industry analysis Archives - Zenaciti
https://zenaciti.com/tag/industry-analysis/
Zenaciti generates actionable intelligence for leaders and investors on sales, go-to-market strategy, and cybersecurity.

Cloud Eats Security
https://zenaciti.com/cloud-eats-security/
Fri, 03 Dec 2021 00:10:19 +0000
Cloud providers, like AWS and Azure, and SaaS companies like ServiceNow and SalesForce are consuming the cybersecurity market.

The post Cloud Eats Security appeared first on Zenaciti.

The Unwinnable Game

Over the past 20 years, cybersecurity has played an unwinnable game. In this game, the attackers make all the rules, score all the points, and can quit anytime without losing.

Meanwhile, the defenders are encumbered with a cavalcade of rules, tools, and fools: insidious compliance rules that drag down progress, a messy assortment of security tools that never work together, and company executives that dismiss security as a nuisance inhibiting their success.

If you have ever had to implement enterprise information security you know that it is not merely difficult, it is profoundly difficult. However, what is the alternative? Companies must defend themselves. And so, security professionals diligently persevere. They buy new tech, hire more people, and fight enemies inside and out. After a while, the virtuousness of their perseverance becomes indistinguishable from insanity.

Beyond Human

The crux of this Unwinnable Game is that protecting modern IT systems exceeds human cognitive abilities. Information security, even for a modest-sized organization, is insanely complex, volatile, and error-prone. This has left CISOs playing a game they can never win. See more about What is Wrong with CISOs.

If humans cannot handle security, then who or what can? Automation? Artificial Intelligence (AI)?

AI and automation both have tremendous potential to make security less complex and more reliable. Automation tools can repeatedly (and tirelessly) analyze data to identify outliers and potential attacks. AI can, theoretically, adapt to changing environments.

Unfortunately, these tools have massive hurdles to adoption.

First, implementing AI and automation is well beyond the technical capabilities of most security teams. Most security teams struggle to maintain basic hygiene. Expecting them to install, tune, and manage complex AI technologies is unrealistic.

Second, these tools demand standardization. Environments with disparate systems are impossible to automate and confound AI engines.

Lastly, AI engines demand vast amounts of data to build accurate propensity models. This means the engine must have both abnormal and normal data (and anything in between). Most security technologies discard or ignore normal data, favoring the abnormal. This is because the humans who manage those security products cannot handle the onslaught of both normal and abnormal data.

Introducing Platformization

This is the point when cloud providers, like AWS, Microsoft, and Google, as well as large SaaS providers, like SalesForce and ServiceNow, join the chat. Cloud providers have huge advantages with regard to automation and AI. They are skilled at taking technologies and processes and transforming them into standardized, easy-to-implement, automated services. AWS has the people, purpose, and scale to build AI engines. Above all, cloud providers have a huge advantage over the point players, like Crowdstrike or Splunk: cloud providers can see everything, normal and abnormal. This makes them a logical place to implement security.

Computing workloads are moved to the cloud because the cloud providers simplify complex technology into standardized services. Cloud and SaaS have already consumed entire markets, such as email. Ten years ago, if you needed an email server, you had to set up, manage, and secure your own. Today, with a few clicks and a script you can have an enterprise-class email system at Microsoft or Google, pre-configured and secured correctly. There are few reasons to run your own mail server these days.

Security is no longer an add-on product. It is inside the platforms companies already use.

The New Cloud Order

By 2030, security will be inside the platform, not outside it. These integrated services will extend out to endpoints and IoT devices as well. What we know today as the security industry, with thousands of vendors all selling point products, will dramatically change. It will be more about integrating capabilities into existing cloud and SaaS platforms.

This trend is already in motion. The impact of this shift will be felt far and wide. Some of the things we can expect include:

