Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Disrupting Security (2017)

Dug Song
February 01, 2017

Disrupting Security (2017)

Keynote for AGC's annual security conference / meat market in San Francisco ahead of the RSA Conference, February 2017.

"This is your industry
I will not let inside me - NO
I steered clear, long (and hard) ago
I wiped the slate clean
As the whistle I hear
Downtown - noon
Within a visible distance
It's with invisible distance"

-- Universal Order of Armageddon, Baltimore, 1996
https://www.youtube.com/watch?v=yfi9dtZj6Y8

Dug Song

February 01, 2017
Tweet

More Decks by Dug Song

Other Decks in Technology

Transcript

  1. Disruptive Innovation An innovation that creates a new market by

    providing a different set of values, which ultimately (and unexpectedly) overtakes an existing market
  2. Best-In-Class SaaS Growth $15M $30M $45M $60M Q 1 Q

    2 Q 3 Q 4 Q 5 Q 6 Q 7 Q 8 Q 9 Q 10 Q 11 Q 12 Q 13 Q 14 Q 15 Q 16 Q 17 Q 18 Q 19 Q 20
  3. Best-In-Class SaaS Efficiency $150M $300M $450M $600M $60M $87M $90M

    $96M $99M $119M $143M $177M $347M $559M $49M Median
  4. A Portrait Of The Hacker As A Young Man (ca.

    1999) Break Build Authentication dsniff,
 Kerberos v4 OpenSSH,
 RPCSEC_GSS (NFSv4) Firewalls Cisco PIX,
 Check Point FW-1 pf (OpenBSD) VPN Check Point FW-1 OpenBSD IPSEC,
 dsocks IDS / IPS Sourcefire, ISS, etc. Anzen/NFR (Check Point),
 Arbor Networks
  5. “A lot of people think that nation- states are running

    on zero-days, but there are so many more vectors that are easier, productive, and less risky.” Rob Joyce, NSA TAO, Jan 2016
  6. “In the world of advanced persistent threat actors, credentials are

    king for gaining access to systems.” Rob Joyce, NSA TAO, Jan 2016
  7. “Better-defended networks require specific methods for accessing resources, monitoring credential

    use, looking for anomalous behavior, and two-factor authentication.” Rob Joyce, NSA TAO, Jan 2016
  8. President Obama’s $19 Billion Cybersecurity Proposal Calls for 35% Increase

    Over 2016 Enacted Level Major Pieces of the Cybersecurity National Action Plan Critiques from the Tech Industry • While many in the tech industry have applauded the president’s proposal for investment, many of the suggestions are seen as basic and a sign at how woefully behind our government is on cybersecurity. Brian Barrett, a writer for Wired magazine, compares the plan to “standard advice you’d give a tech novice”. • With the proposal coming from a “lame-duck” president nearing the end of his second term, there is a growing pessimism that pieces that require congressional action will go unfunded. • Despite being a basic tenet of internet security, encryption is notably absent from the president’s press release. While many in the tech community believe encryption is necessary for continued cyber safety, the topic remains controversial in Congress. Full Multi-Step Authentication Rollout While a large portion of the government uses 2-step or multi-step authentication for internal logins, the initiative plans to extend this extra layer of security to citizen-facing federal government digital services. The President hopes this switch will also increase public awareness of this identity proofing mechanism, encouraging more wide use among private online systems. $3.1 billion Information Technology Modernization Fund This fund enables the retirement, replacement and modernization of IT equipment throughout the government. Many see this initiative as overdue as some branches of the government are running antiquated as old as Windows XP which Microsoft stopped officially supporting in 2014. National Initiative for Cybersecurity Education $62 billion is requested to invest in educating the nation’s next generation of cybersecurity personnel. Proposed programs include the CyberCorps Reserve which would offer scholarships for Americans who wish to obtain cybersecurity education in exchange for civil service in government. EINSTEIN and the Continuous Diagnostic and Mitigation Program The president proposes allocating increased funding to the government’s primary cyberdefense system: EINSTEIN, which has faced significant criticism since it is currently unable to dynamically detect new kinds of cyber intrusions, making it only useful against known threats.
  9. President Obama’s $19 Billion Cybersecurity Proposal Calls for 35% Increase

