co-founder of Salt Security, told me, is that this usage has outpaced how well many manage those APIs.
“How APIs have evolved is very different to how developers used APIs years ago,” he said. “Before, there were very few, and you could say they were more manageable, and they contained less-sensitive data, and there were very few changes and updates made to them,” he said. “Today with the pace of development, not only are they always getting updated, but you have thousands of them now touching crown jewels of the company.”
This has made them a prime target for malicious hackers. Eliyahu notes Gartner stats that predict that by 2022, APIs will make up the largest attack vector in cybercrime.
Salt’s approach starts with taking stock of a whole network and doing a kind of spring clean to find all the APIs that might be used or abused.
“Companies don’t know how many APIs they even have,” Eliyahu said, noting that some 40%-80% of the APIs in existence for a typical company’s data are not even in active operation, lying there as “shadow APIs” for someone to pick up and misuse.
It then looks at what vulnerabilities might inadvertently be contained in this mix and makes suggestions for how to alter them to fix that. After this, it also monitors how they are used in order to stop attacks as they happen. The third of these also involves remediation “insights”, but carrying out the remediation is done by third parties at the moment, Eliyahu said. All of this is done through Salt’s automated, AI-based, flagship Salt Security API Protection Platform.
There are a number of competitors in the same space as Salt, including Ping, and newer players like Imvision and 42Crunch (which raised funding earlier this month), and the list is likely to grow as not just other API management companies get deeper into this huge space, but cybersecurity companies do, too.
“The rapid proliferation of APIs has dramatically altered the attack surface of applications, creating a major challenge for large enterprises since existing security mechanisms cannot protect against this new threat,” said Bryan Taylor, managing partner and head of Advent’s technology team, in a statement. “We continue to see API security incidents make the news headlines and cause significant reputational risk for companies. As we investigated the API security market, Salt stood out for its multi-year technical lead, significant customer traction and references, and talented team. We look forward to drawing on our deep experience in this sector to partner with Salt in this exciting new chapter.”
Powered by WPeMatico
Panaseer, which takes a data science approach to cybersecurity, has raised $26.5 million in a Series B funding led by AllegisCyber Capital. Existing investors, including Evolution Equity Partners, Notion Capital, AlbionVC, Cisco Investments and Paladin Capital Group, as well as new investor National Grid Partners, also participated. Panaseer has now raised $43 million to date.
Panaseer’s special sauce and sales pitch amount to what it calls “Continuous Controls Monitoring” (CCM). In plainer English that means correlating a great deal of data from all available security tools to check assets, control gaps, you name it.
As a result, the company says it can identify zero-day and other exposures faster, or exposure to, say, FireEye or SolarWinds vulnerabilities.
Jonathan Gill, CEO, Panaseer said: “Most enterprises have the tools and capability to theoretically prevent a breach from occurring. However, one of the key reasons that breaches occur is that there is no technology to monitor and react to failed controls. CCM continuously validates and measures levels of protection and provides notifications of failures. Ultimately, CCM enables these failures to be fixed before they become security incidents.”
Speaking to me on a call he added: “The investment, allows us to scale our organization to meet those demands of customers with a team of people to implement the platform and help them get tremendous value and to evolve the product. To add more and more capability to that technology to support more and more use cases. So they’re the two main directions, and there’s a market we think of tens of thousands of organizations of a certain size, who are regulated or they have assets worth protecting and a level of complexity that makes it difficult to solve the problem themselves. And our Advisory Board and the customers I’ve spoken with think maybe there are barely 20 companies in the world who can solve this problem. And everybody else gets stuck on the fact that it’s a really difficult data science problem to solve. So we want to scale that and take that to more organizations.”
And why did they pick these investors: “I think we picked them and they picked us, we’ve been on that journey together. It takes months to find the best combination. The dollars are all the same when it comes to investors, but I think they can help improve as an organization and grow just like the existing investors do. They give us access and reach into parts of the market and help make us better as organizations as well.”
Bob Ackerman, founder and managing director of AllegisCyber Capital, and co-founder of DataTribe said: “The emergence of Continuous Controls Monitoring as a new cybersecurity category demonstrates a ‘coming of age’ for cybersecurity. Cyber is the existential threat to the global digital economy. All levels of the enterprise, from the CISO, to Chief Risk Officer, to the Board of Directors are demanding comprehensive visibility, transparency and hard metrics to assess cyber situational awareness.”
Powered by WPeMatico
With the increase of digital transacting over the past year, cybercriminals have been having a field day.
