Finding True Security: A Podcast with Tempered’s Jeff Hussey and Bryan Skene
In this edition of the Designing Enterprise Platforms podcast from Early Adopter Research (EAR), EAR’s Dan Woods continues his series of interviews from RSA 2020 by sitting down with Jeff Hussey and Bryan Skene from Tempered. Their conversation focused on Woods’ key cybersecurity questions for 2020, which include:
- Have platforms in cybersecurity been slower to develop than in other domains?
- Why has the rise in point solutions been so broad and persistent?
- Are we entering a phase in which broad platforms will emerge and take a larger share of spending?
- How will all the point solutions be made to work together?
The podcast covered:
- 1:00 — Tempered’s approach
- 6:00 — Why Tempered is a cybersecurity platform
- 12:00 — Why are there so many point solutions in cybersecurity?
- 17:30 — Will we ever get a unified platform?
Listen to the podcast or read an edited version of the conversation below.
Woods: Jeff, why don’t you tell us a bit about yourself and Tempered.
Hussey: I’m Jeff Hussey. I’m the co-founder and CEO of Tempered. What Tempered has done is completely reimagined cybersecurity with a particular view on securing things, or the IoT. There has been a vast proliferation of point solutions in the market due to cybersecurity being an increasing problem in the enterprise and recognition from very senior board level interests to improve security posture across the enterprise. It’s a big market and it’s capturing more and more of IT spend. There are over 2,000 cybersecurity companies now.
Woods: Wow. That’s a real way of getting across the broad point solution point.
Hussey: That’s why there are so many point solutions. And they’re very difficult to integrate. No one has done the work to fix the fundamental problem that creates the need for all of these point solutions or an integrated platform solution.
Woods: Is Tempered a solution suite of a variety of point solutions? Or is it a point solution that helps you integrate other point solutions?
Hussey: We actually view ourselves as a platform. We’re the first company to commercialize a networking solution based on the host identity protocol. And the host identity protocol fixes the basic flaw in IP that creates the security vulnerabilities that everyone is trying to figure out, and that is the IP address is both the locator and the identifier for a flow or a connection. The inventors later recognized it was a big problem, they shouldn’t have done it that way, but here we are, TCP/IP, the accidental backbone of global commerce and communications, is insecure and nonmobile. And so what we’ve done is develop a platform that fixes that. It’s taken us nearly six years of development work to do that, but now we have a solution. We call it the airwall — it’s like a firewall but it’s invisible.
Woods: Is that for IoT as a first use case or is it for IoT because that’s the best use case for your solution?
Hussey: It’s a general-purpose solution. It works in the IoT and that’s where it’s been most applicable for the past several years, and that’s been the focus of our go to market. But now it works for any IP workloads. We have agents that will run on endpoints, we have gateways that will secure anything from a robot to a commercial office building.
Woods: And Bryan, can you introduce yourself?
Skene: I’m Bryan Skene and I’m the CTO. I’ve been at Tempered for about five of the last six years, since it started. I really like your question about is Tempered building this point solution that manages other point solutions, or does it build a platform? We are fundamentally orchestrating a new host identity protocol that separates the IP address from the location or the location from the identity of a thing, that allows us to orchestrate everything based on something that doesn’t change, regardless of what happens in the underlying network. That’s very fundamental.
Woods: What’s interesting to me about what you’ve said so far is that you can almost never sell the platform. You can sell a point solution that solves an urgent problem, and then people take comfort in that there’s a platform, but they don’t buy that wider vision, they buy that solution. And so it makes perfect sense that you’ve found a use case in IoT, but then this larger host identity platform could actually be applied other places.
Skene: When you think about point solutions, we can talk about some of the buzzwords and the hype cycles that have occurred over the past 18–24 months: zero trust, multifactor authentication, micro-segmentation, and so on and so forth. What we’ve done is build a solution or a platform — I don’t care what you call it, but in our scheme, every connection between these in an overlay network is software defined, and there’s a software defined perimeter. Every connection is zero trust, it’s multi-factor authenticated, it’s encrypted end-to-end, micro-segmented and impervious to lateral movement.
