00:00 Welcome to the a16z podcast. I'm Michael Copeland, and we are continuing our discussion of security. We are lucky to have Andrew Rubin, CEO and co-founder of Illumio, along with Gaurav Banga, CEO and co-founder of Bromium. Welcome, guys.

00:14 Welcome. Thank you so much. Happy to be here. Thank you very much.

00:19 Well, Gaurav, I read something that you had said or written: the barbarians are at the gate. Am I being attacked?

00:26 Yes, you are. And what "barbarians at the gate" means is that never before have we had so much online, encoded, computerized: every aspect of our existence, how we invest, how we get paid, how we do health care, how we deliver power, everything. And unfortunately we built that on a security platform which is not architecturally sound. If you're getting attacked every day, it's as if war and crime just came online.

01:01 And you, how do you view that, and how do you or the folks that you talk to kind of internalize the fact that if I have stuff out there that's valuable, people are going to want to go after it?

01:10 So I completely agree with Gaurav that we're effectively digitizing everything, and it's literally everything. It's everything from the way that we bank to the way that we hail a taxi or a car to move from point A to point B. So inherently there's a lot more digital and electronic to protect. I think the aha moment for security, and it's recent, it's measured probably in months or maybe a year or two, is that this concept of being in a binary state of safe or breached is no longer a viable way to look at the world, because with this much out there it's almost an assumption that you've already been breached, or you will be breached, and you may not know it right away. And what we're hearing more and more now is this concept of how do I reduce the surface area of attack when I'm breached. That's a very different security conversation than we've had for the last 20 or 25 years.

02:02 So you're saying it was a matter of months before that kind of mindset shift happened. Why, why finally do you think that occurred?

02:09 I don't think it's any one thing. I think it's a combination of a few things. So the first one is that there's a lot more places to put stuff. I mean, if you think about five years ago, whether or not we really would look at the public cloud as a truly viable alternative to your data center that you built, owned, controlled for the twenty years before that, there was a debate. Now there's no longer that debate. It doesn't mean everything will land in the public cloud, but it means that it's a viable alternative. So we're more distributed and more heterogeneous than we've ever been. I think the other thing that's going on is there's a shift in the way that enterprises are thinking about running their infrastructure and applications, and the shift is all based on agility and speed. And unfortunately security doesn't really like speed. Those are two things that traditionally have been at war with each other: the faster you go, the harder it is to understand what's happening and certainly the harder it is to protect it. Unfortunately that friction point is no longer tenable, right? Enterprises are going to go fast and they're going to need to do it with security at the same time.

03:11 So, Gaurav, for you guys, how do you address that tension between going fast, operations, and, you know, security? We've been talking about this, how you know you need to respect security but you need to get things done. So in companies, in an environment where speed is of the essence, how do you reconcile those things?

03:32 So to be able to reconcile, you first take a step back, and just to add to what Andy said earlier, you know, the world has changed, the world is changing. You start looking at, besides... so cloud is one very important development that has happened. Another development that has happened is mobile, as you all know, right? And then another one that has happened is that you're relying more and more on the internet, which is, you know, not just cloud as in, you know, you do cloud computing, but the fact that you're very content dependent: you are reading large amounts of content, and you're exchanging and sharing that content, you're trusting each other over the internet. So if you look at all these trends, the first thing you do is you take a step back and you examine how the security architecture must change. And one of the other requirements that comes is that the security architecture must also be responsive to the need to go faster, right? Now you came up with a set of requirements: your new security architecture, or your modification to the existing security architecture, must have these properties. It must deal with the cloud, it must deal with mobile, it must deal with consumerization, it must deal with the fact that we are relying more and more on internet content, it must deal with the fact that change is more common now. Then it becomes a computer science, a computer architecture, software design problem. And it turns out that it is, I mean, and here's the message of hope: it does turn out that, you know, it is possible for human innovation to come up with such a design which is more sophisticated, a more thoughtful design on security, but you can put this together.

