Embed Size (px)
Citation preview
1
2
Introduction ....................................................................................................................................................................................................................... 3
New-to-Market Vendors ................................................................................................................................................................................................ 3
Endpoint ......................................................................................................................................................................................................................... 3
User Behaviour Analytics ........................................................................................................................................................................................... 5
Threat Intelligence ....................................................................................................................................................................................................... 6
Security Awareness Training .................................................................................................................................................................................... 7
UK Vendors ................................................................................................................................................................................................................... 8
Established Vendors European Executive Leadership Summary ....................................................................................................................... 9
Predictions for 2017 ....................................................................................................................................................................................................... 10
Complete Analyst Comment ....................................................................................................................................................................................... 11
Next Generation Endpoint ....................................................................................................................................................................................... 11
User Behaviour Analytics/ Network Behaviour Analytics ............................................................................................................................... 13
Threat Intelligence ..................................................................................................................................................................................................... 14
About the Authors ......................................................................................................................................................................................................... 15
About Acumin Consulting....................................................................................................................................................................................... 15
3
There was a significant increase in the volume of cyber security vendors’ receiving venture funding in 2014/2015 with a
number of $100 million-plus rounds, which has resulted in the birth of some high profile cyber “unicorns”.
This increase in funding led to a number of cyber vendors expanding into EMEA for the first time, while vendors with existing
European operations experienced significant growth. UK vendors have also raised significant rounds and are expanding
throughout the continent and over to the US.
Given the market has been so buoyant, I have composed a summary document detailing some of the key areas of security;
whom the key investors are and which key executive hires they have made in EMEA in 2016. Also enclosed is analyst
comment on some of the key areas to add perspective from a technology viewpoint.
The endpoint market is being driven by a realisation that ‘traditional’ endpoint solutions are effective no longer. While
budgets have increased substantially over the past decade for network security solutions such as firewalls (and NGFW),
budgets for endpoint solutions have remained relatively static. It is fair to say that there has not been as much innovation in
this space. This is now changing as organisations realise endpoints are a weak chink in their armour.
The next generation endpoint market can be broken into two factions:
1. Endpoint Protection (EPP) - EPP solutions are prevention technologies, which customers have been accustomed to buying
for 20 years. These include firewalls, NGFW, traditional endpoint solutions etc. They are designed to block malware and
attacks at the ‘perimeter’ of the organisation.
2. Endpoint Detection & Response (EDR) - EDR solutions in comparison, assume that adversaries will evade perimeter
controls. EDR solutions are designed to detect and respond to adversaries that are already inside the customer environment.1
A security and systems management solution that allows real-time data collection at enterprise scale. $300m funding from
Andreessen Horowtiz, they hired Richard Olver as VP EMEA in March 2015, who had the same role at Ciphercloud - one of
Andreessen’s other portfolio companies. In late 2015 Tanium established operations in the UK, Germany and the Netherlands
and throughout 2016 hired sales and pre-sales talent from vendors such as Fireeye, Sailpoint, Veracode and Ciphercloud.
1 Analysts comment
4
Pioneering cloud delivered next-generation endpoint protection and services. Total Funding $156m from Accel Partners and
Google Ventures. Hired Mike East as VP EMEA in January 2016, East was previously the first European hire for Mandiant, who
were subsequently acquired by Fireeye, and his role transitioned into UK Country Manager. Crowdstrike have established UK
operations and have hired sales and pre-sales talent from cyber vendors such as Fireeye and Sourcefire.
The world's first next-generation antivirus built on artificial intelligence and machine learning. $177m funding from Teneleven
ventures, Khosla and Blackstone. Hired Evan Davidson as VP EMEA in March 2016. Davidson’s background were senior sales
roles helping to launch Ironport and Veracode in EMEA. Prior to Cylance he ran the UK+I Enterprise Sales teams for Fireeye,
reporting directly to Mike East, now VP EMEA of Crowdstike. Cylance have established operations in the UK, Germany and
Sweden, hiring sales and pre-sales talent from cyber vendors such as Fireeye, HP and Logrhythm.
