Tell us about Sucuri. How did you get involved in website security?
Sucuri is a website security platform. The platform offers small businesses a suite of security tools designed to keep their online presence safe. We were established in 2010 as a US Company, and in April of 2017 we were acquired by GoDaddy. Today we are a premium security provider to many small businesses, helping them keep bad actors at bay and providing professional incident response services if they are compromised. Our primary goal is to partner with our customers in such a way that they can get back to running their business and let us worry about their security. As for my personal involvement with website security, it began 2005 / 2006 as a defense contractor building complex GIS-based web applications for the Department of Defense, but that was more about gaining familiarity with its importance, rather than true intimacy with the subject. True intimacy came later in 2010 / 2011 when Dre and Daniel invited me to join the Sucuri founding team. Since then, my knowledge has come from first-hand experience working with 10’s of thousands of small businesses around the world.
There are many website security products on the market. What is unique about Sucuri?
At the core of what makes Sucuri unique is our people - our overemphasis on value-first and our general intolerance for nonsense. We’re proud of having a 98% satisfaction rate from our customers, and have for years, for a reason. Another big thing you’ll find with Sucuri is that we don’t put the risk on the customer and that we’re very transparent about pricing. What you see, is what you get. We don’t expect the customer to be familiar with all the nuances of security (e.g., how many pages they have, or types of infections). We assume full ownership. If a customer comes to us infected, we charge one flat fee and make sure the customer is totally clean. This approach is a huge technical differentiator that many people don’t realize.
Sucuri offers several different products and services. Can you briefly outline them? Which is the most popular?
It’s actually pretty straightforward. We have Protection, Detection, Response, and Continuity. Protection comes in the form of a cloud-based firewall, which includes performance optimization with a CDN (Content Delivery Network). In short, it aims to keep your website protected by creating a perimeter around it. When attackers target your website, our solution fights them off while letting the good traffic come through. Detection is also cloud-based - it keeps a continuous eye on your online presence to gauge its security state. It looks for any signs that something malicious has occurred and checks for things like blacklists, malware distribution, and other evil activity. For most small businesses, it’s impossible to keep ahead of everything, let alone security. This solution aims to solve that. Instead of worrying if something is wrong, we’ll just tell you if we detect it. Response is what we consider a productized service. It is a team that comes in and fixes all the bad stuff done by the bad actors. You have an infection? No problem, our team goes in and removes it. Consider it your personal quick reaction force. This service predates almost all the other products we offer, it’s where we got our start. The biggest question we always get is if a customer can come to us infected - yes, of course. Continuity is also cloud-based and comes in the form of backups. Even all the controls in the world cannot prevent all attacks. We subscribe to the idea that while we have to be right every time, the attackers only have to be right once. So, at a minimum, you should always have some form of backup. This goes beyond websites and extends to your everyday business activities as well.
Following on that, your products can support a large variety of platforms from WordPress to Joomla - how are you able to manage so many different platform requirements?
Exactly, our technology is platform agnostic. This means we can support any technology, and this was a key decision we made early in our inception. As for how, that was easy - we focused on being in the cloud. The cloud allowed us to build a singular solution that looks specifically at attacks, and doesn’t worry about the environment it resides in. The cloud allowed us to scale quickly, and control the entire experience for the customer.
Which of the popular platforms seems to be the favorite target for attackers? Why do you think that is?
WordPress hands down. As for why, it is because there is more value in targeting it. It has less to do with platform security and has more to do with the ROI (Return On Investment) being greater. This makes more sense when you look at the anatomy of today’s attacks, which are mostly automated attacks of opportunity. In short, there are a lot more WordPress installations available. If you can find a successful vector to exploit, the odds of having a massive impact (which translates to massive ROI for the attacker) are huge.
How would you describe your typical customer?
Our typical customer is the small business owner that uses their web property as a key acquisition tool. They recognize the importance of their web presence, but don’t have the dedicated internal staff to focus on their security concerns. They need a trusted partner, and that’s where we come in.
You mention on your website that you use Machine Learning to detect new threats - how does that work? How active are your analysts in the process?
I am not a big fan of using terms like machine learning, artificial intelligence, etc.. I would say that we do a lot of heuristic analysis and at the core of everything we do is people, so our people are integral to the process.
You were recently acquired by Internet giant GoDaddy. How has that changed Sucuri?
Sucuri is still a stand-alone brand. Yes, we have new administrative systems to work with, new processes to comply with, but as for how we operate - it’s mostly the same as it was before the acquisition. If anything, you could say it’s made us better. We’ve had to scale to support the GoDaddy customers and in doing so it’s allowed us to get more creative in how we service our customers. This has benefited not only GoDaddy, but all the Sucuri direct customers as well. It has also brought about a lot of new exposure, and access to additional resources. We have a plethora of new data insights we didn’t have before, and we get to see what it’s like to work for the largest hosting company in the world. This brings some valuable insights that all our customers and partners benefit from.
Let’s take a step back for a moment. What do you see as the most significant challenges to website security today?
I’d say it’s the amount of misinformation in the space. Today, those that are controlling the narrative are the marketers that can win the positioning the game. This is also being affected by the large brands that are conveying security incorrectly - Google and their HTTPS mantra (e.g., HTTPS secures your site) is a perfect example of this. We have always strived to be a beacon of truth in a world riddled with misinformation.
Have attacks like the Equifax hack or the incredible Yahoo hack affected the cybersecurity industry? What lessons have - or haven’t - been learned from these types of massive attacks?
It depends on what industry you’re speaking of. At the enterprise level, no one wants to be the next CEO / CISO (Chief Information Security Officer) to get fired so you can bet investments are going up. All the latest reports and spending, and startups in the space would support that statement. At the consumer and small-business level, the effects are slightly different. I would say there is a certain level of indifference and fatigue as it pertains to security. Unlike big brands, the value proposition is tough unless they have directly felt the pain of a breach. This makes sense when you consider all the things a small business owner has on their mind - security is not a revenue generator. I personally sense a general indifference - “If this can happen to a big brand, then I’m screwed.” or “Well, I’ve never had a problem, so I’ll assume I’m fine.” As for lessons learned, when you look at all the breaches over the past couple of years, the problem we face is not technological. Everyone has technology and every day there is new technology. The problem is how do people make sense of the mountains of data they are tasked with sifting through? How do we help make better decisions? How do we prioritize? When everything is important, nothing is important.