#6 Insights on Cyber Security Threats from a Startup
Episode #6 of Students vs. Startups takes a look at Cyber Security and Threats. Today, we have three graduate students from Georgetown University’s School of Continuing Studies Technology Management Program.
Our grad students will face off with a couple of cybersecurity companies. The first startup is Huntress Labs represented by its CEO Kyle Gordner. The second startup is called HTSI and is headed by Tom Gilmore.
We have three students from the Master of Professional Studies in Technology Management Program from the School of Continuing Studies at Georgetown University. The students are Tyler Gray, Maura Imparato, and Michael Abel.
We have two companies working with our host, Eastern Foundry
Here’s the transcript
John: Welcome to Students Versus Startups Showdown on the Potomac. My name is John Gilroy. I will be your moderator. Today, the structure for this twenty-six-minute podcast is quite simple. We put a leader of a tech startup in the hot seat, students ask questions, we find another innovator, and then do it again. The founding sponsor for Students Versus Startups is The Radiant Group. If you enjoy solving complex problems, like to work with bright people, The Radiant Group is the place for you. Contact Al Di Leonardo, or Abe Usher at theradiantgroup.com. Here we go, ready round one.
All three of today’s students, graduates of Georgetown University Masters program, we know them, Tyler Gray, Maura Imparato, and Michael Able. Let’s have a quick introduction from our students first, so that you know what you are facing. Tyler a little bit about your background, please.
Tyler: Sure. I’m Tyler Gray, proud graduate of Georgetown University’s technology management program, which I actually used to found my own digital agency, Gray Street Solutions, three years ago. We do digital marketing primarily for defense contractors and trade associations.
John: Maura please, your background.
Maura: I am Maura Imparato. Graduate of tech management program at Georgetown, and a proud teacher of the same. I’m currently studying my doctorate for neurotechnology, just to add a little bit of new information to my background.
John: Good background. Michael?
Mike: I’m Mike Able, Hoya Saxa. I work for NTT Data, formerly of Dell Services Federal Government, and I work at IT Service Operations, so I make everything run on a day to day basis.
John: Michael is a proud father of three children. Is that right?
Mike: Absolutely. I’m outnumbered at home.
John: Wow. You got a tough, tough crew to face here, Kyle. Our startup today is Kyle Hanslovan and the name of his startup is Huntress Labs. Kyle tell us about your background, please.
Kyle: I started about ten, twelve years ago doing offensive cyber security in the US Air Force. It was one of those jobs that thankfully got paid to break things for a living. I got to help out national security a whole lot, and whether it was in support of maybe gathering intelligence or actually trying to find out who might be trying to gather intelligence on us, it was kind of super fulfilling. About a year ago, twelve months to be exact, we started asking ourselves how can we use these skills to give back, and specifically how could we help small and medium sized businesses? Most of us think of breaches about the large enterprise customers of government, but most forget when it comes to small and medium sized businesses these are the ones that don’t recover, so that’s how we’ve used those skills.
John: At Georgetown you have to have an ethics component to every class. Would people call you an ethical hacker?
Kyle: Yeah. It even makes the LinkedIn headline of ethical hacker.
John: That’s great. Kyle I’ll ask you the question, I ask all our startups, and toss it to the students. The question is, what business problem do you solve?
Kyle: It’s funny. About a year ago I would have answered that with the technology, I would have said, we help find hackers and malware that slips past antivirus and firewalls, but that’s not the business problem. The business problem is a lot of these small and medium sized businesses, a breach to them means it could be an intellectual property being stolen. It could be a large action that they now have to clean up and they don’t have the resources to send their IT, or system administrators to go do, so our whole point of the company is to find these breaches before it essentially cripples the company, similar to if you go to the doctor each year to find cancer. It’s not going to stop you from getting cancer, it’s to find the cancer before it gets terminal.
Tyler: What do you think the biggest reason that most small, medium sized companies don’t take better care of their network security, and their customer information? Is it just ignorance or it’s not going to happen to me? What’s the most common I guess reason, yet, why not, because they are not securing their data?
