Tomasz AdamskiView from the ‘Loo: Haven’t been hacked? Don’t count on it Anthony Reinhart June 26, 2014 Communitech, View from the ‘Loo Photo: J. Paul Haynes, CEO of Cambridge-based eSentire, says protection against cyber attacks is an ‘elephant in the room’ that is often overlooked until it’s too late. So, your data firewall is the tallest and thickest that money can buy. But what if the threat is on the inside? The U.S. National Security Administration (NSA) found out the hard way last year, when a trusted intelligence contractor named Edward Snowden leaked thousands of classified documents to the media, setting off a firestorm of debate around government surveillance, personal privacy and data security. Whether you consider Snowden a hero or a traitor is beside the point. Had the NSA focused on securing its data where it sat – think encryption – he might never have succeeded in exposing its secrets. Internal monitoring for unusual activity would have helped, too. J. Paul Haynes could have told you all of this. The CEO of eSentire, a fast-growing cyber security firm based in Cambridge, is all about what he calls active threat protection – eyes on the inside, scanning for trouble in real time, and resolving incidents before they become major problems (though he also advocates for strong firewalls, since they make eSentire’s job easier). Haynes and his team have enlisted some high-profile talent as they grow their footprint on Wall Street, helping hedge funds and other financial institutions secure their transactions. Their customers manage a combined total of $1.2 trillion in assets. This year, eSentire added Gus Hunt, former Chief Technology Officer for the Central Intelligence Agency (CIA), to its advisory board. Hunt, speaking earlier this month at a Communitech breakfast, laid out in dizzying detail how the world is “in this perfect storm of cyber security” due to the explosion of cloud computing, connected devices, big data and criminals looking to exploit it all. He urged audience members to “think from the data out, not from the perimeter in,” which echoed a chat I’d had with Haynes a couple of weeks earlier at Communitech’s Tech Leadership Conference. Haynes co-presented during a breakout session with Cedric Jeannot, CEO of Kitchener-based I Think Security, in a room decorated with an inflatable elephant – the elephant in the room, get it? After their talk, I caught up with Haynes for a quick Q+A, to find out more about eSentire and its approach to the ever-evolving world of cyber security. Q – What’s the biggest myth people harbour about their cyber security? A – That ‘it won’t happen to me.’ It’s actually like the stages of grieving. The first thing is denial; most people are stuck in denial, and when it does happen, they try to negotiate that it’s not going to be that bad. And then, when they come to realize that it is going to be that bad, there’s a degree of acceptance, and then they get angry. The elephant in the room is that people believe that all the security they have – the anti-virus software that was patched a year ago and the firewall that’s never been looked at – is good enough. It’s naïve to think that it won’t happen to you. There are two categories of companies: those that have been hacked and those that will be hacked again. Q – Could your company have stopped the Edward Snowden incident had the NSA been a client? A – There’s a high probability we would have acted on the signals, because we act on those types of signals on a regular basis. However, a lot of what Snowden was doing was permitted, whether they were his credentials or the credentials of his colleagues who shared them with him, which was bad employee behaviour. The large volumes of data leaving to thumb drives and the other ways he was extruding the data are the types of signals that we respond to. It was all permitted behaviour; there was no malware in there. Q – That must be a huge area of vulnerability, the employee trust factor. A – Yes. Insider threats are among the most serious. He was a hybrid insider-hacktivist, initially an insider but with an intention to take the moral high ground and expose data in a hacktivist kind of way. Let’s say we could have detected the signals and acted on them. The NSA themselves did not encrypt their data in the way that, if you go to any security conference, they always talk about. If you encrypt your data when it’s at rest where it’s stored, and somebody is able to hack in successfully, to pull that data out without being able to have all the decryption capabilities [makes it] white noise. The NSA did not do that, so the NSA suffered from what all of the commercial world suffers from – security is expensive and a pain in the butt, and they didn’t encrypt their data, [as opposed to] our world, where we have to defend customers from those situations. Encryption also