The a16z Show - a16z Podcast: Barbarians at the Gate -- How to Think About Enterprise Security Today

Episode Date: May 7, 2015

Enterprises large and small run their applications and infrastructure at a whole new level of agility and speed. But unfortunately, security doesn’t like speed. “The faster you go, the harder it is to understand what is happening and to protect your infrastructure,” says Andrew Rubin, CEO and co-founder of cloud security startup Illumio. So then how do we rethink the architecture of the past to acknowledge the way business happens today? If you want to start tackling the shifting landscape of business and security today, “Go become a student of the economics of war and crime,” suggests Gaurav Banga, CEO and co-founder of Bromium. If going slow is not an option, what can and should we do?

Transcript
Starting point is 00:00:00 The content here is for informational purposes only, should not be taken as legal business tax or investment advice or be used to evaluate any investment or security and is not directed at any investors or potential investors in any A16Z fund. For more details, please see A16Z.com slash disclosures. Welcome to the A16Z podcast. I'm Michael Copeland. And we are continuing our discussion of security. And we are lucky to have Andrew Rubin, CEO of Illumio and co-founder. And along with Andrew, Gaurav Banga, CEO and co-founder of Bromium. Welcome, guys. Welcome. Thank you so much. We are happy to be here. Thank you very much. Gaurav, I read something that you had said or written. The Barbarians are at the gate. Am I being attacked? Yes, you are. And what Barbarians at the gate means is that never before have we had so much online.
Starting point is 00:00:55 We have got to computerize our every existence, every aspect of our existence, how we invest, how we get paid, how we do healthcare, how do we deliver power, everything. And unfortunately, we have built that on a security platform which is not architecturally sound. And we're getting attacked every day. It says that war and crime just came online. Andrew, how do you view that and how do you, the folks that you talk to kind of internalize the fact that if I have stuff out there that's valuable, people are going to want to go after?
Starting point is 00:01:30 through it. So I completely agree with Gaurav that we're effectively digitizing everything and it's literally everything. It's everything from the way that we bank to the way that we hail a taxi or a car to move from point A to point B. So inherently there's a lot more digital and electronic to protect. I think the aha moment for security and it's recent, it's measured probably in months or maybe a year or two, is that this concept of being in a binary state of safe or breached is no longer a viable way to look at the world because with this much out there, it's almost an assumption that you've already been breached
Starting point is 00:02:07 or you will be breached and you may not know it right away. And what we're hearing more and more now is this concept of how do I reduce the surface area of attack when I'm breached? That's a very different security conversation than the one that we've had for the last 20 or 25 years. So you're saying it was a matter of months before that kind of mindset shift happened? Why finally do you think that occurred?
Starting point is 00:02:29 I don't think it's any one thing. I think it's a combination of a few things. So the first one is that there's a lot more places to put stuff. I mean, if you think about five years ago, whether or not we really would look at the public cloud as a truly viable alternative to your data center that you built, owned, controlled for the 20 years before that, there was a debate. Now there's no longer that debate. It doesn't mean everything will land in the public cloud, but it means that it's a viable alternative. So we're more distributed and more heterogeneous than we've ever been. I think the other thing that's going on is there's a shift in the way that enterprises are thinking about running their infrastructure and applications,
Starting point is 00:03:07 and the shift is all based on agility and speed. And unfortunately, security doesn't really like speed. Those are two things that traditionally have been at war with each other. The faster you go, the harder it is to understand what's happening and certainly the harder it is to protect it. Unfortunately, that friction point is no longer tenable. Enterprises are going to go fast, and they're going to need to do it with security at the same time. So, Gaurav, for you guys, how do you address that tension between going fast, operations, and security? We've been talking about this, how you know, you need to respect security, but you need to get things done. So in that speed, in companies and an environment where speed is of the essence, how do you recognize that?
Starting point is 00:03:51 reconcile those things? So to be able to reconcile, you first take a step back. And just to add to what Andy said earlier, you know, so the world has changed, the world is changing. You start looking at, besides, so cloud is one very important development that has happened. Another development that has happened is mobile, if you all know, right? And then another one that has happened is that you're relying more and more on the internet, which is not just cloud as in, you know, you do cloud computing,
Starting point is 00:04:23 but the fact that you're very content dependent, you're generating large amounts of content, and you're exchanging and sharing that content, you're trusting each other over the internet. So if you look at all these trends, the first thing you do is you take a step back and you examine how the security architecture must change. And one of the other requirements that comes along
Starting point is 00:04:44 is that the security architecture must also be responsive to the need to go faster. Right. Now you came up with a set of requirements. Your new security architecture or your modification to the existing security architecture must have these properties. It must deal with cloud.
