Duo Security CEO: “Attackers are not hacking into your system, they’re simply logging in.”
August 22, 2018 | Blog

Duo Security co-founders Dug Song and Jon Oberheide

If I had known Duo Security co-founder and CEO Dug Song would one day sell his cybersecurity firm for more than $2 billion, I would have ordered a more expensive lunch. Or at least gotten a dessert.

I first met Song in 2011 when I was working for a news startup in Ann Arbor, Michigan. Song was kind of a big brother to me, even taking me out to lunch a few times. So it was a pleasant surprise when I recently learned that Duo reached unicorn status with a valuation of $1.17 billion.

I reached out to Song for an interview and he agreed. But then a week later came news that Cisco Systems agreed to purchase Duo for $2.35 billion, about twice its private value. The company’s investors include Redpoint Ventures, Lead Edge Capital, and GV, the corporate venture arm of Alphabet, the parent company of Google.

The price tag might seem steep but cybersecurity firms have attracted considerable interest from investors, given the increasing pace and sophistication of cyberattacks. Last year, investors poured $10 billion into startups, more than twice the amount in 2015, according to SharesPost research. During this time period, cybersecurity “mega deals,” $100 million or greater, jumped to 58 percent of all private deals from 25 percent.

Already this year, we’ve witnessed several cybersecurity unicorns go public, including Zscaler and Carbon Black. But SharesPost has predicted companies will more likely pursue acquisitions, especially by major tech firms like Amazon and Microsoft looking to fill out their large platforms of products and services.

Indeed, Song decided to pursue this path.

“Cisco created the modern IT infrastructure,” Song told me via e-mail. “By joining forces with the world’s largest networking and enterprise security company, we have a unique opportunity to drive change at a massive scale and reshape the industry.”

Duo specializes in two-factor authentication, in which a user must prove their identity by presenting two pieces of evidence (something they know, something they have, etc.). The company has since expanded its product offering to provide secure access to organizations transitioning to cloud-based IT environments and increasingly mobile workforces.

Two-factor authentication is hardly new and might even seem outdated given the growing power of computers, including artificial intelligence. But Song says the basic method remains the same.

“As seen in the latest headline-making hacks, attackers don’t need to use advanced techniques to breach an organization - the majority of the time, they’re going after users,” Song said.

“Despite the hype of sophisticated zero-day attacks and ‘next generation’ threats, the plain truth is that the vast majority of breaches are still caused by stolen login credentials or malware,” he said. “Attackers are not hacking into your system, they’re simply logging in.”

Cisco’s acquisition doesn’t close until November so I assumed Song would want to postpone the interview. To my surprise, he answered questions on a variety of topics, ranging from biometric technology and artificial intelligence to election hacking and the Internet of Things.

Here’s an edited version of our conversation.

SharesPost: Will two-factor authentication eventually evolve to include biometric data like face recognition, which is now a regular feature on mobile devices like the iPhone? Are we moving to three-factor authentication or is that too burdensome?

Dug Song: We’ve already seen two-factor authentication providers, including Duo, leverage biometrics such as Apple’s TouchID as an additional layer of security for login requests. What we’re likely to see in the future are sites starting to use Web Authentication, commonly known as “WebAuthn,” which is a new feature supported in major browsers that enables creation and use of strong credentials, including biometrics, on the web. This means websites can offer users a single-step login experience with the best security possible. These credentials can be stored in a mobile phone, a computer’s secure storage or a physical token like a YubiKey.

SharesPost: How will the growing use of artificial intelligence change the industry in general and Duo specifically?

Song: Ten years ago, the standard approach to scaling security was to recruit more security analysts. The trend now is towards using automation to scale up security operations. Machine learning and artificial intelligence are great tools to help analysts in ways that were not previously feasible, but these tools will probably never replace people altogether. Instead, they will enable them to work more efficiently to identify threats in ever larger streams of sensor data. At Duo specifically, you’ll see us continue to focus on making capabilities that were previously accessible only to companies with large, well-resourced security teams available to organizations of all sizes. We want to enable small teams to have a big impact.

SharesPost: Do you think people place too much faith in technology to protect data versus altering their own behavior?

Song: Not at all. In fact, we are often too quick to blame people for the failings of technology that should have been secured better. Duo is working to democratize security: to build it for everyone, so that you don’t have to be a security expert to benefit from it. We want people to be able to focus on their own missions while we help secure theirs.

SharesPost: Can we protect against foreign hacking of our elections?

Song: There’s no doubt that cybersecurity has become the biggest geopolitical issue of our time. The federal government, in particular, has been pushing to modernize its IT infrastructure, which is not only about increasing productivity, but protecting against cyber threats meant to derail how we function as a society and democracy.

However, it’s important to recognize that this is not primarily a technology or security issue, but a policy challenge. The risks from electronic voting are very real, demonstrable, and solvable - but we need the political will to address them.

SharesPost: Given the risks posed by the Internet of Things, do you think the benefits of such technology outweigh the potential dangers? How do you strike the balance between innovation and cyber risks?

Song: Manufacturers need to build devices with a security-first mindset, rather than see it as an afterthought. But unfortunately, as with any other type of computing, advances in technology rush ahead of the means for securing them. This means that the Internet of Things will continue to be insecure before consumers (or regulators) demand change. It’s better to wait to adopt anything until the second or third generation, to give researchers time to find the bugs and for the manufacturers to fix them.

DISCLAIMER: This blog does not contain a complete analysis of every material fact regarding any issuer, industry, or security. The information contained in this blog has been obtained from sources we consider to be reliable; however, we cannot guarantee the accuracy of all such information.

None of the information contained in this blog represents an offer to buy or sell, or a solicitation of an offer to buy or sell, any security, and no buy or sell recommendation should be implied, nor shall there be any sale of these securities in any state or governmental jurisdiction in which said offer, solicitation, or sale would be unlawful under the securities laws of any such jurisdiction.

Any securities offered are offered by SharesPost Financial Corporation, a member of FINRA/SIPC. SharesPost Financial Corporation and SP Investments Management are wholly owned subsidiaries of SharesPost Inc. Certain affiliates of these entities may act as principals in such transactions.

Copyright © SharesPost, Inc. 2019. All rights reserved.

Thomas Lee

Thomas Lee is the Senior Writer at SharesPost. He was previously a business columnist at the San Francisco Chronicle. Lee has written for the Star Tribune in Minneapolis, St. Louis Post-Dispatch, and Seattle Times. He is author of “Rebuilding Empires” (St. Martin's Press), his book on the future of big box retail in the digital age.
