Monday, February 01, 2016

Some notes on the Norse collapse

Recently, cybersec company "Norse Security" imploded. Their leaders and most the employees were fired, and their website is no longer available. I thought I'd write up some notes on this.

All VC-funded startups are a scam

Here's how VCs think. They see that there is a lot of industry buzz around "threat intel". They'll therefore fund a company in that space. This company will spend a 5% of that money to create a cool prototype, and 95% in marketing and sales. They'll have fancy booths at trade shows. They'll have a PR blitz to all the reporters who cover the industry. They'll bribe Gartner to be named a Cool Vendor or Magic Quadrant Leader. They'll win industry kudos. They have some early sales 'wins' with some major customers. These customers will give glowing reviews of the product they bought -- even before turning it on.

In other words, it's a perfect "Emperor Has No Clothes" story, where neither customers, nor Gartner, nor the press is competent to realize the Emperor is not wearing clothes.

VCs know it's a scam, but they are hoping it'll become real. As a well-known leader in this space, employees with the needed expertise will flock to the company. Or, they'll find other another company (often started by engineers instead of sales/marketing) that has a real product, and buy it out. What was once snake oil thus becomes something real, eventually.

The entire tech industry is built this way, not just infosec. VCs invest in sales, marketing, and operations people who can build a brand, channels, and competently manage people and money flows. They see those skills as the rare ones, and technical expertise as more a fungible quantity that can be acquired later, for simple wages rather than large amounts of stock in the company.

Norse was especially scammy-looking, with their real time map of attacks on the Internet. It was really cool, and everybody enjoyed looking at it, but nobody could figure out what value it had. It quickly obtained a reputation of snake oil.

It's rarely all snake oil

As a tech expert, I've looked into the details of infosec products. I usually find something really cool, something great.

But that "thing" is narrow. The market for that thing is too small to build a large company. The 'snake oil' bit comes from trying to make this small thing appear larger than it really is, to sell to a wider market.

Indeed, all companies do this, regardless of product. A great example is anti-virus company. They each have great technologies, and are useful to some extent, but still cannot detect advanced viruses. Their hype overstates their efficacy. But it's not necessarily their fault. Their customers are unable to understand the technical features of their products, and use it properly, exploiting what makes their technology great. You can't expect companies to communicate better with customers when the customers are unable to understand.

I don't know what technology Norse had. I assume there was something great underneath it all -- but not something useful to the larger market.

Threat intel is particularly hard to productize

All cybersecurity technologies are hard to productize, but threat intel even more so. The reality is that you can't see threats coming.

If it's somebody attacking the entire Internet, looking for low hanging fruit to exploit (mass port scanning, mass phishing attacks, etc.), then threat intelligence can certainly warn you of the impending attack. But the proper response to such intelligence is to ignore it. You can't get your underwear in a bunch over every such attack -- you'll just waste a lot of time and energy responding to attackers who aren't really a threat to you. I watch people get upset over my own mass scans, and I have to laugh, because they are doing infosec wrong. Scan yourself for low hanging fruit (indeed, use my tool), but ignore such attackers.

Conversely, when you are targeted, hackers come in low and slow, and will often evade the radar. As a pentester, I notice this. Even when they have "appliances" designed to detect me, I still get away with silent penetration. Defending the network isn't a product you can buy. You should be managing your network, like getting email and paged whenever a privileged domain-admin account is created. You shouldn't be buying magic pills that will somehow solve this "threat intelligence" problem for you. The intelligence you get from existing logs and firewalls is often enough.

I've been doing "threat intel" for 20 years. I still don't know how to make it into a product that will appeal to a large market, which is why I haven't founded a company trying to commercialize the technology.

All VC companies rush toward the cliff

Norse spectacularly imploded, suddenly firing a bunch of people and taking their website offline.

From one perspective, this is normal. It's how VC funding works. When VCs give you money, they want you to spend it all. They don't want you to save the money.

It's the hardest thing for people to understand about startups. They think in terms of their own finances. They want to save money for a rainy day, in case things don't go as plan. That's not the purpose of venture capital. Instead, it's a "venture" that will either succeed or fail. If, in the end, you can't figure out how to create a business out of the venture, then shut it down and sell off what little assets remain.

A zombie company remaining barely alive is no different than a failed company from an investor's point of view. Either way, it's not going to generate profits that can pay back the original investment.

You think yea, but maybe after a few years of zombie existence, they'll eventually get lucky. No, this isn't how business works. In a few years, technology changes, and will require a new investment, a new venture to promote that new technology. You would never give that new investment to a zombie company, which is weighed down by other concerns. Instead, you'd give that investment to a new company that can focus on it.

In mature markets, market share doesn't change very fast. You see that in the car industry, for example. Ventures are land grabs in new markets, trying to establish market share before the new market becomes mature. If your zombie company failed to get market share, then it's never going to win more.

Thus, in a new market, the goal is to invest money as fast as possible to achieve size and market share. If you fail, then fail quickly and move on. Don't linger.

Destiny is acquisition, not implosion

Norse imploded, abruptly firing their employees and shutting down their website. That's rare. It means the VCs weren't paying attention.

In the normal course of events, companies don't implode like this. If they run out of cash, they'll go back to the VCs for more -- enough to sell off the company to somebody else.

The VCs give companies a couple chances. The first chance will likely fail, but along the way, the company will have built up things like brand awareness and market share. A second round will come in, retool the company, replace the leadership, and try a second time.

Then the last round of investment comes. If the company was successful, then the last round is to pay for all the costs needed to take the company public. More often, the company has failed, run out of money. At this point, the VCs invest to slap a new coat of paint and sell it off to some sucker.

Acquisition aren't always for this reason. Sometimes is a fast growing company being wildly successful, so a larger company buys them out before their competitor can get bigger.

Sometimes companies are acquired for even stranger reasons. At larger companies, when an executive leaves, and a new executive takes power, they are always frustrated with the organization beneath them. The new executive is an outsider, and the organization underneath opposes their orders. Not outright, of course, but passive-aggressively. Therefore, what the executive does is buy a company, then use this "one time event" to replace the managers underneath them with managers from the new company. If you look at how a lot of acquisitions happen, it appears from the outside as if the smaller company acquired/hijacked the larger company.

The point is that companies should never actually implode. There's value there to be exploited. VCs should come in with a "down round" that takes the majority of ownership in the company, slap some lipstick onto the pig, and sell it off to some sucker.

By the way, as outsiders, we really can't see what's happening in acquisitions. Sometimes it's because the companies were successful, and it's an up-round where early employees profit heavily form their stock options. Sometimes it's a down-round, where except for the founders, the options are worthless. When the company your friend works for gets acquired, you don't know what happened. It's usually announced in such a way you think congratulations are in order, but in fact condolences are.


As you can see, I have a low opinion of cybersecurity products in general, and threat intel in particular. I see them all going the way of Norse -- not actually imploding, but being gobbled up by bigger companies and disappearing form the landscape as separate entities.


Gunter Ollmann said...

Funnily enough I share the threat intel reservation of purpose. In todays blog post I approached it from the "chocolate sprinkles of security" angle. Your readers can find it here --

Andrew Plato said...

No, Rob, seriously, tell us what you REALLY think. :-)

You're right, of course. But, Norse was an easy target here. I took one look at that Wargames map at RSA and knew implosion was their BEST destiny. Anybody with some experience in this industry knew that.

I'd like to think there are SOME VC-funded companies that have something special. Cylance has a pretty cool product. Vectra (Gunter's company mentioned above) is also pretty cool.