Barmak Meftah’s Keynote Presentation at the AGC Partners Conference
Barmak Meftah’s Keynote presentation at the AGC Partners 10th Annual West Coast Information Security and Technical Growth Conference.
As is with every security presentation, I’m going to start with statistics. You guys probably hear these statistics all over the place, you’re going to hear a good chunk of it at the RSA presentations, but there is no security preso without first putting the fear of God into you guys that if you don’t do something, you’re all going to be screwed and die a really sudden, bad death. But these stats, by the way, we pulled from the Ponemon Institute, the Verizon report that comes out annually, IDC, Gartner, and some of these stats are pretty interesting stuff. $11.6 million, annual cost of cybercrime per organization. By the way, this is a blended average. I’m sure if you look at the top end of the market, the annual cost to big financials or big DOD or big agencies is going to be a lot more. If you look at… about two thirds of the breaches actually go unnoticed altogether. So what we hear about is about a third of these breaches, and of that third, we only hear a subset of them that obviously get announced and become public information. Let’s see if I can switch through the slide here with a little bit of luck. There we go. About a month is the average number of days to actually resolve a cyber-attack. You guys have heard of this space called “incident response”, it takes that long for a company to find out and then be able to effectively respond to an attack. And the per-day cost to actually fix them is through the roof, it’s about $33,000 on average.
This Target attack, you guys heard, had exposure of about 110 million consumers that were compromised, and most interestingly, and perhaps this is a little self-serving for the type of business that we run, about 50%+ of the attacks are actually targeted at what we would call an SME or an SMB market, which are companies with about 2500 employees or less, which is ironically the market segment that’s ignored the most because it’s hard to monetize that market segment, I’ll get into it a little bit. And then the federal government of course is a big target too - about $4 billion of bogus tax refunds in 2012. So with all of that said, we do agree the world is complicated, and I’ll run through a little bit of this chronology of how the world got more complicated. This is something my old company Fortify used to preach quite a bit, where if you look at the 60s and 70s, the mainframe era, you would notice that the attack surface was not that big, in that there were a couple of employees in a company that would access mainframe data. And so as long as you made sure that those 2 or 3 employees were authenticated, you knew who they were, your attack surface was covered. In the 80s, in sort of the mid-to-late 80s and early 90s, there was the advent of open systems and Client/Server computing if you guys recall, and the big thing with Client/Server computing was that you would put a client on every desktop and there would be a server - it was sort of the reinvention of the mainframe - and of course the attack surface increased in that now every employee in the company was a potential threat. You had to pay attention to who they were, what they were doing, and keep track of the insider activity because they could do malicious things.
Mid-to-late 90s and of course throughout the 2000s, the advent of the internet, web services, I’m sure, you know, the social movement and bring your own device, and suddenly the attack surface exploded and it’s not in our control anymore. So we do live in a complicated world, and of course you guys know that the more complicated the system, the bigger the attack surface, the more sophisticated an attack can be. And so we don’t have any control over the problem and it is pretty complicated. We as a high-tech industry, certainly security, love buzzwords, we absolutely love buzzwords, and I have a theory about why we love buzzwords: It’s because entrepreneurs make money off these buzzwords. The more of these we can throw out there, the higher the valuation of our company, and ultimately if we want to sell companies or have an IPO in the future, institutional buyers and acquirers love to hear these things. They might not mean anything - it doesn’t matter, as long as we throw them out there and we make money it’s cool. The problem though is the poor consumer is left with these buzzwords and they rotate on an ongoing basis. So if one buzzword goes out of fashion, we’re sure to invent a new one pretty quickly. The CEO of the big company I used to work for that we left unnamed, whom I admire quite a bit, had a pretty famous interview in 2009 talking about cloud computing. And basically his thing was “I don’t even understand what the cloud is.” I mean, think about it for a second. A bunch of computers attached to a network on the internet with an underlying grid computing or utility computing infrastructure used to be called mainframes not too long ago, and we’ve reinvented it. But if we don’t call it cloud, it’s not very exciting and it’s not very sexy.
And so the same thing with big data. Think about it for a second. I mean, we all use big data because we have to, but is it because relational data or structured data was small data? You know, that was a lot of data there too. We really mean unstructured data, but we call it big data because it’s cool. So the problem is we invent these buzzwords, you have a world that’s complicated. The result of it is our security solutions tend to solve technology problems rather than business problems. We tend to be very myopically focused on each of these areas for our end-users, and the problem is security is a holistic problem, it’s a real business problem. And so you’re going to hear a lot about these buzzwords at RSA I’m pretty sure. So what that has resulted in is that our focus as a vendor ecosystem has become the big enterprises. Why? Because the only set of companies that have the human capital and the financial capital wherewithal to be able to consume all of these buzzwords, be able to pay for them separately, be able to pay for systems integrators to come glue it together are the big enterprises. If you click down from the big enterprises, the small-to-medium size businesses don’t have that human and financial capital wherewithal to understand these and then hire, obviously, big services firms to come do it for them.
