Mach37 Spring Class 2016 Interview: Unblinkr

 

Demo

Mancy Sanghavi, Unblinkr Founder

 

UnblinkrLogoTransparent

 

What opportunity did you recognize that led to the founding of Unblinkr?

Mancy Sanghavi: 250 million cars will join the Internet of Things by 2020. Cars are running millions of lines of code and are just as susceptible to hacking as any computer network. Advanced driver assistance and connectivity features increase threat vectors on the connected vehicle. We identified an opportunity to make cars secure.

What specific value does addressing that opportunity/problem provide for your customers?

Sanghavi: Automotive Industry insiders acknowledge connected cars need to be secure from outside hackers. Through the publicity car hacking has received recently, consumers want to know their vehicles are safe. There are plenty of discussions on how to secure the connected car. Our product provides an answer to that question. By using our solution, car manufacturers can stay competitive and offer more advanced connectivity features for consumers.

Why aren’t current solutions addressing this opportunity/problem effectively?

Sanghavi: Cars today are infinitely more complex than the Model T designed by Henry Ford in 1908. Automotive companies have never had to think like technology companies in the past, and they are having to play catch up. Their design times have to be more responsive. We don’t have to play catch up because our team has been dedicated to this problem for over 5 years.

What makes your approach different and better from existing approaches?

Sanghavi: The connected vehicle space is new and there is no clear leader in aftermarket automotive cybersecurity. Cybersecurity is crucial in order for the market to adopt driverless cars. There are a few startups offering point solutions whereas we are taking a holistic approach. We believe in intelligent data by bringing context to increase awareness of the situation, thereby enabling us to make better decisions.

What about your (team’s) background puts you in a unique position to succeed?

Sanghavi: Our team has done research on the security and privacy concerns of these types of advanced technologies. We have bid on and received research grants to examine connectivity and have spent time in labs researching internal car networks. We conduct black box testing and pen testing on cars.

What one aspect of the Mach37 programs did you personally find most beneficial?

Sanghavi: The Mach37 program is incredibly beneficial and I highly recommend it. The 14-week program gives startups a unique chance to interact with experts and learn how to run a business from start to exit. Startups hone their message and learn the building blocks to take a litmus test of whether their idea can succeed in the marketplace. Mach37 helps you build your boat before they launch you into the waters.

Are there any adjacent industries transformed by your solution?

Sanghavi: Imagine summoning a driverless car via smartphone, revolutionizing taxi and parking industries. Targeted in-car advertising creates revenue opportunities for telecom and marketing industries. Insurance is getting ready for the day of driverless cars and when people aren’t paying car insurance anymore. Our solution helps track history and prove whether a car has been hacked. This is valuable information for insurers.  However, these disruptions come with challenges. The FBI is concerned that driverless cars are a terrorist target. Centralization means more vulnerability and creates user privacy concerns.

What are the key market/economic forces in your industry?

Sanghavi: Over 35,000 people in the US die in road crashes each year. Driverless technology is the hope that the number will become zero. But we are replacing human error with a machine. If that machine becomes hacked, that is dangerous for the families riding in the car. One day anti-hacking software installed on a car will be mandatory, the way seatbelts and airbags are mandatory safety elements today.

An industry driver is that revenues from connectivity are expected to increase sixfold from approximately $30 billion in 2014 to approximately $170 billion in 2020. Possible legislative mandates like SPY Car Act may fuel demand for Unblinkr product. An Executive Order mandates all government vehicles to address threat vectors by 2017. The EU eCall law will drive demand for the product overseas.

Learn more about Unblinkr here.

Mach37 Spring ’16 Class Interview: PCPursuit

2016-04-20 - DC CSCS Mt Up - 06 - DSC_0282

Robert Walker

CEO and founder

PCPursuit

 

What opportunity did you recognize that led to the founding of PCPursuit?

