Keynote for AGC's annual security conference / meat market in San Francisco ahead of the RSA Conference, February 2017. "This is your industry I will not let inside me - NO I steered clear, long (and hard) ago I wiped the slate clean As the whistle I hear Downtown - noon Within a visible distance It's with invisible distance" -- Universal Order of Armageddon, Baltimore, 1996 https://www.youtube.com/watch?v=yfi9dtZj6Y8

1. Disrupting
Security
Dug Song, CEO
duo.com

2. Disrupting
Security
Dug Song, CEO
duo.com

3. Disruptive Innovation
An innovation that creates a new market
by providing a different set of values,
which ultimately (and unexpectedly)
overtakes an existing market

4. w00w00: Disrupting Industries Since 1999

5. w00w00: Disrupting Industries Since 1999

6. w00w00: Disrupting Industries Since 1999

7. w00w00: Disrupting Industries Since 1999

8. w00w00: Disrupting Industries Since 1999

9. Best-In-Class SaaS Growth
$15M
$30M
$45M
$60M
Q 1 Q 2 Q 3 Q 4 Q 5 Q 6 Q 7 Q 8 Q 9 Q 10 Q 11 Q 12 Q 13 Q 14 Q 15 Q 16 Q 17 Q 18 Q 19 Q 20

10. Best-In-Class SaaS Efficiency
$150M
$300M
$450M
$600M
$60M
$87M$90M$96M$99M
$119M
$143M
$177M
$347M
$559M
$49M
Median

11. 1. Threats
2. Architecture
3. Market

12. 1. Threats
2. Architecture
3. Market

15. A Portrait Of The Hacker As A Young Man (ca. 1999)
Break Build
Authentication
dsniff,
Kerberos v4
OpenSSH,
RPCSEC_GSS (NFSv4)
Firewalls
Cisco PIX,
Check Point FW-1
pf (OpenBSD)
VPN Check Point FW-1
OpenBSD IPSEC,
dsocks
IDS / IPS Sourcefire, ISS, etc.
Anzen/NFR (Check Point),
Arbor Networks

18. “A lot of people think that nation-
states are running on zero-days, but
there are so many more vectors that
are easier, productive, and less risky.”
Rob Joyce, NSA TAO, Jan 2016

19. “In the world of advanced persistent
threat actors, credentials are king for
gaining access to systems.”
Rob Joyce, NSA TAO, Jan 2016

20. “Better-defended networks require
specific methods for accessing
resources, monitoring credential use,
looking for anomalous behavior, and
two-factor authentication.”
Rob Joyce, NSA TAO, Jan 2016

21. 95% OF BREACHES
involve stolen credentials
— Verizon 2015 Data Breach Investigations Report
#1: Users

22. #2: Devices
75% Of Breaches Involve Compromised Devices
Source: Duo analysis of 2M+ devices, Jan 2016

23. #3: Access

24. Obama To Schmidt: Nation’s Cybersecurity Priorities?

25. Obama To Schmidt: Nation’s Cybersecurity Priorities?
✓ Strong Authentication
✓ Up-to-Date Devices
✓ End-to-End Encryption

26. President Obama’s $19 Billion Cybersecurity Proposal
Calls for 35% Increase Over 2016 Enacted Level
Major Pieces of the Cybersecurity National Action Plan
Critiques from the Tech Industry
• While manyin the techindustryhave applauded
the president’s proposal for investment, many
of the suggestionsare seen as basic and a sign
at how woefully behind our governmentis on
cybersecurity.BrianBarrett,a writer for Wired
magazine,compares the plan to “standard
advice you’d give a tech novice”.
• With the proposalcoming from a “lame-duck”
president nearingthe end of his second term,
there is a growingpessimismthat pieces that
require congressionalaction will go unfunded.
• Despite being a basic tenet of internet security,
encryptionis notablyabsentfromthe
president’s press release.While many in the
tech communitybelieve encryption is necessary
for continued cyber safety, the topic remains
controversialin Congress.
Full Multi-StepAuthentication Rollout
While a large portion of the government uses 2-step or multi-step
authenticationfor internal logins,the initiativeplans to extend this extra
layer of security to citizen-facingfederal governmentdigital services.The
President hopes this switch will also increase public awarenessof this
identity proofing mechanism,encouragingmore wide use amongprivate
online systems.
$3.1billionInformation TechnologyModernization Fund
This fund enables the retirement, replacementand modernizationof IT
equipment throughout the government.Many see this initiative as overdue
as some branches of the governmentare running antiquated as old as
Windows XP which Microsoft stopped officiallysupporting in 2014.
National Initiative for CybersecurityEducation
$62 billion is requested to invest in educatingthe nation’s next generation of cybersecuritypersonnel. Proposed programs
include the CyberCorpsReserve which would offer scholarshipsfor Americanswho wish to obtain cybersecurityeducation in
exchange for civil service in government.
EINSTEINandthe ContinuousDiagnostic andMitigation Program
The president proposes allocatingincreasedfunding to the government’s
primarycyberdefense system: EINSTEIN,which has faced significantcriticism
since it is currently unable to dynamicallydetect new kinds of cyber
intrusions, makingit only useful against known threats.

