Information Security: Can We Win?

The Mach37 Security Leader Dinner series has become a premier forum for discussing important topics in Information Security. On October 23, Philip Reitinger was the guest speaker. Although these discussions are non-attribution, and the philosophical musings, views, and opinions expressed are solely those of the author, a few of the ideas in this post are paraphrased from Mr. Reitinger's prepared remarks, and are used with his permission. Some other ideas presented are crowdsourced from the community discussion or represent my own ideas on various topics.

Can we win the information security war? Currently the answer is no, and the situation is getting worse rather than better. It is getting worse for three reasons: complexity, connectivity, and criticality. The internet is so complex that nobody fully understands it, yet we are connecting everything to it, including all of our personal data and most critical infrastructure. At least we are finally paying attention to the issue, and our defensive technology is improving, so should we expect to be able to win in the long run? If winning means reasonable expectations of privacy, and reasonable expectations of protection for transactional information and intellectual property, then the answer should be yes. So what would it take?

First, the internet was designed for connectivity rather than security, so there are some fundamental flaws to be fixed. There is some hope that the transition to IPv6 will address many of these issues, if not subverted by the providers. Baseline strong encryption of all internet traffic with no back doors is currently feasible. Strong authentication, providing some assurance that you are who you claim to be as we interact remotely, is on the horizon.

Second, the "edge of the network" is now every device, and the information and core computing resources (processor, storage, network interface) need to be encrypted and hardened. The move to stronger security by major device providers is a good step in this direction.

Next comes automation. Procedures that involve highly skilled operators continuously monitoring for dangerous traffic simply cannot scale; they are orders of magnitude too slow and too expensive. The information security community is developing more automated processes and techniques which will help improve this situation.

Finally, for the U.S., come the legal and social changes necessary to support the technological changes. Unlike some parts of the world, we have criminalized much of the behavior of the "hacker" community in identifying issues and fixes in various information services, even among that large majority of the community willing to use their skills for positive purposes; we need to find ways to enlist their support rather than suppress it. We have also built an ecosystem where service and application providers of all types have been given free license to trade on individuals' data at the expense of privacy. Fixing these major legal/cultural loopholes is a key step in fixing the underlying security flaws, giving incentives for security rather than ignoring it.

So, in spite of the complexity, connectivity and criticality issues that widen the gap if all we do is play catch up, the answer is yes, we are still in a position to win…IF we put our minds and technology to the task…IF we are able to change some of the legal and structural problems…and IF we accept a relative rather than absolute version of what it means to win.

EPILOGUE (Call to Action): Phil Reitinger summarized the state of information security by re-telling the old tale of the two campers. As they get ready for bed, one starts putting on his sneakers, and the second one says “why bother; if a bear comes during the night, you won’t be able to outrun it”. To which the speedy camper replies “I don’t need to outrun the bear, I just need to outrun you”. We are very much under this type of extraordinary evolutionary pressure in cyberspace. The weak will continue as prey, and the predators will continue to roam. To survive in this new age the call to action is simple: Put on your sneakers and start running. Maybe if we all do it we might even starve a few dragons and bears along the way.

CTO SmackChat: So, what do you do?

[Loosely adapted from an actual conversation with an investor at a networking event]

“So, what do you do here?”

[standing large] “I’m the CTO for Mach37”

“No, I know your title, I want to know what you do”

[uh-oh, better obfuscate] “I’m the Chief Envisionator of Strategery for Cyber-Futures”.

“I don’t even know what that means. What I really want to know is what you do on a day to day basis to add value to this organization”

-----

Being the CTO or Technical Co-Founder of a startup company is a role that requires extraordinary flexibility and humility. Sure, the early days are obvious. You’re the developer of the first product, the first Product Manager, and critical for Marketing, Fund-raising, running the new business, and whatever else it takes to get that business going.

With a little success though, an early round of funding, and employees five, six and seven are a Product Manager and two developers…what now? Still not too hard to envision, your role is less hands-on with the Product and more involved with the roadmap and the intellectual property and mediating customer feedback from sales and marketing with your development team.