05:14 And I'll build on that. I just want to kind of add one thing: you know, when we launched Illumio into the market last October, so about six months ago, obviously the amount of feedback that we started to get, because we were talking to more people and certainly talking more openly, went up very dramatically. And one thing that's interesting is, consistently across the board, customers are saying to us that they're finding that there isn't a natural or easy iterative path from the architecture of the past. What Gaurav said about having to rethink the problem from first principles, we're actually hearing customers say that. So despite the fact that you started off mentioning that everybody's dressed in black and so it must be security, what's interesting is that it actually doesn't seem that eerie, for one very simple reason: because for the first time in decades the customers are actually in a place where they're willing to truly rethink this from the very beginning. They understand that there's a new set of problems and a new set of challenges that security has to face that aren't built on the problems of the past, and therefore they're willing to look at a completely new way of solving it. That's a massive change in the enterprise, in the customer mindset.

06:17 That goes, I guess, with this shift to the cloud, right? I mean, they're willing to look at that in terms of running a business, and so they're also willing to look at ways to change their security approach.

06:29 Well, and I think if you look at it, some of the organizations that you would think are least likely to take advantage of things like public cloud, or allow open access through mobility, they're willing to do that. Then it's not a leap or a very far step to imagine them being willing to look at security through a completely new lens for the first time in a long time. The challenge is that the industry has to respond by bringing things to market that actually start from a blank page and allow the customer to look at it not only as a new set of problems but also from a completely different way of trying to solve them. And so we have an obligation, sitting on our side of the table, Gaurav and I and others, to actually bring things to the customer that fundamentally start from a different place than just simply iterating on the architecture or the model of the past.

07:12 So you guys have different philosophies in your companies about how to approach all this change. If barbarians are at the gate, they're trying to get in all sorts of different ways, in new ways, all the time. How do you then anticipate kind of the new... you know, it's one thing to change my architecture and sort of head off on a new direction, but if I don't know where the next breach or attack or, you know, bad thing could come from, how do you approach that?

07:41 So I mean, this is, if you take a step back, and it's hard to take step backs because life is just so busy, and you may take a fresh step back: the problem that we are trying to deal with, that is what you were terrified about, unseen and unknown, what you don't know, what you don't see, what you don't see coming. The instructive way to think about it is actually just go back to the drawing board again and say what has happened. What two things have happened? The way we do IT is changing, with cloud and mobile and all that; that's one aspect. The other aspect is we have so much online. Just forget... so imagine we had none of that IT change; we still have so much online that it has become very rewarding for the bad guys, for the adversary, to come after you in the online space, right? Now, none of this is new. So shifts in IT have happened before, shifts in our way of life have happened before, and war and crime is as old as, older than mankind, as old as mankind. Why do you want to look at it? So the way you want to think about this is go become a student of war and crime: how war and crime works, what are the economics of war and crime. And then go become a student of some of the computer science behind that. That gives you the approach you need to take, that gives you the approach. So for example, why would people come in and say I'm going to spend $10,000 on this malicious software exploit so that I can hack this Fortune 500? Why? Because that $10,000 is a small fraction of the reward that you would earn from that, and it is much, much cheaper than trying to attack the bank in the physical world. That's the reason why they do it, right? What makes their job easier? What makes their job easier is the sheer complexity of IT, but also the fact that things are shifting and IT security is behind the shifts, like the fact that you're in the cloud, the fact that you have... So now the best approach is first to recognize that this is happening and then to come back and design what your response to this is going to be.

09:50 And how do you guys approach that? I know you talk about reducing surface area.

