Risky Business #686
White House to Move on Spyware Industry
Subscribe to the Risky Business News podcast and newsletter.
On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including:
- Half of all UK COBRA meetings are ransomware related
- Ransomware biggest risk to US port security
- White House to move on spyware industry
- EU to launch its own Starlink equivalent
- Much, much more
AttackIQ’s Jonathan Reiber will be joining us in this week’s sponsor interview to talk about how companies and their boards are really moving towards outcomes-based security programs.
Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that’s your thing.
Hey everyone and welcome to Risky Business, your weekly information security news and current affairs show. My name’s Patrick Gray. This week’s show is brought to you by AttackIQ, and AttackIQ’s Jonathan Reiber will be joining us in this week’s sponsor interview to talk about how companies and their boards are really moving towards outcomes-based security programs. And this is something AttackIQ obviously thinks it can help organizations to deliver by doing attack simulation and control validation, which is actually something CISA has started recommending organizations do.
By the way also joining us in that interview is Marcus Bartram from Telstra Ventures, which is one of AttackIQ’s investors. So Marcus is popping in to talk about this outcomes-based guiding principle as it applies to where investor cash is going more generally. So do stick around for that one. It is interesting stuff.
Joining me now are this week’s sponsor guests Jonathan Reiber from AttackIQ and one of AttackIQ’s investors, Marcus Bartram from Telstra Ventures. And the topic is outcomes-based security. CISA recently started recommending that organizations take steps to validate their controls and to do that in a rolling way and technology like AttackIQ’s is a way to do that. And when you think about it, making sure your controls are actually working, it’s not really a crazy idea. So both Jonathan and Marcus say the push towards more attack simulation and validation is part of a broader trend towards outcomes-based security. People are buying stuff because it delivers measurable security outcomes these days, not just because it’s cool and shiny. Here’s Jonathan Reiber to kick this off.
I think there’s an interesting confluence going on. Cybersecurity’s reached a kind of inflection point I think, which is after more than a decade of significant investment and a lot of success for technologies that have entered the market and transformed our approach to cybersecurity, we’re beginning to see cybersecurity move from a kind of cool, fun tech out there requirement that’s like mostly populated by nerds into mainstream approaches, as it actually is just like any other area of human endeavor and you have to train and test and achieve an element of readiness. You wouldn’t ask the French football team or the Australian soccer team or football team to go on pitch and defeat Messi without training against him. Lionel Messi would run circles around you. You wouldn’t ask the Navy to defeat a peer adversary without exercising. And that’s essentially what we’ve been doing in cybersecurity and the result is that things break down and don’t work. So I love that CISA is doing this. I think that they’re saying, look, you got to get ready.
Well, I mean let me just say one thing there, which is Lionel Messi’s going to run rings around everybody no matter how much training they’ve had because he’s essentially a God who walks among us. But yeah, no, I certainly see what you’re saying about the maturation of the field. I do feel like with some challenging economic conditions bearing down upon us, we could see some consolidation. I think people are going to stop buying stuff because it’s cool and they’re going to buy stuff because it’s either essential or saves them money. I think we’re on the cusp of that era. I think there’s probably an opportunity for you there actually, considering your whole business is predicated on determining whether a control is effective or not, right? I mean imagine this is how you’re pitching it given the change in market conditions.
Well, I want to hear from Marcus because he’s like, he’s a lot smarter than me. But we’ve had two major research findings in the last quarter that I think are very important. The first is we did a longitudinal study of customers that use our cloud platform and we measured EDR performance, endpoint detection and response performance, within our cloud environment. We’ve got a whole bunch of on-prem and we don’t see what they do. They’re massive customers. But we found that EDRs only perform at 39% effectiveness against these top seven techniques. And we pick these techniques because they occur in the real world. EDRs block them constantly in the lab environment and they have significant impact when they do happen in a real-world environment. So these things are being blocked and yet when they operate against a customer in a customer environment, customers aren’t stopping them.
The question became: why? Well, it’s not, in some cases we don’t actually know why because we’re not that deep in our customer’s platform. You have to find out over time and ask them what it is, why they think these things aren’t happening. But in some cases folks don’t even turn things on. They install them one time and they hope that they work and then someone else comes in, they forget to sign off on a contract of some sort or they leave their job and then these things stop working.
It’s just like a Carrier Strike Group at sea. If you’re not trying to fix it, it’s not going to work. So that’s like, that was one of the findings.
The second was the customers are saving millions and millions of dollars in finding efficiency in staff and in performance and decreasing the cost of breaches by doing testing to elevate the performance of the money that they’re already spending.
So do you have any actual numbers on dollar savings that people may have made by doing tool consolidation based on control validation exercises?
So we had these five enterprise customers, big customers with revenue in the billions that have been using the platform to discover efficiencies. And they found just below about a million dollars in terms of tool consolidation. So they’re discovering redundancies in controls and they’re able to cut some element of that redundancy to save themselves quite a bit of money.
That’s great. Yeah. Well I think everybody is going to be going for ROI essentials and ROI is going to be the name of the game. It’s always been something I’ve told the little itty bitty baby startups, which is no one buys something because it’s cool, they buy it because they need it, they buy it because it is aspirin for their headache. They buy it because they have to. But I think the truth in that is actually going to become more substantial over the next couple of years.
