Silicon Valley firm's stumble signals chill in cybersecurity market

Norse Corp. generated buzz with provocative threat reports but now appears to be on its last leg. Its downfall could signal that investors are cooling on the once-frothy cybersecurity market.

For a firm that has all but closed shop, Norse Corp. had a strikingly high-profile presence at last week's RSA Conference, the cybersecurity industry's premier annual gathering in San Francisco.

Last month, influential cybersecurity blogger Brian Krebs broke news that Norse had run out of money, fired most of its employees, and was dangerously close to collapsing. It was a stunning turn of events for the Silicon Valley startup that had raised some $25 million in venture capital and generated headlines with its flashy and provocative reports on international cyberthreats and digital crime syndicates.

For this year's RSA Conference, Norse paid some $90,000 to put its logo on this year's RSA badge that hung on the necks of more than 40,000 attendees. But instead of dazzling conference-goers with its latest products and technology, Norse was a conspicuous reminder that the exuberance that investors have shown for both early-stage cybersecurity firms and public companies is quickly cooling.

"It's not enough to have the word cyber in your name," said Eric Davis, a partner at the investment firm America’s Growth Capital.

Indeed, Wall Street is approaching digital security firms much more cautiously. Stock prices of publicly traded firms have fallen precipitously in the past six months. FireEye, a bellwether of sorts among a new breed of security companies, is down almost 60 percent from this time last year. The firm Rapid7, which generated plenty of investor excitement when it went public last July, is down 43 percent from the closing price from its opening day of trading.

An issue facing many security firms is redundancy in the marketplace, said Wendy Nather, research director at the Retail Cyber Intelligence Sharing Center and a former industry analyst. When it comes down to it, she said, company chief information security officers, or CISOs, are drowning in too many security products.

"CISOs are tired of endlessly layering products one on top of the other, and are taking a hard look at their portfolios to see what they can reduce," said Ms. Nather. 

What's more, she said, corporate buyers are no longer impressed with slick marketing campaigns and reports from cybersecurity threat intelligence companies that make corporate data security seem like a military exercise. 

Norse strongly denied the allegations made by Mr. Krebs. In a statement released Feb. 17, the company said his report "includes factual errors, and 'guilt by association' inferences that collectively offer an inaccurate perception of the company’s strengths, abilities, and standing in the information security industry."

In an interview, Norse's interim CEO Howard Bain said that Norse's creditor, WTI, foreclosed on it last week after the company's board concluded that the firm was "no longer viable."

"Norse Corp right now is a bag of liabilities," Mr. Bain said. "WTI is actively looking for a buyer for [Norse's] assets." 

He said that Norse continues to service its customers and will continue to do so until a buyer is found for Norse's technology and other assets, which Bain said he expected in the near future.As for the company's sudden demise and its presence at the RSA Conference, Bain said he appreciated the gallows humor that accompanied the company's sponsorship."I actually kind of enjoyed that," he said. The badge sponsorship was paid for long ago, said Bain, and Norse received a large number of conference badges with it that were distributed to its employees. "What better place to look for a job," he said. Norse was emblematic of that breed of security startup. It made a name for itself with expensive marketing and a Hollywood style cyberattack visualization (derisively dubbed the "pew pew map" by security industry pros) which purported to show real-time digital attacks being carried out around the world with video game slickness.

Like many firms in the emerging threat intelligence sector of the cybersecurity industry, Norse collected data from a global network of honey pots, or computers that posed as legitimate targets for malicious hackers.

"You could see at RSA that there are a ton of companies in threat intel space, but they're incomprehensible in terms of their market message," said Bain. "They're all over the map, and there's no clear idea of what threat intelligence is or how it's deployed."

Norse’s honey pots posed as all manner of systems, from Web applications to e-mail and file servers to ATMs. As the security blogger Mr. Krebs noted, the company wasn’t unique in the kind of data it collected so much as for where it collected it from: less traveled corners of the Internet, including countries in the Middle East and Asia.

In a 2015 interview with this reporter, the company claimed to have a network of 8 million honey pots in 50 countries giving it "the most powerful threat intelligence feed in the world."

But while Norse made headlines in The New York Times for its reports on Iran's cyber capabilities, it also drew much criticism within the cybersecurity community (including this piece in Passcode) for emphasizing marketing over solid research.  For instance, after 2014 Sony Pictures hack, the firm generated buzz with a report suggesting that a disgruntled former employee may have been the source of the compromise. Norse briefed the FBI and law enforcement on its findings, but never provided strong evidence to support its conclusions. 

 As with its fast rise since it was founded in 2010, Norse's downfall has been equally as attention grabbing – and talked about – within the cybersecurity community. On the conference floor of the RSA Convention, the company’s booth was practically deserted, but for a large video monitor running a loop of the company's cyberattack visualization map.

Norse did not respond to a request to comment for this story. A spokesperson for a public relations firm that has worked with the company said that she had not been in contact with Norse recently and could not comment on the company's current status or its plans for the future. 

In the meantime, RSA Attendees (including this reporter) tweeted photos of Norse’s logo on the badge. Others made pilgrimages to Norse’s booth on the RSA Conference floor and snapped selfies in front of the Norse banner.

“I visited the Zombie @NorseCorp booth at #RSAC today," tweeted Electronic Frontier Foundation attorney Nick Cardozo. "Good to see they still had their pew-pew map going strong!"

Tech analysts say that Norse's stumble indicates that investors are increasingly attracted to companies dealing with more concrete issues – such as vulnerable systems – than abstract pursuits like threat intelligence. 

In short, said Mr. Davis of Americas Growth Capital, the industry is going "back to basics."