causes other challenges; you can’t get the indexes working as effectively; it’s slower access and there’s a built-in latency. Our main customer base is all in finance, and the need for speed has never been greater with high-frequency traders and all that. Q – How many people work at eSentire? A – Under 100, but we’re rapidly growing and we’ll probably be between 150 and 170 this time next year. I came in as CEO about four years ago. The company is 13 years old, and our revenue this year will be seven times what it was in June of 2010 when I started. Q – Can you be more specific about that figure? A – It’s under $10 million, but it will be well over that next year. Our whole business is built on getting a recurring revenue stream. So, our recurring revenue stream going into July will be in the double-digit millions. Q – How crowded is the field in which you’re competing, and how specialized is your offering? A – Security is a very crowded field, so we often compete for share-of-wallet, but we’ve carved out a space called active threat protection. Active threat protection is a little bit different in that we assume you’re network is already hacked. So, we sit on the inside and look for those behaviours that are indicative of that. There’s a whole other market of perimeter defences, which, while we compete for share-of-wallet, we actually encourage our customers to put that in, because it makes our job easier. So, the better hygiene you have in your network, the less run-of-the-mill bad stuff we have to deal with, and then we can focus on the meaty issues. Having said all that, Gartner now has a category called “breach detection” or “advanced threat detection capabilities.” And we’re not only detection; we’re also defensive. Say your workstation is getting compromised and we see those events unfolding in real time. We’re putting active mitigation in place, so we’re drawing a fence around your machine so it can’t do any more harm. One of the things that Target had, as an example, was indicators, and they didn’t act on the indicators, and it spread and spread and spread. If they’d acted on the indicators, they might have been dealing with two million credit cards instead of 40 million. Q – So eSentire is a bit like a sprinkler system – it keeps the fire contained? A – We’re more like the ADT example, where we’re also the police force. So, we’ll detect it and then we’ll have the guys there with the guns. In military jargon, we’re forward deployed, we’re in theatre, we have the safety off, and when bad things happen, we terminate that traffic. Sometimes we terminate the traffic with less than 100 per cent confidence that it’s nefarious, and that happens a couple of times a month, but within the minute, there’s a phone call and we let it go. But would you rather be hacked? We have to be very careful in our customer market, in environments where they’re doing trading platforms, so it’s not lightly that we’ll kill traffic with minimal information. But we usually have to have a bunch of indicators to help us. Q – Is the financial sector your biggest customer segment? A – Yes, and we are expanding into other markets, but as of April 15, the SEC has announced cyber security examination criteria, and they’ve got a 28-point checklist, which has scared the pants off our customers. We help them with about 80 per cent of it. We give them a positive, affirmative answer on 80 per cent of their questions. So, we’re probably going to double down on financial services, because it’s ours to lose; we’re the big dog there. We’re securing, in the U.S., roughly 35 per cent of the hedge fund category of financial services, so it’s ours to lose. And that’s based on asset base, so that’s $800 or $900 billion in assets. Q – Why is the company located in Waterloo Region instead of someplace else? A – We started here, founded by two University of Waterloo grads, and our talent base is here, and our analysts are here. We like it here because we don’t have a lot of competition for cyber security talent. If we locate where the concentrations are – in Silicon Valley, or now, the highest concentrations are in the Baltimore-to-northern-Virginia area, where all the agencies are – the staff turnover there is like a revolving door, and there’s a high requirement for getting to a certain degree of confidence, and then actually getting productive with that level of confidence. So, we don’t want to compete in there if we can avoid it, but the reality is, we are; it’s a global market and we hire people from all over the place. Here, we have a great thing going, and for our foreseeable future, we can get all the talent we need locally. Anthony Reinhart is Communitech’s Director of Editorial Strategy and senior staff writer. View from the ‘Loo is a weekly look at the issues, people and events that shape Waterloo Region’s technology sector.