1. 0 DEFCON 2005
Good afternoon and welcome to America's Costliest Security Bloopers! I'm David Cowan and I'll be your host.
I decided to make the VC talk a bit more provocative since the bar has been raised this year: for a talk to be interesting you have to generate at least a couple of lawsuits.
2. 1
3. 2 Why Dwell on the Mistakes?
10 years ago Dan popularized the notion that you can't secure networks without an open scrutiny of vulnerabilities and errors. This week, Michael Lynn reminded us of the same thing.
4. 3 This presentation is for
Plus, for anyone who wishes to kill an hour between the two big Fed talks.
5. 4
To inspire innovation, I'll occasionally inject interstitial slides with inventive ideas.
6. 5 BESSEMER VENTURE PARTNERS
Location: California, NY, Boston, Bangalore, Shanghai
Founded: 1911
Investor: Phipps Family
Non-Tech Portfolio
Manufacturing: WR Grace, International Paper, Ingersoll Rand, Fort James
Retail: Staples, Sports Authority, Eagle Hardware, Dicks, Blue Nile
Biotech: Myco, PerSeptive Biosystems, Isis Pharmaceuticals
Other: Gartner Group, VistaCare
Tech Portfolio
Software: Parametric, Veritas, SystemSoft, SMARTS
Systems: Ungermann-Bass, Cascade, Ciena, P-Com, Omnia, Flarion
Services: Keynote, PSI-Net, Verio, Mindspring, Hotjobs, Telocity, Skype
Chips: American Superconductor, QED, Maxim, C-Port, DSP Group
7. 6 BESSEMER IS THE MOST ACTIVE EARLY-STAGE VENTURE FIRM IN INFORMATION SECURITY.
All but our 3 recent early-stage investments have run rates above $10mm
5 IPOs, 1 acquired by Cisco
Not a single Realized or Unrealized Loss
One of our active practices since 1993 has been information security. In fact Bessemer has funded 17 security startups, more than any other early stage venture capital firm.
This practice has been very successful for us.
[click]
Of the 17 companies, all but the most recent Series A investments are running at revenue rates well above $10 million per year.
[click]
We've had 5 IPOs and one acquisition.
[click]
And we've never had a loss, realized or unrealized, across the entire security portfolio.
8. 7 OUR IT SECURITY TEAM
David Cowan: Co-Founder and former Chairman, VeriSign
Devesh Garg: Former GM, Broadcom's Security BU
Chini Krishnan: Founder, Valicert
Peter Watkins: Former President, Network Associates
Chris Risley: CEO, ON and Nominum
Jeremy Levine: Director of Determina and eEye
Justin Label: Director of Tripwire and Finjan
We regularly meet with CIOs and CSOs to solicit input on long term needs, to get their feedback on specific companies, and to engage them during product development. We meet one on one and we host dinners and roundtables to maintain a pulse on the marketplace on behalf of our companies.
9. 8 Spreads easily
10. 9 A VERY GOOD REASON TO BUY FROM BIG COMPANIES
Biggest challenge to startups: enterprises like to buy product suites, with good reason.
11. 10 SYMANTEC
Examples of how big players have staked out product claims (as of Dec 2004).
12. 11 McAFEE
13. 12 ISS
14. 13 COMPUTER ASSOCIATES
15. 14 CISCO
16. 15 Inventive Cold Remedy
17. 16 BUT SECURITY IS FLUID, AND A CONSTANT BATTLE. RAPID INNOVATION IS NEEDED, EVEN TO TREAD WATER.
Adoption of new protocols, apps and platforms constantly calls for new security solutions.
Plus, the enemies constantly adapt to security solutions, quickly rendering them obsolete. Attackers used to do it for ego, politics and mischief, but now it's for profit (spam, extortion, ID theft), so they are far more resourced, patient and resolute to escalate.
Unlike other technology areas, it is a battle of Man v Man, not Man v Nature. It takes constant innovation just to tread water.
18. 17 NO SECURITY IPOS IN 2003, 2004 or 2005. BUT
All those startups, and no IPOs!
But M&A activity is growing, and will remain a fixture of the industry. The suite providers are great at integrating, and the startups are great at innovating. As security technologies mature from invention to scalable deployment, the market will force the integrators to acquire the innovators.
19. 18 No muss, no waste.
20. 19 Reasons People Buy Security Technology
Each enterprise represents a unique set of assets, threats, enemies and resources. Crafting the right security mix is a highly complex and difficult task. What motivates us to select particular products?
Working the rooms here at DEFCON, you'd think that there's only 1 reason:
[click]
People buy security technology that affordably defends assets from an entire class of attack. Indeed, that is a sensible reason to buy.
But wait! People usually buy security technology for entirely different reasons.
[click]
-- Lots of other people seem to think this stuff works. We must need it, too. Such weak-minded disposition to suspend skepticism explains a lot of the problems in our world beyond information security. Not only might others be wrong (and I'll point out some doozies today) but there simply is no one-size-fits-all security mix. Nonetheless, this kind of thinking drives a lot of purchasing from the big security companies.
-- Here's another brain malfunction that drives sales for Symantec and Cisco:
[click]
If an attack brings our network down, I'll be okay so long as it brought down everyone else's network as well. So I'll just hide in the safety of the herd, and buy whatever seems to be selling well. Never mind that we're seeing more targeted attacks today, or, more importantly, that the consequences of any attack to one enterprise are pretty much the same regardless of whether it hit others.
-- Why else might buyers flock to Symantec and Cisco?
[click]
I got a good deal on a bundle! When I bought that big router or appliance, the vendor threw in some cheap, or even free, licenses. It may not work, it may inconvenience users, it may suck up IT resources, it may even be another vector of attack, but it was cheap! My favorite example of cheap, bundled nonsense is Anti-Virus licenses for servers, you know: those computers that nobody ever uses for email or browsing.
-- Here's another driver of industry concentration:
[click]
We need to convince someone--our CSO, CIO, CEO, Board, Auditors, Regulators, Customers, Congress--that we have best practice security, where someone else, of course, has defined what best practices are. Sometimes best practice security implies working technology, but not necessarily.
[click]
-- A nasty attack crashed our network, and so I have budget to deploy a defense. You can always spot these folks because they don't want to hear about what the product does, they just want to run a battery of tests against the product. It doesn't occur to them that their enemies are adaptive human beings, and that the next attack might look slightly different than the last one.
-- And finally, there's always relationship selling.
[click]
Like the wild party some vendor threw at Olympic Garden. Okay, so maybe that one's not such a bad reason.
[click]
21. 20 Bloopers, Blights & Blunders
As you saw on my title slide, there are three types of mistakes that account for the billions of dollars lost annually in developing, deploying, and mopping up the mess from security technologies that don't work. Let me distinguish these classes of mistake for you.
[click]
We saw on the previous slide all the reasons why people buy security technology that doesn't work. As a result, we can look at two distinct classes of security technology:
[click]
There are technologies that work. And there are technologies that sell. These sets are not equivalent. Sure, they intersect, and that's where great companies thrive. In fact, my job is to find teams with technologies that work
[click]
And help build them into companies with technologies that sell.
Too often though, I see startups getting funded
[click]
With technologies that never work, and never sell. They suck up most of the $700 million invested by VCs each year.
[click]
These are what I call Bloopers.
Next we have technologies
[click]
That sell well even though they don't work.
[click]
These are the blights on the security landscape, costing businesses a billion dollars per year in license fees, costs of ownership, and damages from successful attacks.
[click]
And finally we have the security companies with technologies that don't work and don't yet sell, but they're growing fast.
[click]
These are the Blunders of the industry: hot products that enterprises are buying for the wrong reasons, and destined to become tomorrow's blights.
By illustrating some of these bloopers, and exposing the blights and blunders, I hope to assist you in avoiding the mistake of making a bad investment, a doomed career choice, a wasted product purchase, or a dangerous choice of online bank.
22. 21 Maybe this mobile computing device is a blooper
23. 22 Bloopers
EDRM: Authentica and Alchemedia made some great product, but users aren't changing their behavior to protect docs. Microsoft will end up providing good enough product in Office.
Applet Signing: an example of Too Much Useless Information. So I have a name of who wrote the app, so what?
24. 23 Blights
IDS: hopeless barrage of alerts, and growing, as each product improves.
Unmanaged Firewalls: Counterpane finds that most firewalls are unconfigured; nearly half have default passwords.
Server A/V: as if you read email on your WebSphere server blade.
Single Sign On: equivalent to that universal remote control you bought, and now sits on the table next to all the others!
25. 24 Blunders
Assumes that every anomaly indicates an attack, and every attack shows an anomaly.
As soon as you get false positives, it gets switched to Monitor mode, which makes it an IDS.
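The two assumptions the Blunders slide criticises can be seen in a handful of lines of code. The following is an added example written for this page, not code from the talk or from any product it names: a toy rate-based anomaly detector (a mean plus three standard deviations threshold over per-minute request counts) run against constructed traffic windows. One window is a benign flash crowd that the detector flags (a false positive), the other is a low-rate probe that stays inside the baseline noise and is not flagged (a false negative). All counts, window names and the labels in `GROUND_TRUTH` are constructed for the example.

```python
"""Toy rate-based anomaly detector illustrating two failure modes:
(1) a benign anomaly is flagged as an attack (false positive), and
(2) an attack that shows no anomaly is missed (false negative).
Every number below is constructed for this example."""
import statistics

# Constructed per-minute request counts from one client during a quiet
# baseline window; the detector learns "normal" from these.
BASELINE = [40, 42, 38, 45, 41, 39, 44, 40, 43, 42, 37, 46]

# Constructed observation windows, labelled by what actually happened:
#   flash_crowd: a product launch triples legitimate traffic (benign)
#   slow_probe:  an attacker adds a couple of requests per minute, which
#                is indistinguishable from ordinary variation (attack)
OBSERVATIONS = {
    "flash_crowd": [118, 125, 131, 122],
    "slow_probe": [43, 41, 44, 42],
}
GROUND_TRUTH = {"flash_crowd": "benign", "slow_probe": "attack"}


def zscore_threshold(baseline, k=3.0):
    """Return (mean, stdev, threshold) where threshold = mean + k * stdev."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    return mean, stdev, mean + k * stdev


def classify(window, threshold):
    """Flag a window as 'anomaly' if any minute exceeds the threshold."""
    return "anomaly" if max(window) > threshold else "normal"


def evaluate(baseline=BASELINE, observations=OBSERVATIONS, truth=GROUND_TRUTH):
    """Run the detector over each window and compare its verdict with reality.

    Returns a dict: name -> {"verdict", "actual", "outcome"} where outcome is
    'correct', 'false_positive' (benign flagged) or 'false_negative' (attack
    missed). The flash crowd is a false positive, the slow probe a false
    negative: the detector assumes anomaly == attack in both directions.
    """
    _, _, threshold = zscore_threshold(baseline)
    report = {}
    for name, window in observations.items():
        verdict = classify(window, threshold)
        actual = truth[name]
        if verdict == "anomaly" and actual == "benign":
            outcome = "false_positive"
        elif verdict == "normal" and actual == "attack":
            outcome = "false_negative"
        else:
            outcome = "correct"
        report[name] = {"verdict": verdict, "actual": actual, "outcome": outcome}
    return report


if __name__ == "__main__":
    _, _, thr = zscore_threshold(BASELINE)
    print(f"threshold = {thr:.1f} requests/minute")
    for name, r in evaluate().items():
        print(f"{name:12s} verdict={r['verdict']:8s} actual={r['actual']:7s} -> {r['outcome']}")
```

Run stand-alone, the script prints the learned threshold (just under 50 requests per minute for the constructed baseline) and one line per window. The benign flash crowd is exactly the kind of false positive that, per the slide, gets the product switched into Monitor mode; the slow probe shows why a detector that only watches volume cannot promise that "every attack shows an anomaly".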
26. 25 Ineffective Ways to Secure Online Transactions
Phishing defenses: lists are too slow to adapt, rules won't work because the emails look real, and mechanisms like URL masking are too narrow to slow down ID thieves.
Empower: tells the user whose domain? Whose email domain? Whose certificate? Whose applet? Did the cert expire? Did you navigate out of SSL? The user doesn't understand what to do! All useless data.
Educate: last resort of the negligent and incompetent. How do you educate a user to avoid pharming, or browser-redirecting malware, or slipstreaming malware? Ridiculous.
Authenticate everyone: better to profile and focus dollars and inconvenience on a few people.
Login: why focus attention at this step? It's the least risky. Focus on cash withdrawals and changes of address.
The last 3 are all subject to man-in-the-middle attack, and slipstreaming.
27. 26 Effectively, Affordably Secure Online Transactions
28. 27
29. 28 Security Opportunities Im Wondering About
30. 29
To a large extent, Venture Capitalists play a distinct role in the security ecosystem, serving as gatekeepers of R&D capital. We need to spot the blunders, but we also need to appreciate the great market need for innovative security solutions.
I'd like to close this talk with a short anecdote about the need for rapid innovation, and healthy skepticism, in information security.
The night I closed our investment in my 12th data security deal, Cyota, my wife Nathalie took me to see the Bourne Supremacy in Mountain View. On the way, she asked why I seem to keep investing in what sounds like the same company over and over. Obviously, a fair question. As we approached the theater, I tried to think of how to explain the fluid nature of the data security threat. Walking in (and, thanks to Fandango, righteously bypassing the long lines of teenagers), I noticed that the theater had just implemented its own security program to mitigate Movie View Theft by patrons who would watch a second film without paying. Instead of collecting tickets at the front door, tickets were now collected at the two hallways off the lobby, to where customers were ushered out as each film ended. No ticket, no second movie. So I said: watch this. I stood by the front door, waited for a lull in traffic, and then nonchalantly proffered my hand toward the next approaching bevy of teenagers. I murmured, "Tickets."
The first victim handed me his ticket, the rest were cake. As my victims jabbered on about football games and SAT prep, their tickets accumulated in my hand, half a dozen before I stopped. It took them a good 5 minutes to make their way over to the hallway, encountering the legitimate ticket stand. Another 2 minutes passed as they tried to figure out which of them had the tickets! When it finally dawned on them that they had been phished, I was standing right there and returned their assets (and thankfully they didn't kick mine).
My wife understood that security is hard, which is why I, and likely most of the people in this room, find it so interesting.
So keep in mind that as we craft new technologies, we're all going to make some mistakes now and then, which is okay so long as we critically assess our bloopers before they bloom into full-blown blunders.