The a16z Show - a16z Podcast: The Fundamentals of Security and the Story of Tanium’s Growth
Episode Date: January 20, 2016
The thing about enterprise security, from the outside at least, is it reads like a Hollywood thriller. Nation states are after your company’s most valuable assets and they must be stopped at all costs. And yes, some nation state-sponsored hacks have caused tremendous damage. But the best course for most companies isn’t to focus on combatting Mission Impossible-like come through the vent break-ins, says Tanium co-founder Orion Hindawi. It’s the far less sexy practice of simply keeping the virtual windows and doors to your company locked. “It is the thing that will fix you,” Hindawi says. In a conversation from the firm’s Capital Summit event, Ben Horowitz and Orion discuss the state of enterprise security, and how Tanium’s block and tackle -- not cloak and dagger -- approach has defined the company’s technology and also led to its tremendous growth.
Transcript
The content here is for informational purposes only, should not be taken as legal, business, tax, or investment advice, or be used to evaluate any investment or security and is not directed at any investors or potential investors in any A16Z fund.
For more details, please see A16Z.com slash disclosures.
Welcome to the A16Z podcast. I'm Michael Copeland.
The thing about enterprise security, from the outside at least, is it reads like a Hollywood thriller.
Nation states are after your company's most valuable assets, and they must be stopped at all costs.
And yes, some nation state-sponsored hacks have caused tremendous damage.
But the best course for most companies isn't to focus on combating Mission Impossible-like
come-through-the-vent break-ins, says Tanium co-founder Orion Hindawi.
It's the far less sexy practice of simply keeping the virtual windows and doors to your company locked.
It is the thing that will fix you, Hindawi says.
In a conversation from the firm's Capital Summit event,
Ben Horowitz and Orion discussed the state of enterprise security
and how Tanium's block and tackle, not cloak and dagger,
approach has defined the company's technology and also led to its tremendous growth.
Ben Horowitz starts things off.
Hello, everybody.
So patch management,
and these kinds of things have been around for quite a while.
In fact, Big Fix did patch management.
Why is what you do hard?
So why is it that, like, clearly you meet a need,
but why is it hard?
Why do the old solutions not work?
What's different about Tanium?
So if you look at every solution in our space
that's targeting large enterprise
and you look at the way they designed it, it's the same.
So we call it a hub and spoke,
but basically it means there's a central server,
and then you've got potentially hundreds of thousands of servers
sprinkled around an environment and they talk to every computer and they try and fix things.
That was designed when, as I said, 10,000 computers was a lot.
And now you look at some of our big banking customers.
They have 500,000 computers, and they have thousands of branches, and they're all connected,
and they need to be able to manage them.
And the hub and spoke is literally still the way that people have approached it since, you know,
1970 to the day other than Tanium.
We had to take a completely refactored approach to the problem.
We actually had to go from the ground up and spend five years building
a completely different topology to do this
because we realized that that approach,
the core approach was the problem.
The fact that you have hundreds of thousands of things
that are going up and down constantly,
that you've got VMs that are starting up,
that you've got cloud environments,
those are all new facets
that have been entered into this problem
in the last 10, 15 years.
And just coordinating hundreds of thousands of anything
is really hard.
I mean, it takes them days to do what we can do in seconds
because they're still doing it the way that you would
if you had 5,000 things instead of 500,000.
Right, right.
And what about it kind of makes it a five-year R&D project?
Like, what are, is the dynamic?
Because scale, like, scale itself, won't cost you five years,
particularly if you already built the thing once before at Big Fix.
So, like, is it the dynamic nature of the virtualization environment?
Is it mapping a lot?
Like, how do you get to, like, such a big investment to solve what
people really thought they already had solved?
Sure. So people have optimized that hub and spoke as much as they possibly can,
and it's a known problem. We realized that we had to change that topology so profoundly
that basically every problem that had to be solved in the hub and spoke had to be re-solved in a
different way. So I'll give you an example. Security. So security in a standard model,
you secure the pipe that data is going down, and you know which server is talking, and it's
easy to know, this server is supposed to encrypt the data, this guy's supposed to receive it,
we're going to exchange a key and we're going to do that.
