The Cigent team at the company headquarters. Cigent emerged from stealth this morning with $7.6 million in funding.
Cigent might be the only cybersecurity startup where the founders proudly tell you how disinterested they are in designing products that prevent threat actors from breaking into your systems.
This is not due to naïveté, or some failure to appreciate the threat landscape – many of the founders and executives have backgrounds founding or leading successful cybersecurity companies – but rather because of those experiences. The attack surface is too large and the underlying technologies used today are so complex and insecure that if there isn’t already a devastating, known security vulnerability affecting the hardware or software used, it’s probably just because security researchers haven’t found and written a CVE entry for it yet.
Cigent CEO Brad Rowe said in an interview, “is not about keeping people out of your network,” because that is virtually impossible for many organizations in today’s threat environment, no matter how much money or time they invest.
The company emerged from stealth this morning with $7.6 million in funding from a number of parties, most notably In-Q-Tel, a non-profit venture capital firm funded by the Central Intelligence Agency to develop cutting edge, national security technologies. The startup actually raised the money last year but held off on publicly announcing it until their data defense products were ready and the sponsoring intelligence agency signed off on disclosing In-Q-Tel’s backing. Other investors include CyberJunction, Westwave Capital, former Apple chief technology officer Avie Tevanian, Netscape and Mozilla co-founder Tom Paquin and others.
Cigent’s data defense tech has a software and hardware component. First, it leverages a solution called Dynamic Data Defense Engine to build in zero trust access policies at the individual file level, encrypting each one and building in a number of ways that employees can authenticate their device or identity before accessing. It can group and set policies depending on the type of file, user, device or other conditions, and has certain triggers – like, say, someone turning off the software or an antivirus program – that can indicate a threat actor is executing an ongoing attack and automatically shifts to a higher level of access requirements.
Second, it pairs that software with a custom-built, dual-sided K2 secure solid-state storage drive (SSD) that encrypts every stored file at the hardware level and is “completely hidden” from the operating system, requiring elevated authentication to mount on your hard drive. A feature called KeepAlive is designed to detect when a user disables Cigent’s software, locking the drives and making the secure side invisible and inaccessible to anyone without further authentication.
Some companies will roll out separate or distinct products to help protect clients against different threats, like ransomware, insider threats and data exfiltration. But the minds behind Cigent think that by focusing on incorporating zero trust principles down to the individual file and storage level, that their data defense technologies can be used to protect data from being exploited or monetized by all of these threats, even after they’ve been stolen or exfiltrated by hackers.
Rowe traced the origins of Cigent to another company, CPR Tools, which focuses on data recovery and deletion services and has a history of working with the U.S. military and intelligence agencies. After the Edward Snowden disclosures, national security officials were searching for a way to get a handle on the “spiraling data exfiltration crisis” that exists both in government and industry. After developing a number of prototype solutions for the Department of Defense and intelligence agencies, the founders were approached by In-Q-Tel with the prospect of creating a new spinoff company that would work on developing the technology for the broader commercial market. That company was Cigent.
In-Q-Tel’s backing, its relationship to the federal government and its reputation as a savvy technology investor carry certain reputational benefits to a small, nascent start up.
“Once or twice, we’ve run into some barriers with some big commercial companies just getting to the right person or taking too long” to hear back, said Rowe. “In-Q-Tel places a call and it’s like ‘snap,’ we get an immediate call back; likewise with introductions within the federal government.”
Greg Scasny, one of those former CPR Tools executives who jumped ship to Cigent, described the mindset of the team as wanting to move away from the endless “cat and mouse game” between malicious hacking groups and IT security teams that plays out over and over again in the cybersecurity space. Trivial tweaks to malware code thwarts expensive detection tools and platforms, that respond by incorporating new indicators, only to be foiled by more tweaks and so on.
Breaking into a network is not the primary end-goal of most hacking groups; often it’s stealing and leveraging the sensitive data those systems hold. Cigent has tried to break that cycle by throwing all its resources into architecting protection schemes that could render stolen data useless to the attacker.
“Now we’re not telling people you shouldn’t do preventative things; preventative things are good,” said Scasny. “But if you put all your money into just [tools] to keep people out, you’re going to lose.”
Right now, Data Defense is developed primarily for Windows-based PCs, but the company is working on support for Linux and Mac operating systems. Despite their belief that their Data Defense tech represents a truly novel approach to security, it’s one that can still fit into existing IT and security architectures. Eventually, Rowe said he can envision the company shifting to a business model where they license their underlying software to threat intelligence or antivirus providers and work with major manufacturers to build the company’s dual-sided SSD directly into their hardware.
Rowe said the Fort Myers, Florida-based startup currently has around 30 employees, most of whom work on the technology side or in research and development. Even with plans to expand headcount to 100 employees in the next 12-18 months and bring in more sales and marketing employees, the bulk of those new hires will likely continue to skew towards product development.