Wednesday, July 9, 2014

What Matters to Small Businesses


Ever since entering the cyber security industry in 2000, I have often wondered about the small to medium business market. These are essentially individuals handling sensitive data at an extremely small scale, concerned only with business sustainability at a per-transaction level. What makes them tick? What do they have to lose? What are they worried about? Are they a market worth pursuing?

I have some thoughts.

Recent Experiences

Swim School

Someone close to me has ventured into the small business world, specifically providing a service-oriented business on a very small scale and for local clients only. Her business is seasonal, but she handles financial data from her customers and her employees, and conducts financial transactions. Her service is swim instruction. We are literally talking life skills. She has one computer. She plans to build from small to medium and is hoping for a business that is self-sustaining and ever growing. So in observing this small business, the risks to its actual sustainability include:

1. Poor reputation. The business is largely dependent upon peer relationships and organic growth. If the reputation of the business goes south, then so does the business. Key contributors to a poor reputation include: perception of the value of the service (kids don't demonstrate the expected growth), injury or death of a student, failure to deliver promised services.

2. Failure to deliver services. If for some reason the teachers were unable to attend sessions, or the facilities were rendered inaccessible, the business could not deliver services and would have to refund payments. In a business this small, there is no margin for that beyond the incidental, once-a-year occurrence.

3. Competitive prices. If a competitor (private or public) were to price their services at a significantly lower rate, the business could not attract customers. There is already a balance between quality and price. Comparatively, the low price competition does not actually stack up to my friend's business, but when a family is looking at "swim instruction" for $50 a session vs. $30 a session, that makes a real difference in affordability over time.

4. Loss of finances. The business is currently so small that literally every student counts, and every penny is accounted for and relied upon. A $10 monthly service processing fee for payroll is scrutinized.


I have a relationship with another small business owner in the optometry industry. When talking to them, their main concerns are the availability of patient records and the status of their equipment. None of their services are provided online; they are exclusive to in-person evaluations and consultation. Much of the evaluation is based on trends over time, which elevates the importance of keeping the records available. With two geographically dispersed practices, there is no need for data synchronization across locations, and thus an on-premise paper system works great for the needs of the business. Billing is another story.

In this example, the risks are the same as the Swim School so I won't repeat them. The thresholds are different, but core issues are the same.

Cyber Industry & Threats

Now, compare the issues the cyber industry is concerned about.

1. Malware
2. Fraud
3. Service disruption
4. Data theft (customer and proprietary)
5. Espionage

Does a small business care about any of these? Let's take them one at a time.

Malware. A small business has a malware infection on a local system. What's the worst possible impact? Probably financial malware that steals banking info - let's say Zeus. Banks offer most of these business customers mitigation tactics like multi-factor authentication, and the business is so small that they would notice unusual movement of money should it occur. Is rapid detection and an anti-malware service really helping them in any tangible way?

Fraud. Same argument as above. What's the worst that could happen? Probably that their financial information is stolen, accounts accessed, and money moved. However, are they really being exposed to fraudsters? Are they being phished? Are they selling enough product or services that a fraudster would try to generate fraudulent purchases? Probably none of the above apply.

Service disruption. Most of these small businesses have a web presence, but are not necessarily dependent upon it to conduct their business. Some are, but especially in the services industry, the online presence is informational or used for customer loyalty, ease of scheduling, etc.

Data theft. Some of these small businesses do have sensitive data; however, extending that data into Internet resources (going paperless) actually increases their risk. The worst that could happen is for their customer data to be exposed or stolen somehow, either through a server breach or persistent malware. Again, I'd question the likelihood given the limited impact and financial gain from an adversary's perspective. Denial of access to the data probably poses the greatest risk, which could come from malware that locks access to the system - ransomware.

Espionage. Rarely will a small business have data that is worth the effort of the theft from a competitive perspective. Again, probably not a real threat.

What Do They Need?

Most likely, the core need of these small to medium businesses is solving general IT problems: making sure their computer systems are fast and online.

What they really need is someone to sift through all the noise and help them navigate the fears of the cyber world. They need little more than access controls and desktop AV.

They need consultants who will charge minimal fees to help them understand what they really need and what they don't...from a genuine risk and business protection perspective.

Tuesday, July 8, 2014

Amazing Security at Small Business Prices

Having invested over 13 years of my life in the Managed Security Services Provider (MSSP) space, I had the privilege of having insights into the top InfoSec companies in the world. In my later years as a strategic solutions developer, many of my discussions with business leaders revolved around market and customer strategy and competition. My last role at my unnamed MSSP job included developing strategic partnerships aimed at specific slices of the security industry while, as the broader MSSP, developing next-gen concepts to attract and retain our customer base.