In a model where clients are talking to each other, you don't know who's going to be talking
to the client and you can't pass out keys to every one of them and exchange keys, so you have
to do it a different way.
And so we had thousands of edge cases that we had to plow through, and many of them
are kind of theory edge cases.
Others are just practical, right?
We wanted to institute a different communications architecture, and practically, you know,
the things that we could rely on, the libraries weren't really designed to do that.
So we had to rebuild some of them.
And so there's a lot of kind of re-architecture from the ground up where you're absolutely right.
We had a team that had already done it the old way.
And so we knew the problems with the old way.
And they knew what they have to build.
And it still took us five years with 12 engineers to do it because there's a lot of grunt lifting in rebuilding something from the ground up.
It is messy.
Sadly, I know well that that is a very messy problem.
It's also a nice barrier to entry, but yes.
It feels good at the end, yeah.
No doubt, no doubt.
So you spoke about the big attacks, the headline attacks that we've seen in the news
aren't kind of attacks by state actors other than Sony.
So what about, like, could you have helped Home Depot, you know, could you have prevented
all those guys from getting fired?
So I'll answer it slightly more generally because I've already gotten in trouble using
customer names off stage.
Almost every big breach, subsequent to the breach, the companies typically will bring in a new set
of players, and then they'll do an analysis of how the breach happened.
Out of the top ten breaches that have happened in the last year, we've been bought by
eight of them, and we're in procurement with the other two.
And it's not because they're buying every solution, it's because they're actually analyzing
where did they fall apart, and what ended up happening was they realized they had indicators
that told them they were being attacked.
They just didn't know how to figure out what to do with that.
If you can't ask your endpoints what they're experiencing
and you think maybe it's happening somewhere,
that would be like me telling you,
God forbid, but you've got three cancerous cells somewhere in your body,
I don't know where they are,
and I don't know if they're going to metastasize.
What are you going to do with that?
Yeah. What does that data do for you?
And so they are able with Tanium to actually go and scan their entire body
and see exactly what's not the way they expect it to
and deal with it before it can be emergent.
And so they ended up buying us because they realized that.
How does a company, how does a big company have these vulnerabilities kind of approach the problem of like what it's worth to them to buy Tanium?
So we have two luxuries there that I think are unusual. So the
first is we span security and operations. And so security has a lot of urgency and a lot of people
are very interested in it, but the ROI is not there. The tangible hard ROI.
In operations, so things like
how much software you're licensing
or whether you're actually deploying that software
correctly, there is real
ROI, but there isn't much urgency.
Because it's kind of the analogy somebody made was
my left arm, I have a cut on it,
it's annoying me, but my right arm
was cut off and it's bleeding profusely.
I have to deal with the security problem,
so I'm not going to deal with the operations
problem emergently. But if I can
give you a solution that does both, it
becomes really interesting because we can take
the ROI from operations
apply it to security, get the urgency there, and get some really enormous deals.
I mean, we've got now four or five, ten plus million dollar deals from very large environments
who don't spend that much on software typically.
And the reason is we have a broad set of things that we do, and they span both operations
and security.
But I'll take another approach to that question.
We decided to spend five years building this thing and took it to market when we already
had customers using it on hundreds of thousands of computers.
We leverage the relationships that we had from Big Fix to take some very big companies and have them trust us enough that they would deploy us into production in beta and work with them to make sure it worked before we ever took it to market.
And so one of the luxuries we have is not having to worry that the thing doesn't scale and trying to chase after a dream in front of our customers.
And I don't think a lot of people have the patience to go through five years of development without a salesperson on staff or a marketing person on staff and just have a bunch of engineers in the boiler room in Berkeley
and go and build something.
But once you do that, you've got something
that you know works.
And then you can go prosecute the market with confidence
instead of saying that my prayer is that eventually
I will get here and I want you guys to give me money
so that you can help me make my multi-billion dollar company.
It's just a very hard argument.
Right.
And a lot of it was, you know, many companies
actually learn the requirements in market.
