Alumnus's new security company uses hacker tricks to evade attacks

Shuman Ghosemajumder, MBA ’02, talks about Shape Security, the transition from Google to a startup, and his AIDS education nonprofit

February 19, 2014

Shuman Ghosemajumder, MBA ’02

An MIT Sloan alumnus’s new web security company is turning hackers’ own tricks against them, constantly morphing the code of a website to stay one step ahead of malicious bots.

Shuman Ghosemajumder, MBA ’02, is vice president of strategy at Shape Security, the Mountain View, Calif., company that emerged from stealth mode last month to a torrent of buzz and media attention.

Some of the chatter can be attributed to the star power of the company’s C-suite. Ghosemajumder monitored click fraud at Google from 2003-2010. CEO and co-founder Derek Smith led network security company Oakley Networks. Co-founders Sumit Agarwal and Justin Call were big names at Google and Oakley, respectively. The company also raised $26 million in funding from firms including Google Ventures, Venrock, and former Google CEO Eric Schmidt’s TomorrowVentures.

“We have gotten a tremendous response coming out of stealth,” Ghosemajumder said. “The individual attack vectors and security problems that customers want us to solve for them are things that have gone unsolved even with all the security solutions that are out there.”

Shape’s product, called the ShapeShifter, is a networked box that constantly scrambles a website’s security code, a method called polymorphism. Botnets—collections of compromised computers controlled by a hacker—attacking from the outside are continually misinformed and redirected so they cannot penetrate the site’s security defenses.

Ghosemajumder said the ShapeShifter can be used to prevent hacker tricks such as man-in-the-browser attacks, in which malware installs itself on a user’s computer and compromises the user’s financial accounts by following him or her into an authenticated connection. It can also protect against cross-site request forgeries, in which a malicious website open in a user’s browser forces the browser to send fake requests to an otherwise secure website on behalf of the user. And Shape’s first customers are coming forward with even more use cases for the ShapeShifter.

It isn’t cheap. Initial customers are paying more than $1 million a year to implement and use ShapeShifters. Many of the first users are financial services companies and e-commerce sites, Ghosemajumder said. The recent security breaches at Target and Neiman Marcus have illustrated for potential customers just how valuable security technology really is, he said.

Ghosemajumder first joined Shape as an adviser in 2012, but signed on full-time after only a few months. The company today has just over 50 employees, many hailing from Google. The work culture at Shape shares characteristics with the search giant’s focus on smaller teams and product development, Ghosemajumder said.

“The massive infrastructure that we had at Google is obviously not directly present in the same way at Shape,” he said. “But it’s interesting to see how much of that infrastructure [such as cloud servers from Amazon Web Services] is available for purchase. There’s a lot of support that exists now for startups that didn’t exist even 10 years ago.”

The company has abundant MIT connections. Co-founder Sumit Agarwal, who also served as a deputy assistant secretary of defense in the U.S. Defense Department, is a 1998 graduate of the MIT School of Engineering. Shape’s Venrock investor, Ray Rothrock, is a 1978 graduate of the engineering school, with a degree in nuclear engineering. Rothrock sits on Shape’s board of directors.

Ghosemajumder said he remains connected with MIT Sloan alumni and faculty members, such as Information Technology Group professors Thomas Malone and Erik Brynjolfsson. He is also chairman at TeachAIDS, a nonprofit creating AIDS prevention software for countries where HIV/AIDS has long been considered a taboo subject—a situation that has resulted in high infection rates and little to no prevention or education measures. Ghosemajumder left Google to co-found TeachAIDS with his wife, Piya Sorcar, who was named to MIT Technology Review’s Innovators under 35 list in 2011. TeachAIDS currently operates in 78 countries, often with government support.