09:57 We do. So we talk a lot about reducing the surface area of attack, because there's a premise that security functioned in a very binary world for a long time. Security's job was to keep you safe, and safe inherently meant that nothing was wrong, and of course when safe fails then it seems like everything is wrong. The way we would say it is, it felt like you were either perfectly safe or catastrophically breached. And what we're finding is that where customers are now working off of, it's just a fundamentally different assumption, which is I'm probably breached; if I'm not already, I will be. And it's equally interesting, and maybe even more so, to ask the question: when that happens, what is the surface area of attack? How much damage will something inflict? What is the blast radius inside of my data center or cloud when something goes wrong? So from an Illumio perspective we really look at it in terms of mirroring the compute environment, the infrastructure and application environment, so that security doesn't feel like a bolt-on, doesn't feel like something that gets tagged on after the fact, but security is from the very beginning built into the infrastructure and the application, and follows the motion as things drift and change over time. And part of our story is to distribute the policy and the enforcement out to all of the individual workloads, so that the surface area of attack is no longer the perimeter or all the things behind it, but the individual workload itself and how it's talking to and communicating with other things inside of the environment.

11:20 So you get access to just this small slice, you know, even that...

11:24 That's exactly right. And actually what's interesting is even the perimeter in its most traditional sense, when we used to wrap a brick wall around an entire data center, that really was effectively the same theory, in that I was putting a brick wall around a group of assets, a bunch of servers sitting inside, and therefore they were protected. What we're doing is we're simply taking that and shrinking the surface area of attack down dramatically, dramatically, to the point where it could be a single server, a single VM, and now, with an announcement that we made last week, even a single process running on one of those compute instances. But all of it comes back to the same thing: how do we have the ability to distribute security dynamically, make sure that it's always provisioned correctly in a dynamic world, and how do we reduce the surface area of attack?

12:09 Gaurav, for you guys, there again there's this idea that, wow, it's security, it's gonna slow me down, it's gonna be a pain in my arse. You know, how do you make sure people use it, and how do you advise, you know, your customers and folks in this world to make it easier?

12:25 So actually, you know, the thing that makes it easier is when you design with these assumptions built in: when you design something where mobile is not excluded, the Internet is not excluded, the cloud is not excluded. And some of the tools that you use are, you know, this whole idea that Andy talked about earlier: it is micro-segmentation, micro-virtualization, which is what Bromium does, whether you do it in the network in the data center or, like what Bromium does, in the endpoint. It gives you that exact tool. So why, what do people care about? People care about doing whatever they want to do. That's right, they want to click on everything, right? I've seen you click, if you want. Right, right. So if you want to click on anything, if you want to run, and you cannot be told that you may not do that, then the question really becomes how can we create the environment and the infrastructure so that you can do that safely. And the approach that Bromium takes, the approach that we've taken, a whole bunch of others, and it's not very dissimilar, it's actually a dual of what Andy just talked about, but from an end-user perspective: it is, then, you're running a piece of code and you don't know about the origins of that piece of code. It could be a website or whatever. One thing would be to give the website access to your entire computing environment. Another way would be to create a virtual machine container in which the website is allowed to run, and this thing may not escape: whatever the side effects of this website are, they are not allowed to escape the virtual machine container. Now this is very powerful, because you never say no. Micro-virtualization allows you to build boxes, tiny boxes, around untrusted pieces of computation. That means you never say no; you always allow any kind of computation, you just build boxes that control what leaks out of that container, what is the scope of that computation. So it just becomes very empowering, because in our system, or in the systems that are built in this way, you can literally do whatever you want to do. It is just that when you are, it's like using a burner cell phone: why do you have to buy a cell phone? You throw it away. It's like using disposable gloves: so if you have a thick enough disposable glove, you can touch anything. Why? Because you don't really care, it's gonna get dirty, you want to throw it away. Right, right. But it gives you this power of being able to touch the dirtiest of things and the sickest of patients and so on and so forth. So this is a very different paradigm shift, where you're designing the infrastructure from the ground up in such a way that saying no to the end user is not an option. You are going to be secure in spite of the user being able to do one thing, to do anything, and click on anything and go as fast as they want, or as fast as they...

15:06 I see. Let's talk about courage versus foolishness and take a step back. You know, I'm gonna have the courage to move to the cloud as a company, as a... you know, what's courageous and what's foolhardy? You know, courageous is, I don't know what, but foolhardy is staying on Windows XP, for example. How do you guys view that?