And since you had been in market with Big Fix,
you already knew all the requirements
so you could go into the lab and build the whole thing.
And we knew the competitors.
I mean, so that's another real luxury we have, is we knew exactly who we would be competing with.
I mean, it's the same people we competed with in our last company.
I looked for a market that I knew well that had a really large TAM that was underserved by its incumbents
and that I didn't see any good movement in.
I mean, everyone has left the endpoint for dead.
They all want to go work on cloud or on mobile or on some app.
And I want them to go do that.
I want them all to go do that because I like my $20 billion TAM that's being prosecuted by like 70-year-old gray
hairs at IBM. It's fantastic for me.
Yeah, they haven't figured it out yet.
I don't think any of the large incumbent players are feeling threatened at all.
And for the simple reason that they're keeping most of what they're selling.
Like, I mean, you know, if you look at IBM, they used to sell into the customers
we're selling to. Now they're selling into banks in Brazil because they're at the end of the
adoption curve and they continue monetizing that. They're just further along on the conversion
curve, you know, 10 years further, just kind of marching through. And they've
recouped their purchase cost. They feel great about their purchase and eventually they'll
go buy something else and milk that dry. So is your main competitor actually IBM selling your old
software? It's one of them. It does give you an advantage. You kind of know what's wrong with it.
Well, I mean, so it's really hard to argue with the you're buying something if you buy it from IBM
that I invented when I was 18 years old and had absolutely no idea what I was doing. And you can either
do that or buy the product that I,
I had 15 years of learning that I put into with, you know, a much newer architecture.
It is really hard to compete, yeah.
That would suck with them.
The good news is their sales guys have plenty of other stuff to sell.
So, you know, you hear a lot about kind of M&M security,
and a lot of the big banks complain about, okay, like we've deployed the M&M security model,
hard candy shell on the outside, delicious chocolate center.
Tell us about what that is and how the market plays out between solutions that take that approach and what you're doing.
So, yeah, I mean, a different way to phrase that is there's a network and there's the end point.
And so many of our customers invested tremendously in this idea that they were going to figure out every way into their network
and that they were going to harden every one of those and that they didn't have to worry about what was inside because they'd hardened it.
And just to give you a story about that, we work with one of the biggest telcos in the world.
And when we got there, they told us they had exactly 22 ways into their network.
And they were spending $7 million a year protecting each one of them.
They'd bought every solution.
They'd layered it up.
It was impregnable.
There was no way in.
So 22 ways in.
22 ways in, but they protected each one to the point where it's Fort Knox.
One of the things you can do with Tanium is you can just figure out the way out to the Internet from every endpoint.
It's called a trace route.
You can just tell it.
You know, go figure out how you get to the Internet.
and tell me the last stage that was internal to the environment that you went out through.
Then 1,500 ways out.
This is the network provider that's probably providing the network to this place.
Well, no, they didn't.
So we told them, okay, well, you know about these 22, go check the 23rd.
And where did those other come from?
Like, how did they have an extra or whatever?
1,478?
They had my five points.
They had executives who were sitting in corner offices that had actually
bridged in the Starbucks network that was reachable from their corner office into their corporate
network because they didn't like web filtering. They had people in branches actually running
DSL lines back into the branches so that they could use the DSL line because they didn't like
having to use the corporate network because it was too slow. They had all kinds of it.
I mean, they're great ways to cheat this. And the problem is the perimeter has dissolved to the
point. So cloud by definition has no perimeter. Corporate networks they're finding out don't really
have a perimeter either. You know, you start looking at things like work from home. I mean,
one of our banks has 50,000 computers working from home at any given time, and they're not VPNed
and so they're literally just on the internet. And I think they've all realized that the perimeter
is not a protective mechanism. What it is useful for is reducing noise, and it's useful because
you can block a lot. You're not going to block everything, but you can block a lot. And it's
useful for being able to get indications of what you should look for internally.
So, you know, there are these sandboxes and they're really good at telling you, hey, you're getting
attacked in this way. Now you need to go figure out where that actually landed. And that's the
part most people didn't have before Tanium got there. They couldn't take that intelligence and
actually say, okay, well, where did that actually land? And did it succeed? And did it spread?