Starting point is 00:05:01 It must deal with mobile. It must deal with consumerization. It must deal with the fact that we are relying more and more on internet content. It must deal with the fact that change is more common. Now, then it becomes a computer science, a computer architecture, software design problem. And it turns out,
Starting point is 00:05:18 out that it is, I mean, we live the message of hope. It does turn out that, you know, it is possible for human innovation to come up with such a design, which is more sophisticated, a more well-thought design on security, but you can put it just together. And I'll build on that. I just want to kind of add one thing that, you know, when we launched Illumio into the market last October, so about six months ago, obviously the amount of feedback that we started to get because we were talking to more people and certainly talking more openly went up very dramatically. And one thing that's interesting is consistently across the board, customers are saying to us that they're finding that there isn't a natural or easy iterative path from the architecture of the past. What Gaurav said about
Starting point is 00:05:59 having to rethink the problem from first principles, we're actually hearing customers say that. So despite the fact that you started off mentioning that everybody's dressed in black and so it must be security, what's interesting is that it actually doesn't seem that eerie for one very simple reason, because for the first time in decades, the customers are actually in a place where they're willing to truly rethink this from the very beginning. They understand that there's a new set of problems and a new set of challenges that security has to face that aren't built on the problems of the past. And therefore, they're willing to look at a completely new way of solving it. That's a massive change in the enterprise of the customer mindset. That goes cheek by jowl, I guess, with this shift to the cloud, right?
Starting point is 00:06:40 I mean, they're willing to look at that in terms of running a business, and so they're also willing to look at ways to change their security approach. Well, and I think if you look at it, some of the organizations that you would think are least likely to take advantage of things like public cloud or allow open access through mobility. If they're willing to do that, then it's not a leap or a very far step to imagine them being willing to look at security through a completely new lens for the first time in a long time. The challenge is that the industry has to respond by bringing things to market that actually start from a blank page and allow the customer to look at it not only
Starting point is 00:07:16 as a new set of problems, but also from a completely different way of trying to solve them. And so we have an obligation sitting on our side of the table, Gaurav and I and others, to actually bring things to the customer that fundamentally start from a different place than just simply iterating on the architecture or the model of the past. So you guys have different philosophies in your companies about how to approach all this change. If barbarians are at the gate, they're trying to get in all sorts of different ways and new ways all the time,
Starting point is 00:07:46 how do you then anticipate kind of the new? It's one thing to change my architecture and sort of head off in a new direction, but if I don't know where the next breach or attack or, you know, bad thing could come from, how do you approach that? So, I mean, this is, if you take a step back, and it's hard to take step back
Starting point is 00:08:07 because it's just life is so busy. But as you may take a fresh step back, the problem that we are trying to deal with, which is what you were terrified about, unseen and unknown, what you don't know, what you don't see, what you don't see coming. The instructive way to think about it is actually just go back to the drawing board again and say, well, what has happened? Two things have happened. The way we do IT is changing with cloud and mobile and all of that.
Starting point is 00:08:35 That's one aspect. The other aspect is we have so much online, just forget. So imagine we had none of that IT change, we still have so much online that it has become very rewarding for the bad guys or the adversary to come back and after you in the online space. Now this is none of this is new. So shifts in IT have happened before, shifts in our way of life have happened before, and war and crime is older than mankind, as old as mankind.
Starting point is 00:09:06 whatever, why do you want to look at it? So the way you want to think about this is go become a student in war and crime, how war and crime works, what are the economics of war and crime, and then go become a student of some of the computer science behind. That gives you the approach you need to take. That gives you the approach. So for example, why would people come in and say, I'm going to spend $10,000 on just buying this software exploit so that I can hack this Fortune 500?
Starting point is 00:09:36 Why? Because that $10,000 is a small fraction of the reward that you would earn from that. And it is much, much cheaper than trying to attack the bank in the physical world. That's the reason why they do it. What makes their job easier? What makes the job easier is the sheer complexity of IT, but also the fact that things are shifting. And IT security is behind the shift, like the fact that you're plowed, the fact that you have. So now the best approach is first to recognize that this is happening and then to come back and design what your response to this is going to be.