Woods: You basically have a lot of properties of all of these systems in one platform because it was rearchitected with a little better engineering. To my questions, why do you think that platforms in cybersecurity have been slower to develop than other domains?
Skene: If you look at the set of companies that we affectionately refer to as the cartel, like Cisco, Palo Alto, Fortinet, Checkpoint, and some of the other rising security players, they’re making a lot of money using and selling old technology to customers. A radically new way of doing things is potentially very dilutive to their business model. In the world of networking, for vendors, complexity pays. I don’t think that the appropriate economic incentives have been in place to innovate and drive the cost of the product down and improve its overall posture.
Woods: You’re saying that the platforms are impossible to build or that if they built them it would be like radial tires, you’ve all of a sudden built a tire that gets flats less and lasts 10 years longer, and so in some sense you’re saying that the cartel doesn’t want to build a platform because if it worked, it would reduce their business.
Hussey: Precisely. But that’s what we’ve done. I was the founder of F5 Networks and that started as a point solution and it is now very much a platform and occupies a very specific piece of real estate in the network, and everyone on earth has one.
Woods: So the reason that platforms have been slow to develop in cybersecurity is that complexity is making a lot of money for the established players?
A variety of those companies offer integrated suites that are some point solutions brought together. Do you think that those are just a gesture toward a platform or do you think they’re really serious about building these? For instance, Fortinet has a variety of different components for the next generation firewall, for remote office branch office, for endpoint protection, that are all intended to work together as a platform.
Hussey: They’ve done some acquisitions, but in a lot of cases, it’s really marketecture and it’s segmentation from a marketing perspective. SMB firewall, enterprise firewall, internal firewall, secure web gateway, all these various things that are point products that can get budget allocated to them. But it’s not a cohesive solution. They’re still in the firewall business. They just have different flavors of firewall. Or for Cisco. They have a number of products, identity services engine, application centric infrastructure, and those are incredibly complicated to run. You have to completely refresh your architecture, which is great for Cisco. And it requires a phalanx of professional services folks to deploy. We’ve taken a completely different approach. We’ve innovated and developed technology, a platform, that obviates the need for those costly and complicated steps.
Woods: Why do you think it’s been true that there’s been that 2,000 company wave of point solutions in cybersecurity?
Hussey: It’s an acute problem and everybody is trying to solve it. If you’re an enterprise, if you’re a CISO and you or sections of your enterprise are taken down by ransomware or something else, you’ve got an incredibly powerful motivation to do just about anything to remediate that attack and prevent future occurrences. And so, you know, they’ll try just about anything. But, ultimately, piecing all those things together and deploying them at scale is impossibly tricky.
Skene: A lot of these point solutions were developed for human traffic, for client and server communication through a web browser, and that are trying to be extended and morphed and put into a situation where it’s machine-to-machine even though they have different characteristics.
Hussey: The point solutions, the things that you could buy from the cartel, firewalls and so forth, come out of the IT age, which was intended to connect typically humans to information. Now, the world is changing very quickly. Now it’s things talking to things, talking to cloud instances, talking to virtual machines. But the proliferation of things and the policies, the unique granular policies that need to be architected into the network, is a far more complicated endeavor than simply complying access to data on a database or something like that in an enterprise.
Woods: Are we entering a phase in which broad platforms will emerge? In my research I’ve been trying to identify the forces that are driving people to want platforms. And one is integration. Another is modeling. And then threat intelligence, every single point solution should be able to provide threat intelligence, but also consume threat intelligence from other parts of the platform. And then you want all of this to be simplified. Finally, you want every point solution to participate in an evolution forward where the evolution of each point solution is aware of the evolutions of the other point solutions, so that the platform proceeds in an orderly direction. But you have to have an ecosystem approach. By that I mean, no platform ever can credibly become the only thing you have. You’re always going to have point solutions that you have to bring in and integrate. The problem right now with the integration of point solutions is that you’re integrating through a straw. The data available through the external APIs, the scope of functionality that you can unfold with external APIs is so small, that you can’t do a meaningful platform by having 20 point solutions. They just don’t expose enough of their internals to allow that. So will we ever have a real platform?