And without that, all they're doing is basically sending up a flare and saying, hey, another
Trojan horse got in. We don't know what's in there. Like, there might be some soldiers.
it might be a bomb, whatever.
But like another one came in, you go figure it out.
So it's in there.
So you're telling me that if I buy state-of-the-art firewall
from a great company that may have like a South Bay name
since we're not naming names,
all I'm really going to know is something about how I am,
people are trying to attack me.
But I'm not going to know that like they didn't succeed
because I'm not going to be securing necessarily all the ways into my company,
and I'm not going to be able to know how far along it is or any of those kinds of things.
So if you look at the design of those tools, they're designed to let the first attack through.
Right.
So the first attack comes in, and it takes them five or ten minutes to test whether that is actually an attack.
So they let it through it lands on the endpoint, then they process for five minutes,
and then if it's a problem, they send up a flare.
So they don't let the second attack in.
Or the 20th attack, if it was not.
19 of them that got through in the first five minutes.
But yeah, I mean, essentially it's to reduce the noise.
But then you need to go clean up what got through.
And the problem for many of our customers is they're playing whack-a-mole, right?
They're chasing attackers, and they're using three-day-old data to chase attackers
that are moving every five minutes.
And with a kind of gigantic increase of spend on security tools and with a number of
really smart people building them, how is it that everybody is attacking the perimeter
problem and nobody's attacking the endpoint security problem?
So I'll give you my opinion, but that may not be completely true for everybody.
The problem that we solve, this hygiene problem of you need to apply patches, in our environment
is boring.
Most companies consider that, like, if you're a founder and you're looking at it, you're like,
I don't want to figure out how to apply patches.
I want to go figure out how to find the Russians.
I want the NSA to use my stuff to kill bin Laden.
That's really exciting, right?
The problem is
that's not actually what most of our customers
are facing day in and day out
and we focused on this problem
because we knew it was actually really important
rather than that it was super exciting
and we made it cutting edge
by taking a different approach to it
but you look at a lot of companies
if you look at the cyber spend of a company
that's spending a lot on cyber
and you cut out all the analytics stuff
which is super fluffy
like we're just going to take a bunch of data
and we're going to show you outliers
and I can't even tell you how we're going to do it
but I promise it's going to be really interesting.
You cut that out.
You cut out antivirus and all the legacy stuff that's 20 years old, right?
You cut out the network side.
You're looking at, you know, whatever it is, 5% of the spend that's left.
And if that's what you look like, you are failing.
Because it should be a big investment in that area of hygiene.
And most people just don't look at that as like the new, exciting thing,
but it is actually the thing that will fix you.
And how do the customers look at it?
You know, how hard is it to get more than 5% of their spend to solve that problem,
given they purchased all these other products?
And they've justified them and had business cases and told their CEO,
look, I bought this awesome firewall.
Like, what are you talking about?
We're totally safe.
So five years ago, that would have been really hard
because people were still hoping that would work.
I think a lot of people are now cognizant that it's not working.
And if it's not working and you get attacked,
you probably got fired.
And then your replacement is probably looking for an answer for this fundamental question
if we're spending a lot of money and it's not getting better.
And so what we're finding actually is very open ears from our customers who want us to explain
to them the answer to that question.
And what we now have is the preponderance of the Fortune 100 who are using us who can demonstrate
that they're becoming more secure by following really block and tackle things.
Not, you know, cloak and dagger come through the vent.
Like close your doors, close your windows.
Like make sure that you actually know how many rooms you have in your house.
I was talking to a CIO recently, and he was telling me, you know, I asked him how
many computers he had.
He said between 100 and 200 and 200, which is my normal answer, 100 to 200,000 computers,
and I have no idea where they are.
And please help me.
And I was kind of, I was smiling because that's like somebody coming in and saying you
want to do construction in your house, and they ask you how big is the house, and they're
expecting you to say, you know, it's exactly this number of square feet.
And you say between two and seven bedrooms.
How am I supposed to even price that?
