Disrupting Security (2017)

Dug Song
February 01, 2017

Keynote for AGC's annual security conference / meat market in San Francisco ahead of the RSA Conference, February 2017.

"This is your industry
I will not let inside me - NO
I steered clear, long (and hard) ago
I wiped the slate clean
As the whistle I hear
Downtown - noon
Within a visible distance
It's with invisible distance"

-- Universal Order of Armageddon, Baltimore, 1996
https://www.youtube.com/watch?v=yfi9dtZj6Y8


Transcript

  1. Disrupting Security (Dug Song, CEO, duo.com)

  3. Disruptive Innovation: an innovation that creates a new market by providing a different set of values, which ultimately (and unexpectedly) overtakes an existing market

  4. w00w00: Disrupting Industries Since 1999 (title repeated on slides 5 to 8)

  9. Best-In-Class SaaS Growth (chart; axis ticks $15M to $60M and Q1 to Q20)

  10. Best-In-Class SaaS Efficiency (chart; axis ticks $150M to $600M; plotted values $49M, $60M, $87M, $90M, $96M, $99M, $119M, $143M, $177M, $347M, $559M, plus a Median marker)
  11. 1. Threats 2. Architecture 3. Market

  15. A Portrait Of The Hacker As A Young Man (ca. 1999)

                      Break                        Build
      Authentication  dsniff, Kerberos v4          OpenSSH, RPCSEC_GSS (NFSv4)
      Firewalls       Cisco PIX, Check Point FW-1  pf (OpenBSD)
      VPN             Check Point FW-1             OpenBSD IPSEC, dsocks
      IDS / IPS       Sourcefire, ISS, etc.        Anzen/NFR (Check Point), Arbor Networks

  18. “A lot of people think that nation-states are running on zero-days, but there are so many more vectors that are easier, productive, and less risky.” Rob Joyce, NSA TAO, Jan 2016

  19. “In the world of advanced persistent threat actors, credentials are king for gaining access to systems.” Rob Joyce, NSA TAO, Jan 2016

  20. “Better-defended networks require specific methods for accessing resources, monitoring credential use, looking for anomalous behavior, and two-factor authentication.” Rob Joyce, NSA TAO, Jan 2016

  21. #1: Users. 95% of breaches involve stolen credentials (Verizon 2015 Data Breach Investigations Report)

  22. #2: Devices. 75% of breaches involve compromised devices (Source: Duo analysis of 2M+ devices, Jan 2016)

  23. #3: Access

  24. Obama To Schmidt: Nation’s Cybersecurity Priorities?

  25. Obama To Schmidt: Nation’s Cybersecurity Priorities? ✓ Strong Authentication ✓ Up-to-Date Devices ✓ End-to-End Encryption

  26. President Obama’s $19 Billion Cybersecurity Proposal Calls for 35% Increase Over 2016 Enacted Level (infographic: Major Pieces of the Cybersecurity National Action Plan)

      Critiques from the Tech Industry
      • While many in the tech industry have applauded the president’s proposal for investment, many of the suggestions are seen as basic and a sign of how woefully behind our government is on cybersecurity. Brian Barrett, a writer for Wired magazine, compares the plan to “standard advice you’d give a tech novice”.
      • With the proposal coming from a “lame-duck” president nearing the end of his second term, there is a growing pessimism that pieces that require congressional action will go unfunded.
      • Despite being a basic tenet of internet security, encryption is notably absent from the president’s press release. While many in the tech community believe encryption is necessary for continued cyber safety, the topic remains controversial in Congress.

      Full Multi-Step Authentication Rollout: While a large portion of the government uses 2-step or multi-step authentication for internal logins, the initiative plans to extend this extra layer of security to citizen-facing federal government digital services. The President hopes this switch will also increase public awareness of this identity proofing mechanism, encouraging wider use among private online systems.

      $3.1 billion Information Technology Modernization Fund: This fund enables the retirement, replacement and modernization of IT equipment throughout the government. Many see this initiative as overdue, as some branches of the government are running antiquated systems as old as Windows XP, which Microsoft stopped officially supporting in 2014.

      National Initiative for Cybersecurity Education: $62 billion is requested to invest in educating the nation’s next generation of cybersecurity personnel. Proposed programs include the CyberCorps Reserve, which would offer scholarships for Americans who wish to obtain cybersecurity education in exchange for civil service in government.

      EINSTEIN and the Continuous Diagnostic and Mitigation Program: The president proposes allocating increased funding to the government’s primary cyberdefense system, EINSTEIN, which has faced significant criticism since it is currently unable to dynamically detect new kinds of cyber intrusions, making it only useful against known threats.

  27.-29. Same infographic, annotated progressively: ✓ Up-to-Date Devices ✓ Two-Factor Authentication X Encryption?! THANKS OBAMA

  30. 1. Threats 2. Architecture 3. Market

  32. Security Bingo: Network (Firewall/VPN, UTM, IDS/IDP), Data (Messaging/Encryption, DLP), Web (WAF/Fraud), Endpoint (Desktop, Mobile), Identity (IAM/SSO), Management (SIEM/Analytics, VA/GRC)

  33. Security Flipped! (╯°□°）╯︵ ┻━┻ The same bingo board, with "Cloud & SaaS: Microsoft, Amazon, Google, Salesforce, Box, etc." placed after Network Firewall/VPN and "Modern Devices: iOS, Android, Windows 10, OS X, ChromeOS" placed after Endpoint Desktop; the remaining squares (UTM, IDS/IDP, Data Messaging/Encryption, DLP, Web WAF/Fraud, Mobile, Identity IAM/SSO, Management SIEM/Analytics, VA/GRC) unchanged

  34. From Bolt-On To Built-In Security

  35. 1. Threats 2. Architecture 3. Market

  36. Defense in Depth

  37. Defense in Depth, Expense in Depth


  38. Better Security, Not Just More

  39. Goldilocks Strategy

  40. Goldilocks Strategy Solve for Time, Value, Access, & Skill

  41. Enterprise-Grade Security + Consumer-Grade Design

  42. Mission DEMOCRATIZE SECURITY by making it easy & effective

  45. Siloed Point Solutions: Users, Devices, Network, Apps

  46. Modern Access Security (Trusted Access): Users, Devices, Network, Apps

  47. Trusted Access: ensure only trusted users & devices can access protected applications

  48. 2017 Duo Product Line
      Duo Free ($0): Easy two-factor authentication, free for up to 10 users.
      Duo MFA ($3): Easy, best-of-breed two-factor authentication for cloud and on-premise applications.
      Duo Access ($6): Our essential security suite to manage trust and address risks from mobile, BYOD, and cloud adoption.
      Duo Beyond ($9): Our next-generation security control platform for modern, perimeter-less organizations.

  49. Inbound Marketing: 93% of Leads, 75% of ACV

  50. High-Velocity, High-Volume, Predictable Growth (chart: monthly timeline 1/12 to 11/16, with Series A, Series B and Series C marked)
      ‣ Time: 75% of customers up and running in < 1 day
      ‣ Value: 50%+ new ACV from expansion & upsell
      ‣ Access: 25% SMB, 25% Mid-Mkt, 50% Enterprise
      ‣ Skill: Most buyers IT, not security
      ‣ Love: 70 NPS, 1000+ New Logos/Qtr

  52. duo.com Moscone South #1247