a16z Podcast - a16z Podcast: Taking the ‘Cyber’ Out of Cybersecurity
Episode Date: June 16, 2017Nearly every cybersecurity discussion/presentation follows this formula: We don’t know what we’re doing; the bad guys are getting smarter; our defenses are getting worse; everything's more connect...ed than ever; we’re heading towards a digital . But even though security itself has obviously changed in many ways and not in others, we — as an industry — have actually gotten pretty good at doing our jobs, argues a16z general partner Martin Casado in this segment excerpted from a talk he gave at our recent Tech Policy Summit in Washington, D.C. That’s not to minimize the seriousness or cost of cyber attacks! It’s just that changing the conversation here will let us pay attention to the fact that “cybersecurity” these days is really… “security”. Because we shouldn’t isolate the “cyber”; we need to always think of digital assets, physical assets, and human assets together. Especially as cyber — or rather, just security — has become more physical than ever (and not in the obvious Internet of Things sense).
Transcript
Discussion (0)
Hi, everyone. Welcome to the A6 and C podcast. Today's episode is one of our shorter one-voice
bites based on a longer presentation that was delivered recently at our tech policy summit in
D.C. General partner Martine Casato, who has long worked in the world of security from his days
and nights at the Lawrence Livermore National Laboratory and Department of Defense working
with the intelligence community to later serving as general manager at VMware of the
networking and security business unit. Martine shares a twist on the typical conversation around
cybersecurity because at the end of the day, it's really just security and
physical security is where it's at.
I've given a lot of security talks, and I've seen a lot of security talks being given,
and they all kind of follow, like, roughly the same formula.
By the way, this is going back until, like, the late 2000s,
there's all something of the following, which is, like, we don't know what we're doing,
the bad guys are getting worse, like, our defenses aren't keeping up,
and, you know, we're like kind of heading to a digital Pearl Harbor.
It's like, oh, critical infrastructure, and we're connecting more things,
and it's like the end of the world, and, you know, yada, yada, yada.
You know, and now, you know, we're 13 years later,
and, like, we're still standing, and things are fine, and things are progressing, and so
forth. And so what I really want to do is I want to kind of have a different type of discussion
here. And to I want to acknowledge, cybersecurity is an issue, for sure. And like, as a civilization,
as a society, we're trying to understand what it means. Certainly as a legal system,
we're trying to understand what it means. But the reality is we kind of have it handled,
too, like business is growing. Like, we're actually doing a pretty good job of staving off
attacks. We do see attacks and we're able to recover. We're really on top of a lot of these
things, but I want to highlight why we're in a great position to keep track of that sophistication
and get on top of it. And then I actually want to flip the discussion a little bit and say,
you know what, cybersecurity really is just security these days, right? Like I know that we like to
like kind of myopically focus on the notion of cyber, but the reality is anytime you look at security,
you have to look at cyber assets, you have to look at physical assets, you have to look at
human assets. And I actually think that we're in a great position for cyber to have a very,
very positive impact on physical security. So I want to move there. So I used to run. So I used to
networking and security for VMware as of a year ago.
And so we ran all networking security,
and I worked with a guy named Tom Korn,
who was the chief security officer of RSA.
And so together, we actually went through a whole bunch
of recent attacks, and we canonicalize them
to give a sense of what, like, a common attack looks like.
And I think this provides a great framework
of, like, what the challenges are.
And if you want some high-level thought
about how cyber has evolved, I would say it's the following.
It's like, what used to be kind of in the domain of nation states
states is now fairly routine. That's it. That's the way to think about it. So, like, listen,
we've been dealing with these types of attacks for a long time. They certainly don't look very
different than what I saw 15 years ago, but now you actually see them kind of out commonly.
I would say that actually we've got some pretty good mechanisms for finding and stopping attacks,
but this has kind of moved us into a new area of cybersecurity. So if you want to look forward,
I'd say, here's the trends that we're seeing going forward. That's just say dealing with
security overload. And that's, is that now we have so many boxes and so many
mechanisms and so if you train security professionals, I would say, you know what, we're
pretty good on the mechanism side and we're pretty good at understanding the problem, but we've
got this massive dearth in like how you can understand all of these alerts and how you understand
all of these messages and so forth. And the problem is particularly acute at the security
operation center. So the way that many of these companies, that many large companies work or the
government works is, you know, everybody's doing their business. You've got all of these boxes there that
look for alerts, and when those alerts happen, they come back to an operation center,
and then you have people looking at these operations center.
But from an industry perspective, the amount of alerts that they get
and the amount of boxes they can deploy and the amount of clue that's needed
is much, much higher than our ability to respond.
