Network Security: look at the people, not the things.
Updated: Sep 23, 2019
"Know yourself, know your enemy. A hundred battles, a hundred victories."
It must be one of the best known—and most difficult to achieve—lessons in history. It's an instruction for strategic superiority that has aged amazingly well but when he wrote those lines all that time ago he couldn’t have foreseen the way we live today, right? Right?
In a way, he did.
In the chaos of the weeks after the 9/11 attacks news organizations interviewed a clown’s-car worth of security experts. I don’t mean to make light of the situation back then. The attacks were horrific and it really shouldn’t be surprising that the people running the news desks were looking for reassurance that someone, anyone, knew what to do next.
Like so many other people at the time, I also watched a lot of TV so I got more than my fair share of those interviews and with the clarity of time I can say that most of them were just boring. Not because what the experts said was necessarily wrong, but because it was all so repetitive. Add a lock on the door to the cockpit, add a second door, we need a better x-ray machine, we need better agents looking at the x-rays, and so on ad nauseum. So one evening, when I wasn’t really paying close attention to the box the harsh tones of strongly-accented Israeli English made me look up. And there on-screen was some dude straight out of central casting if you were looking for “gruff, Israeli, ex-military, ex-Mossad, security expert.” The guy spoke English so badly that my first reaction was to think that CNN had finally ran out of experts and they were scraping the bottom of the barrel in terms of interviewees. But then he said this:
“You keep trying to secure things. It’s impossible to secure things correctly. You try, but it will not be enough. You have to secure people. We secure people and planes don’t get attacked.”
The interviewer was totally taken aback by this and a little horrified. Clearly the thought that in terms of security we should be looking at what people do in addition to the things that they bring with them had never crossed her mind. Her reaction was to take the conversation in the direction of “profiling.” It all went downhill from there. I never did hear what else the guy had to say about securing people and to my knowledge he wasn’t invited back. But his lesson stuck with me.
“You have to secure people.”
“Know yourself—know your enemy” indeed. Maybe gruff ex-Mossadniks read Sun-Tzu, I’m pretty sure that Ben Johnson—CTO (link) of Obsidian Security (link) does. Obsidian is an innovative provider of intelligent identity protection and I think that he might agree with our unnamed former spy. To secure the thing that is your network, you must start by knowing the people in it, where they are, where they are supposed to be, and where not.
To hear Ben describe it, enterprises large and small are just begging to be attacked. You typically find semi-isolated teams within the organization dealing with identity on the one hand (and being ignorant of what happens downstream in the network), and then you have the IT guys, that are mostly in a reactive posture to identify and mitigate attacks. If this security concept ever fit reality (and I doubt it), it relied heavily on a deeply mistaken assumption; that the organization owns their network. If those three words were ever true they no longer are. They died with the first SaaS subscription or the first time bring-your-own-device happened. Companies are part of a network that they don’t own, don’t control, and cannot even truly know its size and shape. Security-wise, when modern organizations look in the mirror, what they see is a stranger.
And you still want to secure things?
In terms of innovation discipline, Obsidian leans heavily on user intimacy. Their very statement that security starts with extensive identity management capabilities is a strong hint of that, right there. Look at the person, understand what they do, when they do it, who they do it with.
Having an impressive leading value strategy is not enough to innovate successfully. If all Obsidian did were to know what companies need in terms of identity, their offering would be interesting, sure, but ultimately lacking in staying power. What I particularly like is that their product is both operationally excellent, in that it’s easy to adopt and truly easy to use, and here’s the kicker: since networks change constantly, identity management has to learn what the changes are and adapt itself in real time. So there’s a very interesting element of product leadership in the way that Obsidian uses machine learning (was there ever a more appropriate term) to enable their system to evolve as the network evolves.
There are dozens of cyber-security companies out there. It’s rare to find one that takes a truly new approach, and delivers new value based on it.
The Nootka Nation of the Puget Sound in what is today the American Northwest had a highly specialized mythology with deities, heroes, and gods for all purposes.
Kivati Innovation takes its name from the "cheerfully optimistic god of Transformation and Improvement."
I help companies transform themselves into more innovative and profitable organizations.
To learn more, drop me a line:
benjamin (at) kivati (dot) net.