Shape Security: A better security mousetrap for the enterprise?

Summary: Shape Security has big backers, an appliance called Shape Shifter and big enterprise customers deploying beta tests of the company's bot walls and polymorphic code approach to deter cybercrime.


Shape Security has emerged with big backers, $26 million in venture funding from big names such as Kleiner Perkins Caufield Byers, Google Ventures and Venrock and, more importantly, what could be a better security mousetrap that's easy to deploy for the enterprise.

Meet Shape Security. And welcome to the world of "bot walls" and real-time polymorphic code that's used to thwart cybercrime. The company was co-founded by Sumit Agarwal, Google's first mobile project manager. Shape's CEO Derek Smith used to be the chief of network security company Oakley Networks. Both Agarwal and Smith played key roles in U.S. cybersecurity policy and defenses.

I don't get wound up about companies too often. And I can barely stay awake for a lot of startup pitches since I know the majority of them will die anyway. Shape Security got my attention because its approach is welcome and necessary, and it has already enlisted some of the largest financial, e-commerce and healthcare companies as beta customers over the last six months. The deployment model also appears to be ready to scale in the enterprise.

Shape Security's approach revolves around disrupting the automation and scale of cybercrime. Cyberattacks have scaled better than the defenses have. By deploying automation via bots and the cloud---think crimeware as a service---hackers can exploit enterprise defenses easily. As a recent Cisco Systems report documents, the attacks and bots just keep coming.

The big idea from Shape, which has 58 employees, is to apply polymorphic code---which malware has used for years to rewrite itself on infected machines to elude detection---to Web code. Every site with a user interface---basically every Web site---has code that can be seen and dissected via view source in any browser. Cybercriminals can exploit that code easily with bots.

Shape Security applies polymorphism to that code, turning it into strings that are hard to attack and rewriting them on every page view without hurting functionality. Bottom line: Web sites can become moving targets for malware bots. At the very least, cybercriminals will have to work harder for their money---assuming Shape Security's approach gains traction.
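The two paragraphs above describe rewriting page code on every view so that a bot cannot rely on fixed identifiers. The following is an added illustration of that idea in a few dozen lines of Python; it is not Shape Security's code and says nothing about how ShapeShifter actually works. It assumes a rewriting layer sitting in front of the origin application, a constructed login form, a hypothetical deployment secret, and a per-page-view nonce that travels in a session cookie. Field aliases are derived with an HMAC so the inbound direction can recompute the mapping instead of storing it; the origin application still sees the original field names, while submissions that replay hardcoded names or aliases from another page view are rejected and can be logged.

```python
# Added illustration of per-page-view polymorphic rewriting of form field
# identifiers. Not Shape Security's code: the form, secret and field names
# are constructed for the example.
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Tuple

# Constructed login form as the origin server would emit it.
ORIGINAL_FORM = (
    '<form method="post" action="/login">'
    '<input type="text" name="username" id="username">'
    '<input type="password" name="password" id="password">'
    '<input type="hidden" name="csrf" value="abc123">'
    '<button type="submit">Sign in</button>'
    '</form>'
)

# Hypothetical deployment secret; only the rewriting layer knows it.
SERVER_SECRET = b"constructed-example-secret"

# Developer-defined identifiers that get rewritten. Attribute names such as
# type= and values such as the CSRF token are left alone so the page works.
FIELD_NAMES = ("username", "password", "csrf")

_ATTR_RE = re.compile(
    r'\b(name|id)="(' + "|".join(map(re.escape, FIELD_NAMES)) + r')"'
)


def derive_alias(field: str, nonce: str, secret: bytes = SERVER_SECRET) -> str:
    """Alias for one field in one page view.

    HMAC(secret, nonce:field) lets the rewriting layer recompute the mapping
    on submission instead of storing it, and aliases learned from one page
    view are useless against another because the nonce differs.
    """
    mac = hmac.new(secret, f"{nonce}:{field}".encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:16]  # leading letter: valid HTML name/id


def forward_rewrite(html: str, nonce: str, secret: bytes = SERVER_SECRET) -> str:
    """Outbound direction: swap real name=/id= values for aliases."""
    return _ATTR_RE.sub(
        lambda m: f'{m.group(1)}="{derive_alias(m.group(2), nonce, secret)}"',
        html,
    )


def reverse_translate(
    submitted: Dict[str, str], nonce: str, secret: bytes = SERVER_SECRET
) -> Tuple[Dict[str, str], List[str]]:
    """Inbound direction: map aliases back so the origin app sees real names.

    Keys that are not aliases for this nonce are rejected rather than passed
    through; a client replaying the original names, or aliases captured from
    a different page view, shows up here and is worth logging.
    """
    alias_to_field = {derive_alias(f, nonce, secret): f for f in FIELD_NAMES}
    translated: Dict[str, str] = {}
    rejected: List[str] = []
    for key, value in submitted.items():
        if key in alias_to_field:
            translated[alias_to_field[key]] = value
        else:
            rejected.append(key)
    return translated, rejected


def serve_page(html: str = ORIGINAL_FORM) -> Tuple[str, str]:
    """One page view: fresh nonce (assumed to ride in a session cookie)
    plus the rewritten HTML sent to the client."""
    nonce = secrets.token_hex(8)
    return forward_rewrite(html, nonce), nonce


def browser_submit(served_html: str, values: List[str]) -> Dict[str, str]:
    """What a real browser does: read the name= attributes actually present
    on the page, in document order, and submit whatever they happen to be."""
    names = re.findall(r'name="([^"]+)"', served_html)
    return dict(zip(names, values))


if __name__ == "__main__":
    page, nonce = serve_page()
    print(page)
    print(reverse_translate(browser_submit(page, ["alice", "s3cret", "abc123"]), nonce))
    print(reverse_translate({"username": "bot", "password": "bot"}, nonce))
```

Running it shows a form whose field names differ on every request, a legitimate submission that arrives at the origin application with the original names restored, and a hardcoded bot submission that maps to nothing. The commenters' questions below about sessions and about what happens to tags the page relies on are visible in this sketch: the reverse direction is what keeps the origin application unaware of the rewriting, and only the identifiers in FIELD_NAMES are touched.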



In a nutshell, Shape is looking to shift the economic costs to the attackers instead of the hackers.

Shuman Ghosemajumder, Shape's vice president of product and former click fraud czar at Google, said automation has enabled cybercrime models to work and scale. "We can change the economics of cybercrime so it is not as easy to make money by disrupting automation," he said.

Among the key items driving automated cybercrime:

  • User interfaces can't be turned off;
  • So it's difficult to use security approaches on user interfaces without hurting engagement;
  • Bots look like real users since they all rely on the idea that Internet protocol addresses are all valid;
  • All Web sites are vulnerable;
  • Attackers don't even have to reverse engineer Web apps;
  • Botnets can be rented for about $1.50 an hour.

Shape Security works because it can detect real vs. bot traffic. Instead of letting all IP addresses in, Shape stops it all at the gate since 60 percent of Web traffic is automated.

The promise here is that Shape Security's approach could stop attacks relying on automation. For instance, account takeovers, advanced denial of service attacks, carding, automated scans, scraping and others could be derailed.

Now this approach from Shape Security wouldn't be as noteworthy to the enterprise if it didn't have a solid delivery model. The company plans to start with an appliance called ShapeShifter, which will plug into existing architecture and can be deployed in parallel. The appliance approach is a good way for Shape Security to get a large data center footprint in a hurry.

Ghosemajumder said the company determined that an appliance was "the fastest way to deployment."

From there, Shape Security, which launched prototypes on Amazon Web Services, plans to launch a cloud service. The appliance will capture the high end of the security market and the cloud will spread Shape's approach to the masses. By focusing on large enterprises first, Shape is hoping to get the intelligence to thwart the most complicated attacks.

As for the pricing of Shape's appliance and future services, Ghosemajumder said the following:

The pricing model is still being finalized, but we are considering a subscription model as well as an appliance sales model. For early adopters we have focused on an unlimited use model and seven figure enterprise-wide deals. We have achieved bookings in the low seven figures already and are estimating bookings of low eight figures in 2014.

Once the polymorphic approach gains traction, the real security games begin. Initially, automated attacks will just move away from sites deploying Shape Security's approach. Once these bot walls are built everywhere, look for cybercriminals to come up with new tricks to keep the cash coming.

"We are populating our roadmap for the next five, six or seven steps cybercriminals will make and figuring out a countermove," said Ghosemajumder.

Topics: Security, Hardware, Start-Ups

  • Minor correction...

    "In a nutshell, Shape is looking to shift the economic costs to the attackers instead of the hackers."

    Didn't you mean something else here? First term 'attackers' is right but second term 'hackers' probably should have been defenders or coders. I realize that hacker originally was a term for someone that coded but wasn't very skilled at it but in recent history, the term hacker has become more synonymous with the criminal element than the developer.

    Otherwise, excellent bit of news in your article!
    • Hak....

      Actually, I once saw a claim that 'Hak' was an old Yiddish word meaning 'to make furniture with an axe' - implying either great skill, or poor results - exactly in line with the two current interpretations.
  • Polymorphism could impede web application firewalls from working as well

    Polymorphism, like code obfuscation, should be useful. However web application firewalls, which monitor the websites they protect over time, could have a harder time developing behavior profiles. If this technology proves useful I'd expect it to be integrated within web application firewall products, in which case the two technologies can communicate and work together.
    • Um, just layer the technologies correctly.

      Put this technology ahead of your WAF, problem solved.
  • how sessions will work

    if names and IDs keep changing?
    • Um....

      They'd be translated not only forwards, but backwards too - so the server applications don't see anything different. If it's done right, even JavaScript apps should be fine - though YMMV.
  • Wouldn't this affect W3C compliance?

    Sorry if it is a stupid question.

    But W3C compliance relies on the tags too, especially 'alt' and 'title' among other things. There is also the emerging WAI-ARIA landmarks solution. What I'm getting at is whilst they change the 'id' and 'name' to something meaningless, the botnets could instead just look at the other tags used by the accessibility tools instead. Meanwhile, for those sites not using the other tags, the accessibility tools could be displaying garble to the user.
    • Um, so it just whitelists those tags, for those terms....

      I don't think it's changing *all* tags (color= !!!) as that would be silly, only those that are developer defined.
  • password managers?

    Seems like this kind of field obfuscation would break password managers as well, at least their autofill function (which is probably how most people use them).
    • Sort of good point...

      Good point - I'm sure password managers are spotting attributes with additional tags ('password' etc.) to identify & store usernames/passwords - but good point, if web browsers are smart enough, so are the scanning tools.

      It's a flaw with all obfuscation that what you're hiding needs to be un-hidden somehow, so I'd say this is a stop-gap technology, but useful until fuzzers become as smart as web browsers. (obviously just by using the same libraries).

      But security is all about countermeasures, and none are 100% effective, so to that end, this is a useful countermeasure & technology at the moment.