Uniquely integrated platform that combines behavioural-based detection, advanced mitigation, and forensics to stop threats
in real-time. $109m funding from Redpoint, Thirdpoint Ventures and Tiger Global Management. Hired Gareth Green as VP
EMEA in Dec 2016, Green was previously International Sales Director for Aerohive and was VP EMEA for Netscreen earlier in
his career. SentinelOne have established operations in UK and France, hiring sales and pre-sales talent extensively from
Exclusive Networks (and associated vendors) who are their distributor in EMEA.
Endpoint detection and response platform identifies in real time all the elements of cyber-attacks for effective response.
$86m funding from Softbank and Spark Capital. Hired Simon Sharp as VP EMEA in September 2016, Sharp was previously
Pindrop Security’s first hire in EMEA and was in a sales leadership position at RSA for 5 years prior to Pindrop. Cybereason
have established operations in the UK, hiring sales and pre-sales talent from vendors such as Veracode, Vectra Networks and
Fireeye.
Next generation endpoint detection and response. $191m funding from Redpoint, Sequoia, Atlas, 406 Ventures. Through the
acquisition of Bit9, Carbonblack had presence in Europe since 2010, however in July 2016 they appointed Mark Reeves as VP
EMEA, Reeves was previously in a global sales role at Entrust, and in EMEA Leadership roles at RSA and Promethean.
Carbonblack have established operations in the UK, Netherlands and Finland, hiring sales and pre-sales talent from vendors
such as Fireeye, Bluecoat and Tanium.
Malware isolation. $56m funding from General Catalyst, Sutter Hill Ventures. Hired Paul Davis in April 2015, Davis was previously
Fireeye’s first EMEA hire and built out the entire EMEA business before moving to Menlo. Prior to Fireeye, Davis was in a senior
5
leadership role with Ironport. Menlo have established operations in the UK and Germany, hiring sales and pre-sales talent
primarily from Fireeye and associated partners.
Anti-Malware software, $80m funding from Fidelity Investments and Highland Capital partners. Hired Anthony O’Mara in
January 2015 as VP EMEA, O’Mara spend 13 years in European leadership roles with Trend Micro prior to Malwarebytes. They
have established operations in the UK, Ireland, France and Estonia, hiring sales and pre-sales talent from vendors such as
Trend Micro and Fortinet.
As organisations have realised the extent to which insider threat is a risk, they have turned to UBA/NBA solutions to help
detect attacks perpetrated from within the organisation. Insider threats can be broken into two broad areas:
1. An internal employee using their access to the network to exfiltrate or corrupt data.
2. An attacker that has compromised user or service accounts and is accessing resources with those accounts.
In both cases it is very difficult to establish malicious behaviour with existing controls. UBA solutions are designed to establish
‘normal’ behaviour and flag up ‘abnormal’ behaviour. For example: compromise of a user account resulting in data
exfiltration from a database which the user account has legitimate access to.2
Big data security analytics. $35m funding from Norwest and Icon Ventures, Exabeam are a Schlomo Kramer (Founder of
Checkpoint and Imperva) cohort company and have hired extensively from Imperva globally. They hired Danny Adamson as
Sales Director in July 2015 to lead the EMEA team. Adamson was ex Splunk and Symantec. Exabeam have established
operations in the UK and Germany, aside from Adamson all other EMEA employees are ex-Imperva.
Enterprise security analytics, funding TBC. Hired John Handelaar as VP EMEA in June 2015, Handelaar was VP EMEA
previously for Passlogic, Sailpoint and Osirium. Securonix have established operations in the UK, hiring sales and pre-sales
talent from Centrify and HP. Their CEO is Sachin Nayyar, whose sister Saryu Nayyar is the CEO of direct competitor Gurucul.
2 Analyst Comment
6
Gurucul provides actionable risk intelligence to detect, prevent, and deter advanced internal and external threats and fraud,
funding TBC. Gurucul had 2 senior leaders in EMEA in 2015/2016 – Craig Stewart (ex VP EMEA for Bluecoat and Zscaler) was
at the helm for 5 months before leaving to lead Venafi, Simon Minton (ex Zenedge and Waratek) was there from January to
November 2016 before leaving for EDR vendor Cybereason. At time of writing Gurucul has no European leadership in place.