So joining us also is Marcus Bartram from Telstra Ventures, which is an AttackIQ investor. Marcus, it’s great to actually have a tech investor who does cybersecurity investments on the show because this isn’t, you’re not our usual type of guest, but I’m curious to know what your feelings are on the overall direction of the cybersecurity market, on which types of cybersecurity companies are going to continue to attract funding. I’m really curious to get your sense of the lay of the land at the moment.
I think there’s a few things that are going on that are interesting. Firstly, probably to Jonathan’s point, the conversations I had with CISOs across the industry kind of drive to this idea of an outcomes-based purchase when they’re looking at new technology. So they’re less interested and I think they’ve been less interested for a while in things that give them a score or give them work to do and create cottage industries of people inside their organizations to run these tool sets. But they’re trying to drive to an outcome. And that’s a shift from what we were seeing I think five years ago or even longer.
It was, here’s some tooling, now go train a team of 20 people on how to use it. That was kind of the approach.
Exactly, because budgets are expanding, the relevance of the CISO in the organization grew significantly over the last decade and boards and companies began to appreciate the problem and the risk that they faced. So they’re prepared to invest in all sorts of things to try and figure out what’s the right tooling to solve the problems that they have.
One of the reasons we invested in AttackIQ was we, so prior to that, we had invested in a bunch of really interesting companies that were detecting bad guys, detecting threats. But AttackIQ came at the security problem orthogonally to that because it was thinking about security controls. And we’ve been invested with the company for five years I think. And what we sort of believed and still believe is that ultimately this is like an industrial automation control problem. If you are a security guy and you’re basically trying to run a control environment, you need to be able to detect the state or the control, understand when it shifts, and then do something to address it and have that feedback mechanism continuously running in your business.
So there’s other industries that have solved this problem at scale and have for a very long time, but it’s not very well solved in the security industry.
So where’s the world headed to? I think there’s definitely some resiliency in the cyber industry on the budget side, but I think that’s going to shift if the economic environment continues to deteriorate. So, they’re going to try and hold budget, they’re going to reprioritize where they’re spending and they’re going to be looking to get rid of the vitamins and keep buying the pills, the things that will deliver outcomes and will deliver against real problems.
So that’s one of the lenses we try to think about as we look at new investment opportunities. Counter to that though, is the IT environment continually shifts and every time the IT environment and the infrastructure shifts, opportunities arise for folks to exploit those shifts because they’re not well understood, they’re not properly controlled, and it creates avenues for people to get into a customer’s environment and steal data or do whatever damage they want to do. So that’s sort of counter to these budget problems. So, I think there’s going to be this interesting period of instability here where CISOs are being pushed in one direction and the reality of the world they operate in is going in another direction which makes it a fascinating place to be an investor.
I was just thinking, from my background in dealing with the Pentagon budget when we were doing cybersecurity planning and launching U.S. Cyber Command and investing, the Pentagon has a $40 billion IT budget, or probably more than that back then. And we were always trying to find efficiencies. And when you think about cybersecurity, it’s like your security budget they say should be 10% of your IT budget, which is about right. And that’s about what Cyber Command was. It was like four to 5 billion. I think it’s probably gone up. And the way I think about testing and control validation is how much time are you spending actually making sure that what you’re doing is working? And we had this cost assessment and program evaluation office at the Pentagon led by a brilliant woman, one of the smartest people I’ve ever met, named Christine Fox, who Kelly McGillis’ character in the first Top Gun was based on.
But she does these assessments. She’s always saying, is it actually working? And in cybersecurity, there was no measure around that to say, are things actually working now? When she and I worked together, it was the sequester in the defense budget. So it was an automatic 8% that was being cut off the top. And the question was like, where can you find efficiencies? And for industry, for folks that are looking out at the economic environment saying, I’m spending millions and millions of dollars, in some cases tens of millions of dollars if I’m a large financial institution, on cybersecurity, is it actually working? And the data that we have is, no, it’s not. Things aren’t actually working. So if you add another 10% onto the 10%, so I guess that would be, I don’t know, don’t do math in public, right? Some portion, 10% of your security budget into testing, you can actually elevate and save all the money that you would otherwise be pouring into a hole.
And some of the data that we found is that there’s a 47% increase in security operation team efficiency, 37% more effective SOC analysts, 57% in red team staff. This kind of stuff has just really opened my mind and my eyes to what could actually happen. And for the commercial sector, which hasn’t done this kind of training vis-a-vis the U.S. military in the past, this is a new way of thinking. It’s saying, look, if we’re living in a stage of consistent conflict in cyberspace, then we need to achieve a level of combat readiness. And that’s a mentality shift, I think.
Jonathan Reiber, Marcus Bartram, thanks for joining me.
Thanks for having us.
Patrick, lovely to chat to you. We appreciate it.
That was Jonathan Reiber of AttackIQ and Marcus Bartram from Telstra Ventures there. Big thanks to them for that. And big thanks to AttackIQ for being this week’s sponsor. And that is it for this week’s edition of Risky Business. I’ll be back next week with more security news and analysis, but until then, I’ve been Patrick Gray. Thanks for listening.