Laying Off Five Security Staffers, Patreon Disputes Reports It's Their Entire Security Team (gizmodo.com)
Patreon has confirmed it laid off five of its security team employees, TechCrunch reports, "but declined to answer our questions, or say how many employees it had on the security team prior to the layoffs."
But while a former senior security engineer posted on LinkedIn that "I and the rest of the Patreon Security Team are no longer with the company," Patreon's U.S. policy head, Ellen Satterwhite, told Gizmodo that "a majority of our engineers working on security and vendors remain in place." "As part of a strategic shift of a portion of our security program, we have parted ways with five employees," said Patreon in an emailed statement attributed to the company's U.S. policy head, Ellen Satterwhite.... In response to further questions, Satterwhite also said "the entire internal Patreon security team was not laid off. As a matter of policy, we can't share the exact number of Patreon employees working on security, but can confirm a majority of Patreon's internal engineers working on security remain in place...."
Satterwhite noted that "we also partner with a number of external organizations to continuously develop our security capabilities and conduct regular security assessments." The reference to "external organizations" seemingly suggests that the company has outsourced much of its security operations.
"As a global platform, we will always prioritize the security of our creators' and customers' data," wrote Satterwhite. "The changes made this week will have no impact on our ability to continue providing a secure and safe platform for our creators and patrons."
Re:A steaming heap of corporate-ese... (Score:4, Insightful)
If you know how to read corporate-ese, you can see that the PR statement doesn't contradict the fired security engineer.
The security engineer says the entire security team was terminated.
The PR statement says the majority of engineers working on "security and vendors" remain in place. That is obvious weasel-wording. There is no reason to include "vendors" unless the statement would have otherwise been untrue. Ergo, most, perhaps all, of the security engineers are gone.
Fully expected (Score:5, Interesting)
That's why I decided to take a step back in my career and went from working in cybersecurity to being a dev in cyber. Most security stuff is getting so heavily automated these days, and the cost of maintaining highly skilled staff is so high, that everyone outsources it or goes for off-the-shelf security products... which I now help write.
For anything regulatory, or otherwise requiring an external audit, you have one-off pentesting contractors.
Re:Fully expected (Score:5, Insightful)
I predict this will be a time-limited trend. Off-the-shelf still cannot cut it in most commercial set-ups (and that will continue until technology finally stabilizes, i.e. in 50 years or more), and unless you have your own experts, you will never know what it can and cannot do, as vendors like to inflate their claims and like to hide shortcomings and defects. Also, what do you do when you get attacked and you cannot get consulting on short notice? Pay through your nose for somebody second-rate that does not know your systems to clean them up? And how do you do realistic BCM and DR tests?
Not having your own security people is really not smart. Yes, they cost money. Not having them costs a lot more, but it takes a while for that to become obvious.
As to Patreon, my guess is that was their full team and they only retained some partial experts or non-experts that actually have other responsibilities. Sounds like a classical "save a penny, lose a million" move to me. Quite like the people that sack their system administrators because "everything works".
Managed detection and response (Score:2)
Re:Managed detection and response (Score:5, Insightful)
Add that we now have had some major disasters where the customers got hacked because the service provider screwed up and went cheap, and the picture does not look nearly as good.
As usual, the service providers overstate the quality and reliability of their services. What else is new. It is exactly for that reason that you need your own people and independent review in addition.
Re: (Score:2)
As usual, the service providers overstate the quality and reliability of their services.
Private Equities' "portfolio" companies subcontracting to other Private Equity "portfolio" companies, who in turn subcontract...
It's Private Equities all the way down.
Re: (Score:2)
"managed detection and response" funny how often it is the "God Access" of the outsource vendors operations that provide the entry point for the security policy failure.
Which means they served their purpose: they gave someone for the company to blame that isn't themselves.
This is exactly the same as the general moving of all services to various cloud hosts. Why run your own servers when you can rent space on Amazon's? Why do your own security when you can pass the buck to someone else?
You have to remember, that as far as business is concerned, having someone to blame for security failures is much more valuable than having real security. If you take on security yourself, do
the code passed the security check so we are not (Score:2)
The code passed the security check, so we are not at fault when someone hacked our system due to a security bug.
You need to sue the code security checking service provider.
Re: (Score:3)
Well, no. You can outsource a lot of things in the security space, but you _still_ need your own experts or it is not going to work. Sure, you do not need a full team. But, for example, DR/BCM tests are something you need to plan together with your service provider and _you_ need to evaluate the result and define what needs to be fixed. Your service provider does not understand your business enough and has an unfortunately high motivation to gloss over problems. Or you can outsource your SOC. You still need
Re: (Score:2)
Where I work we're integrating physical token authentication into basically everything. Including things that most companies don't use token authentication for and most software and even hardware won't even support. So, we're coming up with our own ways of making it happen. If we outsourced that then we'd be permanently married to that vendor, in addition to paying them more than what we'd pay our own staff just so they can box it up and resell it anyways.