Behavioural attack detection $32m funding from Battery Ventures and Access Industries, Shlomo Kramer is an early investor
and sits on the board. Lightcyber hired Paul Couturier to build out their European operations from the Netherlands. Couturier
was an early investor/VP EMEA for Tipping Point and was VP EMEA at Bluecat and Cyan prior to joining Lightcyber. They
have established operations in the UK and the Netherlands, hiring sales and pre-sales talent from vendors such as Fireeye
and Checkpoint.
Automated threat management, $86m from Accel, Intel, Juniper, Khosla amongst many others. Vectra took the unusual step
of hiring a European lead based in Switzerland – Gerard Bauer, who worked in Central and Southern European roles
previously for Riverbed. They have established operations in the UK and Germany, hiring sales and pre-sales talent from
vendors such as Fireeye, Tenable Network Security and Darktrace.
Insider threat management, $21m funding from Blackstone. Hired Peter Heim as VP EMEA in June 2015, Heim was previously
EMEA Sales Director for Secureworks for 6 years prior to joining Redowl. They have established operations in the UK and
hired a pre-sales lead from Imperva.
According to our contacts, customer interest in threat intelligence has ‘exploded’ in the past few months - at least in Western
Europe. Organisations are taking threat intel feeds from multiple sources (including governments and intelligence agencies)
as well as from numerous other sources.
Threat intel at its most basic are feeds of known bad IP addresses, URL/ domains and file hashes (of known bad malware).
More sophisticated threat intel might include intelligence about likely adversaries and their attack tactics, as well as intel about
compromised user accounts being purchased on the ‘dark web’ for the purpose of infiltrating a network.
Some ‘humint’ threat intel comes from agents posing as hackers within hacker groups. 3
3 Analyst Comment
7
Advanced threat intelligence platform, $22m funding from Grotech. Threatconnect’s first EMEA hire was Richard Betts (Ex
Moka5 and Tanium) who joined in June 2015 and left in July 2016 to join direct competitor Anomali in a EMEA Business
Development role. Threatconnect have established operations in the UK and currently have one sales head (ex HP) and one
pre-sales (ex Corero).
$56m funding from Paladin and General Catalyst. CEO and CTO were the founders of Arcsight. Hired Jamie Stone as VP
EMEA and Jonathan Martin as EMEA CTO in February 2016 – both are ex Arcsight. They have established operations in the
UK, Belfast and Germany, other notable hires include Richard Betts from Threatconnect and they have hired sales and pre-
sales talent from HP and Cloudera.
Real time threat intelligence, $32m funding Google Ventures, REV Accomplice. Hired Dan Buckley as EMEA Sales Director in
April 2016 who is ex Bigfix, Core Security and SPI Networks. They have established operations in the UK and Sweden and
have recently hired sales talent from Secureworks and iPass.
Threat intelligence platform, $24m funding from Silicon Valley Bank and New Enterprise Associates. The majority of
leadership globally are ex-Sourcefire including all European staff – Anthony Perridge joined as regional sales director EMEA in
March 2016. Threatquotient have established operations in both the UK and France.
As we know billions of dollars have been invested into highly technical solutions aimed at protecting companies’
infrastructures, however these complex controls can often be undermined by human error. One of the greatest threat vectors
can actually come from within the company or organisation. In simple terms a multi-million dollar network solution cannot
protect against employees negligently leaving an unencrypted laptop containing sensitive information on a train or in an
airport lounge, downloading malware-laden email attachments, or clicking on deceptive links.
Often these threats are not due to malicious behaviour from disgruntled employees, but more so from misinformed workers
who may respond to phishing e-mails, by sharing login details when in an unsecured location, or giving out sensitive
information when exposed to social engineering.
