The Real Threat of Security Inequality
It’s Not Enough for the 1% to be Secure
As our world has gone more and more online, security has become an increasingly acute issue. It’s easy to think that the “big internet” companies have the most to risk when it comes to security, but the reality is, Facebook and Google are not the only ones with masses of information about us. Increasingly, everyone has rich customer data.
In fact, I think of the big internet companies and other well-funded, sophisticated security teams as the privileged “1%” of the security space. Companies like Google and Facebook (and even some defense/intelligence groups, SaaS vendors and large financials) face unique security issues, but with access to unique resources. They have large, talented security engineering organizations, scale that defies existing commercial offerings, strong control of their generally more homogeneous environments, and a heavy responsibility to safeguard ever-growing volumes of user information from many smart and motivated attackers.
Very few other businesses have the talent or the tooling to address their security problems the way the security 1% can. But as rich customer data spreads across many organizations, security weakness in the 99% becomes a systemic risk. Consider:
- The large bank that has acquired several other companies over the years (each with heterogeneous environments and varying levels of security sophistication), and thus lacks both the visibility and the control to rationalize and unify those environments in the short-to-medium term, if ever
- The mid-sized retailer building many applications that are core to its business, but which can’t hire enough developers who understand how to build secure software. What can it do about the massive backlog of vulnerabilities in its legacy code?
- A large university with sensitive data on hundreds of thousands of students, and a total team of four generalist staff covering both security and networking
While the 1% huddle in the relative safety of their elegantly conceived IT fortresses, with “engineering-focused incident response” and “zero trust architectures,” the 99% are left out in the cold, exposed to the elements. Their crown jewels are only superficially shielded from ever more capable bad actors. They have little understanding of, much less true control over, their environments.
These are the realities of security for most of “the 99%” today. (Alex Stamos from Facebook has previously talked about a similar bifurcation even within the Fortune 500.) We are too interconnected, and increasingly so. Even the strongest IT fortresses have vendors, partners, contractors, customers and employees that use shared credentials across multiple systems.
The trends are not good. When you talk confidentially to experts on the customer side, they feel the vulnerabilities are such that things may get worse before they get better.
Thinking about Solutions
Some of the security leads at the “security 1%” companies have condemned commercial security vendors. At their best, the 1% see them as ineffective practitioners (whose products can be engineered around by sophisticated attackers). More often though, they consider commercial security vendors as snake-oil alchemists and used-car salesmen. Many of the 1% instead drive innovation internally (and they are helpfully sharing some of that innovation — see projects like OSquery, ThreatExchange, and Safe Browsing).
And, yes, I think the security leads at the “security 1%” are partly right. There are a lot of crappy vendors out there with janky and ineffectual products.
But there are plenty of reasons why I’m still investing in new security startups. We certainly can’t train enough developers to understand security in the near term, nor can we get every non-security-focused developer to optimally balance security with delivery velocity.
Better technology and supportive user experience in security is what we can do for the 99% — to help keep us all safer.
What can we learn from the “Security 1%”?
I’m still incredibly interested in what security teams at internet-scale companies work on, because it often hints at what will be useful to build and adapt, just as Hadoop and container architectures were used first narrowly, then broadly. But I think the right framework is not trickle-down but “trickle-sideways security.” The enriching of the 99% will not happen without focused effort and adaptation.
- Openness will be an important part of the solution. Actually, OSS already has been: exhibit A is Snort (still widely deployed and useful), whose adoption was supported by a commercial software, sales and support organization standing behind it
- Collaboration is more than just emailed IP-address lists. Cloud services with a global view (in the form of shared rich intelligence, but also and likely more importantly in the form of globally-trained models and cross-organization user/device visibility) provide leverage
- Behavioral monitoring should be a foregone conclusion, ahead of traditional blacklist/whitelist and signature-based solutions that only catch what has already been seen
- Automated, deeper analysis of larger and richer security datasets should take the place of humans trying to put individual data points in the context of an attack
- Continuous defensive work is productive: measurement of vulnerabilities, ongoing discipline in network hygiene, patching and internal software quality, and a focus on the likely vectors of attack (generally email, malicious websites and removable media). By contrast, an emphasis on “zero-day” vulnerabilities is often misguided
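To make the second and third bullets concrete, here is a small added example (not code from the original post or from any of the companies it mentions). It runs two detectors over a constructed set of web-application login events: a signature detector that knows only a hand-maintained list of bad source addresses (the emailed IP-address list kind of intelligence), and a behavioral detector that keeps no list at all, but flags a source that fails logins across many distinct accounts in a short window and then succeeds, which is what credential stuffing looks like regardless of where it comes from. The log format, addresses, thresholds and account names are all assumptions made up for the example.

```python
"""Signature matching versus behavioral monitoring over login events.

Added example, not from the original post. The log lines, addresses,
usernames and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source_ip> <user> <outcome>".
# 192.0.2.10: one user mistypes a password twice, then logs in (benign).
# 198.51.100.77: a single failure from an address on the shared bad list.
# 203.0.113.9: six different accounts tried in under a minute, then one
#              succeeds, with an address nobody has a signature for yet.
SAMPLE_LOG = """\
2016-01-04T10:00:01Z 192.0.2.10 alice FAIL
2016-01-04T10:00:09Z 192.0.2.10 alice FAIL
2016-01-04T10:00:20Z 192.0.2.10 alice OK
2016-01-04T10:01:00Z 198.51.100.77 alice FAIL
2016-01-04T10:02:00Z 203.0.113.9 alice FAIL
2016-01-04T10:02:05Z 203.0.113.9 bob FAIL
2016-01-04T10:02:11Z 203.0.113.9 carol FAIL
2016-01-04T10:02:18Z 203.0.113.9 dave FAIL
2016-01-04T10:02:24Z 203.0.113.9 erin FAIL
2016-01-04T10:02:31Z 203.0.113.9 frank FAIL
2016-01-04T10:02:40Z 203.0.113.9 frank OK
"""

# A hypothetical shared indicator list: only what someone has already seen.
SHARED_BAD_IPS = {"198.51.100.77"}


def parse(log):
    """Parse log text into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def signature_alerts(events, bad_ips=SHARED_BAD_IPS):
    """Signature detector: fires only on addresses already in the list."""
    return sorted({ip for _, ip, _, _ in events if ip in bad_ips})


def behavioral_alerts(events, window=timedelta(minutes=5), min_fails=5, min_users=3):
    """Behavioral detector: a successful login from a source that, within the
    preceding window, failed at least min_fails times across at least
    min_users distinct accounts. No indicator list is consulted."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        for i, (ts, _, user, outcome) in enumerate(evs):
            if outcome != "OK":
                continue
            recent_fails = [e for e in evs[:i] if ts - e[0] <= window and e[3] == "FAIL"]
            tried = {e[2] for e in recent_fails}
            if len(recent_fails) >= min_fails and len(tried) >= min_users:
                alerts.append({
                    "ip": ip,
                    "compromised_user": user,
                    "fails": len(recent_fails),
                    "accounts_tried": len(tried),
                    "at": ts.isoformat(),
                })
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("signature hits :", signature_alerts(evs))
    for a in behavioral_alerts(evs):
        print("behavioral hit :", a)
```

The signature detector reports only 198.51.100.77, the address it already knew about, and says nothing about 203.0.113.9, which is the one that actually got in. The behavioral detector reports 203.0.113.9 with the account it compromised, while leaving alone the user who merely fat-fingered a password, because the thresholds are on the number of distinct accounts tried, not on failures alone. Real deployments would add per-account velocity, geolocation and device signals, but the shape of the logic (context across events rather than a lookup on one data point) is the point of the bullets above.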
The “security 1%” have done things that scale and stand up to sophisticated attackers, building tooling when necessary to help them do so. We should seek to do the same. Along with what we can learn, here’s some of what I think is different about what the 99% need:
- Operational leverage, especially in detection and response, without in-house security engineering
- Incremental deployability within heterogeneous infrastructures
- Technologies that account for the reality of existing environments: a weakened, extended perimeter and an imperfectly segmented network
- Products that are dual-use, solving common IT use cases as well as security ones, have been impressively successful; presupposing a high level of sophistication or security staffing locks startups out of many of the customers that need them most
Where can we apply this framework?
Here’s my shortlist of “99% problems” I’m keeping an eye on for 2016 and the following few years:
- Critical data is moving to cloud vendors at both the SaaS and infrastructure levels (see: SkyHigh)
- Connecting people with devices and applications is increasingly painful (see: Okta)
- It is very difficult to get consumable visibility into network behavior without deep security, development and analytics expertise (coming soon: Awake)
- Connectivity to environments you do not control and have little confidence in (i.e., partners, vendors) will only increase
- Internally developed application surface area is increasing massively for the average business, but its developers are not becoming correspondingly better at writing secure code
- Security tools are not keeping pace with modern development workflows
- Many existing security solutions do not fit modern application architectures (containers, microservices)
- The internet-of-crap has arrived — a wider variety of devices/infrastructure with poor manageability, worse security and the ability to harm us physically
- Fraudulent/abusive activity in web services using valid credentials is a real and growing cost to many businesses
- Fundamentally, there are lots of reasons to feel that we are just at the beginning of figuring out how to make environments secure
Call me a (venture) capitalist, but I think that great technologists getting paid to solve customer problems will continue to be a key driver of innovation in the security field — along with attacker innovation, and important thought leadership from big tech. I’m an investor at Greylock active in security, and I would love to hear if you’re working on one of these areas — or if you have another, better way to enrich the 99%.