Robert Walker: There are a couple of things going on in information security that are really important. Too many information security products only tell you there is a problem after your data has already been stolen. I have seen a few things in my career that are technologies that can prevent problems from happening in the first place, but they are not easy to use and are typically expensive. We recognized that we could make physical systems and digital systems more secure if they could just talk to each other. It’s really never been done before and that’s what we are changing by providing a proactive security solution that is inexpensive and easy to deploy.

 

What makes your approach different and better from existing approaches?

Walker: Simplicity. You don’t have to roll this out to every asset in your enterprise. You can deploy one tiny piece of software on your Active Directory domain controller and it can protect your entire enterprise. This uses the exact same framework that Microsoft uses themselves. Most solutions don’t do it this way because it’s extremely hard to do.

One specific thing our technology doesn’t do is require you to deploy agents to each PC in your enterprise. We have a server that sits between your physical control systems and your Windows Active Directory domain controllers. That PCPursuit software asks if a user badges in and if so, when and where. We report that back and based on what the enterprise administrator wants, we can log it, we can send an email to their manager or restrict access.

 

 

What specific value does addressing that opportunity/problem provide for your customers?

Walker: PCPursuit enables enterprises to get considerably better security out of the assets they already own. We make the stuff they have better and we do it very inexpensively. It’s a massive improvement for a very low cost.

 

Why aren’t current solutions addressing this problem effectively?

Walker: Because they are not thinking outside their own boxes. Physical security solutions only think about the physical side. Digital security only considers their own boxes. We took it up a level to look at both pieces.  However, there is another dimension to consider. The technology is really hard to build. The concept is simple, but the execution isn’t easy.

 

What about your (team’s) background puts you in a unique position to succeed?

Walker: Both my co-founder and I worked at Microsoft. I was there as a full-time employee for 13 years. My co-founder has worked at Microsoft for many years as a consultant. So we both have very deep exposure to Microsoft technology and we know how to implement it in a way that very few people understand. It’s not that no one else can do this. It’s that few people understand as well as we do how Windows was designed.

 

What makes this an exciting opportunity for you?

Walker: The thing that I think is most exciting about what we are doing is that we are one of those really rare solutions that can help make your enterprise tremendously more secure than it presently is and at a very low cost. By putting these two pieces of technology together, PCPursuit delivers two key benefits that address two intractable problems:

  • It discourages employees from tailgating into buildings. If you can’t get any work done because your login won’t authenticate, you won’t tailgate to get in. If we change the psychology in an office to “always badge in” instead of “avoid it,” it changes behavior. Then not badging in becomes the anomaly.
  • We also make physical presence another factor for authentication. Passwords aren’t secure. Even if you have to change them every several weeks. People forget them. They write them down so they don’t forget them making them easier to steal. With PCPursuit, if you didn’t badge in, you can’t get access. If your password got phished, that hacker in Russia won’t be physically in your building and can’t get access from inside your enterprise network. If someone found your password, they can’t use it. And we can do it for one-tenth of the cost of other tools in the market. You don’t have to buy tokens or other tools, just install our software on a single server and connect it to Active Directory and your enterprise is immediately more secure.

PCPursuit represents the first example of a simple approach to pairing physical security with digital security. It will have the biggest impact on securing the enterprise since automatic Windows updates. This is the kind of stuff that actually works. Stuff that’s really simple. You just make a little tweak and people don’t have to change the way they work, but it still makes a big difference. It turns out that the technology is hard, but the implementation is simple and effective.

 

What one aspect of the Mach37 programs did you personally find most beneficial?

Mach37 is really well-connected and is the only accelerator focused solely on information security. Their specialization in information security means everything they do is geared to this field and that is very valuable. In addition, they understand selling to the enterprise. There is a big emphasis in the program on selling and that is not a natural skill for engineers which is the background of most of the founders.

 

Security Spaces Worth Watching

People sometimes ask about the process by which we select companies for participation in our accelerator program. One of the challenges with investing in the information security market (or any early-stage technology space) is that of identifying companies with a product that is both different and useful.

