Why a continuous state of compromise demands continuous validation of security
Eight and a half years ago, I made the decision to leave a well-established, publicly traded technology company to go to a small startup security company called Bit9. I was there 2 days when I knew I was “a start-up guy” (not to be confused with “a stand-up guy,” which of course I also am. But you knew that).
Today, I’m doing it again. Today, I am part of Randori.
Knowing I was a start-up guy, the question was: which one? As everyone in infosec is acutely aware, you can’t swing a dead cat without knocking over a half-dozen startups, most of which you’ve never heard of and never will. So how do you pick the one that will become a household name in the world of security?
To me, it’s about identifying the forward thinkers on the cutting edge of the ever-evolving, problem-solving, cat-&-mouse enigma that is the pursuit of stopping bad guys. Those are the ones who throw the football to where the receiver will be, in a world of people who throw to where the receiver is now. So much of what is built and invested in within the InfoSec space is like Boston’s Big Dig of technology: Trying to solve today’s problem through an undertaking such that the solution will be obsolete by the time it is complete enough to have been relevant. What will the landscape look like in 2022, 2025, & 2030? What tools will we need then that we may not know we need today? What will be true then that isn’t true today? What will still be true then?
If you can find those people, you will have the best chance of success. I know for a fact that those people are at Randori, and that’s not something I can say about anywhere else. I know because I heard these same people – in 2013 – talk about what the market would be saying in 2016 (“most companies will understand that they are under constant attack”), and in 2020 (“most companies will accept that they are living in a constant state of compromise”).
We didn’t all still work together when I saw their words proven right. Some of them had already left to start building what is needed today; to build what the most forward-thinking of security practitioners know they need today: Continuous validation of the efficacy of their security posture.
The angst and paranoia that all of us in security live with every minute of every day stems from the fact that, at the end of the day, all of our plans boil down to this simple formula:
1. Do everything you can to prevent the bad guys from getting a foothold.
2. Prepare for what you will do when they get a foothold, because
3. They’re eventually going to get a foothold.
There is sort of an unspoken 4, which is:
4. Hope it’s not today.
Not ironically, for over 8 years I have consistently said, to anyone who would listen: “Hope is not a strategy.”
So despite us all doing everything we can to prevent the inevitable, and everything we can to prepare for the inevitable, no one (or very few, now) has the peace of mind of living in a perpetual state of knowing that as of a few minutes ago, the inevitable hadn’t happened yet.
Randori are the hackers+developers that work for you, continually pressing on the foundations and fortifications of your environment to find the soft squishy spots that can be leveraged to bypass your defenses and take ownership of your assets and IP. Randori continually validates the effectiveness of your security posture by thinking and acting the same way nation-states, criminal enterprises, & hacktivists alike do; we do it using the same tools & the same techniques. But WE do it because YOU asked us to.
If we have come to the point where we have accepted that compromise is inevitable, doesn’t it stand to reason that we have come to the point where we should be investing in knowing whether the inevitable has happened? And if not, shouldn’t we know how likely it is to happen, and what we can do about it?
I believe we have, and I believe we will all believe that soon. That’s why I’m at Randori.