15:25 So it really is, you know, there is, or one of our friends, the CEO of Aetna, Kimbra, he said it very famously, you know, this is the top, this is the ten-percenter: what is that? It's the CISO, "see-so" or "sigh-so" depending on how you pronounce it, the chief information security officer that takes risk to reduce risk. Well, the reality is the world is changing. If you say status quo, you might think that your risk to your business is not increasing; the reality is that it's increasing really, really, really fast, faster than you can control. So in order to deal with the risk, in order to deal with the changing conditions, you have to take a risk. And unfortunately none of the existing big vendors is going to give you what you want; you have to think about a new approach. So foolhardy is going through the world thinking nothing has changed, it's business as usual, I can keep saying no to the end users until the such day that my company is gonna get breached, or I'm going to get fired, or I'm going to have to fire somebody, right? Or smart is realizing that things are changing, go through this process of selecting and deciding what is good, what could be good, taking them through the paces and moving, intending to adopt a new approach.

16:46 My view, I think courageous in this case is actually responding to the needs of the organization, and being able and willing to look at any tool, any form of infrastructure, any operating model that allows the enterprise to do what it needs to do. It takes courage to actually say we're gonna implement completely different things than we have in the past, but we're doing it because the business requires it. I think foolhardy is assuming that the only thing that you have to secure all these new things is what you've had in the past. And what we're finding, like I said earlier, is that customers for the first time are actually very open to looking at completely new and different things because they realize that they're solving for a new and different set of problems.

17:27 Let's talk about mobile a little bit. Gaurav, you brought it up, and Andrew, you've referenced it. Mobile: everybody's got a smartphone. Not all of us, you know, snap them in half and throw them away after we're done with them. What's new in the mobile world, and what are you guys seeing, and how are people responding?

17:44 So our view of mobile is slightly more nuanced than that. There's a laptop and a tablet; it is a real mobile vector, and it's a vector of attack primarily because it leaves the four walls of the enterprise, and all of the traditional defenses which rely on the firewall, those are just out of the line, right? So that's the reason why these things are far easier to get to, far easier to attack, and, you know, that's just the economics of it. The world of mobile smartphones, and also tablets, introduces a different kind of problem, which is the problem of information management, right? These things, bring-your-own devices, consumerized devices, have very primitive controls in terms of information management, while there's not much malware... malware does exist, but not much malware exists for attacking mobile devices by themselves, like in the Android and the iOS case. But the more important thing is that the CIO has very little visibility and very few controls towards what's going to happen. Now there are companies that are doing the right things and providing you with the right levels of control, and CIOs, some of them, are trying to adopt those controls and being successful. Of course a lot more work needs to be done.

19:00 And what we're finding is that it's becoming, in a sense, just another access point. And the reason I say "just another" is not to diminish how important it is to understand that. I think every CIO's dream would be to really truly be able to have a perfect picture of everything that can access every application and every piece of data in their environment, no matter where it is or who provided it. But it's, in a sense, it's a fool's mission: number one, because it's hard to drive that kind of control over an organization nowadays, and number two, because it's somewhat antithetical to the way that the business is trying to operate, to enable speed and agility. What we're finding is that what customers are doing is they're actually identifying what they consider to be their highest-value targets. They're identifying the applications, and specifically the data, that is the most important asset that they have. They're figuring out where those things are, and they're realizing those things are what really count, at all costs, wherever it is, however it gets accessed.

19:53 That's exactly right.

19:55 What about taking the offensive? We talk a lot about gates and walls and perimeters, and we know that those are being breached, but what about, like, rushing out and going after folks, or making sure that the attacks don't even happen in the first place?