Kyle: This one would definitely be resources, and education, period. I think education isn’t specific to the mid-market. A lot of our users at the end of the day, whether they’re in an enterprise network, or whether at a small accounting firm, or law firm, they’re just as likely to open that attachment that all of us know that we shouldn’t open. As for the response though, at the end of the day it boils down to IT is supposed to enable business, it’s supposed to enable a company to grow, and a lot of companies just aren’t prepared to make the investment for cyber security, because oftentimes cyber security is looked at as harming growth, rather than actually producing growth in a company. I think those are the reasons that the SMBs probably struggle. Mainly resources.
Maura: I’ve certainly seen that struggle between when a small team has to decide when to spend their time and resources, do they lock down with a ton of security, or do they let everyone communicate, get out into the internet, do their work, basically. How do you think that you can convince small companies to go ahead and make that investment?
Kyle: Our whole start in this was asking the same question, if we were to help small and medium size businesses, how could four former intelligence folk come in and convince somebody it’s time to change? How could we make a difference? We ended up realizing that was going to be almost an insurmountable task. Think of all the small and medium size business. However, we learned that there’s a trend, and especially in 2015 it “hockey sticked,” it took off, of companies that were outsourcing their IT. We learned that both from a business perspective, as well as just a technology perspective that if we can convince the IT outsourcers to add in the digital layer of security, something more than just like antivirus and spam protection, or antivirus and firewalls.
That if that was built in by default into their services, one, it would help that IT outsourcer distinguish themselves, but two, it would remove the choice from small and medium size business, because they just buy IT outsourcing kind of rather than a la carte, it’s more like all NC pricing, they get whatever flavor, so our whole goal for this is if we sell to an IT outsourcer all the small and medium size businesses, hundreds of them, potentially all benefit from our product at the same time the IT outsourcer benefits from having smaller response times. They get to look good, to come into that company and say, “Hey. By the way, this is how we stopped this infection that slipped past our preventative products.”
Mike: There’s a million different IT security companies, and firms, and products out there, I’m curious are you guys just a standalone product that you can sell and leave, or is there professional services associated with it, and with all the different products and service providers out there what’s your differentiator?
Kyle: That was the single question that we ended up going to MACH37, our cyber security accelerator. From a technology perspective, we knew we were addressing a problem that had slipped past antivirus. We knew it first-hand because we were the one conducting breaches and getting around antivirus, but to be able to distinguish yourself against these titans, industry titans that have way more capital than any proper startup would have. That was hard for us. That’s part of the reason that influenced us going to the small and medium sized markets. The competition was less, but more importantly for it, our product had to be something that made sense, and when I say that is a lot of products today, create more work for the IT shop.
If I give you constant alerts, and I’m actually creating you more work, this is not a beneficial relationship between our company as a vendor, Huntress, as well as your IT shop, we’re making you more work, but if we’re able to say, “Here, deploy my lightweight agent to each one of your computers, and you never have to touch that thing again, and the next thing that you hear from Huntress is a ticket that’s automatically created in your service board, or your ticket queue,” and it says, here’s the breach, here’s the computer that it’s on, here’s how to remediate it, and here’s the priority, like now that’s enabling you to actually take action as opposed to here’s endless alerts good luck tracking it down if this is actually malicious or not.
The other piece that comes in is most IT outsourcers that we’re dealing with in small and medium sized businesses they don’t have cyber security expertise. A lot of our pitch is let us, similar to how they pitch to their customers saying let us outsource your IT for a fraction of the in-house cost of IT. Our pitch to those IT outsourcers is, “Let us outsource your cyber threat hunting for the fraction of the cost of in house cyber security expertise.”
Tyler: What sort of benefits do you feel that you’ve gotten from going and curing an accelerator like MACH37? Do you feel like you would have been able to start your company without it, or what would you say to others thinking about going their own way versus getting involved with an incubator or accelerator?
Kyle: The difference between pitching a value proposition and pitching features was something that was the single greatest thing I’ve pulled away from our accelerator. I would have told you when we started this that, “Oh. By the way we look for hacker footholds, it’s the persistent mechanisms that start malware.” Our customers don’t care about that. What they want to hear is, how are you going to enable me to be proactive instead of reactive? How are you going to save me essentially, or protect my profit margins, and most importantly how do I out-perform my competition, because there’s a lot of IT outsourcers to choose from. Once we grab those value props and learn that’s why people really buy product, our company took off. That was kind of the distinguishing moment for our company between floundering with just technology and excelling with an actual product that people wanted to buy.
