I see that and I see a bad security posture, and the responsibility passed up chain and even harder to answer the same questions about oneleet. Will they secure your gsuite email I assume you’re using? Will they respond to phishing attacks at you? Will they prevent SMS 2FA? Will they get you into SSO? Is a password manager in place? Are y’all using personal laptops still? Segregated logins? Will they tell you not to share publicly as a VC-backed startup about who is doing your infrasec and by a pretty clear implication what your infra likely looks like?
How to not turn you into me hacked is a balance of the prod/infrasec (like the company you linked), and bread and butter enterprise sec, which only comes from in house. So, in house team, or at least a 1x hire, such that there is at least a more than vague indicator that someone in house there day to day knows how to do security, or it doesn’t matter from a vendor risk point of views.
The list of vendors that have passed audits with complaint environments and gotten hacked is very long.
A way to handle this pragmatically is give board advisory shares to a person who straddles the following abilities (and listen to them), until you have enough funds to hire a sec eng:
- is technical enough to know what needs to get done and why
- has enough startup sec experience to know what pragmatic advice is in light of tight funding for startups
If you’re YC-backed this should be easy to source.
Why this thread matters and I’ll close it is dev-speak (“awesome, delightful, obsessed”) doesn’t matter at all for selling to a sec team, which is who is going to pay and vet this. That language just tells me it’s going to be a slog through VC sales-speak to answer the concerns I listed. It’s all about the above I mentioned, plus the tech setup which I think you have done with the right mindset (just plug into everything, parse it, ship it to the usual sources. Don’t try to reinvent Jira or Slack please).
The other reason you have to think about this is what market SOARs sell into. They aren’t needed until a lot of other due diligence is done - EDR deployments, enterprise sec, email sec, etc etc. So, that’s a decently established company, and if they’re paying for SOAR, it means they are either the lucky program with healthy budget support, or have a threat environment just justifying it all. A lot of places just get a bad MSSP and call it a day. So, if you are a company justifying SOAR (bc of implied budget and program maturity), you deal with threat actors who know their stuff well enough. And, as a fair number of exploits indicate this part 2-3 years, they know to evaluate SaaS vendors as the way in. Looking at the stack, they could try Okta, CrowdStike, MSFT, GSuite and all the difficulty there… or the two data engineers and their startup. Gotta take it seriously, a lot of sec is abstract risk but this is happening in the wild now.
dogman144|1 year ago
How to not turn you into me hacked is a balance of the prod/infrasec (like the company you linked), and bread and butter enterprise sec, which only comes from in house. So, in house team, or at least a 1x hire, such that there is at least a more than vague indicator that someone in house there day to day knows how to do security, or it doesn’t matter from a vendor risk point of views.
The list of vendors that have passed audits with complaint environments and gotten hacked is very long.
dogman144|1 year ago
- is technical enough to know what needs to get done and why
- has enough startup sec experience to know what pragmatic advice is in light of tight funding for startups
If you’re YC-backed this should be easy to source.
Why this thread matters and I’ll close it is dev-speak (“awesome, delightful, obsessed”) doesn’t matter at all for selling to a sec team, which is who is going to pay and vet this. That language just tells me it’s going to be a slog through VC sales-speak to answer the concerns I listed. It’s all about the above I mentioned, plus the tech setup which I think you have done with the right mindset (just plug into everything, parse it, ship it to the usual sources. Don’t try to reinvent Jira or Slack please).
The other reason you have to think about this is what market SOARs sell into. They aren’t needed until a lot of other due diligence is done - EDR deployments, enterprise sec, email sec, etc etc. So, that’s a decently established company, and if they’re paying for SOAR, it means they are either the lucky program with healthy budget support, or have a threat environment just justifying it all. A lot of places just get a bad MSSP and call it a day. So, if you are a company justifying SOAR (bc of implied budget and program maturity), you deal with threat actors who know their stuff well enough. And, as a fair number of exploits indicate this part 2-3 years, they know to evaluate SaaS vendors as the way in. Looking at the stack, they could try Okta, CrowdStike, MSFT, GSuite and all the difficulty there… or the two data engineers and their startup. Gotta take it seriously, a lot of sec is abstract risk but this is happening in the wild now.