The Snake Oil Cycle
Dave Cole, dave@openraven.com
OPEN RAVEN
Modern Attack Surface Management
Meet Clark Stanley
It’s not about Clark or even a type of person
Genuine problems lie beyond the
The obvious stuff
If you did a great job, many times nothing bad will happen. Which is impossible to prove. The really compelling “before & after” stories are elusive.
I’m going to be unfair & pick on another product category & a single company as an example.
Imagine this in security, esp. in the middle of an incident… measure progress in months!
Standard expectation: real-time or very close to it.
Our expected uninvited guests
I’m sure it’s hard to build an HRIS, but their Alice & Bob don’t have an Eve. Or a Mallory. Or a Trudy. Or re-architect because a new attack type changed their original assumptions. Or crank a new remediation engine because they can’t remove the latest threat. Or make sure that OS change didn’t just bust your behavioral defenses. Or properly identify every IoT device.
A short story.
Building security products is hard.
Being a security professional is hard.
Natural empathy should drive us together.
It rarely does.
The U.S. employs nearly 716,000 people in cybersecurity positions, with approximately 314,000 current cybersecurity openings.
https://www.cyberseek.org/heatmap.html
Breach Level Index 2018
https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/
“7% of all S3 buckets have unrestricted public access, and 35% are unencrypted”
SkyHigh Networks (now McAfee) September 2017… before Amazon changed policy settings to proactively warn users of public buckets
Who | When | What
Booz Allen Hamilton | May 2017 | Battlefield imagery & admin credentials to sensitive systems
Deep Root Analytics | June 2017 | Personal data about 198 million American voters
Dow Jones & Co | July 2017 | Personally identifiable information for 2.2 million people
WWE | July 2017 | Personally identifiable information of >3 million wrestling fans
Verizon Wireless | July/Sept 2017 | Personally identifiable information of ~6 million people & sensitive corp. information about IT systems, incl. login creds
Time Warner Cable | Sept 2017 | Personally identifiable information about 4 million customers, proprietary code & administrator creds
Pentagon Exposures | Sept/Nov 2017 | TBs of info from spying archive, resumes for intelligence positions incl. security clearance & ops history, creds & metadata from an intra-agency intelligence sharing platform
Accenture | Sept 2017 | Master access keys for Accenture's account w/ AWS Key Mgmt System, plaintext customer password DBs & proprietary API data
Natl. Credit Federation | Nov 2017 | 111GB financial info incl. full credit reports, ~47K people
Alteryx | Dec 2017 | Personal info of ~123 million American households
https://businessinsights.bitdefender.com/worst-amazon-breaches
On average, sec teams are understaffed, undertrained, under intense pressure from increasing threats & vulnerabilities with regulatory mandates to make fast decisions… & circumstances can change w/o warning.
Let’s try to find them some help...
Security design can sometimes look like this
Which leads to this
Historically we have assumed the person behind the console is an expert.
Increasingly, we have products designed for experts in the hands of novices. The bar must be lower.
Before we move on, a word on how products are evaluated prior to purchasing*
*This is hard to generalize, your mileage may vary
Proof of Concept
Normal Operations
OMG Operations
What if someone had a solid test lab that we could all lean on for quality, unbiased product reviews?
There’s no genuine equivalent for the security community… why?
They are spread too thin, like every other journalist on the 24x7 coverage beat.
They also have the same pressures as political journalists: if you’re overly critical you lose access.
They typically do not have the lab environments they require. Most vendors have someone dedicated to lab ops at scale.
Even if they had the labs they need, the skill set required to test one product is not what you need to test the next product.
And if they truly were this skilled, they would be unlikely to remain a journalist for long.
So our security reviewers are unlikely to have the focus, objectivity, labs & skills they need to publish great reviews. And if they did, we would hire them in a heartbeat.
What about the industry analysts?
Same
• Increasingly spread too thin; lack of focus
• Typically little or no experience as a practitioner
Worse
• Purely anecdotal; no real tests
• $$$ of a subscription; not readily available
Better
• More direct customer feedback
• In-depth reports w/ longer horizon
AntiVirus Industry – An Exception
What | Opinion
File scanning tests | Worked fine until this was only a subset of defenses… early 2000s
On access tests | About the same as file scanning
Retrospective tests | Purgatory b/w file scanning & real world tests; misleading
Real world tests | When done properly, effective; rarely done properly
Remediation tests | Few and far between…
Performance tests | Largely a success, materially improved the industry
At their best, public tests push vendors to make better products, but they are too often designed poorly or easily misunderstood. Usually, they simply don’t exist.
So what’s a security marketer supposed to do?
Hypothetical example: new scan engine
Product Person
“Our year long effort to create an awesome network scanner that we can improve more rapidly and support better in the future just completed! In some instances, you’re going to see some nice speed improvements.”
Marketing
“Our year long effort to create a strong network scanner that we can improve more rapidly and support better in the future just completed! In some instances, you’re going to see some nice speed improvements.”
Customer value not readily apparent to many
Vague
Post Marketing
“New scan engine frequently boosts scans by 30%, reducing time needed to scan and easing network impact in many instances.”
Customer
“New scan engine boosts scans by 30%, frequently reducing time needed to scan and easing network impact in many instances.”
Recap
Opaque product benefit
↓
Well-intentioned attempt at clear message
↓
Misunderstanding due to nuance, pressure
↓
Disappointment & loss of trust
Marketing security products often requires a strong grasp of nuance, understanding not only the tech, but also how the customer will receive the message. These people are rare.
And even if they are really that good, things change quickly. And they change security markets… which changes everything.
Marketing is also affected by how dynamic security companies are, more so than other functions. And more so than other areas in software.
Often distracted (2018 #s)
• 184 M&A transactions
• 406 Financing transactions
Even if you can avoid the distractions, any company will change significantly as it briskly moves from start-up→growth→behemoth.
This often alienates employees & users.
“I have never seen such a fast-growing market with so many companies on the losing side”
David Cowan, Partner, Bessemer Venture Partners
Under threat: Cyber security startups fall on harder times
Reuters, January 17, 2018
If you knew you had to show strong sales performance to establish your company, but were unsure of its longevity, how would you build & sell your product?
Given the rough & tumble nature of the industry, far too often companies optimize for creating the “reach for your wallet” moment over establishing a strong foundation.
Closing Thoughts
Breaking the Cycle
It’s too easy to blame any one person or type of person; the problem is pervasive & self-reinforcing.
Security Professionals
1. Do a process walk-through w/ vendor or 3rd party
2. Do whatever you can to best simulate genuine production conditions before purchasing
3. Ask for a “reverse roadmap”
4. Insist on references, preferably long-term ones
5. Take updates & new versions ASAP
Security Vendors
1. Definition of done: customer is successful
2. Hire & empower a real design team
3. Build out a complete customer feedback loop
4. If no one else will do it, produce your own metrics & be ready to share & explain them
5. Invite Sales & Marketing into “the factory”
Thanks
Dave Cole, dave@openraven.com

