a16z Podcast - a16z Podcast: Barbarians at the Gate -- How to Think About Enterprise Security Today
Episode Date: May 7, 2015

Enterprises large and small run their applications and infrastructure at a whole new level of agility and speed. But unfortunately, security doesn’t like speed. “The faster you go, the harder it is to understand what is happening and to protect your infrastructure,” says Andrew Rubin, CEO and co-founder of cloud security startup Illumio. So then how do we rethink the architecture of the past to acknowledge the way business happens today? If you want to start tackling the shifting landscape of business and security today, “Go become a student of the economics of war and crime,” suggests Gaurav Banga, CEO and co-founder of Bromium. If going slow is not an option, what can and should we do?

The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments and certain publicly traded cryptocurrencies/digital assets for which the issuer has not provided permission for a16z to disclose publicly) is available at https://a16z.com/investments/. Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.
Transcript
The content here is for informational purposes only, should not be taken as legal, business, tax,
or investment advice or be used to evaluate any investment or security, and is not directed
at any investors or potential investors in any a16z fund. For more details, please see a16z.com/disclosures.
Welcome to the a16z podcast. I'm Michael Copeland. And we are continuing our
discussion of security. And we are lucky to have Andrew Rubin, CEO and co-founder of Illumio. And along
with Andrew, Gaurav Banga, CEO and co-founder of Bromium. Welcome, guys. Welcome. Thank you so much.
We are happy to be here. Thank you very much. Gaurav, I read something that you had said or written:
the barbarians are at the gate. Am I being attacked? Yes, you are. And what barbarians at the gate
means is that never before have we had so much online. We have, quote unquote, computerized our every existence,
every aspect of our existence, how we invest, how we get paid, how we do health care,
how do we deliver power, everything.
And unfortunately, we have built that on a security platform which is not architecturally sound.
And we're getting attacked every day.
It's that war and crime just came online.
Andrew, how do you view that, and how do the folks that you talk to kind of internalize the fact
that if I have stuff out there that's valuable, people are going to
want to go after it? So I completely agree with Gaurav that we're effectively digitizing everything, and
it's literally everything. It's everything from the way that we bank to the way that we hail a taxi
or a car to move from point A to point B. So inherently there's a lot more digital and electronic to
protect. I think the aha moment for security, and it's recent, it's measured probably in months or
maybe a year or two, is that this concept of being in a binary state of safe or breached
is no longer a viable way to look at the world. Because with this much out there, it's almost
an assumption that you've already been breached or you will be breached and you may not know it
right away. And what we're hearing more and more now is this concept of how do I reduce the surface
area of attack when I'm breached? That's a very different security conversation than the one that we've
had for the last 20 or 25 years. So you're saying it was a matter of months before
that kind of mindset shift happened? Why, why finally do you think that occurred? I don't think
it's any one thing. I think it's a combination of a few things. So the first one is that there's a lot
more places to put stuff. I mean, if you think about five years ago, whether or not we really
would look at the public cloud as a truly viable alternative to your data center that you
built, owned, controlled for the 20 years before that, there was a debate. Now there's no longer
that debate. It doesn't mean everything will land in the public cloud.
but it means that it's a viable alternative.
So we're more distributed and more heterogeneous than we've ever been.
I think the other thing that's going on is there's a shift in the way that enterprises are thinking about running their infrastructure and applications.
And the shift is all based on agility and speed.
And unfortunately, security doesn't really like speed.
Those are two things that traditionally have been at war with each other.
The faster you go, the harder it is to understand what's happening and certainly the harder it is to protect it.
Unfortunately, that friction point is no longer tenable, right? Enterprises are going to go fast,
and they're going to need to do it with security at the same time. So, Gaurav, for you guys,
how do you address that tension between going fast, operations, and, you know, security? We've
been talking about this, how, you know, you need to respect security but you need to get things done.
So in that speed, in companies, in an environment where speed is of the essence, how do you
reconcile those things? So to be able to reconcile, you first take a step back. And just to add
to what Andy said earlier, you know, so the world has changed, the world is changing. You start
looking at, besides, so cloud is one very important development that has happened. Another
development that has happened is mobile, as you all know, right? And then another one that has
happened is that you're relying more and more on the internet, which is, you know, not just cloud,
as in, you know, you do cloud computing,
but the fact that you're very content dependent,
you're generating large amounts of content,
and you're exchanging and sharing that content,
you're trusting each other over the Internet.
