How my product could have prevented Adobe from being hacked

One of my podcast listeners forwarded me an interesting article from Adobe Software about how they had been hacked. It turns out that Adobe had a build server in their environment which had been compromised. This build server had apparently not followed their corporate standards for security, so when this server was deployed it was vulnerable to attack.

As a build server, it naturally had access to their certificate signing system so that code being built could be digitally signed as a signal to the end users that Adobe signed off on the executables that it came from them. Once the hackers had access to the build server, they started sending it other executables to be signed with Adobe’s certificate. Then these digitally signed executables (in the form of utilities that would dump the password files of the OS and then email them) were being emailed to people who rightfully assumed that Adobe had a hand in building them.

The sad part is that what happened could have been prevented. Corporate security standards for large companies are in place for a reason. As someone who thrives a LOT in small companies, I get it. Process sucks. It gets in the way of doing things that are meaningful. As your company gets larger, the impact that hackers can have on your business is compounded.

It’s not hard to imagine that this kind of thing can happen at a company that doesn’t have the resources to spare. But what I don’t understand is how this could happen at a company like Adobe which clearly does have the resources. You would think that they would have processes and systems in place which continually monitor their servers for non-compliance to the corporate security standards. After all, they obviously had a corporate standard and they admitted that it wasn’t followed in the article they posted. And system misconfigurations are one of the most likely ways that computers are hacked into.

Why don’t they perform follow up checks on their servers while they’re deployed to make sure that these standards are STILL being followed after they’ve deployed the server into production? It seems like a short cut that shouldn’t have been taken, but they did it anyway. Here’s why.

The answer is both simple and complex at the same time but it largely boils down to the fact that it’s not economical to continually monitor your servers unless you have to. When you are auditing your servers on a regular basis, you can find out when the standard isn’t being followed. But it’s a bit of a challenge to find software that is actually going to do that for you at a price point that is reasonable. This kind of software can easily run $1,000/server and the software tends to be very complicated. To implement it, you need to bring in professional services at $10k/week for no less than 4 weeks just to get it installed and minimally configured. That doesn’t include the cost of the software or hardware that you need to run it.

An Economics Lesson in Configuration Management Security

Let’s start with the services at $40k. You can’t get around this because it’s a fixed cost. Whether you have 25 servers or 2500, it doesn’t matter because the base time to set things up is about the same. Tack on $5k for the cost of the hardware, another $5k for the cost of Windows, SQL Server, and support software. Now add the $50k in auditing software to cover 100 servers. (MSRP is typically 2x the actual cost in the Enterprise space). That’s $100k to audit 100 servers on a regular basis. I’m not about to guess how many servers Adobe has, but I’m betting it’s a lot more than 100.

I take that back. I will guess. In 2012, they had 11,144 employees. Most companies have around 1 server per 25 employees. If we ballpark guess to say there’s 1 server per 25 employees, then they have around 445 servers. As a software development shop which relies a lot on software and technology to run the business, I’d guess we could double that number, add a bit, and we’d still be in the right ballpark. So you’re talking 1,000 servers and compliance software would run you about $500k for just the software licenses, never mind the additional infrastructure, and the full-time team needed to head up that effort.

Is it any wonder why they skipped out on regular auditing and only perform an audit when the servers are built? No, I guess not. But to me, this represents a big business opportunity.

The product I’ve been working on for the past couple years named AuditShark is nearly ready to launch and solves this exact problem.

What makes AuditShark different than other audit & compliance security products?

First, installation is incredibly simple. Just install the agent on each machine. As a SaaS application, there’s no console to install, so you don’t have to mess with hardware, OS, or database licenses. And since the product is primarily an agent that resides on each machine, you don’t need to acquire software licenses for all that other stuff.

Immediately, I’m addressing the $40k in professional services to get up and running, as well as the $10k in hardware, OS, and database licenses.

Next, is the cost of the software, which is completely an apples to oranges comparison. Most of this type of software is sold in downloadable form and the customer is responsible for implementing it in their environment. AuditShark is a SaaS based application, so you pay for it by the month on a given pricing plan. The most common method of charging for downloadable software turned SaaS is to divide the price by 12 to get a monthly cost. This comes out to a little over $40/month per server.

I’m charging slightly less than that on entry level customers, and large customers end up seeing a volume discount which cuts that amount in half on a per-server basis. It’s obvious that on the basis of price alone, AuditShark crushes any of the available competition. They just can’t compete on price.

But pricing advantages alone don’t make or break a product. The fact is that marketing trumps just about everything else, be it price, quality, features, support, speed, or anything else. When you win the marketing war, you can say anything you want and that perception becomes reality. Whether it’s true or not is immaterial. You need to win the marketing war.

And that’s where I stand today with AuditShark: in the middle of a marketing war.

Have a suggestion for me? Feel free to leave it in the comments and we’ll chat.