Here are seven big data-inspired approaches to security that have piqued my interest lately. I know I’m leaving out a lot of other approaches and companies, so please fill in the blanks in the comments section.

Prioritizing threats

Software-as-a-Service security startup Risk I/O announced $5.25 million in venture capital funding on Tuesday, based in large part on its ability to simplify security administrators’ lives by telling them which vulnerabilities are best fixed now and which can wait a bit. Co-founder and CEO Ed Bellis first recognized the problem of information overload while serving as CISO at Orbitz, where he told me he was subsumed by the noise of dozens of products spitting out information on untold numbers of vulnerabilities, all in different formats and all without any guidance on what to do next.

And the problem is only getting worse as companies grow and inevitably roll out or acquire new security products along the way. “Nothing ever dies,” Bellis said, “it’s just one more thing you end up having to support.”

Risk IO tackles this complexity by taking in the data from all of a company’s security applications and analyzing the context around the threats they’ve discovered. (And because it’s a SaaS offering, Bellis said Risk IO can easily include crowdsource threat analysis to include intelligence gleaned from its 400-plus enterprise customers.) Once the data is analyzed, Risk I/O tells users which vulnerabilities they need to tackle immediately, basing its recommendations on many criteria, including how exposed a vulnerability is, whether there’s an exploit published somewhere online and how often other companies are getting burned by it.

Really, Bellis said, the goal is to let users sleep relatively easy knowing that of the 10 million vulnerabilities their system might have, perhaps only 50 or 60 are likely to result in a breach. “We’re here to help organizations make much better security decisions,” he said. “… They can’t fix everything and not everything needs to be fixed.”

Letting admins play C.S.I.

Sourcefire’s FireAMP product does detect malware, but it’s real magic comes into play when it’s time to do forensics. A cloud-based backend takes care of all that heavy lifting around processing, while security personnel can work their way through the data to determine everything from how a piece of malware moved through the system to whether the behavior or certain employees or departments is unduly exposing the company to attacks. This type of analysis lets a company identify the causes of attacks rather than just treating the symptoms, Sourcefire’s Zulfikar Ramzan told me in January.

Stopping crime in its tracks

For Silver Tail Systems, a four-year-old company that EMC purchased earlier this month, the focus is on building always-learning behavioral models for web visitors that let customers identify and thwart attacks as they’re happening. When its software spots activity from an untrusted source or that’s deviating too far from the norm for a given IP address, it can flag security personnel who can then respond as they see fit or it can just deny access outright. If there’s a question about a visitor is real or a bot, Silver Tail can deploy a CAPTCHA or other test to try validate its humanity.

Visualizing threats

PacketLoop is a security startup that was clearly born in the age of big data. The company touts its Hadoop- and NoSQL-based platform for its ability to store and process many terabytes of network packet data, and it’s all about presenting the results via visualizations that tell a story. From a functionality perspective, the company claims its big data architecture allows it to analyze every single packet every time its intrusion detection systems are updated, meaning its always on the lookout for nefarious activity, even in historical data.

Keeping BYOD in check

Tenable Network Security performs a lot of network security tasks for its customers, although one capability that recently caught sole investor Accel Partners’ eye — to the tune of $50 million — is its ability to identify in great detail the mobile devices on the corporate network. Tenable’s Nessus software can determine how many mobile devices are on their networks and just about everything about them — serial number, model, OS version, whether it’s jailbroken, when it last connected to the network, you name it.

As Tenable Founder and CEO Ron Gula told me at the time of its funding in September, “People say BYOD, but it’s really connect your own device to the network.” And when they’re doing that from any number of coffee shops and hotels across the country, it’s important to know who’s who and that they’re not bringing any hangers-on with them. A jailbroken phone that hasn’t had a software update in three years? Well, someone might want to address that.

Opening the data — lots of it

CloudFlare is a pretty impressive company, if only because of the sheer amount of data it collects trying to improve performance and security for the more than 500,000 websites that use its service. According to Founder and CEO Matthew Prince, the company handles between 75 billion and 80 billion pageviews a month, and its database now includes about 650 million IP addresses. Cloudflare’s system ingests 20GB of log data per minute, and the company is currently in the process of building a 20-petabyte cluster to store all that data (the fraction it retains) using its custom-built file system.

All that data means CloudFlare’s behavioral models are very good at detecting malware and bot activity, and it will only get better as more data gets added to the system, Prince said. And thanks to the service’s distributed architecture, the company claims it can fend off even large, persistent DDoS attacks without its users feeling a thing. But the company’s biggest contribution to the security space might be yet to come.