So if you look at all these trends,
the first thing you do is you take a step back
and you examine how the security architecture must change.
And one of the other requirements that comes along
is that the security architecture must also be responsive
to the need to go faster.
Right. Now you came up with a set of requirements. Your new security architecture or your modification to the existing security architecture must have these properties. It must deal with cloud. It must deal with mobile. It must deal with consumerization. It must deal with the fact that we are relying more and more on Internet content. It must deal with the fact that change is more common. Now, then it becomes a computer science, a computer architecture, software design problem. And it turns out that it is, I mean, we live the
message of hope. It does turn out that, you know, it is possible for human innovation to come up
with such a design, which is a more sophisticated, a more well-thought design on security, but
you can put it together. And I'll build on that. I just want to kind of add one thing
that, you know, when we launched Illumio into the market last October, so about six months ago,
obviously the amount of feedback that we started to get because we were talking to more people
and certainly talking more openly went up very dramatically. And one thing that's interesting is
consistently across the board, customers are saying to us that they're finding that there isn't
a natural or easy iterative path from the architecture of the past. What Gaurav said about
having to rethink the problem from first principles, we're actually hearing customers say that.
So despite the fact that you started off mentioning that everybody's dressed in black and so it
must be security, what's interesting is that it actually doesn't seem that eerie for one very
simple reason. Because for the first time in decades, the customers are actually in a place
where they're willing to truly rethink this from the very beginning.
They understand that there's a new set of problems
and a new set of challenges that security has to face
that aren't built on the problems of the past,
and therefore they're willing to look at a completely new way of solving it.
That's a massive change in the enterprise of the customer mindset.
That goes cheek by jowl, I guess, with this shift to the cloud, right?
I mean, they're willing to look at that in terms of running a business,
and so they're also willing to look at ways to change their security approach.
Well, and I think if you look at it, some of the organizations that you would think are least likely to take advantage of things like public cloud or allow open access through mobility.
If they're willing to do that, then it's not a leap or a very far step to imagine them being willing to look at security through a completely new lens for the first time in a long time.
The challenge is that the industry has to respond by bringing things to market that actually start from a blank page and allow the customer to look at it not only as a new set of problems, but also
from a completely different way of trying to solve them.
And so we have an obligation sitting on our side of the table,
Gaurav and I and others,
to actually bring things to the customer
that fundamentally start from a different place
than just simply iterating on the architecture
or the model of the past.
So you guys have different philosophies
in your companies about how to approach all this change.
If barbarians are at the gate,
they're trying to get in all sorts of different ways
and new ways all the time.
How do you then anticipate kind of the new?
You know, it's one thing to change my architecture and sort of head off in a new direction.
But if I don't know where the next breach or attack or, you know, bad thing could come from,
how do I, how do you approach that?
So, I mean, this is, if you take a step back, and it's hard to take step back,
because it's just life is so busy.
But as you and we take a fresh step back,
the problem that we are trying to deal with, which is what you were terrified about,
unseen and unknown, what you don't know, what you don't see, what you don't see coming.
The instructive way to think about it is actually just go back to the drawing board again
and say, what has happened?
Two things have happened.
The way we do IT is changing with cloud and mobile and all of that.
That's one aspect.
The other aspect is we have so much online, just forget.
So imagine we had none of that IT change; we still have so much online that it has become
very rewarding for the bad guys
or the adversary to come back and after you
in the online space, right?
Now, none of this is new.
So shifts in IT have happened before,
shifts in our way of life have happened before,
and war and crime are as old as mankind,
whichever way you want to look at it.
So the way you want to think about this
is go become a student of war and crime,
how war and crime works,
what are the economics of
war and crime, and then go become a student of some of the computer science behind it.
That gives you the approach you need to take.
So for example, why would people come in and say, I'm going to spend $10,000 on just
buying this software exploit so that I can hack this Fortune 500?
Why?
Because that $10,000 is a small fraction of the reward that you would earn from that.
And it is much, much cheaper than trying to attack
the bank in the physical world.
That's the reason why they do it.
What makes the job easier?