While “different” is an important criterion, it is necessary but not sufficient for a product to be successful in the market. For a product to be “useful,” it must address a real-world problem in an accessible way.

Thinking about what might be useful naturally leads us to ponder where the real, unsolved problems lie. In this article I’ll describe some areas in which I see opportunities for people who want to solve important security problems in a new and different way. This list is by no means exhaustive, but it includes approaches where we see underserved markets, new ways to deal with old problems, or significant chances to make a dent in the continuing onslaught of security threats that people experience every day.

Encapsulated Expertise

This isn’t a technology approach so much as a useful measure of whether a company’s product is likely to matter in the market. As I described in a previous article, if one looks at the history of the information security market, many of the most significant developments have been products that somehow embodied the experience of skilled people who may be expensive, difficult to find or hire, or simply rare enough that it is impossible to find enough of them to fully staff a security function. It is probably fair to say that the same value applies in the network operations markets as well. As we saw with the network intrusion detection system (IDS) market, a product that can identify important events and route them to the most appropriate people may allow an enterprise to make more efficient use of the people who are already there.

The hard part of building good products that embody or automate expertise is that there are natural pressures that tend to make the product complicated for the user. The most successful products not only solve complex security problems with automation, but also provide improvements in product usability and organization workflow.

A definition of a “home run” might be a security product that also simultaneously improves the user experience or user interface of something that people do every day. Those are rare, but when it happens, the opportunity is worthy of note. By some measures, Single Sign-On technology might be one example of improving the end-user experience while also enhancing security. It’s not always easy to deploy, but if done well, many people save time and administrators have a better handle on identity management.

The Internet of Things

A problem in the security business (and perhaps any technology sector) is that people toss terms about without actually agreeing upon what they mean. Perhaps the best example of this is “The Internet of Things.”  Because anything can be a “thing” it’s difficult to even know where this category begins and ends.

If you have been wondering which things are capital-T “Things,” here is a list of some examples that might fit the description:

  • Network-connected home appliances like the Nest Thermostat
  • Network-connected sensor devices such as electric power meters
  • “Smart cars” and “smart highways”
  • Industrial control systems
  • Remotely piloted vehicles
  • Any device that can be attached to a wired or wireless network that isn’t a computer or workstation at which you can sit.

This category creates security challenges because:

1) These things can provide a point of entry for attackers to the rest of your network

2) Some of these things have the ability to affect the physical world in real ways

3) These things may be transmitting information about you or your environment with significant implications for your privacy.

Sometimes, existing tools may be helpful for improving the security of connected devices, but there are constraints that may not be present with a regular computer. Connected devices may have minimal processing power, limited communications bandwidth, and in some cases, very limited power budgets due to battery size limitations. This necessitates new ways of approaching security management and monitoring.

Software Defined Networks

Another area that is showing up more and more in the enterprise IT conversation is software defined networking or “SDN.” This is another space that means different things to different people (and vendors), but the general idea is that the flexibility of networking equipment hasn’t improved as quickly as the flexibility of computing systems has. For example, the use of virtualization has made it very easy to move an entire server’s configuration and data from one computer to another very quickly and much more easily than the traditional process of installing everything on a new machine, verifying that the new system does the same thing as the old one, and then moving the data.

Similarly, software defined networking offers the promise of simpler and more flexible network routers and/or switches where even low-level configuration changes to hardware behavior can be stored in profiles and pushed out from a central management point. This technology potentially even allows for radical reconfiguration of the network “fabric” while systems are in operation without significantly impacting throughput on the network.

Obviously, this flexibility is powerful for enterprise network managers in terms of enabling new ways of adapting to enterprise needs very rapidly. This flexibility may come at a security cost, however. The standards and technology approaches in this area are still somewhat young, and some of the emerging standards don’t address security in much depth yet.

Some things to consider about SDN include:

1) The implications of centrally storing the configuration of your entire network on a system that can transmit changes that take effect rapidly;

2) How to prevent unauthorized access to the management/change function on individual routers or switches

3) Emergent network effects after making a change – do side effects “ripple” through the network afterward? How long do they take to dissipate?

