Wednesday, April 30, 2014

Culture eats strategy for breakfast - a short goodbye :)

Today is my last day as an official employee at Rapid7, the company I co-founded 14 years ago. While I'll still be involved as a part-time advisor, it's always bittersweet when starting a new chapter. I thought I would share my farewell letter to the company - it's as good a summary as I can make of my philosophy on startups and on the importance of corporate culture.

Fellow Moose,

Fourteen years ago, almost to the day, Tas, Alan and I started Rapid7. It's been an amazing ride - we have accomplished so much in that time and I'm proud to have played a part in this incredible story. I've had the opportunity to work with some pretty amazing people from whom I've learned a great deal. I've learned about what it takes to grow and scale a business, what it takes to succeed, and I've learned a lot about myself. One of the things I've learned is that I am, at my core, a startup guy. I love small companies and small teams, I love starting new things, and it's time for me to get back to my roots. So…tomorrow will be my last day as an official employee of Rapid7.

Someone asked me the other day what it's like to be part of a startup. The best way I can describe it is that it's like a shared delusion; you have to keep the hallucination going, keep everyone dreaming, keep YOURSELF dreaming, until that dream starts to become a reality. Once in a while, someone "wakes up", they fall out of the dream, and we don’t hear from them again. And that's OK - we just keep going.

You know in the cartoon where Wile E. Coyote runs off the edge of the cliff and keeps running on thin air? It's like that - except you've got a dozen people running beside you. And everyone is responsible for making sure that nobody else looks down.

You start off with just a couple people - not geniuses, just regular folks who have no right to start a company. If you're incredibly lucky, you've got a killer idea, but probably what you've actually got is an idea that's just barely good enough to work. And if you can somehow find the nerve to believe you'll succeed when the odds are overwhelmingly tilted towards failure; if you can stay flexible and keep adapting and making sh*t up until you find out what works; if you can work 10x harder than everyone else so you can outrun your early failures; if you can sustain that belief, that dream state, for long enough…then you have a chance of pulling it off.

That's why the "Who" is so much more important than the "What". That's why culture matters. And that's why I've always said that we're not in the software business. We're not even in the security business. We're in the people business.

When I look back at the last 14 years, there's so much to be proud of. We've built a great team, we've shipped products that help customers, we've closed big deals, we've done acquisitions that took the industry by storm, we've broken record after record, and we've earned the praise and recognition of analysts and the press. Even though we have much more to achieve, we should be really, really proud.

With all of that said, what I'm most proud of is the personal success of the people who have joined this shared delusion we call Rapid7. I've had the great privilege of helping people I hired grow into world-class engineers, sales people, and managers. I've seen them get promoted, earn degrees, obtain US citizenship, get married, buy homes, and start families -- taking advantage of all the opportunities that Rapid7 provides. I will be forever grateful for having been even a small part of that success.

I'm incredibly proud of the team we have today and I'm excited about where Rapid7 is headed. You're all ready for the next phase of growth, adventure, and success. Just remember to keep taking care of each other, and don't look down!

With love,

Monday, April 28, 2014

If you lived here, you'd be home now - thoughts on the Internet Explorer 0-day vulnerability

Growing up around Boston, I remember seeing the famous billboards for the Charles River Park apartments: "If You Lived Here, You'd Be Home Now". These signs were placed strategically, almost sadistically, on Storrow Drive where they were seen every day by the thousands of motorists trapped in rush hour gridlock. This morning, as IT departments scrambled to react to the Internet Explorer 0-day vulnerability, I couldn't help but think about that devilish piece of advertising.

This critical vulnerability in all versions of Internet Explorer was discovered by FireEye "in the wild". When a vulnerability is found being actively exploited like this, there is no time for the vendor to prepare a patch -- the only responsible course of action is to follow the dictates of military journalism: "Maximum disclosure with minimum delay". This resulted in Microsoft publishing its security advisory on a Saturday, while its engineers were still feverishly working on a patch.

Monday morning dawned with no available patch for this issue. The US and UK governments (and most IT departments) published guidance saying to avoid using Internet Explorer until a fix becomes available. Presumably, FireEye's excellent technology can be configured to block this attack, but edge-protection technologies only protect users while they are on the corporate network. Anyone using a laptop from home, a hotel, or a coffee shop is still wide open to attack.

What else can be done at this point, without a patch? A lot, as it turns out! Organizations who have done a good job of deploying Microsoft EMET (Enhanced Mitigation Experience Toolkit) on their desktops are protected to a large degree from this 0-day attack. EMET is a free tool that provides system- and application-level control over exploit mitigation settings such as DEP and ASLR. While the exploit does attempt to bypass DEP and ASLR (and possibly EAF mitigation), FireEye confirms that systems with EMET 4.1 and 5.0 were successful in blocking the exploit in the wild.

Situations like this are exactly why Rapid7 features EMET deployment as an integral part of our Desktop Recommended Controls in our ControlsInsight product. You can't get a passing grade in ControlsInsight unless EMET is not only deployed to endpoints, but is also configured correctly and actually running. We don't believe that EMET is a panacea, but we have seen time and time again situations where the first few versions of an exploit are blocked by EMET, giving organizations precious time to obtain and deploy a patch in production. Sometimes, all you need is a couple days -- even a few hours of protection can make a big difference in your ability to react and respond to a new vulnerability.

Too many organizations confuse "vulnerability management" with "patch management". There is a LOT more to successfully managing vulnerabilities than simply playing whack-a-mole with known patches. A good vulnerability management program will include a careful assessment of key controls such as desktop and server hardening, browser and browser plugin configuration, least-privilege settings, antivirus, and exploit mitigations such as EMET. As with any controls assessment, it's not enough to say "We have antivirus installed" or "We have EMET installed" - you have to validate that the control is installed, up-to-date, correctly configured, and actually running.
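As an added example of what "installed, configured, and actually running" looks like as a check (this is not code from the original post or from any Rapid7 product), the PowerShell function below tests a single Windows host for three things: that EMET_Conf.exe is present, that the EMET agent service is running, and that iexplore.exe appears in EMET's per-application mitigation list. The service name `EMET_Service`, the `EMET x.y` program-folder layout, and the `EMET_Conf.exe --list` / `--list_system` switches are assumptions about EMET 4.1/5.0 and should be confirmed on a reference machine before the check is trusted fleet-wide.

```powershell
function Test-EmetDeployment {
    # Assumed names for EMET 4.1 / 5.0; verify these on a reference host first.
    $serviceName = 'EMET_Service'
    $ieProcess   = 'iexplore.exe'

    $result = New-Object PSObject -Property @{
        Host           = $env:COMPUTERNAME
        Installed      = $false
        ServiceRunning = $false
        IEProtected    = $false
        SystemSettings = $null
        Pass           = $false
    }

    # 1. Installed? Look for EMET_Conf.exe under a "EMET*" folder in either Program Files root.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $conf = Get-ChildItem -Path $roots -Filter 'EMET*' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object { Join-Path $_.FullName 'EMET_Conf.exe' } |
            Where-Object { Test-Path $_ } |
            Select-Object -First 1
    if (-not $conf) { return $result }
    $result.Installed = $true

    # 2. Running? "Installed but stopped" is exactly the gap a controls assessment must catch.
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    $result.ServiceRunning = ($svc -ne $null -and $svc.Status -eq 'Running')

    # 3. Configured? --list prints the per-application mitigation table (assumed switch);
    #    we only require that Internet Explorer is covered. --list_system prints the
    #    system-wide DEP/SEHOP/ASLR policy and is captured for the report as-is.
    $apps = & $conf --list 2>&1
    $result.IEProtected    = [bool]($apps | Select-String -SimpleMatch $ieProcess -Quiet)
    $result.SystemSettings = (& $conf --list_system 2>&1) -join '; '

    $result.Pass = $result.Installed -and $result.ServiceRunning -and $result.IEProtected
    return $result
}

# Run locally; for a fleet, push the function through Invoke-Command or a scheduled task
# and collect the objects centrally so the "Pass" column is evidence, not an assertion.
Test-EmetDeployment | Format-List Host, Installed, ServiceRunning, IEProtected, SystemSettings, Pass
```

The point of returning an object rather than printing "OK" is that the three booleans fail independently: a host can have the MSI installed with the service disabled, or the service running with a default application list that never had the browser added. Each of those is a different remediation, and only the combined `Pass` answers the question this post is really asking.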

If you came into work this morning knowing that EMET was deployed and properly configured enterprise-wide (and you could prove it), you probably had a very different set of conversations than everyone else who was scrambling to react to this unpatched vulnerability. In other words "If You Lived Here, You'd Be Home Now." :-)