  • The demand for point security products will not disappear; rather, it will move down-market to SMB and laggard industries that refuse to adopt the cloud.
  • The market valuations for security point solutions will decline as they run out of customers.
  • The demand for in-house security expertise will decline. With cloud services and AI doing much of the dirty work, in-house teams will have less to do. This will make the security roles less about twiddling with tools and more about managing risk posture throughout the organization. This will also fuel expansion in the managed security segment.
  • Since everything in the cloud can be automated through an API, a new class of value-added resellers will emerge: automation integrators. These providers will repackage automations between different providers. They will offer pre-built architectures, with your preferred vendors (like ServiceNow or Salesforce) pre-integrated. With a few clicks you will be able to build an entire enterprise infrastructure with everything tightly integrated.
  • The market for managed security providers (MSSPs) will grow; however, they must adapt to work with the cloud. The traditional MSSP, with a big SOC managing hardware devices, will be less relevant. MSSPs will also move down-market into SMB environments. It will be less expensive and simpler for organizations to outsource security monitoring than to attempt it in-house.
  • Demand for stand-alone security awareness and application code scanning solutions will remain stable or increase. These services are difficult for cloud providers to adopt, due to their customized nature. However, security awareness training has already moved to cloud delivery. Likewise, most application code scanners have SaaS-delivered versions as well.
  • Hardware security products must refocus on access, with tight integration to cloud services. Many of the hardware vendors, like Palo Alto Networks and Fortinet, have already begun this transition.
  • Compliance will be devalued. Compliant environments can be built, certified, and authorized through automated means. Compliance bodies will resist this at first, but the cloud providers will strong-arm them into adopting. You already see the beginnings of this, with the FedRAMP office pushing its standardized OSCAL language.
  • Multi-cloud will become more difficult as cloud providers find more ways to create lock-in strategies. This will also increase the need for automation integrators, which can smooth out multi-cloud adoption complexities.
  • Attacks and ransomware will shift focus to “softer” targets such as laptops and IoT devices.
  • AI engines will become increasingly more capable at identifying new attacks. However, people will need to manage the response and remediation.
  • Automation will extend to remediation tools. Cleaning up an intrusion will no longer require expensive engagements with outside consultants. Rather, automation tools will gather evidence, wipe out affected systems, and rebuild from known-good repositories.
  • Risk management will become more important to companies, as they shift from a purely reactionary approach to that of controlling risks.
  • Watch closely anyone that AWS, Azure, Google, Salesforce, ServiceNow, Oracle, SAP, etc. acquires. They will start vacuuming up technologies that will serve this change. AWS has already done a few.

Evidence

The evidence of this movement is already out there.

  • Microsoft Azure has its own Security Information and Event Management (SIEM) product: Sentinel.
  • AWS has rolled out GuardDuty and WAF, making standalone WAF or IDS/IPS products less relevant.
  • Google’s Chronicle integrates multiple security functions as well as some AI capabilities.
  • At re:Invent 2022, AWS announced Security Lake, a new SIEM product similar to Chronicle and Sentinel.
  • Google purchased Wiz, with the intention to integrate it into their cloud offerings.
  • AWS announced Security Agent, an AI-based vulnerability identification and remediation tool.

Counterpoints

Of course, this trend will encounter resistance from all those vendors. Just as hardware vendors ignored the writing on the wall in the early 2000s, so too does the sea of booths at RSA ignore the rising cloud waters around them. However, let’s consider some contrary points.

Cloud services are not as accurate or capable as dedicated point solutions.

This may be true, but it does not matter. The cost and complexity of implementing, optimizing, and managing point solutions is already higher than adopting cloud-native tools. Moreover, the quality of a product is largely irrelevant in the grand scheme of protecting a business. Most of the companies that experienced a large data breach possessed cutting edge security technologies. It is not the technology that protects a company, it is how the technology is implemented, managed, and monitored.

Cloud providers are incentivized to ignore or cover up security problems. You cannot have the fox guarding the henhouse!

Pushing the farm clichés aside, this is untrue. Cloud providers are under tremendous legal, regulatory, and reputational pressure to secure their services. For example, a few years back AWS took heat for customers with public S3 buckets. Even though this is a legitimate configuration, and customers are entirely responsible for setting this access, AWS still implemented improvements to lock down S3 buckets even more.

Furthermore, if you are going to entrust the entirety of your company’s data and processing to AWS, why can you not trust their security? Lastly, cloud providers are deeply incentivized to protect customers’ workloads for one less savory reason: lock-in. If a cloud platform is consistently having security issues, customers will leave and move to a competitor’s platform.

This is monopolistic; many organizations will reject using cloud-native security tools, leaving a market for point-solution vendors.

Yes, some companies will resist; however, this will not stop the cloud providers. Those companies that resist will be at a disadvantage. Security today is insanely inefficient and error-prone precisely because there are too many tools that do not interoperate well. Automating and standardizing security is the only way to contain this expanding inefficiency. Those companies that resist will lose the efficiency and effectiveness gains of those companies that do adopt the cloud-native security tools.

