Today we are launching Sevco Security – a milestone I have been waiting on for more than 20 years. While Sevco is my third startup (and the ninth startup for my co-founder Greg Fitzgerald), my excitement stems from the problem we are tackling: I have long believed the next big thing in IT Security will be a renaissance in the basic blocking & tackling of IT practices, but only now is our industry ready to embark on that journey. I am delighted to have the opportunity to play a part.
Introducing Sevco Security
I spent the first ten years of my career breaking into networks for a living. First as a red team operator for the US Air Force, then as an offensive network operations officer for the US Intelligence Community. I have spent the most recent ten years applying what I learned about compromising the security of networks to instead improving their defenses by building new products in startup companies. There are a few key things I believe to be true:
- Compromise is inevitable. If well-resourced attackers want access to your enterprise network, you cannot stop them. Attackers make the same cost-versus-benefit tradeoff when selecting their targets as you do when considering defensive investments. The only reason you have not been compromised is that it hasn’t yet been worth their time.
- After initial compromise, attackers often know more than your own defenders. With deep knowledge and unrestricted access, attackers have a more complete view than the usually siloed administrators. Plus they don’t have the distractions of meetings, required compliance training or other internal bureaucratic hurdles.
- Continued investment in security “on top” of IT will see diminishing returns until we begin investing to increase discipline of core IT functions.
Today, mature security teams are finding that their biggest challenge is not that their endpoint security controls are sub-standard, but that those controls are simply not installed on the machines that get compromised. They’re finding vulnerabilities are present not because their patch management tools are slow or ineffective, but because the patch management agents are not installed. They are finding that keeping those tools “fully deployed” is a significant challenge. When assessing deployment efficacy, they know the numerator of the fraction – it’s whatever is reported in the console – but not the denominator. No one in the organization knows how many devices any given control should be deployed on.
Devices and their security controls are the most acute problem, which is why we are launching our company with Unified Device Inventory as our flagship feature, but this is just the beginning. Users, software, SaaS applications – every primary asset class suffers from similar challenges. Our industry’s immaturity identifying the assets we use to process our data is a critical gap that is holding us back from continuing to improve.
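The numerator/denominator problem above can be made concrete by reconciling several device sources into one inventory and measuring each control against the union rather than against its own console. This is an added illustration, not Sevco’s code; the source names, hostnames and the two controls are constructed for the example.

```python
from collections import defaultdict

# Constructed sample exports, one list of hostnames per source, as a practitioner
# might pull from each console. Every name here is invented for illustration.
SOURCES = {
    "edr_console": ["WS-101", "ws-102", "srv-db01"],
    "patch_mgmt": ["ws-101", "ws-103", "srv-db01", "srv-web01"],
    "directory": ["ws-101", "ws-102", "ws-103", "ws-104", "srv-db01", "srv-web01"],
    "network_scan": ["ws-101", "ws-102", "ws-104", "srv-web01", "printer-07"],
}
# Sources that represent a deployed security control (the console "numerators").
CONTROLS = ["edr_console", "patch_mgmt"]


def normalize(name):
    """Hostnames differ in case and whitespace across consoles; unify them."""
    return name.strip().lower()


def unified_inventory(sources):
    """Union of every source. Maps device -> set of sources that reported it."""
    seen = defaultdict(set)
    for src, names in sources.items():
        for name in names:
            seen[normalize(name)].add(src)
    return dict(seen)


def coverage(inventory, control):
    """(numerator, denominator, missing) for one control against the union."""
    covered = {dev for dev, srcs in inventory.items() if control in srcs}
    missing = sorted(set(inventory) - covered)
    return len(covered), len(inventory), missing


def unmanaged(inventory, controls):
    """Devices seen by some source but carrying no control agent at all."""
    return sorted(dev for dev, srcs in inventory.items() if not srcs & set(controls))


def coverage_report(sources, controls):
    inv = unified_inventory(sources)
    return {ctl: coverage(inv, ctl) for ctl in controls}


if __name__ == "__main__":
    inv = unified_inventory(SOURCES)
    for ctl, (num, den, missing) in coverage_report(SOURCES, CONTROLS).items():
        # The console alone would report num/num, i.e. 100%; the union gives num/den.
        print(f"{ctl}: {num}/{den} ({num / den:.0%}) missing: {', '.join(missing)}")
    print("no control at all:", ", ".join(unmanaged(inv, CONTROLS)))
```

With these inputs the EDR console believes it is fully deployed on its 3 devices, while the unified denominator is 7, so real coverage is 3/7.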
What we believe
The collection of IT assets that makes up “the enterprise network” is complex. Every complex system has a number of non-functional requirements to meet, in addition to actually providing its services. Often referred to as “the -ilities,” they represent the systems engineering challenges rarely encountered outside the technology teams: availability, scalability, resiliency, and more. It is a huge challenge – Wikipedia defines over a hundred system quality attributes on its page on the topic.
Historically, IT has prioritized availability and performance: keep it running and minimize the cost. Security was a compliance activity, relegated to auditors and their checklists with little attention from executive management unless auditors threatened non-compliance. In the early 2010s, companies began investing in security as a third priority, independent of compliance – with the pillars of confidentiality, integrity and availability. That investment has resulted in significantly increased maturity in our security operations and commensurate reduction in material breaches.
Every security program framework includes “an accurate inventory of enterprise assets” as a foundational control. It’s control one in the CIS Top 20. The NIST CSF starts with “Identify.” ISO 27001 A.8.1.1 requires an “always up to date inventory.” However, while we have told auditors for years that we have it under control, it is becoming increasingly apparent that we must do more.
It is time we prioritize inventory as a fourth IT pillar, on par with availability, performance and security – I’ll propose we call it accountability: starting with the ability to simply account for your assets, with the same discipline required for a company’s financial transactions. It is a foundational investment that makes everything else more effective, applies to both IT and Security functions, and improves the efficiency of the existing people, processes and products.
Looking forward
I won’t claim to have all the answers. This is an industry-wide problem, and while I know the security domain pretty well, our industry is a collection of very different domains working together. It would take multiple lifetimes to gain expertise in all of them, and given the rate of technological change, the value of any experience fades quickly. It will take all of us working together, sharing challenges and potential solutions, to discover the right path.
That process won’t be easy. Unlike many startup problems that are technology focused, this one is as much about our entire ecosystem, our IT & security processes and our organizations. It is not technology we can build in a lab and share with the world in a grand reveal – instead Sevco and our partners must align on a common vision and iterate together on the solutions, one step at a time.
This won’t be the first hard problem we’ve solved. Nearly all of Sevco’s founding team were members of the founding teams of Carbon Black or Cylance. Our investors – Accomplice Ventures, .406 Ventures, Bill Wood Ventures and SYN Ventures – were nearly all among the original Carbon Black or Cylance investors. Carbon Black created Endpoint Detection and Response (EDR), allowing incident response and forensics teams to mature their operations. Cylance brought us into a world beyond signature-based antivirus detections. Both companies materially improved the “state of the art” in our industry – and Sevco will do it again.
If our Unified Device Inventory can help you today, or you’d like to join the revolution and shape what comes next, give us a call. We look forward to partnering with you!