Mike: How do you present your value to these companies, if your job is essentially to become a non-factor? I mean security companies their goal is to make sure things are steady and no one is broken in. How do you prove that and show it to your customers that, yeah, this is worth your time and money?
Kyle: We started out doing expensive paid pilots. If you wanted to try our software you had to pay for us, and that was foolish, early on, but when we opened up our product and said, “We believe so much in it. We’ll give you twenty-one days you can use our product on as many computers as you want,” and that allowed us when they deployed us to a couple hundred, or maybe even a couple thousand computers, and we find that breach to slip past antivirus, it’s a heck of a lot harder to argue like, does your product work when we actually showed you something that you didn’t know? When we showed you here was the HIPAA data that’s being stolen, or here’s something that is actually capturing credit cards, that was the proof in the pudding. We had to change. We had to grow as our startup, and had to actually prove that we worked, rather than just say we worked, because at the end of the day nobody cares what you say, they want to see the proof that it works.
Maura: I’m curious to know what’s your marketing strategy? Are you advertising locally or nationally? What’s your goal?
Kyle: This gives me a huge chance to plug that we just went to the largest IT outsourcer conference in the US. Two thousand of these partners all get together, and they all use a common product for their ticket tracking queues. The reason this was important for us was that tight integration, so when we do find an infection, and can all report directly into the ticket queue that every one of these use, and know, and love. That was huge for us, and on top of it, the difference between us, and we had other awesome cyber security technologies some of the folks from the enterprise market competing at the same competition with us, but the two thousand attendees actually voted us the best newcomer for their partner’s choice award. The reason for it was our price point made sense, we weren’t creating more work for them, and most importantly integrated into the products that they know and love. The other competitors even in the enterprise space couldn’t offer that.
Tyler: Obviously with so many threats emerging out there, how does your team incorporate feedback and decide what to work on, next, in terms of prioritization, and deploying it?
Kyle: This is a sad truth of startup world. We started up 100% focused on how do we make the next greatest cyber security technology, and it turned out that the technology has to work, bottom line. You cannot sell fish oil. The integration into products to make it seamless, meaning that if they already have a tool that pushes patches out, don’t give them a second tool to push your agent. If they already have a tool that they get all their alerts or their notifications and what to do, don’t give them a second user interface that makes them go off and look at another pane of glass. Those lessons, right there were kind of the key for us. Those really distinguished us and our delivery, especially in our marketing.
John: Great job, students. Great job, Kyle. If someone is listening to this, how can they get more information on your company, Kyle?
Kyle: The easiest way to find us is at huntresslabs.com, we’re also really active on Twitter. It’s one of those things whether you find us at huntresslabs.com, or @huntresslabs either one of us could …
Tyler: I’m going to be compulsive and spell it.
John: Two S’s in there, is that right?
Kyle: That is H-U-N-T-R-E-S-S L-A-B-S.
John: Music to my ears. Thank you, very much. We are hosted by Eastern Foundry, a community of government contractors who are bringing innovative solutions to the government marketplace. For more information, go to eastern-foundry.com. Our monthly sponsor is F5 Networks, the global leader in application delivery networking. Contact F5 to learn how they can help your agency strengthen performance and security.
Welcome back to Students Versus Startups Showdown on the Potomac. Round two. You already know our students. Tyler Gray, Maura Imparato, and Mike Able. We have a new startup in the hot seat, here. The startup is a company called, Hilltop Security. We have the president and CEO in the room Tom Gilmore. How are you, Tom?
Tom Gilmore: I’m doing well.
John: I went to your LinkedIn profile. I saw you participated in Spartan Races. What is a Spartan Race?
Tom Gilmore: It’s an endurance obstacle course. They range from four to twelve miles, and anywhere from twenty to eighty obstacles.
John: I think a startup would be an obstacle course in and of itself, isn’t it?
Tom Gilmore: It absolutely is.
John: Tell us a little bit about your company, please.
Tom Gilmore: The company is, it specializes in a cyber-security internet response platform. What we’re doing is taking all the data being generated by everything in the security stack. Integrating all that data, and then processing it, so that analysts don’t have to do that manually. That speeds up the incident detection and response process, dramatically, and saves time and gets them to remediation much faster.
