a16z Podcast - a16z Podcast: The Fundamentals of Security and the Story of Tanium’s Growth

Episode Date: January 20, 2016

The thing about enterprise security, from the outside at least, is it reads like a Hollywood thriller. Nation states are after your company’s most valuable assets and they must be stopped at all costs. And yes, some nation state-sponsored hacks have caused tremendous damage. But the best course for most companies isn’t to focus on combatting Mission Impossible-like come through the vent break-ins, says Tanium co-founder Orion Hindawi. It’s the far less sexy practice of simply keeping the virtual windows and doors to your company locked. “It is the thing that will fix you,” Hindawi says. In a conversation from the firm’s Capital Summit event, Ben Horowitz and Orion discuss the state of enterprise security, and how Tanium’s block and tackle -- not cloak and dagger -- approach has defined the company’s technology and also led to its tremendous growth.

Transcript
Starting point is 00:00:00 The content here is for informational purposes only, should not be taken as legal, business, tax, or investment advice, or be used to evaluate any investment or security and is not directed at any investors or potential investors in any A16Z fund. For more details, please see A16Z.com slash disclosures. Welcome to the A16Z podcast. I'm Michael Copeland. The thing about enterprise security, from the outside at least, is it reads like a Hollywood thriller. Nation states are after your company's most valuable assets, and they must be stopped at all costs. And yes, some nation-state-sponsored hacks have caused tremendous damage. But the best course for most companies isn't to focus on combating Mission Impossible-like come-through-the-vent break-ins, says Tanium co-founder Orion Hindawi. It's the far less sexy practice of simply keeping the virtual windows and doors to your company locked. It is the thing that will fix you, Hindawi says. In a conversation from the firm's
Starting point is 00:01:02 Capital Summit event, Ben Horowitz and Orion discussed the state of enterprise security and how Tanium's block and tackle, not cloak and dagger, approach has defined the company's technology and also led to its tremendous growth. Ben Horowitz starts things off. Hello, everybody. So, patch management and these kinds of things have been around for quite a while. In fact, BigFix did patch management. Um, why is what you do hard? So why is it that, like, clearly you meet a need, but, like, why is it hard? Why do the old solutions not work? What's different about Tanium? So if you look at every solution in our space that's targeting large enterprise and you look at the way they designed it, it's the same. So we call it a hub and spoke, but basically it means there's a central server and then
Starting point is 00:01:53 you've got potentially hundreds of thousands of servers sprinkled around an environment, and they talk to every computer, and they try and fix things. That was designed when, as I said, 10,000 computers was a lot. And now you look at some of our big banking customers. They have 500,000 computers, and they have thousands of branches, and they're all connected, and they need to be able to manage them. And the hub and spoke is literally still the way that people have approached it since, you know, 1970 to the day, other than Tanium. We had to take a completely refactored approach to the problem.
Starting point is 00:02:23 We actually had to go from the ground up and spent five years building a completely different topology to do this because we realized that that approach, the core approach, was the problem. The fact that you have hundreds of thousands of things that are going up and down constantly, that you've got VMs that are starting up, that you've got cloud environments, those are all new facets that have been entered into this problem in the last 10, 15 years, and just coordinating hundreds of thousands of anything is really hard. I mean, it takes them days to do what we can do in seconds because they're still doing it the way that you would if you had 5,000 things instead of 500,000. Right, right. And what about it kind of makes it a five-year R&D project? Like what are, is the dynamic? Because scale, like scale itself, one costs you five years,
Starting point is 00:03:13 particularly if you already built the thing once before at BigFix. So like, is it the dynamic nature of the virtualization environment? Is it mapping? Like, how do you get to, like, such a big investment to solve what people really thought they already had solved? Sure. So people have optimized that hub and spoke as much as they possibly can. And it's a known problem. We realized that we had to change that topology so profoundly that basically every problem that had to be solved in the hub and spoke had to be re-solved in a different way. So I'll give you an example. Security. Right. So security in a standard model, you secure the pipe that data is going down and you know which server is talking
Starting point is 00:03:56 and it's really easy to know, this server is supposed to encrypt the data, this guy's supposed to receive it, we're going to exchange a key and we're going to do that. In a model where clients are talking to each other, you don't know who's going to be talking to the client and you can't pass out keys to every one of them and exchange keys, so you have to do it a different way. And so we had thousands of edge cases that we had to plow through. And many of them are kind of theory edge cases. Others are just practical, right?
