Oracle Whoopsie, Internet 2.0 Funded, Fortanix Series C, & Dig Security – ESW #289

In the first half of 2022, the market added 12 new cybersecurity unicorns, bringing the total to roughly 50. In the first 3 months of the second half... Nothing. Anyone who has followed our show or the financial news understands why, but I felt the need to check in on the unicorn stables and make sure I hadn't missed anything.

$90M Series C, led by Goldman Sachs. Fortanix appears to be doing mostly data-at-rest, but also does tokenization. Seems that compliance and privacy regs are their customers' key use cases.

$40M Series C, led by Koch Disruptive Technologies (Koch bros, I assume?). Is software created specifically for managed service providers a new category? I've seen a few companies that specialize in making SOC software and selling to MSSPs, and wonder how these products might differ from selling to an in-house SOC. Multi-tenancy would be a priority of course - keeping customer data separate...

$34M Series A led by SignalFire. "Dig uses a comprehensive threat model for cloud data attacks that detects, analyzes and instantly responds to cloud data threats to minimize business impact and damage with an average mean-time-to-detection (MTTD) of less than a minute." Huh? They're calling this Data Detection and Response, but honestly, they look VERY similar to other DSPM solutions. At least, until you get to the response bit. Like other DSPMs, they're going through the data discovery and classification process. Where the startups diverge is on the next step - some seem to focus on policy enforcement, while dig is suggesting it will detect and prevent attacks in near real time. This wouldn't be possible if they're depending on event logging - CloudTrail has a hard 10 minute delay that you can't really get around. The only other option would be placing themselves directly in-line with data flows, like an IPS or NDR appliance.

$21M Series A led by Craft Ventures, and with Martin Casado of A16Z also participating. SecurityPal's niche appears to be outsourcing completing security questionnaires to get sales deals closed more quickly. It seems to me that what folks really want (judging from the RSA talks I went to this year) is to reduce or even eliminate the questionnaire. There's no shortage of companies trying to make it easier to manage a SIG Lite though: RFPio, Loopio, VISO Trust, CyberGRX...

"Oversubscribed" $16.4M seed round led by Ridge Ventures. "Theom is pioneering a new method of securing data in the cloud and SaaS data stores by ensuring that protection always follows the asset, adapting the security as environments change." To quote GTA V, "Aw shit, here we go again." The data security market is well and truly alive again. We're starting to see more and more shades of cloud data security. It has _always_ been possible to do what Theom is proposing, but the challenge has always been the complexity, friction, and usability tradeoff. Data is no good to a business if it can't be used, and locking down access too tightly could have more of a negative impact on the business than a breach would!

$5M seed led by Ellerston Capital and Bondi Partners. Australian-based Internet 2.0 provides "Military Grade Cyber Protection". *sigh* It looks like their actual product is a "clean Internet as a service" type solution, but it appears they ship some sort of physical or virtual appliance, rather than go the purely route-based approach like Zscaler or Cato Networks. But let's touch a bit on the branding. So, the terms Web 3.0 and Web 2.5 are already a thing. Internet2 has been a thing since at least the mid-1990s. Where does someone arrive at the idea that Internet 2.0 would be a good name for a company? What's the website? It's internet2 DASH 0 dot com. Yeah, it's not ideal.

Fidelis has a bit of an odd history. It has been around since 2002, and for a while was owned by DoD contractor General Dynamics (2012-2015). In most of its early days, it sold XPS, an NDR product if memory serves, with a DLP component to detect data exfil. When I covered it as an industry analyst at 451 Research, it had also entered the EDR space. Marlin Equity acquired it in 2015, and brokered an acquisition of Resolution1 (<$50M), Access Data's own endpoint security solution (split out from AD's Forensics Software business). Later, in 2018, it acquired the deception vendor TopSpin. I suspect most of its customers are still large government entities, which is why we seem to only hear about it when there's an acquisition or fundraising event.

I almost didn't include this, because MarkMonitor is on the fringes of what you could call a "security vendor", but it is often tossed into the Digital Reputation Management ring along with folks like ZeroFox and RiskIQ.

KnowBe4 didn't go the SPAC route, so it's better off than other vendors that went public around the same time (ahem QOMPLX ahem). Still, it hasn't been a great performer and has received a $4.22B ($24/share) take private offer from Vista Equity.

"Kelly Shortridge just casually slinging wisdom bombs all over the place again." -- Allan Alford This is Kelly's rebuttal to the recently released, NSA-backed guide on "Securing the Software Supply Chain". She sums up her thoughts in ten objections: 1. Slowing down software delivery does not help security, it hurts it 2. There is an underlying paradox (the “Thinking Machine” paradox) 3. Most enterprises have no chance of implementing this 4. Most enterprises will not want to implement this 5. Security vendor bolt-on solutions are overemphasized 6. Relevant security and infrastructure innovation is omitted 7. Inaccuracies about software delivery practices and basic terminology 8. Confusing, contradictory messages from the authoring agencies 9. Omission of second order effects and underlying causal factors 10. Dangerous absolution of security vendors’ own software security