I Interview Shadow Networks’ Founder/CEO Eric Winsborrow: Cybersecurity Newsletter Week of 4/20

Sign up for my newsletter to see more interviews with the biggest names in cybersecurity.

This week I was lucky enough to interview Eric Winsborrow, cofounder, president and CEO of Shadow Networks. Shadow Networks focuses on mitigating advanced persistent threats (APTs)–the next-gen, super-sophisticated attacks that legacy security systems won’t protect. Shadow raised a $14mm series A in 2014 from Crosslink, Yaletown and Paladin Capital Group. Eric gave me some incredibly detailed answers and the interview proved extremely informative for me. Check out the awesome interview below and please let me know if you have any feedback on the newsletter. Thanks!

Thought leaders in the cybersecurity space such as Ted Schlein at KPCB and Adam Ghetti at Ionic Security have said that hackers are going to breach organizations’ networks and so the focus of organizations should be on securing the endpoint rather than the network. How do you think about network security in its current state?

I’m surprised that people as smart as Ted would say to focus on endpoints. He must have meant more than that. He often said (and others have quoted as their own) that there are two types of companies, those that know they’ve been breached and those that don’t – but make no mistake that all have been breached. I suppose that’s why some would say to focus on endpoints, since attacks are already inside, but that’s rather myopic. As a person who ran Product Mangement for Symantec’s core enterprise business, including all endpoint antivirus and Symantec Client Security, as well as McAfee’s Total Protection Solutions, endpoints are just as fallible as network security. Even the latest endpoint security approaches, while better than my old products, see only part of the picture. I think the days of just trying to stop attacks as they cross a perimeter OR land on an endpoint are over – you need to assume they’ve bypassed that and start looking beyond the initial phases of the attack kill chain – assume they are inside and are laterally moving.

You’ve worked at both Symantec and McAfee. Why did you choose to leave and start Shadow Networks? What are you able to do at Shadow Networks that you weren’t able to do at those larger companies?

It was my experience at these traditional security vendors that illustrated the need to use disruptive technology like Software Defined Networking to change the game and try a different approach. Our entire industry for the past two decades has been built on the premise that you “block” attacks as they enter networks or land on endpoints. Problem is, once advanced attacks bypass that first (and only) line of defense, they live in networks for an average of 6-8 months. I founded Shadow Networks on the assuming that attacks would already be inside the networks, and ignored the first couple stages of the Attack Kill Chain to focus on the behaviors of attacks ONCE INSIDE a network. It’s lateral movement, communication to Command and Control and Exfiltration techniques etc.. Our goal is to DECEIVE attacks to take them away from the real network, but rather than kill them on contact, let them safely play out in a Deception Network to reveal intent, while keeping them from finding the real network.

The press has talked a lot about the “virtual honey net” that you create to trap hackers in a sort of virtual environment separate from the organization’s assets. How similar is this technology to the containerization technology used by companies like Invincea?

A “virtual honey net” is a nice start, but you need them to be more dynamic, scalable, and responsive. Typical honeynets are often statically deployed and pray something lands, rather than dynamically deployed to where the action is suspected to be going on at that moment. Honeynets are also often used as the launch point for a pivot and attack, since they don’t really control where attacks can go after they land. Use of SDN and flow control in a true Deception Network can do what a honeynet can do, but can respond quickly to attacks in networks, and contain them to allow the attack to go where you want them to, and not to where you don’t. That’s the difference between a static honeynet and a dynamic Deception Network.

What areas or problems in cybersecurity should up and coming entrepreneurs be focusing on?

The market needs to shift. It’s now painfully obvious. It was blasphemy a few years ago when we started, but today it’s a foregone conclusion. Entrepreneurs cannot try to repeat the approaches of past security. We don’t need a fifth generation firewall. We need the market to be more “Active Defense” in nature. Not Active Defense in the military term (the best defense is a good offense – which is illegal for businesses), but active in terms of dynamic and responsive. Assume they are inside. Assume they aren’t known (zero day). And rather than “allow or deny”, why not “allow or divert”, or “allow or deceive”. If you’re lucky enough to see anything, let it safely play out and determine intent. It won’t be the only attack moving through your customer’s newtork.

How did you choose Crosslink, Paladin and Yaletown as your investors and how do you look for VCs to add value to your company?

I was working as an EIR at one of these invetsors when I saw the scientists in the National Labs using SDN and virtualization technology to create realistic networks on the fly. My mind instantly saw the value applying to security. Yaletown and Crosslink were already on board, and Paladin has the mandate following 9/11 to find technology suitable for national security purposes. Our original customers were the US Government departements and agencies, so Paladin was a natural choice. Our focus is now on enterprise, but as often happens with advanced cyber security efforts, it is born of investments into advanced security for national defense. We’ve since had other Valley investors join as well.


Raytheon buys 80% of WebSense from Vista Equity Partners for $1.9bn

  • The move will bolster Raytheon’s foreign presence and add commercial and civil markets to Raytheon’s already-strong position in the military and intelligence markets.
  • In 2015 Websense will contribute just 5% of Raytheon’s revenues, “the growth rates and margins are so much better than in defense” that executives expect that number to grow significantly.
  • Vista purchased Websense for just $1bn in 2013.

Blackberry buys WatchDox for $100-150mm

  • WatchDox is a secure, file sync/share company that will be integrated into Blackberry’s MDM portfolio.

Matt Cohler on Benchmark’s Investment in Duo Security

  • Benchmark makes “bottom-up” bets rather than making sector-level bets. They liked Duo because of the awesome team but also because it speaks to one of the biggest tech trends right now–consumerization of the enterprise. Cohler argues that the experience of using Duo is like that of a consumer product–unique for an enterprise security app.

The “Protecting Cyber Networks Act” and the “National Cybersecurity Protection Advancement Act” both passed this week with bipartisan support

  • These bills will create a kind of “cyber-negligence liability.” They will force private companies to acknowledge shared threat information and act upon it. 

The VCs who Most Frequently Appear on Cybersecurity Boards of Directors

  • The list includes Ted Schlein of KPCB, David Cowan of BVP, Ray Rothrock of Venrock, and Steve Herrod of General Catalyst.

Cloud security investments spike prior to RSA Conference 2015

  • Great overview of the cyber security financings and financiers of that past few months.
  • Jim Reavis, co-founder and CEO of the Cloud Security Alliance, believes that cloud access security brokers will remain hot throughout 2015.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s