What makes the job easier is the sheer complexity of IT,
but also the fact that things are shifting
and IT security is behind the shift,
like the fact that you're flowed, the fact that you have.
So now the best approach is first to recognize
that this is happening and then to come back
and design what your response to this is gonna be.
Andrew, how do you guys approach that?
I know you talk about reducing surface area. We do. So we talk a lot about reducing the surface area of attack
because there's a premise that security functioned in a very binary world for a long time.
Security's job was to keep you safe. And safe inherently meant that nothing was wrong. And of course,
when safe fails, then it seems like everything is wrong. The way we would say it is it felt like
you were either perfectly safe or catastrophically breached. And what we're finding is that
what customers are now working off of is just a fundamentally different assumption, which is I'm
probably breached. If I'm not already, I will be. And it's equally interesting and maybe even
more so to ask the question, when that happens, what is the surface area of attack? How much damage
will something inflict? What is the blast radius inside of my data center or cloud when something
goes wrong? So from an Illumio perspective, we really look at it in terms of mirroring the
compute environment, the infrastructure and application environment so that security doesn't feel
like a bolt on, doesn't feel like something that gets tagged on after the fact, but security
is from the very beginning built into the infrastructure and the applications and follows the
motion as things drift and change over time. And part of our story is to distribute the policy
and the enforcement out to all of the individual workloads so that the surface area of
attack is no longer the perimeter or all the things behind it, but the individual workload itself
and how it's talking to and communicating with other things inside of the environment.
So you get access to just this small slice, you know, if even that.
That's exactly right.
And actually, what's interesting is even the perimeter in its most traditional sense,
when we used to wrap a brick wall around an entire data center,
that really was effectively the same theory in that I was putting a brick wall around a group of assets,
a bunch of servers sitting inside, and therefore they were protected.
What we're doing is we're simply taking that and shrinking the surface area of attack down dramatically,
dramatically to the point where it could be a single server, a single VM,
and now with an announcement that we made last week, even a single process running on one of those
compute instances. But all of it comes back to the same thing. How do we have the ability to
distribute security dynamically, make sure that it's always provisioned correctly in a dynamic
world, and how do we reduce the surface area of attack?
Gaurav, do you guys, again, there's this idea that, wow, it's security, it's going to slow me
down, it's going to be a pain in my arse. You know, how do you make sure people use it? And how
do you advise, you know, your customers and folks in this world to make it easier?
So actually, you know, the thing that makes it easier is when you design with these
assumptions built in, when you design something where mobile is not excluded, the internet
is not excluded, the cloud is not excluded, and some of the tools that you use are, you know,
this whole idea that Andy talked about earlier, which is micro-segmentation, micro-virtualization,
which is what Bromium does, whether you do it in the network in the data center or, like what Bromium does, in the endpoint,
it gives you that exact tool. So why, what do people care about? People care about doing whatever they want to do.
That's really what it is.
They want to click on everything. They have serial clickers, if you will. Right.
So if you want to click on anything, if you want to run whatever you want to run, and you cannot be told that you may not do
that, then the question really becomes how can we create the environment and the infrastructure
so that you can do that safely?
And the approach that Bromium takes, the approach that we take, and a whole bunch of others,
and it's not very dissimilar, it's actually the dual of what Andy just talked about, but just
from an end-user perspective, it is when you're running a piece of code and you don't
know about the origins of that piece of code, that it could be a website or whatever, one
thing would be to give it, give the website access to your entire computing environment.
Another way would be to create a virtual machine container
in which the website is allowed to run.
And this thing may not escape whatever the side effects
of this website are not allowed to escape
the virtual machine container.
Now, this is very powerful because you never say no.
Virtualization allows you to build boxes, tiny boxes,
around untrusted pieces of computation.
That means you never say no.
You always allow any kind of computation.
You just build boxes that
control what leaks out of that container, what is the scope of that computation.
So this becomes very empowering because in our system and the system that are built in
this way, you can literally do whatever you want to do.
It is just that when you are, it's like using burner cell phones, right?
You use the cell phone, you throw it away.
It's like using disposable gloves.
So if you have a thick enough disposable glove, you can touch anything.
Why?
Because you don't really care.
It's going to get dirty, you're going to throw it away.
Right.
