Sign up for my newsletter to see more interviews with the biggest names in cybersecurity.
You might remember my guest from several weeks ago, Stephen Boyer. He featured the questions that I asked him on the BitSight blog! He expanded on his answers since our interview so I recommend that everyone check it out.
This week I was lucky enough to interview Alan Matthews. Alan himself has a fascinating story. Leaving England at 21 and moving to New York City, he went on to found five companies. One of those companies is Rapid7, one of the largest private cybersecurity companies and apparently an IPO candidate. Rapid7 serves over a quarter of the Fortune 1000 through its vulnerability management, penetration testing, controls assessment, and incident detection and investigation products. Rapid7 has raised around $90mm in funding from Bain Capital Ventures and Technology Crossover Ventures. Take a read through the interview below and let me know what you think!
You’ve said that when you started Rapid7 in 1999, you “didn’t know the first thing” about IT security. Security seems like a space where deep domain expertise is a prerequisite. How did you reconcile that?
Hah! Well, we make bold statements to get the imagination going, so maybe it’s more bold than true. I was not a security expert, although I’ve never shied away from going into a deep domain field with no knowledge. It’s how you learn, and everyone starts somewhere. There are always fewer people in more advanced, complex spaces, which gives one more opportunity to be a leader. I started programming at school in 1974 and joined IBM in 1976. I knew assembly, OS design, and several other useful topics as a background for security, but as a specialty I just knew that this would be important, so it was worth spending 10,000 hours becoming an expert.
You started Rapid7 all the way back in 1999. Can you describe how the security landscape has changed since you started the company? How has the company evolved since then?
Yes, way back then! It doesn’t seem that long ago, and we’ve not solved security yet, so the risks, threats and actors today are depressingly familiar compared to 15 years ago. Probably what’s changed is the use of social media and the broader availability of information about people. That includes the millions of new ecommerce sites created in that timeframe, and the billions of smartphones shipped in that timeframe, all representing criminal opportunities for credit card theft, fraud, or identity theft.
As far as the company goes, we’ve gone from five people to six hundred and fifty people, so there’s been a lot of change! Companies are built on belief: the belief that you can make something great with a tribe of like-minded people. That’s what’s not changed, although the skills it takes to organize that many people are quite different. You have to keep pointing towards a place that everyone wants to get to and inspire them to achieve it first. Most of the time it’s not a mad dash but an organized and logistically complex task that takes many people.
You’ve mentioned that systems are vulnerable 80% of the time and you can fix that, but that 20% of the time, humans are vulnerable and that’s the aspect you can’t fix. To what extent should we be trying to impose good security hygiene, and to what extent should we embrace so-called “human error” and build products expecting it?
Well, humans will make mistakes all the time and we can’t build products that are always fail-safe. We’ve been trying to do it with airplanes for a long time, and what we’ve learned is that training and procedures are the most important things outside of mechanical failures. So end-user training is critical because the value-to-cost ratio is so high. I promote bonus payments to people in any organization that passes phishing tests on its users. We have to make people aware of the problem so they have some vested interest. There is a certain amount of moral hazard in protecting consumers from all fraud because it invites bad behavior.
As far as building products that expect human error, we have a long way to go. In the realm of configuration it’s not possible to know whether the operator intended to allow or disallow activity that in one circumstance could be allowable and in another not. Clearly the NSA didn’t think about administrators of its own systems being a threat, so you could consider that human error because the training and procedures were absent. You could consider the Germanwings disaster an inside threat of its own making, given the inability of the captain to access the cockpit according to design.
You’ve made some acquisitions in the past several years such as NTO and Mobilisafe that bring you closer to offering a full security suite. Do enterprise customers get a lot of value from working with just one security provider? Is consolidation the future of the industry?
The new security landscape is one of data analytics and threat management. There is a race to collect more data and aggregate intelligence to be able to identify attackers and their goals and block only those actors. We play, and intend to play, a role in the warehousing and intelligent analysis of that data. I see consolidation being valuable to companies that want to accrete intelligence that way, so it would be logical for some consolidation to occur. What I don’t think is that there are too many companies chasing too small a market, except in the extreme cases.
- A good overview of the current state of threat sharing legislation.
- AT&T is finally starting to focus on securing its endpoints (the applications) as opposed to the perimeter.
- Security professionals are getting closer to being able to quantify organizations’ cyber risk with cyber value-at-risk (BitSight is already doing this; see my previous guest Stephen Boyer), similar to how traders do with a financial VaR. Over-reliance on VaR doomed hedge funds like LTCM. I definitely see potential parallels in security.
- In an effort to be thorough, security systems produce a lot of noise. 62 percent of IT professionals said that traditional security approaches produce too many alerts and false positives for them to handle.
- To stop Chinese businesses from hacking us, we need to make the costs for them to do so, so great that it doesn’t make any sense. One example might be to delist offending businesses from stock exchanges.
- 13% of TeslaCrypt ransomware victims decided to pay the ransom which was typically between $250 and $500 in bitcoin.
- This isn’t a new post but it’s great and I wanted to go through and summarize it.
- In 2014, at least five companies with no military ties – JP Morgan, Target, Sony, Kmart, and Home Depot – incurred losses exceeding $100M from cyber attacks.
- Typical antivirus/firewall basic security suites are not equipped to deal with APTs which are typically detected via anomalous behavior.
- Many products exist to detect such behavior, but humans then have to go through all of these alerts; on any given day they may only be able to examine 2% of them.
- Target, Sony and Neiman Marcus all received alerts that they were under attack, but their security teams were so inundated with alerts that they failed to prioritize the ones that mattered.
- What to do?
- Figure out your business’ crown jewels and figure out the adversaries most likely to go after those jewels.
- Seek threat intelligence specifically related to these adversaries.
- Use this knowledge of your attacker to remove unimportant alerts and highlight the important ones.
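As an added illustration of those three steps (not code from the original post or from the article it summarizes), here is a small Python triage routine that scores a batch of alerts against a crown-jewel inventory and a profile of the adversary most likely to target it, then suppresses everything with no asset or adversary relevance. The host names, technique IDs, indicator values, severities and the alerts themselves are all constructed for the example.

```python
"""Alert triage by crown-jewel exposure and adversary fit.

Added example, not from the original post. All inventory, intelligence and
alert data below is constructed; the technique IDs are ATT&CK-style labels
used only as opaque keys.
"""
from dataclasses import dataclass

# Constructed inventory: the assets the business cannot afford to lose,
# each with a criticality weight.
CROWN_JEWELS = {
    "pos-db-01": 10,    # cardholder data store
    "hr-file-01": 7,    # employee PII share
    "build-ci-02": 6,   # software build pipeline
}


@dataclass(frozen=True)
class AdversaryProfile:
    """Threat intelligence about one adversary: infrastructure and favoured techniques."""
    name: str
    indicators: frozenset   # IPs / domains attributed to the adversary (constructed)
    techniques: frozenset   # technique IDs they are known to use (constructed)


# Constructed profile for the adversary most likely to go after card data.
CARDING_CREW = AdversaryProfile(
    name="constructed-carding-crew",
    indicators=frozenset({"203.0.113.45", "updates.badcdn.test"}),
    techniques=frozenset({"T1059.001", "T1021.002", "T1048.003"}),
)


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    technique: str
    remote: str      # remote IP or domain involved, "" if none
    severity: int    # vendor severity, 1 (info) to 5 (critical)


# Constructed alert feed, the kind of mix a SIEM emits every hour.
SAMPLE_ALERTS = [
    Alert("a1", "kiosk-17",   "T1059.001", "",                    3),  # PowerShell on a kiosk
    Alert("a2", "pos-db-01",  "T1048.003", "203.0.113.45",        2),  # exfil from card DB to adversary IP
    Alert("a3", "laptop-204", "T1204.002", "",                    2),  # user ran a macro
    Alert("a4", "hr-file-01", "T1021.002", "10.0.5.8",            3),  # SMB lateral movement onto HR share
    Alert("a5", "printer-3",  "T1046",     "",                    1),  # port scan from a printer
    Alert("a6", "laptop-091", "T1071.001", "updates.badcdn.test", 1),  # beacon to adversary domain
    Alert("a7", "kiosk-18",   "T1110.001", "",                    5),  # brute force; vendor calls it critical
]


def score_alert(alert, jewels=CROWN_JEWELS, adversary=CARDING_CREW):
    """Score by crown-jewel exposure and adversary fit; vendor severity only breaks ties.

    Relevance is multiplied by 10 so that any asset or adversary match (at least 5)
    outranks the highest possible vendor severity (5) on an irrelevant host.
    """
    relevance = jewels.get(alert.host, 0)
    if alert.technique in adversary.techniques:
        relevance += 5
    if alert.remote and alert.remote in adversary.indicators:
        relevance += 8
    return relevance * 10 + alert.severity


def triage(alerts, jewels=CROWN_JEWELS, adversary=CARDING_CREW, floor=10):
    """Return (highlighted, suppressed): highlighted sorted highest score first.

    Scores below `floor` mean no asset or adversary relevance at all (a bare vendor
    severity never exceeds 5), so those alerts are dropped from the analyst queue.
    """
    key = lambda a: score_alert(a, jewels, adversary)
    highlighted = sorted((a for a in alerts if key(a) >= floor), key=key, reverse=True)
    suppressed = [a for a in alerts if key(a) < floor]
    return highlighted, suppressed


if __name__ == "__main__":
    hi, lo = triage(SAMPLE_ALERTS)
    for a in hi:
        print(f"HIGHLIGHT {a.alert_id:3} score={score_alert(a):4} host={a.host} tech={a.technique}")
    for a in lo:
        print(f"suppress  {a.alert_id:3} score={score_alert(a):4} host={a.host} tech={a.technique}")
```

Note what the ordering does to the vendor’s view: `a7`, marked critical by the product, is suppressed because it touches neither a crown jewel nor anything the adversary is known to do, while `a2`, a severity-2 alert, lands on top because it combines all three signals. The weights are arbitrary; the point is that asset criticality and adversary intelligence, not the product’s severity field, decide what an analyst sees first.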