This week I was lucky enough to talk to Dmitri Alperovitch. Dmitri is the cofounder and CTO of CrowdStrike–a next-gen endpoint protection platform. Dmitri previously worked at CipherTrust and was the VP of Threat Research at McAfee.
This interview is longer than usual but it’s 100% worth reading all the way through. I learned so much from our conversation. Thanks for reading!
You were one of MIT Technology Review’s Top 35 Innovators Under 35, you were named as one of Foreign Policy’s Top 100 Leading Global Thinkers and you’ve received a host of other awards. You’re clearly a top performer and expert in the security space. What advice would you give to others who want to reach the top of their own respective fields?
Do what you’re passionate about. Pick an area and try to differentiate yourself in that area. I wasn’t chasing the awards, but I was passionate about the cyberespionage issue and I started beating the drums about that and proposing technology and policy solutions before anyone was paying much attention 5-6 years ago.
In an article that you wrote that was recently published for the World Economic Forum, you say that we have to promote cooperation among the developed countries with regard to cybercrime and cyberespionage. It seems like these other countries really have a lot to gain from some of these activities; will this kind of cooperation ever happen?
The broader overall message is that cybersecurity is not just a technology issue. At the end of the day we don’t have so much a cybersecurity problem as we have a problem with various countries like Russia, China, Iran and others that are either conducting cyberespionage against us or not addressing cybercrime emanating from their borders. Everyone recognizes that cybercrime and cyberespionage are big issues, but we’ve largely avoided confronting China and Russia because we have other issues with those countries. We really need to take an all-of-government approach to thinking about this from an economic, military, diplomatic, and legal perspective to figure out how we influence these countries and get them to change their behavior.
Part of the implication here is that we’re able to attribute attacks to certain people or groups. I’ve heard that attribution in cyber attacks is notoriously difficult. What’s the current state of attribution?
I disagree. Attribution hasn’t been an issue for a decade now. The people who say this are the people who have never done attribution. Just look at Sony: within a month, the government said they were absolutely certain it was North Korea (as did CrowdStrike). Virtually every major attack gets attributed eventually.
How are the newer endpoint detection and response and next-gen endpoint protection players different from the more traditional endpoint protection players?
The endpoint market has been revitalized in the last 3-4 years. Despite the success of FireEye, network devices aren’t solving the problem. Target is the prime example–they had FireEye and still got breached. The reason that these devices aren’t solving the problem is twofold. First, most of these network companies aren’t great at prevention. Second, they don’t have the visibility to see what’s going on. Administrators are overwhelmed by false positives and a lack of context and prioritization, and these network solutions give them neither great visibility into the threat nor the ability to stop it.
Endpoint companies are changing now that traditional antivirus solutions are no longer effective. Now you have live attackers breaking into systems without using malware. According to Verizon’s threat report, 60% of intrusions that the industry sees do not involve malware. The first crucial capability of EDR solutions is that they give corporations the ability to pay attention to non-malware attacks and to record what happens (i.e. what programs were running or what the user was doing when the attack happened). This is essential because nowadays, you must assume you’ve been hacked. Since you can’t stop everything, you must hunt for the attackers that are already on your network.
The second key capability of next-gen endpoint players is that they allow organizations to look beyond indicators of compromise (IOC) and instead look for indicators of attack (IOA). Though many vendors say otherwise, IOCs are just signatures. To find IOAs, you must look at what users are trying to accomplish. The IOC-based approach is equivalent to giving bank tellers pictures of known bank robbers in the area; if there’s someone who has never been caught robbing a bank, you’re going to miss them. The IOA approach is putting a video camera on every customer and observing their behavior. If we see someone going into the vault, taking money out, and leaving, we know they’re a bank robber.
The third crucial capability that EDR players provide is intelligence, so that you can see these attacks occurring in real time, contextualize and prioritize them.
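An added illustration of the IOC-versus-IOA distinction described above, written for this page rather than taken from CrowdStrike or any product: a hash lookup (the “pictures of known robbers”) beside a behavioral rule over process and network telemetry (the “video camera”). The telemetry events, hashes and the rule’s application lists are all constructed assumptions.

```python
"""Toy IOC vs IOA detection over constructed endpoint telemetry (example code, not a product's logic)."""

# Constructed telemetry, in arrival order. Process events carry a pid, parent pid,
# image name and file hash; network events carry the pid that opened the connection.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "WINWORD.EXE",    "sha256": "hash_word_constructed"},
    {"type": "process", "pid": 101, "ppid": 100, "image": "powershell.exe", "sha256": "hash_ps_constructed"},
    {"type": "network", "pid": 101, "dst": "203.0.113.5:443"},   # RFC 5737 documentation address
    {"type": "process", "pid": 200, "ppid": 1,   "image": "explorer.exe",   "sha256": "hash_explorer_constructed"},
    {"type": "process", "pid": 201, "ppid": 200, "image": "powershell.exe", "sha256": "hash_ps_constructed"},
    {"type": "network", "pid": 201, "dst": "203.0.113.9:443"},   # admin shell from the desktop: benign here
]

# IOC list: a signature of one previously seen sample. Nothing in EVENTS matches it,
# which is exactly the "robber who has never been caught" case from the interview.
KNOWN_BAD_HASHES = {"hash_previously_seen_sample_constructed"}

# IOA rule inputs (assumed lists): document readers should not spawn script hosts that then go online.
DOCUMENT_APPS = {"WINWORD.EXE", "EXCEL.EXE", "AcroRd32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def ioc_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """Signature approach: flag only processes whose file hash is already on the list."""
    return [e["pid"] for e in events if e["type"] == "process" and e["sha256"] in bad_hashes]


def ioa_hits(events):
    """Behavioral approach: document app -> script-host child -> outbound connection from that child.
    Returns (child pid, destination) for each completed sequence, regardless of file hashes."""
    processes = {}            # pid -> process event, so a child can look up its parent
    suspicious_children = set()
    hits = []
    for e in events:
        if e["type"] == "process":
            processes[e["pid"]] = e
            parent = processes.get(e["ppid"])
            if parent and parent["image"] in DOCUMENT_APPS and e["image"] in SCRIPT_HOSTS:
                suspicious_children.add(e["pid"])   # step 2 of the sequence observed
        elif e["type"] == "network" and e["pid"] in suspicious_children:
            hits.append((e["pid"], e["dst"]))       # step 3 completes the attack pattern
    return hits


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS))   # [] : novel tooling evades the signature list
    print("IOA hits:", ioa_hits(EVENTS))   # [(101, '203.0.113.5:443')] : behavior is caught
```

The same powershell.exe hash appears twice; only the instance launched from a document app and then reaching out is flagged, which is what keeps a behavioral rule from drowning administrators in the false positives the interview complains about.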
The EDR and next-gen EPP space is really heating up with a lot of venture funded competition (Tanium, Bit9/Carbon Black, Cylance, CounterTack, etc). What are essential features or capabilities that will determine the winners in this market?
There are a lot of players and that’s a healthy thing because it indicates that there’s a large addressable market. We differentiate ourselves by providing a complete solution–certain other companies for instance are just next-gen AV solutions. Some are similar to us in philosophy, but they don’t do detection, prevention, and intelligence. The winner will be able to do all of these things across all platforms and fully embrace the cloud, which no one except us does today.
The cloud provides a huge advantage for security companies. Alex Stamos recently noted that China can buy any commercially available product, throw their best people at it, and find vulnerabilities which they can then use against real-world companies. How do you beat an adversary like this given that every product has vulnerabilities? The only way you beat them is through the cloud. With cloud products, we can see everything that they’re doing and we can adapt, learn their tradecraft and detect their attempts to use it against our customers as a result. Every product out there has many layers of security and with these attacks, an adversary will try to break through the first layer and then the second and so on. What happens in the cloud is that they’ll take our products to the lab to try to find a way around them. They’ll find a way to break through the first layer and then they start working on the second layer. However, as a security company, since we can see every attempted attack in our cloud, we notice that they broke through the first layer, learn from it and make sure they can never do that again, and then instead of moving on to the next layer, they have to go back and start from scratch.
How’d you choose your investors?
They mostly chose us. George Kurtz and I were trying to change things at McAfee but they were so reliant on their legacy antivirus product line that it was too hard to turn that train around. We left and came up with the idea for CrowdStrike. We both knew Warburg from past companies where we had worked, so we pitched our idea to them and one other prestigious firm. We did a presentation to both firms on what we wanted to do and both of them agreed to fund us, however for a variety of reasons we thought that Warburg was a better fit. We chose them because they, like us, were hoping to build a large and successful security company and we knew they’d be around for the long haul. We were the smallest investment for Warburg at the time. Joe Landy, the Co-President of Warburg, was only on two boards, Bausch and Lomb’s (which Warburg purchased for $4.5 Billion in 2007) and ours. For our Series B, we weren’t even fundraising, but Accel really wanted to talk to us, and we met with them and it was a great fit. For our Series C, it was the same story. We weren’t fundraising but Google Capital reached out and wanted a conversation. With Google it was a no-brainer, because with an investment from Google Capital, you can get access to Google people and all of their incredible brainpower and experience.
- This NYT article argues that the security space seems to be getting crowded and investors are now paying more attention to profitability. David Cowan said that companies trying to identify anomalous behavior on computer networks or respond to attacks in real time “pretty much sums up 95% of the companies raising money at the RSA show.”
- When Facebook opened its bug bounty program, independent hackers found more bugs in the first 48 hours than FB’s internal team found in a year. HackerOne enables these kinds of bug bounty programs by connecting organizations and governments with ethical hackers.
- The cloud access security broker’s Series D was led by Iconiq Capital and brings their total raised to $131 million.
- BlackBerry expects Good to realize $160 million in revenue in the first year after closing, giving the company a forward EV/Rev of 2.7x. This seems bizarre, because in their amended S1, Good recognized $211 million in revenue in 2014 (up from $160 million in 2013), meaning they sold themselves for 2x trailing revenues. They also had shrinking losses, so the multiple seems strangely low. There’s a good TechCrunch piece on this. Also see BlackBerry buying Good isn’t just good, it’s smart.
- They gave the next-gen endpoint protection product five stars all around claiming “so far we have seen no better anti-malware performance than this.” Cylance is completely cloud-based and treats every sample as if it were a zero-day threat by looking at the samples across 6.2 million indicators.
- The company provides secure socket layer/transport layer security (SSL/TLS) meaning that it secures data in transit. TA will remain a minority stakeholder.
- The two hackers known for hacking a Jeep, which sparked a major recall, will join Uber’s research team for self-driving technology and robotics.