Starting point is 00:04:21 We wanted to institute a different communications architecture. And practically, you know, the things that we could rely on, the libraries weren't really designed to do that. So we had to rebuild some of them. And so there's a lot of kind of re-architecture from the ground up where you're absolutely right. We had a team that had already done it the old way. Right. And so we knew the problems with the old way. And they knew what they have to build.
Starting point is 00:04:42 And it still took us five years with 12 engineers to do it because there's a lot of grunt lifting in rebuilding something from a ground up. You know, it is messy. Sadly, I know well that that is a very messy problem. Well, it's also a nice barrier to entry, but yes, it feels good at the end, yeah. No doubt, no doubt. So you spoke about the big attacks, the headline attacks that we've seen in the news aren't kind of attacks by state actors other than Sony. So what about, like, could you have helped Home Depot, you know, could you have prevented all those
Starting point is 00:05:20 guys from getting fired? So I'll answer it slightly more generally because I've already gotten in trouble using customer names off stage. Almost every big breach, subsequent to the breach, the companies typically will bring in a new set of players and then they'll do an analysis of how the breach happened.
Starting point is 00:05:38 Out of the top 10 breaches that have happened in the last year, we've been bought by eight of them and we're in procurement with the other two. And it's not because they're buying every solution, it's because they're actually analyzing where did they fall apart and what ended up happening was they realized they had indicators that told them they were being attacked. They just didn't know how to figure out what to do with that. If you can't ask your endpoints what they're experiencing and you think maybe it's happening somewhere, that would be
Starting point is 00:06:03 like me telling you, you know, God forbid, but you've got three cancerous cells somewhere in your body. I don't know where they are and I don't know if they're going to metastasize. What are you going to do with that? Yeah. What does that data do for you? And so they are able with Tanium to actually go and scan their entire body and see exactly what's not the way they expect it to and deal with it before it can become emergent. And so they ended up buying us because they realized that. How does a big company have these vulnerabilities kind of approach the problem of like what it's worth to them to buy Tanium?
Starting point is 00:06:39 So we have two luxuries there that I think are unusual. So the first is we span security and operations, and so security has a lot of urgency and a lot of people are very interested in it, but the ROI is not there, the tangible hard ROI. In operations, so things like how much software you're licensing or whether you're actually deploying that software correctly,
Starting point is 00:07:01 there is real ROI, but there isn't much urgency because it's kind of, the analogy somebody made was, my left arm, I have a cut on it, it's annoying me, but my right arm was cut off and it's bleeding profusely. I have to deal with the security problem. But, you know, so I'm not going to deal with the operations problem emergently. But if I can give you a solution that does both, it becomes really interesting because we can take the ROI from operations, apply it to security, get the urgency there, and get some really enormous deals. I mean, we've got now four or five ten-plus-million-dollar deals from very large environments who don't spend that much on software typically.
