Social, the final frontier

Social channels are an oft-overlooked area when it comes to information security. Social channels are left in the hands of marketing departments for customer engagement purposes.

However, the adoption of social digital tools for the purposes of conducting business is widespread and largely unregulated, creating a major area of risk for organisations.

If we look at the social frontier, it encompasses mobile, desktop, and cloud. Due to the consumer focus many of these have, it is easy to deploy tools with no oversight.

Because of these risks, we see social media breaches on the rise. Social Safeguard seeks to address this risk blind-spot.


Charlottesville, Virginia-based Social Safeguard was founded in 2014 by CEO Jim Zuffoletti and CTO Otavio Freire. The company has about 30 staff, claims over 40 fortune 100 customers, and raised a $3.9m venture round since 2015.

Most recently, in April 2018, the company announced former FireEye, McAfee, and Documentum CEO, Dave DeWalt as Vice Chair and investor.


Social Safeguard is delivered as a cloud-based platform from where it can connect to over 50 digital channels such as WhatsApp, Twitter, Skype, Slack, Instagram, Jabber and others.

The product seeks out all corporate social assets across various channels, it then pulls in data to conduct risk assessments, secure the known assets, and finally provides assurance through a series of tests.

It is designed to be transparent to the end user and marketing departments, rather the SOC, or security analyst would be the primary user, responding to alerts – all of which can be exported to existing tools such as a SIEM.

The product offers a variety of features designed to bring enterprise-grade capabilities to consumer products. For example, it can synchronise with active directory, so when a user leaves and is removed from AD, their credentials are automatically removed from any corporate social media account they had access to.

Similarly, a company can create a ‘gold image’ as to what its corporate accounts should represent. In the event of a suspected account takeover, where the profile picture and description of a Twitter account is changed, the platform automatically takes action to change the profile back to the approved version.


Timing is key when it comes to security. As security controls increase, they push attackers out to other areas. Remote working and BYOD have several security offerings to choose from. Cloud security has also greatly increased as CASB and broader security providers have increased capabilities and enjoyed healthy M&A activity.

However, the social media space remains relatively under-served. Uniquely positioning Social Safeguard to address this area of growing concern for many companies.

Opportunities exist for Social Safeguard to increase partnerships with security vendors such as SIEM’s or DLP products. Additionally, its presence could compliment the security capabilities and offering of managed security service providers, or managed detection and response.

It wouldn’t be surprising to see a large security vendor, or even a social media company look to acquire Social Safeguard for its ability to bring enterprise-grade security to this sector.

The user awareness landscape

Overall, technologies can be pretty straightforward to secure. Teach software not to execute a certain command, block a port, or alert on a set of conditions, and it will abide.

Humans, on the other hand are not as easy to harden against attacks. These attacks are frequently delivered through emails, text messages, social media, or even infected USB drives left in a car park.

It’s no wonder that user behavior consistently remains a high priority for many enterprises.

Following the money

There has been much activity in the user awareness space in recent months. Money has poured in, in the form of investments and acquisitions.

Recent notable market transactions include

February 2018: PhishMe acquired by PE for $400m and rebranded as Cofense

February 2018: Proofpoint acquired Wombat Security for $225m

August 2017: Webroot acquired the assets of Securecast for an undisclosed amount.

October 2017: KnowBe4 raised $30m in a series B round, bringing total funding to date to $43.5m

A broader look at the market

Many years ago, the user awareness market was more fragmented. Each provider delivering a segment of the training. Some would focus only on phishing, others provided a learning management system, whereas others created specialist training content in the form of books, posters, or videos.

The recent trend indicates more providers want to move more towards a user awareness ‘platform’ as opposed to having a single product. It was one of the drivers behind the renaming of PhishMe to Cofense, to present and offer more than just phishing.

Alongside Cofense, ProofPoint (Wombat), Webroot (Securecast), and KnowBe4 are all examples of user awareness companies that have tried to consolidate the different aspects of user awareness to one platform.

But that’s not to say there isn’t still room for specialist providers. Twist & Shout Media has built a sizeable customer base with four seasons of its Restricted Intelligence of comedy-awareness series as well as a number of spin-offs. Similarly, Habitu8 seeks to bring a bit of Hollywood glamour to its Hashtag awareness videos.

Looking forward

Security awareness is a hot space as awareness (no pun intended) increases and money is entering the space faster than before.

But the biggest question that remains over user awareness is it’s ROI and means to measure its effectiveness. Although approaches are improving, the security culture framework tries to put some meaningful metrics around awareness.

The NCSC recently published a somewhat polarizing blog questioning the value of phishing.

