Think of the way most cyber security software works: it's akin to putting up a big fence around your business (a firewall) and putting a guard at the gate who tries to detect threats by scanning the IDs of anyone who wants to come in. As malicious software gets more sophisticated--it could look like an innocent email from a friend--that guard is more easily fooled.
Bromium, a Cupertino, California-based start-up, thinks it has found a better way to keep devices safe--and some high-profile VC firms would seem to agree. The company recently closed a $40 million Series C round, bringing its total funding to date to $75.7 million from Andreessen Horowitz, Ignition Partners, Highland Capital Partners, Intel Capital, and Meritech Capital Partners.
"Every one is trying to fight advanced malware," CEO and co-founder Gaurav Banga says. "You can click on anything on your computer, tablet, or smartphone, and despite your best efforts to protect against bad clicks, your entire system can get infected. It can happen anytime, and it happens with frightening frequency."
Customers like the New York Stock Exchange, three of the world's top private companies, and a few government agencies use Bromium's two products, designed to work together to tag-team the task of securing a computer. vSentry sets up micro-virtual machines to house and record each task employees perform on a computer--from individual emails to Internet browsing. If one of those tasks becomes compromised through malware or a virus it is completely isolated from the rest of the computer and gets discarded automatically, protecting the machine and the rest of the network. After the attack, LAVA automatically conducts forensic analysis to find out what the attack was trying to accomplish.
In light of the company's recent cash infusion, Inc.com caught up with Banga to talk about Bromium's technology and what businesses need to know about the changing security landscape. Here's an edited and condensed version of the conversation.
What's different about Bromium's approach to cyber security?
When we looked at the existing security practice, we saw it's all based on detection [of threats]. It will get better each year, but only by 10 to 20 percent. It will still always be behind, a kind of cat-and-mouse game. But we realized to get ahead we have to get away from this practice. We flipped the paradigm: We protect through isolation first, then detect, and provide information on what actually happened. We assume that malware will defeat detection, so our goal is to limit the impact of malware in time and space and reduce the cost to our customers. And we have achieved our objectives--the malware cannot spread out of the micro-VMs.
What will this latest round of funding enable you to do?
We have spent our first two and a half years developing the product and deployed it last September. Now, we have taken it to our first 30 customers and solidified our business model. The goal of the recent fundraising is to scale up our operations, hit the gas pedal, and start selling and marketing our product to get more customers. It'll fund more sales people, more support and marketing for our growing business to double revenue.
I noticed Bromium is not compatible with Apple iOS. How has this affected sales?
It doesn't. The nature of security is that the bad guys tend to focus on where the biggest hole is, where the pickings are the easiest. Right now, the legacy of Windows, networks, and websites is that they are very easy to attack. Trying to attack through iOS is much harder. This has never been an issue and has never come up with our customers. No one has said they won't buy our products because we aren't compatible with iOS.
Still, the security space is ever-changing. What are some other myths about cyber attacks that might be hurting business owners?
I think the biggest myth in security that people believe is that advanced detection works. If you think you have anti-virus or a firewall, and think it's good enough, just ask yourself a question: How many times has my anti-virus alerted me in the last five years? How many newspaper articles have you read about people like yourself being compromised? If you rely on a firewall, where it that firewall when you're in a coffee shop? Is it between you and the Internet?
What else do small businesses need to know about cyber threats?
Drive-by downloads and phishing emails continue to be traps, but they just have become more sophisticated and increased their impact on systems. For businesses, they tend to attack payroll systems for the sensitive information. This is the one person that must be consolidated, especially if you have public dealings. An attack can come in the form of a fake invoice. And Java continues to be a problem with drive-by downloads. We also expect to see a lot more attacks coming through PDF documents and Adobe.