Are Cybersecurity Platforms on the Horizon? A Podcast with Brendan Hannigan of Sonrai Security

On this edition of the Designing Enterprise Platforms podcast with Dan Woods of Early Adopter Research (EAR), Woods speaks with Brendan Hannigan, the CEO and cofounder of Sonrai Security. Sonrai Security is a company that helps govern and secure public cloud platforms. The conversation is part of a series of interviews that occurred at RSA 2020 and covered key questions about the viability of platforms in the cybersecurity landscape, including:

  • Why have platforms in cybersecurity been slower to develop than in other domains?
  • Why has the rise in point solutions been so broad and persistent? 
  • Are we entering a phase in which broad platforms will emerge and take more of the share of spending?
  • And if not, how will all the point solutions be made to work together?

This is an edited version of their conversation that can be heard in full on the podcast.

Woods: Brendan, you’ve been in cybersecurity for a long time. What did you do before Sonrai and what is Sonrai all about?

Hannigan: I started out building switches and routers many years ago at Digital Equipment Corporation. I’ve always been associated with networking and security. I built a company called Q1 Labs, along with Sandy Bird, my cofounder at Sonrai Security. I had a great team over there who built a security intelligence and analytics solution, which actually has become a pervasive platform. That company was sold in 2011 to IBM and then I was asked to run IBM security. We built that division to be a $2 billion business, and we grappled with this problem of platforms versus point solutions every day of the week. I left that business. It continues to grow well for IBM and now I’m involved primarily with Sonrai Security, building out a solution to help companies govern and secure AWS, Azure, and Google environments. 

Excellent. And Sonrai’s mission is essentially to be able to come to any of the public cloud platforms and to create what I call a trust network, or a trust graph of all of the relationships where you describe what has access to what. And then with that massive trust graph created, you can now understand vulnerabilities and ways that you can fix them.

Exactly. What I like to say is that the way in which we build technology value has changed from stem to stern, and we need to revisit how we deliver and govern and secure these environments. We have to do that from top to bottom, and that’s what we’re focused on helping our customers do. One key element of that is this concept of the control points in these public clouds, and they’ve changed from what we were used to in what I call the old world of data centers. The key control points now are identity, data, and the workload itself and not the firewall, not the perimeter, not the device, not the IP address. Not the things that actually everybody at the RSA conference quite frankly spends a lot of time focusing on. It’s a new set of control points because it’s a new way in which we deliver technology value. The platform we’re trying to build actually is to help our customers understand and identify risk associated with the connections and the identities and the access to data that arise in these platforms, find that risk, eliminate that risk, and make sure it never reappears. But to do that in the context in which they’re using those cloud environments, which is very different than a traditional data center.

Have platforms in cybersecurity been slower to develop than in other domains? If we look at the show floor here at RSA, it’s still dominated by point solutions. Why haven’t we gotten a platform yet?

There are multiple things happening. There are unique dynamics in our market. There are unique situations in terms of venture funding, and dynamics of buyers. The challenge I represent is as follows. If we look at old world data centers, traditional databases, we ended up with three dominant databases: Microsoft, Oracle, IBM. I always like to say, as it comes to cybersecurity, we’d never end up with three vendors. It can’t ever happen. The dynamic in security is the very nature of the threat dynamically changes. When you have built something which is addressing a particular weakness of the infrastructure we have, then by definition, the criminals are going to exploit new ways in which they can get access to sensitive data. They’re going to exploit new technologies as they emerge. That creates a level and a need for innovation and change which is unique to cybersecurity. That level of change is not demanded in other environments. It is demanded in cybersecurity because we don’t live in a world of just customers and vendors. We actually live in a world of customers, vendors, and external threat actors, and we don’t control those external threat actors. 

The analogy to the ERP world is, if the ERP world was like cybersecurity, there would have been a bunch of venture capitalists attacking these problems that were of high value with lots of money and new investment to solve those problems. And if that were the case, maybe we wouldn’t have gotten platforms and ERPs.

Maybe. But you see, what would happen there is the dynamic on the buying side of it is, even if people were saying, hey, I’ve got 50 new problems solved for you this week, you know, and they’re new relative to even last year, the customer would say, “I can’t absorb these right now.” Whereas in cybersecurity, some of these things must be addressed because they’re new and emerging threats which have to be dealt with.

Right. If you’ve got a hole in your roof, you’re worried about patching the hole in your roof more than you’re worried about whether that patch integrates with all the other patches you have on your roof. 

Exactly. That’s always going to exist in cybersecurity. That’s always going to require a level of innovation that buyers want, that the market needs, and that the venture community will support. 

But now you get to that landscape where you have lots of different point solutions. It seems to me that the reason that we got platforms in other realms, was customer demand. People want integration and they don’t want to pay for it themselves. People want modeling of a larger scope of activity and they don’t want to have to build it themselves. People want automation that can span all of the point solutions. People want threat intelligence that every part of the cybersecurity platform can participate in, both in gathering information and in benefitting from other things, and they want a simplified management approach. And then finally, they want to be able to still support an ecosystem where a point solution can come into this larger platform. 