Prince said he’s on a mission to open up the company’s stockpiles of data on malicious traffic with the intent of letting even small companies get in on large-scale data sharing like large web companies already do among themselves. The bad guys share data like crazy, he said, and “only through coordinated efforts are the good guys going to be able to win. … Any individual site can only be as secure as the lens through which it sees.” CloudFlare’s data could help many companies open their apertures.

Of course, there are some complicating factors to Prince’s plan, including the possibility that cybercriminals would be able to learn from the data to further their own efforts. Even some of Prince’s colleagues don’t think widely releasing the company’s data is such a good idea without some serious thought into how to do so ethically and securely. So for now he’s going to start small by publishing a blog post identifying the global networks most often involved in DDoS attacks, although, he noted, “I could do down to the machine level.”

Playing petri dish

Although Bromium’s technology isn’t inherently data-centric (it’s more about using a novel approach to virtualization to isolate untrusted processes), the company is starting to let users capture some very interesting data. Similar in theory, if not architecture, to the virtual sandboxes that companies such as Palo Alto Networks employ at the network level, Bromium’s new Live Attack Visualization & Analysis (LAVA) feature lets malware run its course within an insulated micro-VM so security analysts can see how it plays out and what it’s trying to accomplish.

During a recent call, Bromium’s chief security architect, Rahul Kashyap, said LAVA could helps these analysts hone their definitions of what’s actually malware and what’s not. Whereas many network, web and endpoint security services gather lots of data about suspected malware activity from across their user bases (like, nearly everyone mentioned in this post), the log files and signatures they generally collect might not provide enough evidence to completely eliminate false positives. LAVA, he explained, gives analysts the ability to eliminate the doubt around whether something is malicious — even undocumented zero-day attacks — because they can watch it watch it run its course in the safety of the micro-VM like a biologist watches bacteria in a petri dish.

Feature image courtesy of Shutterstock user mkabakov.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A near-term outlook for big data
• Why service providers matter for the future of big data
• Dissecting the data: 5 issues for our digital future

Zscaler has been fairly successful in its four years building a significant base of clients including Crutchfield Corporation, La-Z-Boy and Telefonica. The company’s software as a service is hosted in more than 100 data centers around the world and essentially protects a company’s web traffic. It does this by routing requests through Zscaler’s software. But there’s no software for users to download on their clients and there’s also no appliance for corporate IT to worry about.

As the cloud and mobility do away with the perimeter model of security where a firewall may prevent harmful traffic from getting in and corporate secrets from getting out, Zscaler is one of several new companies trying to adapt security to a world where there is no perimeter. And even if the corporate IT thought it had a perimeter, the corporation may not own it or have a say in what runs on it. A perfect example of this might be the CEO’s iPad (a aapl).

Zscaler doesn’t solve all problems, but it’s certainly ahead of the pack in thinking about security in a forward-looking way. Other companies trying to address the changes in security required by BYOD and corporate access to the cloud applications are Bromium and CloudPassage. And by waiting to take on venture capital Zscaler’s CEO Jay Chaudhry has joined a select group of established companies who are finally succumbing to the lure of VC cash. For example Qualtrics, a ten-year-old company this year raised $70 million in its first round of outside investment. Another company, Code 42, avoided VC dollars for 11 years before this year raising $52.5 million.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A near-term outlook for big data
• Dissecting the data: 5 issues for our digital future
• What Amazon’s new Kindle line means for Apple, Netflix and online media

As more companies virtualize their workloads not only across servers but across data centers and organizations, the need to bolster security of the VMs is likewise growing. Bromium, a high-profile startup founded by Xen hypervisor co-creators Ian Pratt and Simon Crosby, is one example of this trend. Another startup, PrivateCore, is attacking this problem by securing the physical machinery on which VMs run.

The deal was disclosed in a blog post by Hilton Romanski, Cisco VP of corporate development on Monday. Romanski wrote:

Virtuata provides innovative capabilities for securing virtual machine level information in data centers and cloud environments. Together, Cisco and Virtuata will enable consistent and enhanced security for virtual machines allowing customers to accelerate the deployment of multi-tenant, multi-hypervisor cloud infrastructures.

Virtuata, a privately held company based in Milpitas, Calif., already works with Citrix to bolster the security of its XenClient. As Citrix explained it:

Virtuata uses the XenClient extensible virtualization Service VM architecture to establish a dynamic root of trust.  By design, the XenClient hypervisor acts as the Trusted Computing Base (TCB). It then enables Virtuata to extend the trust dynamically to loadable legitimate executable programs forming a dynamic root of trust. Once running, only the code belonging to those good programs can run.  By preventing good apps from getting infected, they lock out the sorts of advanced threats (like code exploitations and injection and return-oriented attacks) that have been leading headlines for the last couple of years. Thus, rather than waiting for the attack to happen and then reactively publishing signatures to detect that particular attack, they proactively protect known good and legitimate programs directly in memory.