The follow-on question for this is: at what point do the cloud providers transform from merely providing a compute service to being a utility? Where are the limits of their reach? That is a larger, complex question for another article.

Conclusion

Information security is stuck playing a game it will never win. However, unlike the sage wisdom of WarGames, which suggested the only winning move is not to play, we do not have that choice. We must defend our data, our infrastructure, and our nations from cyberattacks.

Information security teams can win this game, if they leave defense to the robots. Only automation can adapt, react, and protect at the scale necessary to defend an enterprise. And only the cloud providers have the scale, resources, and motivation to be able to build these robots effectively.

This was originally published in December 2021 and revised a few times since then.

Big Hairy Questions: Strategies for Technical Due Diligence (Part 2)
https://zenaciti.com/big-hairy-questions-2/
Thu, 02 Sep 2021 18:21:13 +0000
Ten strategies that technical due diligence analysts use to uncover your product's weaknesses. (Part 2 of 2)

The post Big Hairy Questions: Strategies for Technical Due Diligence (Part 2) appeared first on Zenaciti.

In the first part of this series, we discussed the first five Big Hairy Questions that comprise a technical due diligence project. This included:

  1. What is the Intent?
  2. Who is in the Room?
  3. What are the Dependencies?
  4. What is NOT Being Said?
  5. What is the Market?

In this second and final part, we pick up where we left off.

6. Does it Work?

This question is as obvious as it sounds. Does the product do what the company claims it does? This is easy to answer if you can rise above the company’s messaging and posturing.

The first part of this question is to have the company’s sales engineers demo the product. Ideally, I want to see how they explain the product, its features, and its strengths. My focus with them is the infrastructure of the product: where it is deployed, how it is installed, which third-party products it needs, etc.

When time permits, I like to install and use the product myself. I have a rich background in installing technology, so this can be fun. It can also be miserable, like the encryption product I reviewed once that bricked my laptop.

With some hands-on experience under my belt, the next step is to see what others have to say.

7. What Do the (Real) Users Say?

During most due diligence projects, the company will set up one or more user meetings. These are useful since I can hear how the product performs in the real world. However, it is unlikely they will put unhappy customers in front of me. As such, I need some “unfiltered” opinions.

Online user groups, like Reddit, can be useful here. While you cannot fully trust online sources, they can give you clues to what is bothering users. Many years ago, I was analyzing a web gateway product. I noticed numerous online users complaining about logging capabilities. When the SEs showed me the product, I specifically had them focus on logging. They got defensive. Eventually, the product manager fessed up that their logging capabilities were weak. Had I not read all those online complaints, I might not have thought to dig into the product’s logging capabilities.

However, user groups almost always skew to the negative. Nevertheless, between the handpicked customers the company provides, and the rants of people on the Internet, I can assemble a picture of the product’s real-world usage.

8. What Problem Does It Solve?

How a product is sold to customers says a lot about its potential. A smooth sales process translates to scale, while a clunky process can hinder a product’s growth. Analyzing a company’s sales processes can be highly entertaining, but it does not give much insight into the product’s technical capabilities. This is because there are plenty of technically weak products that sell well, while innovative ones languish.

However, sales can provide insight into the market for a product, if you look at why people buy it.

This begins with an understanding of the sales personas. These are the generalized roles at a prospective customer that sales works with to close the deal. There are four sales personas:

  • Champion: person who identifies the product and promotes it within the company
  • Evaluator: person who assesses the product for use and provides a recommendation for purchase, or not
  • Influencer: person whose opinion of the product holds weight among the other personas
  • Decision Maker: person who makes the final decision to buy the product

While a single person may embody all these personas, that is uncommon. Even small companies divide the decision maker from the evaluator.

Evaluators and influencers are where this “why” question has the most traction. These personas are typically tasked with vetting the product for use. If they see something they like, they will recommend the product. Mostly, they will want to solve a problem.

The clearer a company defines the problem its product solves, the more convinced the evaluators and influencers will become. Therefore, when I meet customers of a product, I want to talk to the person(s) who evaluated the product prior to sale. I want to hear why they bought the product, to determine if the company solves a real problem and communicates that effectively.

A few years ago, I was performing due diligence on a threat intelligence platform. The sales team complained of losing to competitors when they got into evaluations. I had them walk me through a typical technical deep dive with a customer doing an evaluation. The issue was obvious. They could not effectively define what problem their product resolved.

