Mach37

Mach37 Spring '16 Class Interview: PCPursuit


Robert Walker

CEO and founder

PCPursuit 

What opportunity did you recognize that led to the founding of PCPursuit?

Robert Walker: There are a couple of things going on in information security that are really important. Too many information security products only tell you there is a problem after your data has already been stolen. I have seen a few things in my career that are technologies that can prevent problems from happening in the first place, but they are not easy to use and are typically expensive. We recognized that we could make physical systems and digital systems more secure if they could just talk to each other. It’s really never been done before and that’s what we are changing by providing a proactive security solution that is inexpensive and easy to deploy.  

What makes your approach different and better from existing approaches?

Walker: Simplicity. You don’t have to roll this out to every asset in your enterprise. You can deploy one tiny piece of software on your Active Directory domain controller and it can protect your entire enterprise. This uses the exact same framework that Microsoft uses themselves. Most solutions don’t do it this way because it’s extremely hard to do. One specific thing our technology doesn’t do is require you to deploy agents to each PC in your enterprise. We have a server that sits between your physical control systems and your Windows Active Directory domain controllers. That PCPursuit software asks if a user badges in and if so, when and where. We report that back and based on what the enterprise administrator wants, we can log it, we can send an email to their manager or restrict access.

What specific value does addressing that opportunity/problem provide for your customers?

Walker: PCPursuit enables enterprises to get considerably better security out of the assets they already own. We make the stuff they have better and we do it very inexpensively. It’s a massive improvement for a very low cost.  

Why aren’t current solutions addressing this problem effectively?

Walker: Because they are not thinking outside their own boxes. Physical security solutions only think about the physical side. Digital security only considers their own boxes. We took it up a level to look at both pieces.  However, there is another dimension to consider. The technology is really hard to build. The concept is simple, but the execution isn’t easy.  

What about your (team’s) background puts you in a unique position to succeed?

Walker: Both my co-founder and I worked at Microsoft. I was there as a full-time employee for 13 years. My co-founder has worked at Microsoft for many years as a consultant. So we both have very deep exposure to Microsoft technology and we know how to implement it in a way that very few people understand. It's not that no one else can do this. It's that few people understand as well as we do how Windows was designed. 

What makes this an exciting opportunity for you?

Walker: The thing that I think is most exciting about what we are doing is that we are one of those really rare solutions that can help make your enterprise tremendously more secure than it presently is and at a very low cost. By putting these two pieces of technology together, PCPursuit delivers two key benefits that address two intractable problems:

  • It discourages employees from tailgating into buildings. If you can’t get any work done because your login won’t authenticate, you won’t tailgate to get in. If we change the psychology in an office to "always badge in" instead of "avoid it," it changes behavior. Then not badging in becomes the anomaly.
  • We also make physical presence another factor for authentication. Passwords aren’t secure. Even if you have to change them every several weeks. People forget them. They write them down so they don’t forget them making them easier to steal. With PCPursuit, if you didn’t badge in, you can’t get access. If your password got phished, that hacker in Russia won’t be physically in your building and can’t get access from inside your enterprise network. If someone found your password, they can’t use it. And we can do it for one-tenth of the cost of other tools in the market. You don’t have to buy tokens or other tools, just install our software on a single server and connect it to Active Directory and your enterprise is immediately more secure.

PCPursuit represents the first example of a simple approach to pairing physical security with digital security. It will have the biggest impact on securing the enterprise since automatic Windows updates. This is the kind of stuff that actually works. Stuff that’s really simple. You just make a little tweak and people don’t have to change the way they work, but it still makes a big difference. It turns out that the technology is hard, but the implementation is simple and effective.  

What one aspect of the Mach37 programs did you personally find most beneficial?

Mach37 is really well-connected and is the only accelerator focused solely on information security. Their specialization in information security means everything they do is geared to this field and that is very valuable. In addition, they understand selling to the enterprise. There is a big emphasis in the program on selling and that is not a natural skill for engineers which is the background of most of the founders. 