Cisco did not disclose terms of the acquisition.

Photo courtesy of Flickr user Sultry on the move, but stuck in a hotel

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A near-term outlook for big data
• WAN design for the cloud age
• The promise of SDNs in the enterprise

CTO Crosby explained to me the thinking behind Bromium like this: Human beings don’t do well when they’re fortified within the walls of a city. They want to go out, explore the world around them and click on shiny attachments. This means constantly entering into “areas of unfathomable trust” where it’s easy to get hurt if they’re not careful.

However, when employees are doing this exploring on computers that also store and have access to corporate data, the real concern is they’ll meet a nefarious but cunning stranger and bring him back into the city’s fortified walls. In fact, Crosby said, that will happen, which is why “any approach that says we can stop the bad guys is basically a lie.” What you need is a way to make sure that stranger sees as little as he needs to, and is shown the door in a hurry.

So what’s Bromium’s secret?

To some degree, Bromium’s product, called Microvisor, is like a traditional hypervisor that’s installed on a server or desktop’s operating system and divvies it into several smaller virtual machines, or VMs. Only whereas traditional VMs are full versions of an operating system complete with full suites of applications, Microvisor uses the hardware virtualization present on Intel desktop processors to create what Bromium calls micro-VMs. Microvisor creates micro-VMs immediately whenever someone opens a new application, clicks on a link or downloads an attachment (and destructs them when those tasks end). And each micro-VM gets only the operating system resources and file system access it needs to do its job.

Because micro-VMs exist at the hardware level and not within a hypervisor installed on the host operating system, they go a long way toward limiting unwanted intrusions into sensitive data by operating in isolation from one another. Bromium calls this “the principle of least privilege.” Essentially, if I’m a piece of malware, I can’t infect areas of the physical machine’s OS or those of any other micr0-VMs, and whatever damage I might do within my micro-VM becomes moot when the micro-VM shuts down, never again to exist.

This approach, Crosby said, solves one of the primary problems with virtual desktops and desktop virtualization products that view VMs as a value proposition rather than the problem that needs solving. For user endpoints rather than servers, he explained, “the abstraction that is a virtual machine is of no use whatsoever” because if an attacker targets someone’s corporate email address or otherwise infiltrates the “business” VM, he’s in. “God, how stupid is that?” Crosby joked.

To make itself as impenetrable as possible, Bromium has a small code base — presently around 100,000 lines — that will only get smaller in time. Less code, said Crosby, should mean fewer vulnerabilities. “Throw away a line of code every day,” he said. “If you can, throw away 10.”

I’m an end-user, how does Bromium improve my life?

Simon Crosby, co-founder and CTO, Bromium
(c)2012 Pinar Ozger pinar@pinarozger.com

From a user’s perspective, Crosby said, one of the best parts about Bromium Microvisor is that the user just goes about business as usual. Whitelisted applications provisioned by the IT department aren’t affected at all, and even applications and tasks that run in micro-VMs do so transparently to the user. Employees don’t want multiple operating systems running on the same device, he said, they just want one experience that works.

Plus, Crosby said, because micro-VMs are so lightweight, they do their job with the performance lag often associated with other types of desktop virtualization products and antivirus programs. And a standard laptop can support hundreds of micro-VMs.

However, while it all sounds great in theory, there is one catch that end-users might not like — for now, Microvisor only runs on Intel processors running Microsoft Windows. Until it supports different OSes and processor architectures (which it will in time), Microvisor is no cure-all that will have employers embracing BYOD because iPads and Android tablets will suddenly be deemed safe.

Oh, and CIOs and IT departments still have to decide to go with Microvisor over the virtual desktops and client-side hypervisors that so many other IT vendors are pushing. Given Bromium’s executive pedigree and the general malaise over the alternatives, one has to think it will get plenty of consideration. But until it’s proven out in the wild, the decision to deploy something as unique as Microvisor is itself a decision of unfathomable trust.

Check out the rest of our Structure 2012 coverage, as well as the live stream, here.

Feature image courtesy of Shutterstock user StillScott; Simon Crosby image by Pinar Ozger.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Quality of the cloud: best practices for ISVs
• WAN design for the cloud age
• Cloud and data third-quarter 2012

Here’s what we do know about Bluebox: the company is targeting the security of enterprise data on mobile devices and was co-founded by Caleb Sima and Adam Ely. Sima comes from HP, which acquired SPI Dynamics — the company he co-founded along with investor Cohen — in 2007. Ely was previously CISO at Heroku and security head at TiVO.

