The document discusses 10 emerging security product categories that are growing rapidly but may not be widely known. These include cloud infrastructure security, cloud application control, browser isolation, endpoint security for web apps, software-defined perimeter, detection through deception, incident response automation, automated public threat assessments, self-guided incident response testing, and virtual mobile infrastructure. Each category is briefly described along with example vendors in the space.

1. Ten security product categories you’ve
probably never heard of
Adrian Sanabria, analyst at 451 Research

2. What does an analyst do?
In short: We’re the FAQ or missing manual to clients for our respective markets.
Who are our (451’s) clients?
1. Vendors (biggest chunk)
2. End users (enterprises, practitioners)
3. Investors (VCs, PE firms, Investment bankers, etc)
2

3. The pace of the security industry… is staggering.
• 9 new security startups… every month
• 5 new security categories... every six months
• 1238 enterprise security companies in our vendor database as of 1/18/2016
• 134 security M&A deals in 2015…
• …worth $9.98 billion…
• …with an average value of $192 million.
• Perspective: We estimate security product revenue to be worth $18 billion
annually
3

4. The security industry moves fast
WE SEE… WE HAD…
4
9 new startups
every month
5
new
categories
every six
months
1238
enterprise
security
companies in our
database
134
security M&A
deals in 2015,
worth…
$9.98 billion, with an
average of…
$192m paid by
acquirers

5. Ten $&%^#* BILLION? What? How?
• 15 of these deals were worth $100m or more
• The top 15% of the deals account for 90% of the value
5
1. Bain - Blue Coat ($2.4bn)
2. Raytheon - Websense ($1.3bn)
3. Singtel - Trustwave ($810m)
4. Cisco - OpenDNS ($635m)
5. Cisco - Lancope ($452m)
6. Thales - Vormetric ($400m)
7. Trend Micro – TippingPoint ($300m)
8. Blue Coat - Elastica ($280m)
9. Microsoft - Adallom ($250m)

6. I mentioned 5 new categories every 6 months…
...and promised 10 categories you’ve never heard of...
BS? Let’s find out.
6

7. #1 – Cloud Infrastructure Security
The idea: Workloads in the cloud don’t
work with traditional security products
and need their own purpose-built
solutions.
The customer: Anyone running
production workloads in the cloud
How does it work? Half the market uses
tiny agents and VMs that can be
automatically provisioned – the other
half are agentless - API-only.
7
The vendors:
• Jumpcloud
• Palerra
• CloudPassage
• Alert Logic
• Illumio
• Dome9
• FortyCloud
• Conjur
• BitSight
• ThreatStack
• AWS
• Evident.io
• Splunk (app for AWS)
• CloudCheckr

8. #2 – Cloud App Control (aka ‘CASB’)
The idea: NGFWs gave us the ability to
allow/deny use of SaaS apps, but we still
need visibility into what users are doing
in those apps.
The customer: Anyone that has SaaS
app use within an organization and is
concerned about security (pretty much
everyone).
How does it work? Kinda like a firewall
for SaaS app features, but much much
more than that.
8
The vendors:
• SkyHigh
• Netskope
• Adallom (MSFT)
• BitGlass
• Skyfence (Imperva)
• FireLayers
• CloudLock
• Managed Methods
• Intermedia
• CensorNet
Pseudo-CAC
• CipherCloud
• Perspecsys
• Vaultive
• IBM CSE
• Palo Alto (Aperture)
• Zscaler
• CloudMask
• Palerra
• Harvest.ai
• Saviynt
• StratoKey
• Avepoint

9. #3 – Browser Isolation
The idea: Most of the malware infections come in
through the web browser – if we move browsing
sessions off the endpoint, we remove a ton of risk
The customer: Any vertical without strict browser
requirements looking for a low-maintenance way
to cut down on infections.
How does it work? The browser session lives on
a highly locked down server on premise or in the
cloud. Only a stream of the session reaches the
endpoint (think publishing an app using Citrix
MetaFrame)
9
The vendors:
• Spikes Security
• Authentic8
• Light Point Security
• FireGlass
• Niantic
• Menlo Security
• Armor5 (Digital Guardian)

10. #4 – Endpoint Security for Web Apps (RASP)
The idea: Network security is always easier to
evade, making the most ideal scenario to put the
security control as close to the focus of the threat
as possible. Think ‘web app HIPS’.
The customer: Enterprises that feel their network
WAF isn’t doing a good enough job, or requires
too much work to maintain.
How does it work? The agent/engine either lives
on the same host as the webapp, and inspects
requests. Unlike traditional IDS/IPS, most of these
build behavioral models and look for anomalies.
10
The vendors:
• Shape Security
• Immunio
• Prevoty
• HP App Defender
• Contrast Security
• Waratek

