Shape Security operates behind locked doors in a bland Mountain View, Calif., office building, but its founders -- including a former high-ranking Pentagon official -- have developed a new approach to fighting the kinds of malware attacks that have brought down the White House computer network and cost consumers and e-tailers hundreds of millions of dollars each year in bogus charges.
And they do it by turning hackers' own techniques against them.
"It can be a game-changer," said Gartner Research vice president Avivah Litan, a security consultant who previously was director of financial systems at the World Bank.
She and other experts say security software is often handicapped because it fights reactively: A virus or bit of malicious software may not be discovered until long after it's begun to work.
"There are armies of 'bots' sitting on user machines that quietly take over for a few unnoticed moments, then go back to sleep," Shape co-founder Sumit (pronounced "summit") Agarwal said recently from the company's compact offices.
Those so-called bots, or automated programs, can scour a person's computer for passwords and other information such as birthdates and Social Security numbers. Often, they steal that data from websites the person has visited.
"This problem is bigger today than it's ever been because every American household is wired," Agarwal said.
An Air Force cyberwarfare veteran and MIT graduate, he spent six years in product management roles at Google before the Obama administration named him deputy assistant secretary of defense.
Like this story? If so, subscribe to Government Technology's daily newsletter.
The federal government is increasingly keen to stop cyberassaults; former Defense Secretary Leon Panetta, in a recent speech in San Jose, said the agency is hit more than 100,000 times each day. Many of those are "distributed denial of service" attacks, in which a network of bots use stolen user IDs to flood a site with billions of clicks.
At the Pentagon, Agarwal got to know another tech refugee: Derek Smith, who had founded security startup Oakley Networks and sold it to defense contractor Raytheon.
Agarwal and Smith came to believe the key to warding off attacks via websites was to change the nature of the sites themselves. So in late 2011, they headed back to Silicon Valley.
When a bot scours a website, the software is looking for telltale fields such as "username" and "password." Shape's solution: Passing sites through a second server that replaces those fields with constantly changing bits of gobbledygook. The bots can't tell which code to zero in on, but to the user, the website appears unchanged.
Those rapid changes are called "real-time polymorphism," a technique traditionally used by malware to rewrite its code every time a new machine is infected.
Shape's approach wouldn't stop scams like the massive theft of shopper credit card numbers from Target; that attack wasn't launched through the retailer's website but via malware placed on card-swiping devices in stores.
But what Shape's technology conceivably could do is stop fraudsters from using those stolen card numbers to order things on Amazon.com and other websites. Using stolen cards to buy gift cards or other items, then quickly resell them, is a key strategy behind credit card theft, Agarwal said.
Litan, who's spoken to users of Shape's fledgling service, said it would virtually eliminate malware takeovers of a user's computer and the kinds of denial-of-service attacks that crashed federal websites in 2009 and those of major U.S. banks last year.
Shape's software has been used for the past six months by about a dozen Fortune 200 companies, though the startup isn't identifying them because, Agarwal said, they don't want attention drawn to potential data vulnerabilities.
He did disclose that the software's not cheap: Each contract costs more than $1 million.
Shape first set tongues wagging around Silicon Valley a year ago by landing more than $20 million from some of the venture capital industry's leading security experts -- without saying just what the company did.
"What Shape does is to take a static target -- the website -- and make it very much a moving target," said investor Bob Ackerman of Allegis Capital. Others backing the company include Google Ventures, former Symantec CEO Enrique Salem and Kleiner, Perkins, Caufield and Byers.
The 55-person startup has hired high-profile executives like Shuman Ghosemajumder, Google's former "click-fraud czar." Others have been wooed from rivals including Palo Alto Networks, whose soaring 2012 IPO illustrated the demand for next-generation Internet security.
Even security analysts who know nothing about the product are bullish on Shape simply because of the team that's behind it.
"It's almost the wild west in security, because threats are happening at so many levels," said Daniel Ives, a security analyst with FBR Capital Markets. "Every enteprise and every government agency in the world is trying to figure out what's the next shiny toy in security software."
While Litan reckons Shape's approach would shut down "well over 50 percent of all cyberattacks," she also warned that large companies might be reluctant to turn over control of their websites to an outside vendor. And Litan believes hackers eventually will find ways to outfox any new technology -- a point Agarwal also concedes.
Still, Litan said, "You don't run across something this radical very often."
©2014 the San Jose Mercury News (San Jose, Calif.)