As success grows, and you add a VP of Technology to manage the technical team, your role continues to morph. Your CEO Co-founder has kept his roles and grown with them, while you have been busy giving your early roles away. So, what do you do? Is there still a place for you in the company you helped start?

The answer comes down to Leadership. You are a Co-founder because you helped create the vision of product and market and the problems you knew you could solve. The technical team looks to your leadership even though you are not so directly connected as you once were. You know the market and you know many of the key customers. You play a key role managing the business while the CEO is out raising money.

How that translates into day-to-day action varies with your personality, the company and the situation. I have found that letting other people take responsibility for the more detailed daily operations frees up time to build the longer term initiatives, those critical new areas for company growth that take time and patience to nurture. I enjoy being out in the community, a visible representative and spokesperson for the company. Thought leader in the market? Sure, that too.

So, what do you do? Lead. Figure out what that means, and earn your place every day as a leader in the company you worked so hard to start.

David Ihrie is CTO of MACH37 and has been the lead technical person for six startup companies. He has a BS in EE/CS and an MS in Management specializing in the Management of Technological Innovation, both from MIT.

Why Mach37 Loves the Hacker Community

When I speak with investors about the information security market and the advantages of partnering with a vertically focused accelerator, they typically ask me to characterize our ideal opportunity for investment. My canned response is almost always that we look for teams whose founders embody two targeted sets of skills: 1) deep technical and analytical security domain expertise; and 2) strong entrepreneurial and communication skills.

However, as an accelerator that invests at the very beginning of a start-up’s lifecycle, we often find entrepreneurs before they have had the opportunity to build out their teams. Generally, that one founder frequently only embodies the first of the two target characteristics.

Honestly, that’s just fine with us.

The truth is that we are overwhelmingly biased toward investing in those entrepreneurs who have the technical and analytical depth and operational experience required to understand the most challenging security problems we face today. We believe that depth and experience can be found more abundantly in the security researcher, or hacker, community, than anywhere else on the planet.

If you believe security industry analyst Keren Elazari as we do, hackers are the immune system for the information age. The hacker community is driven by the desire to understand how things work and, importantly, how to break them and make them better. The innovators in this community spend years developing a depth of understanding that is required to birth the next generation of disruptive information security products.

My observation is that our focus may be slightly contrarian, as early-stage investors often overlook the hacker community as an attractive source for investment opportunities. (I’ll concede that there are several exceptions to this observation, but since Bruce Schneier and Dan Kaminsky had already achieved rock star status, I view them as outliers.) If I were to contrast hackers with the legions of entrepreneurs filling the ranks of accelerators worldwide, I do think they are different.

As one would expect, hackers are focused on those activities that leverage the first set of target skills mentioned above. Hackers solve difficult technical challenges that underlie vexing security problems. They are driven by a desire to see their hard work make a significant impact, versus being satisfied by a quick financial flip of their intellectual property. They invest their time inventing things, versus polishing a presentation to convince you why you need to buy the thing they invented.

We think most angels and institutional VC’s are perilously biased toward the second set of target skills and often lack the patience and technical depth required to ferret out the most compelling security innovations. Said differently, for most early-stage investors, a flashy PowerPoint presentation from a recently minted MBA with strong communication skills carries more weight than a technologist with a decade of technical experience in the security domain.

However, the dirty little secret in start-updom is that while it can take years of technical and analytical experience to inspire truly disruptive security innovation, technical founders can buy, borrow, partner with or be taught the second set of target skills within a few months. Our strategy at Mach37 is to identify the best technical founders and reinforce their deep technical expertise with the curriculum, co-founders, mentors, advisors, and capital they need to be successful.

Next week, Black Hat and DEF CON will mark the largest annual gathering of the U.S. hacker community and will showcase the work of several of the community’s brightest. Within this gathering, Mach37 will likely identify several founders for future cohorts. Perhaps ironically, most early-stage investors will not be there.

Honestly, that’s just fine with us.

The Cyber Security Market Is Hot! Here’s Why

By any credible account, the cyber security market is hot. According to Gartner analysts, in 2014 worldwide information security market growth will accelerate to 8.6% and exceed $73 billion. Cyber-related M&A activity and trading multiples are indicative of customer and investor markets that are demanding much more innovation, faster.