At a previous company I worked at, we paid half a mi
Re: Fully expected (Score:2)
Off-the-shelf can still not cut it in most commercial set-ups
That depends on how flexible the off-the-shelf solution is. The flip side of this is: the more flexible it is, the more need you will have for developers*. On the other hand, I have seen company execs mandate an off-the-shelf solution and invite the solution vendors' analysts in to re-engineer company processes to fit the product. If you have no core processes with strategic advantages over your competition, I suppose this could work. But then why is anyone buying your product instead of your competition's? O
Re: (Score:3)
More security and systems admins, not "developers". Most developers these days do not even know the basics of networking and have no clue about IT security. But you are correct: The more flexible the packaged solution, the more understanding of the local situation the configuration needs for it to be effective. There is nothing free. Something that works in a complex environment always needs to be selected, installed and configured with real understanding of the target situation and the threat landscape or
Re: (Score:2)
I personally can't fathom how somebody would do that. I started out as a network engineer, then moved to security, then learned software development in order to complement it. I've seen people here on Slashdot who talk like they're expert software developers, but when they actually start talking technical stuff it doesn't take long before they reveal that they're nothing more than an automation drone.
Re: (Score:2)
Well, yes. I also have done real hands-on work in networking, network security, software development and software security, etc., and I run my own Email, Web and DNS servers just to have a real understanding of how things work. I find that to really understand IT security, you need the full picture. But the dirty secret is that many IT security experts do not have development experience at all. Or system administration experience. Or can configure servers. Or understand how firewalls really work. And so on.
Re: (Score:1)
...the cost of maintaining highly skilled staff is so high, that everyone outsources it or goes for off-the-shelf security products... which I now help write.
You say that as if outsourcing security, comes cheaply these days. The only real advantage is companies have the ability to point a finger at someone/something else to blame for going with the "mil-spec" (read: lowest-cost) option.
There is a reason you are flourishing. At least until it's your product that gets hacked and then removed from the corporate shelf. SolarWinds stock fell 40% after SUNBURST; they have tried (and failed) to block a class-action lawsuit, and today are still worth less than half of
Re: (Score:1)
Devil's Advocate:
Security has no ROI, so a business is failing in its fiduciary duties to shareholders to do any more than the minimum. Since there are no consequences in getting breached, why bother?
As a full stack dev, if I don't make my deliverables, I get fired. If my code causes a major breach, there are so many layers of company insulation between myself and that... that I'll not see any bad side. So, I don't care if my code runs as root, my install script turns off SELinux and UFW. All that matte
The Future of InfoSec and Scapegoats. (Score:4)
First we read about Twitter, where Peter "Mudge" Zatko tried to raise legitimate security concerns and was silenced in a rather permanent way. Now we read about yet another major corporation canning its internal security staff in favor of "external organizations" (read: people we can manipulate) to conduct security audits.
Why do I have a feeling that yet another attack against InfoSec professionals simply trying to do their damn job (which may have included identifying incompetence within management) has occurred here?
More to the point, what exactly do you tell the aspiring or seasoned InfoSec security professional looking to join a US corporation and earn that fat paycheck? Keep your head down? Try not to do your job too well? Good luck not becoming the company scapegoat when the cyberattack happens?
Certain aspects of business can more afford the standard fuckery of politics to infect it. Security isn't one of those areas, and yet ignorant/incompetent CxOs continue to assume it is, simply because they maintain the (corrupt) power to fire anyone threatening to expose obvious security problems usually caused by incompetence or greed. It's pathetic and needs to stop.
just say "all of them" (Score:4, Insightful)
Just say "all of our employees" and then everyone will think you're doing it right.
Re: (Score:2)
Just say "all of our employees" and then everyone will think you're doing it right.
"Security is everyone's responsibility". Also see "QA is everyone's responsibility"
Devs, QA, PMs, DevOps, Support, Sysadmins, Management should all know/train on security. But they will (likely) not be experts. Add to the fact that attackers keep coming up with new techniques (that they're trying to keep hidden) means it's hard to keep up defense techniques. "The questions are the same, the answers are different"
Security should be part of the design before you even start coding. Having expert input is
Not surprised, given my interview with them... (Score:4, Interesting)
I interviewed for a DBA position; they had one half-time DBA who was picked for the role because he knew the most about MySQL. All the technical questions were softballs given my experience. They declined to make me an offer, even though they had no DBAs on staff. They outsourced any technical stuff to a third party. At the end, it was clear they (the team who did the interviewing) were actually seeking a Google Cloud SRE and not a MySQL DBA.
The overall impression is that they did not have a strong technical leadership and the company at-willed entire groups arbitrarily and regularly (they fired entire groups of staff at a time without any real plan). I'm glad that the interview process didn't proceed, because I got a better offer at my next interview at a company that's way more stable and much more mature.
Patreon's pitch was that they wanted to build a walled garden for creators to keep content in, so they would stop uploading videos to Youtube and relying on other media companies to house the content which was exclusively for Patreon subscribers.
Re: (Score:2)
Patreon's pitch was that they wanted to build a walled garden for creators to keep content in, so they would stop uploading videos to Youtube and relying on other media companies to house the content which was exclusively for Patreon subscribers.
If Patreon does not prevent people from downloading content and re-posting it anywhere else on the internet, or if they freely encourage it with "Download" links, then that "walled" garden is more like a picket-fenced garden with an old rusty latch.
it's 6 (Score:2)
we can't share the exact number of Patreon employees working on security, but can confirm a majority of Patreon's internal engineers working on security remain in place....
keyword is majority: 5 gone, so there are 6 left
QED :)
Say you laid off the whole team without saying you (Score:1)
The first question to ask is... (Score:2)
The first question to ask when you read something like this is, how big is the company, how many employees do they have?
For Patreon, the answer is 400.
So, yea, it's a fair assumption that this is their entire security team. Their statement is pretty transparent too. "Engineers working on security" most likely refers to people who are developing code who are technically "working on security" but who are not, in fact, security engineers.
You can't fill those gaps with MSSPs either.