Duo Security CEO: “Attackers are not hacking into your system, they’re simply logging in.”
August 22, 2018 | Blog

Duo Security CEO: “Attackers are not hacking into your system, they’re simply logging in.”

Duo Security co-founders Dug Song and Jon Oberheide
Duo Security co-founders Dug Song and Jon Oberheide

If I knew Duo Security co-founder and CEO Dug Song would one day sell his cybersecurity firm for more than $2 billion, I would have ordered a more expensive lunch. Or at least get a dessert.

I first met Song in 2011 when I was working for a news startup in Ann Arbor, Michigan. Song was kind of a big brother to me, even taking me out to lunch a few times. So it was a pleasant surprise when I recently learned that Duo reached unicorn status with a valuation of $1.17 billion.

I reached out to Song for an interview and he agreed. But then a week later came news that Cisco Systems agreed to purchase Duo for $2.35 billion, about twice its private value. The company’s investors include Redpoint Ventures, Lead Edge Capital, and GV, the corporate venture arm of Alphabet, the parent company of Google.

The price tag might seem steep but cybersecurity firms have attracted considerable interest from investors, given the increasing pace and sophistication of cyberattacks. Last year, investors poured $10 billion into startups, more than twice the amount in 2015, according to SharesPost research. During this time period, cybersecurity “mega deals,” $100 million or greater, jumped to 58 percent of all private deals from 25 percent.

Already this year, we’ve witnessed several cybersecurity unicorns go public, including Zscaler and Carbon Black. But SharesPost has predicted companies will more likely pursue acquisitions, especially by major tech firms like Amazon and Microsoft looking to fill out their large platforms of products and services. (Read our report here).

Indeed, Song decided to pursue this path.

“Cisco created the modern IT infrastructure,” Song told me via e-mail. “By joining forces with the world’s largest networking and enterprise security company, we have a unique opportunity to drive change at a massive scale and reshape the industry.”

Duo specializes in two factor authentication, in which a user must prove their identity by presenting two pieces of evidence (what they know, something they have, etc.). The company has since expanded its product offering to provide secure access to organizations transitioning to cloud-based IT environments and increasingly mobile workforces.

Two factor is hardly new and might even seem outdated given the growing power of computers, including artificial intelligence. But Song says the basic method remains the same.

“As seen in the latest headline-making hacks, attackers don’t need to use advanced techniques to breach an organization - the majority of the time, they’re going after users,” Song said.

“Despite the hype of sophisticated zero-day attacks and ‘next generation’ threats, the plain truth is that the vast majority of breaches are still caused by stolen login credentials or malware,” he said. “Attackers are not hacking into your system, they’re simply logging in.”

Cisco’s acquisition doesn’t close until November so I assumed Song would want to postpone the interview. To my surprise, he answered questions on a variety of topics, ranging from biometric technology and artificial intelligence to election hacking and the Internet of Things.

Here’s an edited version of our conversation.

SharesPost: Will two factor authentication eventually evolve to include biometric data like face recognition, which is now a regular feature on mobile devices like the iPhone? Are we moving to three-factor authentication or is that too burdensome?

Dug Song: We’ve already seen two-factor authentication providers, including Duo, leverage biometrics such as Apple’s TouchID as an additional layer of security for login requests. What we’re likely to see in the future are sites starting to use Web Authentication, commonly known as “WebAuthn,” which is a new feature supported in major browsers that enables creation and use of strong credentials, including biometrics, on the web. This means websites can offer users a single-step login experience with the best security possible. These credentials can be stored in a mobile phone, a computer’s secure storage or a physical token like a YubiKey.

SharesPost: How will the growing use of artificial intelligence change the industry in general and Duo specifically?

Song: Ten years ago, the standard approach to scaling security was to recruit more security analysts. The trend now is towards using automation to scale up security operations. Machine learning and artificial intelligence are great tools to help analysts in ways that were not previously feasible, but these tools will probably never replace people altogether. Instead, they will enable them to work more efficiently to identify threats in ever larger streams of sensor data. At Duo specifically, you’ll see us continue to focus on making capabilities that were previously accessible only to companies with large, well-resourced security teams available to organizations of all sizes. We want to enable small teams to have a big impact.