A Tale of Four Cities (with apologies to Dickens)

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…” Charles Dickens, A Tale of Two Cities

Since the beginning of 2016, it seems like the worst of times. We have seen a correction in the stock market as the Chinese economic bubble has popped, taking the global oil markets with it, and bringing back the all-too-recent memories of the Internet bubble of 2000 and the financial bubble of 2008 (watch out, 2024!). The misery has spread to the Tech sector. The unicorn, unofficial mascot of Silicon Valley, which had gone from being a rare beast in 2014 to a veritable population explosion in 2015, is once again on the verge of extinction.

Yet the economic talking heads tell us this is normal, that the U.S. economy is doing well and is reasonably insulated from both the Chinese economy and the negative oil shock. That corrections are a necessary part of the market, to restore balance after a period of irrational exuberance. So, what the heck is going on with Tech?

In 2015 I was Principal Investigator for a DHS-funded program called EMERGE, working to leverage commercial business accelerators to help commercially-focused innovative companies bring some of their technology to address needs of the DHS community. As part of this program we were fortunate to get an inside view of four different business accelerator programs in four different cities:


Here is what I learned. First, tech innovation does not occur in isolation; it is the result of effective regional innovation ecosystems that include customers, entrepreneurs, funding sources, a high concentration of expertise and ideas, and enough of a support infrastructure to help the entrepreneurs through the early pitfalls. Each of the four accelerator programs above has done an outstanding job of helping build and then leverage their local ecosystem as an integral part of what makes each region grow.

Second, Silicon Valley is not identical to the Tech sector. Although news coverage often glosses over this fact, innovation occurs in many places across the country. I will argue below that while Silicon Valley is indeed unique in many ways, generalizations based on that unique set of circumstances can often be wrong. In the current situation, the doom and gloom based on over-priced investments there is less relevant in other parts of the country.

And so, the four cities.

Dallas – Texas has several innovation centers including both Dallas and Austin. There is a diverse industry base, with concentrations in energy, health care/life sciences and tech, significant university presence, and a good concentration of wealth. Tech Wildcatters has successfully provided leadership to the region’s startup community with special programs in both health care and tech, and most recently going to a year-round program from the more typical discrete sessions. Dallas is a vibrant startup location, although it is unclear what effect the collapse of oil prices may have on access to capital in the region.

Chicago – political issues aside, Chicago has the benefit of a high concentration of Fortune 500 Corporate Headquarters, a robust investment sector and strong University presence. TechNexus has done a masterful job first in priming the innovation ecosystem development 7 or 8 years ago, and now tapping into the innovation needs of Corporate strategic partners who are looking to early stage companies as a source of new products and ideas. If the city can recover from its social strife it is certainly positioned to continue as a significant center of tech innovation.

San Francisco – San Francisco/Silicon Valley is the undisputed investment capital of the world for tech. According to Pitchbook in the third quarter of 2015 more than 27% of all the venture capital invested globally came out of Silicon Valley. China has risen rapidly as both a source and target of VC investment, although the collapse of the economy in China seems certain to be a major setback in this area, as the graph seems to indicate starting in Q4 of 2015. New York ranks third on this list, providing just north of 8% of the globally invested capital.

Yet with all that money floating around it appears that some Silicon Valley investors may have had more dollars than sense. If you look at the number of deals and the dollar amounts as compiled by Pitchbook, the dollars invested continued to rise in 2015 even while the number of deals plummeted, leading to a rapid rise in median valuations.

By comparison, valuations in New York during this same time were only 10% of the San Francisco valuations, an enormous disparity. There are some possible alternative explanations for this disparity (bigger opportunities, move towards later stage investments, etc), but both the anecdotal evidence at the time (“too much money chasing too few deals” was a sentiment we heard more than once) and the subsequent down rounds of investment even for some of the high flyers indicates over-valuation on the part of investors was at least one primary cause of the disparity.