Starting point is 00:10:12 Andrew, how do you guys approach that? I know you talk about reducing surface area. We do. So we talk a lot about reducing the surface area of attack because there's a premise that security functioned in a very binary world for a long time. Security's job was to keep you safe. And safe inherently meant that nothing was wrong. And of course, when safe fails, then it seems like everything is wrong. The way we would say it is, it felt like you were either perfectly safe or catastrophically breached. And what we're finding is that what customers are now working off of is just a fundamentally different assumption, which is I'm probably breached. If I'm not already, I will be. And it's equally interesting and maybe even more so to ask the question, when that happens, what is the surface area of attack? How much damage will something inflict? What is the blast radius inside of my data center or cloud when something goes wrong? So from an Illumio perspective, we really look at it in terms of mirroring the compute environment, the infrastructure and application environment,
Starting point is 00:11:10 so that security doesn't feel like a bolt on, doesn't feel like something that gets tagged on after the fact, but security is from the very beginning built into the infrastructure and the applications and follows the motion as things drift and change over time. And part of our story is to distribute the policy and the enforcement out to all of the individual workloads so that the surface area of attack is no longer the perimeter
Starting point is 00:11:33 or all the things behind it, but the individual workload itself and how it's talking to and communicating with other things inside of the environment. So you get access to just this small slice, you know, if even that. That's exactly right. And actually what's interesting is even the perimeter in its most traditional sense, when we used to wrap a brick wall around an entire data center,
Starting point is 00:11:52 that really was effectively the same theory in that I was putting a brick wall around a group of assets, a bunch of servers sitting inside, and therefore they were protected. What we're doing is we're simply taking that and shrinking the surface area of attack down dramatically, dramatically to the point where it could be a single server, a single VM, and now with an announcement that we made last week, even a single process running on one of those compute instances. But all of it comes back to the same thing. How do we have the ability to distribute security dynamically, make sure that it's always provisioned correctly in a dynamic world, and how do we reduce the surface area of attack? Gaurav, do you guys, again, there's this idea that, wow, it's security, it's going to slow me down, it's going to be a pain in my arse, you know, how do you make sure people use it? And how do you advise, you know, your customers and folks in this world to make it easier? So actually, you know, the thing
Starting point is 00:12:49 that makes it easier is when you design with these assumptions built in, when you design something where mobile is not excluded, the internet is not excluded, the cloud is not excluded. And some of the tools that you use are, you know, this whole idea that Andy talked about earlier, which is micro-segmentation, micro-virtualization, which is what Bromium does, whether you do it in the network and the data center or like what Bromium does in the endpoint, is, it gives you that exact tool. So why, what do people care about? People care about doing whatever they want to do. That's really what it is. Exactly, right. They want to click on everything. They have serial clickers, if you will. Right. So if you want to click on anything, if you want to run whatever you
Starting point is 00:13:31 want to run and you cannot be told that you may not do that, then the question really becomes is how can we create the environment and the infrastructure so that you can do that safely? And the approach that Bromium takes, the approach that we take and a whole bunch of other and it's not very dissimilar, it's actually a dual of what Andy just talked about, but just from an end user perspective, it is when you're running a piece of code and you don't know about the origins of that piece of code, that it could be a website or whatever. One thing would be to give the website access to your entire computing environment. Another way would be to create a virtual machine container in which the website is allowed to run,
Starting point is 00:14:10 and this thing may not escape, whatever the side effects of this website are not allowed to escape the virtual machine container. Now, this is very powerful because you never say no. Virtualization allows you to build boxes, tiny boxes around untrusted pieces of computation. That means you never say no. You always allow any kind of computation. You just build boxes that control what leaks out of that container. What is the scope of that computation? So this becomes very empowering because in our system
Starting point is 00:14:41 and in the system that are built in this way, you can literally do whatever you want to do. It is just that when you are, it's like using burner cell phones. You use it by cell phone, you throw it away. It's like using disposable gloves. So if you have a thick enough disposable glove, you can touch anything. Why?
Starting point is 00:14:56 Because you don't really care. it's going to get dirty, you're going to throw it away. Right. But it gives you this power of being able to touch the dirtiest of things and the sickest of patients and so on and so forth. So this is a very different paradigm here, where you're designing the infrastructure from the ground up in such a way that saying no to the end user is not an option.
