Security veteran Window Snyder has launched a new startup to tackle the growing and complex security issues of Internet-connected devices as they become more prevalent in organizations.
Snyder has spent more than 20 years helping some of tech's biggest firms build security into their products, with senior security roles at Mozilla, Apple, Fastly, Intel, Microsoft, and Square. Her new company, Thistle Technologies, aims to help the connected device market get up to speed by making it easier for manufacturers to securely deploy updates to their products.
"Software systems have gone through a lot of work to get to the place where they are right now, and I've had a front row seat for most of that … more than a front row – I'm actually in the trenches," says Snyder. But, she adds, "a lot of the work hasn't happened in the devices space."
For systems that face highly visible attacks, such as operating systems, more time and resources are allocated toward building resilience. As an example, Snyder points to some of the work she did on Windows to reduce the attack surface or make it more difficult for an attacker to exploit memory corruption flaws. Over time, this work has led to more robust security mechanisms.
In the connected device market, she sees a large attack surface and small security investment.
"There are so many devices out there that don't have any of these mechanisms in place," she explains. "Even for those that do have security mechanisms, not all of them are built to the kind of resilience that's appropriate for the threats they're up against."
It's a big problem with multiple causes. Some organizations have small engineering teams and few resources to build resilience into their products. Some have large teams but don't prioritize security because, for example, they operate in a closed manufacturing environment where the machines have no network access. Many connected devices stay in the field for long periods and delivering updates to them is hard, so manufacturers don't ship updates unless they have to.
"There's this combination of both security need and then additionally this requirement for an update mechanism that is reliable," Snyder continues.
Oftentimes manufacturers lack confidence in how updates are deployed and don't trust the mechanism will deliver medium- or high-severity security updates on a regular basis. As a result, the devices remain unpatched and exposed to attacks that could give intruders an easy gateway into a target environment.
Snyder plans to address this problem with Thistle Technologies, which this week announced $2.5 million in seed funding from True Ventures.
The company aims to make the update process easier and more reliable for manufacturers with an infrastructure they can use to deploy updates, so they don't have to build the technology to do it themselves. Snyder calls the update mechanism the "core security feature": With this in place, manufacturers have the ability to get back to a "known good state" if a device is compromised.
Snyder says Thistle will work much like a graphics library or a communications library: a manufacturer incorporates the library into the product it is building, and the library delivers the update functionality. She notes there are other mechanisms, lower in the system and on the back end, to manage update delivery and configurations.
While Thistle's technology can be used by any manufacturer, Snyder says she's now focused on those with well-understood and recognized high-security devices. This might include point-of-sale devices, ATMs, or automotive devices, as well as devices in highly regulated industries like medicine and aviation. The people most motivated to get up to speed have customers who are worried about security, she adds, and they want a mechanism that can be easily integrated.
Learning, Building, and Growing
With the seed round secured, Snyder says the company is now staffing up and building its engineering organization. It's also working with developer partners to ensure the technology Thistle is building will meet their needs, as well as the restrictions they're operating against.
Understanding developers' needs, and the factors beyond security risk that developers face, is helpful, she explains. Thistle wants to understand and address the needs of multiple businesses across industries, and knowing how they think can help inform a product they'll actually use.
"I see that, in general, throughout my entire career, that a perfect security solution is useless if the business won't deploy it," Snyder continues. "You never actually get to deliver that perfect security solution … security is always kind of at odds with performance or your schedule for shipping a product," along with other factors like space and cost, she adds.
As Thistle develops its technology, the need to secure a wealth of connected devices continues to grow. It's often difficult for CISOs to evaluate a product's security before they buy it, she notes, and not every business has the resources to reverse-engineer devices and test the security themselves. CISOs often have to send out a questionnaire to the device manufacturer, which gives few answers – for example, the kind of encryption used but not its implementation.
"I think getting to a place where they can talk about, 'This is the type of mechanism we're using for security; this is the way we're storing our credentials; this is the way we are providing resilience in our implementation,'" can help CISOs understand whether to procure a device, she says. Without proper answers to these questions, each additional device simply adds to the attack surface.
As she continues to build Thistle, Snyder says a critical consideration is giving employees an environment they like to work in – a lesson learned in her years as a security leader. It's tough to secure an organization when the security team is consistently operating at high capacity, has to step up following an attack, and then goes back to operating above a sustainable rate.
"One of the things that I have taken from my years in leadership is making sure that we sign up for what we can deliver in a reasonable workweek – that folks have an appropriate amount of work-life balance," she says.
Why the name Thistle? A thistle is a flowering plant with a built-in defense mechanism that wards off herbivores that might otherwise snack on it. The idea of this "organic defense mechanism" relates to Snyder's vision for the company and the technologies she's building.
"I feel like the problem that we're up against is enormous, and it really does take something like the tenacity of a weed to attempt to try and make a significant difference here," she says.