In 2020, complaints of suspected internet crime surged by 61%, to 791,790, according to the FBI’s 2020 Internet Crime Report. Those crimes — ranging from personal and corporate data breaches to credit card fraud, phishing and identity theft — cost victims more than $4.2 billion.
For companies like Sift — which aims to predict and prevent fraud online even more quickly than cybercriminals adopt new tactics — that increase in crime also led to an increase in business.
Last year, the San Francisco-based company assessed risk on more than $250 billion in transactions, double from what it did in 2019. The company has over several hundred customers, including Twitter, Airbnb, Twilio, DoorDash, Wayfair and McDonald’s, as well a global data network of 70 billion events per month.
To meet the surge in demand, Sift said today it has raised $50 million in a funding round that values the company at over $1 billion. Insight Partners led the financing, which included participation from Union Square Ventures and Stripes.
While the company would not reveal hard revenue figures, President and CEO Marc Olesen said that business has tripled since he joined the company in June 2018. Sift was founded out of Y Combinator in 2011, and has raised a total of $157 million over its lifetime.
The company’s “Digital Trust & Safety” platform aims to help merchants not only fight all types of internet fraud and abuse, but to also “reduce friction” for legitimate customers. There’s a fine line apparently between looking out for a merchant and upsetting a customer who is legitimately trying to conduct a transaction.
Sift uses machine learning and artificial intelligence to automatically surmise whether an attempted transaction or interaction with a business online is authentic or potentially problematic.
Image Credits: Sift
One of the things the company has discovered is that fraudsters are often not working alone.
“Fraud vectors are no longer siloed. They are highly innovative and often working in concert,” Olesen said. “We’ve uncovered a number of fraud rings.”
Olesen shared a couple of examples of how the company thwarted fraud incidents last year. One recently involved money laundering through donation sites where fraudsters tested stolen debit and credit cards through fake donation sites at guest checkout.
“By making small donations to themselves, they laundered that money and at the same tested the validity of the stolen cards so they could use it on another site with significantly higher purchases,” he said.
In another case, the company uncovered fraudsters using Telegram, a social media site, to make services available, such as food delivery, with stolen credentials.
The data that Sift has accumulated since its inception helps the company “act as the central nervous system for fraud teams.” Sift says that its models become more intelligent with every customer that it integrates.
Insight Partners Managing Director Jeff Lieberman, who is a Sift board member, said his firm initially invested in Sift in 2016 because even at that time, it was clear that online fraud was “rapidly growing.” It was growing not just in dollar amounts, he said, but in the number of methods cybercriminals used to steal from consumers and businesses.
“Sift has a novel approach to fighting fraud that combines massive data sets with machine learning, and it has a track record of proving its value for hundreds of online businesses,” he wrote via email.
When Olesen and the Sift team started the recent process of fundraising, Insight actually approached them before they started talking to outside investors “because both the product and business fundamentals are so strong, and the growth opportunity is massive,” Lieberman added.
“With more businesses heavily investing in online channels, nearly every one of them needs a solution that can intelligently weed out fraud while ensuring a seamless experience for the 99% of transactions or actions that are legitimate,” he wrote.
The company plans to use its new capital primarily to expand its product portfolio and to scale its product, engineering and sales teams.
Sift also recently tapped Eu-Gene Sung — who has worked in financial leadership roles at Integral Ad Science, BSE Global and McCann — to serve as its CFO.
As to whether or not that meant an IPO is in Sift’s future, Olesen said that Sung’s experience of taking companies through a growth phase such as what Sift is experiencing would be valuable. The company is also for the first time looking to potentially do some M&A.
“When we think about expanding our portfolio, it’s really a buy/build partner approach,” Olesen said.
Powered by WPeMatico
If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.
Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.
Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.
The current risks aren’t just technology problems; they’re also problems of people and processes.
Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.
Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the midpandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.
It only takes one compromised account for an attacker to enter the active directory and create their own credentials. In such an environment, all user accounts should be considered as potentially compromised.
Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly-used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.
Powered by WPeMatico
Polish video game maker CD Projekt, which makes Cyberpunk 2077 and The Witcher, has confirmed it was hit by a ransomware attack.
In a statement posted to its Twitter account, the company said it will “not give in nor negotiate” with the hackers, saying it has backups in place. “We have already secured our IT infrastructure and begun restoring data,” the company said.
According to the ransom note, the hackers said they would release the company’s stolen source code and other internal files if it did not pay the ransom, since the company would “most likely recover from backups.”
But the company said for now that no personal data was taken. “We are still investigating the incident, however at this time we can confirm that — to our best knowledge — the compromised systems did not contain any personal data of our players or users of our services.”
