Part 2: Marcus Ranum on the state of information securityDate: Nov 16, 2009
At Information Security Decisions 2009, Marcus Ranum analyzes the late golden age of information security and how venture capital (or lack thereof) has dramatically changed the vendor landscape.
About the speaker:
Marcus Ranum is Chief Security Officer at Tenable Network Security.
View the rest of the presentation:
- Part 1: The history of information security
- Part 3: The realities of compliance
- Part 4: Vendor consolidation and technology integration
- Part 5: Predictions for the future of information security
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Part 2: Marcus Ranum on the state of information security
Marcus Ranum: This is where we are right now what I like to
call the late Golden Age of
Computer Security and the prevailing temperature of this time is driven by
worms and professional hackers. Worms aren't as big a deal as they used to
be. I think we all remember with some pain, 2001 and 2002, when it seemed
like there was a new dumb worm coming along every week, that massively
exploited vulnerabilities that your machines had had for years and
suddenly, everybody got religion, about segmenting networks and segmenting
services so that everybody couldn't talk to everybody else. And then the
intrusion detection market turned into the intrusion prevention market.
Well, if we can detect these worms, let's shoot them down and we had a lot
of interesting changes in that time.
But, right now, where we are is we have horrible levels of vulnerability
everywhere. From the end user perspective, the situation is extremely grim.
Everyone is basically exposed and cyber crime has professionalized. Those
two things taken together are really, really bad news. But then, there's
the other piece, the second bullet from the bottom there, the venture
community pulled up stakes and left. The venture community saw the big
firewall of security company IPOs just weren't happening any more. That was
a side effect of the fact that IPOs just weren't happening any more for
quite a while. OK? But they saw that there weren't huge profits being made
in security any more. That the pie had been largely eaten and that there
wasn't really a lot of point in struggling over the rest, and so they
started moving on to user-provided content sites and social networking
sites and stuff like that. But the net effect was, you may have noticed.
There are a lot fewer computer security startups right now. Here's the part
that happened late Golden Age was that the lawmakers started staking out
turf. I wrote a couple of articles in the early 1990s entitled "Inviting
Cockroaches to the Feast" which is what I thought was going to happen when
the lawmakers arrive, and sure enough, I was pretty much right. The
lawmakers come along and here's the thing, if you're a company, what is the
product of a lawmaker? Legislation, right? It's not actually solving
problems. Their job is actually not to solve problems. Their job is to
write laws. In fact, they'll sometimes try to couple laws that they write with
problems they're trying to solve. But in some cases, what you'll see is
exactly the opposite, right? This is where you get the term "unfunded
The Congressman goes, well you know, I could write a law about spam and it's
actually not going to cost the taxpayers anything. It's just going to cost
all the service providers or content providers something to deal with spam.
This is a great way for a lawmaker to be populistic, to play to the
electorate, right? "We're going to solve spam for you." When there are
laws, there are always people that are going to come along and litigate
based on failure to comply with laws. I'll get to that in a little bit. OK.
So that brings us to the current state of security. Let's talk a little
about the industry right now, what's happening to it, what's happening with
it. Of course, I used to work for Digital, and I once thought there would
never be a time when I would see Digital sold for parts but what we're seeing in
the industry right now is, as always, consolidation. In the mid-1990s
during the Golden Age, what we were seeing was consolidation-driven because
there was so much money that if you were a McAfee or a Symantec or one of
those guys, you could buy some startup that had a good idea and your stock
would go up. Just the fact that you bought some startup that had a good
idea, people would go wow, visionary management, and your stock would go
Cisco has been doing this for a very long time, very successfully.
Nowadays, investors have gotten a little bit more canny and they actually
look to see whether the acquisition is an accretive one that's going to
make the company more valuable. One of the things that I found particularly
interesting was the collapse and rapid disappearance of intrusion-detection
market. There are about 5-10 companies selling intrusion-detection
products, and they just vanished overnight. Where did they go? They went
into the firewall companies. Because the firewall companies were kind of
going, wow, what can we sell next. We're already handling lots and lots of
bandwidth, we better offer something else. And there was at the same time
as the intrusion-detection market was just about starting to mature, was
the same year that we started getting all these crazy worm attacks. And
somebody said, "yeah, I know, let's just start buying intrusion-detection
stuff putting it into firewall engines and blocking traffic based on
signatures of the data we're seeing going back and forth." This was a very
good idea, from a technological standpoint although it probably happened
before it was ready. From a customer standpoint, any of you who worked with
the first-generation intrusion prevention systems probably know what I'm
talking about. It wasn't quite ready for prime-time. It worked fairly well.
Now, log analysis and event management is the next thing, that's standing
in the railroad tracks waiting to get gobbled up into other stuff. And
we're already seeing it with EMCs acquisition of log-event management
companies. Those guys are going to appear and then very quickly disappear
would be some prediction. This isn't a bad thing. It's just a thing.
OK. So, what's driving it? What's driving this acquisition and what's
driving most of the market is this over-investment in attempts to do quick
exit strategy startups, in the late 1990s. So the venture capitalists came
in, they saw these security IPOs, they saw the Netscape IPO, they saw all
healthy on, they saw that the Internet was hot and they just shoveled money
into it, and that's why we had companies that did some notoriously stupid
things because they way too much money. Money seems to make people stupid.
The venture capitalists over funded stuff, over invested, and its
inevitable there's going to be some shakeout from it because there's just
not enough money to go around. We'll talk about that in a second. So you
have over 200 security startups funded between 1995 and 2000, so when the
VCs were over funding the security industry, essentially what they were
doing to you customers, the premise that they were putting, was that 9 out
of 10 of the products that you plunked down your money and put your career
on the line for, evaporate in the next five or six years because the
company that produces it is not going to survive, and we know that but just
buy it anyway and trust us, it'll all work out just fine. If you take the
security market today, depending on which analyst you believe, it's
approximately $20 billion give or take 15 cents. The top five vendors
account for $19 billion of the security market right off the top.