Like, what am I supposed to do for you?
You don't even know how big your house is
and you want me to tell you exactly
how someone's going to break in.
And so we need to figure out where all the rooms are.
We need to figure out what's happening in each one of them.
You know, what's its purpose?
What should it look like?
And does that basically enable the product to sell itself?
So can you just walk in and say,
oh, you don't know how many rooms you have?
Like, let me on your network and I'll tell you.
That's exactly right.
Every customer goes through a pilot.
We force them to.
Even if they don't want to, we encourage them to.
Because we have modules that sit on top of this platform,
and if they don't know how many rooms they have,
they definitely don't know what kind of furniture they want to buy, right?
So we need to tell them what they look like
and show them where the lowest kind of effort,
highest yield areas are for them to start fixing
and how we can help them do that.
And so we asked them to do a pilot.
And, you know, it's interesting.
We had a credit card processor recently.
Go to 100,000 computers in three days in pilot.
They basically said, you know, we'll push it out until we run into roadblocks.
They globally deployed in three days.
And then we could give them perfect data on where their vulnerabilities were.
But interestingly, we could also show them that they had hundreds of copies of SQL Server
that were installed that they weren't using, that they were paying for.
Hundreds of copies of SQL Server is hundreds of thousands of dollars a year of spend.
And they started really delving into it and seeing that they were actually wasting
millions and millions of dollars with that vendor and potentially millions and millions of dollars
with other vendors.
and the ROI justification became trivial.
I'll go save the money over here,
and then I will prevent the existential threat
that is going to potentially kill me
over there with that money.
So it's basically free.
So if I stop using my idle versions of SQL Server,
I can secure myself now.
I mean, it's free for the customer.
It's good money for us,
and it's really bad for Microsoft.
But yes.
So the firewall guys can't keep people out.
that the first person comes through
and then anywhere where there's not a firewall
so the 22 spots where they have
firewalls they can get through the
1,478 spots where
they didn't have firewalls doesn't matter
how about you
can you stop
all malware
from coming in and if not
then like at what point do you deal with it
and how does the customer know
and how do they feel
about that that the bad guys do
get in somehow
before you can catch them.
So we don't prevent attack.
There are ways that you can do that,
but they all rely on you first getting an indication
of what you should be preventing.
So let's take a step back.
20 years ago, used to be the same virus
that hit every single company in the world.
It's Slammer and Blaster,
and there were these examples of viruses
where everybody got the exact same copy
and you could prevent it with a DAT,
so that's where antivirus came from, right?
You take a step forward today, most companies are being attacked by variants of malware that
are specifically targeted to them. You've got a level of sophistication that is definitely higher
than just set it and forget it, throw it at the internet and figure it out. You can't prevent
those things effectively because essentially prevention is assuming that the guy who wrote the
prevention tool is smarter than all the attackers in the world. Right, right. And what we're seeing
is that even not that sophisticated attackers have copies of the software in their environment,
and they're QAing their attacks against the software.
So if I had some kind of tool
that was supposed to be preventing attack,
and I, as a programmer of an exploit,
wanted to sit there and bang against it
until I found a hole,
no one's smart enough to write something
that doesn't have a hole.
And so, you know, you look at FireEye,
there are five lines of code
that are well known that get you around FireEye.
You look at EMET,
you look at a lot of these tools that are preventative.
There are known ways to get around them.
And the idea is not to actually prevent.
It's to be able to tell
you that there are differences in the behavior in your environment that are interesting. So there's a
new process we've never seen before. And it's touching your DLP protective data, your sensitive data,
and it's talking outside of your network. That's an interesting combination. And what's novel
about Tanium is we can tell you that in seconds instead of five days later. Right. And so when you,
how much do your customers think of it as kind of, because you can't be so secure that
nobody ever gets in. You can't be faster than the bear, so to speak. Like, how much of it is
just being faster than their peers? That's exactly what it is. I mean, so there are some very
specific attacks like Sony and Las Vegas Sands and OPM that were very targeted, joint staff. It didn't
matter how secure everybody else was. They were going to go after that target. For every one of
those there are 100 where it was just a crime of convenience. And so getting a lot more secure than
your peers is very important. Learning from your peers about the attacks that they suffered from
so that you can protect against them is important. And being able to learn patterns so that you're
able to be more proactive about them. You look at FS-ISAC, the financial services has a really,
really good kind of group where they share information. It's been really effective at stopping attacks.
