a16z Podcast - a16z Podcast: Barbarians at the Gate -- How to Think About Enterprise Security Today

Episode Date: May 7, 2015

Enterprises large and small run their applications and infrastructure at a whole new level of agility and speed. But unfortunately, security doesn’t like speed. “The faster you go, the harder it is to understand what is happening and to protect your infrastructure,” says Andrew Rubin, CEO and co-founder of cloud security startup Illumio. So then how do we rethink the architecture of the past to acknowledge the way business happens today? If you want to start tackling the shifting landscape of business and security today, “Go become a student of the economics of war and crime,” suggests Gaurav Banga, CEO and co-founder of Bromium. If going slow is not an option, what can and should we do?

Transcript
Starting point is 00:00:00 The content here is for informational purposes only, should not be taken as legal, business, tax or investment advice or be used to evaluate any investment or security and is not directed at any investors or potential investors in any A16Z fund. For more details, please see A16Z.com slash disclosures. Welcome to the A16Z podcast. I'm Michael Copeland. And we are continuing our discussion of security. And we are lucky to have Andrew Rubin, CEO and co-founder of Illumio. And along with Andrew, Gaurav Banga, CEO and co-founder of Bromium. Welcome, guys. Welcome. Thank you so much. We are happy to be here. Thank you very much. Gaurav, I read something that you had said or written. The Barbarians are at the gate. Am I being attacked? Yes, you are. And what Barbarians at the gate
Starting point is 00:00:51 means that never before have we had so much online. We have, quote unquote, computerized our every existence, every aspect of our existence, how we invest, how we get paid, how we do health care, how we deliver power, everything. And unfortunately, we have built that on a security platform which is not architecturally sound. And we're getting attacked every day. It says that the war and crime just came online. Andrew, how do you view that and how do the folks that you talk to kind of internalize the fact that if I have stuff out there that's valuable, people are going to,
Starting point is 00:01:29 want to go after it. So I completely agree with Gaurav that we're effectively digitizing everything and it's literally everything. It's everything from the way that we bank to the way that we hail a taxi or a car to move from point A to point B. So inherently there's a lot more digital and electronic to protect. I think the aha moment for security, and it's recent, it's measured probably in months or maybe a year or two, is that this concept of being in a binary state of safe or breached is no longer a viable way to look at the world. Because with this much out there, it's almost an assumption that you've already been breached or you will be breached and you may not know it right away. And what we're hearing more and more now is this concept of how do I reduce the surface
Starting point is 00:02:15 area of attack when I'm breached? That's a very different security conversation than the one that we've had for the last 20 or 25 years. So you're saying it was a matter of months before that kind of mindset shift happened? Why, why finally do you think that occurred? I don't think it's any one thing. I think it's a combination of a few things. So the first one is that there's a lot more places to put stuff. I mean, if you think about five years ago, whether or not we really would look at the public cloud as a truly viable alternative to your data center that you built, owned, controlled for the 20 years before that, there was a debate. Now there's no longer that debate. It doesn't mean everything will land in the public cloud.
Starting point is 00:02:54 but it means that it's a viable alternative. So we're more distributed and more heterogeneous than we've ever been. I think the other thing that's going on is there's a shift in the way that enterprises are thinking about running their infrastructure and applications. And the shift is all based on agility and speed. And unfortunately, security doesn't really like speed. Those are two things that traditionally have been at war with each other. The faster you go, the harder it is to understand what's happening and certainly the harder it is to protect it. Unfortunately, that friction point is no longer tenable, right? Enterprises are going to go fast
Starting point is 00:03:27 and they're going to need to do it with security at the same time. So Gaurav, for you guys, how do you address that tension between going fast, operations, and, you know, security? We've been talking about this, how, you know, you need to respect security but you need to get things done. So in that speed, in companies, in an environment where speed is of the essence, how do you reconcile those things? So to be able to reconcile, you first take a step back. And just to add to what Andy said earlier, you know, so the world has changed, the world is changing. You start looking at, besides, so cloud is one very important development that has happened. Another development that has happened is mobile, as you all know, right? And then another one that has
Starting point is 00:04:15 happened is that you're relying more and more on the internet, which is, you know, not just cloud, as in, you know, you do cloud computing, but the fact that you're very content dependent, you're generating large amounts of content, and you're exchanging and sharing that content, you're trusting each other over the Internet. So if you look at all these trends, the first thing you do is you take a step back