This also had an impact on product development and marketing. The company kept adding features, trying to out-innovate their competitors. Consequently, the product was a mess of features that sounded cool but, again, did not address specific business problems.

Why companies buy (or do not buy) a product can give you a ton of insight into not only sales, but the entire product development process.

9. Where is the Data?

This is another deep-in-the-weeds issue, but it is a looking glass into a product’s maturity. Mature products handle data properly. Immature ones do not.

A few years ago, I was analyzing an attractive up-and-coming security analytics tool. I asked about data handling. The engineers fumbled around the question, ultimately trying to convince me that saving the data in flat text files to the file system was an ingenious strategy. It was not. It was a terrible way for a security product to store data. Despite looking attractive and powerful, the product had some serious technical problems under the covers. My questioning about data handling revealed these issues.

For this, I investigate how the data is stored, access controls, encryption, auditing, and distribution of data (redundancy). I also love it when companies supply their data models. I can analyze the structure of their database(s) and see if they are well architected, or a patchwork of disparate databases.

10. What is the Vision?

If I had to pick one thing that sets great companies apart from mediocre ones, it is vision. Vision answers the simple question “why?”  Why does this product (or company) exist? Why should I care? The clearer a company is about these questions, the better their products tend to be. However, there is nothing simple about vision.

A strong vision connects the product and company to a genuine purpose. Something that can motivate people to a higher cause. Consider Tesla’s vision, to accelerate the world’s transition to sustainable energy. This is a strong vision. Notice it does not mention cars.

Vision is like an invisible guardrail that keeps a company focused on a higher calling. It gives leaders an intangible push to look beyond the mere function of a product, to how that product can fulfill a higher purpose.  Without a strong vision, companies and their products become mediocre.

I am routinely surprised how few leaders understand the power of vision. I think it makes them uncomfortable. Perhaps it’s because it seems light and “touchy feely.” Yet vision is what motivates people. As Simon Sinek reminds us, people do not buy what you do, but why you do it.

I could not tell you exactly what vision needs to be. It is different for each organization. However, I know what it is not.  Vision is not merely making money, dominating a market, or “delivering shareholder value.”  Those things are the result of a strong vision, not a vision itself.

Where I look for vision is inside everything. It should start with the leadership, particularly the C-level suite. However, vision should permeate every level of the company, from the executive office to the janitor’s office.

Conclusion

Reflecting on all my due diligence projects, I realize there is more to them than encryption protocols and marketing presentations.  They are complex efforts with a lot of information. In many ways, I find due diligence work similar to risk assessments. Large quantities of data, which when laid out, paint a picture. That picture may be one of ingenuity, opportunity, and prosperity…or not.  Or something in between.

I wrote this blog as a marketing tool as well as a lesson for companies who are getting a visit from a technical due diligence consultant. Ideally, the ideas I shared here will help you assess your own company and make improvements before a person like me shows up.

I will leave you with one of the more poignant moments from my due diligence work.  Many years ago, I spent months analyzing a company. In the final meeting, we were going over all the findings. After the presentation, the CEO of the acquiring company pulled me aside and asked me, “give it to me straight, what is the largest risk in this deal?”

I thought of all the technical weaknesses in the product, the poor logging, the laughable 10Gb performance, and the lack of a good cloud product.  However, those were not the biggest risk.

“There is no vision here. The leadership is…lost.”

The leaders could speak confidently of the product’s features, but not about the company’s purpose.  The leaders were connected to plenty of important people, but they could not explain why I should care about their products. The CEO of the acquiring company nodded and smiled broadly. I had confirmed what he suspected, but nobody was brave enough to say.

If you want a great product, start with the ten hairy questions, and answer them honestly. That way when the investors are sniffing around and they send in some guy like me, you will be ready.

Also, I am not washing your dishes.

Go back to read Part 1

Big Hairy Questions: Strategies for Due Diligence (Part 1)
https://zenaciti.com/big-hairy-questions-1/
Thu, 02 Sep 2021 00:02:23 +0000
Ten strategies that technical due diligence analysts use to uncover your product's weaknesses. (Part 1 of 2)

The post Big Hairy Questions: Strategies for Due Diligence (Part 1) appeared first on Zenaciti.

Among all the jobs I have had, from dishwasher to CEO, my favorite one is industry analyst doing technical due diligence projects. I started doing analyst work in 2010. The projects have all been thoroughly engaging; from the one-day anti-virus product analysis to the months-long deep dive into managed services. It is fascinating to dig into a technology, market, and business.

