by tptacek 4170 days ago
Their "Security" section is a bit naive. The questions it poses go all the way back to the 1990s. If the Jericho Forum had started a VC fund, this page would be their investment thesis. The 2000s saw a wave of companies try to capitalize on "deperimeterization", some with huge capex requirements (one NAC startup had designed and contract fabbed their own MIPS core). They all flopped.

Maybe it's true that firewalls are less effective in 2015 than they were in 1998. The problem is: customers don't buy on effectiveness, they buy on cost-benefit. Firewall effectiveness can drop by 90% and they will still have a better cost-benefit than the alternatives. There's a reason for that: firewalls are the most straightforward network implementation of Saltzer & Schroeder's principles, and those principles are probably Right. Everywhere. In code. On the network. In identity and access management.

Why is 2015 different? "The cloud"? If "the cloud" is what's changed, that should be the thesis: we need security solutions for the cloud. Unfortunately, that is also a tired thesis.

Similarly: the shift from prevention to recovery seems like a manifestation of the narrative bias. Sure, there are lots of newsworthy cleanups, and one very successful consulting-to-product-to-consulting pivot company in that space. But customers don't derive the same value from recovery as from prevention. The dirty secret of "recovery" work --- forensics, attribution, &c --- is that it's driven largely by legal compliance concerns, and probably doesn't have a great intrinsic ROI.

Maybe there's an opportunity for a "full stack" vertically integrated insurer informed by a compliance and forensics practice.

There are markets that seem to work the way VCs want security to work. For instance, mobile happens, and all of a sudden you can build and 10+x a company that just does for mobile apps what Google Analytics does for web pages. Security just doesn't get valued by customers that way.

Also: "if you fight fire with fire, you're just going to get burned"... what does that even mean? P(burn|fighting-with-fire) ≥ P(burn|fighting-without-fire).


Yep. Information security is a nonalgorithmic problem. Much as people might like to disagree or pretend otherwise, it is fundamentally at odds with a service that can scale to meet the needs of clientele in an automated manner. The most successful companies in that space are consultancies that can deliver personalized results to every client on every engagement, and while they are very successful, they will never be what venture capitalists want.

It feels good to try and form a business model on prevalent security themes like, "Think like an attacker" and "How do we develop preventative measures before we get hacked?" but that doesn't actually stop incidents from happening. There's no perfect security, just good enough security based on what a company can invest and how much risk it wants to manage.

This is something I've found most startup folks are really resistant to, because it means that they can't commercialize security services in the same way you can commercialize web hosting. That's understandably upsetting to them, when you see how trendy security has become in the media, and how successful a company could become by capitalizing on it.

I think the section any VC or investor has on security potential is going to remain naive for a long time. Semantic desires like "I don't want my mail to be read by other people" simply don't map very well to purely mathematical operations encapsulating privacy and security in software. Organizing security vulnerabilities into neat taxonomies makes security folks sleep well at night and gives the appearance of an ordered checklist you can build a product on, but in practice that's never the case.

Personally, I don't think security should be the sole product or service anyone tries to base a startup on. I am really excited about virtual reality and machine learning companies, however. I'd really love to see some hard innovations and improvements in that space. It'd be nice to have more hardware companies in general.

Something I used to think about during my tenure as a graduate student in computer security: has anyone written the definitive book/study/dissertation on why security incidents happen?

As mentioned elsewhere in this thread, it's a very complex problem involving operational, economic, and technical factors, suggesting (as others have mentioned) it's not something that really can be "sold". Watching bugtraq for a while, I saw a lot of pure tech exploits (buffer overflows, SQL injection, other silly things like that) but also quite a lot of misconfiguration -- insecure passwords, lack of an enforced password policy, employees leaving the company without revocation of their credentials, etc.

Maybe a good commercial opportunity would be policy compliance checking tools. Imagine a simple policy like "the corporate network should not be accessible from the outside world". Would it be possible to check all firewalls/routers/NATs/etc. for compliance with this policy?

For your example, this happens to be relatively simple. The design is boolean - "Let the corporate network be accessible to the outside world? Y/N" and this is almost universal to implement because network access works the same way almost everywhere. What you're doing is essentially whitelisting access - you can simplify that to an algorithmic problem and solution space.

Web applications are not the same way. For example, enforcing policy restrictions between users of different permission levels suddenly becomes a custom project depending on what each user can do, what the application does, what functionality is mapped to different permissions, etc. It is not as simple as whitelisting. It is highly contextual.

Unfortunately, web applications are also where most vulnerabilities are found, not the network (at least not anymore).
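The exchange above argues that a network-level policy such as "the corporate network must not be reachable from the outside world" reduces to an algorithmic check over firewall rules. The block below is an added example of that check, not code from any commenter or product. It assumes a flat, first-match-wins rule list (constructed here) and two hypothetical corporate ranges; it does not model NAT, routing or multiple devices, which real compliance tools also have to account for.

```python
"""Check a first-match-wins firewall rule list against the policy
"corporate networks must not be reachable from external sources".
Added example; the rule set and corporate ranges are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: str    # "any" or a single port number as a string


# Hypothetical corporate address space (assumption for this example).
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def _net(cidr):
    return ip_network(cidr, strict=False)


def is_external(src, corporate):
    """True if the source range contains at least one non-corporate address.
    A range is fully internal only if it sits inside a single corporate block."""
    return not any(src.subnet_of(c) for c in corporate)


def reaches_corporate(dst, corporate):
    """True if the destination range overlaps any corporate block."""
    return any(dst.overlaps(c) for c in corporate)


def shadowed_by_deny(rule, earlier_rules):
    """First-match semantics: an allow rule is harmless if some single earlier
    deny rule already covers every packet the allow rule would match.
    (Conservative: a set of denies that only jointly cover the allow is not
    recognised, so the checker may report a false positive, never a miss.)"""
    s, d = _net(rule.src), _net(rule.dst)
    for e in earlier_rules:
        if e.action != "deny":
            continue
        if (s.subnet_of(_net(e.src)) and d.subnet_of(_net(e.dst))
                and e.dport in ("any", rule.dport)):
            return True
    return False


def find_violations(rules, corporate=CORPORATE_NETS):
    """Return the allow rules that let external sources reach corporate space."""
    violations = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        s, d = _net(r.src), _net(r.dst)
        if (is_external(s, corporate) and reaches_corporate(d, corporate)
                and not shadowed_by_deny(r, rules[:i])):
            violations.append(r)
    return violations


# Constructed rule list, evaluated top to bottom, first match wins.
SAMPLE_RULES = [
    Rule("deny",  "0.0.0.0/0",        "10.0.0.0/8",       "22"),    # no SSH into 10/8 from anywhere
    Rule("allow", "10.0.0.0/8",       "10.0.0.0/8",       "any"),   # internal to internal: fine
    Rule("allow", "203.0.113.0/24",   "192.168.5.0/24",   "3389"),  # partner range into corporate RDP: violation
    Rule("allow", "0.0.0.0/0",        "10.1.2.0/24",      "22"),    # would violate, but shadowed by rule 1
    Rule("allow", "0.0.0.0/0",        "198.51.100.10/32", "443"),   # public web server, not corporate: fine
    Rule("deny",  "0.0.0.0/0",        "0.0.0.0/0",        "any"),   # default deny
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_RULES):
        print("policy violation:", v)
```

Running it reports only the partner-to-RDP rule: the 0.0.0.0/0 to 10.1.2.0/24 SSH rule is matched first by the deny above it, and the public web server is outside the corporate ranges. The same shape of check is what the later reply means by products that "(claim to) do this"; the hard part in practice is the data collection across devices, not this comparison.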

>Maybe a good commercial opportunity would be policy compliance checking tools. Imagine a simple policy like "the corporate network should not be accessible from the outside world". Would it be possible to check all firewalls/routers/NATs/etc. for compliance with this policy?

This is already a very big part of the security industry. Countless companies and products (claim to) do this.

CISO budgets are exploding at large companies; in '98 most of these companies didn't even have a CISO.

Firewalls have proven to be ineffective and companies are willing to pay for solutions that are more effective. Attackers have also gotten a lot more professional and sophisticated.

There have certainly been plenty of billion-dollar security companies built outside of the firewall space in recent years (FireEye, Varonis, Lifelock, Trusteer, Cloudflare, etc.) and there are undoubtedly going to be many more.

Security also has played out in mobile the way you suggested can't happen. Companies like Lookout and BYOD management companies are well on the way to building billion dollar businesses in spaces traditionally controlled by entrenched vendors enabled by the shift to mobile.

(incidentally the security section was written by Scott Weiss who founded IronPort and later ran Cisco's Security Technology Group; so not someone unfamiliar with the security space)

FireEye is the firm I alluded to in my comment.

Varonis, Lifelock, Trusteer, and Cloudflare aren't reactions to deperimeterization and the declining effectiveness of firewalls. (Ironically, Cloudflare is if anything a cause of the declining effectiveness of firewalls, not a solution). Also: my argument isn't that it's impossible to build a billion dollar security company! It's that the dynamics of doing so aren't isomorphic to those of other startups.

I think you missed the point of my comparison to mobile, which was not that there wouldn't be viable mobile security products, but rather that shifts in technology produce explosive returns for things like adtech and video, but tend not to do that for security. Lookout is I think the closest you come to an example of a breakout success for security, amidst the most important shift in computing since the personal computer, one that has minted a bigger number of larger successes outside security.

The STG has been beating the drum on post-firewall broad-scale deployment of security technology (= more blue pizza boxes) since Jayshree Ulal started it a decade ago. Have you read a lot of Jericho Forum stuff? If you found Weiss' piece interesting, I think you'd find Jericho especially interesting. Maybe even lucrative. ;)

(Voted you back up)

Varonis and Trusteer essentially deal with the issue of "the bad guys are already inside" and Lifelock the damage control element of post-compromise.

I'd say in the mobile security space Good Technologies, OpenPeak, Ionic, Telesign and Okta all probably have valuations in the mid-hundreds of millions of dollars.

The big winners in mobile have been gaming and advertising, but I'd suspect that in terms of enterprise software security companies are probably out-performing the average.

Which of Trusteer's product lines tapped a market opportunity that wasn't already addressed by RSA or Symantec in 2003? If the answer is "most of their revenue came from products that refined value propositions that RSA and Symantec already had products for", then what does Trusteer have to do with Weiss' investment thesis?
What do you think of software like Bromium, Qubes, etc. which creates enclaves within endpoints?
I've worked implementing both, and Bromium is basically as good a solution to this problem as you're going to get, in the sense that it requires the least modification of user behavior (the user's Windows machine mostly behaves like a normal one).

Even Bromium was pretty upfront about the use case for their product though (high-value targets like executives who travel to China). They were very honest about it being overkill for an entire enterprise.

I think securing endpoints is basically a lost cause though (I'm happy to consider that a minority opinion however). My company spent many years trying to get TPMs to be the solution to this problem, and I'm pretty sure that ship has now sailed, with the only 2 sectors of the industry that are continuing to grow being completely unsuited to TPMs (virtualization and mobile).

I think we'll eventually realize that much like networks, devices have to be assumed to be untrustworthy, and we have to route accordingly.

> the only 2 sectors of the industry that are continuing to grow being completely unsuited to TPMs (virtualization and mobile)

A counterpoint is that mobile platforms often have some form of secure enclave, but sadly not standardized. Even AMD's low cost x86 CPUs are adding an ARM coprocessor, which could in theory be used for functionality similar to TPM, DRM, or AMT. Some of those are more useful than others. On the Intel side, SGX will add more enclave options, and complexity, but hopefully will be open and well documented.

I take issue with "often", as the vast majority of mobile phones don't have anything (even if there exist specific models which could have them).

There was a brief window in time when you had to go out of your way to buy an Intel laptop "without" a TPM (even Macs had them for a time, even if Apple never made use of them). The Trusted Computing Group failed to capitalize on that timeframe by providing both a "reason" and decent solutions to that problem.

There are a lot of reasons why that was; if I've been drinking I'd happily go into many of them.

On the mobile side, I agree, it's a hodgepodge. Apple has their secure enclave (which doesn't quite act like a TPM, even though it theoretically could), and there exist vendors who could theoretically include a TEE in their phones (right now they're almost entirely limited to special "government-specific" use cases).

And I'm ignoring Samsung's solution (which is basically snake oil).

Intel's SGX would be great, provided that the industry suddenly switches to x86 for mobile (which I don't think is going to happen).

The mobile industry is way too fragmented from a hardware perspective for any type of trusted computing platform to achieve even a modicum of install base. That might change in the future, but I wouldn't bet on it.

Secure enclaves are very useful tools for OS design, but that's not the kind of security we're talking about here. Enterprises can't easily exploit processor protected VMs and address spaces to, say, prevent PII from leaking. By and large, companies aren't losing data to VMWare jailbreaks; they're losing it to much, much more prosaic attacks.
Very cool and very difficult to operationalize. If I were a VC, I would (cruelly) sum them up as "features of Citrix". Also, if you want to sell an enterprise security team a security product, saying that it reduces the need for stuff like Citrix would be a pretty good pitch.
In '96 or so, I went to my first Internet security conference. The attendees were a motley crew - junior programmers like myself, schoolteachers, old-school sysops, etc. Lots of us worked for companies that wanted unfettered access to this new Internet thing, but it had to be absolutely secure - and of course, it can't cost anything! There was hardly such a thing as a network security professional then.

Things have changed a lot.

What bothers me are things like this which appear to be marketing messages aimed at CYA types or to simply lather up grandpa and the media:

"The threat of people getting into our systems today is so great that every company in the world has to embrace the notion that not only are they going to get hacked, there’s a good chance hackers are already inside … and they just don’t know it."

...and this:

"This set of companies comprise a very interesting category because everybody’s going to get hacked, so now it’s just a question of how quickly we respond when we see odd stuff going on within the company."

Specifically "everybody" and "every company". [1]

The idea that "everybody" is going to get "hacked" reminds me of the early days of the internet when newspapers were confused by what a "hit" to a website was. Not only would they print whatever you told them but they didn't recognize that serving up a graphic file which created a log entry wasn't significant in the way they thought it was. So we can just change the definition of "company" to suit our purpose and goal.

The fact is not even close to "everybody" is going to get hacked at least in a way that actually matters. Correct me if I am wrong (you would know the answer to this better) but are there even enough bodies to take advantage of all the targets assuming they had the skills and motivation to break into the targets and do something with the information?

[1] Is this the Valley's idea of saying that they can define things in a way that suits their purpose in other words only what they think is a company is a company?

Well, customer data isn't stolen by actual hacking, in my experience it's humans.

So many companies, particularly younger ones, have zero interest in putting up barriers to access as the company grows because in the early days, everybody was trustworthy and "because bureaucracy bad". So all the customer emails, phones, addresses, birth dates (and, I'm guessing, in the US SSNs) routinely fly around in Excel files called something like "Order Metadata Report" and sent to 50 people in 5 departments each of whom has their own use for it (like counting customers). Judging by the Sony hack it's not just SMEs.

If you want to steal data from a company, just pay a student a few hundred bucks to take up an unpaid internship in marketing (particularly anything to do with emails or customer segmentation) and give him a USB key and teach him some VBA and basic SQL (making him useful for reporting). The interns always end up running the reports so have a lot of access, usually complete access - financial information is the only thing that's not shared around. More advanced companies have a shared database access built into the excel files with a single login for everybody which never changes (hello 300 angry users) so with a copy of this file, you have perpetual up to date information long after you're gone.

Then you try to stop them from doing this and the C-level folks will say something like "it's OK just this time" and "please stop slowing us down". Most of them will be gone to the next thing by the time the black swan lawsuit hits - if there even is one. How would customers know? Why would they care?

Cf http://xkcd.com/538/ and http://www.commitstrip.com/en/2014/10/28/security-checklist/

So genuine question: How should one manage their marketing intern so data doesn't leak?
Well, the simple answer is don't have marketing interns. Really, you should not have people in the company manually doing work that could be automated in minutes - I've even seen people manually do joins (yes, two Excel sheets open, look up one product manually on the right, copy the value over on the left, next product, next, next...). It's bewildering that tech companies who should know better and who have people who know better still insist that there be people who day in, day out, 6 hours a day, process files by hand.

Next best thing is to sanitize your data; hash any personal information like emails or phones, take a day or two to build a rudimentary BI database that has sanitized information on it before giving people access, use work emails to manage access to everything and log it (my team built https://github.com/zalora/sproxy for this purpose), silo access, teach people SQL, and so on.

But honestly, to most management teams security is dead last on the list of priorities; it's just another tail risk that probably won't happen, if it happens it doesn't matter that much, doesn't cost that much, and there are a thousand other things on their mind like growing the company which are more important ('compliance is for when we'll be profitable' or 'we're not a bank, it's ok'). You can't do very much when working in such a company.
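The reply above suggests hashing personal fields such as emails and phone numbers before a report or BI extract is handed to marketing, so that rows can still be counted and joined without the raw values travelling around in spreadsheets. The block below is an added example of that sanitization step; it is not the commenter's code and does not use their sproxy project. One caveat worth building in: an unkeyed hash of a phone number or email is reversible by simply hashing every plausible candidate, so the example uses an HMAC under a secret key that stays with the pipeline and is never shipped with the report. The key and the order rows are constructed for the example.

```python
"""Pseudonymize PII columns in a report extract with a keyed hash.
Added example; the key and sample rows are constructed, not real data."""
import hashlib
import hmac
import re

# Held by the BI pipeline only, never embedded in the report or the Excel file.
# Constructed for this example; load it from a secrets store in practice.
PSEUDONYM_KEY = b"example-only-key-replace-with-a-random-32-byte-secret"

PII_FIELDS = {"email", "phone"}


def normalize(field, value):
    """Canonicalise a value so the same person gets the same token across
    reports regardless of how the field was typed."""
    if field == "email":
        return value.strip().lower()
    if field == "phone":
        return re.sub(r"\D", "", value)  # digits only: "+1 (555) 010-1234" == "15550101234"
    return value


def pseudonymize(field, value, key=PSEUDONYM_KEY):
    """Keyed hash of a PII value.
    Stable under one key (joins and distinct counts still work), and not
    invertible without the key. A plain SHA-256 would be enumerable: all
    10-digit phone numbers is only ~10^10 hashes. The field name is mixed in
    so an email and a phone that happen to share text cannot collide."""
    msg = f"{field}:{normalize(field, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def sanitize_rows(rows, key=PSEUDONYM_KEY):
    """Return a copy of the extract with every PII column replaced by its token."""
    return [
        {k: (pseudonymize(k, v, key) if k in PII_FIELDS else v) for k, v in row.items()}
        for row in rows
    ]


def count_distinct_customers(sanitized_rows):
    """The marketing use case from the thread (counting customers) on sanitized data."""
    return len({r["email"] for r in sanitized_rows})


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def leaks_pii(rows):
    """Cheap pre-release check: does anything in the extract still look like an email?"""
    return any(EMAIL_RE.search(str(v)) for r in rows for v in r.values())


# Constructed "Order Metadata Report" rows: same customer entered two ways.
SAMPLE_ORDERS = [
    {"order_id": 1001, "email": "Alice@Example.com ", "phone": "+1 (555) 010-1234", "total": 42.0},
    {"order_id": 1002, "email": "alice@example.com",  "phone": "15550101234",       "total": 17.5},
    {"order_id": 1003, "email": "bob@example.net",    "phone": "+1 555 010 9876",   "total": 99.9},
]

if __name__ == "__main__":
    out = sanitize_rows(SAMPLE_ORDERS)
    for row in out:
        print(row)
    print("distinct customers:", count_distinct_customers(out))
    print("raw PII still present:", leaks_pii(out))
```

Two of the three constructed rows belong to the same customer, and after sanitization they still carry the same token, so the distinct count is 2 while the raw address never appears in the output. Rotating the key changes every token, which is the intended way to invalidate old copies of the extract that have already been passed around.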

The idea is that you shouldn't focus on making yourself "unhackable", because that is not possible. It's not possible to have 100% security. A skilled and determined attacker will likely get inside to some extent, even if it's just malware or access to an old unused server.

The point is to make detection and remediation important parts of risk management as well, not just prevention. Prevention is spell check, it's not always going to catch everything. Because the reality is, anyone (to your point, not necessarily everyone, but certainly anyone) can be hacked. Rather than focusing exclusively on a hard crunchy shell, make sure you can detect someone already inside and lock them down when you do. Corporate security needs to be right 100% of the time. The attacker only needs to be right once.

But yes, it's certainly possible that everyone can be hacked, and for certain definitions, it's completely likely that every company will or has been hacked (if you include malware, and information disclosure). How much malware is on your network that you don't know about?

Couldn't the view simply be one of pragmatism? That one can't ONLY focus on prevention, but look at the full lifecycle of prevention, detection, response / remediation, etc.?

Kind of an electronic view of "it won't happen to me"?

Assuming it's not everybody, are consumers/enterprises equipped with the risk management and actuarial tools to assess and influence their chances of being attacked?
"Assuming it's not everybody, are consumers/enterprises equipped with the risk management and actuarial tools to assess and influence their chances of being attacked?"

I think those are separate questions. Consumers largely are not.

Enterprises are getting wiser on the risk management side and are starting to use things like "Factor analysis of information risk" (FAIR) to create a framework around the effect of various incidents. Assessing chances of being attacked quantitatively is probably much more difficult than influencing their chances of being attacked (which includes the various best practices tptacek alludes to such as firewalls, having a SOC, utilizing proper controls, AV, etc. (the implementations of the S&S 8 principles.))

As to chances of being attacked, I think it could be examined similar to something like a health issue. What are my chances of getting cancer? Well, I can read the literature and follow behaviors which should reduce my chances of getting it (in the risk world that would be things such as using antivirus, not sharing passwords / SSNs / etc. in plaintext, over the phone, etc.); however, I should also be preparing for what to do should I contract cancer.

> Why is 2015 different?

NSA/North Korea/China/Eastern Europe/Anonymous and Sony/Target/Home Depot.

I think far less has changed about what we're trying to secure. Far more has changed about who we're trying to secure it from and, as others have pointed out, the consequences of not securing it. In 1998, hackers didn't represent an existential threat to the company. I'm not sure you can say the same today.

>The dirty secret of "recovery" work --- forensics, attribution, &c --- is that it's driven largely by legal compliance concerns, and probably doesn't have a great intrinsic ROI.

This is true of a lot of security work. Maybe even most of it.

What's changed is the Benefit side of Cost/Benefit.

Now the leading Benefit is "not having embarrassing company documents on the front page of newspapers every day for a month".

That's quite a "new" Benefit.

P(burn|fighting-fire-with-fire) ≥ P(burn|fighting-something-else-with-fire).?