Of course as we know, for every one of those big commercial banks or federal agencies, there are thousands of what we would call an SME or a mid-market company, and there are probably tens of thousands of what we would call sort of small-to-medium size businesses or small office/home office. And of course as you know, they’re equally the target of attacks as the big commercial vendors. Why? Because a lot of these guys store credit card data, PII information. And so the attack surface is the same and the type of data that they have is as interesting to the attacker as it is with companies like Credit Suisse and Wells Fargo Bank. Unfortunately though, the solutions that we provide as vendors are not very well-suited for these guys. And this is a glimpse into the security market, which is you’ve got the big enterprises sort of in the center, and the way… if you’re an entrepreneur and you want to start a security business, you first want to find yourself a hacker, you ideally want to have the hacker sort of breach, there has to be some sort of a breach or some sort of an attack vector, you’re the good guy, the entrepreneur, you go get some money from venture capital, there’s plenty of them here in the Bay Area - if you guys don’t know any, I’ll be happy to introduce you to a bunch of them. You’ll create a protective control for that specific target customer and that technology stack, and you’d protect that specific instance of what you’re trying to do. And of course, if I can get Bill’s slide to work here again, 2 seconds, here we go. And a new product is created which collects threat data, and this is where I segue into threat intelligence sharing, and it’ll create the threat data, but that threat data is very myopically focused on that product, on that specific industry segment, and the cost is out of the reach of many people, and the complication is super high and concentrated in the big enterprises. Sorry guys this…
And then of course what happens is that once that’s protected, there’s going to be a new hacker and there’s going to be a new attack vector, and we go through this cycle over and over again, thus just the sheer number of ISVs and vendors you’re going to see at RSA. So one thing I want to impart on you humbly is we need to simplify the business of security. It’s a form of madness guys. It’s like this: It’s like if you want to buy a car, and as a consumer you are okay with the car manufacturer giving you guys a door, a stick shift, a steering wheel, and then introducing you to a systems integrator that would glue that car together and you would part with $2 million or $3 million to get the car, as long as the consumer market was okay with it, I could guarantee you guys that the car manufacturers and the service providers would be happy charging you $3 million and selling you complicated solutions. What happened was the consumer market couldn’t afford that. That’s why cars are integrated vehicles, you know. It all comes together in one package. For some reason we don’t do it in high tech. We certainly don’t do it in security. We love complication. And so one thing we want to espouse is: A. Let’s all get together and make security simple, B. Let’s make security affordable and available to all companies of all market segments rather than this borderline Obsessive Compulsive Disorder we have which is complicated solutions at a very expensive price sold to the top end of the market, leaving the vast majority of the market open to attacks. So as much as I love these buzzwords, they honestly don’t solve a business problem. They make entrepreneurs rich, and it’s not good for the consumer, it’s not good for businesses.
So let me segue into this threat data sharing. So first assertion or first idea is let’s simplify technology, let’s simplify security solutions and think about it as a business problem, as a risk problem not a tech stack problem. The other one is we need to share threat data folks, we really do need to share our threat data. Just imagine for a second if you had a world, which we do, and that world had collection points, which in a second I’m going to get to, and these collection points, just remember everybody’s getting breached and as a result of these breaches they create log data, event data, there’s a lot of great information that resides as a by-product of breach, and just imagine if we could somehow interconnect these collection points around the world and we had an effective way for that interconnect to start sharing this threat data amongst each other. The problem though has been that although threat data sharing has been around for a long period of time, it has lacked a couple of key adjectives: openness and collaboration, and I’ll get into that in a second when I talk about the code of ethics. But what difference will this make? Let me use some analogies and examples of where threat data is effectively used. If you look at Interpol, it’s become increasingly difficult if not impossible for a criminal to pass a state border or a federal border or country borders without triggering Interpol. So if you go from here to the UK or Germany, if you’ve committed a crime, you’re known for something and they want to catch you, they will, because there’s very effective threat data sharing between the various agencies around the world. If you look at the Federal Bureau of Investigation and the collaboration that the FBI does with local law enforcement agencies, it’s extremely effective, it’s real-time, and it’s become increasingly difficult to escape from these guys.