In theory there is support for platforms, because customers clearly would say I want it. The buying dynamic is that a lot of security buyers in particular have been very technology-oriented buyers. They have looked at external threats, they have bought technologies to address those external threats, which are rational decisions. I think sometimes the buyers and vendors have not taken into account the complexity of getting some of these solutions deployed and operational in the real world. In other words, people have solutions to solve problems, but they’re not taking into account the complexity of it. So they have this propensity to purchase point solutions because they feel it will address it. And it would address it if they had extremely technical people to deploy all these point solutions. Enterprises now, and buyers, are much more enlightened than they were just a few years ago, where they realized, hang on a second, how can I deploy this? Do I have the people to deploy it, do I have the people to operate it? And if the answer to those questions is, no, I’m not sure I do, they’re going to be more likely to look and say, yes, I’m going to go for a broader solution potentially because it’ll be actually possible for me to deploy.

And this is also driving the trend toward managed services that are becoming platform-like integrations.

Platforms have emerged in security. They’re just a little bit more ephemeral than platforms that have emerged in other spaces. So for example, my own experience, we started out as a very point product with the Q1 Labs product, which was basically a network activity monitor. Then we added functionality relating to security and intelligence, SIEM and event management. It is a security intelligence platform. There are also platforms which have emerged in the area of endpoint, like CrowdStrike. But what’s different, Dan, is that if you looked at a timeline, you’d say, well, we have an endpoint platform, we’ve got a SIEM platform, we’ve got identity platforms. Some of those ERP platforms you described, or some of those database platforms, they last for decades, right? They have, once the aggregation happened.

In this world, CrowdStrike replaced a previous set of platforms, the McAfees and the Symantecs of the world. How did that happen? What happened is that the platforms themselves became platforms, they gave a level of stability to the customers, but then this relentless need for innovation, they didn’t keep up. It was hard for those platforms to react to the changing nature of the threat, quite frankly. They were focused on antivirus. They couldn’t address new and emerging threats. So the platform, as time went on, its effectiveness declined. That doesn’t happen in the endpoint software world at the same rate. The decay rate is faster for cybersecurity platforms. There’s a decay rate, and that decay rate is inevitable. It happens faster. Additionally, companies purchase technologies and their platforms are not keeping up. They acquire smaller vendors. The execution perfection required to integrate a small company and for it to be effectively successful for the next 10 years, for example, which is what you need for these things to last, is challenging.

The logic of a platform is that you have a bunch of related point solutions that then start being able to be exposed to each other. The reason that you need a platform is that, if you looked at those point solutions separately and used them as separate products, the amount of data that you can exchange through APIs or the amount of scope of control that you have over the product through the APIs is much smaller than what you can actually do with the product. So the integrations have to go through these little straws of narrow functionality and visibility. But once you put all of those inside a large platform, you can take off the restrictive APIs and share all of the data. That’s theoretically the reason that a platform would work. The problem is assembling the platform by acquisition means that you have a different set of development constructs in one part of your point solution than in another, and vendors have not appreciated how difficult it is to acquire something and bring it into a platform. 

There are these core functions which have to be architected to allow for this broad functionality through integration. But the core function, it has to be developed from the ground up. That’s what we’re doing at Sonrai, which is building a platform to help govern and secure AWS, Azure, and Google. It’s a heavy lift because we want to be able to do it and build something that can then reach out and integrate with other sources into our environment. I think the world is now broken into two parts. There’s the old world and the new world. The old world is everything we’re used to: data centers, perimeter firewalls, endpoints and things. I actually think there are opportunities for a slower decay rate and more stability in that world because, quite frankly, the greatest innovation now is happening in the new world and that new world is actually happening in the public cloud providers. If I’m developing technology and deploying technology, the move is on for enterprise to put that into public cloud. What that means is the underlying changes in the traditional data center technologies will slow down. But when you talk about decay rate and the emergence of platforms, when you then talk about these new environments, new DevOps cycles, security shifting left, building in this new world, it’ll be very hard for big vendors to come in and aggregate all these little companies and build platforms. Because it’s changing too quickly.

Are we entering a phase in which broad platforms will emerge and take more of the share of spending, and if not, how will the point solutions be made to work together? Based on what you’ve said, they will never be as broad as they were in the enterprise software world. There will be coherent platforms, but in your mind, they won’t last as long. One of the reasons for that is the commonality of requirements isn’t there. Cybersecurity for a web application ecommerce site is different than cybersecurity for a small business. So you’ll have platforms attacking each of those common requirements.

