Exploring the idea of a “layer zero” - why it matters, what makes it powerful, and how security startups can strategically position themselves around it.
Much to commend this piece. In automotive, one ongoing "bugbear" is the CAN bus core (layer zero), largely unchanged since c. 1976! It means all the fancy "stuff" layered on top via various products and solutions is largely misdirected. Hence the ongoing "relay attack" and close variants, hence weak cyber-sec assurance despite UN type-approval regs; hence, until a new CAN bus standard is agreed upon and embedded at the heart of EVs and SUVs, you can literally "drive a bleedin' horse 'n cart" through the whole lot. Not helped by infotainment being connected via CAN bus to the brakes in some vehicles! We await the possible emergence of a new CAN bus c. 2027...
TIM {ex-HONDA cyber & relay attack lead, R&D UK}
Nice article as always. Another disadvantage is that most companies are multi-browser, multi-cloud, multi-OS, multi-everything, so the layer zero fails at providing a single pane of glass, and an abstraction layer is required to decrease managerial overhead.
There absolutely are people who have defined and are defining the concept of layer zero in security. I know one of them personally.
I'd love to read about how they do it - mind sharing any links to posts/articles/talks?
Right now they are in stealth mode. But I will absolutely share with you as soon as they emerge to the public. I can assure you that after 30+ years in high technology, this is some pretty mind blowing stuff.
There’s value if you're building visibility, control, or integrity at that foundational level. Just don’t wrap it in slogans. Wrap it in adversarial thinking.
Great piece as usual Ross - am a huge fan of your work. We should connect - you need to add StrongDM to this piece :)
Thanks Karim, appreciate it!
Yeah, need to add StrongDM and just about 6,000 more logos - no pressure haha
Ross - huge fan of your writing! I was actually working on a deck to use for an intro to security where I started with a picture I called "core IT infrastructure" which is actually your layer zero. I then built on it to show how each major architectural component - like the network - inevitably spawned third party security products. I was trying to paint a picture of how we ended up with 4,000+ security companies, but eventually dropped the approach because I was told my audience found it confusing. You did a much better job. I do have a couple of observations that may be obvious, or not...
1) A new "Layer Zero" always creates an explosion of new security companies. Sometimes this happens quickly as with cloud, sometimes slowly as a Layer Zero "emerges" as with the browser or identity as perimeter.
2) There is at least a philosophical argument that if Layer Zeros were better architected, we would not need so much add-on security. Go back to the very beginning (Cuckoo's Egg timeframe) and much of layer zero did not even have access control. Software is still a layer zero, and much of it is still not built well and needs security add-ons.
3) The evolution of security add-ons to layer zero follows a predictable pattern. First comes posture management. Though the term has changed, I would call early vulnerability scanners posture management for the network. After posture management comes threat detection (so after we had scanners for the network we had intrusion detection). We see this playing out in cloud with the evolution from posture management to runtime threat detection.
I would add that posture management is usually what is dictated by compliance frameworks, and so the pattern is:
a) build a complex thing to perform some business function
b) figure out that if the thing is not configured correctly it is vulnerable
c) build a tool to monitor configuration
d) mandate a specific configuration and tools to report on the configuration
4) I would think about the SOC a little differently than you do. All security SW fits in one of three(?) categories (gross simplification). It either a) makes layer zero much more secure (Z-Scaler), b) monitors and detects misconfigurations or threats in layer zero and produces alerts, or c) provides tools to manage the vulnerabilities and threats generated by the category b tools (SIEM, TIPs, SOAR, etc.).
5) Maybe this is obvious, but Layer 0 is where the business process/data lives, and it is what adversaries are attacking. So it is also the ultimate target for pen testing/red teaming. Pen testing and malicious attacks start with a "naked" Layer 0; then all the layers on top of Layer Zero are built to protect it from attack.
6) I would argue that major SaaS platforms are a separate class of Layer 0
Thanks again for such thought provoking writing.
Thanks a lot, Bill, I rarely nod in agreement while reading comments but this is one of those. Interesting perspective on SOC, I see it as an "operational" tool but I think we're not far away from one another.
I spent some time thinking about SaaS as well. I agree, but with the caveat that it's a messy and distributed layer with no uniformity and a lot of pain if you choose to build a company around it.
I really appreciate your thoughts, Bill! I'd love to see the deck you ended up putting together - I feel like we'd agree on too many things :)