If you look at our streets and these neighborhood watch efforts that we have, if a home gets attacked or broken into in a neighborhood, the information is disseminated fairly quickly so other homes can protect themselves against the same type of attack. Somehow it doesn’t happen very effectively in the world of cyber-security. Let’s see if we can… So we need to share our threat data. And if we do, what happens is a bad guy will breach one company in one geography in one industry at best, and that company will do everything they need to protect themselves against it, but fairly quickly share what they did across the board with all geos, all industries, all companies, and if the same type of attack were to happen in other companies, they would be protected almost immediately against it because they’ve learned from what has happened to that one company. And the problem with Bill’s slide guys is… there we go. So what’s next? Let me propose a code of ethics for the limited time I have here, in another 10 minutes. So there are 6 guiding principles that I want to talk about around what makes an effective threat sharing network, because again, as we know, these threat sharing networks have been around for a long period of time. If you remember the early days of the antivirus, the signature definitions are a form of threat sharing. And if you look at closed threat sharing networks like FS-ISAC, if you guys have heard about the financial services industry, this very effective threat sharing that happens in the commercial financial sector among the top end of the financial institutions, but of course it’s not open, it’s not available to everybody.
So the first sort of guiding principle is as vendors, we can still be effective in competing with each other, but let’s not make the customers’, sort of the victims’, breach data part of our competitive factor, and hopefully this is becoming clear. So when I talk to a lot of my peer vendors and I put out this concept of “Look, as a vendor community, we should get together and collaborate so we can get customer breach data and effectively share it amongst each other.” The first reaction I get is “There’s no way in hell that I’m going to share my customer’s breach information or threat intelligence with you”. And the first question is “Why?” And the answer is “Well, because we own that”. And just think about it for a second - we provide automation frameworks to catch the bad guys and capture threat information. As soon as we do that, we allow ourselves to co-opt that information. That threat data and that threat information belongs to our end-users, not us, and it’s incumbent upon us to share that threat data amongst each other and not co-opt it and make it an advantage to us as a vendor against the other vendors. So there is a way, guys, for us as vendors to compete effectively against each other but not make the customers’ threat data one of those competitive angles.
The second is the power of peer groups. I think no matter how hard we try as vendors and how big our security labs and how sophisticated our security research, the amount that we can get through a crowdsourced peer-to-peer network around the world still overshadows the outreach and the richness of the data that we create as vendors. So there is this notion of connecting peer networks together around the world. The third guiding principle is if we want this to be effective, we have to have an opt-in model, in that we can’t force our customers to share their threat data. However, what we can offer up is “If you submit your threat data to a crowdsourced network, in return you’re going to get the crowdsourced threat data back”. So there’s some goodness that comes around this one-to-many relationship that you can put in place where sharing your threat data allows you access to everybody else’s. Let’s see if we can move this slide here. There we go. Then of course the other one is when proprietary information is shared, there might be some negative connotations, there might be cases or instances where somebody might put malicious data in the content that they contribute, but our belief is that the overall goodness that comes out of an effective threat sharing network overshadows the potential badness that might come out of it.
And of course the most important thing is a commitment to a crowdsourced network requires a real-time commitment, in that any propagation delay or asynchronicity in sharing threat data could potentially be an attack surface, could potentially expose our peer groups to the same type of attack during the time that we’re trying to propagate that threat data. So an effective synchronous threat data sharing is an absolute must. Then… let’s see if we can… still work, yeah, there we go. And then the last is we must absolutely respect the privacy and anonymity of the folks that are submitting that threat data. In our company we take great strides in ensuring that if somebody’s offering their threat information, we anonymize their identity and provide full privacy for the folks that want to opt in to the network. And so, in our opinion, if we can do those 6 things effectively, we can create an open and collaborative threat sharing network around the world that really doesn’t have any constraints applied to it. It’s not necessarily focused on a certain view of the type of threats that you’re going after. For instance, if you’re a vendor in intrusion detection, or you’re a vendor in SIEM, oftentimes what you’re exposed to is just the type of data that you collect. And yet there’s so much to threat data outside of what we do as vendors. And so if we have that openness and collaboration around offering this threat exchange platform, we can gather threat exchanges across the world that are shared between all peers. And I promised the event coordinators that I wouldn’t pitch our company, but there is one thing I want to throw out there, which is it’s not an asset that we own, but we’ve offered up to the industry a network called Open Threat Exchange, which is essentially an exchange platform that facilitates threat data sharing around the world, and we invite, obviously, everybody to join it.