SharesPost: Do you think people place too much faith in technology to protect data versus altering their own behavior?

Song: Not at all. In fact, we are often too quick to blame people for the failings of technology that should have been secured better. Duo is working to democratize security: to build it for everyone, so that you don’t have to be a security expert to benefit from it. We want people to be able to focus on their own missions while we help secure theirs.

SharesPost: Can we protect against foreign hacking of our elections?

Song: There’s no doubt that cybersecurity has become the biggest geopolitical issue of our time. The federal government, in particular, has been pushing to modernize its IT infrastructure, which is not only about increasing productivity, but protecting against cyber threats meant to derail how we function as a society and democracy.

However, it’s important to recognize that this is not primarily a technology or security issue, but a policy challenge. The risks from electronic voting are very real, demonstrable, and solvable - but we need the political will to address them.

SharesPost: Given the risks posed by the Internet of Things, do you think the benefits of such technology outweighs the potential dangers? How do you strike the balance between innovation and cyber risks?

Song: Manufacturers need to build devices with a security-first mindset, rather than see it as an afterthought. But unfortunately, as with any other type of computing, advances in technology rush ahead of the means for securing them. This means that the Internet of Things will continue to be insecure before consumers (or regulators) demand change. It’s better to wait to adopt anything until the second or third generation, to give researchers time to find the bugs and for the manufacturers to fix them.

PLEASE READ THESE IMPORTANT LEGAL NOTICES & DISCLOSURES

CONFLICTS

This report is being published by SharesPost Research LLC, and distributed by SharesPost Financial Corporation, a member of FINRA/SIPC. SharesPost Research LLC, SharesPost Financial Corporation and SP Investments Management, LLC, an investment adviser registered with the Securities and Exchange Commission, are wholly owned subsidiaries of SharesPost, Inc.

Recipients who are not market professionals or clients of SharesPost Financial Corporation should seek the advice of their own personal financial advisors before making any investment decisions based on this report. None of the information contained in this report represents an offer to buy or sell, or a solicitation of an offer to buy or sell, any security, and no buy or sell recommendation should be implied, nor shall there be any sale of these securities in any state or governmental jurisdiction in which said offer, solicitation, or sale would be unlawful under the securities laws of any such jurisdiction.

This report does not constitute an offer to provide investment advice or service. Registered representatives of SharesPost Financial Corporation do not (1) advise any member on the merits or advisability of a particular investment or transaction, or (2) assist in the determination of fair value of any security or investment, or (3) provide legal, tax, or transactional advisory services.

ANALYST CERTIFICATION

The analyst(s) certifies that the views expressed in this report accurately reflect the personal views of such analyst(s) about any and all of the subject securities or issuers, and that no part of such analyst compensation was, is, or will be, directly or indirectly related to the specific views contained in this report.

Analyst compensation is based upon various factors, including the overall performance of SharesPost, Inc. and its subsidiaries, and the performance and productivity of such analyst, including feedback from clients of SharesPost Financial Corporation and other stakeholders in our ecosystem, the quality of such analyst’s research and the analyst’s contribution to the growth and development of our overall research effort. Analyst compensation is derived from all revenue sources of SharesPost, Inc., including brokerage sales.

DISCLAIMER

This report does not contain a complete analysis of every material fact regarding any issuer, industry, or security. The opinions expressed in this report reflect our judgment at this date and are subject to change. The information contained in this report has been obtained from sources we consider to be reliable; however, we cannot guarantee the accuracy of all such information.

Any securities offered are offered by SharesPost Financial Corporation, member FINRA/SIPC. SharesPost Financial Corporation and SP Investments Management are wholly owned subsidiaries of SharesPost, Inc. Certain affiliates of these entities may act as principals in such transactions.

Investing in private company securities is not suitable for all investors. An investment in private company securities is highly speculative and involves a high degree of risk. It should only be considered as a long-term investment. You must be prepared to withstand a total loss of your investment. Private company securities are also highly illiquid and there is no guarantee that a market will develop for such securities. Each investment also carries its own specific risks and you should complete your own independent due diligence regarding the investment, including obtaining additional information about the company, opinions, financial projections and legal or other investment advice.

