Frankly Speaking 7/21/20 - Current and Future Trends in Cybersecurity
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
I have to say there’s something about IKEA furniture. Every box always has some problem… It’s frustrating like cybersecurity products. Every product does a good job in one area but is always missing a small yet critical feature. I guess you get what you pay for.
Anyway, enough complaints. Thanks for all the new subscriptions! I’ve been sufficiently motivated to create an emerging cybersecurity index similar to the Bessemer cloud index. The concept is similar — focusing on the next-gen public cybersecurity companies and their performance in comparison to the broader market. It’s almost done, and there are some interesting insights. So, stay tuned!
LET’S BE FRANK
I’m doing a slightly different format this week. I moderated a webinar panel with some of our portfolio companies to get their thoughts on the cybersecurity market. You can view the recording here. Here is the whole transcript if you’re interested! Check back regularly as I’ll try to add more headings around the specific topics covered.
So, who was on this panel?
Balaji Parimi: founder, CEO of CloudKnox, VP of Engineering Cloudphysics, Staff Engineer at VMware
Avihai Ben Yossef: founder, CTO of Cymulate, former head of cyber research at Avnet Cyber & Information Security
Tim Keeler: founder, CEO of Remediant, leader of security incident response team at Genentech/Roche
Rich Seiersen: founder, CEO of Soluble, former CISO at LendingClub, Twilio, and GE Healthcare, Author of “How To Measure Anything In Cybersecurity Risk”
As you can see, they come from various security backgrounds, representing the whole spectrum of security personas. We covered a bunch of topics, but here’s our conversation around cloud security, edited lightly for clarity.
As I talk with CISOs, the biggest concern they have is cloud security. And this will kind of be a big theme of this panel, so as you talk to customers what are some specific challenges that you hear they are facing?
Balaji Parimi: Yeah, I mean cloud-enabled, ubiquitous access to any computing power or data is what customers want. The cloud has eliminated the perimeter or eliminated the boundary. So any employee or any contractor or any machine or board can get to the infrastructure.
That's been the biggest concern for pretty much every CISO we've been talking to. Combine that with the level of automation that is in place, all it takes is a one-liner, either accidentally or maliciously, to cause significant damage. So especially the cloud infrastructure layer level every CISO and every security organization is looking at, I need that visibility.
Today, every CISO is serially lacking that visibility in terms of what is going on. How many entities can get to my infrastructure? What are they actually entitled to do? What are they actually doing? That type of visibility and having the toolset to take actions to prevent any catastrophic event from happening, this has been predominantly dominating the thought process.
And these recent incidents have kind of prioritized, acted as a catalyst for customers to transform their workloads from private into public cloud even at a much faster pace. So, all this is kind of making them nervous about hey, I need to get this visibility, I need to get ahead of this problem, I need to go with the prevention first approach type of thing.
Avihai Ben-Yossef: I'll try to give my two cents about that. It also relates to what Balaji also said on his end, but at the end of the day I think there are so many different kinds of these configurations that can be used in cloud security. You really need to know what you're doing, and visibility will be a part of it.
But at the end of the day, attackers can leverage very specific and small things because an attack is, at the end of the day, a chain of events, it's not just something very, very specific. So the chain of events, definitely in cloud security is a different kind of misconfiguration on a web app, and it can be a misconfiguration on your cloud infrastructure, it can be a misconfiguration on the deployment, and when they all come together, that's it. You're out.
So every time visibility can be, I would say, enlightened here. I will say it will save a lot of the challenges and will give a lot of answers to a lot of challenges that people will probably be concerned about now that most services will be exported and outsourced to the cloud and the security will become a more major factor in those areas as well.
Tim Keeler: Yeah, I completely agree with both of the points that are covered. I mean taking a look at this specific pandemic situation, there's a lot of companies that had to scramble really quickly to put remote access tools, cloud platforms, all of these things into play. And as they were reacting to a sudden shift of the way people are working, security is not always at the forefront of that. So there are really two things to really make sure that you're doing well that's really important.
Because when we're looking at this from an attacker perspective, attackers were already seeing a lot of activity around this, trying to exploit some of these weaknesses in companies. So obviously we've seen an increase in spear phishing as targeting credentials and then also making sure it's understanding where different identities have privileged access as it relates to all of these solutions.
Because one of the points earlier was around visibility. I completely agree with that. The biggest challenge we have is understanding okay, who has privileged access, where? And if you go in with the mindset of assuming a credential is going to be compromised, right? The next question is, okay, how do we put in effective security controls? You really want to make sure you're tying in the principles of least privilege and coupling that with multi-factor authentication.
Richard Seiersen: Sure, and I might take this a little bit different direction. So what I'm hearing, particularly from my CISO friends, is that there's a lot of hastening of digital transformation happening. And I think particularly now in light of the pandemic, and also I just think everyone knew that a cost-out world was coming. I think we're all forecasting that.
So what that means is, own less, and develop more, practically speaking, right? So less cost more value. And I think this is what's hastening, really concretely, cloud-native development, right? That's the hope there. That we can scale a lot more and go from 100 releases or 1000 releases to 10,000 releases or more a year at even less the cost than what we're doing before.
But the challenge in getting there, and I think we all probably know that, is both technology and talent. And I think the top of mind in all those discussions, be it with my CEO or CISOs is really security.
So how do we scale security in a world that's expecting us to go from again, 100 releases to 10,000 releases or more? How do we scale security with actually fewer resources? And I think this is really one of the biggest problems they're really facing, us as an industry, and particularly us as CISOs, is how do we go about thinking about this? And how to be successful?
How do we be like DevOps and SRE? I mean SRE and DevOps, these are developers supporting developers, how does security become that? I think this is real. For me, this is the big challenge, this is what I'm hearing, and honestly, this is what Soluble is trying to hasten — that evolution.
Frank’s commentary
This conversation was very interesting. I feel like it has been capturing a couple of key points I’ve been talking about in my past blog posts. To summarize, it seems like a few general trends are taking place. Many of the problems in cloud security are the same as before, but the parameters of the problem have changed, requiring new solutions.
The cloud has eliminated the perimeter and shifted focus away from an enclosed network.
The focus has shifted to identity and endpoints.
Having visibility will solve a lot of cloud problems, but as before, you need visibility into the right assets.
Automation and speed of development in the cloud also complicate the visibility issue. How do we have the security teams support developers like SRE and DevOps support developers?
Open Questions
What assets should we be tracking in the cloud for visibility?
How do we better manage identity and endpoints in the cloud world?
How does the notion of identity change in the cloud?