No longer in stealth, Shape Security reveals its method for camouflaging websites from cybercriminals

By Michael Carney , written on January 21, 2014

From The News Desk

One year ago, almost to the day, Shape Security announced a $20 million Series B funding round. At the time, the company was approaching two years old and yet no one outside of a close group of advisors and early employees knew anything about what the stealthy company was building. Kleiner Perkins partner and Shape board member Ted Schlein told PandoDaily at the time that the company “has the promise to be one of the more disruptive forces in the security industry ‘since the early days of anti-virus technology.’”

Fast forward to today, and Shape is finally peeling back the kimono and hoping to add some substance to that heaping pile of bravado it’s served over the last three years.

At its most basic level, Shape has created what it believes will be the next generation of Web security. Eventually, the company believes that its technology, which amounts to anti-bot and anti-malware camouflage for the code underlying websites, will be used by every site on the internet. But initially the company is going after large enterprises and high-value targets like financial services companies, public and private defense sector organizations, and other online giants.

“Everything in the last 15 years of security has relied on the fact that bad actors are identifiable,” Shape co-founder and VP of Product Sumit Agarwal tells me in an interview. “But the new MO is to selectively and discretely use unwittingly compromised machines [aka, bots] belonging to individual users to conduct attacks. We’ve been heads down for the last two years and have $15 to $18 million worth of R&D invested to date focused on stopping all forms of these automated attacks.”

To offer an example, when a large list of usernames and passwords is stolen, as was the case with 2 million Google, Facebook, Twitter, and LinkedIn accounts in recent weeks, savvy cybercriminals immediately look to use these same credentials for payment accounts like those for banks, Amazon, or iTunes. To do so, they create scripts, small snippets of code that automate the entry of these millions of pieces of data into the login fields of such websites in search of a matching account. These criminals typically rely on botnets, large numbers of corrupted PCs belonging to unsuspecting users, to trick the website into thinking these are millions of individual users trying to log in, rather than a coordinated attack from a single nefarious source.

“For this type of attack to be effective, it needs to be cheap and efficient for the attackers to execute at scale,” Agarwal says. “We make it so that it’s much more difficult and thus much more expensive.”

The key to Shape’s script-busting system is to make any website using its security technology appear different every time it loads, rather than the static target that malware now encounters. At its most basic level, Shape replaces bits of text in a website’s code with random characters before serving the website to the visitor. In this way, for example, the attacker’s script cannot find the “username” and “password” fields (or the corresponding variables) into which to enter the stolen data. These changes are unwound as data is sent by the user back to the Web application.

In effect, Shape turns a website into a moving target.
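The mechanism described above can be illustrated with a small stateless rewrite layer; this is an added example, not Shape’s code, and it assumes a keyed HMAC pseudonym per field and page load (the secret key, the field list and the sample form are constructed for the demo).

```python
import hmac, hashlib, re, secrets
from urllib.parse import parse_qs

# Constructed sample login form; not taken from any real site.
LOGIN_FORM = ('<form method="post"><input name="username">'
              '<input type="password" name="password"></form>')
FIELDS = ("username", "password")
SECRET = b"constructed-demo-key"  # assumed server-side key; rotate in practice

def token_for(name, nonce, secret=SECRET):
    """Per-load pseudonym for a field: HMAC(secret, nonce:name), truncated.
    A letter prefix keeps the result a valid HTML name attribute."""
    mac = hmac.new(secret, f"{nonce}:{name}".encode(), hashlib.sha256).hexdigest()
    return "f" + mac[:16]

def shift_form(html, fields=FIELDS, nonce=None, secret=SECRET):
    """Rewrite name="..." of the protected fields so every page load exposes
    different field names, and embed the nonce so the server can unwind them
    without keeping per-page state."""
    nonce = nonce or secrets.token_hex(8)
    out = html
    for name in fields:
        out = re.sub(rf'name="{re.escape(name)}"',
                     f'name="{token_for(name, nonce, secret)}"', out)
    out = out.replace("</form>",
                      f'<input type="hidden" name="nonce" value="{nonce}"></form>')
    return out, nonce

def unshift_post(body, fields=FIELDS, secret=SECRET):
    """Map the pseudonymous names in a submitted body back to the real ones.
    Returns {} when the nonce or any expected field is missing, which is what
    a script replaying the static 'username'/'password' names produces."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    nonce = params.get("nonce")
    if nonce is None:
        return {}
    restored = {}
    for name in fields:
        tok = token_for(name, nonce, secret)
        if tok not in params:
            return {}
        restored[name] = params[tok]
    return restored
```

The demo does not bind the nonce to a session or expire it, so a harvested page could be resubmitted unchanged; a deployable version would tie each nonce to the visitor’s session and reject reuse.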

The company calls this product ShapeShifter, and it’s actually based on a technique borrowed from the hacker’s playbook. Malware designers have used what’s called real-time polymorphism to rewrite and mask their code every time a new machine is infected, thus avoiding detection by antivirus libraries.

“ShapeShifter focuses on deflection, not detection,” Shape co-founder and CEO Derek Smith said in a statement. “Rather than guessing about traffic and trying to intercept specific attacks based on signatures or heuristics, we allow websites to simply disable the automation which makes these attacks possible.”

“Imagine if every day, the blueprint for the building you want to attack changes,” Agarwal adds. “It would be much more costly to plan an attack on such a building using robots. Regular people can see where the door is, but machines cannot.”

Of course, a hacker could still manually enter each username and password combination, or develop a much more robust script, but neither is as economically feasible as the current option.

“If the market value of 10 million stolen passwords is $10,000, then our goal is to make the cost of testing those passwords $10,001,” Agarwal says.

“For many years now, I have said that what the world needs is a botwall – a new tier of your security architecture that blocks all commands from bots, malware, and scripts, which are the source or enabler of nearly all attacks,” Kleiner Perkins’ Schlein said in a statement. “Shape has successfully created the world’s first botwall. The Internet badly needs this. This is a game-changing technology which every major company will quickly adopt.”

Enterprise CSOs (chief security officers) are well aware of the threat they face from automated attacks and have thus been quick to grasp the concept of Shape’s solution, Agarwal says. “We often hear, ‘It should work in theory, so if it works in practice, I’m ready to go,’” he explains.

Another advantage of the product is that it adheres to what Agarwal calls his two flavors of security religion: never ask for help from developers, and never ask for ongoing configuration. Unlike other tools on the market which require two to three people to manage year round, Shape asks only that IT departments direct traffic to its system once, and it has no ongoing requirements.

Shape was founded by a team that previously worked at Google, the Pentagon, VMware, Cisco, Mozilla, and Palo Alto Networks. The company’s $26 million in Series A and Series B funding includes Kleiner Perkins Caufield & Byers, Venrock, Google Ventures, Wing Venture Partners, Allegis Capital, Google Executive Chairman Eric Schmidt’s TomorrowVentures, and former Symantec CEO Enrique Salem. In other words, this is no wet-behind-the-ears operation. Shape is bringing real experience and real credibility to bear on this important problem.

The company has been in private beta for much of 2013 with what Agarwal describes as “twenty-ish Fortune 200 customers.” The company plans to slowly roll out access to a larger number of clients and eventually incorporate ShapeShifter within CDNs, ISPs, and hosting companies to reach a mass-market audience.

“This is truly a horizontal technology,” Agarwal says. “The bar is like, ‘Do you have a website, and do you care about protecting it?’ But we’re getting the most traction where the pain is most measurable and where the penalty is the greatest for failing to solve it, which really means banking and ecommerce.”

One of the company’s beta customers is an online ticket marketplace that loses between $100,000 and as much as $1 million per day through fraud, he adds. Talk about motivation.

While the company has not published pricing, Agarwal calls it a fairly expensive enterprise license. Judging by the above example, many companies likely can’t afford not to buy it – that is, assuming it delivers as promised. The company will pursue a combination of direct and channel sales and recently hired former Palo Alto Networks Regional VP Mark Rotalo as its VP of Worldwide Sales.

The security sector is a never-ending game of leapfrog in which the “good guys” and “bad guys” continuously try to one-up each other with new and innovative ways to thwart one another. Real-time polymorphism isn’t new, but it has never been applied in this way before.

It’s still early days for Shape and its all-star security team. Agarwal predicts that the company’s security industry competitors will soon adopt similar technology, but points out that Shape has a two-year head start and is quickly building a reputation among the top dogs on the enterprise food chain.

“The mark of the greatest success is that your approach becomes the de facto standard,” he says.

Similarly, Agarwal expects cybercriminals will eventually find ways around ShapeShifter as well – at least as it’s currently designed – but he believes that the product could have five to seven years as the state of the art before this becomes an issue. That should be plenty of time for Shape to build a large business.

“The big problem in the security space is that adversaries find vulnerabilities at a rate which is fundamentally faster than developers can fix them,” Agarwal says. “We’ve tried to solve that problem by taking away that front door where people target their attacks.”