It has not always been that way.

In 2002, I briefly abandoned the then information security market. Frankly, it sucked. I can remember more times than I care to admit saying, "This is just too hard." Or, "There’s no money in information security." We all knew the problems for the solutions we were building existed, but back then, the market simply didn’t care.

In 2002, the minimum standard of care for enterprises was limited to anti-virus, firewalls, intrusion detection, and, later, if you were in a regulated industry, SIEM or some sort of log aggregation solution. Enterprise executives lived in ignorant bliss, believing that their biggest risks were related to being out of compliance with their respective regulatory authorities.

In 2002, Gartner estimated the worldwide security software market to be an anemic $3.5 billion -- a market that was dominated by five vendors that owned approximately 60% market share -- Symantec, Network Associates, IBM, TrendMicro, and Check Point.

Fast-forward to 2014. New product categories abound, with Gartner covering too many cyber security-related magic quadrants to list (with more on the way). Investors are enthusiastically entering the market, with VCs investing $1.4 billion in 230 cybersecurity companies in 2013 alone.

So, what has fundamentally changed since 2002? What are the factors that are driving cyber security market growth? Here are four fundamentals that we at Mach37 continue to think about.

First: The obvious. The threat continues to accelerate in capability and scale. Cybercrime is big business and has finally reached the tipping point where consumers and regulators are demanding that businesses deploy effective solutions.

Second: The Internet-of-Things is exacerbating the problem. Now, we have laptops, iPhones, wearable computers, gaming systems, other mobile devices… the list is boundless. Many of these devices are either themselves untrustworthy or are interacting with untrustworthy mobile networks. Few have the computing horsepower to perform traditional security functions of familiar desktops and laptops -- making them even easier targets. As difficult as the security problem was before, it just got a lot worse.

Third: Cyber security is now a Main Street issue. Every one of us is affected -- and now we finally realize it. Retail-related breaches, such as the recent Target breach, have hit tens of millions of consumers. Cyber security stories are now common in all mass media outlets.

Fourth: The competitive market is finally rewarding innovation. For many years, the information security market was dominated by large security platform companies that milked their antivirus cows and had very little incentive to innovate. Because of incumbent supply chain dominance, new entrants were often forced to battle over a very small number of early adopters or to sell to or through these powerful few to reach the broader market.

Over the past few years, new entrants have emerged and are challenging the fat incumbents… and the financial markets are rewarding them. As I write this, FireEye enjoys a market cap of $5.7 billion, with an astounding 35x (yes, I said 35) enterprise value to revenue multiple. Similarly impressive, although more modest, Palo Alto Networks trades at roughly 9x revenue with a $5 billion market cap.

Conversely, historical incumbent Symantec is trading at a paltry 2x revenue and recently fired its CEO and executive management team.

I am sure there are many other factors, but whatever has changed in cyber security, the need for continued innovation has remained constant. Similarly, the fundamentals described above are not likely to change for at least a generation. And, speaking for those of us who lived through 2002, I am really glad to be in this market.

Industrial Cyber Espionage

According to published news reports this morning covering a press conference by Attorney General Eric Holder, “The United States has for the first time filed criminal charges against foreign government officials in connection to cyberspying allegations.” The grand jury indictment charges five men with “conspiring to commit computer fraud and accessing a computer without authorization for the purpose of commercial advantage” according to the New York Times. In the press conference, the Assistant Attorney General provided specifics related to the case examples of companies affected and the types of information stolen from them.

Officials mentioned the Mandiant Report, last year’s watershed public exposure of this type of activity. In that report, Mandiant describes the theft of hundreds of terabytes of data from more than one hundred companies in twenty major industries since 2006. On average, a target company was attacked and then remained exposed for a year or more while information such as technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists were targeted. Many of the targets turn out to be major companies such as Westinghouse, US Steel and Alcoa.

