The question is no longer who have hackers hit. It is who has not been hit.
The organizations attacked by pranksters, criminal syndicates or foreign governments include Google,LinkedIn and the Central Intelligence Agency.
Big companies are expected to spend $32.8 billion on computer security this year, up 9 percent from last year. Small and medium-size businesses will spend more on security than on other information technology purchases in the next three years, according to the research firm International Data Corporation.
Yet here in Silicon Valley, with all the feverish talk of innovation and billion-dollar start-ups, few entrepreneurs and venture capitalists have been eager to take on the security juggernauts Symantec and McAfee — and in many cases cybercriminals — for a piece of that action.
That has started to change. In the last 12 months, the initial public offerings of once obscure security start-ups have outperformed offerings from household names likeFacebook and Zynga. Imperva , a data security company that went public last year, finished 2011 among the year’s top offerings. Its shares jumped nearly 30 percent on their first day of trading, and remain 37 percent above the offering price. Zynga’s stock, by comparison, has plunged 73 percent since its offering last December.
Shares of Splunk, a data security company, jumped nearly 65 percent from its offering in April. It raised $331 million in a secondary offering. Most recently, shares of Palo Alto Networks, a security start-up, climbed 26 percent when they started trading in July.
The reason for the enthusiasm? “People are starting to realize that the billions of dollars that have been invested into traditional network security is not working for them anymore,” said Ted Schlein, a partner at Kleiner Perkins Caufield & Byers, the venture capital firm.
Security start-ups have also become red-hot takeover targets. Apple, which has avoided big-ticket deals, agreed to acquire AuthenTec for $356 million last month in its second-largest acquisition to date. And last year, the EMC Corporation, which already owned RSA, acquired NetWitness. The price was never disclosed but people close to the acquisition talks say NetWitness sold for $400 million, more than 10 times its 12-month trailing revenue.
Venture capitalists have taken notice.
Last year, they collectively poured $935 million into tech security companies, nearly double the $498 million they invested during 2010, according to a MoneyTree report compiled by PricewaterhouseCoopers, the National Venture Capital Association and Thomson Reuters.
“We’re seeing a flow of new entrepreneurs interested in the space,” said Asheem Chandna, a venture capitalist at Greylock who invested in Imperva and Palo Alto Networks.
The rise of security start-ups is the product of a confluence of new technology, fear and people with a lot of money to invest. Major technological shifts, like the move to mobile devices and cloud storage, have redirected and increased the flow of information — for both employees and hackers.
Hackers are becoming more sophisticated, too. Last year was the year of the “Advanced Persistent Threat,” or A.P.T., a computer attack in which hackers spend time researching a target and its intellectual property, figuring out who has access to it, and deploying any means necessary to steal it.
RSA was the victim of such an attack last year. So were the military contractors Lockheed Martin and Northrop Grumman. Speaking at a security conference last year, Timothy McKnight, Northrop Grumman’s chief security officer, said the company was fending off several such attacks a day.
“The vast majority of companies have already been breached,” Shawn Henry, the F.B.I.’s former top computer security official, said in a recent interview. “I’ve looked at all sectors and the depth, penetration and breadth of these attacks are substantial.”
The bulk of the attacks go undisclosed, either because companies don’t know they have been hit or because they fear what disclosure will mean for their stock prices. But the attacks that have surfaced have become headline-grabbing events, exposing the vulnerability of technology firms, government agencies and the security companies that people assumed were well protected.
Patrick Morley, chief executive of Bit9, a start-up that blocks malware, says the steady stream of “bad news” has been a boon for business.
Bit9 was founded a decade ago but was largely unknown until 2010, when Google’s password system was breached and top-level executives started to pay attention. “In boardrooms, executives lifted their heads and asked, ‘Are we O.K.?’ ” Mr. Morley said.
“We’ve grown 100 percent every year for the past two years. Before that, we didn’t see that kind of growth,” he said.
Bit9, which roughly tripled its client base in two years, announced last week that it had raised $34.5 million in an investment round led by Sequoia Capital, the venture capital firm.
Mr. Chandna of Greylock said the bulk of security start-ups that solicit his firm fall into one of four categories: mobile security, authentication, intrusion detection and “big data” security companies.
Several recently secured millions in financing. Lookout, a firm that blocks malware and spyware on consumers’ mobile devices, raised $78 million from top-tier firms like Accel Partners and Andreessen Horowitz. A range of new start-ups market a similar service to businesses that now must deal with the headache of employees’ bringing their iPhones and iPads to work and carting confidential intellectual property around with them.
Zenprise, a start-up that brings business-level security to consumer phones, recently raised $65 million. Appthority, a one-year-old start-up that tracks suspicious behavior by mobile apps, raised $6.5 million from Venrock, U.S. Venture Partners and others last May. Solera Networks, a security start-up that tracks intrusions in real time, has raised over $50 million from Intel Capital and others, and many say it is ripe for a nine-figure acquisition.
Investing in security can entail unusual challenges. In some cases, venture capitalists have received death threats from online criminals. In others, criminals have shut down their sites altogether.
Ray Rothrock, an investment partner at Venrock, said he had received threatening e-mails from such people. On occasion, his firm has hired security guards to protect its offices.
Blue Security, an Israeli start-up backed by Benchmark Capital and others, was forced to shut down its antispam service in 2006 after criminals responded to its filtering technology with an aggressive counterattack.
Spammers flooded its database servers with so much traffic that it took down Blue Security — and thousands of other Web sites with it — to the point that Internet service providers refused to host the service and it was forced to close.
“The thing about security investments is that sometimes you don’t know where you’re going to land in terms of attracting attention from the bad guys,” Mr. Rothrock said. But, he said, the risks are still worth the rewards. “Security is a growing market and it will grow forever.”