Most of my work is for investors or acquirers. They hire a person like me, who has a long history in security technology, and I provide analysis of the strengths and weaknesses of the technology. Any company that has gone through an acquisition or funding round has had to deal with technical due diligence and a person like me.

Ideally, the analyst has a strategy. In a recent meeting, an investor asked me to describe my process for technical due diligence. In my response, I detailed ten “Big Hairy Questions” that form a framework for my analysis.  These questions are not the only ones I ask.  Rather, they are a structure to analyze the people, processes, products, and potential of a company.

With that in mind, let’s take a look at the Ten Big Hairy Questions for technical due diligence.

1. What is the Intent?

Way back in the 1980s, I was an art critic for my university newspaper. It was a fun gig.  I met a zany assortment of creative characters.  I wrote about all sorts of artwork from a room filled with feathers to surrealist nightmares from Chicano artists.

My technique was to assess how successfully an artist met their own intentions. First, I would ask the artist what they intended to accomplish. This usually prompted long, flowery, and impassioned explanations of their work. Then I would ponder what they said and ask myself a simple question: how well did the artist accomplish what they set out to do?

Incidentally, the feathers got a thumbs down. However, the Chicano artist got a big thumbs up. He was David Tineo, whose work is internationally known.

This technique works for art as well as for companies and their products. However, with art you can ask the artist directly about their intentions.  With products you must ascertain intent from what the leaders say and the marketing messages. Websites, marketing slicks, tradeshow booths, white papers, and other marketing content are all the artwork of a company.

Apple is an example of a company that does exceptionally well at messaging its intentions. They want to make technology easier so more people buy their laptops and phones. Their marketing is all about inclusivity and broad adoption of their technology.

Conversely, companies with weak products (and teams) generate cluttered, messy, and ridiculous messaging. This often takes the form of grandiose claims of superiority, trite euphemisms, banal platitudes, and my personal favorite, idiotic sports or war metaphors: “Our Dynamic, Results-Driven, HyperDonker Delivers 91% More Extreme Thought Leadership to Get your DevOrcs Over the Goalposts and win the War Against Codemas!”  

Marketing messaging may only be a small component of a company and its products, but it speaks volumes to what they intend to do. I see this as the opening act in this play of unpacking a company’s vision.

This leads to the next big question.

2. Who is in the Room?

Technical analysis is not all about banal platitudes and source code. Technology is the product of humans. Who a company brings to the table during a due diligence project says a lot about the company’s maturity. I expect to see executives, product managers, engineers, developers, salespeople, and sometimes support staff. However, there are two people who get the lion’s share of my attention: the CEO and the sales engineers.

The CEO is obvious as he/she sets the tone for the whole company. When I talk to a CEO, I pay attention to what he/she focuses on: vision or pedigree.  Both have value, but in this context, vision is what really matters.

Vision is the why of a product and company. Why does this company exist? What problems does it solve? What is the company’s higher calling? I will discuss the criticality of vision later in this article.

Pedigree is who the CEO knows, where he/she worked in the past, and his/her connections to people in power. Pedigree may be helpful in building the company, but it has no impact on the quality of the product(s). A skilled CEO should know this. When they meet an analyst like me, they should be talking about vision and not all the big shots they know at the country club.

Incidentally, some companies have a CTO, or “Chief Evangelist,” serve as the keeper of the company vision, while the CEO is more of a glad-handler to investors. This is a sign of maturity. In these situations, I shift my focus to the CTO.

Sales Engineers (SE) are where a company’s vision hits the pavement.  Smart, enthusiastic, passionate SEs do not work for companies with lame products.  SEs love to talk about customers, especially the annoying ones.  A talkative SE can reveal everything wrong (or right) with a product in a few short minutes.  Just get them telling stories about customer meetings that went south, and they will reveal all the dirty laundry.

Other key people who need to be in the room include marketing leaders, product managers, and technical architects.  Finance people are a ‘nice to have’ as well. They tend to be matter of fact people, who can provide insights on the sales process.

3. Where are the Dependencies?

This is down in the technical weeds, but it can be the Achilles Heel of a company and its products.

The use of third-party technologies in security solutions is ubiquitous. Done properly, it can dramatically strengthen a product, company, and its value. In the complex, interconnected, interdependent world of security, using proven third-party technologies is a good thing. Another way to think of it is “stay in your lane.” For example, if a company is building a new encryption product, they should not also be building log collection software. There are plenty of third-party products, like Splunk or Elastic, that can do that far better than anything they can build.