John: Okay. I’ll ask you the question that I ask everyone, what business problems does your company solve?
Tom Gilmore: The biggest problem that we’re solving is the one that’s been actually created by the industry itself. On average an enterprise has sixty-five devices in their security stack, and that means more data to manage, thousands of alerts that have to be addressed. Most of them turn out to be false positives, and we are taking all that data and turning it into a single interface for analysts, and CISOs to deal with. They’re not dealing with sixty-five different devices or end point security platforms, they are dealing with one.
Maura: It sounds like you really are thinking of the user, the CISO who has too much stuff to do, and not enough time to do it. Have you done user testing, or do you plan to?
Tom Gilmore: We actually started as an R and D project in DoD. We’ve received significant amount of funding over the last couple of years to build out the platform. We’re now testing with an entertainment group, Lucasfilm, who’s giving us an opportunity to play around in their network. In addition to having been exposed to attacks on the DOD side, we’re now looking at it in the commercial side in an area where we’re seeing a lot of activity. Particularly from a couple of nation states who like to steal media rather than purchase it.
Mike: What type of challenges are you running into as a company, right now, at this point in your development?
Tom Gilmore: Of course, our biggest challenge right now is capital. We spend a lot of our time doing investor pitches, and negotiating term sheets, and doing that, so we can fuel the growth of the company.
Tyler: How do you prioritize what type of security features to implement into your platform? Is it on customer demand, emerging threats, a mixture of something, or …
Tom Gilmore: We use pilots to validate what it is that users really want. We’re finding that it’s not just the SOC analyst or the CISO that is a consumer of security data. It’s the other managers across the enterprise who have an interest as well. Those stakeholders should not be ignored. The CIOs, CFOs, even the CEO in some organizations. In the case of Lucas, the CEO is very interested in what’s happening in the cyber side.
Mike: I don’t want to jump in here, but SOC …
Tom Gilmore: Security operation center. Larger enterprises will have a dedicated security operation center with dedicated analysts that are dealing with any number of incidents on a daily basis. Most don’t. One of the other groups that we target are the VSOCs, or Virtual Security Operation Center providers, companies like Forcepoint.
Mike: CISO what’s that?
John: Chief Security Officer, Chief Information Security Officer.
Tom Gilmore: Depending on how the organization’s built.
Tyler: You talk about a foundation, a social responsibility and stewardship, those aren’t words I typically hear associated with security companies. How does that play into the product that you provide, and the services that you put forth?
Tom Gilmore: The entire company is made up of veterans. All of us came out of the Intel community, in one service or another. Our CTO is a West Point grad, and retired Army officer. I came out of the Marine Corps, and our COO is a Marine as well. We look at this as something that is tied to national security. Most of the targeting done by nation states isn’t against the federal government, it’s against companies who have intellectual property that they’re looking to steal. We think this is us doing what we’ve, most of us have been doing all of our lives, which is continuing to contribute to the national security of our country.
Mike: What would you say differentiates you from your competitors in the industry?
Tom Gilmore: Our biggest differentiator is that we’re not looking at it as a technological problem, this is a human problem. One of the principles that we’ve applied is what we call, All Source Intelligence Fusion, so in the same way that military organizations have to take in massive amounts of data from various sources and fuse it together to produce intelligence, we’re looking at the cyber problem in the exact same manner. It’s not just coming from sensors in the network, but there’s information that people need to be able to report into, and they need to know what it is they should be looking for to determine whether or not they’ve been targeted. We don’t hear a lot of talk about counter intelligence operations, or operational security, or OPSEC, but those are exact same things that protect DOD that should be applied within commercial enterprise and then we just build technology to help enable it.
Maura: Sounds like you really need to get into the minds of both cyber attackers as well as your customers, sounds like you really need some kind of psychological angle what are you finding when you pitch, are people interested?
Tom Gilmore: Actually one of the things that we’re finding very interesting is the vast majority of the cyber security community is made up of veterans. We’re not having to reteach people this, in fact the CISO at Lucasfilm was a Marine and came out of the FBI cyber division. We’re seeing a permeation of experienced veterans that understand cyber warfare, and understand security in general, that are taking the lead in a lot of these organizations. That makes it easy. It’s not a tough sell. People understand that we’re starting to see massive implications of breaches on some of these organizations like Target, we’ve seen what happened with Yahoo, that whole breach cost them a billion dollars and a deal with Verizon, and may have scuttled the deal all together, potentially. It’s warfare if we don’t treat it that way, we’ll continue to see global losses climb higher, and higher, and we think it’s the right approach.
