People sometimes ask about the process by which we select companies for participation in our accelerator program. One of the challenges with investing in the information security market (or any early-stage technology space) is that of identifying companies with a product that is both different and useful.
While “different” is an important criterion, it is necessary but not sufficient for a product to be successful in the market. For a product to be “useful,” it must address a real-world problem in an accessible way.
Thinking about what might be useful naturally leads us to ponder where the real, unsolved problems lie. In this article I’ll describe some areas in which I see opportunities for people who want to solve important security problems in a new and different way. This list is by no means exhaustive, but it includes approaches where we see underserved markets, new ways to deal with old problems, or significant chances to make a dent in the continuing onslaught of security threats that people experience every day.
This isn’t a technology approach so much as a useful measure of whether a company’s product is likely to matter in the market. As I described in a previous article, if one looks at the history of the information security market, many of the most significant developments have been products that somehow embodied the experience of skilled people who may be expensive, difficult to find or hire, or simply rare enough that it is impossible to find enough of them to fully staff a security function. It is probably fair to say that the same value applies in the network operations markets as well. As we saw with the network intrusion detection system (IDS) market, a product that can identify important events and route them to the most appropriate people may allow an enterprise to make more efficient use of the people who are already there.
The hard part of building good products that embody or automate expertise is that there are natural pressures that tend to make the product complicated for the user. The most successful products not only solve complex security problems with automation, but also provide improvements in product usability and organization workflow.
A definition of a “home run” might be a security product that also simultaneously improves the user experience or user interface of something that people do every day. Those are rare, but when it happens, the opportunity is worthy of note. By some measures, Single Sign-On technology might be one example of improving the end-user experience while also enhancing security. It’s not always easy to deploy, but if done well, many people save time and administrators have a better handle on identity management.
The Internet of Things
A problem in the security business (and perhaps any technology sector) is that people toss terms about without actually agreeing upon what they mean. Perhaps the best example of this is “The Internet of Things.” Because anything can be a “thing” it’s difficult to even know where this category begins and ends.
If you have been wondering which things are capital-T “Things,” here is a list of some examples that might fit the description:
- Network-connected home appliances like the Nest Thermostat
- Network-connected sensor devices such as electric power meters
- “Smart cars” and “smart highways”
- Industrial control systems
- Remotely piloted vehicles
- Any device that can be attached to a wired or wireless network that isn’t a computer or workstation at which you can sit.
This category creates security challenges because:
1) These things can provide a point of entry for attackers to the rest of your network
2) Some of these things have the ability to affect the physical world in real ways
3) These things may be transmitting information about you or your environment with significant implications for your privacy.
Sometimes, existing tools may be helpful for improving the security of connected devices, but there are constraints that may not be present with a regular computer. Connected devices may have minimal processing power, limited communications bandwidth, and in some cases, very limited power budgets due to battery size limitations. This necessitates new ways of approaching security management and monitoring.
Software Defined Networks
Another area that is showing up more and more in the enterprise IT conversation is software defined networking or “SDN.” This is another space that means different things to different people (and vendors), but the general idea is that the flexibility of networking equipment hasn’t improved as quickly as the flexibility of computing systems has. For example, the use of virtualization has made it very easy to move an entire server’s configuration and data from one computer to another very quickly and much more easily than the traditional process of installing everything on a new machine, verifying that the new system does the same thing as the old one, and then moving the data.
Similarly, software defined networking offers the promise of simpler and more flexible network routers and/or switches where even low-level configuration changes to hardware behavior can be stored in profiles and pushed out from a central management point. This technology potentially even allows for radical reconfiguration of the network “fabric” while systems are in operation without significantly impacting throughput on the network.
Obviously, this flexibility is powerful for enterprise network managers in terms of enabling new ways of adapting to enterprise needs very rapidly. This flexibility may come at a security cost, however. The standards and technology approaches in this area are still somewhat young, and some of the emerging standards don’t address security in much depth yet.
Some things to consider about SDN include:
1) The implications of centrally storing the configuration of your entire network on a system that can transmit changes that take effect rapidly;
2) How to prevent unauthorized access to the management/change function on individual routers or switches
3) Emergent network effects after making a change – do side effects “ripple” through the network afterward? How long do they take to dissipate?
Zero-Trust Security Models
Recently, a number of organizations have been advancing an approach to security that is a departure from traditions and practices that current information security practitioners hold dear.
The “zero trust” or “untrusted everything” approach is driven by the need to acknowledge that threats and attacks have changed more quickly than our defenses have. Current environments often have pre-defined trust relationships between various computer systems. The problem is that an attacker can compromise one system and use it as a springboard or stepping stone to other systems that are configured to trust the first.
These approaches often explicitly reject the idea that there is an “inside network” of trusted resources and an “outside network” full of bad actors waiting to attack things.
In the past, enterprises would often deploy some perimeter security technology at the border between the “inside” and the “outside”, while frequently neglecting security improvements to systems on the “inside.” Security people have long referred to the resulting condition as having a “hard shell with a soft, chewy center.”
Today, not only is there ambiguity about exactly where “inside” ends and “outside” begins but also an increasing mix of mobile devices that may connect to internal networks while also sometimes traveling to hostile or insecure networks. Using your mobile handset in a favourite coffee shop and then in the office might be an example of that scenario. Sometimes these devices may even be personally owned, which may make it difficult to choose a satisfactory protection regime that allows users to get their work done on tools with which they’re the most comfortable.
In order to even begin to address this ambiguous environment, it is necessary to make some decisions. One decision that can guide the beginning of a workable strategy is to declare that bring-your-own-device environments, and networks running personal applications should be considered untrusted.
Some organizations choose to turn a blind eye to the prevalence of personally owned devices and personal applications while tacitly acknowledging that there is a productivity benefit to allowing their use. Reality requires that an organization develop a strategy to mitigate risk sufficiently in a world that isn’t black-and-white.