The Shield Story: A Reason for Optimism

Sam Reed

Foreword

We're a couple of weeks late to the "Year in Review" blog party.

That's ok; this isn't one of those.

Of course, we're thrilled about launching Shield, onboarding our first partners, and continuing to grow our all-star roster. On top of that, 2023 introduced us to talented people solving real problems, and we made some friends along the way.

But that's not the purpose of this reflection/look ahead.

According to author and entrepreneur Seth Godin:

"Your job… is to find a spot on the map with edges that (some) people want to find. Not a selfish, unique selling proposition, done to maximize your market share, but a generous beacon, a signal flare sent up so that people who are looking for you can easily find you. We're this, not that."

For those who don't know us, this article is intended to be that beacon.

Before we dive in, here is some housekeeping:

  • The word "we" refers to the entity of Shield. It's safe to assume that in most cases, "we" represents the experiences of Shield co-founders Teddy and Michael. For example, the "On the Origin of Shield" section is from Teddy's perspective.
  • "M(S)SP" is used as a shorthand to represent the channel through which we work exclusively.

Why Write This? (And Who Should Read It?)

It’s no secret that time and resources are limited.

So why spend 12 hours writing this article? And why should you spend about five minutes reading it?

Mostly, it’s an opportunity to be that “signal flare sent up.” It’s an opportunity to share exactly what we’re building, who we’re building it for, and why it matters. And it’s an opportunity to share the conviction that led Teddy and Michael to bootstrap a software company and why that conviction remains.

But there’s also a certain amount of disillusionment with the cybersecurity industry that fueled this article.

FUD (fear, uncertainty, doubt) is pervasive and peddled by practitioners and vendors alike. Cybersecurity is positioned as a mystical subject beyond the limits of comprehension, or prevention. Hell, the unofficial motto of the industry is “not if, but when.”

We don’t subscribe to this thinking.

Cyberattacks are rooted in logic, not magic. This is good news. It means the logic and processes used by even the best attackers can be broken down and understood.

This is why we have never been more optimistic about the prospect of genuine proactive cybersecurity.

This is why we built Shield.

This article is for security practitioners who are dedicated to keeping the bad guys out. We hope you share in our optimism by the end of this article. (It’s also for friends and family members who want to follow our journey; we’re grateful to have you in our corner.)

Problem Meet Solution

"Exposure extends beyond vulnerabilities. Even taking a risk-based vulnerability management (RBVM) approach might not be sufficient."

- Gartner, Implement a Continuous Threat Exposure Management Program

First, the good news.

The days of reactive-only cybersecurity are in the past. The last five years have seen a massive shift towards proactive security measures.

But the predominant strategy, vulnerability management, is ineffective.

Its disproportionate focus on Common Vulnerabilities and Exposures (CVEs) is the reason. This approach has significant shortcomings, each seemingly compounding on the last:

  1. Too many CVEs. Last year, 28,902 CVEs were published. That's over 79 per day. It's operationally infeasible to fix every known vulnerability. Nor should security teams want to, because:
  2. Most don't matter. The fact that the average score produced by the Common Vulnerability Scoring System (CVSS) was 7.12 (or considered "High" severity) is more of an indictment of an outdated and theoretical scoring system than proof of actual importance. Less than 25% of "High" or "Critical" vulnerabilities have ever had an exploit published against them! And:
  3. Exposure extends beyond CVEs. Whether it's social engineering, spear-phishing, a wireless Raspberry Pi from the parking lot, or one of the countless other methods employed by attackers, a CVE is not required for an attacker to exploit an organization.

Not to be confused, ineffective ≠ unimportant.

According to Gartner:

"The most successful protection approach combines preparation for unknown threats with a risk reduction strategy, emphasizing publicly known vulnerabilities and identified control gaps."

Patching exploitable vulnerabilities is critical to a strong security posture. However, the current tools lack the organizational context to help security teams distinguish the vulnerabilities that actually matter.

On top of that, attackers use other methods to access a network. In our experience across thousands of penetration tests over the last decade, it's more common than not to take over a network without touching a CVE.

A common misconception is that once an attacker gains initial access to an environment, it's game over.

In reality, they must move through the network to reach the critical assets they seek. This movement is made possible by the "control gaps" mentioned above. These security gaps, such as vulnerabilities, misconfigurations, and weak credentials, allow attackers to pivot and escalate toward their goals.

ELI5 analogy

Think of an escape room. Once you enter the room, there are steps to reach your goal. One clue leads to another. This is roughly analogous to what an attacker is doing in a network. But rather than escaping, they are working towards the critical assets in your network. Just as removing one key clue in an escape room can make it impossible to escape, removing one critical security gap can make it impossible to move any further in a network.
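The escape-room idea above, sketched as an added example (it is not code from Shield or from this article): a network is modelled as a graph whose edges are security gaps, and a choke point is any single gap whose removal cuts every path from the entry point to the critical asset. The asset names and gaps are constructed for illustration, and none of them is a CVE.

```python
from collections import deque

# Constructed sample environment: each edge is a security gap that lets an
# attacker move from one asset to the next. All names are hypothetical.
GAPS = [
    ("internet", "workstation-1", "phished user credentials"),
    ("internet", "vpn-gateway", "weak VPN password"),
    ("workstation-1", "file-server", "open share with stored passwords"),
    ("vpn-gateway", "file-server", "flat network, no segmentation"),
    ("file-server", "admin-jump-host", "reused local administrator password"),
    ("admin-jump-host", "domain-controller", "cached domain admin session"),
    ("workstation-1", "print-server", "default printer admin login"),
]


def reachable(edges, start, target):
    """Breadth-first search: can `target` be reached from `start`?"""
    adjacency = {}
    for src, dst, _ in edges:
        adjacency.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def choke_points(edges, entry, critical):
    """Gaps whose removal alone cuts every path from entry to critical."""
    if not reachable(edges, entry, critical):
        return []  # no attack path exists, so nothing to prioritize
    return [
        gap for gap in edges
        if not reachable([e for e in edges if e != gap], entry, critical)
    ]


if __name__ == "__main__":
    for src, dst, why in choke_points(GAPS, "internet", "domain-controller"):
        print(f"fix first: {src} -> {dst} ({why})")
```

Of the seven gaps, only two sit on every path to the domain controller; the two entry routes back each other up, and the print-server gap leads nowhere critical.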

Even if a perfect vulnerability management tool existed, with intelligent prioritization based on exploitability and criticality of assets, it still misses a considerable part of the picture, i.e., everything beyond initial access. Thus, it can never provide actual organizational context.

This is why, according to Gartner, "even taking a risk-based vulnerability management (RBVM) approach might not be sufficient."

To recap:

  • Step 1: patch the vulnerabilities that matter.
  • Step 2 (necessary because vulnerabilities are not the only access method): identify the security gaps and attack paths in your environment and remove the choke points leading to your critical assets.

This is precisely what Shield enables security providers to do.

Shield gives you 24/7 visibility into your network from an attacker's perspective. It correlates vulnerabilities and security gaps across all network assets to show how an attacker could penetrate your environment and reach your critical assets.

This near-omniscient visibility into the interconnectivity of your network allows for accurate, intelligent prioritization, enabling you to see and remove the most critical risks on your most critical assets.

Said simply, Shield distinguishes the critical few risks from the trivial many.

On the Origin of Shield

Shield was conceived some 30,000 feet above the Rockies.

In 2021, we were coming home from a successful client engagement with our penetration testing and technical security consulting firm. In this case, a successful client engagement meant we had taken over this client’s network.

“But our scans were clean.”

This was the response from the client during the project debrief a couple of hours before our flight home.

Over the years, we had noted significant gaps in vulnerability management solutions. For some reason, this simple response was the straw that broke the camel’s back.

The client was a large enterprise with a large cybersecurity budget. They were paying top dollar for what is considered, correctly, a best-in-class vulnerability management solution. And they felt like their security team was on top of things.

And they were right; their scans were clean.

There was nothing wrong with the tool they were using. In terms of meeting the specs of a vulnerability management tool, it was and continues to be one of the best in the market. And their team had done a noble job of getting through a mountain of remediation work.

Their problem was less apparent on the surface. And it’s because it’s the same problem that most high-performing security teams face, whether they know it or not.

It’s that vulnerability management as a primary preventative strategy doesn’t work.

(We took over their network without touching a CVE.)

Rather than feeling content with another successful engagement, this was our overwhelming feeling on the way home.

We were pen testers, not product people. We didn’t know the first thing about building a software product. But we knew that this was a problem worth solving, and it was one that we were uniquely qualified to solve.

Within the week, we found developers through our network and began building Shield 1.0.

Coming to the Channel

Shield 1.0 wasn’t initially called Shield 1.0.

In fact, it wasn’t called anything at all. It started as an additional service offered by our consulting firm for existing clients. It allowed us to instantly show the organization the different ways we could take over their network during a penetration test.

We refined the tool over 15 months and hundreds of simulated attacks performed by our team of 11 testers.

In March 2023, we decided to turn the tool into a standalone solution. Shield was officially born.

Despite our background in large enterprise and government, we felt a strong pull to build for M(S)SPs. We first realized this pull after conversations with M(S)SPs we had previously worked with who expressed a strong interest in Shield. After several offers to acquire the technology, we knew we were on the right track.

The following additional factors amplified the pull:

  • For practitioners by practitioners. Many existing cybersecurity tools in the channel are designed and built by product people or industry observers with no real security background. We wanted to create a security-first solution for security-first practitioners.
  • Favorable market conditions. It’s estimated that the global managed services market will more than double over the next 5-7 years, and more than 60% of organizations will rely on managed services by 2025. These market tailwinds and an attractive business model are welcome news for a bootstrapped company needing revenue to pursue our mission.
  • Our mission. The growth of the M(S)SP market is not only attractive from a business perspective but also the best opportunity for us to realize our mission to help the greatest number of organizations prevent cyberattacks before they happen.

This all looked great on a whiteboard. To put our assumptions to the test, we needed to put boots on the ground. The next major conference was the MSP Summit in May.

So, we did the only responsible thing and booked our trip to Vegas.

Arriving at the conference was like the first day at a new school. We arrived ignorant of the dynamics of the channel but eager to learn as much as possible. We left with a slight headache, minor dehydration, and reassurance that there was a culture fit in addition to the business and values fit.

The next three months consisted of more conferences and countless conversations with M(S)SPs and vendors in the space.

Our sole focus was to learn what we needed to do to evolve Shield 1.0 into the best possible product for the channel. With confidence in our direction, we brought on employee number four to lead our channel efforts. This meant one thing for a startup on the conference circuit: bunk beds (true story).

This period culminated in our official launch of Shield at CompTIA ChannelCon in August.

The response was overwhelmingly positive, with one influential name in the space remarking, “You guys are solving a real problem that no one else is solving for.” Add to that the fact that we were beyond the Steven Glansberg-phase at lunch, and there was no turning back.

Shortly after ChannelCon, we began onboarding our first partners, who have been instrumental in helping shape Shield specifically for the channel.

From August 2023 to January 2024, we built and refined. And built and refined.

The idea for Shield, coming to the channel, our soft launch at CompTIA, and onboarding our first partners were all significant milestones last year. They are meaningful chapters in our journey and we don’t take them for granted. But we know the real work begins now.

It’s time to start working towards making “not if, but when” a relic of the past.

Looking Ahead: A Reason for Optimism

This article was a masochistic exercise to make a single point.

That is, there are risks in an environment that matter, and “risks” in an environment that don’t. Most fall into the latter category.

Before Shield, the best proactive solution could provide security practitioners with clues.

Shield gives you the answers.

Sam Reed

Head of Growth @ Shield Cyber