Some of the executives defining our business objectives and goals were consuming reports from industry talkers like Gartner and growth news from competitors (both of which in my opinion were little more than marketing fluff), and were being told the security services industry was in the midst of a boom and would be increasing exponentially year-over-year for the foreseeable future. This led to the inevitable objectives from our excited executives:

a) Build something to put x competitor out of business to capture their market share.

b) Develop something new that shows true expertise and draws attention and customers to us.

c) Change what you do to make our services more competitive than those companies that are experiencing exponential growth.

More simply put: do something cooler than FireEye, deliver something sexier than Mandiant, do it at a price so low that all of the SecureWorks customers come flooding to us.

The Problem

Those objectives I outlined are impossible for a single organization to meet as its primary objectives, which is one reason why I'm no longer with an MSSP. You can't build to compete in a commodity industry and hope that your customer base will fund the development of services to attract the top customers who will truly drive profit, but who expect non-standard and truly cutting-edge services. Here's the deal. Let's set a projected customer base composed of every potential US-based company that would fall into these general buckets:

1. Commodity based or compliance driven security services (~70% of the MSS industry today)
2. Major companies with internal security practices with a niche problem they can't solve (~20%)
3. Top companies with full-fledged, advanced security programs who never will outsource (~10%)

I'll add some more categories: the majority of the MSSP market (the 70%) are organizations who don't know or care about security, but they know they need to have some. The middle 20% are doing the best they can afford, but understand they need help from true experts to fill in the gaps. The top 10% are likely critical infrastructure, defense contractors, IT innovators, or major financial institutions who know and have experienced true security problems like no one else, and have staffed and built accordingly and don't really need services help.

The Gartner projections and the growth bragging done by MSSPs are all focused on the 70%. Having interacted with that segment of the market, my experience is that these organizations want the minimal solution at the minimal price to maintain a minimal level of compliance with some defined standard. That means your products and services MUST be extremely scaled back and dumbed down. They do not actually want to know about security problems because mitigating them costs money. They want to be compliant and ignorant. When you operate in this world, you select products with low value, highly automate and templatize your services, and hire entry-level security professionals looking to enter the industry without demanding much salary. With that combination you will be able to offer competitively priced solutions, but the tools, automation, low-skilled staff, and uninterested customers will not enable you to reach into the arena of advanced threats, which you need to invest in to build the experience that will attract larger customers.

The middle 20% are the exact opposite. They have interacted with advanced threats and have come face-to-face with serious cyber challenges. They know the risks. They know enough about the adversary to be concerned, but not enough to fully act. They know the potential solutions...but can't sustain them in-house and thus need help. They expect unique solutions, in-depth analysis, custom experiences, and proprietary insights into threats and threat actors. To meet the needs of the top 20-30%, you need industry expert intelligence, visibility, technology, processes, top-notch customer service, extremely customized and white-glove oriented services, disaster recovery, flashy presentations, showpiece facilities, blogs on emerging threats, and cash to burn on parties and special events. You need serious money to build and sustain. You need to be willing to go deep with these customers, and you can't nickel-and-dime them to death. You have to sacrifice some profit for the sake of experience. You also need to build a bridge between your standard services and the advanced team satisfying your top-echelon customers. The problem with that model is that once your customers interact with your best services, they will be frustrated by your standard efforts.

You can't deliver anti-malware services to Lockheed Martin that augment their in-house capabilities with an IDS and a $30,000-salaried Security Analyst who follows a one-size-fits-all service template. That won't fly. You can't simply ingest commodity (and free) intelligence from open source communities and inject that into your products to generate automated alerts. Your customer base already does that. You can't deploy low-end, one-size-fits-all technology with a 10-year-old threat paradigm to protect your customer environments, because they can build something better in-house. You truly need bleeding-edge across the board. That is expensive. Really expensive. You can't just send random and standard response recommendations for every detected threat. You can't work in an isolated threat paradigm that doesn't consider the sector or business characteristics of your customers. However, to meet the growth projections of this market (the big ones), you can't afford to do anything more than highly automated, low-skilled, template-driven standard services.

The shortcut lies in close proximity to national defense. However, those partnerships and experiences are locked up by data classification and NDAs, making them marketable but almost unusable. For example, at a defense contractor, I may have solved a significant security challenge for a US Government organization, but I can't take and use that anywhere, and neither can they. Mandiant's APT1 report was old news the day it hit the press for a select group of the security industry, but those "in the know" couldn't share those details. Creating that from scratch in the commercial space requires considerable time, access to rich data in multiple environments, and top talent. This is a common problem for those near defense circles. They want to use their government experiences as a marketing tool, and often do, but their customers don't realize that USG experience and cool intelligence can't be integrated into a standard service. I couldn't. So if someone comes to you saying "our staff are all from the NSA," resist the temptation to be impressed. Nothing against the NSA, but realize all that cool stuff they worked on there is likely isolated to DoD spheres, and the intel doesn't move with them to their new employer.

