I read a great post by Phil Venables this morning where he added his “law” to the list of laws that are good frameworks for how things work. Of course he cites Moore’s Law first. I love his contribution to the list:
Venables’ Law can be stated as “Attackers have bosses and budgets too”
He cites the first time he tweeted it almost ten years ago! It adds to the wisdom that a good security approach should increase the cost to the attacker (budgets), and also disrupt the organizational chain.
I have some laws too. :-) I can’t find the Tweet that records when I first wrote them but I could find them in the piece I wrote for Forbes. The piece addresses a common theme for me: Why Network Security Vendors Should Stay Away From End Point Security, and Vice-Versa.
Because it addresses the platformization debate as well, and was written when the current CEO of Palo Alto Networks was a (non-security) executive at Google and probably did not see it, I thought it would be interesting to re-post it here. Do not view the original without an adblocker.
There would be many more successful security companies if their founders and leaders had a better understanding of the IT security space.
One fallacy that will not die is the idea that, to grow, a vendor must be a full stack solution. There is no question that every organization needs to deploy layered security. Solutions are needed for data security, user identity and access management, end point security, server security, network security, and most recently, cloud and mobile device security. No matter how enthusiastic Wall Street may become there will never be a single vendor that dominates in the complete stack.
Let’s go back to basics. At the simplest level of security commandments are these rules:
1. A secure network assumes the host is hostile.
2. A secure host assumes the network is hostile.
3. A secure application assumes the user is hostile.
These rules are very powerful when applied to product strategies. Any proposed product that binds together any two of host, network, and application will be a market failure. Sadly, the messaging around coupling can be very compelling.
Thus, when FireEye acquired Mandiant, there was wide acceptance of the idea that somehow FireEye needed an end point product to complete its solution; so much so that Palo Alto Networks just burned $200 million in acquiring Israeli endpoint security solution Cyvera.
Symantec is a case in point. Symantec has acquired over 75 security vendors over the years, many of them network security vendors. Remember the Symantec firewalls acquired with Axent? Today, Symantec has 121 products in its catalog, and only web gateway security is a network product. Despite billions spent on trying to get into the network security space, Symantec failed. What Symantec actually succeeded at was becoming a dominant end point security vendor, with forays into certificates and end point encryption.
McAfee also has attempted to have a firewall solution, first with Gauntlet, which it spun off to Secure Computing and then re-acquired along with Secure Computing. Most recently, probably thanks to Gartner’s market-confusing ramblings about Next Gen Firewalls, McAfee acquired StoneSoft. McAfee’s acquisition of Intruvert and the successful market penetration of its IPS solution is the best example of an endpoint security vendor being successful in the network security space. However, when Intel acquired McAfee there was no mention of the large network security business McAfee had built by acquisition. Perhaps Intel did not want to highlight to the broad base of partners that use Intel processors in their network devices that it had entered the space?
Sophos, an anti-virus vendor, has just acquired its second UTM vendor, Cyberoam. What does that say about the success of its first acquisition in the space, Astaro? (See Sophos + Astaro: Good companies, bad deal). Perhaps Sophos is actually attempting to pivot away from endpoint security and become a network security vendor. That would be a good strategy as traditional anti-virus becomes less and less effective at countering the latest malware.
Check Point Software has had its own less than stellar attempts to get into endpoint security: first with the acquisition of consumer desktop firewall vendor Zone Alarm, and then with the acquisition of PointSec, a full disk encryption vendor. Its market share in endpoint is small and probably does not justify the investment it made in those acquisitions.
None of these companies has experienced any benefit from having both end point and network solutions. There is no synergy, and the most successful acquisitions come when the acquirer keeps the two businesses separate.
The reasons network and endpoint security solutions do not mix are plentiful:
1. Buying centers. End point security is managed by a different team within the enterprise than is network security. That means different sales cycles, different sales teams, separate contracts, and most importantly, different skill sets. There is a broad gap between the Microsoft Windows experts responsible for laptop and desktop configuration and the wizards that maintain switches, routers, and firewalls.
2. Brand perception. Let’s face it, anti-virus products are a pain to work with. Every end user has had frustrating slowdowns, system crashes, and false positives from their end point AV. Those users include the network administrators. The last thing they want is a product from the same vendor on their network, where slowdowns and crashes are much more damaging to productivity. Ever wonder why Microsoft never introduced a router, and why every attempt at introducing a network firewall has failed completely?
3. Best of breed. Every organization needs the best firewall and the best end point protection for their environment. They will always make those decisions independently.
A full stack security strategy is one of consolidation. But the security industry does not consolidate. Unlike every other segment of the IT industry, security has an outside driver: threat actors. Cybercriminals and nation states force each security vendor to innovate or die. It is hard enough to stay ahead of the curve in one space. Attempting to do it in two spaces is futile.
Always love your perspectives! Question though. What about the XDR space which purports to add value by looking "across" network, endpoint, user and app signals to better detect and respond to attacker activity? Now, XDR vendors sort of come in two flavors - those who are trying to elevate past just EDR (e.g. Crowdstrike) and those who are prevention point agnostic (not wedded to a given network or endpoint vendor brand). But in either case there is still the intent to drive value through network + endpoint + etc etc.?
I really enjoyed this post, Richard. After decades in the tech industry - the hometown of laws - learning about the axioms that permeate cybersecurity is a fascinating tour.
"... a good security approach should increase the cost to the attacker (budgets)...": that's precisely the principle behind preemptive security measures: to create economic disadvantages for criminals when attacking a particular target. We have an academic paper currently under review to be published on the matter around BforeAI's Active Defense capabilities in disrupting network traffic to malicious websites, making the attack much less effective while a takedown submission is processed.
I appreciate laws for what they are: making visible a set of truths that could be easily missed by the naked eye or even the common sense of professionals in the industry. Laws have exceptions, which don't weaken them in the least; they just reinforce the value of the law in itself. Understanding the (potential) exceptions and making strategic decisions around them is a fascinating topic that I have applied over the course of my career - a combo of Dave Snowden's Cynefin, paradox management, and just plain common sense. It can create incredible, outstanding results. And that's exactly how you position these historical and recent bets on acquisitions that would "violate" Stiennon's Laws.
Thanks for sharing this, incredible food for thought.