Seven Questions About Security for Rapid7 CEO Mike Tuchen
Security is one of those hard-to-define aspects of the IT business. Threats are always changing, and no matter how much work you’ve done to ensure that your systems are secure, you’re never done because, well, see the beginning of this sentence. There’s a certain Sisyphean logic to it all.
But even a task that never ends has to have a beginning, and more often than not it goes something like this: What do I have that needs to be protected, and how well or not is it protected now? Sometimes the best thing to do is call in someone from the outside to look at it all with fresh eyes. And sometimes the answers can be shocking.
It’s the sort of thing that Rapid7, a fast-growing security firm based in Boston, specializes in. While some security firms are more the cops on the beat, hired to keep things in check based on established rules and policies, Rapid7 is one you call when you want to know how the bad guys will try — and try they will — to get through whatever security measures are already in place.
The firm also owns Metasploit, an open source service that’s essentially an early-warning system about new vulnerabilities. Twice in the last year, new research by Rapid7 — released to the wider world through Metasploit — has caught my attention: Once it was about Java, and the other item was about how the methods employed in Stuxnet could be used to create new ways to attack public infrastructure.
I recently had a chance to ask Rapid7 CEO Mike Tuchen some questions about his company and the interesting role it’s playing in trying to clear up a lot of ambiguity about IT security that so many CIOs find frustrating. My first question was to ask Tuchen to explain from a high level what Rapid7 does.
AllThingsD: Mike, the thing I always think of when I talk to security companies is that the scope of the problem is constantly moving. If I were to use a football metaphor, it would be that the goalposts are always changing. And yet there’s another metaphor that fits as well: That of a medical triage, because once you know you have problems, there’s the matter of determining which one to fix first. What does Rapid7 do to help companies sort all this out?
Tuchen: We think of the security market as breaking out into “front-end” and “back-end” activities. Front-end activities are the assessments we do to proactively answer questions like: What’s my security posture? Where am I strong, and where am I vulnerable? What should I do to become more secure? That’s where we fit.
Back-end activities are the enforcement and remediation efforts to protect data or networks that typically act in real time in response to detected threats, including firewalls, anti-virus applications and so on.
We’re finding that as the threats are constantly growing and changing, there’s a lot of interest in assessment. The reality is that we’re seeing a new breach on average of once per day for the last 18 months or so. So when things are moving that fast, who wouldn’t want to know where their weaknesses are and what are the most important things they need to do to lower the chance of being one of those companies breached? Our customers are telling us that once they’ve done the assessment, they’re able to set their priorities for the next 12 to 24 months. If you haven’t done an assessment, there’s a good chance you’ll buy a back-end product that doesn’t solve all your problems because you never knew what all the problems were in the first place. That’s how budgets tend to spin out of control.
So one big question around security is around the shift to the cloud. There are still a lot of people who don’t trust systems they can’t touch, but with the cost savings, the shift is looking more real every day. What does that shift mean for you and for your clients?
The first question you have to ask is “what do I have?” It’s kind of self-evident: You can’t secure what you don’t know about. Cloud services can make this trickier by adding another question into the mix: “Where is it?” And it gets even dicier when you take into consideration all the virtual machines that can be turned on and off at will and moved from one physical machine to another. The boundaries get a lot less well-defined. So the first step is discovery: What do you have, where is it, and what controls are in place?
The next step is determining what types of threats you’re likely to face and figuring out what’s working to head them off and what’s not. After that you put together a strategy for improvement.
Generally speaking, the best approaches we’ve seen start with basic hardening techniques. You take some concrete actions that are designed to make it more costly and difficult for attackers to establish a beachhead on your systems. Next, you lock down the perimeter as tightly as possible, and train employees to recognize and resist social engineering attacks.
When it comes to assessing the security of cloud offerings and software-as-a-service applications, it’s a matter of getting comfortable with the security that the vendor has in place. Our own experience with this has been pretty bleak. It’s clear that the industry as a whole has work to do there.
