This week I was lucky enough to talk to Lookout's Cofounder/CTO Kevin Mahaffey for 20 minutes over the phone. Kevin founded Lookout with two friends while he was still an undergrad at USC and the mobile security company is now valued at over $1bn! They most recently raised a $150mm round in August 2014 led by T Rowe.
In news this week, A16Z just finished a series of podcasts on security and I give highlights of a few of them in this newsletter. More highlights of the remaining podcasts to come in future newsletters.
I hope you enjoy this week's email and thanks so much for reading!
Interview with Kevin Mahaffey:
Your “2015 Cybersecurity Predictions” presentation noted that you think that the traditional reactive model in the security industry will begin to transform into a predictive one. My interpretation of the industry however, was that nowadays, hackers are going to get into your systems no matter what, and it’s more of a question of discovering the breach and mitigating the damage. Is predictive useful when hackers are getting in regardless?
- Having a predictive model and saying that the bad guys are already in and you should mitigate the damage are sort of saying the same thing. Ideally, you don’t want to just remediate the effects of breaches, you want to identify that breaches have happened before they cause damage. We do this by pulling heuristics from previous attacks that we’ve seen across the 60mm mobile devices that use Lookout, and trying to determine whether any of the heuristics that generally signal an attack are present on your network.
- In the past, antivirus and other software worked by identifying signatures that were used in previous attacks. This is still useful, but the biggest problem today is that people are attacking you from a new place on the internet or they’ve changed the signatures. The question becomes how do you find a bad guy if no one in the past has ever said that the IP address that he’s using is bad.
- The analogy I like to use is that of a security guard in a bank. If the security guard had a database of all the fingerprints connected to criminals, he would stop some repeat offenders, but he would miss the bad guys that are first time offenders or the ones that have never been caught before.
- Instead, security guards look at heuristics--what is a person wearing, are they acting suspicious, are they carrying anything etc. This concept works quite well in the real world and machine learning has advanced to the point where we’ve been able to input data from the 60mm devices using Lookout and then act like that security guard in the virtual world.
Mobile security has for a long time been thought of as MDM. Does MDM go far enough in addressing today’s mobile security concerns? Do you see the major MDM players as competitors?
- We don’t see MDM as competitors at all. MDMs are necessary for a lot of use cases but we sit alongside an MDM and help them apply their policies more effectively with respect to security. We make them smarter with regards to security.
A few months ago Google launched Android for Work and they’ve been working hard to increase Android Security (on-body lock function, etc). Are they doing enough?
- A while ago Google noticed that third parties were trying to build apps to add features to make Android work in the enterprise. Google is just now starting to provide the hooks to allow enterprises to adopt these platforms.
iPhones have traditionally been seen as safe and malware-free. You’ve mentioned that you think that’s changing and I’m curious why that’s changing now? Do you think the image of iOS as the safe operating system is going away?
- This is a complex question so I’ll break it down into two parts. There’s mainstream malware and then there’s targeted malware. Mainstream malware attempts to infect as many devices as possible and targeted malware really just needs to get into one person’s device (think system administrator) to be effective.
- Android is much more popular in the world, especially in the places where malware tends to originate. Additionally, it’s much easier to develop and release apps on Android (because you don’t have to go through a centralized, regulated app store). These factors have led to most of the mainstream malware being released on Android.
- We detected the first mainstream malware for iOS in the tail end of 2014 and we may see some more in the future.
- Targeted malware is very different--you really only need one device to accomplish your goal and whether you try to infect an Android or iOS device is just a question of whose device the person you want to attack is carrying.
You’ve raised money from some of the top VCs but you’ve also raised money from some untraditional tech investors (T. Rowe, MS, GS). Are these really big untraditional tech investors able to add value in the same way that VCs are, or did you choose them more because they could write really big checks?
- Traditional VCs are great at the early and growth stages in terms of adding value but maybe not as much in the later stages. Nowadays companies are waiting longer to go public and I can’t disclose any specifics, but the institutional investors are able to help private companies in the same ways that they would help companies of a similar size that in the past would have already gone public.
Obama has made threat sharing the pillar of his cyber strategy. Given the lack of trust between Silicon Valley and the government, how feasible is this approach and more generally, do you see threat sharing as an effective method of attack prevention?
- The approach is feasible. I can’t comment on the legislation but there’s a lot of concern as to what level of immunity companies are given when they share data and whether they will be liable for the information they share.
- The second concern is whether under this law, governments will be given access to data that they shouldn’t have.
- I will say that if there are known threat indicators, everyone in the world should know them. Someone shouldn’t be able to get hacked by something that could have easily been stopped if they had had that information. We should be better than that as a species.
Risk IT and services spending to reach $78.6 Billion in 2015
- IDC claims the space is growing at a CAGR of 7% and will reach $96bn by 2018.
Hard Rock Hotel & Casino suffers data breach
- The breach was a POS breach (similar to those that occurred at Target and Home Depot) and apparently lasted 7 months before it was discovered.
Where Are We Now? The NIST Cybersecurity Framework One Year Later
- The set of cybersecurity standards has seen widespread adoption in the private sector. It appears the framework is quickly becoming the de facto standard for cybersecurity.
Cybereason raises $25mm from Spark and Lockheed Martin
- Cybereason performs real-time threat detection. The strategic partnership with Lockheed Martin comes just weeks after Lockheed competitor Raytheon purchased cybersecurity firm Websense.
Darth Vader on Security: A Memo to Team Death Star
- An amusing parody of some of today's major security issues.
Resilient Systems Builds The First Platform For Security Response Management
- Cofounder/CEO John Bruce claims that billions are spent each year on security companies that aim to prevent and detect attacks, but that there aren't any companies that handle the crucial task of response - Resilient aims to change that with its platform for incident response management.
a16z Podcast featuring Illumio Cofounder Andrew Rubin and Bromium Cofounder Gaurav Banga: How to Think About Enterprise Security Today
- Rubin - Security doesn't traditionally like speed, but moving forward, organizations are going to go fast and security needs to keep up. Customers are finally saying, we need to rethink security from the ground up--there's not an iterative change from the current systems that will work in today's world. At Illumio, we attempt to reduce the surface area of attack. When you're attacked, how much do the bad guys have access to? We want to protect all of the individual servers, processes, etc, so that when bad guys get in, they only get access to that small slice of the organization.
- Banga - How do we make security usable? People want to do what they want to do and they don't want security to tell them what they can't do. Bromium creates a virtual machine container around untrusted pieces of computation so that if bad stuff leaks out of that, it's contained to that container. It's like using disposable gloves - it doesn't matter how dirty they get because you can just throw them away afterwards. Therefore, security is maintained without diminishing the user experience.
A16Z Podcast featuring Wired Reporter Kim Zetter: How Hacks Happen
- Common Theme: Hackers are getting to companies through third party vendors who have access to the company’s systems.
- Attribution: Attribution is always difficult. If u can trace an activity back to an IP address, there's also the question of whether the user of that computer as well was hacked. Most often we catch hackers when they make a stupid mistake.
- Disclosure: More and more we're seeing companies disclosing that they've been hacked as quickly as possible.
- Offense: It's a slippery slope. Crowdstrike started talking about "attacking back" several years ago until they realized that what they were doing could be illegal.
- Threat Prioritization: It's hard for companies to distinguish between threats that are serious and ones that aren't. Target received alerts before they were attacked, but they had so many alerts that they ignored the ones that led to the major breach.