It’s an increasingly hostile tactic used by ransomware actors: Hackers target high-value businesses and companies with file-encrypting malware and hold the files for a ransom. But since many companies have backups, some ransomware groups threaten to publish the stolen files unless the ransom is paid.
CD Projekt Red did not immediately respond to TechCrunch’s questions, including what kind of ransomware was used to attack its systems.
It’s thought to be the second time in recent years that the company has been hit by ransomware. The game maker confirmed in 2017 that a hack resulted in the compromising of early work related to the Cyberpunk 2077. Weeks following the game’s launch Sony and Microsoft offered gamers refunds, citing bugs and poor performance on older consoles.
Powered by WPeMatico
From COVID-19’s curve to election polls, public temperature checks to stimulus checks, 2020 was dominated by numbers — the guiding compass of any self-respecting venture capital investor.
As a VC exclusively focused on investments in Israeli cybersecurity, the numbers that guide us have become some of the most interesting to watch over the course of the past year.
The start of a new year presents the perfect opportunity to reflect on the annual performance of Israel’s cybersecurity ecosystem and prepare for what the next twelve months of innovation will bring. With the global cybersecurity market outperforming this year’s panic-stricken expectations, we carefully combed through the figures to see how Israel’s market, its strongest performer, compared — and predict what it has in store.
The cybersecurity market continues to draw the confidence of investors, who appear to recognize its heightened importance during times of crisis.
The “cyber nation” not only remained strong throughout the pandemic, but even saw a rise in fundraising, especially around application and cloud security, following the emergence of remote workflow security gaps brought on by social distancing. Encouraged by this, investors have demonstrated committed enthusiasm to its growth and M&A landscape.
Emboldened by the sector’s overall strength and new opportunities, today’s Israeli visionaries are developing stronger convictions to build larger companies; many of them, already successful entrepreneurs, are making their own bets in the industry as serial entrepreneurs and angel investors.
Image Credits: YL Ventures (opens in a new window)
The numbers also reveal how investors are increasingly concentrating their funds on larger seed rounds for serial entrepreneurs and the foremost industry trends. More than $2.75 billion was poured into the industry this year to back companies across all stages, a 97% increase from last year’s $1.39 billion. If its long-term slope is any indication, we can only expect it to continue to grow.
However, though they clearly indicate progress, the numbers still make the need for a demographic reset clear. Like the rest of the industry, Israel’s cybersecurity ecosystem must adapt to the pace of change set out by this year’s social movements, and the time has long passed for true diversity and gender representation in cybersecurity leadership.
As the market’s biggest leaders garner experience and expertise, the bar for entry to Israel’s cybersecurity startup ecosystem has gradually risen over the years. However, this did not appear to impact this year’s entrepreneurial breakthroughs. 58% of Israel’s newly founded cybersecurity companies received seed rounds this year, totaling 64 seeded companies in 2020 compared with last year’s 61. The total number of newly founded companies increased by 5%, reversing last year’s downward trend.
The amount invested at seed hit an all-time high as average deal size in 2020 increased by 11%, amounting to an average of $5.2 million per deal. This continues an upward trend in average seed rounds, which have surged over the last four years due to sizable year-on-year increases. It also provides further support for a shift toward higher caliber seed rounds with a strategically focused and “all-in” approach. In other words, founders that meet the new bar for entry are raising bigger rounds for more ambitious visions.
Image Credits: YL Ventures
2020 proved an exceptional year for application security and cloud security startups. Perhaps the runaway successes of Snyk and Checkmarx left strong impressions. This year saw an explosive 140% increase in application security company seed investments (such as Enso Security, build.security and CloudEssence), as well as a whopping 200% increase in cloud security seed investments (like Solvo and DoControl), from last year.
Powered by WPeMatico
Now more than ever, IT teams play a vital role in keeping their businesses running smoothly and securely. With all of the assets and data that are now broadly distributed, a CEO depends on their IT team to ensure employees remain connected and productive and that sensitive data remains protected.
CEOs often visualize and measure things in terms of dollars and cents, and in the face of continuing uncertainty, IT — along with most other parts of the business — is facing intense scrutiny and tightening of budgets. So, it is more important than ever to be able to demonstrate that they’ve made sound technology investments and have the agility needed to operate successfully in the face of continued uncertainty.
For a CEO to properly understand risk exposure and make the right investments, IT departments have to be able to confidently communicate what types of data are on any given device at any given time.
