Etsy, the online crafts marketplace, now has 2 million sellers doing business on its platform, and nearly 30 million buyers. As for any company, cybersecurity is a high priority.
Contrary to many companies, and the way many people think about cybersecurity, Etsy doesn't focus primarily on building a bigger, impenetrable wall. Rather, they focus on monitoring and reacting to breaches quickly. The wall has its uses, of course, but they view it as an incomplete solution.
CNBC caught up with Etsy's chief technology officer, John Allspaw, and its former chief security officer, Zane Lackey, who co-founded cybersecurity firm Signal Sciences based on principles developed at Etsy, to talk about the rapidly evolving cyberthreats companies face and how they meet them.
CNBC: Etsy and Signal Sciences both take what might be considered a counterintuitive approach to cybersecurity. The point is not primarily to prevent attacks, or to build an impenetrable wall to keep hackers out. Can you describe how your approach differs, and why you think it's more effective?
Lackey: The most profound shift I see going on in security right now ... is that of moving security from an organizational blocker to an organizational enabler. Historically, security has focused on delaying any change until it could be reviewed or blocked outright. Fast forward to today, and the rise of technology approaches like Cloud and DevOps mean that the pace of technology change in organizations is increasing by orders of magnitude. In this sort of new environment, if security tries to remain a blocker to the business it will simply be bypassed. Instead, security has to focus on how it can enable the business to move quickly and securely, in some sense moving from a culture of "no" to a team of "yes, and." Oftentimes the most effective way to approach this shift is to decentralize and provide ways for teams to do their jobs in a secure-by-default state, rather than security acting as a highly centralized and slow gatekeeper.
Allspaw: To add to what Zane said, I believe security teams should feel just as empowered to teach the rest of the organization as they are to contribute themselves to projects. In my experience, successful security teams don't want to stand in the critical path of every project, they continually look for new and novel ways of getting out of that critical path so they can focus on gaining confidence in areas they don't yet.
CNBC: Does acknowledging that bad actors will sometimes get inside your cyberworld signify an admission of defeat?
Lackey: Absolutely not, and quite the opposite in fact. One of the hallmarks of the most forward-thinking organizations today is recognizing the fact that security isn't a black and white notion of "fully breached" or "not breached at all," but rather a constant state of the gray area in the middle. Toward that end, these forward-thinking organizations are constantly refining their process of detecting and disrupting attacks earlier and earlier in the attack chain.
Allspaw: Does the purchase of a kitchen fire extinguisher signify a lack of cooking expertise? ... [Continually] refining their process of detection/disruption early is what is necessary and critical. The modern enterprise is about investing in adaptive capacity, and this area is no different. This traditional and outdated model of cybersecurity ("protected" versus "not protected") is what makes organizations brittle; bad actors certainly would hope us to have that mental model.
CNBC: With close to 2 million sellers, and 30 million buyers, Etsy has an extraordinary number of attack surfaces. At that scale, with what may be imperfect security protocols of some of your buyers and sellers, how do you protect Etsy itself?
Allspaw: I don't think that scale is necessarily the only, or the best, influence for helping decide what investments we make (technically or organizationally) to maintain that adaptive capacity for handling attacks. The sophistication of attacks, for example, should be seen as just as critical.
Lackey: From [the] broader perspective of the changing threats that all businesses are facing today, I think there are two keys to remember:
1) Recognize that all defenses are imperfect, but don't skip implementing a defense that's 90 percent effective just because of the remaining 10 percent. Instead, deploy the 90 percent defense and then think about what additional defense you can put in place to give you coverage over that remaining 10 percent. The old way of doing things in security is to refuse to deploy anything that's less than 100 percent and this is something that Alex Stamos rightly refers as "security nihilism."
2) Don't approach security from a compliance or checklist mentality, but instead ask yourself, "How do attackers actually target my business?" Defensive actions that made a lot of sense 15 years ago and still exist in compliance checklists today may not make sense for a business operating in a modern environment.