Zero-Trust Security Models

Recently, a number of organizations have been advancing an approach to security that is a departure from traditions and practices that current information security practitioners hold dear.

The “zero trust” or “untrusted everything” approach is driven by the need to acknowledge that threats and attacks have changed more quickly than our defenses have. Current environments often have pre-defined trust relationships between various  computer systems. The problem is that an attacker can compromise one system and use it as a springboard or stepping stone to other systems that are configured to trust the first.

These approaches often explicitly reject the idea that there is an “inside network” of trusted resources and an “outside network” full of bad actors waiting to attack things.

In the past, enterprises would often deploy some perimeter security technology at the border between the “inside” and the “outside”, while frequently neglecting security improvements to systems on the “inside.” Security people have long referred to the resulting condition as having a “hard shell with a soft, chewy center.”

Today, not only is there ambiguity about exactly where “inside” ends and “outside” begins but also an increasing mix of mobile devices that may connect to internal networks while also sometimes traveling to hostile or insecure networks. Using your mobile handset in a favourite coffee shop and then in the office might be an example of that scenario. Sometimes these devices may even be personally owned, which may make it difficult to choose a satisfactory protection regime that allows users to get their work done on tools with which they’re the most comfortable.

In order to even begin to address this ambiguous environment, it is necessary to make some decisions. One decision that can guide the beginning of a workable strategy is to declare that bring-your-own-device environments, and networks running personal applications should be considered untrusted.

Some organizations choose to turn a blind eye to the prevalence of personally owned devices and personal applications while tacitly acknowledging that there is a productivity benefit to allowing their use. Reality requires that an organization develop a strategy to mitigate risk sufficiently in a world that isn’t black-and-white.

 

You Don’t Scale

The more that information security incidents are in the news, the more often we hear that there aren’t enough people to do all of the work necessary to batten down the hatches against everyone who’d like to compromise our systems and networks. The U.S. Government has been particularly vocal in discussing a shortage of security talent, but it’s not uncommon to hear this refrain in business circles as well.

If these folks are as difficult to find, hire, and retain as we’re told, then we only have a few choices:

  • Train them internally;
  • Automate as many security processes as possible;
  • Do things to make the people you have more effective

Most people choose door #2 as a way to get what’s behind door #3.

There is a common criticism of information security practitioners: that we depend too much on technology, even when the core problems may not be technical ones. Those critics have a point: effective security isn’t something one can buy in a box and then proclaim victory afterward. However, in the face of limited talent, deploying a new technology may be the most straightforward way to attempt to address some risks.The reason is simple: many of the best security products tend to embody some very specific, reproducible, automation-friendly aspect of security expertise and perform it tirelessly, over and over.  You may have the best internal security people in the world, or the best  world-renowned consultants, but the bottom line is that humans don’t scale particularly well.

This is true whether you’re the security manager with the responsibility to keep your network safe 24 hours a day, or the consultant who parachutes in to save the day when things look bleak. The former can only hire so many staff members, and the latter can only be billed for a finite number of hours in a day/week/year.

If experts are in short supply, then one of the most scalable options is to encapsulate the expertise of rare, highly paid people and build it into a mechanism that can attempt to apply that expertise to real environments, be they network traffic flows, host configurations, or software updates.

There has yet to exist a security product that solved all of the world’s (or even one enterprise’s) problems, but if we look at some things that made a difference in the state of the art when they arrived, they tend to fall into a few categories:

  • They allow less-senior people to do some work that used to be the province of a few
  • They help people to make better sense of information they (usually) already had somewhere
  • They help less-technical users to avoid inadvertently hurting themselves
  • They fundamentally changed some aspect of how we work or build systems to make them inherently more secure*

*This is where the most value is created, but it’s also the most difficult.

If you’ve gone to the trouble of building something to solve a problem for yourself, and believe that other people have the same problem, that’s called a market opportunity.