20:05 There would be an interesting assumption if you could actually work off of the premise that the attack doesn't happen in the first place. I can only tell you anecdotally that in the customer conversations I'm having, they're certainly coming at it from the opposite angle, which is the attacks are not only persistent, they're not only growing in number and frequency, but in a lot of cases they're growing in severity. And so I think the question is what is the definition of proactive, if that's the premise of the question, right? And what we're finding is that the definition of proactive is to actually understand exactly what it is that you have, where it's running, how these things are talking to each other, and then put a set of controls in place that actually allow you to ensure that the right things are happening, and thereby the wrong things, if and when they do happen, are immediately flagged as out of profile and are either stopped or certainly responded to very quickly.

21:00 Right, so it still doesn't sound like, you know, in that sort of offense-versus-defense kind of view of the world, you need to get, you know, your processes in place, know what you have, know what you're securing, know what's important, and then once that's done, and maybe that's never done, think about going after somebody or some next phase of security.

21:21 And I have one other thing, which is that what we're finding more and more often now is that visibility leads to knowledge, and knowledge actually allows you to secure whatever it is that you're trying to protect. There's been a lot of security thrown at a lot of organizations without really truly understanding what it is that it's protecting, because, as Gaurav mentioned a few moments ago, you know, the world's gotten not only very scaled but it's also become very dynamic and very complex. And so the what-seems-to-be-simple task of simply understanding where are all of my assets, in the Illumio world it would be where are all my compute instances, how are they talking to each other, that's not a static problem any longer. It's not a snapshot where you look at it on Monday morning at 8 o'clock and that picture remains resident for the next two months or six months or two years. That picture actually looks different 15 minutes later. And so just understanding, being able to see and understand what's happening, if you have that, you're probably going to do a much better job protecting yourself. But that's a very big challenge before you ever get to the protection piece of the story.

22:21 Yeah, I agree. I mean, attribution and then going after the bad guys, I think we have ways to go, and it's just what we can do in terms of, you know, it's just very easy to miss out, to give something to somebody today. I think we have a lot of technical work to do in that, and then also we have very primitive controls across countries. We don't have the Interpol equivalent, if you will; we don't have the nation-state to nation-state trade agreement that this is not done, and this is, we're gonna, you know, extradite those people and bring them to a foreign jail if they do X, Y and Z. The legal systems around cybersecurity are much more improved now than, say, ten years ago, but they're still very primitive compared to, you know, murder and, you know, physical extortion and physical theft and grand larceny and all those good things. I think there's a ways to go before that will happen, and maybe nation-states can do this to each other, but whether commercial enterprises should go over there, or have the means to go over there successfully...

23:25 Right. So based on what you guys have told me and discussed, it doesn't sound like we should all light our hair on fire and go running in the streets. No need to get hysterical. But if I'm a chief security officer, if I'm a CEO, if I'm, you know, on a board, what is, you know, if we can't win against these attacks, what can we hope for, and what does winning sort of look like? You know, and I'm doing air quotes around winning, if it's not beating them.

23:53 I think winning is enabling the organization to do what it needs to do, to conduct business, to remain competitive, to grow. And there's a whole series of things that we've done with the infrastructure and the applications, and really the entire IT model, to allow that to happen better than it ever has. And then security has to realize that its job is to protect that motion no matter what it looks like. And so the reality is the answer for what does security look like today is probably going to be different even a year from now and certainly five years from now. So it's not a fixed answer. It's not that there is the right model and the right model is the only model. The model is that security has to evolve as quickly and as dynamically as the infrastructure and applications that it's protecting, and so long as those things keep changing, security had better find a way to keep up and mirror it.

24:39 I think change is the answer. You have to... what is very obvious is the existing way of doing things doesn't work, and if you are not embracing change, the right kind of change, empowering someone who has, you know, got a lot of budget and money behind them, a good clear charter to say what you want to do first and what you're going to do second, then you're not doing your job as CEO of a global company.

25:04 Well, change is gonna happen, and risk needs to be taken in a smart way, it sounds like. So we'll keep an eye on this and we'll keep talking to you guys. Gaurav, Andrew, thank you so much.

25:15 Thanks so much for having us.