CNBC: Leading tech companies, including Etsy, have adapted a "continuous deployment" approach to releasing new software — rapidly and continuously improving and releasing new code to allow for more rapid innovation and reliability testing. This poses new challenges for security engineers, as they need to adapt quickly to keep up, but also informs how you approach your security product. Talk a bit about the promise and peril of continuous deployment when it comes to security.
Lackey: Continuous Deployment, DevOps, Cloud, all of these technological changes often feel like a massive loss of control to security because it's the exact opposite of how security has approached the problem for the last 20+ years. In my own personal case, when I joined Etsy as head of security in 2011 they were doing 20 code deployments to production every day in a time when even forward-thinking organizations were doing one a week or month, and more legacy organizations were doing one every 12-18 months. At first I was terrified, but what I came to learn through my experience is that when combined with visibility moving faster actually makes you more safe, not less safe. There's many reasons for this, but one of the most important is that every system has its weaknesses and vulnerabilities, but if you can create an environment that can detect issues and move quickly you have the strategic advantage of being able to react quickly whenever an issue is detected.
Allspaw: How long does it take to find the data you're looking for in your production systems? How long does it take to discern if the behavior you're seeing is a bug, or evidence of intentional probing? How long does it take to make a one-line change to your applications, in production?
Answers to questions like these have a huge impact on your ability to detect attacks and meet attackers with disruption.
Dr. Richard Cook called this ability "poised to deploy." When you look at continuous deployment, you shouldn't just see a software development approach, you should also see an opportunity for risk mitigation.
CNBC: Hackers have become extraordinarily sophisticated in targeting individuals and organizations with "spear phishing." Bad actors send messages that look exactly like internal emails, but in fact deliver malware. Some estimates have the success rate of spear phishing as high as 70 percent. How can companies and employees protect against this new threat?
Lackey: I'd love to say we've progressed to the point where advanced threats are our most common concern, but the reality on the ground for almost every organization is that it's often the most basic threats that lead to an incident. If we step back and look at how we're all being compromised today three major vectors jump out at you: 1) Credential re-use, 2) Compromising endpoints via phishing and 3) Compromising web applications. Luckily we've seen the emergence of some exciting companies around all three of these challenges such as Duo Security for two-factor authentication, a number of companies who focus on the next generation of endpoint protection, and in our own case Signal Sciences was born out of our experiences defending web applications that were going through the shift to DevOps/Cloud.
Allspaw: Yep. Incidents don't happen like most engineers imagine that they do, because they simply don't have to. The key is that attackers being "extraordinarily sophisticated" can often mean taking approaches that engineers think might be unsophisticated, yet tend to be quite fruitful. Unbuckled passengers can defeat the purpose of even the most intelligent airbags.
CNBC: The Etsy offices, engineers keep a big supply of candy by their workstations. Talk about why, and the importance culture plays in cybersecurity.
Lackey: It's very easy to think of security as a purely technical problem and only focus on technical controls, but the reality is it's just as much if not more a cultural problem. When the security team is physically isolated and only says no to requests, no one else in the business (rightly) wants to speak with them. However, the most effective security teams focus on being accessible and rewarding to work with. At Etsy, one of the things we found unexpectedly useful was as simple as ensuring our physical location in the office was in a high traffic area so it was convenient for people to drop by and ask questions. Even more important than the location though was the fact that we made sure we always had plenty of candy and snacks out for anyone who dropped by, which was extremely effective in starting conversations with parts of the business who might never have spoken to us otherwise.
Allspaw: I believe that one of the quickest ways that a company can weaken its position in the realm of security is to ensure that security teams be unapproachable and cranky. It is in attackers' best interest for your security engineers to play out the stereotype of imposing and intimidating "no" people.
Lackey: One thing that we like to say at Etsy is that "you're only a blocker when you're the last one consulted." Talking to security early and often means you're not only talking with them during "special" times. It should be seen in the same light as talking with design and product management and operations teams — relying on the expertise of domain experts in a way that is fluid.
And yes: Candy brings conversations, and conversations set foundations for understanding, and understanding is one thing that helps people feel trusting and approachable. Every bit helps.
The conference is sponsored by CNBC, MIT and The Aspen Institute.
