By Allure Security on Nov 29, 2017 12:00:00 AM
As a security researcher for some two decades now, I’m quite familiar with how security has always been an afterthought in the “move fast, break things” technology culture. But now we’ve reached the breakpoint of the internet: The internet is broken. It has never been secure.
I started Allure in 2009 because I wanted to take what I had learned in my Columbia University research lab and bring it to the marketplace for real-world impact. The “real world” offers us lessons we can’t learn in the lab. Early in my career, I had the great fortune to collaborate with many organizations that experience real security problems, and I was hooked. I wanted to make systems more secure for enterprises and for everyday people in their everyday lives. I wanted the systems that my kids and my friends use to be completely safe all the time. I want to see our society continue to innovate and connect - all of which the internet has made possible.
When I started Allure eight years ago, it was hard to get folks to care about internet security. Now, nearly everyone understands the vulnerability and the risk of something as simple as sending an email, opening a document, or using public Wi-Fi. After years of research, user studies, customer pilots, and countless briefs with CISOs and security teams, we’ve learned a few key insights that have been key to our product development.
Make security usable
So much of why even the best security products or ideas fail is because they have been designed for a machine, not for people. I’ve spent a lot of time thinking about how people work - including attackers. People are unlikely to follow security protocols that hinder their workflow or get in the way of productivity. We learned from our work on host-level user behavior studies how people actually work. For any security product to be successful, it has to work not only for the security ops center, but also for the end-user.
Data loss is about the data
Yes, we have to protect routers, endpoints, networks, and our users, but data loss is about the data. That’s what attackers want; that’s what fetches high dollar on the black market. Security researchers have been scrambling for ways to stop data loss by focusing on preventing data from being lost or stolen. Totally reasonable—except every idea they had failed to solve the problem completely. We approached it from a different and more pessimistic perspective: attackers were still succeeding. How could we make attackers pay a price, rather than just give them unfettered access to the real valuable data?
Start-up success takes collaboration
Eight years is old in start-up years. We spent the first four years steeped in research at DARPA, DHS, and other government agencies - testing our theories and our technology. We’ve spent the past four years commercializing that technology into a product and deploying pilots to commercial customers. We’ve learned a lot and have been humbled all the more. None of this would have been possible without a team who has dedicated many years of their lives to our mission. I’m extremely thankful for the sacrifices our team has made to get us here. And perhaps one of the biggest insights I’ve had in this journey is that real success takes collaboration - not only in the academic community that we’ve been part of, but also the business community at large.
We needed a professional management team to take our product to the next level and into broad use in the real world. Let me put it this way: It’s one thing for an aerodynamics engineer to conjure up a particular design for a high-speed, resilient, reliable, and stable airplane, and it’s quite another to get the plane to fly without crashing. That’s why I’m thrilled to have Mark Jaffe lead us as Allure’s CEO this year, and I know he’s as excited as I am to get this company off the ground—and keep it soaring.
I’m really looking forward to working with Mark and the entire team on establishing Allure DDR as a premier security solution for enterprises, and truly making safer the everyday technologies you and I rely on in our daily lives. But I’m also hoping that Allure DDR will inspire other academics. To be honest, the academic world is at times unaware of the hard problems that come with solving real-world challenges at scale. But when more academics get involved in realistic security operations, there’s no doubt that it informs and produces better thinking and better solutions. One of the thrills of Allure is bridging those two worlds—and I find that really exciting.