CISOs Don’t Want Your Analytical Tools

In his March 20th Cyber Intelligencer, Anup Ghosh nailed it with his description of the failure of our traditional Prevent, Detect and Respond strategy. As Anup proposes, given the state of our collective failure, a move toward a strategy that is focused on Containment, Identification (of compromised assets and adversaries), and regaining Control of compromised networks is a more sound approach.

In his piece, Anup correctly indicts the purveyors of Detection tools, who:

"[have] only succeeded in producing prodigious alerts and data dumps that understaffed and over-worked security teams now have to wrestle with. Few organizations have enough resources to sort through the volume of alerts their solutions provide and the terabytes of log data required to derive actionable insight at the speed and scale that is required."

As the industry and our customers move forward toward Identification and Control, information security capabilities will necessarily evolve away from emergency response and dispatch playbooks and toward more sophisticated analytical approaches. Unfortunately, given that the population of information security personnel with strong intelligence and analytical skills is about as abundant as Valyrian steel, if we don’t alter the way these tools are delivered, we are destined to fail again.

Of course, well-funded purveyors of analytical tools who have effective sales and marketing teams will be able to sell their expensive on-premise tools to large government information security organizations and the Fortune 100. But, given the volume of their data and the speed with which customers need to take action, they won’t be happy with their results.

Ironically, the good news for these vendors is that the rest of the market can’t afford to deploy their capabilities. How many non-Fortune 100 companies do you know who have advanced threat intelligence cells and big data log analysis infrastructures? So at least they won’t be pissed.

At the end of the day, I believe that even large-company CISOs really don’t want to buy analytical tools. Rather, they simply want prioritized recommendations and enough confidence in the analytical rigor behind those recommendations to confidently take meaningful action.

To us, solutions that invert the analytical process, providing prioritized actions based on rigorous analysis and shared intelligence and walking customers backwards through the analysis only if they care, are going to be winners. Using machines rather than people to triage massive volumes of intelligence based on relevance and risk to an organization is inevitable. Solutions that leverage more affordable As-a-Service delivery models that enjoy economies of scale for both computational resources (i.e., elasticity) and analytical human capital make the most sense.

At Mach37, we agree with Anup. We continue to prospect for and invest in solutions that will deliver affordable advanced intelligence and analytical capabilities to satisfy the growing need for Identification and Control. We believe these solutions will allow us to avoid the mistakes of the Detection vendors, finally getting it right this time.

The Innovation Kill Chain

Caution: Satire Ahead

There is a dangerous threat to our economy and way of life springing up in seemingly every industry. Almost half the Fortune 500 were booted from the list between 1999 and 2009. Some prognosticators say this threat could result in even more than half of the Fortune 500 going away over the next decade, with a conservative economic impact of more than $2 trillion to our current productive capacity. What is this threat? Disruptive Innovation and the provocateurs inflicting it upon us, the Disruptive Innovators, or Dis-sInners as I like to call them.

Fortunately we are not helpless in the face of this scourge; we can fight back. The reason is that these Dis-sInners proceed, no matter the industry, in a very well-known set of steps before they can succeed. If we can disrupt their insidious designs at any step along the way, they will fail, and this is what I call "The Innovation Kill Chain."

The seven steps of a typical Dis-sInner attack are as follows:

  1. First, they will conduct surveillance, to understand their target, evaluate competitive strengths and weaknesses, and position for the eventual attack. While this stage is hard to detect, we can take comfort that our highly efficient current business structure is very difficult to disrupt.
  2. At stage 2 the Dis-sInner will typically expose themselves by creating a legal paper trail (articles of incorporation and similar) that reveals both their true identity and business intent. Paranoid companies could develop a standing research capability to discover and track these perpetrators, but it is hardly worth the effort since they will never amount to a true threat to our overwhelming market share.
  3. The third step in the Innovation Kill Chain involves the Dis-sInners planning to undermine the value of your core Intellectual Property. Here the well-prepared defender can become more proactive by filing extensive patent coverage that will allow for future lawsuits should the Up-Startup ever amount to anything. Remember, you have deep pockets and they don't, so it does not matter whether there is actual economic value in your IP portfolio; all that matters is the ability to create expensive legal proceedings at critical times.
  4. Inevitably, some Dis-sInners actually start building prototype products and begin looking for "beta customers". By all means, this is your opportunity to appear forward-leaning while still containing the threat. The most successful defenders step forward at every request...but then stretch out the process through the various tricks of bureaucracy we all know so well. Should a Dis-sInner persist, extensive product feedback involving meaningless features and tangential use cases is often an effective countermeasure.
  5. Only a few of the most Advanced Persistent Threats will make it to the point of seeking funding, but for these we recommend the essential Enterprise FiresaleWall. Your Corporate Venture Fund can be a key player in this process. Remember that these early-stage APTs have not yet taken over key parts of your market, and a well-timed lowball offer can often shortcut their efforts at Escalation of Visibility.
  6. It is inevitable that your market position will eventually be breached. There are only two types of market leaders: those that know they have been disrupted and those that don't yet know it. This is where a top-notch Chief Innovation Prevention Officer (CIPO) earns their keep. “Off the street and on the shelf” are truly words to live by. Early warning can give you plenty of time to squeeze every last penny out of those previously lucrative markets. And your best customers will surely want to stay with a market leader, even in the face of punitive long-term contracts.
  7. Once a breach has occurred it is time for forensics and damage control. Here, behavioral indicators can be useful in ferreting out the Inside Your Market Threat. Do not succumb to the temptation to point fingers and re-organize; instead watch the Up-Startup and match their every move. One very effective defense, particularly in the Government space, is to partner with the enemy! As a prime contractor, you will have locked up the Dis-sInner market potential and control their destiny through the amount of business you let trickle down their way.