    Over 2016 Enacted Level Major Pieces of the Cybersecurity National Action Plan Critiques from the Tech Industry • While many in the tech industry have applauded the president’s proposal for investment, many of the suggestions are seen as basic and a sign at how woefully behind our government is on cybersecurity. Brian Barrett, a writer for Wired magazine, compares the plan to “standard advice you’d give a tech novice”. • With the proposal coming from a “lame-duck” president nearing the end of his second term, there is a growing pessimism that pieces that require congressional action will go unfunded. • Despite being a basic tenet of internet security, encryption is notably absent from the president’s press release. While many in the tech community believe encryption is necessary for continued cyber safety, the topic remains controversial in Congress. Full Multi-Step Authentication Rollout While a large portion of the government uses 2-step or multi-step authentication for internal logins, the initiative plans to extend this extra layer of security to citizen-facing federal government digital services. The President hopes this switch will also increase public awareness of this identity proofing mechanism, encouraging more wide use among private online systems. $3.1 billion Information Technology Modernization Fund This fund enables the retirement, replacement and modernization of IT equipment throughout the government. Many see this initiative as overdue as some branches of the government are running antiquated as old as Windows XP which Microsoft stopped officially supporting in 2014. National Initiative for Cybersecurity Education $62 billion is requested to invest in educating the nation’s next generation of cybersecurity personnel. Proposed programs include the CyberCorps Reserve which would offer scholarships for Americans who wish to obtain cybersecurity education in exchange for civil service in government. EINSTEIN and the Continuous Diagnostic and Mitigation Program The president proposes allocating increased funding to the government’s primary cyberdefense system: EINSTEIN, which has faced significant criticism since it is currently unable to dynamically detect new kinds of cyber intrusions, making it only useful against known threats. ✓ Up-to-Date Devices
  10. President Obama’s $19 Billion Cybersecurity Proposal Calls for 35% Increase

    Over 2016 Enacted Level Major Pieces of the Cybersecurity National Action Plan Critiques from the Tech Industry • While many in the tech industry have applauded the president’s proposal for investment, many of the suggestions are seen as basic and a sign at how woefully behind our government is on cybersecurity. Brian Barrett, a writer for Wired magazine, compares the plan to “standard advice you’d give a tech novice”. • With the proposal coming from a “lame-duck” president nearing the end of his second term, there is a growing pessimism that pieces that require congressional action will go unfunded. • Despite being a basic tenet of internet security, encryption is notably absent from the president’s press release. While many in the tech community believe encryption is necessary for continued cyber safety, the topic remains controversial in Congress. Full Multi-Step Authentication Rollout While a large portion of the government uses 2-step or multi-step authentication for internal logins, the initiative plans to extend this extra layer of security to citizen-facing federal government digital services. The President hopes this switch will also increase public awareness of this identity proofing mechanism, encouraging more wide use among private online systems. $3.1 billion Information Technology Modernization Fund This fund enables the retirement, replacement and modernization of IT equipment throughout the government. Many see this initiative as overdue as some branches of the government are running antiquated as old as Windows XP which Microsoft stopped officially supporting in 2014. National Initiative for Cybersecurity Education $62 billion is requested to invest in educating the nation’s next generation of cybersecurity personnel. Proposed programs include the CyberCorps Reserve which would offer scholarships for Americans who wish to obtain cybersecurity education in exchange for civil service in government. EINSTEIN and the Continuous Diagnostic and Mitigation Program The president proposes allocating increased funding to the government’s primary cyberdefense system: EINSTEIN, which has faced significant criticism since it is currently unable to dynamically detect new kinds of cyber intrusions, making it only useful against known threats. ✓ Up-to-Date Devices ✓ Two-Factor Authentication
  11. President Obama’s $19 Billion Cybersecurity Proposal Calls for 35% Increase

