A talented field yielded some creative solutions to vexing security challenges. RSA's 2017 Innovation Sandbox held its competition and selected a winner yesterday afternoon: UnifyID. The ten finalists all offered interesting and compelling presentations (especially the runner-up, EN|VEIL), and we'll review their presentations in a follow-up article. Today we concentrate on observations from investors in the security sector.
Can security lead transformation?
RSA's Hugh Thompson introduced the program by asserting that automation had already brought about a tremendous transformation of human society, but that the process of transformation is still in its early stages. He asked the audience to consider whether security might not only contribute to, but even lead, that transformation. He argued that security recognizes and exposes weaknesses in systems. Given the degree to which users must now make more security choices, it's more important than ever to expose and address weaknesses as we design systems.
Venture capital looks at the state of the cyber security sector.
Before introducing the Sandbox finalists, Thompson brought up a panel of venture capitalists to offer their take on the state of the sector. Moderated by Nicole Perlroth of the New York Times, the panel included Ariel Tseitlin (Scale), Jake Flomenberg (Accel), and Bob Ackerman (Allegis).
Perlroth began by asking what she called "the inevitable bubble question." Are we in a cybersecurity bubble? Is there a slow-down? Are you now asking entrepreneurs about profits and so forth, becoming more selective in where you invest?
"Markets," Ackerman answered, "initially run on hype, and then move to a cycle in which they digest information." He sees the cyber sector as currently on the cusp of that shift. Tseitlin sees a similar cycle, but believes we're not yet fully out of that first stage. Flomenberg pointed out that there's still a lot of capital flowing into the sector. "And if you look at deal volume, we're still in a frothy stage. You see ten, twenty companies in the early stage addressing the same problem, where perhaps there should be three." There has, he believes, been a pullback in later-stage funding, where investors have begun to show more selectivity.
There is, Perlroth said, a common in-box problem that she imagined VCs must share with journalists. You're pitched all the time: how do you decide who the winners are? After suggesting that investors need "a buzzword detection engine," Ackerman acknowledged that the signal-to-noise problem is a very real one. He said that Allegis goes after deep expertise: practitioners in the security industry or the Intelligence Community who have worked on the cutting edge. He finds aspiring novices an unattractive investment. "If you haven't been there, you don't know it. If you don't know it, you can't learn it fast enough." Tseitlin's approach is to look at how a product will apply to a particular market. One overarching challenge they see is the problem of "incredibly high false-positive rates." CISOs need to be able to make better use of their people, and of the systems they've already purchased. Flomenberg focused on one particular family of buzzwords. "If someone comes up to market a 'big data security solution' there's a big problem." Start-ups need differentiation. If you're standing on the claim that "my anomaly detection is better than your anomaly detection," then, Flomenberg observed, "You're on shaky ground." The basis of competition is actionability. "It's hard to imagine that algorithms are going to be enduringly differentiating." Instead, entrepreneurs should consider what unique data asset they're collecting, or what distinctive workflows they're providing.
Perlroth's next question was about the ability to address well-known yet enduringly successful threats. "The big events we read about are phishing attacks. Consider the DNC. Do you see that still as a big gap in the marketplace?"
Ackerman replied by saying, "It's hard to defend against stupid. You can have the most sophisticated technology, but the human element is the weakest one." He sees the challenge as one of shaping human behavior, and described some training and testing efforts he has observed enterprises adopting.
There wasn't general agreement on the value of training. Considering email security, Tseitlin thought that training wasn't the best way of dealing with this issue. He thinks some technical solutions remain to be developed. Most business transactions continue to come over email, which we have to treat as an untrusted medium. He thinks that authentication has been "technically solved," but that such solutions have yet to penetrate the market. So we have, he believes, not so much a human or user education problem, but a market education challenge.
So where, Perlroth asked, are the opportunities? Flomenberg believes that the opportunity to systematically test our defenses is tremendously important. The cloud is the new attack surface, and it's still in its early stages. Containers present huge new surface areas.
According to Tseitlin, "Whatever a VC tells you about starting a new business or innovation is to a degree removed from reality." Entrepreneurs typically know more. Security, he believes, is about a decade behind where IT generally is. A decade ago, for example, IT deployments were generally done manually; that is no longer the case. But security is still in a manual world; it awaits automation. Encryption is the other coming disruption: "Once quantum computing arrives in a few years, all of our encryption goes out the window."
In Ackerman's view, innovation has hitherto been driven by computation, storage, and communication. He thinks security has become a fourth engine in this process. "Everything is now connected, but it's connected beyond what security can handle. This is where innovation will occur," he said. "You need, for example, to make encryption more pervasive, and easier."
Perlroth took up the point about encryption. "Now, if you're a journalist, and you're not using encrypted chat, etc., you're not in the game. How will the new Administration affect security innovation?"
Ackerman replied that he expected more federal budget increases, more regulatory attention to the security landscape, and "a lot more discussion—this is an administration that likes to speak." He looks forward to an increased level of awareness and investment, "a net positive for our community."
Tseitlin was less optimistic. "We know the new president wants to do something about cyber, but we don't know what that is, yet. It's a wild card. There's no actionable advice we can really give."
Flomenberg predicted that we'd make some new friends of former enemies, and vice versa. He thinks that morale at some of the agencies is surprisingly high. "They feel, we're going to do something come hell or high water, and we haven't seen that for some time." And he expects to see some tax policy implications for venture capital.