27. President Obama’s $19 Billion Cybersecurity Proposal
Calls for 35% Increase Over 2016 Enacted Level
Major Pieces of the Cybersecurity National Action Plan
Critiques from the Tech Industry
• While manyin the techindustryhave applauded
the president’s proposal for investment, many
of the suggestionsare seen as basic and a sign
at how woefully behind our governmentis on
cybersecurity.BrianBarrett,a writer for Wired
magazine,compares the plan to “standard
advice you’d give a tech novice”.
• With the proposalcoming from a “lame-duck”
president nearingthe end of his second term,
there is a growingpessimismthat pieces that
require congressionalaction will go unfunded.
• Despite being a basic tenet of internet security,
encryptionis notablyabsentfromthe
president’s press release.While many in the
tech communitybelieve encryption is necessary
for continued cyber safety, the topic remains
controversialin Congress.
Full Multi-StepAuthentication Rollout
While a large portion of the government uses 2-step or multi-step
authenticationfor internal logins,the initiativeplans to extend this extra
layer of security to citizen-facingfederal governmentdigital services.The
President hopes this switch will also increase public awarenessof this
identity proofing mechanism,encouragingmore wide use amongprivate
online systems.
$3.1billionInformation TechnologyModernization Fund
This fund enables the retirement, replacementand modernizationof IT
equipment throughout the government.Many see this initiative as overdue
as some branches of the governmentare running antiquated as old as
Windows XP which Microsoft stopped officiallysupporting in 2014.
National Initiative for CybersecurityEducation
$62 billion is requested to invest in educatingthe nation’s next generation of cybersecuritypersonnel. Proposed programs
include the CyberCorpsReserve which would offer scholarshipsfor Americanswho wish to obtain cybersecurityeducation in
exchange for civil service in government.
EINSTEINandthe ContinuousDiagnostic andMitigation Program
The president proposes allocatingincreasedfunding to the government’s
primarycyberdefense system: EINSTEIN,which has faced significantcriticism
since it is currently unable to dynamicallydetect new kinds of cyber
intrusions, makingit only useful against known threats.
✓ Up-to-Date
Devices

28. President Obama’s $19 Billion Cybersecurity Proposal
Calls for 35% Increase Over 2016 Enacted Level
Major Pieces of the Cybersecurity National Action Plan
Critiques from the Tech Industry
• While manyin the techindustryhave applauded
the president’s proposal for investment, many
of the suggestionsare seen as basic and a sign
at how woefully behind our governmentis on
cybersecurity.BrianBarrett,a writer for Wired
magazine,compares the plan to “standard
advice you’d give a tech novice”.
• With the proposalcoming from a “lame-duck”
president nearingthe end of his second term,
there is a growingpessimismthat pieces that
require congressionalaction will go unfunded.
• Despite being a basic tenet of internet security,
encryptionis notablyabsentfromthe
president’s press release.While many in the
tech communitybelieve encryption is necessary
for continued cyber safety, the topic remains
controversialin Congress.
Full Multi-StepAuthentication Rollout
While a large portion of the government uses 2-step or multi-step
authenticationfor internal logins,the initiativeplans to extend this extra
layer of security to citizen-facingfederal governmentdigital services.The
President hopes this switch will also increase public awarenessof this
identity proofing mechanism,encouragingmore wide use amongprivate
online systems.
$3.1billionInformation TechnologyModernization Fund
This fund enables the retirement, replacementand modernizationof IT
equipment throughout the government.Many see this initiative as overdue
as some branches of the governmentare running antiquated as old as
Windows XP which Microsoft stopped officiallysupporting in 2014.
National Initiative for CybersecurityEducation
$62 billion is requested to invest in educatingthe nation’s next generation of cybersecuritypersonnel. Proposed programs
include the CyberCorpsReserve which would offer scholarshipsfor Americanswho wish to obtain cybersecurityeducation in
exchange for civil service in government.
EINSTEINandthe ContinuousDiagnostic andMitigation Program
The president proposes allocatingincreasedfunding to the government’s
primarycyberdefense system: EINSTEIN,which has faced significantcriticism
since it is currently unable to dynamicallydetect new kinds of cyber
intrusions, makingit only useful against known threats.
✓ Up-to-Date
Devices
✓ Two-Factor
Authentication