Knowing your adversary, and the common steps they take in seeking to disrupt your business, is the most effective way to stay prepared and stay ahead of this insidious threat.

Differentiating Cybersecurity Startups

A number of investors from around the country tell us they have a problem. When considering early stage investments in cybersecurity companies, whether at Mach37 or elsewhere, investors have a hard time telling the companies apart. One issue is that companies abstract away the technical jargon for their investor pitches, and at the buzzword level they really DO sound similar. However, we know from the Mach37 portfolio, where we pay attention to competitive issues within cohorts and are always looking for new ideas, that each company is unique. The challenge then is making those differences clear in an easily comprehensible way. We were searching for a way to depict the entire portfolio on a one-page graph with a modest number of categories; here it is.

[Figure: Company Differentiation v2.1]

Across the bottom are the target users for each product, color coded and grouped into the corresponding market segments across the top. The technology categories on the vertical axis are based on our "Understanding the Technology" white paper, with a few additional categories added. This segmentation clearly gives a nice spread of the Mach37 companies, and corresponds well with our intuitive understanding of how the portfolio is beginning to meet the market needs. It also provides an interesting working definition of a company pivot, which we are beginning to see in a couple of instances: a pivot is reflected by a company moving from one place on the graph to another.

We are interested in your feedback. Does this provide a useful differentiation of companies in the space? Do the categories make sense? How does your portfolio stack up? Could a similar depiction work for other verticals with a different set of technology categories and users?

Information Security: Can We Win?

The Mach37 Security Leader Dinner series has become a premier forum for discussing important topics in Information Security. On October 23, Philip Reitinger was the guest speaker. Although these discussions are non-attribution, and the philosophical musings, views, and opinions expressed are solely those of the author, a few of the ideas in this post are paraphrased from Mr. Reitinger's prepared remarks, and are used with his permission. Some other ideas presented are crowdsourced from the community discussion or represent my own ideas on various topics.

Can we win the information security war? Currently the answer is no, and the situation is getting worse rather than better. It is getting worse for three reasons: complexity, connectivity, and criticality. The internet is so complex that nobody fully understands it, yet we are connecting everything to it, including all of our personal data and most critical infrastructure. At least we are finally paying attention to the issue, and our defensive technology is improving, so should we expect to be able to win in the long run? If winning means reasonable expectations of privacy, and reasonable expectations of protection for transactional information and intellectual property, then the answer should be yes. So what would it take?

First, the internet was designed for connectivity rather than security, so there are some fundamental flaws to be fixed. There is some hope that the transition to IPv6 will address many of these issues, if not subverted by the providers. Baseline strong encryption of all internet traffic with no back doors is currently feasible. Strong authentication, providing some assurance that you are who you claim to be as we interact remotely, is on the horizon.

Second, the "edge of the network" is now every device, and the information and core computing resources (processor, storage, network interface) need to be encrypted and hardened. The move to stronger security by major device providers is a good step in this direction.

Next comes automation. Procedures that involve highly skilled operators continuously monitoring for dangerous traffic simply cannot scale; they are orders of magnitude too slow and too expensive. The information security community is developing more automated processes and techniques which will help improve this situation.

Finally, for the U.S., comes the legal and social changes necessary to support the technological changes. Unlike some parts of the world, we have criminalized much of the behavior of the "hacker" community in identifying issues and fixes in various information services, even among that large majority of the community willing to use their skills for positive purposes; we need to find ways to enlist their support rather than suppress it. We have also built an ecosystem where service and application providers of all types have been given free license to trade on individuals' data at the expense of privacy. Fixing these major legal/cultural loopholes is a key step in fixing the underlying security flaws, giving incentives for security rather than ignoring it.

So, in spite of the complexity, connectivity and criticality issues that widen the gap if all we do is play catch up, the answer is yes, we are still in a position to win…IF we put our minds and technology to the task…IF we are able to change some of the legal and structural problems…and IF we accept a relative rather than absolute version of what it means to win.

EPILOGUE (Call to Action): Phil Reitinger summarized the state of information security by re-telling the old tale of the two campers. As they get ready for bed, one starts putting on his sneakers, and the second one says “why bother; if a bear comes during the night, you won’t be able to outrun it”. To which the speedy camper replies “I don’t need to outrun the bear, I just need to outrun you”. We are very much under this type of extraordinary evolutionary pressure in cyberspace. The weak will continue as prey, and the predators will continue to roam. To survive in this new age the call to action is simple: Put on your sneakers and start running. Maybe if we all do it we might even starve a few dragons and bears along the way.