But to answer your question, I mean, the goal is to narrow down the amount of time that an attacker's
in your network and narrow down the scope of what they are attacking so that they can't get
your most sensitive data.
It's not to prevent people from coming in.
I mean, you know, look, even Tanium has to worry about people being planted in by people
that we don't like in our own company, right?
A big company, a big bank, has hundreds, if not thousands of people who are not really
employees of the bank.
They know that.
Trying to prevent every angle in
is not a valuable way to spend your time.
The right way to spend your time is
instrument your environment so that you can see
that things are going wrong
before they become really damaging.
And we can help them do that.
And how, when you look at the balance
of kind of
the classic freedom versus security balance
and how inconvenient
these solutions can become,
and you think about securing
an environment like at what point does it just get too inconvenient for the customer to have
like that level of security? Like are there solutions that would work but are too inconvenient?
How does Tanium fit into that? How do you think about that?
So there are definitely solutions that are so constraining that they're undeployable.
I mean the reality is nobody can deploy them because as soon as somebody can't do their job,
they call their boss who calls their boss who calls a CEO who calls a CIO and tells them to
stop doing that.
And, you know, it's kind of a little bit of, you know, the frog boiling in water is kind
of the analogy.
You know, we've got a lot of our customers who deploy antivirus and that takes up 10% of their
CPU and deploy another thing and it takes up five and it takes up three and it takes up two.
And then they realize that their computers are spending 50% of their time doing things that
are not actually productive for work but protecting them.
And somebody gets angry and then they rationalize the environment and go back down to 15%
and start over again.
The answer for you is we don't think that the hygiene that we implement is invasive at all.
I mean, a user does not benefit from having a vulnerable machine that didn't get patched.
The user is not going to pay a penalty for a patch to be deployed.
There are some things that we can enforce like multifactor authentication
that do require the user to be involved.
They're good practice, and they should be done, and there are justifications for them.
But a lot of this stuff is just comply with all the standards that you already thought you were complying with.
But they were ineffectively deployed, so they're not actually comprehensively done.
Right.
And how long, how hard is Tanium itself to deploy?
So if you want to roll it out, secure the environment, have it running in the right way,
and kind of get the operational benefits of knowing how many copies of SQL Server that you have that are no good.
Like, what does that take?
What's involved in a deployment?
So our biggest deployments take a few weeks.
So you look at 450 or 500,000 endpoints,
they typically take a few weeks, less than a month.
If you look at 100,000 seats,
it's common to be less than a week.
And if you look at a 50,000 seat environment,
it might be a day.
So then what is kind of your license to services mix
and what are the services that you guys do?
Because deployment's obviously small.
We refuse to sell services.
None.
This is another one of those really bad things about our industry, right?
So if you come from a services background, you treat services as a revenue stream.
You start building products that require lots of services, and that's a bad product.
Like, it turns out that that's almost the definition of a bad product, because it's really heavy to lift it in, and it takes a ton of care and feeding.
That's basically a buggy product.
And you actually have incentive.
That's IBM's entire business model that you're.
They're turning BigFix slowly, slowly.
You're absolutely right.
I'm watching it in slow-mo.
But the net of it is if we insist on not having services, two nice things happen.
One is we build products that are designed to be deployed in days, not years,
because we're not making money from the years. In fact, we're losing money, right? We're putting
people in for free who are helping you do things that are taking way too long. And so it eliminates
moral hazard. But the second one is we have a lot of partners who love providing services.
And even if Tanium isn't a heavy services thing, the ongoing kind of recommendations and helping
the customer use it better, there is a services opportunity. And if I compete with my
partner, who's my channel, or maybe who's an OEM, they're not as excited to get in business with me.