Starting point is 00:07:36 And the reason is we have a broad set of things that we do, and they span both operations and security. But I'll take another approach to that question. We decided to spend five years building this thing and took it to market when we already had customers using it on hundreds of thousands of computers. We leveraged the relationships that we had from BigFix to take some very big companies and have them trust us enough
Starting point is 00:08:00 that they would deploy us into production in beta and work with them to make sure it worked before we ever took it to market. And so one of the luxuries we have is not having to worry that the thing doesn't scale and trying to chase after a dream in front of our customers. And I don't think a lot of people have the patience to go through five years of development
Starting point is 00:08:18 without a salesperson on staff or a marketing person on staff and just have a bunch of engineers in the boiler room in Berkeley and go and build something. But once you do that, you've got something that you know works. And then you can go prosecute the market with confidence instead of saying that, you know, my prayer is that eventually I will get here and I want you guys to give me money so that you can help me make my multi-billion dollar company. It's just a very hard argument. Right. And a lot of it was, you know, many companies actually learn the requirements in market. And since you had been in market with BigFix, you already knew all the requirements so you could go into the lab and build the whole thing. And we knew the competitors. I mean, so that's another real luxury we have is we knew exactly who we would be competing with. I mean, it's the same people we competed with in our last company. I looked for a market that I knew well that had a really large TAM that was underserved by its incumbents and that I didn't see any good movement
Starting point is 00:09:11 in. I mean, everyone has left the endpoint for dead. They all want to go work on cloud or on mobile or on some app. And I want them to go do that. I want them all to go do that. Because I like my $20 billion TAM that's being prosecuted by like 70-year-old gray hairs at IBM. It's fantastic for me. They haven't figured it out yet. I don't think any of the large incumbent players are feeling threatened at all. And for the simple reason that they're keeping most of what they're selling. Like, I mean, you know, if you look at IBM, they used to sell into the customers we're selling to. Now they're selling into banks in Brazil because they're at the end of the adoption curve and they continue monetizing
Starting point is 00:09:50 that. They're just further along on the conversion curve, you know, 10 years further, just kind of marching through. And they've recapped their, recoup their purchase cost. They feel great about their purchase and eventually they'll go buy something else and milk that dry. So is your main competitor actually IBM selling your old software? It's one of them. It does give you an advantage. You kind of know what's wrong with it. Well, I mean, so it's really hard to argue with the, you're buying something if you buy it from IBM that I invented when I was 18 years old and had absolutely no idea what I was doing. And you can either do that or buy the product that I had 15 years of learning that I put into with, you know, a much newer architecture. It is really
Starting point is 00:10:27 hard to compete. Yeah. Yeah. That would suck with that. The good news is their sales guys have plenty of other stuff to sell. So, you know, you hear a lot about kind of M&M security, and a lot of the big banks complain about, okay, like we've deployed the M&M security model, hard candy shell on the outside, delicious chocolate center. Tell us about what that is and how the market plays out between solutions that take that approach and what you're doing. So, yeah, I mean, a different way to phrase that is there's a network and there's the endpoint. And so many of our customers invested tremendously in this idea that they were going to figure out every way into their network and that they were going to harden every one of those and that they didn't have to worry about what was inside because they'd hardened it.
Starting point is 00:11:20 And just to give you a story about that, we work with one of the biggest telcos in the world. And when we got there, they told us they had exactly 22 ways into their network. And they were spending $7 million a year protecting each one of them. They'd bought every solution. They'd layered it up. It was impregnable. There was no way in. So 22 ways in.
Starting point is 00:11:37 22 ways in, but they'd protected each one to the point where it was Fort Knox. One of the things you can do with Tanium is you can just figure out the way out to the internet from every endpoint. It's called a traceroute. You know, you can just tell it, you know, go figure out how you get to the internet and tell me the last stage that was internal to the environment that you went out through. They had 1,500 ways out. This is the network provider that's probably providing the network to this place. Well, no, they didn't. So we told them, okay, well, you know about these 22, go check the 23rd.
Starting point is 00:12:06 And where did those other come from? Like, how did they have an extra, or whatever, 1,478? They had MiFi points. They had executives who were sitting in corner offices that had actually bridged in the Starbucks network that was reachable from their corner office into their corporate network
Starting point is 00:12:25 because they didn't like web filtering. They had people in branches actually running DSL lines back into the branches so that they could use the DSL line because they didn't like having to use the corporate network because it was too slow. They had all kinds of it. I mean, there are great ways to cheat this.
Starting point is 00:12:42 And the problem is the perimeter has dissolved to the point. So cloud, by definition, has no perimeter. Corporate networks, they're finding out, don't really have a perimeter either. You know, you start looking at things like work from home. I mean, one of our banks has 50,000 computers working from home at any given time, and they're not VPN'd in, so they're literally just on the Internet. And I think they've all realized that the perimeter is not a protective mechanism. What it is useful for is reducing noise.
Starting point is 00:13:09 And it's useful because you can block a lot. You're not going to block everything, but you can block a lot. And it's useful for being able to get indications of what you should look for internally. So, you know, there are these sandboxes and they're really good at telling you, hey, you're getting attacked in this way. Now you need to go figure out where that actually landed. And that's the part most people didn't have before Tanium even got there. They couldn't take that intelligence and actually say, okay, well, where did that actually land? And did it succeed?