Hussey: We’ve done it. We have what we refer to as platform ubiquity. We can run on a phone, iOS, Android, on a laptop, server, Windows, Mac, all the flavors of Linux, we can run in the cloud, we can run on VMs, we can run anywhere. And for those places where we don’t have software agents, we have gateways that can be connected to legacy devices or industrial devices. We can create the fabric that touches everything within an enterprise and gives you all of those benefits, which are the zero trust, multifactor authentication, encryption, micro-segmentation.
Woods: But this is an identity access management sort of solution.
Hussey: It’s network access control, we centrally manage identities.
Woods: But in terms of a platform, you’re not going to do endpoint protection.
Skene: We could.
Hussey: The point is that we don’t do that, but we could, and we’re not just doing perimeter security or network access control. We also have other elements of our platform that provide connectivity through perimeter security.
Woods: It sounds like you deliver a really secure network with the security built into it from the ground up.
Hussey: How else can you do it? If you try to bolt security on, what we end up with is an evolution towards this platform or this orchestration of various point products and the economic incentives are not aligned, and the question was are we going to get there. But we’re just not going to get there with that approach. We need a platform, and that platform is going to have to do something simple and do it really well and do it foundationally, like what we’ve done.
Skene: At significant scale.
Hussey: When you talk about all of these various point solutions and tacit reliance on the notion that the enterprise is going to integrate them, are they going to be able to do that at scale? No. It’s not possible. There just aren’t enough people to do that. And are you going to be able to train your entire staff on 14 different interfaces? Not going to happen.
Woods: Is it possible that the way we will get to a platform is that there are limitations on the platformization of cybersecurity where you’ll only have relatively narrowly defined suites for endpoint data protection, for firewall, etc.? Then the way we’ll get a platform is through the managed service providers productizing that integration and that delivery of the larger, broader platforms.
Hussey: I think that’s a possibility. Or, we can just reinvent the future and instead of network security, which suggests that you can network first and secure later, which is wrong. We talk about secure networking because we have a security-first approach. That network first, secure later, is the kind of thinking that has created the problem. We just take a fundamentally different approach, unless the connection can be secured with all those attributes I mentioned before, no data is ever going to move.
Woods: What do you think, then, the pain is going to be? How are your average CISOs going to handle the situation in which they have platforms of limited size, they have point solutions, and then they have to do all the integration? How do you make a framework that allows you to make tradeoffs, to decide where you need the crown jewels and the best protection you can get, and where you need pass/fail protection?
Hussey: That’s a great question. When we go into the field and meet with our customers and help them achieve a more rigorous security posture, we see that invariably there’s a massive amount of technical debt in modern enterprise networks. And so for the CISO to wrap his or her head around the problem, they really need to know what’s actually going on in their network. What’s connected, what’s talking to what, and when, and what? And very few organizations have their arms around that notion. But once they do get that, then that grossly simplifies the challenge of securing all those communications.
Woods: How would you compare your solution to something like Illumio that says, we’re going to go in and have you do a massive micro-segmentation of everything so that only connections that are on a white list can be made. And in doing that, we’ll force you to understand your network and we’ll force you to actually configure it properly so that there can be no east/west movement that isn’t allowed and that you understand what you’re doing?
Hussey: That’s consistent with our approach. That’s what has to happen. The difference between us and Illumio is, A, we run on anything, and we can do not just east/west segmentation, we do east/west and north/south segmentation.
Woods: Essentially your argument with a CISO is why don’t you solve the fundamental problem, which is having a secure network? Once you do that, then you can surround that with whatever you need to solve the problems that remain.
Hussey: And start winning. Actually make real progress. One of the things that we say is, “Visibility doesn’t equal security.” Lots and lots of ink is being spread about the need for visibility, and there are lots of good companies that are providing those products, but the fact that you now have a better sense of what’s going on in your network, but you don’t have the facility to actually walk down with that communication and make it impervious to lateral movement and invisible to threats, you haven’t done the job. Or, you haven’t finished it, you’ve just started it.
Skene: Plus, it’s reactive as the system is dynamic. So, you have to constantly see more and then react to that, and see more and react to that, rather than taking a white list approach where you’re intentional about what you allow to talk.
Woods: This has been a really interesting conversation and I think we’ve got some new ideas about platform evolutions going on. I’m really happy to have talked to you today.