A second point. Why on earth would you want to locate and operate a company in the outrageously expensive environs of San Francisco where none of your employees can afford to live? Or Palo Alto, where Palantir is driving out start-ups by snapping up office space at high rents. Well there are certainly some reasons: if you want to hang with the cool kids, California is the place you ought to be. If you need to raise a billion dollars or so, where else would you go? And certainly if you want frothy valuations during the good times, the target destination is clear.

A recent Harvard Business School study (http://www.hbs.edu/faculty/Publication%20Files/09-143.pdf) hinted at one possible evolution of this trend. According to the study:

“Venture capital firms based in locales that are venture capital centers outperform… [as a result of] outsized performance outside of the …firms’ office locations…”

That is, if you are a VC you want to be in one of the centers of VC activity because there is a strong ecosystem of investors…but, the big returns are to be found by investing in other places. Certainly Silicon Valley is not going away as the primary center of activity. Increasingly however, those investors seem to be syndicating with other groups in places such as Dallas, Chicago or…

Washington DC – The region centered around Washington DC is generally considered to include Maryland, Virginia (or at least Northern Virginia), and DC itself. The Federal Government is a large presence, along with some of the specialty areas such as cybersecurity and data analytics it has helped develop. Health care/life sciences is also a major player in the area, and there are multiple world-class universities that support the ecosystem. The region generally ranks in the Top 10 innovation areas of the country, and the area’s capital investments are growing, actually increasing in the 4th quarter of 2015 even while investments were declining nationally. One reason for this increase is the growth in cybersecurity, with the potential for more than a billion dollars in cybersecurity investments in the region in 2016. The two biggest areas were health care/bio and software (including cyber), and there is an organized, active ecosystem working to promote the growth of these and other industry sectors.

Conclusions – Clearly the stock market is in correction territory, driven initially by economic issues in China and the energy sector. While the tech sector also appears under pressure, the fundamentals here are very different. In the short term, what appears to be a broad retrenchment in the sector is actually mostly a correction of inflated valuations on the West Coast that are not indicative of the sector as a whole. As Rick Gordon, Managing Partner of the MACH37 Cybersecurity Accelerator puts it: “while Silicon Valley has been out on the great unicorn hunt, we have been building an army of cockroaches…small, fast, nimble, designed to survive a nuclear winter, and available at a reasonable price.”

The age of easy money from building the next mobile app may be behind us, but the advent of autonomous vehicles, personalized medicine, data-driven everything and more will ensure that the tech sector will continue to drive the next wave of innovation and economic growth for decades to come. But it is increasingly likely that the actual innovations will be found in places like Dallas, Chicago and the Washington region even if the investment capital still flows from New York and Silicon Valley.

Industrial Cyber Espionage

According to published news reports this morning covering a press conference by Attorney General Eric Holder, “The United States has for the first time filed criminal charges against foreign government officials in connection to cyberspying allegations.” The grand jury indictment charges five men with “conspiring to commit computer fraud and accessing a computer without authorization for the purpose of commercial advantage” according to the New York Times. In the press conference, the Assistant Attorney General provided specifics related to the case examples of companies affected and the types of information stolen from them.

Officials mentioned the Mandiant Report, last year’s watershed public exposure of this type of activity. In that report, Mandiant describes the theft of hundreds of terabytes of data from more than one hundred companies in twenty major industries since 2006. On average, a target company was attacked and then remained exposed for a year or more while information such as technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists were targeted. Many of the targets turn out to be major companies such as Westinghouse, US Steel and Alcoa.

But this is just the tip of the iceberg. In the U.S., much of the innovation and many of the jobs come from small or startup companies who don’t grab the headlines and who may not know that they are targets. In the manufacturing sector, for example, data from the NIST Manufacturing Extension Partnership (MEP) indicate that something like 80% of current U.S. manufacturing jobs are with companies of fewer than 50 people. Most of these companies spend a large majority of their time simply trying to grow the business and stay ahead of the competition through innovation, and may not have either the expertise or resources to adequately protect their intellectual property from cyber attack. These companies are perhaps the most underserved segment of the industrial base with current large enterprise cybersecurity solutions, and the largely invisible damage inflicted here represents a particularly corrosive threat to legitimate areas of competitive advantage for the country.