8
Cybercriminals will almost always seek to utilise the easiest attack methods, and as such CISO’s are increasingly looking to
invest in Security awareness training aimed at influencing end user behaviour, which will boost security performance as well
as supporting productivity, accountably and compliance.
SaaS based Security Awareness Training for End Users, $10.85 million funding from Level Equity and Pittsburgh Equity
Partners. Hired Colin McTrusty as Sales Director EMEA in July 2016, McTrusty was ex Threatmetrix, RSA and McAfee. Wombat
have established operations in the UK and have hired sales and marketing talent from Blueliv, Websense and Easy solutions.
Phishing Threat Management, $58m from Paladin Capital, PhishMe hired David Janson as VP EMEA in September 2016.
Janson was ex Firescope and NetIQ. PhishMe have established operations in the UK since early 2015 and now have a team of
over 30 in the UK, hiring sales and pre-sales talent from Cryptzone, Experian and Core Security.
In 2015, the UK Government announced a 5 year plan to invest £1.9bn over 5 years into cyber security, the majority of this
investment was into GCHQ and also into hiring large teams of cyber experts at the NCA to help protect the UK against cyber
warfare. Some of the £1.9bn is also being used as an “innovation fund” to help UK entrepreneurs commercialise, grow and
scale cyber businesses to compete with the vast number of vendors originating from the US and Israel.
Recently the UK has seen the launch of privately held cyber security incubators aimed also at aiding and supporting the
growth of UK cyber starts ups, these include Cylon and Restoration Partner’s Virtual Technology Cluster.
In addition, there has been some high profile UK based cyber security specific investment funds, these include C5 Capital,
Amadeus Capital, Summit Partners and Paladin Capital who have all invested in a number of UK cyber businesses.
Threat intel/maps digital footprint - $22m funding from TenEleven Ventures, Passion Capital). Founders - CEO Alastair
Patterson and CTO James Chappell are both ex BAE Systems Detica (Large UK Defence organisation). HQ is Canary Wharf
London, and in 2016 opened a US HQ in San Francisco. Cylance CEO Stuart McClure is on the BOD. Hired sales talent from
Alert Logic, Symantec, Bluecoat and Hortonworks.
9
Immune system detection/attack detection – $104m funding from TenEleven Ventures, Summit Partners, KKR and Invoke
Capital. Invoke Capital’s CEO is Mike Lynch, ex Autonomy CEO. Practically every senior positon is filled by ex-Autonomy
alumni, they have hired very few people from within cyber security for Commercial positions, generally only entry level
graduate sales reps aside from ex-Autonomy. Launched US operations in 2016.
Next generation cloud security solution, $3m funding from Talis Capital. CEO is Ed Macnair, who was the ex-CEO of Marshall
who merged with 8e6 to form M86 Security who were subsequently acquired by Trustwave. Censornet’s HQ is in Basingstoke
and they have recently opened a US office based in Austin, Texas. In December 2016 Censornet acquired Danish
Authentication vendor SMS passcode. They have made a number of senior hires recently, notably Sarah Woods in Nov 2016
as VP of Global Marketing, Woods was previously Senior Director of Marketing EMEA for Fireeye for 5 years. They have
established operations in the UK, Germany, Denmark and the US.
Identity and access management, $94m funding from Accel Partners and Index Ventures – Hired Andy Heather as VP EMEA
in July 2016, Heather was the ex VP of EMEA for Tripwire, and Voltage (Acquired by HP).
Cloud access security broker, $131m funding from Accel Partners, Lightspeed Ventures and ICONIQ. Hired Andre Stewart as
VP EMEA in December 2016, Stewart was previously the ex VP EMEA for Fortinet, A10 Networks, Corero and OpenDNS
Network security, went public on NASDAQ in 2009 - number of internal changes with successful Europeans promoted to
global roles, Andy Travers (Was VP EMEA, now SVP of US and Canada), Patrice Perche (Was VP International now SVP Global
Sales). Yann Pradelle is now VP EMEA based from France.