Starting point is 00:13:35 And did it spread? And without that, all they're doing is basically sending up a flare and saying, hey, another Trojan horse got in. We don't know what's in there. Like, there might be some soldiers. There might be a bomb, whatever. But, like, another one came in. You go figure it out. So it's in there.
Starting point is 00:13:50 So you're telling me that if I buy state-of-the-art firewall from a great company that may have like a South Bay name since we're not naming names. All I'm really going to know is something about how people are trying to attack me but I'm not going to know that they didn't succeed because I'm not going to be securing necessarily all the ways into my company and I'm not going to be able to know how far along it is or any of those kinds of things. So if you look at the design of those tools, they're designed to let the first attack through. So the first attack comes in and it's,
Starting point is 00:14:30 It takes them five or ten minutes to test whether that is actually an attack. So they let it through, it lands on the endpoint, then they process for five minutes, and then if it's a problem, they send up a flare. So they don't let the second attack in. Or the 20th attack, if it was 19 of them that got through in the first five minutes. But, yeah. I mean, essentially it's to reduce the noise. But then you need to go clean up what got through.
Starting point is 00:14:52 And the problem for many of our customers is they're playing whack-a-mole, right? They're chasing attackers, and they're using three-day-old data to chase attackers that are moving every five minutes. And with a kind of gigantic increase of spend on security tools and with the number of really smart people building them, how is it that everybody is attacking the perimeter problem and nobody's attacking the endpoint security problem? So I'll give you my opinion,
Starting point is 00:15:19 but that may not be completely true for everybody. This problem that we solve, this hygiene problem of you need to apply patches, in our environment is boring. Most companies consider that, like if you're a founder and you're looking at it, you're like, I don't want to figure out how to apply patches. I want to go figure out how to find the Russians. Like, I want the NSA
Starting point is 00:15:39 to use my stuff to kill bin Laden. That's really exciting, right? The problem is that's not actually what most of our customers are facing day in and day out. And we focused on this problem because we knew it was actually really important rather than that it was super
Starting point is 00:15:55 exciting and we made it cutting edge by taking a different approach to it. But you look at a lot of companies. I mean, if you look at the cyber spend of a company that's spending a lot on cyber and you cut out all the analytics stuff, which is super fluffy, right? Like, we're just going to take a bunch of data and we're going to show you outliers. And I can't even tell you how we're going to do it, but I promise it's going to be really interesting. Cut that out. You cut out antivirus and all the legacy stuff that's 20 years old, right? You cut out the network side. You're looking at, you know, whatever it is, 5% of the spend that's left. And if that's what you look like, you are failing, because it should be a big investment in that
Starting point is 00:16:30 area of hygiene. And most people just don't look at that as like the new, exciting thing, but it is actually the thing that will fix you. And how do the customers look at it? You know, how hard is it to get more than 5% of their spend to solve that problem, given they've purchased all these other products, and they've justified them and had business cases and told their CEO, look, I bought this awesome firewall. Like, what are you talking about?
Starting point is 00:16:56 We're totally safe. So five years ago, that would have been really hard because people were still hoping that would work. I think a lot of people are now cognizant that it's not working. And if it's not working and you get attacked, you probably got fired. And then your replacement is probably looking
Starting point is 00:17:11 for an answer for this fundamental question if we're spending a lot of money and it's not getting better. And so what we're finding actually is very open ears from our customers who want us to explain to them the answer to that question. And what we now have is
Starting point is 00:17:24 the preponderance of the Fortune 100 who are using us who can demonstrate that they're becoming more secure by following really block and tackle things. Not, you know, cloak and dagger come through the vent. Like, close your doors, close your windows. Like, make sure that you actually know how many rooms you have in your house. Like, I was talking to a CIO recently and he was telling me, you know, I asked him how many computers he had. He said between 100 and 200, which is my normal answer, 100 to 200,000 computers, and I have no idea where they are, and please help me. And I was kind of smiling because that's like somebody coming in and saying you want to do construction in your house,
Starting point is 00:18:03 and they ask you how big is the house, and they're expecting you to say, you know, it's exactly this number of square feet. And you say between two and seven bedrooms. How am I supposed to even price that? Like, what am I supposed to do for you? You don't even know how big your house is and you want me to tell you exactly how someone's going to break in. And so we need to figure out where all the rooms are. We need to figure out what's happening in each one of them. You know, what's its purpose?
