Tuesday, September 24, 2019

Sexy versus common cyber problems

Many people in the cyber security/defense/IT community are fascinated by the "sexy" work of high-end vulnerability researchers. Often the word "hacker" and someone who can break into any hardened system become confused in modern culture. The people who find so-called 0-day vulnerabilities (vulnerabilities in software that the vendor doesn't yet know about or have a fix for) and turn them into exploits are often looked at the top of the pyramid of hackers due to the incredibly challenging technical obstacles that must be overcome, the deep and arcane knowledge of system semantics and architectures and the obvious intelligence of many of the practitioners of this domain.

The Google P0 team is probably the preeminent public global team researching and publishing novel attacks against hardened systems such as Windows, Chrome, iOS and other software systems critical to the secure usage and survival of the Internet. They are impacting the gray market for vulnerabilities. Other teams conduct this research as a PR function for their product or services firms. Many high end teams are restricted to secretive government (or government funded) laboratories or government agencies to support law enforcement or national security objectives. And a small amount support themselves or a larger criminal syndicate through the development and use of these capabilities. When I did a Google search for vulnerability research, I also found Brene Brown which made me chuckle. (Different kind of vulnerability research!)

Blackhat and many conferences were built around a platform to share the latest and most interesting "hacks" that these researchers have developed. News stories and books are built around the challenging accomplishments of the individuals and research teams. Vulnerabilities come with their own logos and web sites now (http://heartbleed.com/).

Some members of the community watch admiringly and wish they could do the same. Some enjoy reading/learning about it and admire the technical accomplishments. Others leverage the research to raise awareness around theoretical or very real threats to their company/products, while others use it to spread FUD (fear, uncertainty, or doubt) to sell more product or further a political agenda. Many companies benefit from the free research and QA that third parties perform on their products at no cost, and use those discoveries to secure their products without paying for the work. (To their credit, many are seeking ways to better engage these third parties and compensate them for those valuable contributions.)

Graphic from F5 Decade of breaches lessons learned report.
An increasing portion of the community is spending time pushing back on this so-called "sexy" part of the community. They rail that it gets too much attention, that it's pointless to try to find/fix super complex vulnerabilities because you'll never find them all, and that high end talent is wasted on this problem. Their argument is built around the (strong) empirical evidence that the vast majority of security compromises aren't done using super-fancy 0-day attacks but rather password re-use, phishing attacks, outdated code that has known exploits in Metasploit, misconfigured systems, open cloud repositories, etc. 27% of companies state that they've been breached because they didn't patch KNOWN vulnerabilities, so why spend so much time/energy finding unknown ones?

While I haven't heard the counter argument made publicly (that one should exclusively focus or at least massively increase attention on 0-day vulnerability research) there are certainly individuals and organizations who make this their exclusive focus and have no interest in addressing the human/configuration side of the problem for various reasons. And I have seen individuals in those groups who have denigrated the work of those working on social engineering attacks, auditing systems for compliance and/or rolling out patches.

The problem is that like most complex domains, it is not a boolean problem or a boolean answer. It's complicated and requires a nuanced perspective which is often missing in online rants.  In this post, I'll address some of these complexities and explain why we need to address the human/configuration side of the problem while not neglecting the "high end" technical security risks that remain.

Attackers target the human or misconfigured/unpatched systems for numerous reasons:
  1. It has a low barrier to entry, meaning significantly high portions of the attacker community have access to these techniques (i.e., script kiddies, starting-out criminal/nation-state teams, etc.)
  2. It does not burn valuable capabilities in the event of later compromise. Why spend your 0-day if you don't have to!?
  3. It is often more reliable. (In the modern era many 0-days rely on probabilistic techniques like heap spraying which fail a portion of the time depending on the usage/configuration of memory in the target.) 
But if these attacks don't work, or the attacker is concerned that using well-known techniques may trigger enhanced monitoring/scrutiny of their actions they will often choose to use more complex advanced techniques such as 0-day exploits (software exploits that are built around the knowledge of an unknown (0-day) vulnerability in a piece of software. For a great read on the topic check out this RAND report.) Only a subset of attackers even have the resources to buy or build their own 0-day exploits.

Decades ago this was commonly performed by individual hackers who found vulnerabilities and didn't share them but used them to poke around and "explore" the Internet. Reporting a discovered vulnerability to a vendor could result in the police being called or lawsuits and many hackers were young and didn't think they were "causing any harm" or even wrong for using what they'd found for their own entertainment.

But today many firms have vulnerability reporting programs and policies of working with third party researchers. Most of the top software companies in the world even offer some sort of compensation (cash, prizes, or recognition) to these third party researchers through the use of internal or external bug bounty programs (A great list is here.) The combination of maturing software development practices, productive pathways to reporting third party discovered vulnerabilities and anti-exploitation mitigating techniques available in modern operating systems and hardware means that finding useful 0-days and exploiting them typically requires a significant effort by an advanced individual or team of individuals.

Attacks are conducted using BOTH approaches on a daily basis around the world. While the reports and news stories that get attention focus on breaches that utilized one or more 0-day attacks, the vast majority are done using human/system mistakes. 0-day attacks tend to be utilized in the highest value or extremely targeted cases by nation states conducting intelligence operations, and in less frequent cases by law enforcement or "defense" operations. A non-negligible portion of 0-days are deployed by criminal groups (although in an era when North Korea employs large teams of hackers to raise billions to bypass national sanctions and fund weapons/missile research, or Russia explicitly refuses to shut down criminal operations out of the Russian Business Network as long as they target other countries, drawing the line between criminal group and nation state operations becomes increasingly difficult!)

Attackers will use the path of least resistance to accomplish their objective. In a perfect world humans would not be susceptible to manipulation and sharing passwords or other sensitive data. And software would be free of bugs and vulnerabilities. Systems and networks would always be properly configured. But that world is far away and I would argue theoretically unachievable. (Although I have yet to gather the methodology for a proof, I'm working on it!)

As a result, we are faced with a world with vulnerable software, systems/networks and humans. And attackers who spend the minimal amount of resources to accomplish their objectives. In that environment, defenders should focus their efforts on ways of increasing the cost to an attacker that is consistent with their threat model. If you're an individual or small/medium sized business (SMB) not in a high-risk class, you don't need to worry about targeted 0-day attacks and should focus more on phishing-style threats, reducing your threat surface and patching. If you're an elite government agency or global Internet powerhouse, you should invest in the full panoply of security measures including internal/external red teaming, vulnerability research programs, human testing, secure coding programs, multi-tiered security layers, robust secure operations centers with visibility into each layer, deception measures in the network, customized locked-down software stacks,  investments into new architectures and mitigations, etc.

Individuals and specialized research shops will continue to exist and advance the objectives of these groups. If someone is a vulnerability researcher (VR) they aren't going to suddenly start offering phishing training to individuals, even if that was the highest payoff security measure for the organization who employs them because the role wouldn't be interesting to them and would squander their abilities. They'll just change employers or take a mundane position and do this as an evening hobby. Similarly, we shouldn't force phishing training experts to become VR experts just because there is a need if staring at hexadecimal and decoding heap structures isn't something that fascinates them and they have an aptitude for.

To state more succinctly, attackers will continue to exploit BOTH classes of vulnerability (software vulnerabilities and human weaknesses/system configuration) as required for their objectives, and improving the security of BOTH while properly understanding our risk is critical. Doing that in a quantitatively robust way is currently impossible since we're still grappling with how to quantify both classes of risk, but heuristics and other measures are appearing so we can at least approximate it. (Example papers on quantifying phishing, vulnerabilities) Researchers continue to publish papers looking at trying to quantify/model these actors as game theoretic problems using things like attack graphs with limited practical success. (Random example)

The larger question about the allocation of resources (People, money, etc.) needs to be addressed at the policy level. As long as companies can knowingly sell software that has known vulnerabilities in it and is insecure by default configuration, we will have massive security breaches. As long as enterprises build/buy solutions that depend on everyone in their organization never making a bad security decision and having to analyze false web sites or phone callers to detect falsehoods, we will have humans being exploited. As long as we have millions of job openings for security professionals, we will remain understaffed and dependent on untrained operators and insecure code.

To see security postures change significantly requires measures across the entire spectrum. Changing the hardware and underlying software our platforms run on. Writing more secure code. Shipping systems securely by default. Automating testing and management. Training more users and security professionals. Buying security products that don't suck and work together to provide a complete picture. Embracing creative defensive approaches like dynamic defense (and "defending forward", whatever that means?) Quantifying everything and making rational decisions. To date we keep spending more money each year but still haven't seen a reduction in breaches... and we aren't going to by denigrating people in the community plugging different holes in the dike than we are.

Wednesday, November 28, 2018

Crowd-sourcing and bounties for defense

A little different post than I've done in the past, but I thought it would be interesting to the larger offensive/defensive cyber communities and too long form for Linkedin or Twitter. I'm an advisor to a company called 418 Intelligence, which is run by a friend of mine named Mark Jaster. They are trying to provide a platform that allows companies to move beyond bug bounties to actually crowdsourcing threat hunting/anomaly detection. They're just now opening up the platform to the community, and I think it's worth checking out as there's upside for the individuals and for companies and room to grow/expand. I'd love to hear what people think of their approach, and would pass any positive or negative feedback you have back to them.

Here's the invitation:

If you have skills in analyzing logs and pcap files here is an opportunity to join the first cyber professionals testing a new community platform, supported by DHS, designed to incentivize and crowdsource better defense and insights on what methods are working. If testing and shaping this vision sounds interesting, sign-up to participate as a tester of the alpha release of the FOURSight DEF3NSE cyber defense crowdsourcing platform from FOUR18 Intelligence. This release operates a three-round live simulation game of an intrusion where you analyze artifacts and bet points with other players on what is happening and how to defend against it. It then transitions into crowdsourcing countermeasures against a known attacker group executing the same attack playbook in the real world.  The sign up form can be found here: FOURSight DEF3NSE Pre-registration Form.

FOURSight DEF3NSE is the first online community and marketplace for cyber defenders and decision makers to directly connect and incentivize crowdsourcing better defense and network resilience against cyberattacks. The system uses a unique, gamified and incentivized "wisdom-of-the-crowd" betting experience to crowdsource fast and accurate assessments of cyber risks and countermeasures, and it is designed to pay-off participants by creating a market for this information, including what will be the first-ever bounties for breach hunting. If the vision of bounty-hunting for attackers, or of testing what you know and winning pay-offs by predicting how successfully a countermeasure will perform against an attack sounds interesting, please join others in testing the platform and helping the designers make it great.

Once you register you will receive orientation materials explaining the system further, and an update on the testing schedule, but if you have any questions you can contact the team at admin@def3nse.net.

Thursday, June 21, 2018

@War review

I finished Shane Harris' book on Cyber Warfare recently and felt obligated to write a review about it on GoodReads. Given I spent the time writing it up, thought it might be worth sharing here for those following my blog who share an interest in the cyber security/warfare communities.

A thorough introduction to the world of cyber warfare from the perspective of a journalist surveying published media from mid 2005-2015 time frame. Some sampled private discussions and insights into behind the scenes discussions and classified projects. A good read for someone new to the field to catch up quickly. 

Unfortunately the author spends a significant amount of time pontificating on concerns that have been excessively debated elsewhere and attempting to seem moderate while making clear his opinions where the concerns lie... and unfortunately basing his conclusions on rumors he heard from self-proclaimed "experts". One example is the "thousands of exploits" the NSA is hoarding. This claim appears to be based on a single unquoted individual, and appears inconsistent to the other information in his book. (Pointing to a budget of $25M to acquire exploits, and price tags of $50,000-$1,000,000 would imply a catalog of 25-500 (dozens or hundreds, not thousands)) Much hand wringing is spent on NSA surveillance, defense-industrial relations, foreign government spying, and other topics that have been extensively discussed in the media over the last decade and a half.

Speculation is rampant in the book regarding what's happening behind closed doors and allegations are made without the editorial self-control that a reputable paper would employ. As someone with two decades of experience in this community, this reviewer recalls numerous relevant events that were not included and significant portions of the book devoted to commonly discussed events from various media sources (with a few interesting exceptions). In fact, the acknowledgements section credits many of the content writers of those stories from the news sources covering cybersecurity/cyber warfare (Michael Riley, Nicole Perlroth, Kim Zetter, etc.)  who actually interviewed the original sources and wrote about the events as they happened (or as they were uncovered!)

Books such as "Countdown to Zero-Day" by Kim Zetter provide a much deeper look that is more technically accurate and better sourced and represent a good alternative for a reader looking to gain insight into the technical and political aspects of the cyber warfare complex through a single (large) operational lens. 

@War is a good option if one has no prior exposure and views it as a breathless description of the events of the last 10-15 years in the US cyber warfare community from a non-technical observer doing his best to share what he's read about and been told as an outsider.

Friday, January 19, 2018

2017-2018 Update


As readers of this blog (or former readers!) have noticed I have been updating the blog less and less over the years. We successfully sold Siege Technologies to Nehemiah Security back in 2016 and have been working on the integration between the firms.
Pretty exciting to see technology we've been developing for years (Now known as AtomicEye RQ) make its way into the broader commercial market and getting traction with some big (Fortune 500) customers in addition to mid size and various government groups.
It wouldn't have happened without an experienced team like the group that Nehemiah brings to the table. Hopefully once that stabilizes I'll be able to get back to blogging more often, either this year (2018) or next (2019). Hoping to get back to some technical/cyber topics but will probably also include more diverse content as well. Stay tuned!

Wednesday, April 19, 2017

Leadership lessons

Normally use this blog for longer form discussions about public news in the "cyber" field, but since I don't have another blogging forum I'm going to post this writeup here.

Getting tweens/teens to do chores can provide some lessons on leadership. I've assembled ten of them below for your enjoyment. 😀

1) Questions are OK. Sure, they're doing it to try to delay/distract/disrupt your objective as long as humanly possible. But it's OK to want to know what the objective and buy into the overall mission.
2) Be specific. If you don't know where you're going it's unlikely you'll get there. Describe what you're looking for and there's a small (OK, tiny) possibility it will happen the first time around.
3) Explain what triggers task completion and try to avoid time based metrics. If it's time, the human response is to conserve energy (see: USSR as an example of how well that works out). But if it's goal based, people will often choose to work harder to accomplish the objective quickly and do other things they value more. Like watch Netflix.
4) Positive and negative outcomes are useful and must be tailored to the individual. Some people love chocolate, others don't. Some would consider reading a punishment, others a pleasure. Personally I find beatings are consistently unpopular but you might find something else works well. 😏
5) Music and humor are great ways to make tasks more enjoyable and lighten the mood. Unless you're listening to NF's rap song about Mom dying and leaving him, in which case you want to start crying and console each other.
6) Yelling doesn't produce anything positive IMHO. Except fear/anger. Which, if you're trying to train a Sith could be useful I suppose.
7) Showing/training is important for things more complicated than "carry this from here to there". Although sometimes even that requires instructions.
8) Have reasonable expectations and don't accept poor work. The DMV is a great reminder that even adult humans are perfectly willing to work in a way that yields a terrible product/experience. Don't be United Airlines and accept that just because it's the way things are or you might end up with kicking, screaming and blood everywhere.
9) Positive feedback provided promptly to people doing great work or with a great attitude is helpful. Kind of like participation trophies, but actually earned. 🏆
10) Lead by example. Returning to my Sith Lord example, Darth Vader doesn't make his troops do all the enemy soldier killing, he's at the front of the line doing it himself (even at a distance). Showing everyone you're willing to work just as hard slaughtering enemy troops means they have someone that they can and should follow. Or get force choked.

Hardware enabled trust

Siege has been doing some work with hardware and software enabled root of trust implementations over the past few years. Specifically, looking at implementations like Trusted Platform Module (TPM), boot processes, UEFI, hypervisors and other implementations that utilize hardware "trust" functionality. Wanted to share some insight into what the research and implementation communities are doing.

To start, the major presentation that drew a lot of attention to hypervisors and hardware trust was Joanna Rutkowska's 2006 Blue Pill presentation at Blackhat. It discussed injecting a hypervisor rootkit into a running operating system utilizing AMD's SVM (Secure Virtual Machine) instructions, and also discussed countermeasures, detections, and possible extensions to Intel's VT-x instructions. Also in 2006, researchers from IBM's T.J. Watson Research Center discussed virtualizing the TPM so virtual machines could utilize TPM functionality.

In 2009 Rafal Wojtczuk, Rutkowska and Alexander Tereshkin presented several attacks against Intel's TXT (Trusted Execution Technology). Also in 2009 Rafal and Joanna presented an attack against System Management Mode (SMM). From the paper:
System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of "Ring -2", as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in "Ring -1".
The authors describe
how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits
In 2011 Rafal Wojtczuk and Rutkowska presented an attack against Intel VT-d and, by extension, Intel's TXT (Trusted Execution Technology). Wojtczuk, Rutkowska and Tereshkin were all part of Rutkowska's Invisible Things Lab, where the Qubes OS was also developed. Some of their posts on Qubes are available here. Qubes is an interesting project: it attempts to defend against the operating system/kernel, hypervisor and hardware attacks the team is aware of by utilizing the full functionality of the hardware and secure design principles with strong isolation to build a significantly more secure operating system environment.
There are tons of other papers out there as well; I'd love to do a more comprehensive survey on the topic at some point. Siege has been doing some really cool research in the area that we started years ago and finally got to present at Blackhat in 2016. Breaking Hardware Enforced Security with Hypervisors has some good information on the area and on approaches to subverting the TPM interactions with the kernel/boot process by leveraging other architectural features (in our case, VT-x). Hopefully we'll have an opportunity to present some of the other things we've done in the domain in the next few years.
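To make the attestation point concrete, here is an added toy simulation (not Siege's code, not from the Blackhat talk, and not a real TPM interface): a single SHA-256 PCR that is extended by boot measurements, a hypervisor that sits between the kernel and the TPM and answers PCR reads with the "golden" value the kernel expects, and a remote verifier that replays the measurement log and checks a quote. An HMAC under a device key shared with the verifier stands in for the TPM's attestation-key signature; the event names, key and log are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PCR_LEN = 32  # one SHA-256 PCR bank


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || digest). One-way and order-dependent."""
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(events: List[bytes]) -> bytes:
    """What a verifier expects the PCR to be after measuring `events` from an all-zero reset value."""
    pcr = bytes(PCR_LEN)
    for event in events:
        pcr = pcr_extend(pcr, hashlib.sha256(event).digest())
    return pcr


class SimTPM:
    """Toy TPM: one PCR plus a device-unique attestation key (constructed stand-in for an AIK)."""

    def __init__(self, attestation_key: bytes):
        self.pcr = bytes(PCR_LEN)
        self._ak = attestation_key

    def extend(self, event: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, hashlib.sha256(event).digest())

    def read_pcr(self) -> bytes:
        return self.pcr

    def quote(self, nonce: bytes) -> Tuple[bytes, bytes]:
        """Attest (PCR, nonce). HMAC stands in for the signature a real TPM makes inside the chip."""
        tag = hmac.new(self._ak, self.pcr + nonce, hashlib.sha256).digest()
        return self.pcr, tag


class InterposingHypervisor:
    """Sits between the kernel and the TPM, as a VT-x hypervisor trapping TPM I/O could,
    and answers the kernel's PCR reads with whatever value the kernel expects to see."""

    def __init__(self, real_tpm: SimTPM, fake_pcr: bytes):
        self._tpm = real_tpm
        self._fake_pcr = fake_pcr

    def extend(self, event: bytes) -> None:
        self._tpm.extend(event)          # the real TPM still measures everything

    def read_pcr(self) -> bytes:
        return self._fake_pcr            # lie to the kernel's local self-check

    def quote(self, nonce: bytes) -> Tuple[bytes, bytes]:
        return self._tpm.quote(nonce)    # cannot forge this: it has no attestation key


def verify_quote(ak: bytes, expected_pcr: bytes, nonce: bytes, quoted: Tuple[bytes, bytes]) -> bool:
    """Remote verifier: the quote must be keyed, bound to our nonce, and match the replayed log."""
    pcr, tag = quoted
    good_tag = hmac.new(ak, pcr + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(tag, good_tag) and pcr == expected_pcr


# Constructed measurement log for the "known good" boot.
GOLDEN_LOG = [b"bootloader v1", b"kernel 5.4"]


def scenario(tampered: bool) -> Dict[str, bool]:
    """Boot once, optionally under an interposing hypervisor that also loads an extra module."""
    ak = b"device-unique-attestation-key"      # constructed; provisioned to the verifier out of band
    tpm = SimTPM(ak)
    golden_pcr = replay_event_log(GOLDEN_LOG)
    device = InterposingHypervisor(tpm, golden_pcr) if tampered else tpm
    for event in GOLDEN_LOG:
        device.extend(event)
    if tampered:
        device.extend(b"rootkit module")       # gets measured, so the real PCR diverges
    local_check = device.read_pcr() == golden_pcr
    nonce = os.urandom(16)                     # fresh per attestation, defeats replay of an old quote
    remote_attestation = verify_quote(ak, golden_pcr, nonce, device.quote(nonce))
    return {"local_check": local_check, "remote_attestation": remote_attestation}


if __name__ == "__main__":
    print("clean boot:   ", scenario(False))
    print("interposed:   ", scenario(True))
```

In the interposed case the kernel's own PCR comparison passes while the quote fails: a PCR value read over an interface the hypervisor controls proves nothing, so the party that decides whether to trust the platform has to check a quote produced inside the TPM against a nonce it chose itself and a log it replayed itself.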

Thursday, May 26, 2016

From public sector to private sector: A view from the trenches.

(An abridged version of this post appeared in the CipherBrief on May 15th, 2016) 

In 2009 I left a job at the Defense Advanced Research Projects Agency and started Siege Technologies. My goal was to fill the vacuum of small, innovative companies building advanced, disruptive technical solutions in offensive and defensive cyber warfare left by recent large corporate acquisitions.  The last day at DARPA I signed paperwork removing all the accesses I had received during my time there with DARPA and our numerous partners. They took my green badge, CAC card, DARPA badge, and computer. I felt a little like George Banks in Mary Poppins when the bank fires him and proceeds to destroy his umbrella and poke a hole in his hat as part of the discharge process.  I founded Siege Technologies two weeks later and slowly collected most of those resources again over time. The experience was extremely informative and provided some important lessons for anyone contemplating a move into private industry from government or into a startup from a large company.

Advantages of government experience

There are some powerful advantages that time in government provide someone making the plunge into entrepreneurship. The biggest is a perspective on what’s going on at a national or even global level. Insight into the hard problems, operational challenges and thought leaders are invaluable takeaways from government service. Additionally the friends and contacts created throughout government, industry and academia can provide valuable assistance down the road. Having worked as a contractor, government employee and corporate employee again there’s a big difference walking into your favorite government agency with a “blue badge” versus a “green badge”. Having a government badge causes government people to assign moral characteristics to you that are significantly different than the negative assumptions pinned on contractors sadly. And strangely these positive views follow you out into corporate America. Even though I was the same person throughout the experience there is a significant difference in how the people you meet while wearing the government badge perceive you, during and after government service.

Starting from scratch is hard

It is not easy to take a blank piece of paper and write a novel. Starting a company is similar, as building something from nothing requires the ability to see a future that does not yet exist, and execute to make that vision a reality. Taking a small firm and helping it break out of a small business mindset to reach its potential is equally hard (and maybe harder in some ways) because you need to reshape structures that may have hardened and take on risk that may have been previously discarded or avoided. The technical team, technology, access to customers and partners, cash, and information are never as robust as you would like and are often in a state of flux. A challenge unique to moving to a startup from government is the gossip mill of other disgruntled government/commercial individuals who allege stolen ideas, inside access, or other improprieties as the real drivers of success. Changing the mindset of the brave souls who move from the comfort of government to the excitement of a startup is imperative, as there is no checklist of procedures or higher authority to consult before getting things done. Sitting at your desk or attending meetings are not going to get a product built or customers signed up, startups are an exercise in energy exertion. I vividly remember talking to my wife in December of 2009 about whether we would have a paycheck before Christmas and estimating how many days until our final credit line was maxed. Getting my first Siege paycheck on Christmas Eve was the best Christmas Eve gift I’ve received! As Benjamin Franklin said, “Nothing ventured, nothing gained”.

Smaller is riskier

There is a big difference between a job in the government, a job at a big business and a leadership position in a startup. The government has a difficult job ever firing anyone or laying people off, although it does happen on rare occasions. Big business doesn’t usually fire people and layoffs are usually focused on culling the weaker ranked employees (although entire segments of the business can be felled in a single swipe!) And while small companies engage in layoffs and firing, they introduce a new variable into the equation: Cash. In business they say “cash is king” because without it, a business cannot conduct operations. Starting a company involves working for free, reduced pay, gaps in funding, contributing money, and wondering how to make payroll. Borrowing money from friends, banks, and signing numerous contracts as the guarantor. Even well funded VC-backed firms have to worry about cash throughout the process and keep track of the “going out of business” point when the burn rate chews up the cash in the bank.

Smaller is faster

Making decisions in a small company is easy. The individual makes a decision and moves out. Sometimes there are managers or stakeholders to consult, but the reporting chain is much smaller and the stakeholders to consult much fewer. The ability to make decisions quickly allows companies to react to changing market dynamics and technology much more quickly than larger firms competing in the same space. A great example of this is purchasing. When I worked at a large defense contractor in the 1990's I needed to get a copy of “PC Anywhere”. Weeks went by until I heard it was authorized. Weeks turned into months and I reached out to find where it was, to discover the acquisition system had lost my order. When I explained what I needed I was assured it would be coming soon. A week or two later a different product (PC-Xware) arrived! Contrast that with a small firm with a flat management chain… if someone needs something at a small firm they ask their manager and it gets ordered on a corporate card within a day or two.

Smaller is more innovative

It’s easy to understand why small companies move faster, but where does the phrase “small companies innovate, big companies integrate” come from? Innovation is a complex topic about which numerous books have been written. I believe there are a number of factors behind the wave of innovation coming from small firms:

  • Ability to attract and retain top talent. Employees like to work in nimble, more fun, better paying environments!
  • Emphasis placed on innovation. Small companies are taking on larger, often entrenched competitors and creating something new is often imperative to survival.
  • A culture that values disruption over the status quo. Big companies don’t change quickly while growth-oriented small companies are focused on how to change the game and become a big company!
  • Quicker access to resources and decision making. The lack of process and large management chains enable individuals to go and quickly buy/hire/talk/build whatever they need to do as part of their mission to get the job done, while larger organizations utilize processes to limit risk. 

Building a company is rewarding

Taking a company from nothing or small into something large enough to have some “punching power” is extremely satisfying. It means the market recognizes that you are offering something of value. That people are joining your endeavor to make a difference. The resources you accumulate as you grow mean some of the concerns from earlier days are mitigated and new opportunities begin to present themselves. A new era of entrepreneurs are rising up who are increasingly availing themselves of the opportunity to inject a conscience into their work and engage in social causes through their corporate position, products, and with the resources created by the firm. My wife and I have committed to giving the bulk of our gains from Siege some day to charitable causes and view the firm as an opportunity to have a positive impact at a scale unachievable as individual contributors to those causes. Firms like Newman’s Own give away their profit to philanthropic causes, and numerous clothing/jewelry/coffee businesses integrate a social cause into their corporate mission and value statement. In fact the percentage of corporate giving is inversely correlated with size, with the smallest firms giving the most generously[1],[2]

Perspectives on the cyber security startup market

The cyber security startup market has been hot. On fire is probably more accurate. The graph below shows how investment has been ramping up over the last seven years (I started Siege at the relative low point of 2009, apparently not a good year from the investors’ perspective!)

Figure 1: Millions of dollars invested in cybersecurity companies.
Spending on cybersecurity in 2015 exceeded $75 billion according to Gartner[3]. The market is over $100 billion according to MarketsandMarkets and will grow to $170 billion (USD) by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent from 2015 to 2020[4]. The cyber security insurance market is expecting significant growth and should reach $7.5 billion in annual sales by 2020, up from $2.5 billion this year[5].

But in 2015 signs were showing that the valuations and dollars heading to cybersecurity companies had begun to cool. Specifically, “some are predicting a measured slow-down leaving a slew of Seed/Series A funded companies without a Series B sponsor”[6]. Median security EV/revenue multiples have declined from 5.5x in 2013, to 5x in 2014 and 4.5x in 2015[4].

That said, the problems remain. Enterprises large and small, government agencies and individuals are still being targeted and compromised with increasing frequency. 2015 alone saw a reported 48% jump in compromises, and successfully detected attacks have been rising at a compounded annual growth rate of 66% year over year since 2009[7]. The annual cost of these attacks ranges from hundreds of billions to trillions depending on your estimation methodology and sources (counting theft of IP versus just cleanup, for example). Nobody has built the silver bullet solution to the problem, and significant opportunities exist if entrepreneurs really provide new solutions, in the form of technologies or services, to the problems that exist today and loom over the horizon.

Perspectives on transitioning government-funded technology

At Siege we have a number of technologies that we have developed with external funds, spanning areas as diverse as cyber quantification, custom hypervisors, software protection and software vulnerability remediation. Some were developed entirely with government funds, some almost exclusively with internal or commercial funds, and most with a hybrid. Taking these capabilities from the lab to product is not easy. Numerous hurdles must be addressed, from classification to export control to publication restrictions to the myriad intellectual property rights issues. And that’s before you address the “valley of death” that exists between research and products. An article in IEEE captures this challenge well, saying “New and innovative technologies will only make a difference if they're deployed and used. It doesn't matter how visionary a technology is unless it meets user needs and requirements and is available as a product via user-acceptable channels. One of the cybersecurity research community's biggest ongoing challenges is transitioning technology into commercial or open source products available in the marketplace”[8], and that reflects my personal experience working in research and innovation at big companies, DARPA and now a smaller firm.

Inventors are often beholden to their creations and believe they possess more value than they often do. There is usually a gap between the requirements targeted during development and what the market needs. And there is funding required to get the product from where it currently is to where it needs to be. Inertia fights against changing anything and turning this technology into a product, but the fight can be well worth it if the numerous obstacles are addressed head on and with vigor. It is a fight that must be won in order to “change the game” and make a difference, instead of allowing the solutions to important national and global problems to die an inglorious death in the lab.

It is impossible to effect change without taking risk. Change necessitates overcoming resistance and various obstacles to achieve a necessary goal. Starting or joining a new venture provides the opportunity to effect significant change at personal, technological, national and societal levels if success is achieved. But even if failure is the outcome, lessons are learned and character is formed through that process. The average successful entrepreneur has several failures under his or her belt (I had two false starts) and is middle aged, with the median age at which entrepreneurs started their companies being 40[9]. Teddy Roosevelt captures the opportunity well with his famous quote: “It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.”[10]

[1] CEO Force For Good, “Giving in Numbers: 10th Anniversary 2015 Edition”, September 2015.
[2] https://philanthropy.com/article/Most-Small-Companies-Make/225215
[3] http://blogs.wsj.com/venturecapital/2016/02/17/the-daily-startup-increased-spending-in-cybersecurity-drives-funding-surge/
[4] http://www.marketsandmarkets.com/PressReleases/cyber-security.asp
[5] PwC, “Insurance 2020 & beyond: Reaping the dividends of cyber resilience”, September 2015.
[6] Momentum Partners, “Cybersecurity Market Review 4Q 2015 Year End”, January 2016.
[7] http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html
[8] Maughan, D., Balenson, D., Lindqvist, U., & Tudor, Z. (2013). Crossing the Valley of Death: Transitioning Cybersecurity Research into Practice. IEEE Security & Privacy, 11(2), 14-23.
[9] Ewing Marion Kauffman Foundation, “The Anatomy of an Entrepreneur”, August 2009.
[10] Theodore Roosevelt, Excerpt from the speech "Citizenship In A Republic" delivered at the Sorbonne, in Paris, France on 23 April, 1910.