All in, we’ll probably continue to see more consolidation in the user awareness space in the coming months, not just to create user awareness platforms, but to truly embed user awareness as a security layer within organizations.



M&A Mania

2018 has kicked off with a flurry of M&A activity in the infosec space. There have been four that I’ve been aware of,

Barracuda acquired Phishline
Cyxtera acquired Immunity Inc
Verizon acquired Niddel
Threatcare acquired Savage Security

I wonder how many more deals will be announced between now and RSA. Either way, it looks like it could be a busy year ahead.

Threatcare secures $1.4m seed funding

Threatcare has announced a $1.4m seed round led by Moonshots Capital and includes Flyover Capital and Firebrand Ventures.

The Austin-based company was founded in 2014 by CEO Marcus Carey. Its flagship product, Violet, is a SaaS-based offering that enables continuous security validation through attack simulations.

For many security departments, the question they are often faced with is, “are we secure?” While that may be a loaded question, there isn’t usually a satisfactory answer.

Security assurance is an established discipline, but is often limited in scope, either by business or technology. The advantage that a product like Threatcare brings is that it can provide broad assurance across multiple technologies. By simulating attacks, Violet is able to see the forest for the trees, and rather than getting tied down with one particular vulnerability, it can be used to assess the overall security effectiveness of an organisation. In that way, it can perhaps be thought of more as a security assurance orchestration offering – tying together multiple technologies and processes.

This is an area we’ll likely see rapid growth in over the coming years as companies stop layering technologies, and stop to see if what they already have is functioning adequately.

Competition in this space is heating up, both from a technology perspective, and the funding competitors have raised, most notably Safebreach raised $19m in mid 2016, while AttackIQ raised a $8.8m series A, and UpGuard raised a $17m series B at the end of 2016.

Other vendors in this space include Picus Security and Cybric.


Analyst Vendor Briefings

Fuelled by a twitter conversation both Adrian Sanabria and Anton Chuvakin posted articles here and here, sharing some good tips on what makes a good briefing and common pitfalls to avoid.

As a former (recovering?) analyst, I thought it only right that I jump on the bandwagon and share my thoughts on the topic.

What is a vendor briefing?

If you’re not familiar with vendor briefings, it’s basically where a vendor will speak to an analyst and explain what their product does, how the company is structured, financials, and so forth. The analyst will then, depending on how the analyst firm operates, will either write up a piece on the company, reference it as part of a broader piece of research, or maintain the details in their database of companies they are tracking.

Analyst tips

Both Anton and Adrian were very thorough in their advice to vendors on how to deliver a good briefing. But I’d like to shift focus and point out a few things analysts could be mindful of during such briefings.

1. You don’t know everything. Yes, you speak to very smart people every day and your reports are widely read. But it’s very easy to get on a high horse and think you are all-seeing all-knowing. If that were the case you’d have raised millions in funding and solved all technology problems by now.

2. Let the vendor make their point. You may not agree with them, but let them present their perspective and give the courtesy of hearing them out.

3. A briefing isn’t a fight – it’s not an argument that needs to be “won”. If putting others down makes you sleep better at night that’s cool. But chill out a little, you’re meant to be impartial and balanced.

4. Set expectations – let the vendor know up front what you are hoping to get out of the call. Be open about whether you’re more interested in the product, or the company strategy, or the numbers. Vendors aren’t mind-readers.

5. One of the most useful phrase I learnt as an analyst was, “Can you help me to understand…” It’s a simple and effective line that can mean so many things such as, “I don’t believe you”, “too many buzzwords”, “maybe you need to think this through”. Whatever it may mean, it doesn’t come across as confrontational – it puts you on the same page trying to work through a problem.

6. Be organised – be on time, have your notes in order, don’t just blunder through the briefing. Yes, you’re a busy analyst that has to do many of these a week – but a little organisation can go a long way.

7. Share your plans – be clear as to what the vendor can expect. Do you plan on covering their company, will you include them in a larger piece of research. How frequently would you like them to keep in touch with you. All this can go a long way in ensuring a long and meaningful relationship.

The numbers don’t lie

If I were to add to Adrian and Antons respective blogs as a tip to vendors, that is that while an analyst may disagree on the effectiveness of your product, or its value, the numbers don’t lie. Analysts have a lot of numbers – they spend a lot of time sizing markets, analysing competitors growth projections and targets, most will be able to analyse your numbers, or infer them very quickly. So please don’t try and impress by claiming huge numbers or ridiculous growth. Don’t claim your TAM is your SAM or SOM.

I’ll digress and give an example of what I mean.

Say you are a producer of bottled water.