Starting point is 00:04:38 and you examine how the security architecture must change. And one of the other requirements that comes along is that the security architecture must also be responsive to the need to go faster. Right. Now you came up with a set of requirements. Your new security architecture or your modification to the existing security architecture must have these properties. It must deal with cloud. It must deal with mobile. It must deal with consumerization. It must deal with the fact that we are relying more and more on Internet content. It must deal with the fact that change is more common. Now, then it becomes a computer science, a computer architecture, software design problem. And it turns out that it is, I mean, we live the message of hope. It does turn out that, you know, it is possible for human innovation to come up with such a design, which is a more sophisticated, a more well-thought design on security, but you can put it just together. And I'll build on that. I just want to kind of add one thing
Starting point is 00:05:36 that, you know, when we launched Illumio into the market last October, so about six months ago, obviously the amount of feedback that we started to get because we were talking to more people and certainly talking more openly went up very dramatically. And one thing that's interesting is consistently across the board, customers are saying to us that they're finding that there isn't a natural or easy iterative path from the architecture of the past. What Gaurav said about having to rethink the problem from first principles, we're actually hearing customers say that. So despite the fact that you started off mentioning that everybody's dressed in black and so it must be security, what's interesting is that it actually doesn't seem that eerie for one very
Starting point is 00:06:13 simple reason. Because for the first time in decades, the customers are actually in a place where they're willing to truly rethink this from the very beginning. They understand that there's a new set of problems and a new set of challenges that security has to face that aren't built on the problems of the past, and therefore they're willing to look at a completely new way of solving it. That's a massive change in the enterprise or the customer mindset. That goes cheek by jowl, I guess, with this shift to the cloud, right?
Starting point is 00:06:40 I mean, they're willing to look at that in terms of running a business, and so they're also willing to look at ways to change their security approach. Well, and I think if you look at it, some of the organizations that you would think are least likely to take advantage of things like public cloud or allow open access through mobility. If they're willing to do that, then it's not a leap or a very far step to imagine them being willing to look at security through a completely new lens for the first time in a long time. The challenge is that the industry has to respond by bringing things to market that actually start from a blank page and allow the customer to look at it not only as a new set of problems, but also from a completely different way of trying to solve them. And so we have an obligation sitting on our side of the table, Gaurav and I and others,
Starting point is 00:07:25 to actually bring things to the customer that fundamentally start from a different place than just simply iterating on the architecture or the model of the past. So you guys have different philosophies in your companies about how to approach all this change. If barbarians are at the gate, they're trying to get in all sorts of different ways
Starting point is 00:07:45 and new ways all the time. How do you then anticipate kind of the new? You know, it's one thing to change my architecture and sort of head off in a new direction. But if I don't know where the next breach or attack or, you know, bad thing could come from, how do I, how do you approach that? So, I mean, this is, if you take a step back, and it's hard to take a step back, because, it's just, life is so busy. But as you and we take a fresh step back,
Starting point is 00:08:12 the problem that we are trying to deal with, which is what you were terrified about, unseen and unknown, what you don't know, what you don't see, what you don't see coming. The instructive way to think about it is actually just go back to the drawing board again and say, what has happened? Two things have happened. The way we do IT is changing with cloud and mobile and all of that. That's one aspect. The other aspect is we have so much online, just forget.
Starting point is 00:08:41 So imagine we had none of that IT change, we still have so much online that it has become very rewarding for the bad guys or the adversary to come after you in the online space, right? Now, none of this is new. So shifts in IT have happened before, shifts in our way of life have happened before, and war and crime is older than mankind,
Starting point is 00:09:05 as old as mankind, whatever, why do you want to look at it? So the way you want to think about this is go become a student in war and crime, how war and crime works, what are the economics of course, war and crime, and then go become a student of some of the computer science behind. That gives you the approach you need to take.
Starting point is 00:09:24 That gives you the approach. So for example, why would people come in and say, I'm going to spend $10,000 on just buying this software exploit so that I can hack this Fortune 500? Why? Because that $10,000 is a small fraction of the reward that you would earn from that. And it is much, much cheaper than trying to attack the bank in the physical world. That's the reason why they do it.