Cloud security, $148m funding from Lightspeed, TBG and CapitalG. Hired Matt Piercy as VP EMEA in January 2016, Piercy was
the Ex VP of Northern Europe at VMware
Automated keys and certificates, $56m funding Intel Capital and Questmark. Hired Craig Stewart as VP EMEA in February
2016, Stewart was the ex VP EMEA for Bluecoat, Zscaler and Gurucul.
10
Network security, $30m funding from Marker and Vintage Fund. Hired Ian Rigby as VP EMEA in January 2016, Rigby held
leadership roles previously at Fidelis and NTT Europe.
Given that VC funding has significantly slowed in 2017, it is unlikely that you will continue to see the volume of vendors
entering the EMEA market that we experienced last year.
Most security solutions are silo’d and do not share data or integrate well, therefore the market is moving towards
automation/orchestration platforms which stitch together security systems to create a connected, process driven security
architecture. We expect to see vendors such as DF Labs, Phantom Cyber, Hexadite and Resilient Networks (IBM) all looking to
increase their presence in EMEA in 2017.
Considering the level of investment, particularly within the endpoint and threat intel space, 2017 will be hugely competitive
with significant growth in EMEA demanded by vendors and VC’s alike. For the successful vendors this will result in continued
growth in hiring.
It is likely that you will see a number of leadership changes in EMEA for vendors who are not scaling effectively, as the
pressure is so intense that even some of the successful solutions will struggle to acquire market share. This will lead to fire
sale acquisitions, restructuring, and consolidation, which will have a detrimental effect of hiring.
Given the small number of cyber vendors that are currently IPO’ing, it is highly likely that you will see some significant
acquisitions occur in 2017, particularly within the endpoint space
11
The endpoint market is being driven by a realisation that ‘traditional’ endpoint solutions are effective no longer. While
budgets have increased substantially over the past decade for network security solutions such as firewalls (and NGFW),
budgets for endpoint solutions have remained relatively static. There has not been as much innovation in the endpoint
space.
This is now changing as organisations realise endpoints are a weak chink in their armour.
The next generation endpoint market can be broken into two factions:
1. Endpoint Protection (EPP) - Cylance, SentinelOne
2. Endpoint Detection & Response (EDR) - Carbon Black, Crowdstrike, Cybereason, CounterTack
The market, most customers, and even the channel partners who sell the technology are generally confused about the
differences between EDR and EPP. Yet there are significant differences.
EPP solutions are Prevention technologies, which customers have been accustomed to buying for 20 years. This includes
firewalls, NGFW, traditional endpoint solutions etc. They are designed to block malware and attacks at the ‘perimeter’ of the
organisation.
Organisations who are currently evaluating EPP solutions tend to be looking for a replacement for their traditional endpoint
vendors (SYMC, MFE, Sophos, Trend Micro etc). There is intense competition within the EPP space.
Some customers are buying EPP solutions in addition to their existing endpoint solution, as they may require functionality
which ‘next-gen’ vendors do not yet have - such as endpoint encryption.
We hear that the ASP for next-gen AV is around $70k, at least in the UK.
EDR solutions, in comparison, assume that adversaries will evade perimeter controls. EDR solutions are designed to detect
and respond to adversaries that are already inside the customer environment.
More sophisticated APT attacks now use TTP (Tactics, Techniques and Procedures) which are very difficult to detect, and
virtually impossible with existing endpoint or even with the EPP solutions.
12
This may include malicious use of legitimate and widely used IT admin tools (like Powershell or WMI) which is invisible to most
security controls.
EDR solutions can detect these types of attacks, and have the ability to respond by quarantining and cleaning endpoints or
killing processes.
Organisations who are currently evaluating EDR solutions tend to be more mature in their security posture, likely already
have a SOC and security analysts, and may already have internal security controls to detect and respond to attacks within
their network.
These organisations may have invested in network tools like SIEM (Splunk, QRadar, Logrhythm, ArcSight etc) and other
network tools.