But this is just the tip of the iceberg. In the U.S., much of the innovation and many of the jobs come from small or startup companies who don’t grab the headlines and who may not know that they are targets. In the manufacturing sector, for example, data from the NIST Manufacturing Extension Partnership (MEP) indicate that something like 80% of current U.S. manufacturing jobs are with companies of fewer than 50 people. Most of these companies spend a large majority of their time simply trying to grow the business and stay ahead of the competition through innovation, and may not have either the expertise or resources to adequately protect their intellectual property from cyber attack. These companies are perhaps the most underserved segment of the industrial base with current large enterprise cybersecurity solutions, and the largely invisible damage inflicted here represents a particularly corrosive threat to legitimate areas of competitive advantage for the country.

Indeed, we know they are a target. According to the NetDiligence 2013 report Cyber Liability & Data Breach Insurance Claims, 63% of US Secret Service forensics investigations are at companies of fewer than 100 employees, and 45% of insurance claims paid are to companies in the small-cap (less than $2B revenue) or nano-cap categories (less than $50M revenue), split about evenly. According to Rep. Frank Wolf (R-VA), chairman of the House Appropriations subcommittee that funds NASA and many of the nation's science programs, "I have seen up close how certain countries...have targeted federal agencies, contractors and law firms to steal billions of dollars of cutting-edge technology that diminishes our national security and undermines job creation."

There may be some hope however, creating sector-focused markets of small and mid-tier companies for a new generation of emerging cybersecurity solutions such as those at Mach37. We are in active discussions with manufacturing organizations and other industry alliances, regional threat-sharing groups, and similar partnerships that can bring appropriately scaled technologies to groups facing a common set of threats. We are also fostering a set of potentially disruptive technologies that can help fill this dire need. To name a few:

- Pierce Global Threat Intelligence provides a new mechanism for real-time sharing of threats
- Identia provides one approach to securing supply chains by simplifying identity management across organizations
- MSB Cybersecurity provides support for cybersecurity standards compliance along with actionable recommendations
- Axon Ghost Sentinel detects unusual behaviors in distributed device environments
- Disrupt6 is on the leading edge of new security paradigms for the emerging world of the production internet (IPv6)

To be sure, nobody has the silver bullet to “fix cybersecurity”. But, active promotion of the next generation of cybersecurity solutions and companies, and accelerated connection of those solutions with the groups that need them most, can go a long way to effectively dealing with the high stakes world of cybersecurity in which we live.

CTO SmackChat: The Dreaded “Pivot”

Your startup is a success! Family and friends have seen you through to the point where an angel investor got excited, and your first alpha customer really likes where you are heading. The beta tests are under way and the feedback is coming in.

One customer says he would be interested in buying if your product could provide two additional capabilities not in the beta version. Another indicates her problem is not exactly the one you are addressing but she sees how it could apply by changing the domain slightly and taking some additional inputs into account. Some feedback says it seems similar to what they are already using. There is a request to show the output on a map background. And, your marketing guru says that several customers are really struggling to solve a problem that one component of your solution could make dramatically easier.

Should you pivot, or stay the course? Add features or simplify? Expand to related problem areas? What feedback do you rely on to make those decisions?

A couple things are clear. As a startup your resources are stretched way too thin simply trying to address one market. Expanding to a second problem area before succeeding in the first one makes it much more likely that neither will succeed. The second notion is integrity of a core product offering. If every customer has a different set of implemented features, your business is really a service business built around customizing features rather than a product business.

But the harder trap for most entrepreneurial technologists is falling in love with your own ideas. After all, you thought it up, and your whole career has been built on confidence in your technical ideas. You probably know better than the customer what is really possible from a technical standpoint, and what the hard problems are that you know how to solve. In the end though, the right answer is always what customers will pay for. And in our example above I would be inclined to listen to the marketing guru who seems to be close to some potentially paying customers: perhaps it is time to change the product idea, get rid of a bunch of the features that are not helping differentiate it, and focus on the one core bit that could help several customers solve a critical problem.

There is no science behind when to pivot and when to stay the course. An important indicator is slow or flat sales (or interest) combined with some customer pull along a different development vector than the one you are following. As the divergence grows that market signal gets stronger that the pivot is upon you, but in the end you need to make a judgment call and work with your own company leadership to ensure it is the right one.