
Disrupting Security (2017)

Dug Song
February 01, 2017

Keynote for AGC's annual security conference / meat market in San Francisco ahead of the RSA Conference, February 2017.

"This is your industry
I will not let inside me - NO
I steered clear, long (and hard) ago
I wiped the slate clean
As the whistle I hear
Downtown - noon
Within a visible distance
It's with invisible distance"

-- Universal Order of Armageddon, Baltimore, 1996
https://www.youtube.com/watch?v=yfi9dtZj6Y8

Transcript

  1. Disrupting Security
    Dug Song, CEO
    duo.com

  3. Disruptive Innovation
    An innovation that creates a new market by providing a different set of values, which ultimately (and unexpectedly) overtakes an existing market.

  4. w00w00: Disrupting Industries Since 1999

  9. Best-In-Class SaaS Growth
    [Chart: revenue by quarter, Q1 through Q20, y-axis $15M to $60M]

  10. Best-In-Class SaaS Efficiency
    [Chart: company revenue compared against the median, y-axis $150M to $600M]

  11. 1. Threats
    2. Architecture
    3. Market

  15. A Portrait Of The Hacker As A Young Man (ca. 1999)
    Category         Break                          Build
    Authentication   dsniff, Kerberos v4            OpenSSH, RPCSEC_GSS (NFSv4)
    Firewalls        Cisco PIX, Check Point FW-1    pf (OpenBSD)
    VPN              Check Point FW-1               OpenBSD IPSEC, dsocks
    IDS / IPS        Sourcefire, ISS, etc.          Anzen/NFR (Check Point), Arbor Networks

  18. “A lot of people think that nation-states are running on zero-days, but there are so many more vectors that are easier, productive, and less risky.”
    Rob Joyce, NSA TAO, Jan 2016

  19. “In the world of advanced persistent threat actors, credentials are king for gaining access to systems.”
    Rob Joyce, NSA TAO, Jan 2016

  20. “Better-defended networks require specific methods for accessing resources, monitoring credential use, looking for anomalous behavior, and two-factor authentication.”
    Rob Joyce, NSA TAO, Jan 2016

  21. #1: Users
    95% OF BREACHES involve stolen credentials
    — Verizon 2015 Data Breach Investigations Report

  22. #2: Devices
    75% Of Breaches Involve Compromised Devices
    Source: Duo analysis of 2M+ devices, Jan 2016

  23. #3: Access

  25. Obama To Schmidt: Nation’s Cybersecurity Priorities?
    ✓ Strong Authentication
    ✓ Up-to-Date Devices
    ✓ End-to-End Encryption

  26. President Obama’s $19 Billion Cybersecurity Proposal
    Calls for 35% Increase Over 2016 Enacted Level
    Major Pieces of the Cybersecurity National Action Plan

    Critiques from the Tech Industry
    • While many in the tech industry have applauded the president’s proposal for investment, many of the suggestions are seen as basic and a sign of how woefully behind our government is on cybersecurity. Brian Barrett, a writer for Wired magazine, compares the plan to “standard advice you’d give a tech novice”.
    • With the proposal coming from a “lame-duck” president nearing the end of his second term, there is growing pessimism that pieces that require congressional action will go unfunded.
    • Despite being a basic tenet of internet security, encryption is notably absent from the president’s press release. While many in the tech community believe encryption is necessary for continued cyber safety, the topic remains controversial in Congress.

    Full Multi-Step Authentication Rollout
    While a large portion of the government uses 2-step or multi-step authentication for internal logins, the initiative plans to extend this extra layer of security to citizen-facing federal government digital services. The President hopes this switch will also increase public awareness of this identity proofing mechanism, encouraging wider use among private online systems.

    $3.1 billion Information Technology Modernization Fund
    This fund enables the retirement, replacement and modernization of IT equipment throughout the government. Many see this initiative as overdue, as some branches of the government are running antiquated systems as old as Windows XP, which Microsoft stopped officially supporting in 2014.

    National Initiative for Cybersecurity Education
    $62 billion is requested to invest in educating the nation’s next generation of cybersecurity personnel. Proposed programs include the CyberCorps Reserve, which would offer scholarships for Americans who wish to obtain cybersecurity education in exchange for civil service in government.

    EINSTEIN and the Continuous Diagnostic and Mitigation Program
    The president proposes allocating increased funding to the government’s primary cyberdefense system, EINSTEIN, which has faced significant criticism since it is currently unable to dynamically detect new kinds of cyber intrusions, making it useful only against known threats.

    ✓ Up-to-Date Devices
    ✓ Two-Factor Authentication
    X Encryption?!

    THANKS OBAMA

  30. 1. Threats
    2. Architecture
    3. Market

  32. Security Bingo
    Network:    Firewall/VPN, UTM, IDS/IDP
    Data:       Messaging/Encryption, DLP
    Web:        WAF/Fraud
    Endpoint:   Desktop, Mobile
    Identity:   IAM/SSO
    Management: SIEM/Analytics, VA/GRC

  33. Security Flipped! (╯°□°)╯︵ ┻━┻
    Network (Firewall/VPN, UTM, IDS/IDP) -> Cloud & SaaS: Microsoft, Amazon, Google, Salesforce, Box, etc.
    Data:       Messaging/Encryption, DLP
    Web:        WAF/Fraud
    Endpoint (Desktop, Mobile) -> Modern Devices: iOS, Android, Windows 10, OS X, ChromeOS
    Identity:   IAM/SSO
    Management: SIEM/Analytics, VA/GRC

  34. From Bolt-On To Built-In Security

  35. 1. Threats
    2. Architecture
    3. Market

  36. Defense in Depth
    Expense in Depth

  38. Better Security,
    Not Just More

  39. Goldilocks Strategy
    Solve for Time, Value, Access, & Skill

  41. Enterprise-Grade Security + Consumer-Grade Design

  42. Mission
    DEMOCRATIZE SECURITY
    by making it easy & effective

  45. Siloed Point Solutions
    Users | Devices | Network | Apps

  46. Modern Access Security
    Users | Devices | Network | Apps
    Trusted Access

  47. Trusted Access
    Ensure only trusted users & devices can access protected applications

  48. 2017 Duo Product Line
    Duo Free ($0): Easy two-factor authentication, free for up to 10 users.
    Duo MFA ($3): Easy, best-of-breed two-factor authentication for cloud and on-premise applications.
    Duo Beyond ($9): Our next-generation security control platform for modern, perimeter-less organizations.
    Duo Access ($6): Our essential security suite to manage trust and address risks from mobile, BYOD, and cloud adoption.

  49. Inbound Marketing: 93% of Leads, 75% of ACV

  50. High-Velocity, High-Volume, Predictable Growth
    [Chart: monthly growth from 1/12 through 11/16, with Series A, Series B, and Series C funding rounds marked]
    ‣ Time: 75% of customers up and running in < 1 day
    ‣ Value: 50%+ new ACV from expansion & upsell
    ‣ Access: 25% SMB, 25% Mid-Mkt, 50% Enterprise
    ‣ Skill: Most buyers IT, not security
    ‣ Love: 70 NPS, 1000+ New Logos/Qtr

  52. duo.com
    Moscone South #1247