Every human needs to drink water, so the total available market (TAM) is around 7 billion.

But you’re restricted by geographical reach. Say you can only ship your bottled water to the whole of England , then that is your serviceable available market (SAM).

However, there are other competitors in England, and there are many people who won’t buy bottled water, maybe they drink tap water, or boil their own water, or have their own water filters. So, in reality you’re looking at a much smaller serviceable obtainable market (SOM).

Maybe you’re a vendor that secures IoT devices. Don’t start your pitch by saying that your market is 22billion devices (or whatever the number of estimated IoT devices is) because it’s not. That may be the TAM, but your SOM will be much smaller. So think about how you will convince the analyst your product has the right strategy to get there.

In my opinion, recklessly throwing around numbers is worse than buzzword bingo – you could end up in the vapour-ware category of my vendor heirarchy pyramid.



Market sizing

Seeing as I’ve kicked the hornets nest about numbers – I guess it’s a good time to talk about market sizing. I see a lot of weird and wonderful numbers thrown about and sometimes I’m left scratchiing my rapidly-balding head as to how markets are sized up. Many times I’ll see claims that the {small infosec segment} industry will be worth {huge} billions by 2020 according to {analyst firm}.

I have typically been drawn more towards the bottom-up approach to market sizing, it can be more time consuming, but gives a more sane answer.

It’s rather simple in that you basically take the collective revenue of the current vendors in a given market segment to get todays market size. If you know the rate at which each of the vendors is growing, or predicting to grow, you can estimate how large the market will be in the future.

For example, if you take a list of security awareness providers and calculate their turnover (I’ll save that for another post), and add it all together, maybe the answer will be $200m (as an example). So that’s our market size.

On average, all the companies may be growing sales at 25% every year. Which means that, barring any major disruptions, in two years time – the market size would grow to $300m.

So, if a new security awareness vendor comes onto the scene, they shouldn’t make claims that the market is worth 5bn because every employee in every company in the world needs training, or that they plan on growing to $500m in revenue in five years – an analyst will be justified in rolling their eye and being skeptical.




Thales splashes out $5.7bn for Gemalto

M&A in the infosec world has waited for the holiday season to go all out splashing its cash. A flurry of activity has occurred at the tail end of the year with considerable consolidation.

Proving that encryption and identity management is no slouch, Thales has made an eye-watering bid of $5.7bn to acquire Gemalto, a few days after Atos failed to make a successful bid.

The merged entity will create a near monopoly in encryption, key management, and HSMs. There is overlap between the two companies, and a fair amount of time will likely be spent picking apart the threads, de-duplicating services, and consolidaing divisions.

While there are alternative HSM offerings in the market, the combined presence of Thales and Gemalto will eclipse all others, both in general purpose, and payment processing HSMs.

The new company will also have a significant play in the identity as a service space. Although, it will remain to be seen if Gemalto will be content in dominating the areas it has greater presence in, or expand its offerings to broader cloud encryption, authentication, identity, and tokenization services.

Subject to regulatory approval, the deal is expected to close in the second half of 2018. Thales was advised by Lazard, Messier Maris & Associés, and Société Générale. Gemalto was advised by Deutsche Bank and JPMorgan.

A tale of two public companies

Infosec companies don’t always get the love they deserve from the markets once they IPO. As Barracuda Networks discovered despite posting respectable profitable growth.

PE firm Thoma Bravo stepped in, paying $27.55 per share for Barracuda in a $1.6bn move taking it private.

The market can be unforgiving, even when a company like Barracuda is profitable, it may not be profitable ‘enough’. One of the main contributing factors in the slower growth was Barracuda’s shift to a more cloud-focussed business model.

While the transition from legacy on-premises billing models to a subscription-based cloud model makes sense in the long run, it does include a degree of disruption – particularly on how the financial numbers are reported.

From that perspective, the deal makes a lot of sense. Thoma Bravo acquires a company that the market isn’t fully in-love with. Helps it get through the transition period to a cloud-based model, and see the value shoot up.

On the other end of public infosec companies lies Proofpoint. A company that has continued to grow through acquisition buying companies like FireLayers, Cloudmark, and most recently

Weblife is a browser isolation provider and makes an almost perfect fit for a company like Proofpoint which has a broad array of security capabilities but had a blind spot around BYOD or personal use of company-issued devices. Weblife provides an answer that may appease many an enterprise wrestling with personal / corporate monitoring and segregation.

The $60m acquisition of Weblife falls within the average purchase price for Proofpoint. Founded in 2013, Weblife had raised $3.5m, so the deal resulted in just over 17x multiple of invested capital.