Attackers have the advantage right now. Even the largest and most sophisticated companies are getting breached on a regular basis. I think there are three things that need to happen: We need to do a better job of information-sharing about risks, methods, and actors so that companies don’t have to start from scratch. We also need to make security simpler. Right now it’s way too complex, and there are too many products that target specific problems that tend to be important to only the biggest of companies. And even those companies can barely stitch them all together into a coherent solution. For everyone else in the world it’s pretty much impossible to do that.
We’re working on a lot of this. We run an annual conference called UNITED to bring together innovative defenders to share ideas. It stands for “Using New Ideas To Enhance Defense.” We’ve committed $100,000 to sponsor some projects we like to call the “Magnificent7” and there will be no strings attached to the funding.
Washington seems to have finally awakened to the wider IT security threats. We hear a lot of talk coming out of Congress about cybersecurity. What, if anything, do you expect to come out of these efforts?
There are two security bills, SOPA and CISPA, that have gained a fair amount of attention lately. SOPA focuses on the illegal downloading of music, videos, software and other counterfeit goods that affect a wide variety of industries. These are the low-hanging fruit when it comes to online crime.
CISPA focuses on sharing private sector consumer data with the government to protect national security interests. The intent with CISPA is to legally protect private companies when they share consumer information with government and law enforcement entities. This information would not be available to the public at large and is highly scrutinized by privacy advocates. The information would be used to try to protect the country’s critical infrastructure. But if it were to become law, it wouldn’t change the status quo of organizations and consumers fending for themselves when it comes to information security.
Also, if they’re passed, they only affect U.S. citizens. These laws will not prevent foreign entities from engaging in piracy or breaching U.S. corporate or civilian assets. Companies will still be under non-stop attacks from persistent adversaries.
You raised a big bunch of funding last fall with a $50 million investment led by TCV. What are you going to do with all that money?
We’ll use it for three major initiatives: First, we’re doubling down on expanding our existing engineering teams. We doubled the team in 2010, nearly doubled it in 2011, and plan to double it again in 2012. Second, we’re accelerating our international expansion. We just hired a regional VP for Europe and are expanding our European and Asia-Pacific operations with new offices in Amsterdam, Hong Kong and Sydney. Finally, we’re looking to acquire terrific companies with passionate teams that want to join forces with Rapid7 to change the security world.
You acquired the Metasploit Project in 2009. How has that deal worked out and what does it say about the companies you may yet acquire? What are your plans for future acquisitions?
Metasploit has been great for Rapid7. We first started thinking about Metasploit when Chad Loder, one of our co-founders, came up with the idea of integrating an existing product with Metasploit. We discussed it with HD Moore, the founder of Metasploit, and he was equally excited about the idea of integrating the products together. In a week or two we had a working prototype. Right then we realized that we’d found something special: A passionate, driven entrepreneur who shared a lot of our vision and values, a product that logically works together with our existing product, a huge and engaged community of expert security insiders and a business that was ready to be commercialized. We asked HD if he’d like to join forces with us, and he agreed. We were able to build a team around HD, and together we’ve built the Metasploit business into a leader in its category.
In that case we learned that founder and team are critical. It also made it easier to build the rest of the team around HD from the bottom up. Now we’re actively looking for companies that play in markets that make sense for us, and products that have a solid foundation for the future. We haven’t yet found another opportunity that fits all of these areas.
I get that Rapid7 is growing; you’ve got an impressive list of customers that includes Anadarko Petroleum, Teradyne, Liz Claiborne and the U.S. Postal Service. Can you share some basic metric that shows how much you’re growing?
Our revenue growth for the last seven years is over 90 percent per year, and we’ve grown more than 70 percent in each of the last two years. And we have more than 2,000 customers. We’ve been lucky to be in a market where the demand is increasing because threats are escalating.