And so we've got a lot of partners who sell Tanium and then layer on recommendation services,
helping the customer actually put hands on keyboard.
I don't want to be in competition with my partner.
So if you're just licensed and you're solving this, you know, rather hard security problem,
like how big do you see the market is?
How like two, four or five years, like how big is the endpoint security and operations market?
And then how does that change as people go more to cloud computing and, you know, maybe go more to mobile devices and these kinds of things?
So I guess it's worth defining what we consider to be our TAM.
Right. So today we sell Global 2000 companies on their desktop, laptop, server, VM, physical, we don't really care. If it has an operating system on it, putting aside mobile for a second, we'll cover it. Virtual machines in the cloud are actually a very comprehensive use case for us. Most of our customers deploy everything that they own in the cloud.
So when you say deploy, so basically you're talking about their server environment, all their backend stuff. So you're securing that as well as the endpoint desktop machines that people have and whatnot?
Sure, as well as the things that they deploy into Amazon and the AWS as well as the things that they deploy that work from home. Basically, it's any operating system that their data is going to be resident on, whether it's cloud or on prem or at home or whatever it is. We see about $20 billion being spent in what we do today. But what's nice about Tanium is this platform actually is extensible to do probably another 40 things we don't do today because we haven't productized them. Our strategy is to actually start releasing modules and we're already doing this once per quarter that are targeted toward use cases that today require point solutions.
So to give you an example, there's this market for unmanaged assets.
So Cisco has something called NAC, and there are little companies like ForeScout that are
designed to do this one thing.
We don't believe that that's a market that should stand alone.
And why not?
So, you know, you spoke earlier about, oh, you know, customers don't want these point solutions.
But, you know, the point solution vendors would argue, look, there's like, there's a lot of depth to these problems. We're going to have a dedicated team on them. They're going to be really good. Why do you argue that a platform approach is superior to that?
For two reasons. One is they're not actually that complicated problems. They just want to make them sound
complicated because that validates their existence. It turns out that we built a forensics product
with four engineers in six months. The reason is 95% of the work was already done when we
architected the platform. The forensics module is just basically a workflow on top of that same
data that you're gathering for things like asset inventory or for patch management or for compliance monitoring. And so each one of those that I just mentioned is a point solution market. They're all gathering the same data. They're just presenting it slightly differently and they want to justify that difference as some kind of cataclysmic change between them and it turns out it's not. And so we've had enormous adoption amongst our customers because the second reason, they don't want to deploy 20 agents. They don't want to deploy 50 boxes into every span port area. They don't want to have all these different things that are essentially doing the same thing with a different
logo on them, setting up a new MLA with a different vendor, having a different throat to choke,
having to try and integrate all those data streams into kind of a contiguous fabric.
The analytics product, right.
Which it turns out is extremely difficult to do when you have a vendor who doesn't understand
what an API should be used for.
And like, you look at this really hard problem that they've put themselves in and they're fed
up with it.
They don't want to do it anymore.
And they're telling us that every day.
And so if we can deliver best of breed solutions in these point solution
spaces, they're happy to rip out their point solution vendors. And what we're seeing is immediately
as we're entering into some of these spaces, they're shutting down every project that they have
internally that's related. Because if Tanium can deliver it and we have one MLA and it's half the cost
because it's a module on top of a platform and we don't have to buy 100 servers and put them in
house and we don't have to train on a new console, it's so attractive that they're willing to go
on faith. And then we have to deliver.
Right. Right. And so if the current market is 20 billion dollars and it's essentially broken.
Like the products don't work, you've got many vendors involved and so forth.
Does the market get bigger because you actually solved the problem in the same way that
the MP3 market got a lot bigger when the iPod came out?
Or does it get smaller because you're just not going to charge for so many individual things?
Sure. So I guess what I would say is we don't see a static TAM.
We see it enlarging because we're going to be able to add modules that expand what we can do. But I would also say the number of endpoints people are trying to protect
is actually going up. We track it in every one of our customers. Most of them are growing 10 to 15
percent per year. The data they're storing is becoming more and more painful for them to lose.