Starting point is 00:18:25 What should it look like? And does that basically enable the product to sell itself? So can you just walk in and say, oh, you don't know how many rooms you have? Like, let me on your network and I'll tell you. And then they go. Every customer goes through a pilot. We force them to. Even if they don't want to, we encourage them to.
Starting point is 00:18:45 Because we have modules that sit on top of this platform. And if they don't know how many rooms they have, they definitely don't know what kind of furniture they want to buy. Right. So we need to tell them what they look like and show them where the lowest kind of effort, highest yield areas are for them to start fixing and how we can help them do that. And so we asked them to do a pilot. And, you know, it's interesting. We had a credit card processor recently go to 100,000 computers in three days in pilot.
Starting point is 00:19:08 They basically said, you know, we'll push it out until we run into roadblocks. They globally deployed in three days. And then we could give them perfect data on where their vulnerabilities were. But interestingly, we could also show them that they had hundreds of copies of SQL Server that were installed that they weren't using, that they were paying for. Hundreds of copies of SQL Server is hundreds of thousands of dollars a year of spend. And they started really delving into it and seeing that they were actually wasting millions and millions of dollars with that vendor and potentially millions and millions of dollars with other vendors.
Starting point is 00:19:38 And the ROI justification became trivial, right? I'll go save the money over here. And then I will prevent the existential threat that is going to potentially kill me over there with that money. So it's basically free. So if I stop using my idle versions of SQL Server, I can secure myself now. I mean, it's free for the customer. It's good money for us and it's really bad for Microsoft. But yes.
Starting point is 00:20:02 So the firewall guys can't keep people out. The first person comes through and then anywhere where there's not a firewall. So the 22 spots where they have firewalls, they can get through the 1,478 spots where they didn't have firewalls, doesn't matter. How about you, can you stop all malware from coming in? And if not, then like, at what point do you deal with it and how does the customer know? And, you know, how do they feel about that that the bad guys do get in somehow before you can catch them? So we don't prevent attack. There are ways that you can do that, but they all rely on you first getting an indication of what you should be preventing.
Starting point is 00:20:50 So let's take a step back. 20 years ago, used to be the same virus that hit every single company in the world. It's Slammer and Blaster, and there were these examples of viruses where everybody got the exact same copy and you could prevent it with a DAT. So that's where antivirus came from, right?
Starting point is 00:21:07 You take a step forward today. Most companies are being attacked by variants of malware that are specifically targeted to them. You've got a level of sophistication that is definitely higher than just set it and forget it, throw it at the internet and figure it out.
Starting point is 00:21:18 you can't prevent those things effectively because essentially prevention is assuming that the guy who wrote the prevention tool is smarter than all the attackers in the world. Right, right. And what we're seeing is that even not that sophisticated attackers have copies of the software in their environment.
Starting point is 00:21:35 They're QAing their attacks against the software, right? So if I had some kind of tool that was supposed to be preventing attack and I, as a programmer of an exploit, wanted to sit there and bang against it until I found a hole, no one's smart enough to write something that doesn't have a hole.
Starting point is 00:21:51 And so you look at FireEye, there are five lines of code that are well known to get you around FireEye. You look at EMET, you look at a lot of these tools that are preventative. There are known ways to get around them. And the idea is not to actually prevent.
Starting point is 00:22:03 It's to be able to tell you that there are differences in the behavior in your environment that are interesting. So there's a new process we've never seen before. And it's touching your DLP protective data, your sensitive data.
Starting point is 00:22:13 And it's talking outside of your network. That's an interesting combination. And what's novel about Tanium is we can tell you that in seconds instead of five days later. Right. And so when you, how much do your customers think of it as kind of, because you can't be so secure that nobody ever gets in, you can't be faster than the bear, so to speak, like how much of it is just being faster than their peers? That's exactly what it is. I mean, so there are some very specific attacks like Sony and Las Vegas Sands and OPS and OPS. that were very targeted.
Starting point is 00:22:49 Joint staff, it didn't matter how secure everybody else was. They were going to go after that target. For every one of those there are 100 where it was just a crime of convenience. And so getting a lot more secure than your peers is very important. Learning from your peers about the attacks that they suffered from so that you can protect against them is important. And being able to learn patterns so that you're able to be more proactive about them.
