Cybersecurity’s Hidden Network Effect

The Power of Collective (threat) Intelligence

Welcome to issue #15 of Indiscrete Musings

I write about the world of Cloud Computing and Venture Capital and will most likely fall off the path from time to time. You can expect a bi-weekly to monthly update on specific sectors with Cloud Computing or uncuffed thoughts on the somewhat opaque world that is Venture Capital. I’ll be mostly wrong and sometimes right. Views my own.

Please feel free to subscribe, forward, and share. For more random musings, follow @MrRazzi17

---

I’ve been wrestling with this idea of how security companies move away from being a traditional point solution in the value chain to actually becoming the platform security company that we all celebrate – absent dumb luck. Borrowing from other business models and looking at formative companies of our time such as Twitter (X), Amazon, Meta, Uber, Salesforce, and Tesla, all of them are different in many ways, yet the single property that defines them and perhaps is a significant variable of their success is: Network effects.

Principally, network effects are based on the notion that when more consumers or users use a product or service, the marginal value of the product increases. What has best defined network effects for technology in the last decade is social networking platforms; the unit of value increases with more users (e.g., likes, shares, comments). Classically, there are two types of network effects: One-sided and two-sided. One-sided network effects relate to the growth of a single group of users on the platform (e.g., WhatsApp), while two-sided benefit from the development of two groups, classically known as marketplace business (e.g., Uber, Airbnb). 

What is commonly known is that these business models are highly sticky and often very hard to supplant, yet they can also be immensely hard to scale, especially with two-sided network effects. I’ve asked myself, as you penetrate one side of the marketplace—let’s say servicing and adding customers—is the marginal utility going up for the product? This concept holds for security companies, for whom more traffic coverage is the ultimate network effect. The overall unit of value delivered to the customer increases with every additional customer added to the platform – I’ll take a quick look at how Cloudflare and Crowdstrike apply this, so it’s beyond the realm of just theory.

Crowdstrike’s Network Effect:

Crowdstrike wrote an interesting blog post a couple of years back about their respective network effects, which gets to the crux of this post. With each incremental customer added to the platform and network, their Security Cloud is able to gather data from six trillion-plus events a week. As a result, with each new customer, the strength of their armor for protection only increases, and the marginal utility gets better for every customer through the addition of new ones. From Crowdstrike’s blog post:

Part of the secret sauce of security is visibility. It is often said that organizations cannot protect what they cannot see. Nowhere is this more true than in the hybrid environments of the modern enterprise. Between the dynamic nature of the cloud and the sheer amount of data, applications and on-premises systems that need to be protected, maintaining visibility is a significant challenge for modern enterprises. Every day, virtual machines are spun up and down, short-lived containers are used and terminated, and new users and devices are provisioned and deprovisioned. While all of this is happening, attackers are looking for any possible holes they can find to penetrate corporate networks. Sometimes that involves malware, other times it may include the abuse of compromised credentials or a particular software configuration. In any case, recognizing patterns in behavior can help identify all the links in the attack chain and speed both incident response and remediation. 

Imagine each endpoint, container, and cloud workload as nodes in a vast web of data exchange, constantly feeding information into the collective intelligence of security systems. The more nodes added to their network, the richer the tapestry of insights becomes, creating a virtuous cycle where each new data point enhances the collective defense. It's here that the network effect comes into play, as each piece of data ingested fuels the engines of analysis, empowering security solutions to extract meaningful patterns and anomalies in real time. Even in their S-1, they discuss the power of building a network effect:

From the beginning, our strategy was focused on collecting data at scale, centrally storing such data in a singular model, and training our algorithms on these vast amounts of high fidelity data, which we believe is a fundamental differentiator from our competitors. Our cloud-scale AI means that the more data that is fed into our Falcon platform, the more intelligent Threat Graph becomes and the more our customers benefit, creating a powerful network effect that increases the overall value we provide. AI is revolutionizing many technology fields, including security solutions. To be truly effective, algorithms that enable AI depend on the quality and volume of data that trains them and the selection of the right differentiating features from that data. Our proprietary algorithms in Threat Graph identify events that may or may not be directly related, but together could indicate a threat that could otherwise remain undetected. Our cloud-scale algorithms make over 91 million indicators of attack decisions per minute. We are uniquely effective because we have more high fidelity data to train our AI models and more security expertise to guide our feature selection—all resulting in industry-leading efficacy and low false positives. Our rich set of continuously collected high fidelity endpoint data feeding our algorithms also enables us to use an active learning approach, where the models are continuously updated to fill in gaps identified in initial models and their performance is validated with this data prior to production use.¹