Tyler: How has MACH37 helped further your company’s development and change some of the things that you may have done differently from the beginning?
Tom Gilmore: For us, MACH37 changed everything. We were all very experienced, government contractors, I’ve been doing it for twenty years, but what I didn’t have experience doing was commercializing and productizing a technology, and that was exactly the environment and the tools that MACH37 provided that we needed to do that successfully. I think it one, gave us an opportunity to take the company into other directions that we probably wouldn’t have. We would have focused on the federal government space, completely, to the detriment of building the company to what it potentially could be. Now, we’ve gone from a 100% federal focused to an 80% focus on commercial and 20% on federal government.
Mike: You obviously work in a very interesting industry, and I think a lot of times, especially for maybe younger students, or people who hear science, technology, engineering, and math might get turned off by the complex math, but what you do is a lot more comprehensive than that. What would, I guess, suggestions, or thoughts be about inspiring more young people to follow STEM, and open their eyes that you can do more than just code, you can really solve complex problems.
Tom Gilmore: If you look at our company, and most of the companies like us, the vast majority of the employees are involved in nontechnical functions. They’re involved in sales, HR, most of it is marketing and sales, but the other part to that though is that you don’t have to be a computer science major to do this work. My background was homeland security. There’s skills that need to be acquired if you look at cyber security, there are three hundred and thirty jobs open across the country, right now. I would say that less than 10% of those require a computer science degree.
John: What role does automation play in your company and the whole idea of protecting cyber security assets?
Tom Gilmore: It’s significant. Our platform ingests data from thirteen thousand different sources. We set out to integrate data from anywhere, in fact at the core of our technology is what drives salesforce.com. That gives us a significant technical advantage in the space.
Mike: I understand you’re a small business, right now, what’s your plan to graduate out of that? How do you expect that’s going to change what your company does?
Tom Gilmore: We have a very aggressive growth plan. We’re forecasting thirty-two million in sales by year five. That’s only with three hundred customers. We don’t see that as all that dramatic, when you look at the space. Global losses are expected to exceed two trillion dollars by 2020. That represents 4% of global GDP, that’s pretty significant. Right now, there aren’t enough companies that actually do the work, and we have an inactive prospect list of fifty-seven different clients right now, and we’re now starting to throttle back because there’s so much demand. The human capital issue is such a problem, that’s why automation is going to be necessary. This All Source Intelligence Fusion approach, where we can consume the data that is being generated by the security stack and then start to enrich it with threat intelligence, determining whether or not it’s a false positive or not, in doing that routine work that the analyst used to do is the only way we’re going to get out in front of this.
John: Last week I sat down with Doctor Zulfikar Ramzan from RSA. He’s their chief technology officer. Bright guy. Fifty patents. Two books. Young guy. He talked about the sixteen hundred companies in the space, and he talked about some of the risks of automation, he said, “Automation can be a rough tool. It can gloss over some important nuances.” Do you agree with that?
Tom Gilmore: I do. If you look at some of the orchestration plays that are currently in use, they do that, and they overlook the opportunity to identify campaigns. They go straight to remediation and you miss out on the intelligence value that could be collected from that data, if it’s processed properly. What we did differently is we applied it in the industrial engineering methodology used by global logistic firms, and then we built an ontology that we patented to be able to collect that data and make it contextual for each organization, based on their needs and their risks.
John: Looks like we’re running out of time, here. I’d like to thank our founding sponsor, The Radiant Group. Our host Eastern Foundry, and our monthly sponsor F5 Networks. Now, Tom when someone wants more information about your company, how can they reach you?
Tom Gilmore: Two ways, our website at www dot, hilltopsi, that’s Sierra, India, dot com, and our Twitter handle is @hilltopsi. Hilltop Sierra, India.
John: Great. If you would like to see a transcript of this episode, please visit the blog, at easternfoundry.com. Signing off from high atop a nondescript building in lovely downtown Rosslyn, Virginia. I am John Gilroy, and thanks for listening to Students Versus Startups Showdown Potomac.