The number of attacks that they're seeing is growing. The recognition that these attacks are
costing them enormous amounts of money is growing. And they're not seeing any competition
to Tanium today. That's the thing that really kind of baffles me on one side,
that I understand is these big players, as I mentioned earlier, they don't really want to go through
the five years of hard development where they refactor everything and throw away their old architectures
and tell the hundreds of thousands of people who have been trained on tools like SCCM to just forget
everything they learned and start over. They don't want to do it, but if they don't do it, they really are
leaving that TAM for us. And I think it'll grow because the number of endpoints is growing,
the amount of data is growing, and the severity of the problem is growing. And then you look at the
operation side, I mean, most people didn't believe that what we could do is even possible. Once I show it to you and I say, hey, you can actually save millions of dollars on this vendor and that vendor, I can claim a lot of that portion of that value that really right now is dead weight loss. It's not in our TAM. It's in someone else's TAM, right? I mean, Microsoft says the database market is worth X billion dollars. It really should be half of X because half of it's not being used. Nobody can identify the half that's not being used. It's like that, you know, old adage about marketing. I know I'm wasting half my money, I just don't know which half. That's the same with database markets, but we can identify which half.
Right, right.
Because you're actually getting, it's an operational readout on everything, not just the bad
software, but the good software that just isn't being used.
You're overpaying for it.
That's great.
Perhaps we can open some questions to the audience, future of security and Tanium.
And they said you were going to tell us how you secure mobile endpoints, too.
I was looking for your app at my Android store to get secure.
I won't find that.
So I'll just tell you, I mean, unless you have like 50,000 mobile devices in your home,
you're probably not a good candidate for Tanium anyway.
But the answer for you is that MDM, at least in my estimation, is a pretty broken market today.
And the reason it's broken is the vendors of the platforms that provide, you know, Google, Microsoft, Apple.
Really Apple is kind of the real, real offender here. They don't believe in management the way that our enterprise customers want them to.
So enterprise customers want to be able to see, for example, what's using the power on a device that they provided a user.
They want to see where the data is and what applications are running,
and that's completely orthogonal to Apple's view on management,
which is here is your sandbox enterprise, and the user can do anything they want on the same machine,
and you shouldn't be able to control it, and you shouldn't even know kind of the underlying state of the device.
You should maybe just know what's happening in that little sandbox that you control.
And their operating system was built that way.
And the other vendors have different problems.
But the net of it is, I haven't seen an MDM solution that really is great,
that I would look at and say, I would love deploying that at Tanium,
or if I were a customer, I'd love deploying that.
And so the way we're looking at it actually is let's go a level deeper.
So Intel, Qualcomm, and it's not just mobile, but it's, you know, IoT potentially,
are going to win a lot of this market.
And we've actually got projects with both of them to embed Tanium's communications architecture directly into the chip.
So rather than trying to go in software where it's pretty inefficient, you've got power
issues, you've got wireless issues, let's go a level deeper and figure out how we can instrument
a Quark processor from Intel where they have 64K of space with Tanium's code base so that we can
actually communicate off that.
And what's interesting about it is you look at a light bulb and they want to sell billions
of connected light bulbs.
They don't actually have an answer for how to manage billions of anything
today. Tanium is the closest they can get, right? The hub and spoke architecture is completely
broken for that, and that's what they tried and they failed. And so if we can actually get that
to work well, then I think that's a good approach to mobile. If that doesn't work, then I think we're
going to have to see where iOS and Android and Windows Phone go, because they continue to be unmanageable,
our customers continue to be frustrated, they continue not to replace their desktops and laptops
with them, and until they actually solve this problem, I don't think they will.
And do you see, have you seen any change in the vendors along this journey? Has Apple softened at all?
Are they still just as hard-nosed as ever?
My personal belief is that Apple is paying lip service to enterprise and not really doing anything that my customers are asking for.
I mean, the point solutions that they're making for different industries to allow airline pilots and not have to carry a book onto every plane is awesome.
That's great.
That's not the concern that my customers have as a generalized concern, and I'm not seeing them solving it.
Well, thank you, Orion. This has been great. Thank you, everybody.