So again, while I think we've got good mechanisms and good technologies,
our ability to actually consume them is hampered.
And so I think we're in this era that we need to create kind of like this self-driving security
operation center.
That, like at a macro view, if you want to look at kind of what's driving a lot,
of security investment and security movement is that.
So here's the good news.
The good news is, like, over the last decade,
this is exactly the types of problems we've gotten really good at,
especially from like the consumer internet companies.
We're really good at managing large amounts of data.
We're certainly good at AI and automation,
and we're very good at actually handling lots of very distributed components.
So I want to talk very particular about what we're seeing
as far as the emerging trends.
So again, if I was to encapsulate where the security industry is, the attack got much more sophisticated.
The actual industry responded, I think, in a very positive way for every part of the kill chain.
But now we're kind of in this proliferation of responses, and now we're starting to see this massive simplification start happening.
So you see companies that are like, you know, attacking the problem from like a big data problem.
Like we're going to look at all of the alerts that we can possibly can and create a giant funnel and only pop out the ones that are important.
We're definitely doing like user behavior where you're taking like AI to try and understand normative behavior for users is a big one.
Of course, automation, which is you've got people in security operation centers that are hunting and trying to figure out what's going on.
It turns out you can automate a lot of that or at least scale out a single user.
I don't believe you'll ever replace the security automation engineer, but you can certainly automate a lot of the tasks that they do and scale them out.
And then we've also very, very good at creating global abstractions.
We're very, very good at building systems that are Google size, or Amazon size, or Facebook size,
which allows you to take kind of these high-level security ideas and proliferate them through an entire deployment.
So I know this is very, very high level, but I just wanted to give you an idea of, like, when we look at trends and what we fall in the security industry,
our goal is not, I mean, at this point, like, necessarily new mechanism, new type of firewall, but, like, how do you make what we have fully consumable?
All right, so I want to shift gears here and talk about how Axi Software I think is making the world a safer place.
And so the more I look at security and the more we look at security, the more it seems that cyber security is security.
And I said this before.
And what I mean by that is let's say that you were going to do a security operation outbound.
Like you're going to go break into something.
And I gave you a dollar to fund that operation with.
Like how much of that dollar do you think you're going to actually spend on cyber?
So my contention is probably not a lot, right?
I mean, you'll spend it on physical assets, you'll spend it on internal assets,
you'll spend it on a bunch of stuff, and some of it will be cyber.
So cyber, to me, is just one part of an outbound operation.
Often, if you look at attacks that happen in the cyber world,
it's one of many things that happen.
And so more and more, we're seeing that the cyber problem is becoming the physical security problem.
But again, good news is I think actually we're able now to apply cyber concepts to the physical world
and actually improve physical security in meaningful ways.
The oldest physical access mechanism on the planet is a key, right?
It probably hasn't changed in 3,000 years.
You've got some set of atoms like this physical thing that's hopefully non-forgeable
that will uniquely fit into a lock, and then only that holds it can open it.
And then it has all of the problems, which is if you give it to somebody else,
then they have access, you can't take it away from them unless you physically take it away from them.
You never know when it's used.
You don't know if they can delegate it, et cetera.
I mean, like, physical access control is incredibly crude.
And cyber versions of access controls are very sophisticated.
So in the cyber world, for a file, for example, I know exactly who's accessing it.
I can tell when they can access it.
I can tell how they can access it.
I can say you can read it but not write it, et cetera.
And so what we're seeing now, for example, is concepts around the cyber world like sophisticated access being applied to physical access control.
Like even smart locks at homes.
You can say, like, listen, you know, this person can only access it two days a week.
person, I'm going to revoke their access, you know, log every time anybody access it,
no delegation and so forth.
So that's just an example of how we're seeing the cyber world and cyber concept impact the physical
world.
I kind of want to reset the conversation broadly around security.
And I think actually the bigger influence is not that, oh, like internet of things we're all connected,
we're all going to die.
I think actually the bigger trend that's going on is that cyber's potential for impacting
physical security is unbelievable.
I mean, we've had these epochs and physical security in the past that totally changed the game,
that created misalignments, whether it's like the
dissolution of wall states or whether it's airplane flight. I actually think we're going to see
like a very similar misalignment that happens because of what we're able to do with these things.
And you know what? I think that's going to require all of us to like rethink all of our strategies
and rethink all of our tactics. And I actually think we as an industry, certainly we as a society
should think about those implications as much as we get worried about kind of like the loan hacker
on our infrastructure. And so with that,
Thanks very much
Thank you.