Tas Giakouminakis, Rapid7 founder, on:

The Security Industry's Evolution

6月 29, 2017

When you founded a security company nearly 20 years ago and have been in the industry for even longer, you have a LOT of stories. In this interview, Kyle Flaherty, VP of Solutions at Rapid7,  sits down with Tas Giakouminakis, a founder of Rapid7, at the NASDAQ MarketSite studio in New York City to discuss some of those stories. The conversation ranges from starting a company focused on vulnerability assessment way back in 1998 to how we deal with things now, 20 years later.

Throughout the conversation the two hit on:
—What has changed in 20 years is easy ... what hasn't is alarming.
—How research is the lifeblood of any security solution or platform.
—The importance of community within security, especially with Metasploit.
—What it is like to create a company that has grown and thrived through the growth of security.
—How to use the research available to anyone to take actions and minimize risks.


Video Transcript

Kyle Flaherty:

Show more Show less

Hi everyone and welcome. I am Kyle Flaherty and I am here today with Tas Giakouminakis, and we're going to be talking about security in the industry that we're in, here actually at the NASDAQ studios. Tas, thank you so much for joining us.

 

Tas Giakouminakis:

Thank you Kyle.

 

Kyle Flaherty:

Here's my first question. You founded, with two other co-founders in 1998, Rapid7. What was the impetus ... I'm sure you've told this story a million times, but now we got it on film here at NASDAQ. What was in your mind, especially around Nexpose and vulnerability management and all that kind of stuff. What pushed you to do that?

 

Tas Giakouminakis:

With Percussion Software, which is a company we were at before, myself, Alan and Chad had actually founded this company while early folks there ... folks like Chad. What we were doing was really starting to take things like data management and integrating all this data, later content management, which is a product we had launched in '98 and getting that stuff to the web. What we realized is that people are doing a terrible job of securing all these systems that are now publishing all of our critical data to the web. We realized there has got to be a better way to do this. We started our approach to unified vulnerability management. We took our model of: We know data. We know web. We know broader vulnerabilities and misconfigurations and started Rapid7 and Nexpose from there.

 

Kyle Flaherty:

You said people were doing horrible jobs at this. Fast forward 17 years later, whatever ... 18 years almost at this point. Are we doing a better job?

 

Tas Giakouminakis:

We're doing a different job. When you think about when we started the company, the amazing questions people were asking is "Is virtualization going to catch on?" “How much of the data center is going to get virtualized?” VMware was the new thing and there is a lot of just emerging technologies. Cellphones ... Smartphones were far from smart back then, right? Look at today where I can go days without turning on a desktop computer and still be fully functional. We have the cloud. We have an Internet of Things and all these wearables, etc. that are just really driving our lives. As technology changes, all the problems we face change and evolve. We've seen security continue to try and stay ahead and IT try and stay ahead. It's a constantly changing space.

 

Kyle Flaherty:

I've been in this space for a long time as well. I often wonder and I ask a lot of people this on the podcast, but the amount of noise that's out there right now in the security market in general, the hacking events, the big stuff that happens all the time, these big vulnerability announcements, etc., and all the vendors that surround that just talking all the time … Is that a positive? Does that hold us back as a security community? As someone who has been there, done that type of thing, how do you see that market?

 

Tas Giakouminakis:

There's the good and evil. It's one of those things where when people get the right information, you want to raise awareness. And definitely the awareness is out there, but too often we're peddling magic pills. There really isn't a magic pill. What you see now with machine learning or artificial intelligence and suddenly we're solving all your problems, that's not realistic. The core tenants are people, process, technology. It's an important part of it. What else are you really doing to ensure?

 

Kyle Flaherty:

I think also often ... Listen, I'm a marketer so I can kind of throw myself under the bus, I think we go too far and talk about a magic pill when we should just talk about the simple things that we provide from a value standpoint, from that perspective. Speaking about that, you've seen not only the market obviously evolve overall, but you've seen Rapid7 as a company evolve. At your perch as the CTO and diving deep into the research and things like that, what gets you ... I'm going to ask both questions: what is the most challenging part of security right now, and then also where are you most optimistic? Where do you see us heading? Not us as just Rapid7, just the market overall?

 

Tas Giakouminakis:

Interesting question. Most challenging, I'll start there. When you look at breaches overall, users are usually a big part of that. When you think about just where we've evolved, it went from "I'm securing my perimeter, securing the DMZ, too." End users are the perimeter and everything they touch is the stuff that needs to get protected. Changing that culture where it was so easy for IT and for security to say "No, you can't do this." When you say "No, you can't do this," now you've created a new adversary. Your user who just wants to get their job done is going to do everything they can to get around you ... Get around your controls and get their job done. That's good for the business. Of course, we want them to get their work done, but we still face that cultural challenge of how do we enable them and make the right business decisions?

