The a16z Show - a16z Podcast: Taking the ‘Cyber’ Out of Cybersecurity
Episode Date: June 16, 2017Nearly every cybersecurity discussion/presentation follows this formula: We don’t know what we’re doing; the bad guys are getting smarter; our defenses are getting worse; everything's more connect...ed than ever; we’re heading towards a digital . But even though security itself has obviously changed in many ways and not in others, we — as an industry — have actually gotten pretty good at doing our jobs, argues a16z general partner Martin Casado in this segment excerpted from a talk he gave at our recent Tech Policy Summit in Washington, D.C. That’s not to minimize the seriousness or cost of cyber attacks! It’s just that changing the conversation here will let us pay attention to the fact that “cybersecurity” these days is really… “security”. Because we shouldn’t isolate the “cyber”; we need to always think of digital assets, physical assets, and human assets together. Especially as cyber — or rather, just security — has become more physical than ever (and not in the obvious Internet of Things sense). Stay Updated:Find a16z on YouTube: YouTubeFind a16z on XFind a16z on LinkedInListen to the a16z Show on SpotifyListen to the a16z Show on Apple PodcastsFollow our host: https://twitter.com/eriktorenberg Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures. Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
Transcript
Discussion (0)
Hi, everyone, welcome to the A6 and C podcast. Today's episode is one of our shorter one-voice
bites based on a longer presentation that was delivered recently at our tech policy summit in
D.C. General partner Martine Casato, who has long worked in the world of security from his days
and nights at the Lawrence Livermore National Laboratory and Department of Defense working
with the intelligence community to later serving as general manager at VMware of the
Networking and Security Business Unit. Martin shares a twist on the typical conversation around
cybersecurity because at the end of the day, it's really just security and third.
physical security is where it's at.
I've given a lot of security talks, and I've seen a lot of security talks being given,
and they all kind of follow, like, roughly the same formula.
By the way, this is going back until, like, the late 2000s,
there's all something of the following, which is, like, we don't know what we're doing,
the bad guys are getting worse, like, our defenses aren't keeping up,
and, you know, we're like kind of heading to a digital Pearl Harbor.
It's like, oh, critical infrastructure, and we're connecting more things,
and it's like the end of the world, and yada, yada, yada.
You know, and now, you know, we're 13 years later,
and, like, we're still standing and things are fine,
and things are progressing and so forth.
And so what I really want to do is I want to kind of have a different type of discussion here.
And to why I want to acknowledge, cybersecurity is an issue, for sure.
And like, as a civilization as a society, we're trying to understand what it means.
Certainly as a legal system, we're trying to understand what it means.
But the reality is we kind of have it handled too, like business is growing.
Like we're actually doing a pretty good job of staving off attacks.
We do see attacks and we're able to recover.
We're really on top of a lot of these things.
But I want to highlight why we're in a great position to keep track of that sophisticated
and get on top of it.
And then I actually want to flip the discussion a little bit
and say, you know what?
Cybersecurity really is just security these days.
Right?
Like, I know that we like to kind of myopically focus
on the notion of cyber,
but the reality is anytime you look at security,
you have to look at cyber assets,
you have to look at physical assets,
you have to look at human assets.
And I actually think that we're in a great position
for cyber to have a very, very positive impact
on physical security.
So I want to move there.
So I used to run networking and security for VMware
as of a year ago.
And so we ran all networking security, and I worked with a guy named Tom Corn, who was the chief security officer of RSA.
And so together, we actually went through a whole bunch of recent attacks, and we canonicalize them to give a sense of what, like, a common attack looks like.
And I think this provides a great framework of, like, what the challenges are.
And if you want, like, some high-level thought about how cyber has evolved, I would say it's the following.
It's like what used to be kind of in the domain of nation-states is now fairly routine.
That's it. That's the way to think about it. So, like, listen, we've been dealing with these types of attacks for a long time.
They certainly don't look very different than what I saw 15 years ago, but now you actually see them kind of out commonly.
I would say that actually we've got some pretty good mechanisms for finding and stopping attacks,
but this has kind of moved us into a new area of cybersecurity.
So if you want to look forward, I'd say, here's the trends that we're seeing going forward.
That's to say dealing with security overload. And that's that now we have so many boxes and so many mechanisms and so few trained security.
security professionals, I would say, you know what, we're pretty good on the mechanism side,
and we're pretty good at understanding the problem, but we've got this massive dearth in, like,
how you can understand all of these alerts and how you understand all of these messages and so forth.
And the problem is particularly acute at the security operations center.
So the way that many of these companies, that many large companies work or the government works is,
you know, everybody's doing their business.
You've got all of these boxes there that look for alerts.
And when those alerts happen, they come back to an operation center,
and then you have people looking at these operations center.
