Tanium will make money without disrupting anything

After a weeklong re-examination of disruption theory, out of the blue comes a new venture, Tanium, that received $90 million in funding from Andreessen Horowitz, meaning that they, at least, value it in the billions. Contrary to what many people think, billion-dollar companies don’t just appear out of nowhere every day. For that reason, I thought I’d take a closer look.

Tanium’s idea is this: to fight security and other network management problems by making it dead easy for network managers to find out what is going on. You might think that is what network managers do, and while that is true, up until now they haven’t actually had the tools to be effective. That means that network managers have been focussed on prevention rather than a cure. While there is a tendency to think that is a good thing, prevention often equates to restrictions, rules and regulations and is, basically, why Dilbert could dub network managers the “preventers of information technology.”

To explain this, I lift liberally from a post by Steven Sinofsky (ex-head of Microsoft Windows and now Tanium board member):

Orion popped open his laptop, clicked a bookmark and navigated to Tanium’s web-based “console”. At the top of the screen, we saw a single edit control like you’d see for a search engine. He started typing in natural language questions such as “show computers where CPU > 75%” and “show computers with a process named WINWORD.EXE”. Within seconds, just like using search, a list of computers scrolled by as though it was just an existing spreadsheet or report. At this point we reached the only reasonable conclusion—Orion was showing us a simulation of the product they hoped to build.

After all, we were all quite familiar with the state of the art for this type of telemetry (BigFix in particular represented the state of the art) and we knew that what we were seeing was just not possible.

But, the demonstration was not a simulation or edited screen capture. In fact, Tanium was running on a full scale deployment of thousands of end-points. This wasn’t even a demo scenario, but a live, production deployment—the magic of Tanium. As we learned more about Tanium and how it easily scales to 500,000 end-points (not theoretically, but in practice) and the breadth of capabilities, we were more than intrigued.

This is compared to what happens today.

Today’s IT Pros on both security and management teams know the types of information they need from their network. With current tools these questions require careful planning, significant infrastructure, and a fine balance between what IT needs to know and the cost to the end user who is working on the computers that are being queried – if you get it wrong, you can cause slow logons and sluggish performance at inconvenient times. However, to effectively manage and secure networks and provide assurance of compliance with government and industry regulations IT Pros absolutely require information such as hardware configuration, software inventory, network usage, patch and update status, and more. In addition, today’s socially engineered security risks are often combinations of seemingly simple combinations of running programs, files or attachments on the system, and a few other clues. An IT Pro walking up to a PC or Mac could easily obtain all of this information, but for all practical purposes it is impossible for them to gather that data from the thousands of end-points they are responsible for with any level of ease or timeliness.

Getting that data at scale is typically hard and slow because almost every Systems Management tool uses a classic hub (servers) and spoke (end-points) architecture.  IT Pros deploy multiple servers running on network segments with high-end databases and significant networking hardware combined with fairly elaborate end-point runtimes. Even when this state of the art deployment is carefully tuned, the best case at very large scales can be 3 days to “compute” the answer to critical operational questions, assuming you knew ahead of time you were going to ask those questions. By this time the information would be out of date and by then the whole problem you were thinking about has probably changed. As a result most IT Pros know that best case the data is approximate, and worst case just worthless. For mission critical problems, such as compliance with HIPAA (healthcare) or PCI (electronic payment) regulations, this is more than just inconvenient for IT, it can cause a painful failure with board-level visibility.

The state of the art for Security is all about building stronger and taller walls between the enterprise network and the internet.  We’re familiar with these approaches across the basics of firewalls, more sophisticated security appliances and adaptive architectures, and of course the typical security suites that run on end-points. Unfortunately, the bad guys are wise to that game, and modern threats are created anticipating that these protections are in place—in many cases, the bad guys actually “QA” their attacks against the systems enterprises use before they release them. In addition, today’s malware is targeted to particular organizations, and is often put in place by a series of seemingly benign or undetectable actions. Malware, a bot, or a backdoor make their way onto the network leaving behind a series of benign clues—a running process, a changed file, a memory signature, or a specific network packet.  It is only taken together that a pattern emerges. It is only after the fact or with an IOC (indicator of compromise) in hand that IT Pros can potentially track down end-points that have been compromised. Unfortunately, IT is literally swamped by IOCs to investigate and there are no effective tools that support this wide range of questions and even if you could, the state of the art would give answers in days, long after the damage was done.

Given that background, let me try and assess what the future of this venture is.

Is Tanium a disruptive innovation?

No. While not everyone agrees with my two-step definition of a disruptive innovation, it appears that Tanium’s technology performs better than the current technology on all dimensions that matter — specifically, it is faster and more accurate.

But surely, therefore, there is someone who might be adversely affected? The obvious targets are network managers and their departments. That, however, is not clear. This is a tool for them and makes them actually more productive and, some might say, productive. The quicker they can identify problems, the quicker they can get around to the task of fixing them. What is more, Tanium does not automate any function; it requires people to make it operative.

I guess the only potential threat to these departments is an equilibrium one whereby Tanium is so effective, it reduces the power of those undermining security and the threats diminish. However, as we know with the TSA, that does not necessarily mean resources won’t be devoted to security.

How will Tanium make money?

So if Tanium isn’t saving a current budgetary cost, how will Tanium make money? The answer is that it is removing costs associated with a lack of security. As many recent examples have shown, security and management issues are extremely damaging — especially to large corporations and governments. They have been willing to pay a lot for security solutions that don’t really work; think about what they will pay for one that does work.

What is more, this is a situation where the legal system is going to drive adoption. Put simply, enterprises that don’t adopt Tanium, and do so quickly, may be vulnerable to lawsuits that say they should have. The big limit on a company’s liability now is that they were doing the best they could given the technology. That technology just moved and with it, the legal standard.

What about imitation?

Tanium’s end game comes straight out of the playbook in Peter Thiel’s Zero to One book (that I read this weekend and will have more to say about later). They hope to be a dominant player in this new technology — which, basically, means a monopoly. I am sure that somewhere on a PowerPoint deck is a branding aim: “No one ever got fired for buying Tanium.” They want to be in a position where this technology is an annuity.

The big challenge, of course, is that someone else leapfrogs Tanium and does this better. Google and Microsoft both come to mind as potential threats here. And we know that Tanium sees them that way, which is why they were actually quite slow to market (from what I can gather, 5 – 7 years without even tapping the VC market). They have been operating in extreme secrecy, even with client testing. Indeed, when the aim is to control a market, the tactic is to take your time and to reveal yourself to the world when you are ready to control the market.