Starting point is 00:15:16 You are going to be secure in spite of the user of being able to want to do anything and click on anything. And go as fast as they want. And go as fast as they want. I see. Let's talk about courage versus foolishness and take a step back. You know, I'm going to have the courage to move to the cloud as a company as a potential customer. You know, what's courageous and what's foolhardy?
Starting point is 00:15:39 You know, courageous is, I don't know what, but foolhardy is staying on Windows XP, for example. How do you guys view that? So it really is, you know, there's one of our friends, the CISO of Aetna, Jim Routh, he said just very famously, you know, this is the top, this is the 10% of it. What that really means, it's a C-So or the CISO, depending how you pronounce it, the chief information security officer that takes risk to reduce risk. Here's the reality. The world is changing.
Starting point is 00:16:11 If you say status quo, you might think that your risk to your business is not increasing. The reality is that it's increasing really, really, really fast, faster than you can control. So in order to deal with the risk, in order to deal with the changing conditions, you have to take a risk. And unfortunately, none of the existing big vendors is going to give you what you want. You have to think about a new approach. So foolhardy is going through the world thinking nothing has changed, it's business as usual, I can keep saying no to the end users until the such day that my company is going to get breached or I'm going to get fired or I'm going to have to fire somebody.
Starting point is 00:16:50 Right. Or smart is realizing that things are changing, go through this process of selecting and deciding what is good, what could be good, taking them to the paces and moving, it's moving, changing to the adopt a new approach. I'll add that I think, I think courageous in this case is actually responding to the needs of the organization and being able and willing to look at any tool, any form of infrastructure, any operating model that allows the enterprise to do what it needs to do. It takes courage to actually say we're going to implement completely different things than we have in the past,
Starting point is 00:17:26 but we're doing it because the business requires it. I think foolhardy is assuming that the only thing that you have to secure all these new things is what you've had in the past. And what we're finding, like I said earlier, is that customers for the first time are actually very open to looking at completely new and different things because they realize that they're solving for a new and different set of problems. Let's talk about mobile a little bit. Gaurav, you brought it up, and Andrew, you've referenced it. Mobile malware, everybody's got a smartphone.
Starting point is 00:17:54 Not all of us, you know, snap them in half and throw them away after we're done with them. What's new in the mobile world and what are you guys seeing and how are people responding? So our view of mobile is slightly nuanced than that. There is a laptop and a tablet, which is a real mobile vector. And it's a vector of attack primarily because it leaves the four walls of the enterprise and all of the traditional defenses which rely on firewalls and those are just out of line. Right.
Starting point is 00:18:24 So that's the reason why these things are far easier to get to, far easier to attack and that's just the economics of it. The world of mobile smartphones introduces and also tablets introduces a different kind of problem which is the problem of information management, right? These things are bring your own devices, consumerized devices, they're very primitive controls in terms of information management. While not much malware exists, some malware does exist, but not much malware exists for attacking mobile devices themselves, like in the Android and the iOS case. But the more important thing is that the CIO has very
Starting point is 00:19:03 little visibility and very few controls into what that's going to happen. Now, there are companies that are doing the right things and providing you with the right levels of control and CIOs, some of them are trying to adopt those controls and being successful. For, of course, a lot more work needs to be done. And what we're finding is that it's becoming, in a sense, just another access point. And the reason I say just another is not to diminish how important it is to understand that I think every CIO's dream would be to really truly be able to have a perfect picture of everything that can access every application and every piece of data in their environment,
Starting point is 00:19:37 no matter where it is or who provided it. But it's, in a sense, it's a fool's mission. Number one, because it's hard to drill that kind of control over an organization nowadays. Number two, because it's somewhat antithetical to the way that the business is trying to operate to enable speed and agility. What we're finding is that what customers are doing is they're actually identifying what they consider to be their highest value targets. They're identifying the applications and specifically the data that is the most important asset that they have. They're figuring out where those things are and they're realizing that they have to protect those things at really all cost. Wherever it is, however it gets accessed.