Starting point is 00:09:49 What makes the job easier? What makes the job easier is the sheer complexity of IT, but also the fact that things are shifting and IT security is behind the shift, like the fact that you're flowed, the fact that you have. So now the best approach is first to recognize that this is happening and then to come back and design what your response to this is gonna be.
Starting point is 00:10:12 Andrew, how do you guys approach that? I know you talk about, talk about reducing surface area. We do. So we talk a lot about reducing the surface area of attack because there's a premise that security functioned in a very binary world for a long time. Security's job was to keep you safe. And safe inherently meant that nothing was wrong. And of course, when safe fails, then it seems like everything is wrong. The way we would say it is it felt like you were either perfectly safe or catastrophically breached. And what we're finding is that what customers are now working off of is just a fundamentally different assumption, which is I'm
Starting point is 00:10:44 probably breached. If I'm not already, I will be. And it's equally interesting and maybe even more so to ask the question, when that happens, what is the surface area of attack? How much damage will something inflict? What is the blast radius inside of my data center or cloud when something goes wrong? So from an Illumio perspective, we really look at it in terms of mirroring the compute environment, the infrastructure and application environment so that security doesn't feel like a bolt on, doesn't feel like something that gets tagged on after the fact, but security is from the very beginning built into the infrastructure and the applications and follows the motion as things drift and change over time. And part of our story is to distribute the policy
Starting point is 00:11:27 and the enforcement out to all of the individual workloads so that the surface area of attack is no longer the perimeter or all the things behind it, but the individual workload itself and how it's talking to and communicating with other things inside of the environment. So you get access to just this small slice, you know, if even that. That's exactly right. And actually, what's interesting is even the perimeter in its most traditional sense, when we used to wrap a brick wall around an entire data center, that really was effectively the same theory in that I was putting a brick wall around a group of assets,
Starting point is 00:11:58 a bunch of servers sitting inside, and therefore they were protected. What we're doing is we're simply taking that and shrinking the surface area of attack down dramatically, dramatically to the point where it could be a single server, a single VM, and now with an announcement that we made last week, even a single process running on one of those compute instances. But all of it comes back to the same thing. How do we have the ability to distribute security dynamically, make sure that it's always provisioned correctly in a dynamic world, and how do we reduce the surface area of attack? Gaurav, do you guys, again, there's this idea that, wow, it's security, it's going to slow me
Starting point is 00:12:35 down, it's going to be a pain in my arse. You know, how do you make sure people use it? And how do you advise, you know, your customers and folks in this world to make it easier? So actually, you know, the thing that makes it easier is when you design with these assumptions built in, when you design something where mobile is not excluded, the internet is not excluded, the cloud is not excluded, and some of the tools that you use are, you know, this whole idea that Andy talked about earlier, which is micro-segmentation, micro-virtualization, which is what Bromium does, whether you do it in the network in the data center or, like what Bromium does, in the endpoint, it gives you that exact tool. So why, what do people care about? People care about doing whatever they want to do.
Starting point is 00:13:24 That's really what it is. They want to click on everything. There are serial clickers, if you will. Right. So if you want to click on anything, if you want to run whatever you want to run and you cannot be told that you may not do that, then the question really becomes, how can we create the environment and the infrastructure so that you can do that safely? And the approach that Bromium takes, the approach that we take, and a whole bunch of others, and it's not very dissimilar, it's actually the dual of what Andy just talked about, but just from an end-user perspective, it is when you're running a piece of code and you don't
Starting point is 00:13:54 know about the origins of that piece of code, that it could be a website or whatever, one thing would be to give it, give the website access to your entire computing environment. Another way would be to create a virtual machine container in which the website is allowed to run. And this thing may not escape whatever the side effects of this website are not allowed to escape the virtual machine container. Now, this is very powerful because you never say no.
Starting point is 00:14:21 Virtualization allows you to build boxes, tiny boxes, around untrusted pieces of computation. That means you never say no. You always allow any kind of computation. You just build boxes that control what leaks out of that container, what is the scope of that computation. So this becomes very empowering because in our system and the systems that are built in this way, you can literally do whatever you want to do.
Starting point is 00:14:45 It is just that when you are, it's like using burner cell phones, right? You use the cell phone, you throw it away. It's like using disposable gloves. So if you have a thick enough disposable glove, you can touch anything. Why? Because you don't really care. It's going to get dirty, you're going to throw it away. Right.