Starting point is 00:23:15 You look at FS-ISAC, the financial services, has a really, really good kind of group where they share information, it's been really effective at stopping attacks. But to answer your question, I mean, the goal is to narrow down the amount of time that an attacker is in your network and narrow down the scope of what they are attacking
Starting point is 00:23:34 so that they can't get your most sensitive data. It's not to prevent people from coming in. I mean, you know, look, even Tanium has to worry about people being planted in by people that we don't like in our own company, right? A big company, a big bank, has hundreds, if not thousands of people who are not really employees of the bank. They know that.
Starting point is 00:23:56 Trying to prevent every angle in is not a valuable way to spend your time. The right way to spend your time is instrument your environment so that you can see that things are going wrong before they become really damaging. And we can help them do that. And how, when you look at the balance of kind of the classic, you know, the classic freedom versus security balance and how inconvenient these solutions can become. And you think about securing an environment like at what point does it just get too inconvenient for the customer to have like that level of security? Like are there solutions
Starting point is 00:24:35 that would work but are too inconvenient? How does Tanium fit into that? How do you think about that? So there are definitely solutions that are so constraining that they're undeployable. I mean, the reality is nobody can deploy them because as soon as somebody can't do their job, they call their boss, who calls their boss, who calls a CEO, who calls a CIO, and tells them to stop doing that. And, you know, it's kind of a little bit of, you know, the frog boiling in water is kind of the analogy. You know, we've got a lot of our customers who deploy antivirus, and that takes up 10% of their CPU, and deploy another thing, and it takes up five, and it takes up three, and it takes up two. And then they realize that their computers are spending 50% of their time doing things that are not actually productive for work,
Starting point is 00:25:16 but protecting them and somebody gets angry and then they rationalize the environment and go back down to 15% and start over again. The answer for you is we don't think that the hygiene that we implement is invasive at all.
Starting point is 00:25:29 I mean, a user does not benefit from having a vulnerable machine that didn't get patched. The user's not going to pay a penalty for a patch to be deployed. There are some things that we can enforce like multi-factor authentication
Starting point is 00:25:39 that do require the user to be involved. They're good practice and they should be done and there are justifications for them. But a lot of this stuff is just comply with all the standards that you already thought you were complying with, but they were ineffectively deployed, so they're not actually comprehensively done. Right. And how long, how hard is Tanium itself to deploy? And so if you want to roll it out, secure the environment, have it running in the right way, and kind of get the operational benefits of knowing how many copies of SQL Server that you have that are no good, like what does that take, what's involved in a deploy?
Starting point is 00:26:16 deployment? So our biggest deployments take a few weeks. So you look at 450 or 500,000 endpoints. They typically take a few weeks less than a month. If you look at 100,000 seats, it's common to be less than a week. And if you look at a 50,000 seat environment, it might be a day. So then what is kind of like your license to services mix? And what are the services that you guys do? Because deployment's obviously small. We refuse to sell services. So none. This is another one of those really bad things about our industry, right? So if you come from a services background, you treat services as a revenue stream. You start building products that require lots of services, and that's a bad product. Like, it turns out that that's almost
Starting point is 00:26:59 the definition of a bad product, is it's really heavy to lift it in, and it takes a ton of care and feeding. That's basically a buggy product. And you actually have incentives. That's IBM's entire business model that you're just a fashion. They're turning BigFix, slowly, slowly. You're absolutely right. I'm watching it in slowmo, but the net of it is, if we insist on not having services, two nice things happen. One is we build products that are designed to be deployed in days, not years, because we're not making money from the years. In fact, we're losing money, right?
Starting point is 00:27:26 We're putting people in for free who are helping you do things that are taking way too long. And so it eliminates moral hazard. But the second one is we have a lot of partners who love providing services. And even if Tanium isn't a heavy services thing, the ongoing kind of recommendations and helping the customer use it better, there is a services opportunity. And if I compete with my partner, who's my channel, or maybe who's an OEM, they're not as excited to get in business with me. And so we've got a lot of partners who sell Tanium and then layer on recommendation services, helping the customer actually put hands on keyboard.
