Sign up for my newsletter to see more interviews with the biggest names in cybersecurity.
This week I was lucky enough to talk to Rami Essaid, the founder and CEO of of Distil Networks. Distil Networks provides bot detection and mitigation to prevent malicious bots from accessing websites. Distil has received $38 Million in funding across several rounds and the most recent round was led by Bessemer. Bessemer Partner David Cowan describes the rationale behind his investment here.
Check out the interview below!
Just before this call, I tried to go to CrunchBase and I was stopped and asked to enter a CAPTCHA with the Distil Networks logo on that page. What is going on in the backend that’s determining that I might be suspicious?
We’re trying to differentiate between a real person and a computer on a website. There are a lot of things online that might make you look suspicious. Additionally, different customers can tune up and tune down the aggressiveness of our software. Crunchbase is more aggressive because they highly value their data and some people were using bots to take their data for free and taking down their site. Different factors on your computer such as your rate of usage, existing plug ins, or malware installed on your PC might trigger Distil’s protection.
Can you explain why the need to stop bot traffic is so significant? You’ve explained some of these here, but is there a biggest use case for companies purchasing your software?
There are several really big use cases. Bots are just a tool and they can be used for great things. For instance, Google uses bots that are imperative to the function of the web. However bots can also be used for malicious things. The two biggest data breaches in the history of the government–Manning and Snowden–used web crawlers to crawl around and steal all of that data. Hackers use bots to go through every page of various websites to find different vulnerabilities. They can also brute force their way through log in to pages. For instance, Ashley Madison customers had their usernames and passwords leaked, now hackers can create bots to take those usernames and passwords and try them on a whole host of other sites.
How do you tell the good bots from the bad bots?
We partner with all the major search engines and we whitelist them through our systems. In security you can’t operate under the premise of blacklisting; you have to assume that everything is bad and then let through only what you know is good.
Filling in CAPTCHAs or similar instruments creates some friction for a viewer trying to access a site. Have you considered other methods of determining a viewer’s identity?
We actually have other methods that introduce more friction than Captchas. Our customers can choose the type of verification that they want. For instance, our customers can force suspected bots to verify their identity by inputting their email. You inherently have to introduce some friction for security. We’ve played around with a fingerprint pop-up or authenticating with facebook or google sign on, however there is a very fine line between identifying who you are and identifying whether or not you’re a bot; we don’t want to collect any personally identifiable information.
The architects that create bots are constantly tweaking their algorithms so that the bots avoid detection. How do you stay ahead of these hackers?
We do a lot of R&D and we’re always going to be an engineering-heavy organization, but our machine learning is the secret tool that can outpace bad guys. Traffic patterns from real people don’t look like bot traffic and the captcha that users fill out feeds information into our machine learning algorithm so we’re always improving.
Your latest round was led by Bessemer, and David Cowan–known for being one of the top cybersecurity investors–joined the board. He has talked a little bit about this here, but in your view, what do you think were the key one or two factors that impressed him and your other investors, and led to their investment?
I’ve had the opportunity to know David for about 2 years now. I pitched him on our A round and we stayed in touch. I think that David recognized the potential scope of our idea, because every website needs this type of security. Additionally, when we talked about our roadmap, he got really excited (we’re releasing a second product in the fall and then a third product early next year). It also didn’t hurt that we were growing 400% year over year and signing Fortune 500 clients onto our product.
How did you get into security?
I paid my way through college by selling cell phones. After school I opened up my own retail store which I later sold to the company that I had worked for in college. From there I transitioned into sales and marketing. In my last role in sales and marketing I was working for a cloud security company and I helped build out their sales force. When I got there, I realized how vulnerable the web is, and that it’s probably getting worse, which led to me getting really interested in security.
- There are several huge vulnerabilities in Android that Google has failed at patching. Google is discovering the problems that come along with relying on hardware makers to approve software updates before they can be distributed.
- The author argues that companies like BioCatch, which monitor a user’s normal behavior (how their mouse moves around a screen, how quickly they scroll, etc.), and biometric identification companies are the future of identity and access management.
- His Jeep hack prompted the first ever cybersecurity-related vehicle recall. Unclear what he’s doing next.
- Interesting profile on the IAM company that recently received an investment from Insight. Based on several estimates, the company likely will have around $15 Million in 2015 revenue. They currently have 65 employees, up from 40 at the start of 2014.
- Apparently only 14% of the profiles were women (many of which were fake accounts) and it seems that AM might not have deleted some of the accounts of users that paid $19 to erase all connection to the site.
- The IoT platform will be cloud-based and will provide end-to-end protection and forensics for IoT devices.