Accordingly, investing in private company securities is appropriate only for those investors who can tolerate a high degree of risk and do not require a liquid investment.

SharesPost, the SharesPost logo, My SharesPost, the SharesPost Index, and SharesPost Investment Management are all registered trademarks of SharesPost, Inc. All other trademarks are the property of their respective owners.

Copyright SharesPost, Inc. 2019. All rights reserved.

Thomas Lee

Thomas Lee

Thomas Lee is the Senior Writer at SharesPost. He was previously a business columnist at the San Francisco Chronicle. Lee has written for the Star Tribune in Minneapolis, St. Louis Post-Dispatch, and Seattle Times. He is author of “Rebuilding Empires” (St. Martin's Press), his book on the future of big box retail in the digital age.
PLEASE READ THESE IMPORTANT LEGAL NOTICES & DISCLOSURES

CONFLICTS

This report is being published by SharesPost Research LLC, and distributed by SharesPost Financial Corporation, a member of FINRA/SIPC. SharesPost Research LLC, SharesPost Financial Corporation and SP Investments Management, LLC, an investment adviser registered with the Securities and Exchange Commission, are wholly owned subsidiaries of SharesPost, Inc.

Recipients who are not market professionals or clients of SharesPost Financial Corporation should seek the advice of their own personal financial advisors before making any investment decisions based on this report. None of the information contained in this report represents an offer to buy or sell, or a solicitation of an offer to buy or sell, any security, and no buy or sell recommendation should be implied, nor shall there be any sale of these securities in any state or governmental jurisdiction in which said offer, solicitation, or sale would be unlawful under the securities laws of any such jurisdiction.

This report does not constitute an offer to provide investment advice or service. Registered representatives of SharesPost Financial Corporation do not (1) advise any member on the merits or advisability of a particular investment or transaction, or (2) assist in the determination of fair value of any security or investment, or (3) provide legal, tax, or transactional advisory services.

ANALYST CERTIFICATION

The analyst(s) certifies that the views expressed in this report accurately reflect the personal views of such analyst(s) about any and all of the subject securities or issuers, and that no part of such analyst compensation was, is, or will be, directly or indirectly related to the specific views contained in this report.

Analyst compensation is based upon various factors, including the overall performance of SharesPost, Inc. and its subsidiaries, and the performance and productivity of such analyst, including feedback from clients of SharesPost Financial Corporation and other stakeholders in our ecosystem, the quality of such analyst’s research and the analyst’s contribution to the growth and development of our overall research effort. Analyst compensation is derived from all revenue sources of SharesPost, Inc., including brokerage sales.

DISCLAIMER

This report does not contain a complete analysis of every material fact regarding any issuer, industry, or security. The opinions expressed in this report reflect our judgment at this date and are subject to change. The information contained in this report has been obtained from sources we consider to be reliable; however, we cannot guarantee the accuracy of all such information.

Any securities offered are offered by SharesPost Financial Corporation, member FINRA/SIPC. SharesPost Financial Corporation and SP Investments Management are wholly owned subsidiaries of SharesPost, Inc. Certain affiliates of these entities may act as principals in such transactions.

Investing in private company securities is not suitable for all investors. An investment in private company securities is highly speculative and involves a high degree of risk. It should only be considered as a long-term investment. You must be prepared to withstand a total loss of your investment. Private company securities are also highly illiquid and there is no guarantee that a market will develop for such securities. Each investment also carries its own specific risks and you should complete your own independent due diligence regarding the investment, including obtaining additional information about the company, opinions, financial projections and legal or other investment advice.

Accordingly, investing in private company securities is appropriate only for those investors who can tolerate a high degree of risk and do not require a liquid investment.

SharesPost, the SharesPost logo, My SharesPost, the SharesPost Index, and SharesPost Investment Management are all registered trademarks of SharesPost, Inc. All other trademarks are the property of their respective owners.

Copyright SharesPost, Inc. 2019. All rights reserved.