Starting point is 00:28:02 I don't want to be in competition with my partner. So if you're just licensed and you're solving this, you know, rather hard security problem, like how big do you see the market is? How like two, four or five years, like how big is the endpoint security and operations market? And then how does that change as people go more to cloud computing and, you know, maybe go more to mobile devices and these kinds of things? So I guess it's worth defining what we consider to be our TAM, right? So today we sell Global 2000 companies on their desktop, laptops, server, VM, physical. We don't really care. If it has an operating system on it, putting aside mobile for a second, we'll cover it. Virtual machines in the cloud are actually
Starting point is 00:28:53 a very comprehensive use case for us. Most of our customers deploy everything that they own in the cloud. So when you say deploy, so basically you're talking about their server environment, all their back end stuff. So you're securing that as well as the endpoint, the desktop machines that people have and whatnot? Sure, as well as the things that they deploy in Amazon and the AWS as well as the things that they deploy that work from home. Basically, it's any operating system that their data
Starting point is 00:29:21 is going to be resident on, whether it's cloud or on-prem or at home or whatever it is. We see about $20 billion being spent in what we do today. But what's nice about Tanium is this platform actually is extensible to do probably another 40 things we don't do today because we haven't productized them.
Starting point is 00:29:39 Our strategy is to actually start releasing modules and we're already doing this once per quarter that are targeted toward use cases that today require point solutions. So to give you an example, there's this market for unmanaged assets. So Cisco has something called NAC and there are little companies like
Starting point is 00:29:55 ForeScout that are designed to do this one thing. We don't believe that that's a market that should stand alone. And why not? So, you know, you spoke earlier about, oh, you know, customers don't want these point solutions. But, you know, the point solution vendors would argue, look,
Starting point is 00:30:13 there's a lot of depth to these problems. We're going to have a dedicated team on them. They're going to be really good. Why do you argue that a platform approach is superior to that? For two reasons. One is they're not actually that complicated problems. They just want to make them sound complicated because that validates their existence.
Starting point is 00:30:31 It turns out that we built a forensics product with four engineers in six months. The reason is 95% of the work was already done when we architected the platform. The forensics module is just basically a workflow on top of that same data that you're gathering for things like asset inventory or for patch management or for compliance monitoring.
Starting point is 00:30:49 And so each one of those that I just mentioned is a point solution market. They're all gathering the same data. They're just presenting it slightly differently and they want to justify that difference as some kind of cataclysmic change between them and it turns out it's not. And so we've had enormous adoption amongst our customers
Starting point is 00:31:05 because the second reason, they don't want to deploy 20 agents. They don't want to deploy 50 boxes into every SPAN port area. They don't want to have all these different things that are essentially doing the same thing with a different logo on them, setting up a new MLA with a different vendor,
Starting point is 00:31:19 having a different throat to choke, having to try and integrate all those data streams into kind of a contiguous fabric. Which it turns out is extremely difficult to do when you have a vendor who doesn't understand what an API should be used for and you look at this really hard problem that they put themselves in and they're fed up with it.
Starting point is 00:31:37 They don't want to do it anymore. And they're telling us that every day. And so if we can deliver best of breed solutions, in these point solution spaces, they're happy to rip out their point solution vendors. And what we're seeing is immediately as we're entering into some of these spaces, they're shutting down every project
Starting point is 00:31:52 that they have internally that's related. Because if Tanium can deliver it, and we have one MLA, and it's half the cost, because it's a module on top of a platform, and we don't have to buy 100 servers and put them in-house. And we don't have to train on a new console. It's so attractive that they're willing to go on faith.
Starting point is 00:32:08 And then we have to deliver. Right. Right. And so if the current market, market is $20 billion and it's essentially broken. Like the products don't work, you've got many vendors involved and so forth. Does the market get bigger because you actually solved the problem in the same way that the MP3 market got a lot bigger when the iPod came out? Or does it get smaller because you're just not going to charge for so many individual things?
Starting point is 00:32:36 So I guess what I would say is we don't see a static TAM. We see it enlarging because we're going to be able to add modules that expand what we can do. But I would also say the number of endpoints people are trying to protect is actually going up. We track it in every one of our customers. Most of them are growing 10 to 15% per year. The data they're storing is becoming more and more painful for them to lose. The number of attacks that they're seeing is growing.