29. President Obama’s $19 Billion Cybersecurity Proposal
Calls for 35% Increase Over 2016 Enacted Level
Major Pieces of the Cybersecurity National Action Plan
Critiques from the Tech Industry
• While manyin the techindustryhave applauded
the president’s proposal for investment, many
of the suggestionsare seen as basic and a sign
at how woefully behind our governmentis on
cybersecurity.BrianBarrett,a writer for Wired
magazine,compares the plan to “standard
advice you’d give a tech novice”.
• With the proposalcoming from a “lame-duck”
president nearingthe end of his second term,
there is a growingpessimismthat pieces that
require congressionalaction will go unfunded.
• Despite being a basic tenet of internet security,
encryptionis notablyabsentfromthe
president’s press release.While many in the
tech communitybelieve encryption is necessary
for continued cyber safety, the topic remains
controversialin Congress.
Full Multi-StepAuthentication Rollout
While a large portion of the government uses 2-step or multi-step
authenticationfor internal logins,the initiativeplans to extend this extra
layer of security to citizen-facingfederal governmentdigital services.The
President hopes this switch will also increase public awarenessof this
identity proofing mechanism,encouragingmore wide use amongprivate
online systems.
$3.1billionInformation TechnologyModernization Fund
This fund enables the retirement, replacementand modernizationof IT
equipment throughout the government.Many see this initiative as overdue
as some branches of the governmentare running antiquated as old as
Windows XP which Microsoft stopped officiallysupporting in 2014.
National Initiative for CybersecurityEducation
$62 billion is requested to invest in educatingthe nation’s next generation of cybersecuritypersonnel. Proposed programs
include the CyberCorpsReserve which would offer scholarshipsfor Americanswho wish to obtain cybersecurityeducation in
exchange for civil service in government.
EINSTEINandthe ContinuousDiagnostic andMitigation Program
The president proposes allocatingincreasedfunding to the government’s
primarycyberdefense system: EINSTEIN,which has faced significantcriticism
since it is currently unable to dynamicallydetect new kinds of cyber
intrusions, makingit only useful against known threats.
✓ Up-to-Date
Devices
✓ Two-Factor
Authentication
X Encryption?!
THANKS OBAMA

30. 1. Threats
2. Architecture
3. Market

32. Security Bingo
Network
Firewall/
VPN
UTM
IDS/IDP
Data
Messaging/
Encryption
DLP
Web WAF/Fraud
Endpoint
Desktop
Mobile
Identity IAM/SSO
Management
SIEM/
Analytics
VA/GRC

33. Security Flipped! ( °□°
Network
Firewall/
VPN
Cloud & SaaS
Microsoft, Amazon, Google, Salesforce, Box, etc.
UTM
IDS/IDP
Data
Messaging/
Encryption
DLP
Web WAF/Fraud
Endpoint
Desktop
Modern Devices
iOS, Android, Windows 10, OS X, ChromeOSMobile
Identity IAM/SSO
Management
SIEM/
Analytics
VA/GRC

34. From Bolt-On To Built-In Security

35. 1. Threats
2. Architecture
3. Market

36. Defense
in Depth

37. Defense
in Depth
Expense
in Depth

38. Better Security,
Not Just More

39. Goldilocks Strategy

40. Goldilocks Strategy
Solve for Time, Value, Access, & Skill

41. Enterprise-Grade Security + Consumer-Grade Design

42. Mission
DEMOCRATIZE SECURITY
by making it easy & effective

43. 2

44. 7 7

45. Siloed Point SolutionsSiloed Point Solutions
Users Devices Network Apps
13

46. Modern Access SecurityModern Access Security
Users Devices Network Apps
Trusted Access
14

47. Trusted Access
Ensure only trusted users & devices
can access protected applications

48. 2017DuoProductLine
Duo Free
Easy two-factor
authen1ca1on, free for up
to 10 users.
$0
Duo MFA
Easy, best-of-breed two-
factor authen1ca1on for
cloud and on-premise
applica1ons.
$3
Duo Beyond
Our next-genera1on
security control pla?orm
for modern, perimeter-less
organiza1ons.
$9
Duo Access
Our essen1al security suite
to manage trust and
address risks from mobile,
BYOD, and cloud adop1on.
$6

49. Inbound Marketing: 93% of Leads, 75% of ACV

50. 1/12
3/12
5/12
7/12
9/12
11/12
1/13
3/13
5/13
7/13
9/13
11/13
1/14
3/14
5/14
7/14
9/14
11/14
1/15
3/15
5/15
7/15
9/15
11/15
1/16
3/16
5/16
7/16
9/16
11/16
High-Velocity, High-Volume, Predictable Growth
‣ Time: 75% of customers up and running in < 1 day
‣ Value: 50%+ new ACV from expansion & upsell
‣ Access: 25% SMB, 25% Mid-Mkt, 50% Enterprise
‣ Skill: Most buyers IT, not security
‣ Love: 70 NPS, 1000+ New Logos/Qtr
Series A
Series B
Series C

51. 1/12
3/12
5/12
7/12
9/12
11/12
1/13
3/13
5/13
7/13
9/13
11/13
1/14
3/14
5/14
7/14
9/14
11/14
1/15
3/15
5/15
7/15
9/15
11/15
1/16
3/16
5/16
7/16
9/16
11/16
High-Velocity, High-Volume, Predictable Growth
‣ Time: 75% of customers up and running in < 1 day
‣ Value: 50%+ new ACV from expansion & upsell
‣ Access: 25% SMB, 25% Mid-Mkt, 50% Enterprise
‣ Skill: Most buyers IT, not security
‣ Love: 70 NPS, 1000+ New Logos/Qtr
Series A
Series B
Series C

52. duo.com
Moscone South #1247