Starting point is 00:20:12 That's exactly right. What about taking the offensive? We talk a lot about gates and walls and perimeters, and we know that those are being breached. But what about, like, rushing out and going after folks or making sure that the attacks don't even happen in the first place? I, there would be an interesting assumption if you could actually work off of the premise that the attack doesn't happen in the first place. I can only tell you anecdotally that in the customer conversations I'm having, they're certainly coming out of from the opposite angle, which is the attacks are not only persistent, they're not only growing in number and frequency, but in a lot of cases, they're growing in severity. And so I think the question is, what is the definition of proactive if that's the premise of the question? And what we're finding
Starting point is 00:20:55 is that the definition of proactive is to actually understand exactly what it is that you have, where it's running, how these things are talking to each other, and then put a set of controls in place that actually allow you to ensure that the right things are happening and thereby the wrong things if and when they do happen are immediately flagged as out of profile and are either stopped or certainly responded to very quickly. Right. So it still doesn't sound like, you know, in that sort of offense versus defense
Starting point is 00:21:24 kind of view of the world, you need to get, you know, your process used in place, know what you have, know what you're securing, know what's important. And then once that's done, and maybe that's never done, think about going after somebody or some next
Starting point is 00:21:40 phase of security, I guess. Well, and I'll add one other thing, which is that what we're finding more and more often now is that visibility leads to knowledge and knowledge actually allows you to secure whatever it is that you're trying to protect. There's been a lot of security thrown at a lot of organizations without really truly understanding what it is that it's protecting. Because as Gaurav mentioned a few moments ago, you know, the world's gotten not only very scaled, but it's also become very dynamic and very complex. And so the, what seems to be simple task of simply understanding where are all of my assets? In the Illumio world, it would be
Starting point is 00:22:11 where are all my compute instances, how are they talking to each other? That's not a static problem any longer. It's not a snapshot where you look at it at Monday morning at 8 o'clock and that picture remains resident for the next two months or six months or two years. That picture actually looks different 15 minutes later. And so just understanding, being able to see and understand what's happening, if you have that, you're probably going to do a much better job protecting yourself. But that's a very big challenge before you ever get to the protection piece of the story. Yeah, I agree. I mean, attribution and then going after the bad guys, I think we have ways to go. And it's just what we can do in terms of, you know, it's just very easy to misattribute something to somebody today.
Starting point is 00:22:57 I think we have a lot of technical work to do in that. And then also, we have very primitive controls across countries. We don't have the Interpol equivalent, if you will. Right. If we don't have the nation state to nation state agreement that this is not done and this is we're going to, you know, extradite those people and bring them to a foreign jail if they do X, Y, and Z. The legal systems around cybersecurity are much more improved now than, say, 10 years ago. But they're still very primitive compared to, you know, murder and, you know, physical extortion and physical theft and Glenn Loves and Ian and all those guys things. I think we have ways to go before that will happen.
Starting point is 00:23:36 And maybe nation states can do this to each other. But I doubt whether commercial enterprises should go over there. They have a means to go over there successfully. Right. So based on what you guys have told me and discussed, it doesn't sound like we should all light our hair on fire and go running into the streets. No need to get hysterical. But if I'm a chief security officer, if I'm a CEO, if I'm on a board, what is, you know, if we can't win against these attacks,
Starting point is 00:24:06 what can we hope for and what does winning sort of look like, you know, and I'm doing air quotes around winning if it's not beating them. I think winning is enabling the organization to do what it needs to do to conduct business, to remain competitive, to grow. And there's a whole series of things that we've done with the infrastructure and the applications and really the entire IT model to allow that to happen better than it ever has. And then security has to realize that its job is to protect that motion no matter what it looks like. And so the reality is the answer for what does security look like today is probably going to be different even a year from now, and certainly five years from now. So it's not a fixed answer. It's not that there is the right model and the right model is the only model. The model is that security has to evolve as quickly and as dynamically as the infrastructure
Starting point is 00:24:51 and applications that it's protecting. And so long as those things keep changing, security had better find the way to keep up and mirror it. I think change is the answer. You have to, what is very obvious is the existing way of doing doesn't work. And if you are not impressing change, the right kind of change, empowering someone who has, you know, got a lot of budget and money behind them, a good, clear charter, just what you want to do first and just what you're going to do second, then you're not doing your job as CSO of a global company. Well, change is going to happen and risk needs to be taken in a smart way, it sounds like. So we'll keep an eye on this and we'll keep talking to you guys.
Starting point is 00:25:32 Gaurav, Andrew, thank you so much. Thanks so much for having us. Thank you.
