Shape Security, the hot startup with a new approach to protecting websites from automated attacks, has raised new funding less than a month after coming out of stealth mode.
The company announced this morning that it had landed a $40 million Series C led by Norwest Venture Partners; Sierra Ventures also joined as a new investor. Previous investors Kleiner Perkins, Venrock, Google Ventures, Allegis Capital and TomorrowVentures (the fund run by Google Chairman Eric Schmidt) all participated in the round. Shape has now raised a combined $66 million in three rounds.
Shape has a new approach to security that is intended to fix one of the most basic, and yet most pernicious, problems facing Web security. It comes down to this: Every website, Web service, pretty much anything worth protecting from theft or vandalism on the Web has a sign-in screen somewhere, where authorized users type in user names and passwords.
While it’s one thing to steal a password and sign in by impersonating one of those authorized users, by and large the bigger threat to Web security is automated attacks that take advantage of technical weaknesses to get around the sign-in process, allowing attackers to force their way in.
There are thousands of different kinds of attacks, and they’re changing all the time. That makes it difficult to screen for them, which is what a lot of security products do.
What makes it worse is that it’s trivial and cheap to hire an army of “bots,” compromised computers, in order to carry out attacks on websites on a large scale. Solid statistics are hard to come by but these “botnet” machines number in the millions.
Shape has created a piece of hardware it calls the Shapeshifter, which it has come to describe as a “botwall,” borrowing from the well-known name for a network security appliance known as a firewall.
What it does is constantly change the source code of the sections of a website that are responsible for creating a sign-in interface. What human users see is no different. They can sign in with known user names and passwords like normal. But a lot of complicated work in the background makes the interface more or less invisible to a bot attempting to carry out an automated attack.
The technique is called polymorphism, and it’s borrowed from the virus world, where a virus changes its appearance in order to avoid detection.
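To make the idea concrete, here is an added toy illustration (not Shape's code; the page does not describe how the Shapeshifter itself is built) of polymorphic sign-in markup: every render of the form gets fresh, one-time field names, the server keeps the mapping back to the real fields, and a submission using stale or hard-coded names is rejected. The in-memory `_LIVE_FORMS` store and the `t` hidden-field name are assumptions of this sketch.

```python
import secrets
import string
from html import escape
from typing import Dict, Optional, Tuple

# The field names the application logic actually understands.
LOGICAL_FIELDS = ("username", "password")

# Constructed stand-in for server-side state: render token -> {obfuscated: logical}.
_LIVE_FORMS: Dict[str, Dict[str, str]] = {}


def _random_name(length: int = 12) -> str:
    """Random identifier that is a valid HTML name and reveals nothing."""
    return "f" + "".join(secrets.choice(string.ascii_letters) for _ in range(length))


def render_login_form(action: str = "/login") -> Tuple[str, str, Dict[str, str]]:
    """Render the sign-in form with field names that differ on every request.

    Returns (token, html, names) where names maps logical -> obfuscated name.
    A human sees the same two boxes as always; a bot that posts to
    'username'/'password' never matches a form the server served."""
    token = secrets.token_urlsafe(16)
    names = {logical: _random_name() for logical in LOGICAL_FIELDS}
    _LIVE_FORMS[token] = {obf: logical for logical, obf in names.items()}
    inputs = "".join(
        f'<input type="{"password" if logical == "password" else "text"}" name="{escape(obf)}">'
        for logical, obf in names.items()
    )
    html = (f'<form method="post" action="{escape(action)}">'
            f'<input type="hidden" name="t" value="{escape(token)}">'
            f'{inputs}<button>Sign in</button></form>')
    return token, html, names


def decode_submission(form: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map a POSTed form back to logical names; None means reject.

    The token is single-use, so a replay of an earlier render fails too."""
    mapping = _LIVE_FORMS.pop(form.get("t", ""), None)
    if mapping is None:
        return None
    decoded = {}
    for key, value in form.items():
        if key == "t":
            continue
        if key not in mapping:  # field name we never issued: not our form
            return None
        decoded[mapping[key]] = value
    return decoded if set(decoded) == set(LOGICAL_FIELDS) else None
```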
As Ted Schlein, a partner at Kleiner Perkins who led that firm’s investment in Shape Security, told me, it amounts to a fundamental rethinking of Web security. “They have invented a way to tell that a bad thing is coming in from automated traffic apart from something coming in from a human,” he said. “If it’s automated, it doesn’t get allowed through or at least it gets flagged for attention. On the other end of the spectrum, if it’s from a human, it gets through. And it does this in real time.”
In the end, he says, the website becomes a moving target, and bots can’t adapt to the constantly changing conditions, rendering their attacks useless.
It doesn’t do much for human attackers, who can still get in with, say, a stolen password. But bot attacks are far more numerous and far more dangerous to companies, Schlein said. “When you look at the recent high-profile breaches, the Target breach or the Neiman Marcus breach or whatever, it’s really not the breach that is the worst thing, it’s what happens to the data afterward. Once a breach occurs, then the bots come in to see what they can mine. We can stop them from doing that.”