
Disrupting Security (2017)

Dug Song
February 01, 2017


Keynote for AGC's annual security conference / meat market in San Francisco ahead of the RSA Conference, February 2017.

"This is your industry
I will not let inside me - NO
I steered clear, long (and hard) ago
I wiped the slate clean
As the whistle I hear
Downtown - noon
Within a visible distance
It's with invisible distance"

-- Universal Order of Armageddon, Baltimore, 1996
https://www.youtube.com/watch?v=yfi9dtZj6Y8


Transcript

  1. Disruptive Innovation: an innovation that creates a new market by providing a different set of values, which ultimately (and unexpectedly) overtakes an existing market.
  2. Best-In-Class SaaS Growth (chart: revenue by quarter, Q1 through Q20, y-axis $15M to $60M)
  3. Best-In-Class SaaS Efficiency (chart: y-axis $150M to $600M; plotted values $49M, $60M, $87M, $90M, $96M, $99M, $119M, $143M, $177M, $347M, $559M; median marked)
  4. A Portrait Of The Hacker As A Young Man (ca. 1999)

     Area            Break                         Build
     Authentication  dsniff, Kerberos v4           OpenSSH, RPCSEC_GSS (NFSv4)
     Firewalls       Cisco PIX, Check Point FW-1   pf (OpenBSD)
     VPN             Check Point FW-1              OpenBSD IPSEC, dsocks
     IDS / IPS       Sourcefire, ISS, etc.         Anzen/NFR (Check Point), Arbor Networks
  5. “A lot of people think that nation-states are running on zero-days, but there are so many more vectors that are easier, productive, and less risky.” Rob Joyce, NSA TAO, Jan 2016
  6. “In the world of advanced persistent threat actors, credentials are king for gaining access to systems.” Rob Joyce, NSA TAO, Jan 2016
  7. “Better-defended networks require specific methods for accessing resources, monitoring credential use, looking for anomalous behavior, and two-factor authentication.” Rob Joyce, NSA TAO, Jan 2016
  8. President Obama’s $19 Billion Cybersecurity Proposal Calls for 35% Increase Over 2016 Enacted Level

     Critiques from the Tech Industry
     • While many in the tech industry have applauded the president’s proposal for investment, many of the suggestions are seen as basic and a sign of how woefully behind our government is on cybersecurity. Brian Barrett, a writer for Wired magazine, compares the plan to “standard advice you’d give a tech novice”.
     • With the proposal coming from a “lame-duck” president nearing the end of his second term, there is growing pessimism that pieces that require congressional action will go unfunded.
     • Despite being a basic tenet of internet security, encryption is notably absent from the president’s press release. While many in the tech community believe encryption is necessary for continued cyber safety, the topic remains controversial in Congress.

     Major Pieces of the Cybersecurity National Action Plan
     • Full Multi-Step Authentication Rollout: While a large portion of the government uses 2-step or multi-step authentication for internal logins, the initiative plans to extend this extra layer of security to citizen-facing federal government digital services. The President hopes this switch will also increase public awareness of this identity proofing mechanism, encouraging wider use among private online systems.
     • $3.1 billion Information Technology Modernization Fund: This fund enables the retirement, replacement and modernization of IT equipment throughout the government. Many see this initiative as overdue, as some branches of the government are running antiquated systems as old as Windows XP, which Microsoft stopped officially supporting in 2014.
     • National Initiative for Cybersecurity Education: $62 million is requested to invest in educating the nation’s next generation of cybersecurity personnel. Proposed programs include the CyberCorps Reserve, which would offer scholarships for Americans who wish to obtain cybersecurity education in exchange for civil service in government.
     • EINSTEIN and the Continuous Diagnostic and Mitigation Program: The president proposes allocating increased funding to the government’s primary cyberdefense system, EINSTEIN, which has faced significant criticism since it is currently unable to dynamically detect new kinds of cyber intrusions, making it useful only against known threats.
  9. (same infographic as slide 8) ✓ Up-to-Date Devices
  10. (same infographic as slide 8) ✓ Up-to-Date Devices ✓ Two-Factor Authentication
  11. (same infographic as slide 8) ✓ Up-to-Date Devices ✓ Two-Factor Authentication X Encryption?! THANKS OBAMA
  12. Security Bingo
      Network: Firewall/VPN, UTM, IDS/IDP
      Data: Messaging/Encryption, DLP
      Web: WAF/Fraud
      Endpoint: Desktop, Mobile
      Identity: IAM/SSO
      Management: SIEM/Analytics, VA/GRC
  13. Security Flipped! (╯°□°）╯︵ ┻━┻
      Network (Firewall/VPN, UTM, IDS/IDP) → Cloud & SaaS: Microsoft, Amazon, Google, Salesforce, Box, etc.
      Data: Messaging/Encryption, DLP
      Web: WAF/Fraud
      Endpoint (Desktop, Mobile) → Modern Devices: iOS, Android, Windows 10, OS X, ChromeOS
      Identity: IAM/SSO
      Management: SIEM/Analytics, VA/GRC
  16. 2017 Duo Product Line
      Duo Free: Easy two-factor authentication, free for up to 10 users. $0
      Duo MFA: Easy, best-of-breed two-factor authentication for cloud and on-premise applications. $3
      Duo Access: Our essential security suite to manage trust and address risks from mobile, BYOD, and cloud adoption. $6
      Duo Beyond: Our next-generation security control platform for modern, perimeter-less organizations. $9
  17. High-Velocity, High-Volume, Predictable Growth (chart: monthly, 1/12 through 11/16, with Series A, Series B and Series C markers)
      ‣ Time: 75% of customers up and running in < 1 day
      ‣ Value: 50%+ new ACV from expansion & upsell
      ‣ Access: 25% SMB, 25% Mid-Mkt, 50% Enterprise
      ‣ Skill: Most buyers IT, not security
      ‣ Love: 70 NPS, 1000+ New Logos/Qtr