Security Snake Oil Cycle 2019

Editor's Notes

  • #11 The oil came from Chinese Water Snakes, which were somewhat lacking on the North American continent, so later on when Americans tried to sell off fraudulent cures, snake oil was one of the go-to products to try and reproduce. Starting with rattlesnake oil. Clark Stanley was one such entrepreneur who, at a Chicago exposition: ...reached into a sack, plucked out a snake, slit it open and plunged it into boiling water. When the fat rose to the top, he skimmed it off and used it on the spot to create 'Stanley's Snake Oil,' a liniment that was immediately snapped up by the throng that had gathered to watch the spectacle. Kinda wish I was there to see... The problem was that rattlesnake oil wasn't even nearly as effective as Chinese water snake, and Stanley's product wasn't even using oil to begin with. What investigators eventually found was that it contained: ...mineral oil, a fatty oil believed to be beef fat, red pepper and turpentine. From that day forward, Stanley's scam made snake oil symbolic of fraud. Stanley was charged $20 for his crime (a little under $500 equivalent now).
  • #25 Hits sec vendors too… need them to do a good job building products
  • #28 There are currently 90,000 published CVEs. 2017 alone saw a 100% increase in added CVEs from the previous year. A record-breaking number of 20,832 vulnerabilities were discovered in total in 2017, but only 13,160 of these received an official CVE identifier last year*
  • #32 Anyone with a credit card can create a data center. New reality of the pub cloud world. Really basic problems like simply knowing what servers you have (even what data centers) are back. What could possibly go wrong? Previous research carried out by experts from Skyhigh Networks found that 7% of all Amazon S3 buckets are publicly accessible. Over the past few months, security researchers have found a large number of companies that leaked sensitive data this way, via S3 buckets left exposed online. A (most likely incomplete) list of the most notable incidents is included below.
    ⬨ Top defense contractor Booz Allen Hamilton leaks 60,000 files, including employee security credentials and passwords to a US government system.
    ⬨ Verizon partner leaks personal records of over 14 million Verizon customers, including names, addresses, account details, and for some victims, account PINs.
    ⬨ An AWS S3 server leaked the personal details of WWE fans who registered on the company's sites. 3,065,805 users were exposed.
    ⬨ Another AWS S3 bucket leaked the personal details of over 198 million American voters. The database contained information from three data mining companies known to be associated with the Republican Party.
    ⬨ Another S3 database left exposed online leaked the personal details of job applicants that had Top Secret government clearance.
    ⬨ Dow Jones, the parent company of the Wall Street Journal, leaked the personal details of 2.2 million customers.
    ⬨ Omaha-based voting machine firm Election Systems & Software (ES&S) left a database exposed online that contained the personal records of 1.8 million Chicago voters.
    ⬨ Security researchers discovered a Verizon AWS S3 bucket containing over 100 MB of data about the company's internal system named Distributed Vision Services (DVS), used for billing operations.
    ⬨ An auto-tracking company leaked over half a million records with logins/passwords, emails, VINs (vehicle identification numbers), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships.
  • #40 Re-order
  • #49 Bought off via ads…
  • #54 They typically do not have the lab environments they require. Most vendors have someone dedicated to lab ops at scale.
  • #73 frequently boosts scans by 30%, reducing time needed to scan and easing network impact in many instances.”
  • #82 Beyond normal s/w pressures
  • #84 How different from normal s/w… more losers, more dynamic
  • #87 Care and feeding… after care. Cats and dogs w/ IDS and FW
  • #88 Understand the solution versus the feature… know the problem that product is trying to solve