Breach analytics: The next billion-dollar investment opportunity

The security market is clearly red hot, as evidenced by the continued investment into — and related valuation of — numerous startups in the field.

However, while rapidly maturing segments, including the endpoint detection and response (EDR) space, have garnered most of the headlines, the more nascent area of breach analytics may harbor even greater potential.

Recent news that endpoint security darling Tanium closed out another $150 million in funding led some investors to value the company at $3.5 billion and defensibly label it as “the world’s hottest cybersecurity startup.”

Yet based on the very nature and prevalence of today’s data breach incidents, most of which go undiscovered for many months, the promise of breach analytics shouldn’t be underestimated.

The numbers don’t lie. Researchers at Verizon noted in the Data Breach Investigations Report 2015 that the volume of breaches rose by 55 percent overall in 2014, citing the average time necessary to detect these incidents at roughly 200 days.

While this research clearly highlights the dire need for more effective application, endpoint, and network defenses, the findings make an even greater case for solutions that can discover and investigate campaigns that have already circumvented such forms of protection. This is why I contend that the emerging breach analytics space represents the security market’s next billion-dollar investment opportunity.

Quite simply, the days of using mere prevention are long gone. Breach analytics solutions – which assume that attackers have already found a way into the environment, monitor for telltale signs of such activities, and then investigate those behaviors to inform response – are rapidly becoming the next must-have toolset.

Unlike segments such as endpoint, which has been around in some form for over two decades, breach analytics is an almost completely green field proposition for the investment community. Established vendors including FireEye, which added forensics capabilities to its network sandboxing technology in 2014 via the $1 billion acquisition of Mandiant, have attempted to address the post-breach investigation scenario, but the investment opportunity lies in a new crop of startups.

While none of the leading analyst firms have yet attempted to size the breach analytics market space, with both log-based and network-based solutions available, all of them, including Gartner, IDC, and Forrester, have acknowledged its massive potential. At Menlo Ventures, we believe there will be winners in both types of architectures, driven by adoption of solutions that offer reduction of false positives and workflow prioritization.

Among the early leaders in breach analytics are providers including Exabeam, LightCyber, BitSight Technologies, Niara, and Vectra Networks, of which only BitSight is a Menlo investment. Further highlighting the tremendous upside of breach analytics is the fact that each of these players approaches the issue in a very unique and differentiated manner, which could lead to acquisition of multiple solutions among adopting organizations.

It’s worth taking a closer look at these providers and their respective approaches:

• Exabeam markets “user behavior analytics” (UBA) that use network log data to detect ongoing attacks and automate incident response. Its “Stateful User Tracking,” which draws information from existing security information and event management (SIEM) tools, promises to identify critical security anomalies and piece those activities into a detailed “attack chain.”

• LightCyber offers what it calls “Active Breach Detection,” which also hinges on behavior-based profiling to identify and alert anomalous attack behavior. The company is unique in that its solution incorporates both network and endpoint analysis with the specific goal of reducing false positives. Alert overload and noisy systems are the bane of today’s security analysts.

• BitSight offers security ratings that enable organizations to objectively assess and mitigate cyber risk for benchmarking, vendor risk management, and cyber insurance. These ratings are generated from the outside-in, without any information needed from the rated company. Research demonstrates that companies with lower ratings are at greater risk of a breach.

• Niara has developed a security analytics platform that delivers contextually-relevant threat information by fusing network and security data to discover users that have been compromised and insiders that are malicious. The combination of machine learning and big data amplifies the capabilities of security personnel and is an open platform that can leverage and enhance existing infrastructure.

• Vectra takes the network analytics approach, proposing to weave together data via machine learning to surface anomalous behaviors and even anticipate an attacker’s next move. Through continuous analysis of both internal and Internet-bound network traffic, the company maintains that it can automatically detect all phases of ongoing campaigns.

And these are merely the solutions providers that have already begun to make a name for themselves. As with every segment of the market, there’s nothing to say that some additional player, or set of emerging startups, won’t arrive to completely redefine and disrupt the existing landscape.

After years of investment, and billions of dollars in capital, it’s amazing to think that the IT security market may only just be getting started. Based on the continued success of attackers and need for applicable solutions, there’s no question that breach analytics will grow into a huge segment in its own right.

Venky Ganesan is a partner at Menlo Ventures.