Starting point is 00:15:01 But it gives you this power of being able to touch the dirtiest of things and the sickest of patients and so on and so forth. So this is a very different paradigm here, where you're designing the infrastructure from the ground up in such a way that saying no to the end user is not an option. You are going to be secure in spite of the user being able to do anything and click on anything. And go as fast as they want. And go as fast as they want.
Starting point is 00:15:25 I see. Let's talk about courage versus foolishness and take a step back. You know, I'm going to have the courage to move to the cloud as a company, as a potential customer, you know, what's courageous and what's foolhardy? You know, courageous is, I don't know what, but foolhardy is staying on Windows XP, for example. How do you guys view that? So it really is, you know, there's one of our friends, the CSO of Aetna, Jim Routh, he said just very famously, you know, this is the top, this is the 10% of it.
Starting point is 00:15:58 What that really means, it's a CSO or the CISO, depending how you pronounce it, the chief information security officer, that takes risk to reduce risk. Here's the reality. The world is changing. If you say status quo, you might think that your risk to your business is not increasing. The reality is that it's increasing really, really, really fast, faster than you can control. So in order to deal with the risk, in order to deal with the changing conditions, you have to take a risk. And unfortunately, none of the existing big vendors is going to give you what you want.
Starting point is 00:16:34 You have to think about a new approach. So foolhardy is going through the world thinking nothing has changed. It's business as usual. I can keep saying no to the end users until such day that my company is going to get breached or I'm going to get fired or I'm going to have to fire somebody. Or smart is realizing that things are changing, go through this process of selecting and deciding what is good, what could be good, taking them through the paces and moving, it's moving, changing to adopt a new approach.
Starting point is 00:17:06 I'll add that I think, I think courageous in this case is actually responding to the needs of the organization and being able and willing to look at any tool, any form of infrastructure, any operating model that allows the enterprise to do what it needs to do. It takes courage to actually say we're going to implement completely different things than we have in the past, but we're doing it because the business requires it. I think foolhardy is assuming that the only thing that you have to secure all these new things is what you've had in the past. And what we're finding, like I said earlier, is that customers for the first time are actually very open to looking at
Starting point is 00:17:41 completely new and different things because they realize that they're solving for a new and different set of problems. Let's talk about mobile a little bit. Gaurav, you brought it up and Andrew, you've referenced it. Mobile malware, everybody's got a smartphone. Not all of us, you know, snap them in half and throw them away after we're done with them. What's new in the mobile world and what are you guys seeing and how people, how are people responding? So our view of mobile is slightly more nuanced than that. There is, there's a laptop and a tablet, which is a real mobile vector. And it's a vector of attack primarily because it leaves the four walls of the enterprise and all of the traditional
Starting point is 00:18:19 defenses which rely on firewall and those are just out of line. Right. Right. So that's the reason why these things are far easier to get to, far easier to attack and, you know, that's just the economics of it. The world of mobile smartphones introduces, and also tablets, introduces a different kind of problem, which is the problem of information management, right? These things are bring-your-own devices, consumerized devices, there are very primitive controls in terms of information management. While not much malware exists, some malware does exist, but not much malware exists for attacking mobile devices themselves, like in the Android and the iOS case. But the more important thing is that the CIO has very little visibility and very few
Starting point is 00:19:05 controls and towards that's going to happen. Now, there are companies that are doing the right things and providing you with the right levels of control. And CIOs, some of them are trying to adopt those controls and being successful. Of course, a lot more work needs to be done. And what we're finding is that it's becoming, in a sense, just another act. point. And the reason I say just another is not to diminish how important it is to understand that I think every CIO's dream would be to really truly be able to have a perfect picture of everything that can access every application and every piece of data in their environment no matter where it is or who provided it. But it's, in a sense, it's a fool's mission. Number one, because
Starting point is 00:19:42 it's hard to drill that kind of control over an organization nowadays. And number two, because it's somewhat antithetical to the way that the business is trying to operate to enable speed and agility. What we're finding is that what customers are doing is they're actually identifying what they consider to be their highest value targets. They're identifying the applications and specifically the data that is the most important asset that they have. They're figuring out where those things are and they're realizing that they have to protect those things at really all cost. Wherever it is, however it gets accessed. That's exactly right. What about taking the offensive? We talk a lot about gates and walls and perimeters and we know that those are being breached. But what about like rushing out
Starting point is 00:20:20 and going after folks or making sure that the attacks don't even happen in the first place? There would be an interesting assumption if you could actually work off of the premise that the attack doesn't happen in the first place. I can only tell you anecdotally that in the customer conversations I'm having, they're certainly coming at it from the opposite angle, which is the attacks are not only persistent, they're not only growing in number and frequency, but in a lot of cases, they're growing in severity. And so I think the question is, what is, what is the definition of proactive if that's the premise of the question. Right.