    Over 2016 Enacted Level Major Pieces of the Cybersecurity National Action Plan Critiques from the Tech Industry • While many in the tech industry have applauded the president’s proposal for investment, many of the suggestions are seen as basic and a sign at how woefully behind our government is on cybersecurity. Brian Barrett, a writer for Wired magazine, compares the plan to “standard advice you’d give a tech novice”. • With the proposal coming from a “lame-duck” president nearing the end of his second term, there is a growing pessimism that pieces that require congressional action will go unfunded. • Despite being a basic tenet of internet security, encryption is notably absent from the president’s press release. While many in the tech community believe encryption is necessary for continued cyber safety, the topic remains controversial in Congress. Full Multi-Step Authentication Rollout While a large portion of the government uses 2-step or multi-step authentication for internal logins, the initiative plans to extend this extra layer of security to citizen-facing federal government digital services. The President hopes this switch will also increase public awareness of this identity proofing mechanism, encouraging more wide use among private online systems. $3.1 billion Information Technology Modernization Fund This fund enables the retirement, replacement and modernization of IT equipment throughout the government. Many see this initiative as overdue as some branches of the government are running antiquated as old as Windows XP which Microsoft stopped officially supporting in 2014. National Initiative for Cybersecurity Education $62 billion is requested to invest in educating the nation’s next generation of cybersecurity personnel. Proposed programs include the CyberCorps Reserve which would offer scholarships for Americans who wish to obtain cybersecurity education in exchange for civil service in government. EINSTEIN and the Continuous Diagnostic and Mitigation Program The president proposes allocating increased funding to the government’s primary cyberdefense system: EINSTEIN, which has faced significant criticism since it is currently unable to dynamically detect new kinds of cyber intrusions, making it only useful against known threats. ✓ Up-to-Date Devices ✓ Two-Factor Authentication X Encryption?!
 
 THANKS OBAMA
  12. Security Bingo Network Firewall/ VPN UTM IDS/IDP Data Messaging/ Encryption

    DLP Web WAF/Fraud Endpoint Desktop Mobile Identity IAM/SSO Management SIEM/ Analytics VA/GRC
  13. Security Flipped! (˽°□°҂˽Ɨ ˍʓˍ Network Firewall/ VPN Cloud & SaaS

    Microsoft, Amazon, Google, Salesforce, Box, etc. UTM IDS/IDP Data Messaging/ Encryption DLP Web WAF/Fraud Endpoint Desktop Modern Devices iOS, Android, Windows 10, OS X, ChromeOS Mobile Identity IAM/SSO Management SIEM/ Analytics VA/GRC
  14. 2

  15. 7 7

  16. 2017 Duo Product Line Duo Free Easy two-factor authen1ca1on, free

    for up to 10 users. $0 Duo MFA Easy, best-of-breed two- factor authen1ca1on for cloud and on-premise applica1ons. $3 Duo Beyond Our next-genera1on security control pla?orm for modern, perimeter-less organiza1ons. $9 Duo Access Our essen1al security suite to manage trust and address risks from mobile, BYOD, and cloud adop1on. $6
  17. 1/12 3/12 5/12 7/12 9/12 11/12 1/13 3/13 5/13 7/13

    9/13 11/13 1/14 3/14 5/14 7/14 9/14 11/14 1/15 3/15 5/15 7/15 9/15 11/15 1/16 3/16 5/16 7/16 9/16 11/16 High-Velocity, High-Volume, Predictable Growth ‣ Time: 75% of customers up and running in < 1 day ‣ Value: 50%+ new ACV from expansion & upsell ‣ Access: 25% SMB, 25% Mid-Mkt, 50% Enterprise ‣ Skill: Most buyers IT, not security ‣ Love: 70 NPS, 1000+ New Logos/Qtr Series A Series B Series C
  18. 1/12 3/12 5/12 7/12 9/12 11/12 1/13 3/13 5/13 7/13

    9/13 11/13 1/14 3/14 5/14 7/14 9/14 11/14 1/15 3/15 5/15 7/15 9/15 11/15 1/16 3/16 5/16 7/16 9/16 11/16 High-Velocity, High-Volume, Predictable Growth ‣ Time: 75% of customers up and running in < 1 day ‣ Value: 50%+ new ACV from expansion & upsell ‣ Access: 25% SMB, 25% Mid-Mkt, 50% Enterprise ‣ Skill: Most buyers IT, not security ‣ Love: 70 NPS, 1000+ New Logos/Qtr Series A Series B Series C