Starting point is 00:33:00 The recognition that these attacks are costing them enormous amounts of money is growing. And they're not seeing any competition to Tanium today. That's the thing that really kind of baffles me on one side, but that I understand is these big players, as I mentioned earlier, they don't really want to go through the five years of hard development where they refactor everything and throw away their old architectures and tell the hundreds of thousands of people who've been trained on tools like SCCM to just forget everything they learn and start over like they don't want to do it. But if they don't do it, they really are leaving that TAM for us. And I think it'll grow because the number of endpoints is growing, the amount of data is growing and the severity of the problem is growing. And then you look at the operation side, I mean, most people didn't believe that what we could do was even possible. Once I show it to you and I say, hey, you can actually save millions of dollars on this vendor and that vendor, I can claim a lot of that portion of that value that really right now is dead weight loss. It's not in our TAM. It's in someone else's TAM, right? I mean, Microsoft says the database market is worth X billion dollars.
Starting point is 00:34:04 It really should be half of X because half of it's not being used. Nobody can identify the half that's not being used. It's like that old adage about marketing: I know I'm wasting half my money, I just don't know which half. That's the same with database markets. But we can identify which half. Right, right.
Starting point is 00:34:20 Because you're actually getting, it's an operational readout on everything. Not just the bad software, but the good software that's just, it isn't being used. You're overpaying for. That's great. Perhaps we can open some questions to the audience. Future of Security and Tanium.
Starting point is 00:34:37 You said you were going to tell us how you secure mobile endpoints too. I was looking for your app at my Android store to get secure here. I won't find that. So I'll just tell you, I mean, unless you have like 50,000 mobile devices in your home, you're probably not a good candidate for Tanium anyway. But the answer for you is that MDM, at least in my estimation, is a pretty broken market today. And the reason it's broken is the vendors of the platforms that provide, you know, Google, Microsoft, Apple, really Apple is kind of the real, real offender here.
Starting point is 00:35:11 They don't believe in management the way that our enterprise customers want them to. So enterprise customers want to be able to see, for example, what's using the power on a device that they provided a user. They want to see where the data is and what applications are running, and that's completely orthogonal to Apple's view on management, which is here is your sandbox enterprise, and the user can do anything they want on the same machine, and you shouldn't be able to control it, and you shouldn't even know kind of the underlying state of the device. You should maybe just know what's happening
Starting point is 00:35:38 in that little sandbox that you control. And their operating system was built that way. And the other vendors have different problems, but the net of it is I haven't seen an MDM solution that really is great, that I would look at and say, I would love deploying that at Tanium, or if I were a customer, I'd love deploying that.
Starting point is 00:35:54 And so the way we're looking at it, actually, is let's go a level deeper. So Intel, Qualcomm, and it's not just mobile, but it's, you know, IoT potentially, are going to win a lot of this market. And we've actually got projects with both of them to embed Tanium's communications architecture directly into the chip. So rather than trying to go in software where it's pretty inefficient, you've got power issues, you've got wireless issues, let's go a level deeper and figure out how we can instrument a Quark processor from Intel where they have 64K of space with Tanium's code base so that we can actually communicate off that. And what's interesting about it is you look at a light bulb and they want to sell billions
Starting point is 00:36:37 of connected light bulbs, they don't actually have an answer for how to manage billions of anything today. Tanium is the closest they can get. The hub and spoke architecture is completely broken for that, and that's what they tried, and they failed. And so if we can actually get that to work well, then I think that's a good approach to
Starting point is 00:36:53 mobile. If that doesn't work, then I think we're going to have to see where iOS and Android and Windows Phone go, because they continue to be unmanageable. Our customers continue to be frustrated. They continue not to replace their desktops and laptops with them, And until they actually solve this problem, I don't think they will.
Starting point is 00:37:13 And do you see, have you seen any change in the vendors along this journey? Has Apple softened at all, are they still just as hard-nosed as ever? My personal belief is that Apple is paying lip service to enterprise and not really doing anything that my customers are asking for. I mean, the point solutions that they're making for different industries to allow airline pilots to not have to carry a book onto every plane is awesome. That's great. That's not the concern that my customers have as a generalized concern. And I'm not seeing them solving it. Well, thank you, Orion. This has been great. Thank you, everybody.
