Shape Security: A better security mousetrap for the enterprise?

Shape Security has big backers, an appliance called Shape Shifter and big enterprise customers deploying beta tests of the company's bot walls and polymorphic code approach to deter cybercrime.
Written by Larry Dignan, Contributor

Shape Security has emerged with big backers, $26 million in venture funding from big names such as Kleiner Perkins Caufield Byers, Google Ventures and Venrock and, more importantly, what could be a better security mousetrap that's easy to deploy for the enterprise.

Meet Shape Security. And welcome to the world of "bot walls" and real-time polymorphic code that's used to thwart cybercrime. The company was co-founded by Sumit Agarwal, Google's first mobile project manager. Shape's CEO Derek Smith used to be the chief of network security company Oakley Networks. Both Agarwal and Smith played key roles in U.S. cybersecurity policy and defenses.

I don't get wound up about companies too often. And I can barely stay awake for a lot of startup pitches since I know the majority of them will die anyway. Shape Security got my attention because it's approach is welcome, necessary and it has already enlisted some of the largest financial, e-commerce and healthcare companies as beta customers for the last six months. The deployment model also appears to be ready to scale in the enterprise.

Shape Security's approach revolves around disrupting the automation and scale of cybercrime. Cyberattacks have scaled better than the defenses have. By deploying automation via bots and the cloud---think crimeware as a service---hackers can exploit enterprise defenses easily. As documented in a recent Cisco Systems report: The attacks and bots just keep coming.

The big idea from Shape, which has 58 employees, is to use polymorphic code---what is used by malware for years to rewrite itself on infected machines to elude detection---on Web code. Every site with a user interface---basically all Web sites---have code that can be seen and dissected via view source on any browser. Cybercriminals can exploit that code easily with bots.

Shape Security takes polymorphism, revamps code into strings that are hard to attack and rewrites every page view without hurting functionality. Bottom line: Web sites can become moving targets for malware bots. At the very least, cybercriminals will have to work harder for their money---assuming Shape Security's approach gains traction.



In a nutshell, Shape is looking to shift the economic costs to the attackers instead of the hackers.

Shuman Ghosemajumder, Shape's vice president of product and former click fraud czar at Google, said automation has enabled cybercrime models to work and scale. "We can change the economics of cybercrime so it is not as easy to make money by disrupting automation," he said.

Among the key items driving automated cybercrime:

  • User interfaces can't be turned off;
  • So it's difficult to use security approaches on user interfaces without hurting engagement;
  • Bots look like real users since they all rely on the idea that Internet protocol addresses are all valid;
  • All Web sites are vulnerable;
  • Attackers don't even have to reverse engineer Web apps;
  • Botnets can be rented for about $1.50 an hour.

Shape Security works because it can detect real vs. bot traffic. Instead of letting all IP addresses in, Shape stops it all at the gate since 60 percent of Web traffic is automated.

The promise here is that Shape Security's approach could stop attacks relying on automation. For instance, account takeovers, advanced denial of service attacks, carding, automated scans, scraping and others could be derailed.

Now this approach from Shape Security wouldn't be as noteworthy to the enterprise if it didn't have a solid delivery model. The company plans to start with an appliance called ShapeShifter, which will plug into existing architecture and can be deployed in parallel. The appliance approach is a good way for Shape Security to get a large data center footprint in a hurry.

Ghosemajumder said the company determined that an appliance was "the fastest way to deployment."

shape shifter


From there, Shape Security, which launched prototypes on Amazon Web Services, plans to launch a cloud service. The appliance will capture the high end of the security market and the cloud will spread Shape's approach to the masses. By focusing on large enterprises first, Shape is hopping to get the intelligence to thwart the most complicated attacks.

As for the pricing of Shape's appliance and future services, Ghosemajumder said the following:

The pricing model is still being finalized, but we are considering a subscription model as well as an appliance sales model. For early adopters we have focused on an unlimited use model and seven figure enterprise-wide deals. We have achieved bookings in the low seven figures already and are estimating bookings of low eight figures in 2014.

Once the polymorphic approach gains traction the real security games begin. Initially, automated attacks will just move away from sites deploying Shape Security's approach. Once these bot walls are built everywhere, look for cybercriminals to come up with new tricks to keep the cash coming.

"We are populating our roadmap for the next five, six or seven steps cybercriminals will make and figuring out a countermove," said Ghosemajumder.

Editorial standards