Look at some of the segments where clearly there’s aggregation in platforms, like next generation firewalls. Vendors emerged. They actually got aggregated into these next generation firewalls. That’s not going to keep happening. There are two reasons why it’s not going to keep happening. They’ve solved some wonderful problems, and now investors and customers don’t need the next generation firewall. They’re very happy with that. People are focused on other things like how do they manage the complexity of identities in public cloud environments. And so that will allow aggregation in that old world. Which is good for customers in that old world, although it’s not going to let them off the hook because the churn of change will be happening in the newer environments. 

So once you solve the problem, you don’t need a next next generation firewall. You’ve solved the problem. And then that problem will either persist or decay, but then you go into the financial platform role, where maybe one company buys up all of the next generation firewalls.

There’s clearly an opportunity for aggregation there that could happen. It’s a good example where then bigger companies, because of the slower pace of innovation, their risk associated with this change and their platforms decaying is lower and so they can do that aggregation.

How do all these point solutions come together in a coherent form? If you were a practitioner, how would you face this world and determine how to integrate all these point solutions and which of these smaller platforms to integrate, and then make the trade-offs?

You make the trade-offs as follows. The most important thing when you’re trying to consume technology in this type of world is you basically pick your anchor platforms and those platforms have dynamics of innovation and functionality, but they also have to have the ability to get deployed and be used by normal human beings. The second dynamic is making sure they’re open. In other words, that they allow for the interconnection with other entities and other capabilities that are delivering some kind of a point function. Splunk did this. They have a platform, but they have a very broad ecosystem that allows people to use that as the foundation and then deliver some of these functions. And then after that, people have to be discerning. And this is a buyer behavior: We don’t need to have 55,000 of these things for some of these problems. If they evaluate risk properly, they’re going to be discerning about how many new technologies to bring in and what are the balancing acts between where those technologies are applied to the critical data and can they consume it.

The key there is where is it that you need the best you can get in terms of cybersecurity capability and where is it that you need a pass/fail system? There are certain places where you just need something that’s good enough to stop the above-average hacker and there’s other places where you have to have the crown jewels protected in every way and monitored in every way, with deception and proactive measures. 

At Sonrai we use the crown jewel methodology all the time, which is a risk-based approach to cybersecurity, which is you’re tailoring your approaches depending on the criticality of the information which you are adopting. You don’t have a strategy or a technology across all these dimensions. Customers do that. They’re applying very sophisticated analysts and other people to specific portions of their infrastructure, and for other portions of their infrastructure they don’t have the same level of complexity. Because they just feel like a) the risk is lower, and b) the capabilities to absorb and deploy the technologies are also lower, actually. And so that is absolutely critical.

How have you seen the hybrid world being managed by the best customers that you’re dealing with? 

Everything has changed. The way we develop software has changed. The nature of how we’re building software has changed. The rate at which it’s developed has changed. The way people can create infrastructure on the fly has changed. Who’s doing it has changed. It used to be IT and it’s not anymore. It is not going to be possible to take a legacy platform and somehow jackhammer it into this new world. It’s too hard. There are certain things you might be able to do, but from a pure risk, governance, and security perspective, you have to have it from a native perspective. Which means it’s built from the ground up. That’s a new set of technologies to manage this new world. But there are things you can do in the new world that are just unbelievably complex to do in the old world. I can keep track of every identity. We can build a graph of every identity and what it can access in every element of the cloud. It’s so hard to do that in the old world. It’s possible in the cloud. The nature of the information we’re going after, what the risks are, how we evaluate those risks and how we remediate are just totally different. Customers have to accept that. They have to embrace it actually, and believe not just that they’re trying to secure the new world, but actually that their goal can be a superior result in the new world. 

The way you’ve laid it out, platforms will emerge from the public cloud vendors. What are the arguments for and against this stance?

AWS, Azure, and Google are the greatest set of innovations I have ever seen in my career. Now, they also are developing tools and capabilities in their solutions to help people evaluate risk, to help people enforce security, and clearly those platform providers have an important role to play. But in the history of our business, the platform providers have never effectively done a job exclusively on their own of governing and securing their own platforms. It was true in mainframe. It was true in minicomputers. It was true in Sun Microsystems. It’s true with Linux, and it will be true with these public cloud providers. In other words, if there’s something about cloud and the providers that’s suddenly magically going to change the outcome that’s happened in all of technology, well, the last 14 years would say that’s just not happened; it hasn’t happened. There’s complexity and there’s risk in there that are allowing customers, with this powerful platform, to make unimaginable mistakes. And those unimaginable mistakes haven’t even been fully exploited yet by hackers because the hackers are still doing ransomware attacks on municipalities. This is just people making their own mistakes, shooting themselves in the foot, and leaving their crown jewels open to the world. You’ve got a brand new infrastructure emerging, a brand new way of using that infrastructure and you cannot go to your board and say my developers in Amazon, they’ve got your back from a security perspective. It’s not going to fly. You have to have companies which will be focused exclusively on your effective use of these platforms and that will not come from the platform providers themselves.