In the Land of Security — Be Fast

by James Wickett, August 1st, 2018

Lessons Learned in Product Development

Security products are notorious for being hard to install and slow to get usage in production. There is one corner of the security market where this is doubly true: the web application firewall (WAF). One of the secrets of the WAF industry is that once the deal has closed and the product is sold, it takes months to get installed and — worse yet — it often goes unused. Due to all the problems they create, WAFs get placed in monitoring mode (sometimes called passive mode). The astute reader is probably well aware that passive is the opposite of active, which means the investment in a defensive security product is doing exactly nothing to actively protect against real threats.

It seems rather odd that the first lesson we learned in building a security product is this:

Get the product in active use on customers’ production traffic

When we set out to build Signal Sciences, of course we wanted to build a product people actually used. More on how we did that in a minute, but we knew that we wanted to be a different kind of security company. Our next lesson was even more fundamental.

Product development in the fast lane. Photo by Matthew Brodeur on Unsplash

In lieu of active defense, most WAFs emit streams of logs and events that even a large team of security professionals can’t analyze fast enough. It is pretty hard to function in this type of environment for a human. We knew we wanted to build a WAF that people could use but as we built the product, we started hoping to deliver a product that people enjoyed using. A product that brought joy to people in the roles of security, operations, and development.

Can you imagine a security product built to bring joy? Well, we could.

We started a cross-functional team to deliver joy to our customers. Here is a screenshot of the slack channel for the team:

Signal Sciences slack channel for the Joy Team

To be clear the Joy Team isn’t just a renamed group for our frontend UI or something like that. The team handles customer experiences from installing the product to maintaining documentation to operational health metrics. It is composed of support staff, software engineers and product folks who care about delivering joy to customers.

These two values, "create a product that gets used in production" and "bring joy to customers," really helped us shape our core principles as a company.

Core Principles

We wanted to build a product and a company that rallied around core principles that were radically different from the legacy WAF vendors, and security products in general.

We created a set of core product principles:

  • Ease of Use — Building all our products with a focus on simplicity and clarity
  • Data Insights — Turning data into information
  • Visibility — Making information accessible to drive faster response and decision making

From Day 1, Signal Sciences has been a customer-centric organization, and these principles are based on customer feedback to address the gaps we jointly saw in the industry.

Getting Our First Customers to Run in Production

In the early days of Signal Sciences, we knew that our customers would love using our product if they could just visualize attacks and abuse against their live apps and APIs. We didn’t want a fictitious experience where they would get access to a demo environment and see staged data. This meant only one thing: we wanted all customers to do a proof of concept (POC) with us, but in their real, actual production environments.

To some security vendors out there, this probably sounds like a pipe dream. Many people doubted we could get security folks to run our product in production, but they did. Sometimes they would even turn us on in production without telling us, often on a Friday afternoon. After this happened a few times, we affectionately began to refer to these times as “YOLO Fridays.” Luckily, most of these went well even in the very beginning of our company.

But the real question is why? Why did customers trust us with their production traffic? We believe that it started with our now patented architecture: we could guarantee uptime with a split module-agent design. We built a system that would fail open if something happened to our agent. This helped in our conversations with operations, who often own the web server, and led them to trust us enough to try it out. Once we got the OK to try an install, the next step was to ensure we had a quick and smooth install experience.

Snoozing Means Losing

No one likes projects that go on and on — and none more so than under-resourced security teams who have many other strategic projects that deserve focus. From talking with our customers, their WAF projects tended to look like home improvement projects which are completed late and exceed budget. We knew we could deliver better security than existing solutions, but we realized we could also provide a significant improvement for customers in terms of getting their WAF projects back on track. We knew this because our founding team had already done this as security practitioners at Etsy, a top site in Alexa’s traffic rankings.

In one customer engagement early on, we were informed we’d be part of a bake-off versus a large industry incumbent. By the time our POC had wrapped up, we had a meeting with the prospect and were eager to hear how we had fared. To our surprise, the prospect couldn’t give us any head-to-head points where we were stronger or weaker — because the competitor still hadn’t even been able to install. Due to the inline complexities and operational dependencies required, such as DNS changes, legacy WAFs take months to install, and then require constant, laborious tuning and tweaking, performed either in house or by expensive external resources.

The Early Bird Gets the Bad Guy

There are actually 2 parts to a successful install: the actual install, and the time it takes for the product to generate value. To satisfy the first part, we leverage packages and public repositories to help customers automate the install and update with configuration management tools like Chef, Puppet, Ansible, and Salt.

Below is an example from a prospect where we created their account on the backend, sent them an invite, and they installed a live agent, all within 15 minutes.

Figure 1. Sorry for all the redaction, but this is the log data from an actual production install. Total time from invitation to processing data: 15 minutes.

We track customer install time as a KPI and monitor our Slack channels when new prospects bring their first agents online, and it became a race to see who could install the fastest! Today our record is under a minute, and the average is 62 minutes among companies from fast and agile WeWork to a complex enterprise like Under Armour.

Once installed, our agents start processing data immediately, detecting attack payloads and applying flags that either block or log, depending on the mode you set in the Signal Sciences Dashboard. There is no learning mode and there are no RegEx signatures to manage: blocking protection across all core attack types works out of the box. So time-to-value is nearly instantaneous with installation — a first in the WAF market, where so much time is usually spent authoring and tuning rules to avoid false positives. This gave customers a very real experience: they could visualize and, for the first time, see what attacks were happening against their web applications. This drives the datapoint we find really exciting: 4 out of 5 companies who install Signal Sciences buy, since they, too, are able to quickly realize value like never before.

A Customer Story Where Time = Value

One of the great pleasures we have is talking to our customers about their install experiences — and this one, about the cost savings associated with selecting new products, stood out to me. Recently, I spoke with Lance Horner, Head of Security for Day & Zimmermann, a century-old, family-held construction and engineering services company. He told me his story: he was starting to explore WAF products in order to allocate budget later in 2018. His original plan was to do a “quick proof of concept” to get an idea of the cost of deployment, with the idea of purchasing later. When he went to install Signal Sciences in a proof of concept, it went so incredibly quickly and easily that he deployed directly into production in under 5 minutes. Because his team was able to install the product so easily in production, generating immediate visibility and blocking of attacks, he gained approvals for the immediate release of budget to complete a project that freed up time and resources for other strategic projects later in the year.

Demand more from your WAF

If this article and our approach sound interesting to you, then we would like to ask you to give us a try and take the Signal Sciences challenge. We can be up-and-running in your environment in minutes, and you get immediate value in blocking and visibility, saving you time from testing and configuring other types of WAFs on the market. We will show you that vetting a web application firewall solution doesn’t have to take weeks or months.

You don’t have to believe our marketing, our current customers, or our industry awards. You can find out for yourself in minutes.