Alas, if you build to meet the needs of the top 30%, you end up building a service model that kicks you well beyond the interest level and pocketbook of the 70% of the industry in which you are hoping to grab growth and market share as your base for sustainability. You end up with a niche solution that you will struggle to sell beyond a handful of clients. The general market might love your solutions, your branding, and your intelligence, but they will walk away due to sticker price and perceived irrelevance. In my last gig, we had customers provide us similar feedback, saying, "we love your solution, but can't afford it," or "you had the best technical solution, but the price was too high." Likewise, if you build for the 70%, you will never reach the data, the incidents, the technology, the intelligence, the experiences, etc. needed to meet the needs of the top 30%. In my last gig we also acquired a product vendor that had an amazing solution used in USG spheres; however, because of the way it was built, and because of the methodology with which the USG used it, it was almost useless in commercial spheres. We couldn't sell it. Sure, it sounded amazing...but it just didn't relate to the commercial marketplace.

There is also the quality of service issue. As Mandiant is experiencing, if you do launch at the top 10% and try to expand outside of that sphere, you will end up compromising the level of expertise and quality of services you provide. To maintain a high perceived value, you can, like Mandiant does, limit the scope of what you do so specifically that you will always do exactly what you say you will. However, when you expand into the 70%, you have to go wide, which means you need to hire new talent at a pace that will meet the needs of the extended market. As you do, you dilute your value to the point where your customers are left with a 70% service billed at a 10% cost.

As my former MSSP employer is experiencing, you also can't build to compete in the 70% market and hope to attract the 30%. Those 70% customers don't generate enough revenue, margin, or experience to enable you to invest in advancing beyond the realm of the basics.

There is a choice to be made. Go for one or the other. Most industry leaders are doing exactly that. FireEye doesn't market to the medium business customer, and Fortinet underwhelms the advanced security customer. Therein lies a new challenge: the existing competition in a saturated market.

My Conclusion

Based on my experiences, I have come to conclude that, barring some major innovative solution that uniquely changes the way the security industry works in a manner that is compelling to a wide section of the industry, attempting to enter the security market today is an exercise in chasing the proverbial pot of gold at the end of the rainbow. Those Gartner projections are nothing more than a myth unless you are already well established in that sector with the capabilities to capture it. Entering this market to compete with existing solutions or products is a non-starter.

If you want to go after that growth, it needs to be with something truly paradigm changing.

Thoughts on Marketed Solutions

If you want to enter the modern cyber security industry, there is little hope unless you have something so compelling and differentiating that it significantly disrupts the existing industry OR solves a problem that no one else has. It has to be genuinely new, effective, and compelling to a wide section of the industry.

We have a live example in all the "analytics" start-ups. Of those I've interacted with, they all tell the same story, but don't actually offer solutions that are unique. They all say you can't solve modern threat problems with static correlation (they use the word signatures), but then they offer a signature-based system. They all claim SIEM is a failure because it relied on data normalization, contextual awareness, awareness of the problem (known use cases), and defined correlation rules. Then they offer a solution that normalizes data, overlays context through "data enrichment," and requires you to query the data or schedule recurring queries based on questions you want answered (we called that use case and rule development in SIEM). They don't do anything the top 30% can't do, and they price the bottom 70% out of interest. Fail.

Is cloud the next frontier? If leading provider Amazon Web Services (AWS) is any example, my answer is no. They seek to openly share and publish advice on capabilities that are emerging due to customer demand. As customers seek greater visibility, AWS develops it and makes it available to all. The innovations that have come out are simply re-creating what we did in the traditional datacenter within the context of a new virtual datacenter. I'm not saying the two environments aren't unique, as they most certainly are, but the security innovation we're seeing in the cloud is comparatively decades-old thinking being ported to an emerging platform. We've already solved the core issues; it's now a matter of porting what we know we should be doing to that dynamic environment.

Personally, the one major area that is left relatively untouched and unspoken for (apart from the passionate folks at CrowdStrike) is active defense. I know everyone out there is afraid of going blackhat on the adversary, but to quote someone (I can't recall who it was, but it wasn't my original thought), "do we really think the bad guys will sue us in international court for taking down their illegal money theft scheme?" The last frontier, in my opinion, is the disruptive industry. If someone had the gall to actually build out a full-fledged adversary hunting and annihilation service (and I mean purely within the cyber realm), where you could be hired to identify who is targeting a customer and to silence them (again, on the Internet/cyber world), then in my opinion you've solved a unique and compelling slice of the market that should attract everyone.

Who's in?