“Enterprise security on mobile is an unsolved problem, and, frankly, is in need of innovation. Bluebox is developing a solution that will change the way enterprises think of how to successfully and seamlessly protect their data,” Bechtolsheim, who co-founded Sun Microsystems and Arista Networks, is quoted a saying in the Bluebox press release.

Here’s what else we know: Bluebox isn’t the only hotly anticipated startup with an impressive security pedigree targeting the mobile space. At our Structure conference on Wednesday, Xen creator and former Citrix virtualization CTO Simon Crosby will unveil the the technology behind Bromium, the startup he founded last year along with Xen co-creator Ian Pratt and and former Phoenix Technologies CTO and SVP Guarav Banga. In the meantime, my weekend profile of Crosby gives a few details of Bromium, and the company has a fantastic placeholder website.

Of course, the inherent security issues around bring-your-own-device (BYOD) workplaces have companies of all types worried about securing their data. I don’t think it’s going out on a limb to suggest Bluebox, Bromium and anyone else currently targeting the BYOD movement will have a lot more company in the years to come.

Feature image courtesy of Shutterstock user Denis Vrublevski.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• What Amazon’s new Kindle line means for Apple, Netflix and online media
• Bluetooth to Feel Blue as Personal Area Network Battles Loom
• The Internet of Things: What It Is, Why It Matters

Speaking at the GigaOM Structure conference in San Francisco, Crosby noted that enterprise employees will find ways to use the public cloud and skirt I.T. policies through the use of services such as Dropbox, Box.net, Amazon Web Services and others. And it’s essentially a losing battle to fight the tide. Crosby pointed to the “cloud in your pocket,” alluding to smartphone apps that already leverage cloud services.

Think Digg, Twitter, Facebook, and LinkedIn to name a few. There are no I.T. operations for the cloud-based bits of these apps and mobile app usage is already leapfrogging that of the mobile web: a trend unlikely to reverse. Crosby emphasized the point, saying this type of cloud is “growing faster than in the data center, laying waste to the notion of the PC and changing the enterprise I.T. segment faster than anything in a data center.”

The key challenge, according to Crosby, is how to securely deliver enterprise data and services to employees that have a tendency to go anywhere outside I.T. and violate corporate policy? Centralizing data and building protected clients is one answer, while specialized virtual machines that can wall off data is another. Crosby thinks there’s an even better solution out there that can offer continuous protection in a virtualized state, but it’s just a concept for now. He’s working on the implementation of the idea, however. Today, Crosby announced he’ll be leaving Citrix to found Bromium to bring just such a solution in the future.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Social 2013: The enterprise strikes back
• Cloud computing 2013: how to navigate without a map
• How emerging technologies will influence collaboration

The company has raised $9.2 million in a Series A funding round from Andreessen Horowitz, Ignition Partners and Lightspeed Venture Partners.

Bromium will launch in the second half of this year, although exact details are vague. During a phone call on Tuesday, Crosby hinted at how the company will address cloud security, explaining that cloud computing is innately vulnerable not only at the system level, but also because it involves employees accessing corporate systems from insecure devices. Click on an infected link in an e-mail and — voila! — the company’s system is compromised.

Although cloud computing itself hasn’t suffered from a public security breach the likes of which other large web properties have, Crosby said the threat it to everything under the umbrella of the public web. “[U]nless we solve some of these problems,” he said, “the whole cloud thing is just a big waste of time for everybody.”

As for how Bromium utilizes virtualization, Crosby was willing to divulge a bit of the strategy. Essentially, he explained, the hypervisor is very useful because it can monitor and control activity across the physical server and any virtual machines running across it. Additionally, he noted how, when properly engineered, hypervisors have a very small code base that’s inherently less vulnerable to attack because there are fewer potential holes to exploit.

When asked about the name Bromium, Crosby only suggested to think about another technology product with which it rhymes. It’s easy to see the Chromium connection as it relates to protecting client devices tied to cloud-based resources, but whether there’s a deeper connection to Google’s web operating system remains to be seen.

Crosby shares some more insights behind the creation of Bromium on his blog this morning, and also will discuss the new company during a morning talk at our Structure conference.

Feature image courtesy of Flickr user subcircle.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A field guide to cloud computing: current trends, future opportunities
• Infrastructure Q1: IaaS Comes Down to Earth; Big Data Takes Flight
• Cloud computing 2013: how to navigate without a map