Unfortunately, companies often mess up their third-party dependencies. They will use a third-party technology in their product but fail to build a strong partnership with the third-party provider.  This creates a lot of risk.  The value of the product (and the company) can be quickly erased if those third parties pull their support or licensing agreements.  This problem applies to open-source technologies as well, but in different ways.

As such, when I analyze a company’s use of third-party technology, I focus less on the actual usage and more on how strong the relationship seems.  Moreover, I will look at how easily they can swap out the third-party tech.  Relationships, even well managed ones, can sour for all sorts of reasons.

4. What is NOT Being Said?

During an M&A transaction, emotions and tension are high. Executives get into pitching mode where they say only what they think the investor needs to hear. At some point, what they are saying becomes less important than what they are NOT saying.

Due diligence is about uncovering both the strengths and weaknesses of a product or company. This is not to derail the deal but rather to inform the investors about the risk of the transaction. A company’s products may be fantastic, but there are organizational or structural weaknesses that threaten the ability of the company long term. If an investor is putting money into a company, they have a right to know those weaknesses.

If you want to know what is wrong with a company’s products, ask the people who build, sell, and support it. That may seem like a “duh” thing to say but it works, astonishingly well.  Most people, especially engineers, are honest and forthright. If you show curiosity, the information flood gates will swing wide, and you learn every problem in the company from the lack of good coffee to the plain-text passwords stored in Access databases on a public file share.

Or they will cross their arms and turn to stone.

Companies, particularly immature ones, will “harden” their staff prior to due diligence. That is, they instruct them on specific topics or issues to avoid or dismiss. The irony of hardening is that it rarely works.

Hardening creates cognitive dissonance in people. It is our nature as humans to share. Most people will give off clues when they are not saying something. They may talk around an issue or use body language to indicate they do not really believe what they are saying.

I once worked with an engineer who would roll his eyes every time somebody said their product worked at 10Gb.  His body language was clear as day, the product could not handle 10Gb. When I put this concern in my report the company reluctantly admitted this was a serious issue.

Americans are particularly transparent in this regard as we are culturally predisposed to babbling about whatever annoys us. Other cultures are better at hiding their true feelings.

Some tips on hearing what is not being said:

  • Make people feel safe. Downplay the gravity of the situation. Make them laugh.
  • Meet with people alone. People are more honest in a 1:1 setting.
  • Watch their body language. People get uncomfortable, fidgety, and nervous when they are not telling you the full story.
  • Refocus them and ask them to complain about an unrelated issue, then lead them back to the product.

Not all of these techniques work all the time, but they can open doors. Again, the intent is to determine what people are not saying and put that in context to what they are saying. This provides a more complete (and honest) picture of a company and their products.

5. What is the Market?

Products do not exist in a vacuum. They must meet market demand.  Markets are fickle, as are the people who define them. You can spend a lot of time dithering over and debating a market, its size, and how hot it is, was, or might be.

Consequently, I like to keep my market analysis simple. I assess four elements:

  • Existence: Does the market even exist? A new innovative technology can define a whole new market…or not. Crowdstrike comes to mind here. They redefined the endpoint security market, ultimately charging ahead to be worth billions. However, for every Crowdstrike, there are hundreds of great ideas struggling to define themselves as well as a market. This is where the Gartners and IDCs of the world can step in and help validate the existence of a market.
  • Clarity: Merely existing does not mean a market is well defined. A market must have a clear set of success metrics and qualities. A recent example of a poorly defined market is homomorphic encryption. This is a brilliant technology, but there are few players and even less clarity as to what constitutes a successful product in this space. Market definition emerges out of a collection of products, but it may also come from analysts, journalists, and other external sources.
  • Size: This is more often called the total addressable market (TAM). TAM is how many companies would want to buy the product. TAM is always an aspirational number. The average price of a product and the heat around it can also dramatically alter TAM. A company should know their TAM and have some data to back up their estimates.
  • Heat: This refers to the buzz around the product space. A few Google and LinkedIn searches can validate the general heat of a market. Hot market spaces can command premium prices and rapid growth. In 2021, when I wrote this, container security was super-hot. If you do a search on container security in 2021, the vast number of articles, products, and marketing fluff out there is evidence of a lot of heat.

Continue to Part 2