Indeed, we know they are a target. According to the NetDiligence 2013 report Cyber Liability & Data Breach Insurance Claims, 63% of US Secret Service forensics investigations are at companies of fewer than 100 employees, and 45% of insurance claims paid are to companies in the small-cap (less than $2B revenue) or nano-cap categories (less than $50M revenue), split about evenly. According to Rep. Frank Wolf (R-VA), chairman of the House Appropriations subcommittee that funds NASA and many of the nation's science programs, "I have seen up close how certain countries...have targeted federal agencies, contractors and law firms to steal billions of dollars of cutting-edge technology that diminishes our national security and undermines job creation."

There may be some hope however, creating sector-focused markets of small and mid-tier companies for a new generation of emerging cybersecurity solutions such as those at Mach37. We are in active discussions with manufacturing organizations and other industry alliances, regional threat-sharing groups, and similar partnerships that can bring appropriately scaled technologies to groups facing a common set of threats. We are also fostering a set of potentially disruptive technologies that can help fill this dire need. To name a few:

  • Pierce Global Threat Intelligence provides a new mechanism for real-time sharing of threats
  • Identia provides one approach to securing supply chains by simplifying identity management across organizations
  • MSB Cybersecurity provides support for cybersecurity standards compliance along with actionable recommendations
  • Axon Ghost Sentinel detects unusual behaviors in distributed device environments
  • Disrupt6 is on the leading edge of new security paradigms for the emerging world of the production internet (IPv6)

To be sure, nobody has the silver bullet to “fix cybersecurity”. But, active promotion of the next generation of cybersecurity solutions and companies, and accelerated connection of those solutions with the groups that need them most, can go a long way to effectively dealing with the high stakes world of cybersecurity in which we live.

CTO SmackChat: The Dreaded “Pivot”

Your startup is a success! Family and friends have seen you through to the point where an angel investor got excited, and your first alpha customer really likes where you are heading. The beta tests are under way and the feedback is coming in.

One customer says he would be interested in buying if your product could provide two additional capabilities not in the beta version. Another indicates her problem is not exactly the one you are addressing but she sees how it could apply by changing the domain slightly and taking some additional inputs into account. Some feedback says it seems similar to what they are already using. There is a request to show the output on a map background. And, your marketing guru says that several customers are really struggling to solve a problem that one component of your solution could make dramatically easier. Should you pivot, or stay the course? Add features or simplify? Expand to related problem areas? What feedback do you rely on to make those decisions?

A couple things are clear. As a startup your resources are stretched way too thin simply trying to address one market. Expanding to a second problem area before succeeding in the first one makes it much more likely that neither will succeed. The second notion is integrity of a core product offering. If every customer has a different set of implemented features, your business is really a service business built around customizing features rather than a product business.

But the harder trap for most entrepreneurial technologists is falling in love with your own ideas. After all, you thought it up, and your whole career has been built on confidence in your technical ideas. You probably know better than the customer what is really possible from a technical standpoint, and what the hard problems are that you know how to solve. In the end though, the right answer is always what customers will pay for. And in our example above I would be inclined to listen to the marketing guru who seems to be close to some potentially paying customers: perhaps it is time to change the product idea, get rid of a bunch of the features that are not helping differentiate it, and focus on the one core bit that could help several customers solve a critical problem.

There is no science behind when to pivot and when to stay the course. An important indicator is slow or flat sales (or interest) combined with some customer pull along a different development vector than the one you are following. As the divergence grows that market signal gets stronger that the pivot is upon you, but in the end you need to make a judgment call and work with your own company leadership to ensure it is the right one.