Here are five questions that IT teams should be ready to answer when their CEO comes calling:
Or, more specifically, exactly how many assets do we have? And, do we know where they are? While these seem like basic questions, they can be shockingly difficult to answer … much more difficult than people realize. The last several months in the wake of the COVID-19 outbreak have been the proof point.
With the mass exodus of machines leaving the building and disconnecting from the corporate network, many IT leaders found themselves guessing just how many devices had been released into the wild and gone home with employees.
One CIO we spoke to estimated they had “somewhere between 30,000 and 50,000 devices” that went home with employees, meaning there could have been up to 20,000 that were completely unaccounted for. The complexity was further compounded as old devices were pulled out of desk drawers and storage closets to get something into the hands of employees who were not equipped to work remotely. Companies had endpoints connecting to corporate network and systems that they hadn’t seen for years — meaning they were out-of-date from a security perspective as well.
This level of uncertainty is obviously unsustainable and introduces a tremendous amount of security risk. Every endpoint that goes unaccounted for not only means wasted spend but also increased vulnerability, greater potential for breach or compliance violation, and more. In order to mitigate these risks, there needs to be a permanent connection to every device that can tell you exactly how many assets you have deployed at any given time — whether they are in the building or out in the wild.
Device and data security go hand in hand; without the ability to see every device that is deployed across an organization, it becomes next to impossible to know what data is living on those devices. When employees know they are leaving the building and going to be off network, they tend to engage in “data hoarding.”
Powered by WPeMatico
Cybersecurity firm Dragos has raised $110 million in its Series C, almost triple the amount that it raised two years ago in its last round.
Dragos was founded in 2016 to detect and respond to threats facing industrial control systems (ICS), the devices critical to the continued operations of power plants, water and energy supplies, and other critical infrastructure. The company’s threat detection platform — its moneymaker — helps companies with industrial control systems defend against hackers trying to get into important operational systems. Its platform kicks out hackers that could shut down manufacturing lines or control energy supply systems, while its research arm keeps tabs on the hackers that can break into these highly complex and segmented industrial networks in the first place.
The startup’s latest round was led by National Grid Partners and Koch Disruptive Technologies, with both firms adding a member each to Dragos’ board. The round also saw participation from Saudi Aramco Energy Ventures and Hewlett Packard Enterprise, as well as return investors Allegis Cyber, Canaan Partners, DataTribe, Energy Impact Partners and Schweitzer Engineering Labs.
This latest round of funding will help the company with its go-to-market efforts, as well as growing its customer support team with 30 staff and building up its sales and marketing team. Lee said the company’s priority had been to work on its threat platform, and less selling it.
About one-third of the company’s employees work in software engineering to build its threat platform.
Dragos founder and chief executive Robert Lee said the pandemic, which forced vast swathes of the world to work remotely from home under lockdown restrictions, served as a wake-up call for companies with critical infrastructure.
“When you’re talking about critical infrastructure sites and people’s utilities, you need to put your best foot forward on the tech first,” he said.
Many companies were already trying to adapt with the digital age, but Lee said many companies realized they had underinvested in ICS security.
A team photo of Dragos employees. Image Credits: Dragos
Based just outside Washington D.C., Dragos now has over 220 employees and will be adding more, close to doubling its headcount since last year, and adding new offices in Melbourne, Dubai and in the United Kingdom.
Lee said the U.K.’s transition out of the European Union would all but ensure that the new U.K. office could not serve as an EU hub for the company, but that it was necessary to “to go where the problems are.”
Another one of those places is Saudi Arabia, one of the world’s largest oil and gas producers, where Dragos has an office and now draws an investment. Saudi oil and gas manufacturing plants have been the target of several cyberattacks, including the Trisis malware in 2017 that shut down one of the kingdom’s biggest petrochemical plants. But the country has faced extensive criticism for its human rights record by international rights groups. Lee said the company works to protect infrastructure that serves civilians and has actively rejected military contracts that would fall afoul of those values. “I don’t want to put asterisks on that mission,” he said.
Lee told TechCrunch that the company has grown at a rapid pace since it was founded four years ago.
“Our goal was never to get acquired,” he said. Echoing remarks he made last year, Lee said that the company’s plan was to continue growing and investing in the problems that Dragos sees — with an eventual goal to take the company public. “But we’re not rushed,” he said.
“The hallmark of Dragos being successful won’t be a successful IPO,” said Lee. “The hallmark will be having validated and built the market large enough that there can be other companies that come behind us serving the other more niche aspects of the ICS market and building out the community, and making sure our infrastructure is safer.”
Powered by WPeMatico