But it gives you this power of being able to touch the dirtiest of things and the sickest of
patients and so on and so forth.
So this is a very different paradigm here, where you're designing the infrastructure from
the ground up in such a way that saying no to the end user is not an option.
You are going to be secure in spite of the user being able to do anything
and click on anything.
And go as fast as they want.
And go as fast as they want.
I see.
Let's talk about courage versus foolishness and take a step back.
You know, I'm going to have the courage to move to the cloud,
as a company, as a potential customer. You know, what's courageous and what's foolhardy?
You know, courageous is, I don't know what, but foolhardy is staying on Windows XP, for example.
How do you guys view that?
So it really is, you know, there's one of our friends, the CISO of Aetna, Jim Routh, he said just very famously,
you know, this is the top, this is the 10% of it.
What that really means, it's a CSO or the CISO, depending how you pronounce it,
the chief information security officer, that takes risk to reduce risk.
Here's the reality.
The world is changing.
If you stay status quo, you might think that the risk to your business is not increasing.
The reality is that it's increasing really, really, really fast, faster than you can control.
So in order to deal with the risk, in order to deal with the changing conditions, you have to take a risk.
And unfortunately, none of the existing big vendors is going to give you what you want.
You have to think about a new approach.
So foolhardy is going through the world thinking nothing has changed.
It's business as usual.
I can keep saying no to the end users until the such day that my company is going to get breached
or I'm going to get fired or I'm going to have to fire somebody.
Smart is realizing that things are changing, going through this process of selecting and deciding
what is good, what could be good, putting them through their paces, and moving, changing
to adopt a new approach.
I'll add that I think, I think courageous in this case is actually responding to the needs
of the organization and being able and willing to look at any tool, any form of infrastructure,
any operating model that allows the enterprise to do what it needs to do.
It takes courage to actually say we're going to implement completely different things than
we have in the past, but we're doing
it because the business requires it. I think foolhardy is assuming that the only thing that you
have to secure all these new things is what you've had in the past. And what we're finding,
like I said earlier, is that customers for the first time are actually very open to looking at
completely new and different things because they realize that they're solving for a new and
different set of problems. Let's talk about mobile a little bit. Gaurav, you brought it up and
Andrew, you've referenced it. Mobile malware, everybody's got a smartphone. Not all of us, you know,
snap them in half and throw them away after we're done with them.
What's new in the mobile world and what are you guys seeing and how people, how are people
responding? So our view of mobile is slightly more nuanced than that. There is, there's a
laptop and a tablet, which is a real mobile vector. And it's, it's a vector of attack
primarily because it leaves the four walls of the enterprise and all of the traditional
defenses which rely on firewall and those are just out of line. Right. Right. So that's the
reason why these things are far easier to get to, far easier to attack and, you know, that's just the
economics of it. The world of mobile smartphones introduces, and also tablets, introduces a
different kind of problem, which is the problem of information management, right? These things
are bringing your own devices, consumerized devices, they're very primitive controls in terms of
information management. While not much malware exists, some malware does exist, but not much
malware exists for attacking mobile devices themselves, like in the Android and the iOS case.
But the more important thing is that the CIO has very little visibility and very few
controls as to what's going to happen. Now, there are companies that are doing the right
things and providing you with the right levels of control. And CIOs, some of them are trying
to adopt those controls and being successful. Of course, a lot more work needs to be done.
And what we're finding is that it's becoming, in a sense, just another access
point. And the reason I say just another is not to diminish how important it is to understand
that I think every CIO's dream would be to really truly be able to have a perfect picture of
everything that can access every application and every piece of data in their environment no matter
where it is or who provided it. But it's, in a sense, it's a fool's mission. Number one, because
it's hard to drill that kind of control over an organization nowadays. And number two, because it's
somewhat antithetical to the way that the business is trying to operate to enable speed and
agility. What we're finding is that what customers are doing is they're actually identifying
what they consider to be their highest value targets. They're identifying the applications and specifically
the data that is the most important asset that they have. They're figuring out where those things
are and they're realizing that they have to protect those things at really all cost. Wherever it is,
however it gets accessed. That's exactly right. What about taking the offensive? We talk a lot about
gates and walls and perimeters and we know that those are being breached. But what about like rushing out
and going after folks or making sure that the attacks don't even happen in the first place?
