BYOD devices

Data security is an ongoing game of cat and mouse between attackers on one side and CISOs and security software developers on the other. One consequence of this battle is that with each technical breakthrough, there comes an effort to obfuscate the details of the new solution, with the hope of maintaining an edge against adversaries and industry competition. This is why so many security companies today are raising round after round of venture capital while remaining “stealth” about the details of their product.

Bluebox Security is the latest such company, which today announced $18 million in new funding via a Series B round led by Tenaya Capital with participation from existing investors Andreessen Horowitz*, Sun Microsystems co-founder Andreas Bechtolsheim, and SV Angel. Tenaya’s Brian Melton will join the company’s board of directors. The company previously raised $9.5 million via a July 2012 Series A round led by Andreessen Horowitz.

Bluebox is a mobile security company focused on addressing the vulnerabilities introduced by the BYOD (bring your own device) trend in the enterprise. With users relying on the same devices for both business and personal use, data leakage has become a thorny issue for IT departments. Bluebox promises to solve this in a way that appeases both corporate IT and end users.

“This is the best team I’ve seen in this space in the last five to ten years,” says Andreessen Horowitz partner and Bluebox board member Scott Weiss. “They know security inside and out and understand the need to create solutions that work for both IT and end users, who of course don’t like to be inconvenienced by security.”

While details around Bluebox’s solution have been sparse, the company hasn’t been shy about putting its name out there. In July 2013, the company alerted Google it had found a vulnerability that allowed third-party apps to exploit the Android operating system. Google patched the vulnerability, but not all OEM device manufacturers were as quick to follow suit, so Bluebox released an app called Bluebox Security Scanner to help users identify installed apps trying to exploit this vulnerability.

Bluebox has also worked with a between 10 and 20 beta customers, according to Weiss, with Tenaya’s Melton adding that the company has received a “strong endorsement” of its solution and validation across this group. Bluebox is targeting what it calls Global 2000 enterprises.

The company was founded by Caleb Sima (its CEO), a former Chief Technologist within HP’s Application Security Center and Senior Security Consultant and X-Force Researcher at IBM Internet Security Systems, while an EIR at Andreessen Horowitz. Sima’s co-founder and Bluebox’s COO, Adam Ely, is a former Chief Information Security officer within Salesforce’s Heroku business unit, a former security and compliance lead at TiVo, and a security lead at The Walt Disney Company.

Bluebox’s founders are insistent that their solution is entirely unique within the industry and shouldn’t be confused with existing MDM (mobile device management) solutions. “Many companies have invested in mobile security solutions that focus on the device, but don’t address the core issue of mobile security,” Sima said in a statement today. “We founded Bluebox with a unique approach to mobile security that focuses on what really matters – data.”

“This is a larger, but crowded market,” Weiss says. “Most players are not doing BYOD mobile security right. There are large well funded companies that are nominally in this space but that aren’t nailing it. I’m not talking about the Symantecs of the world, but other startups like Good, MobileIron, and Zenpryes. We wanted to come up with something different than what’s out there, and we’re confident we’ve done that.”

There are other early stage companies promising game changing solutions to the BYOD problem in addition to those Weiss mentioned, including Bromium, which recently raised $40 million for a solution based on isolating tasks like clicking on links, and Confer, makers of an intelligence-driven security platform that just announced its own $8 million funding round last week. Expect to see a knock-down, drag-out fight for dominance in this sector over the next half-decade. To the winner will go billions of dollars in spoils.

According to Weiss, the primary concerns of most CISOs can be broken down into Stuxnet-like infiltrations and data walking out the building in employees hands. “Most breaches have some element of social engineering involved,” he says. “Our solution is right at the heart of these two vulnerabilities.”

Bluebox and its investors are confident that they’ve gotten the product right, according to Weiss. But the big challenge will be how to scale operations and how to break through the noise in this crowded category. And that’s where this round of funding will come in. The company’s founders may be technologists, not salesmen, but they have access to plenty of board-level experience with building out enterprise-grade sales and marketing organizations. And they’ve had little trouble recruiting for these departments, according to Weiss. “When two top security guys get together to solve a big problem, they attract an elite team,” he says.

We have little to go on to judge Bluebox today, other than the reputation of its founders and its VC backers. By those two metrics, the company appears to have a bright future. But hackers don’t care about pedigree. Bluebox will succeed or fail based on its ability to protect corporate data with limited disruption to the end-user experiences.

The company plans to launch its solution approximately one month from today, on February 19. At that point, there will be no more dancing around the details of the product. Bluebox will either be the best thing since security’s answer to sliced bread, or it won’t.

(* Disclosure: Andreessen Horowitz partners Marc Andreessen, Jeff Jordan, and Chris Dixon are individual investors in PandoDaily.)

[Image via GFI]