But from an industry perspective, the amount of alerts that they get
and the amount of boxes they can deploy and the amount of clue that's needed
is much, much higher than our ability to respond.
So again, why I think we've got good mechanisms and good technologies,
our ability to actually consume them is hampered.
And so I think we're in this era that we need to create kind of like this self-driving security operation center.
That, like at a macro view, if you want to look at kind of what's driving a lot of
of security investment and security movement is that.
So here's the good news.
The good news is, like, over the last decade,
this is exactly the types of problems
we've gotten really good at,
especially from, like, the consumer internet companies.
We're really good at managing large amounts of data.
We're certainly good at AI and automation,
and we're very good at actually handling,
lots of very distributed components.
So I want to talk very particularly about what we're seeing
as far as the emerging trends.
So, again, if I was to encounter,
where the security industry is, the attack got much more sophisticated, the actual
industry responded, I think, in a very positive way for every part of the kill chain, but
now we're kind of in this proliferation of responses, and now we're starting to see this
massive simplification start happening. So you see companies that are like, you know, attacking
the problem from like a big data problem, like we're going to look at all of the alerts that
we can possibly can and create a giant funnel and only pop out the ones that are important.
We're definitely doing like user behavior where you're taking like a,
to try and understand normative behavior for users is a big one.
Of course, automation, which is you've got people in security operation centers that are hunting and trying to figure out what's going on.
It turns out you can automate a lot of that or at least scale out a single user.
I don't believe you'll ever replace the security automation engineer,
but you can certainly automate a lot of the tasks that they do and scale them out.
And then we've also very, very good at creating global abstractions.
We're very, very good at building systems that are Google size or Amazon size or Facebook size,
which allows you to take kind of these high-level security ideas
and proliferate them through an entire deployment.
So I know this is very, very high-level,
but I just wanted to give you an idea of,
like, when we look at trends and what we fall in the security industry,
our goal is not, I mean, at this point, like,
necessarily new mechanism, new type of firewall,
but, like, how do you make what we have fully consumable?
All right, so I want to shift gears here
and talk about how Axi Software, I think,
is making the world a safer place.
And so the more I look at security room,
And the more we look at security, the more it seems that cyber security is security.
And I said this before.
And what I mean by that is, let's say that you were going to do a security operation outbound.
Like you're going to go break into something.
And I gave you a dollar to fund that operation with.
Like how much that dollar do you think you're going to actually spend on cyber?
So my contention is probably not a lot, right?
I mean, you'll spend it on physical assets.
You'll spend it on internal assets.
You'll spend it on a bunch of stuff.
And some of it will be cyber.
So cyber, to me, is just one part of an outbound operation.
Often, if you look at attacks that happen in the cyber world, it's one of many things that
happen.
And so more and more, we're seeing that the cyber problem is becoming the physical security
problem.
But again, good news is I think actually we're able now to apply cyber concepts to the physical
world and actually improve physical security in meaningful ways.
The oldest physical access mechanism on the planet is a key, right?
It probably hasn't changed in 3,000 years.
You've got some set of atoms like this physical thing that's hopefully non-forgeable that
that will uniquely fit into a lock, and then only that holds it can open it.
And then it has all of the problems, which is if you give it to somebody else, then they
have access, you can't take it away from them unless you physically take it away from them.
You never know when it's used.
You don't know if they can delegate it, et cetera.
I mean like physical access controls incredibly crude.
And cyber versions of access controls are very sophisticated.
So in the cyber world for a file, for example, I know exactly who's accessing it.
I can tell when they can access it.
I can tell how they can access it.
I can say you can read it but not write it, et cetera.
And so what we're seeing now, for example,
is concepts around the cyber world,
like sophisticated access being applied to physical access control.
Like even smart locks at homes.
You can say, like, listen, you know,
this person can only access it two days a week.
This person I'm going to revoke their access,
you know, log every time anybody accesses it,
no delegation, and so forth.
So that's just an example of how we're seeing
the cyber world and cyber concept impact the physical world.
I kind of want to reset the conversation broadly
around security. And I think actually the bigger influence is not that, oh, like, internet of things
we're all connected, we're all going to die. I think actually the bigger trend that's going
on is that cyber's potential for impacting physical security is unbelievable. I mean, we've had
these epochs and physical security in the past that totally changed the game that created
misalignments, whether it's like the dissolution of all states or whether it's airplane flight.
I actually think we're going to see like a very similar misalignment that happens because of what
we're able to do with these things. And you know what? I think that's going to require all of us to
like rethink all of our strategies and rethink all of our tactics. And I actually think we as an
industry, certainly we as a society should think about those implications as much as we get worried
about kind of like the lone hacker on our infrastructure. And so with that, thanks very much.