Stay East Young Man

I recently read the New York Times article, “The Pentagon as Silicon Valley’s Incubator,” by Somini Sengupta, which highlights a welcomed trend in cyber security investing that most of us in the industry are watching unfold. The article highlights the enhanced relationship between Silicon Valley venture capital firms and DoD and Intelligence Community cyber security stakeholders. The article also underscores my assertion that the DC-Maryland-Virginia Cyber Beltway is the center of mass for global cyber security expertise (see Blog Post: dated August 2013, “The Cyber Beltway’s Innovation Dislocation").

We at MACH37 are thrilled that Silicon Valley and other venture capital rich regions are bridging the gap with the Cyber Beltway. We continue to strongly support initiatives focused on achieving such gains, such as the Security Innovation Network, which has made tremendous strides in bringing both communities together.

However, Sengupta’s article illuminates a related and troubling trend – the migration of cyber entrepreneurs from the Cyber Beltway to Silicon Valley.

Specifically, Sengupta references two cyber security start-ups, Morta and Synack, both of whom recently pulled up chocks and moved to Silicon Valley to secure venture investment. Sengupta also references several other high profile cyber security policy stakeholders who migrated West to join other cyber security startups.

I can imagine why VC’s would desire to keep first time entrepreneurs close to home. It’s difficult for VC’s to effectively mentor and manage young and inexperienced entrepreneurs when they are separated by over 2,850 miles. I can also imagine why former policy stakeholders would be drawn to the luster of the fast-paced Silicon Valley start-up environment. I am sure that echoes of Horace Greeley’s “Go West Young Man” add to the excitement and romance of their first entrepreneurial experience.

However, if VC’s have already recognized the unmatched density of cyber security expertise residing within the Cyber Beltway, it makes little sense to me that they would desire for these entrepreneurs to leave the rich intellectual ecosystem that originally inspired them.

In the cyber security space, perhaps more than any other technology sector, intellectual capital has a very short shelf-life. In order for cyber security companies to thrive beyond the releases of their initial alphas and betas, their founders and technologists must continue to innovate. In order to do so, they must maintain an awareness of the state of the cyber threat as well as the state of their competitive environments.

By pulling these entrepreneurs out of the cyber intellectual epicenter, their VC’s are inadvertently undermining their ability to compete over the long term. Outside the Cyber Beltway, these entrepreneurs are going to lose a step and will find it more difficult to, not only keep up with the threat, but also to seize and defend a competitive market position.

To be certain, in Silicon Valley, these entrepreneurs are going to find a wealth of expertise in new venture development, software engineering, and enterprise solution sales and marketing. But they will also find a dearth of cyber security expertise. There are lots of folks out West who know how to build a highly scalable database to search through and correlate log and threat data, but very few of them have any idea what they are actually looking for.

Let me suggest an alternative approach. Stay East Young Man (and Woman).

If VC’s want to give their cyber security entrepreneurs every advantage to succeed, leave them inside the Cyber Beltway. If the entrepreneur is a first timer, establish your firm’s presence here and surround the entrepreneur with experienced talent. By allowing the entrepreneur to remain immersed in the ecosystem that originally inspired her, her venture will continue to innovate, keeping pace with the cyber threat and competitive environment. Several venture firms with strong cyber security track records such as NEA, Grotech, New Atlantic, Valhalla, Harbert, Columbia Capital, Paladin and Alsop Louie understand the importance of this immersion and are either already established or are in the process of building a more sustained presence within the Cyber Beltway.

MACH37 is working hard to make it easier for both cyber entrepreneurs and venture capitalists to build cyber security companies inside the Cyber Beltway. We augment our entrepreneurs’ existing cyber security skill sets with the critical product management, development, sales and marketing and venture development capabilities they will need to succeed. We pair them with seasoned entrepreneurs, cyber technologists, market analysts and venture advisors who are committed to helping them be successful. We drive their ventures through concept validation, target market customer acceptance, and alpha commitment and provide them and their investors with the strong market-driven foundations they will need to achieve the success we are all driving towards.