There would be an interesting assumption if you could actually work off of the premise that the
attack doesn't happen in the first place. I can only tell you anecdotally that in the customer
conversations I'm having, they're certainly coming at it from the opposite angle, which is
the attacks are not only persistent, they're not only growing in number and frequency, but in a lot
of cases, they're growing in severity. And so I think the question is, what is, what is
the definition of proactive if that's the premise of the question.
Right.
And what we're finding is that the definition of proactive is to actually understand exactly
what it is that you have, where it's running, how these things are talking to each other,
and then put a set of controls in place that actually allow you to ensure that the right
things are happening and thereby the wrong things if and when they do happen are immediately
flagged as out of profile and are either stopped or certainly responded to very quickly.
Right. So it still doesn't sound like, you know, in that sort of offense versus defense kind of view of the world, you need to get, you know, your processes in place, know what you have, know what you're securing, know what's important. And then once that's done, and maybe that's never done, think about going after somebody or some next phase of security, I guess.
Well, and I'll add one other thing, which is that what we're finding more and more often now is that visibility leads to knowledge, and knowledge actually allows you to secure whatever it is that you're trying
to protect. There's been a lot of security thrown at a lot of organizations without really truly
understanding what it is that it's protecting. Because as Gaurav mentioned a few moments ago,
you know, the world's gotten not only very scaled, but it's also become very dynamic and very
complex. And so the, what seems to be simple task of simply understanding where are all of my
assets? In the Illumio world, it would be where are all my compute instances, how are they
talking to each other? That's not a static problem any longer. It's not a snapshot where you,
you look at it at Monday morning at 8 o'clock, and that picture remains resident for the next two months
or six months or two years. That picture actually looks different 15 minutes later. And so just understanding,
being able to see and understand what's happening, if you have that, you're probably going to do a
much better job protecting yourself. But that's a very big challenge before you ever get to the
protection piece of the story. Yeah, I agree. I mean, attribution and then going after the bad guys,
I think we have ways to go.
In terms of, you know, it's just very easy to misattribute something to somebody today.
It's, I think we have a lot of technical work to do in that.
And then also, we have, we have very primitive controls across countries.
We don't have the Interpol equivalent, if you will.
Right.
We don't have the nation state to nation state agreement that this is not done,
and that we're going to, you know, extradite those people and bring them to a foreign jail if they do X, Y, and Z.
The legal systems around cybersecurity are much more improved now than, say, 10 years ago,
but they're still very primitive compared to, you know, murder and, you know,
physical extortion and physical theft and grand larceny and all those kinds of things.
I think we have ways to go before that will happen.
And maybe nation states can do this to each other,
but I doubt whether commercial enterprises should go over there.
They have a means to go over there successfully.
Right.
So based on what you guys have told me and discussed,
It doesn't sound like we should all light our hair on fire and go running into the streets.
No need to get hysterical.
But if I'm a chief security officer, if I'm a CEO, if I'm on a board, what is, you know, if we can't win against these attacks, what can we hope for and what does winning sort of look like, you know, and I'm doing air quotes around winning if it's not beating them?
I think winning is enabling the organization to do what it needs to do, to conduct business, to remain competitive, to grow,
and there's a whole series of things that we've done with the infrastructure and the applications
and really the entire IT model to allow that to happen better than it ever has. And then security
has to realize that its job is to protect that motion no matter what it looks like. And so the
reality is the answer for what does security look like today is probably going to be different
even a year from now and certainly five years from now. So it's not a fixed answer. It's not that
there is the right model and the right model is the only model. The model is that security has to evolve
as quickly and as dynamically as the infrastructure and applications that it's protecting.
And so long as those things keep changing, security had better find the way to keep up and mirror it.
I think change is the answer. What is very obvious is the existing way of doing
things doesn't work. And if you are not pressing for change, the right kind of change,
empowering someone who has, you know, got a lot of budget and money behind them,
a good clear charter, just what you want to do first and just what we're going to do second,
then you're not doing your job as CISO of a global company.
Well, change is going to happen and risk needs to be taken in a smart way it sounds like.
So we'll keep an eye on this and we'll keep talking to you guys.
Gaurav, Andrew, thank you so much.
Thanks so much for having us.