CTO SmackChat: So, what do you do?

[Loosely adapted from an actual conversation with an investor at a networking event]

“So, what do you do here?”

[standing large] “I’m the CTO for Mach37”

“No, I know your title, I want to know what you do”

[uh-oh, better obfuscate] “I’m the Chief Envisionator of Strategery for Cyber-Futures”.

“I don’t even know what that means. What I really want to know is what you do on a day-to-day basis to add value to this organization”

-----

Being the CTO or Technical Co-Founder of a startup company is a role that requires extraordinary flexibility and humility. Sure, the early days are obvious. You’re the developer of the first product, the first Product Manager, and critical for Marketing, fundraising, running the new business, and whatever else it takes to get that business going.

With a little success though, an early round of funding, and employees five, six and seven are a Product Manager and two developers…what now? Still not too hard to envision: your role is less hands-on with the Product and more involved with the roadmap and the intellectual property, and with mediating customer feedback from sales and marketing with your development team.

As success grows, and you add a VP of Technology to manage the technical team, your role continues to morph. Your CEO Co-founder has kept his roles and grown with them, while you have been busy giving your early roles away. So, what do you do? Is there still a place for you in the company you helped start?

The answer comes down to Leadership. You are a Co-founder because you helped create the vision of product and market and the problems you knew you could solve. The technical team looks to your leadership even though you are not so directly connected as you once were. You know the market and you know many of the key customers. You play a key role managing the business while the CEO is out raising money.

How that translates into day-to-day action varies with your personality, the company and the situation. I have found that letting other people take responsibility for the more detailed daily operations frees up time to build the longer term initiatives, those critical new areas for company growth that take time and patience to nurture. I enjoy being out in the community, a visible representative and spokesperson for the company. Thought leader in the market? Sure, that too.

So, what do you do? Lead. Figure out what that means, and earn your place every day as a leader in the company you worked so hard to start.

David Ihrie is CTO of MACH37 and has been the lead technical person for six startup companies. He has a BS in EE/CS and an MS in Management specializing in the Management of Technological Innovation, both from MIT.

Why Mach37 Loves the Hacker Community

When I speak with investors about the information security market and the advantages of partnering with a vertically focused accelerator, they typically ask me to characterize our ideal opportunity for investment. My canned response is almost always that we look for teams whose founders embody two targeted sets of skills: 1) deep technical and analytical security domain expertise; and 2) strong entrepreneurial and communication skills.

However, as an accelerator that invests at the very beginning of a start-up’s lifecycle, we often find entrepreneurs before they have had the opportunity to build out their teams. That one founder frequently embodies only the first of the two target characteristics.

Honestly, that’s just fine with us.

The truth is that we are overwhelmingly biased toward investing in those entrepreneurs who have the technical and analytical depth and operational experience required to understand the most challenging security problems we face today. We believe that depth and experience can be found more abundantly in the security researcher, or hacker, community than anywhere else on the planet.

If you believe security industry analyst Keren Elazari, as we do, hackers are the immune system for the information age. The hacker community is driven by the desire to understand how things work and, importantly, how to break them and make them better. The innovators in this community spend years developing the depth of understanding that is required to birth the next generation of disruptive information security products.

My observation is that our focus may be slightly contrarian, as early-stage investors often overlook the hacker community as an attractive source for investment opportunities. (I’ll concede that there are several exceptions to this observation, but since Bruce Schneier and Dan Kaminsky had already achieved rock star status, I view them as outliers.) If I were to contrast hackers with the legions of entrepreneurs filling the ranks of accelerators worldwide, I do think they are different.

As one would expect, hackers are focused on those activities that leverage the first set of target skills mentioned above. Hackers solve difficult technical challenges that underlie vexing security problems. They are driven by a desire to see their hard work make a significant impact, rather than being satisfied by a quick financial flip of their intellectual property. They invest their time inventing things, rather than polishing a presentation to convince you why you need to buy the thing they invented.

We think most angels and institutional VCs are perilously biased toward the second set of target skills and often lack the patience and technical depth required to ferret out the most compelling security innovations. Said differently, for most early-stage investors, a flashy PowerPoint presentation from a recently minted MBA with strong communication skills carries more weight than a technologist with a decade of technical experience in the security domain.

However, the dirty little secret in start-updom is that while it can take years of technical and analytical experience to inspire truly disruptive security innovation, technical founders can buy, borrow, partner with or be taught the second set of target skills within a few months. Our strategy at Mach37 is to identify the best technical founders and reinforce their deep technical expertise with the curriculum, co-founders, mentors, advisors, and capital they need to be successful.

Next week, Black Hat and DEF CON will mark the largest annual gathering of the U.S. hacker community and will showcase the work of several of the community’s brightest. Within this gathering, Mach37 will likely identify several founders for future cohorts. Perhaps ironically, most early-stage investors will not be there.

Honestly, that’s just fine with us.