MarTech and AdTech are the true global surveillance superpowers Permalink

Great reporting by Brian Krebs:

Not long ago, the ability to digitally track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a dangerous power that should remain only within the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites.

I’ve always held that 99.9% of us shouldn’t worry about the NSA, but 100% of us should worry about marketing (MarTech) and advertising (AdTech).

The Government™ has tremendous resources, but is also a massive bureaucracy saddled with myriad political, legal, and resource constraints. So, while the national technical means (read: spy tech) exist to hoover up and store limitless amounts of data, what they can practically do to and with that data is subject to some limits. Most notably, it’s not in the intelligence community’s interest to try to look at everyone.

Precisely the opposite is true of marketing and advertising. For every human with a dollar to their name, now or in the future, there is someone who wants to sell them something.

To borrow some intelligence jargon, the “targeting list” is effectively the whole of the developed world, and there is so much unregulated signal that two things are true:

  1. Virtually any entity within the ecosystem can truthfully say things like “we don’t share X with Y” or “we use privacy-preserving consumer identifiers”

  2. Virtually any entity within the ecosystem can piece together enough “anonymized” data to associate a name, place, and much more to any identifier, if they choose

SEO, GEO, and the future of content discovery Permalink

The End of Advertising by Michael Mignano was thought-provoking, but not for the reasons I expected.

Anyone who optimizes for growing their viewership or audience, from independent authors to businesses, is foolish to ignore search engine optimization (SEO). Like it or not, it works, driving content to more potential viewers.

And where there’s a system to game, there’s a marketplace of solutions to help you game it.

He alludes to the fact that generative AI (GenAI) platforms are going to incorporate ads, and I’m sure they’ll dominate the advertising ecosystem over time. The unexpected thought that his article provoked: what will happen to the creator ecosystem, and the millions (billions?) of dollars that have been poured into the SEO industrial complex?

Consider these assertions:

  • We’ll find and consume content increasingly via GenAI products like ChatGPT and Perplexity, rather than traditional search engines.
  • GenAI will sometimes link back to original sources, either by design (as Perplexity does), by user request, or perhaps original sources will appear as ads?

If these are true, and I believe they are, then there may be a new system to game: being the first to provide authoritative content to GenAI engines in hopes they drive traffic to your source.

The Internet is already being littered with talk of Generative Engine Optimization (GEO). But GEO thus far is focused on how to optimize content structure for summarization and reference by GenAI engines. Step #1 in GEO how-tos is “Do all of the SEO things.” This is surely important in 2024, but where’s the puck going?

Crude content discovery landscape A napkin drawing.

If there are predictions to be made:

  • We’ll see capitulation in the game of GenAI keep-away.1
  • GenAI engines will be increasingly connected and increasingly quick to provide results that blend the best of the models with the best results from the web.
  • The new game will be creating content and then feeding it immediately and in specific ways to GenAI engines (effectively “GenAI content stuffing”), resulting in a new way of thinking about “authority” or “rank” that increasingly cuts out traditional search engines.

Search engines aren’t going away overnight, or even in the next decade. But they’re a costly means to an end for both creators, who have to optimize for them, and GenAI platforms, which have to wait on them, potentially license results from them, and generally depend on them. For both of these constituencies, the search engine becomes both a boat anchor and a tax, and both will be increasingly motivated to cut them out of the equation.

  1. This is a big deal because there’s a considerable effort today to block GenAI crawlers from accessing content. Large publishers might succeed in this, but smaller sites and creators probably won’t. Like water, GenAI crawlers will find a way. 

After years observing cybersecurity defenders balance cost and effectiveness, focus has oscillated solely between device (e.g., endpoint) and identity (e.g., directory or identity provider) security.

While other technology and security domains contribute to overall maturity, their contributions are incremental and a distant third by comparison.

Put another way: If you aren’t exceptional at both device and identity security, being exceptional in any or all other areas won’t help.

September 30, 2024

Cybersecurity predictions, Q3 2024 edition

Anyone who’s worked in cybersecurity for a meaningful amount of time has been asked to make predictions. Here are two predictions I’ve made that have endured over the past 2-3 years.

MSSP, MDR, and all other defensive managed services coalesce into SOC-as-a-Service.

All of the historical managed security service market categories are dancing around this eventuality.

The simplest way to think about a security operations center, or SOC, is as a vertically integrated set of functions whose primary reason for being is to detect and respond to cybersecurity threats. And Incident Management 101 tells us that in order to be effective at detection and response, you need to understand where your incidents come from (threat vectors) and corresponding attack paths (root causes—there is rarely just one).

Traditional managed security services focus almost exclusively on detection and response. This is great, as it’s exceptionally difficult to be exceptional at detection and response. But the smart money is on maximizing what you learn from your incidents and making decisive changes to eliminate threat vectors, reduce attack surface, and ultimately to significantly reduce the cost to adversaries who want to meddle in your environment.

It’s overwhelming to think about the dozens of cybersecurity market categories that one could Frankenstein together as bookends for detection and response to build a highly effective SOC. Is it attack surface management (ASM), vulnerability management (VM), exposure management, cloud security posture management (CSPM), incident response (IR)? Very few organizations need any one of these functions turned up to 11. What most organizations need is a subset of these functions working exceptionally well together.

So again, the destination here is a vertically integrated and highly operationally-focused slice of some of these functions, not just detecting and responding to threats, but systematically working to reduce the number and severity of incidents, effectively and at scale.

The browser becomes the most important device of all.

We love to say things like “identity is the new perimeter.” This statement may be accurate, and helpful for convincing people that they should invest heavily in protecting identity. But, it can lead to superficial implementations that fixate on the identity provider, or IdP, and leave us with gaps in our understanding of what’s being done to circumvent obvious points of identity protection, and what happens once a session exists.

Trust is increasingly pinned to the browser. It’s how we access the IdP in the first place, and it’s where any modern organization does 99% of their work after authenticating via the IdP.

Application control, including application whitelisting or allow lists and behavioral controls, are hallmarks of great endpoint protection. These are available for the browser, but are clunky to manage and far from mainstream in the enterprise. Ad and script blockers are absolutely critical to protecting end users from all manner of shenanigans, but both of these spaces feel like moving targets—purveyors of the most popular browsers don’t like them and these interdictions can be at odds with interoperability and ease-of-use.

Soon, we’ll see widespread acceptance of the importance of the browser, and it’ll become commonplace to instrument and think about browser protection, integrity, and observability in the same ways that we’ve come to think about these concepts on traditional end user platforms, like macOS and Windows (Linux, too, I know there are dozens of you!).