 

Kyle Flaherty:

I personally feel like that's one of the big pushes that I've seen in the last ... Even from an RSA … you go to these shows and it's ... talk about noise. More and more people are talking about that connection now between whatever you want to call it, remediation, workflow, these teams are hopefully coming together. I feel like DevOps in a lot of ways has forced that issue ... ITOps has forced that issue. That's where I'm seeing some optimism of we're finally talking a little bit, not just throwing bones over the wall and hoping they get fixed.

 

Tas Giakouminakis:

Absolutely. Going back to that whole people plus technology, we realize organizations are understaffed. People still look at security and IT broadly as a call center versus really a business driver. Part of this ... and to your point of optimism though, is that yes we are starting to do more things. What I would encourage most companies to do is take on a project that you can actually change the way you think about things. Make security, IT, all the automation, all the things you think you need to do from a Sec/DevOps kind of process, to make that project successful. Once you have that wind under your belt it's a lot easier to get to the next one and the next one versus organizations that try to boil the ocean. They want to do it all. Those usually fail.

 

Kyle Flaherty:

When you get that wind, it's how you communicate that up whether it's through a sea level or the board or what-not. I feel like we are doing a better job there too of supplying people from that perspective. Your role now at Rapid7, your team actually came recently to the Boston headquarters and actually presented to the full marketing team. It was fascinating. You're about to present to a bunch of people who are here at NASDAQ who are customers of ours. The research that you guys do, and I looked at your slides as you know so a little foreshadowing here for those aren't here. Taking research that's out there, whether it's ours, whether it's someone else's ... DVIR for example, and making it actionable. How critical is that? Is that something that just anyone can do? You don't need products to do that necessarily. Is that correct?

 

Tas Giakouminakis:

Yeah, absolutely. Really the question is, look at these reports and figure out how well do you map to these reports. What are the things that you're doing and the incidents you're seeing and so on. Are you in that same category? If you're not seeing the same things that these reports are seeing, then you need to start asking questions. Is it a gap in our visibility? Or, are we just doing a great job? It could be either, or more likely somewhere in between. You can then start looking at these things and saying "Where can I improve?" Again, in a lot of these reports there will be recommendations. How do you educate users? How do you change processes? There might be technology you need, but for many things there is also open source technology so it's not even always a cost issue. Just make sure you're reading these reports and pulling out those common threads and the learnings you can get out of them.

 

Kyle Flaherty:

We have things like Project Sonar and Heisenberg and obviously the Metasploit Framework, and your team is knee deep ... throat deep ... Deep, deep into all this stuff. From that perspective and from what you guys are seeing, what kind of excites you? Maybe give a little bit of what you're going to present too, today. There are some amazing data points. What gets you jazzed up to put your feet on the floor each day and keep this fight going on?

 

Tas Giakouminakis:

It's an interesting place we're at. It's always a cat and mouse game. It's completely evolved. Adversaries evolve. You've got smart people on both sides of the equation. They're automating, we need to be automating. It's this constant struggle. It's great just to see how things are changing, see how we can start doing more for our customers. There is no perfect ... again, the silver bullets. They don't exist but the more education we can do, the more tools we can provide. There is lots of community effort as you said, that we're doing. Getting that going and starting to make a difference. Once you're armed with that information you may choose to make the wrong decisions, but at least it's out there and you can make the right decisions. It's a lot of fun to be able to talk about all these things as we're seeing them.

 

Kyle Flaherty:

We were just talking before this ... kinda all-star. You've sat here before, ringing the bell, IPO of Rapid7. You've seen this growth of this company and we have all these customers here today. We have thousands of customers ... honestly, what type of feeling does that get for someone who has been here and seen this kind of growth? You walk into the Boston office or LA or Austin or Singapore ... name the offices. That must be a special feeling, the fact that we continue to do this. I feel like we're on that other side of really smart, I hope. Really smart people fighting the fight, from that perspective.

 

Tas Giakouminakis:

It's been an incredible experience. The amazing thing is when we started the company security wasn't that relevant to be perfectly frank. We spent a lot of our time getting people to understand why it mattered, and here we are 17 years later, almost 20 years later and it's great to see that ... Great and then it's not. It's great that we are relevant, unfortunate how many incidents are happening. It's been exciting.

 

Kyle Flaherty:

I think that's why you have to ... we talk a lot about research but the product portfolio expands, like the service's portfolio expands as the customers need these new things you have to ... whether it's car hacking or IoT or anything like that, you have to keep up with that. That, I think is one of the big challenges for us, in general, in security. In '98 it was like, "Oh, just get a firewall. That's fine. You're cool." It was an IPS and "you're fine." Now we've got to deal with stuff on a whole different level from that perspective.

 

Tas, thank you so much for joining me. You and I now have to run off and actually start the presentation for our customers here at NASDAQ, so I really appreciate the time.

Want to hear more stories like this?

Check out Security Nation, our podcast dedicated to covering all things infosec.

Listen now