11. #5 – Software-Defined Perimeter (SDP)
The idea: Manage users like any other host coming
from an untrusted network (like the Internet). Have
little to no Internet attack surface.
The customer: Anyone that feels like they’re
fighting a losing battle keeping endpoints secured
and under control.
How does it work? Like the idea of NAC, users have
no access by default. Access is granted to apps from
anywhere and any device through an authentication
gateway. Successful authentication creates an IPSEC
tunnel or reverse proxy to the app.
11
The vendors:
• Soha
• Verasynth
• Vidder
• CryptZone
• Safe-T
Kinda/not really
• FortyCloud
• Pertino
• Hamahi
• Unisys Stealth

12. #5 – Software-Defined Perimeter (SDP)
12‘Borrowed’ from: https://www.vidder.com/precisionaccess/precisionaccess-architecture.html

13. #6 – Detection through Deception (D&D)
The idea: Seed fake hosts, credentials and/or data
throughout your network to discover attacks.
The customer: Anyone looking for ways to discover
attacks that don’t use malware or evade typical
detection (especially insider threats).
How does it work? This ‘fake’ infrastructure (think
honeypots/honeynets) never has any valid reason to
be touched or used. 100% of alerts coming from this
infrastructure should indicate a true threat (as long as
you are aware of all authorized pentest activity)
13
The vendors:
• TrapX
• Guardicore
• Attivo Networks
• Shadow Networks
• Illusive Networks
• Thinkst Canary
• Perception Point
• ForeScout

14. #6 – Detection through Deception (D&D)
14
Stolen from https://canary.tools/#how-it-works

15. #7 – Incident Response Automation
The idea: Incident response doesn’t
have to be an entirely manual affair,
especially with incidents that are false
alarms or routine infections that must be
dealt with, but aren’t real threats.
The customer: Companies that spend
an inordinate amount of time in “IR
mode”.
How does it work? Network and
endpoint agents that integrate with
other products to automate remediation
workflows.
15
The vendors:
• Hexadite
• CSG Invotas
• Resilient Systems
• Phantom Cyber
• Cybersponse
• Dell SW ECIR
• Proofpoint Netcitidel
• ForeScout
Automated
Endpoint
Remediation:
• Hexadite
• Triumfant
• Webroot
• Guidance
Software
Snagged from
http://www.hexadite.com/wp-
content/uploads/2014/11/Hexadite-3-

16. #8 – Automated Public (OSINT) Threat Assessments
The idea: Discovering, quantifying and
prioritizing threats to your business that
are outside your network and control.
The customer: Anyone with brand
reputation concerns or issues. Anyone
that stands to lose big if a breach occurs.
How does it work? Largely using OSINT
data and sources, determine if brand is
being abused or used for fraud. Hash
corporate sensitive data and determine
if it has been leaked to known
dark/deepweb, forums, paste sites or
other likely places for stolen data to turn
up. Some vendors do anti-phishing
takedown assistance also.
16
OSINT-focused:
• RiskIQ
• Area 1 Security
• ZeroFox
• Palantir (Kinda)
• Maltego (manual)
• BrandProtect
• Recorded Future
• Intrigue.io
• DarkWebID
• Surfwatch
DataLoss Detection
• Digital Shadows
• Terbium Labs
• Survela

17. #9 – Self-guided Incident Response Testing
The idea: In theory, our annual pentests
should be the key opportunity to
determine how good we are at detecting
attacks. Once a year isn’t enough for
training and continuous improvement
though…
The customer: Anyone serious about
really getting good at incident response.
How does it work? These products
simulate real attacks, allowing your IR
team to practice responding; fix gaps in
awareness, monitoring, alerting; do
more effective proof-of-concept testing
on new products; verify products are
working correctly; etc.
17
The vendors:
• Stratum Security
• vThreat
• SafeBreach
• AttackIQ
More exploit or anti-
phishing focused
• Metasploit
• Pwnieexpress
• Wombat
• PhishMe
Lifted from
https://vthreat.com

18. #10 – Virtual Mobile Infrastructure
The idea: Separating work and personal on a mobile
device is still a challenge. Two phones fixes this, but is
physically inconvenient. Why not virtualize your work
phone?
The customer: Companies that don’t like existing
MDM/container options or have had little success with
them.
How does it work? Like with browser isolation, a
virtualized Android instance houses all your work stuff,
and you stream it remotely to your personal
iPhone/Android/whatever.
18
The vendors:
• Hypori
• Remotium (Avast)
• Nubo
• Raytheon
• Trend Micro
• SierraWare

19. #10 – Virtual Mobile Infrastructure
19
Lifted from https://nubosoftware.com/vmi.html

20. Crazy one-off bonus round: Power Fingerprinting
1. “You can’t put software on those systems”
2. “You can’t put anything on the network, either”
3. ???
20

21. Crazy one-off bonus round: PrivateCore
1. Service providers encrypt our data when stored.
2. What if someone dumped RAM in a multi-tenant environment?
3. ???
21

22. Thanks! Questions?
Adrian Sanabria (@sawaba)
22