Cloudflare’s Network Effect: 

Biased, of course, but I can’t help but think of my former employer, Cloudflare, unlocking this concept early on. From the S-1: 

We have built a global cloud platform that delivers a broad range of network services to businesses of all sizes and in all geographies—making them more secure, enhancing the performance of their business-critical applications, and eliminating the cost and complexity of managing individual network hardware. Our platform serves as a scalable, easy-to-use, unified control plane to deliver security, performance, and reliability across on-premise, hybrid, cloud, and software-as-a-service (SaaS) applications. Today, approximately 10% of the Fortune 1,000 are paying Cloudflare customers. Additionally, across the broader Internet, approximately 10% of the top million, 17% of the top 100,000, and 18% of the top 10,000 websites use at least one product on our platform on a paid or free basis.

We started by building an efficient, scalable network. This network forms the foundation of our platform on which we can rapidly develop and deploy our products for our customers. Together, the development of our network and products create the interconnected flywheels that drive our business and have allowed us to achieve our market position.

Network Flywheel: We have created a network architecture that is flexible, scalable, and becomes more efficient as it expands.

Product Flywheel: We have leveraged this network to deploy products that are easy to use, continuously improved, and can be delivered without adding significant incremental cost².

In the case of Cloudflare, the network flywheel is equally impressive as the product flywheel; by owning the networking (ISPS/Bandwidth), you’re able to not only increase the marginal utility of the product by adding new customers each day but also simultaneously reduce the marginal cost with each customer – Cloudflare perhaps N^1 in its representation of being an actual two-sided marketplace for security (driving costs down while serving customers). A bit more of the S-1:

We began with the idea of serving the broadest possible market. To do this, we made our products easy to use and affordable and were able to provide our entry-level plan for free in part because of the cost advantage of our network. We leverage the resulting customer scale and diversity to continuously make our products better. Our machine learning systems improve our products with every customer’s request, optimizing our security, performance, and reliability globally. The over 20 million Internet properties (e.g., domains, websites, application programming interfaces, and mobile applications) that use our platform comprise a global sensor network, which functions like an immune system for the Internet—routing around congestion, optimizing for traffic conditions, and using data on cyber attacks against any one of our customers to better protect them all. We leverage these insights to block cyber threats every day, which in the three months ended June 30, 2019 averaged approximately 44 billion per day.

Feedback from our diverse, global customer base helps us expand into new, adjacent product areas. Since our customers’ traffic is already passing through our network, our serverless architecture means we can add products on our platform to solve new network challenges without significantly increasing our incremental costs. This allows us to provide new products at competitive prices and further expand the overall market.

In practice, the value proposition to the customer only increases, not in part due to the platforming approach of products but the additional marginal value you get by sharing the network. I’ll posit that as a customer, you would rather be in the most extensive security network than the second or third largest. Further, you would prefer a vendor that has a more comprehensive network, which, as an added benefit (utility), comes with the shared learnings of hundreds of other customers.

Applying this to early-stage cybersecurity companies, it’s a no-brainer to add as many customers as possible. Still, I’d reason to think of creative ways to unlock a vast amount of footprint as quickly as possible. In Cloudflare’s case, making the service free to use, primarily as a reverse DNS provider / CDN, gave the company insight into large chunks of the internet faster than most of its peers. This also may apply to Wiz’s success, which is remarkable in its feat. Still, perhaps they built a world-class GTM team earlier than most and executed faster than most, and in time, built one of the most innovative / largest cloud security networks in the world. Find your edge, inspect (traffic) as much as you can, and build the Network Effect.

1

https://www.sec.gov/Archives/edgar/data/1535527/000104746919003095/a2238800zs-1.htm

2

https://www.sec.gov/Archives/edgar/data/1477333/000119312519222176/d735023ds1.htm

Comments

[Morgan Livermore]

Love this perspective!