Every year, a few thousand early-arriving RSA Conference attendees queue up to get a good seat for what has become a fabulous conference kick off: the annual Innovation Sandbox competition.
A carefully selected lineup of 10 tantalizing cyber security startups square off against each other in a series of three-minute, venture capital-style elevator pitches. Then a panel of distinguished judges asks each of the presenting entrepreneurs some questions, and after brief deliberations, a standout company is awarded the top prize. After hearing all 10 mini-presentations, it feels as if one has been through a primer on the most pressing cyber security issues.
Despite the abbreviated time presenting companies have to make their cases, the format has always proven to be a fascinating way to gauge up-and-coming security vendors. Not only does the format force them to present concise descriptions of their companies' value propositions, it provides a great window into which entrepreneurs can inspire and breed confidence.
It also gives the conference program chairman, Hugh Thompson, an annual opportunity to expertly frame the cyber security challenges of the day, and this year he opened the proceedings with a simple statement that security has become one of the world's most innovative industries out of necessity.
"We have adversaries," Thompson said, "and they have no rules."
He then brought up one of the judges, tech investor and entrepreneur Niloofar Razi Howe, to help make his point. Howe proceeded to share this disturbing fact: The Dark Web is 50,000 times bigger than what she called "the surface web." No wonder, then, that there are as many as 100,000 cyber security companies raking in $110 billion a year in spending on their products, or that venture capitalists are investing about $6 billion a year in security startups. (Howe's numbers.)
"You have a situation where the threat landscape is expanding," she said. "The market recognizes the need for innovation."
Hence the growing interest in an annual competition pitting innovators against each other. Which brings us to the strong field of competitors that no doubt had the judges considering simply drawing straws.
Down the line, every one of the presenting companies shared solutions that promised innovative solutions to problems both old and new. For instance, Manish Gupta, CEO of ShiftLeft, called his company's approach to continuous application security as being akin to "Google Maps for your source code."
After suggesting that the fact that code analysis hasn't changed in the last 20 years may be the reason code has become one of the largest attack surfaces, Gupta claimed that ShiftLeft is able to protect vulnerabilities that haven't been fixed, detecting backdoors, data leakage and other app vulnerabilities before they're exploited.
Meanwhile, Alon Kaufman, CEO of Duality Technologies, caused a stir by claiming that the company has broken through a critical cyber security barrier and is using homomorphic encryption — which Kaufman called the "holy grail of information security" — to enable collaborative analysis of sensitive data without violating privacy. When one of the judges expressed disbelief that Duality had achieved such a significant breakthrough, Kaufman simply said he'd be happy to demonstrate at the company's booth.
To be fair, every presenter had something groundbreaking to share:
-Axonius CMO Nathan Burke proudly claimed that his company is solving the least-sexy problem in security by helping organizations get a handle on their assets. "Everything we do in a security program is built on a foundation of knowing your assets," said Burke.
-Justin Antonipillai, founder and CEO of WireWheel, said the company has created an interface that converts a company's privacy stack into usable information.
-Salt Security CEO Roey Eliyahu said his company can eliminate blind spots in security APIs, preventing attacks with something he called "behavioral protection."
-Yuriy Bulygin, CEO of Eclypsium, presented a solution that secures the firmware running components of devices, protecting them from tampering and other compromises.
-DisruptOps CEO Jodi Brazil likened his company's approach to automating the securing of cloud assets with guardrails to Henry Ford's invention of the modern assembly line.
-Declaring that identities have "become super powers," CloudKnox Security CEO Balaji Parimi said his company provides visibility into who can touch a company's infrastructure. "It all starts with properly identifying identity privileges," said Parimi.
-Capsule8 seeks merely to secure Linux production environments, detecting and preventing attacks in real time, providing alerts that evolve along with attackers' methods. CEO John Viega called it a "solution built by black hats to stop black hats."
-Finally, Kevin Gosschalk, CEO of Arkose Labs, quoted Sun Tzu's "Art of War" in describing the strategy of his company's technology, which seeks to discourage attackers by using telemetry to create models that machine learning algorithms can't identify. "Convince your enemy that he'll gain very little by attacking you," the quote reads. "This will diminish his enthusiasm," the quote went.
"Make no mistake about it," Gosschalk said in justifying his use of Tzu's philosophy. "This is war."
No one in the room would have disputed the notion of cyber security as war, but the judges' ultimate choice — Axonius, which edged out runner-up Duality — was somewhat of a surprise in that it seeks to tackle such a long-standing issue. Then again, that's exactly what impressed the judges, who indicated that they were swayed by the promise of a solution to a problem that CISOs have struggled with for so many years.
Not that there wasn't a little warfare in coming to that decision.
"No blood was shed," Thompson said of the judges' deliberations. "But I heard it was very contentious."
There will no doubt be more contentiousness next year when a new cast of startups dukes it out at the 2020 Innovation Sandbox.