Starting point is 00:20:54 And what we're finding is that the definition of proactive is to actually understand exactly what it is that you have, where it's running, how these things are talking to each other, and then put a set of controls in place that actually allow you to ensure that the right things are happening and thereby the wrong things, if and when they do happen, are immediately flagged as out of profile and are either stopped or certainly responded to very quickly. Right. So it still doesn't sound like, you know, in that sort of offense versus defense kind of view of the world, you need to get, you know, your processes in place, know what you have, know what you're securing, know what's important. And then once that's done, and maybe that's never done, think about going after somebody or some next phase of security, I guess. Well, and I'll add one other thing, which is that what we're finding more and more often now is that visibility leads to knowledge and knowledge actually allows you to secure whatever it is that you're trying to protect. There's been a lot of security thrown at a lot of organizations without really truly
Starting point is 00:21:56 understanding what it is that it's protecting. Because as Gaurav mentioned a few moments ago, you know, the world's gotten not only very scaled, but it's also become very dynamic and very complex. And so the, what seems to be simple task of simply understanding where are all of my assets? In the Illumio world, it would be where are all my compute instances, how are they talking to each other? That's not a static problem any longer. It's not a snapshot where you, you look at it at Monday morning at 8 o'clock, and that picture remains resident for the next two months or six months or two years. That picture actually looks different 15 minutes later. And so just understanding, being able to see and understand what's happening, if you have that, you're probably going to do a
Starting point is 00:22:36 much better job protecting yourself. But that's a very big challenge before you ever get to the protection piece of the story. Yeah, I agree. I mean, attribution and then going after the bad guys, I think we have ways to go. And it's just what we can go. in terms of, you know, it's just very easy to misattribute something to somebody today. It's, I think we have a lot of technical work to do in that. And then also, we have, we have very primitive controls across countries. We don't have the Interpol equivalent, if you will. Right.
Starting point is 00:23:09 If we don't have the nation state to nation state agreement that this is not done, and this is we're going to, you know, extradite those people and bring them to a foreign jail if they do X, Y, and Z. The legal systems around cybersecurity are much more improved now than, say, 10 years ago, but they're still very primitive compared to, you know, murder and, you know, physical extortion and physical theft and grand larceny and all those kinds of things. I think we have ways to go before that will happen. And maybe nation states can do this to each other, but I doubt whether commercial enterprises should go over there.
Starting point is 00:23:42 They have a means to go over there successfully. Right. So based on what you guys have told me and discussed, It doesn't sound like we should all light our hair on fire and go running into the streets. No need to get hysterical. But if I'm a chief security officer, if I'm a CEO, if I'm on a board, what is, you know, if we can't win against these attacks, what can we hope for and what does winning sort of look like, you know, and I'm doing air quotes around winning if it's not beating them? I think winning is enabling the organization to do what it needs to do, to conduct business, to remain competitive, to grow. and there's a whole series of things that we've done with the infrastructure and the applications
Starting point is 00:24:22 and really the entire IT model to allow that to happen better than it ever has. And then security has to realize that its job is to protect that motion no matter what it looks like. And so the reality is the answer for what does security look like today is probably going to be different even a year from now and certainly five years from now. So it's not a fixed answer. It's not that there is the right model and the right model is the only model. The model is that security has to evolve as quickly and as dynamically as the infrastructure and applications that it's protecting. And so long as those things keep changing, security had better find the way to keep up and mirror it. I think change is the answer. You have to, what is very obvious is the existing way of doing
Starting point is 00:25:05 things doesn't work. And if you are not impressing change, the right kind of change, empowering someone who has, you know, got a lot of budget and money behind them, a good clear charter, just what you want to do first and just what we're going to do second, then you're not doing your job as CISO of a global company. Well, change is going to happen and risk needs to be taken in a smart way, it sounds like. So we'll keep an eye on this and we'll keep talking to you guys. Gaurav, Andrew, thank you so much. Thanks so much for having us.