They are buying EDR solutions because:
1. They have very poor visibility of what is happening on their endpoint estate
2. Most attacks involve the compromise of endpoints
3. It’s very difficult to piece together an attack without the context provided by an endpoint solution
The ASP for EDR solutions tends to come from a different budget (and decision makers) than EPP and is generally higher -
closer to $200k+ (in the UK)
The intense competition for budget is driving next-gen vendors to build out their solutions to include both EDR + EPP
functionality. At the same time, the traditional endpoint vendors are developing their own capabilities in order to compete.
The scene is set for a battle royale.
13
As organisations have realised the extent to which insider threat is a risk, they have turned to UBA/NBA solutions to help
detect attacks perpetrated from within the organisation.
Insider threat can be broken into two broad areas:
1. An internal employee using their access to the network to exfiltrate or corrupt data
2. An attacker that has compromised user or service accounts and is accessing resources with those accounts
In both cases, it is very difficult to establish malicious behaviour with existing controls.
UBA solutions are designed to establish ‘normal’ behaviour and flag up ‘abnormal’ behaviour. For example: Compromise of a
user account resulting in data exfiltration from a database which the user account has legitimate access to.
Exabeam, Gurucul, Securonix
Lightcyber, Vectra Network, Darktrace
The difficulty that most customers have had with UBA/NBA is that it is generally complex to deploy, tune and manage. Feeds
from multiple sources have to be fed in (from SIEM, network logs, Active Directory, HR logs etc). The more feeds, the better
the correlation.
To build up a baseline of ‘normal’ behaviour can take weeks or months, and often has to be further tuned or
configured. POCs can take months and even then do not always result in a sale.
Vendors that integrate tightly into SIEM solutions (exabeam & Splunk) have probably seen the most traction, because they
already have much of the data already.
However, the market for UBA/NBA in both NA and EMEA has not yet taken off as many thought it would. This is possibly
due to:
1. The complexity
2. Perhaps because we are still early in the market and the Early adopter customers are still evaluating
3. It could be that organisations are waiting for their SIEM or EDR vendors to incorporate UBA/NBA type analytics into their
solutions
It is likely to be a combination of all three.
14
According to our contacts, customer interest in Threat intelligence has ‘exploded’ in the past few months - at least in Western
Europe. Organisations are taking Threat Intel feeds from multiple sources (including their governments and intelligence
agencies) as well as from numerous other sources.
Threat intel at its most basic is feeds of known bad IP addresses, URL/ domains and file hashes (of known bad malware).
More sophisticated threat intel might also include intelligence about likely adversaries and their attack tactics, as well as intel
about compromised user accounts being purchased on the ‘dark web’ for the purpose of infiltrating a network.
Some ‘humint’ threat intel comes from agents posing as hackers within hacker groups.
Many organisations struggle to operationalise the flood of data these Threat Intel feeds provide, so are turning to Threat Intel
Platforms (TIP) such as Anomali, Recorded Future, EclecticIQ and Threatconnect to help them normalise, enrich and prioritise
the data for their customers.
Customers then typically ingest these data into their SIEMs (and increasingly EDR platforms) to look for known bad Indicators
of Compromise (IOCs) in their environment.
Threat Intel is a rapidly evolving market and it is likely that other ecosystem players (like SIEM, NGFW and EDR vendors) will
look to establish integrations and partnerships, in order to operationalise the use of threat intel.
15
Recruiter: Matthew Smith is a principal consultant at Acumin Consulting and has worked in cyber security recruitment for 7
years. Matthew works with high growth, VC backed, cyber security vendors helping them enter, build and scale into EMEA
through the provision of senior leadership and commercial roles throughout the region.
For more information, please contact Matthew on [email protected]
Analyst: Simon Minton spent 5 years as a cyber security market analyst. He continues to work with high growth Cyber Security
vendors and is an active mentor for new-to-market UK vendors.
Established in 1998, Acumin is the leading specialist for cyber security and business protection recruitment. Operating across
EMEA and the USA, we have provided our niche expertise to a multitude of end user organisations, security vendors, systems
integrators, and consultancies.
Our unique understanding of the market and specific requirements across disciplines means we provide effective services
across permanent, contract and retained assignments. For more information visit http://www.acumin.co.uk
