Featuring SurfWatch Labs
Read Time: 15 minutes
Welcome to Episode 40 of Students vs. Startups. This week, moderator John Gilroy talks with the VP of Customer Delivery at SurfWatch Labs, Chip Hathaway. SurfWatch provides threat intelligence for its customers by focusing on researching trends in the dark web. Listen below to hear all about their approach to security!
If you would like to get weekly updates sent straight to your phone, you can subscribe below on iTunes!
Thanks to our Sponsor:
John: Welcome to Students vs. Startups, showdown Potomac. My name is John Gilroy. I'll be your moderator today. Let's have a big round of applause for show number 41. Yeah, wow. I like 41. That's a good number.
If you've listened to this before, you know. We are sitting in the offices of Eastern Foundry. We've kind of taken over, we kind of occupy Eastern Foundry. We have a long table here. Three students on one side of the table, a start-up on the other. We hit the bell. They go for 26 minutes and we walk out of the room fast friends.
Our students today, kind of a good bunch here, I think. We have Toni Jackman, Mike Abel, and Arthur Deegan. Toni has got a very interesting background. Lot of smarts here. Lot of smarts here, Chip. You've got to be careful with her. Toni, a little bit about your background, please.
Toni Jackson: Hi, I'm Toni. I am a retired army officer and I currently am an adjunct at University of Maryland-University College in health informatics.
John: Health informatics, that's a good field. Michael, your background please.
Mike Abel: Hi, I'm Mike Abel. I work as a service delivery manager for ActioNnet. I'm a 2012 graduate of the School of Continuing Studies at Georgetown University.
John: Service delivery, that's going to resonate here. Arthur, please.
Arthur Deegan: My name is Arthur Deegan. I'm a program director for the applied intelligence program at Georgetown University.
John: All three of these students have master's degrees in technology management from Georgetown School of Continuing Studies. It's going to be a real good group here. Our start-up today is a gentleman by the name of Chip Hathaway. He's the vice-president of customer delivery at a company called Surf Watch. Chip, how are you?
Chip Hathaway: I'm great. How are you.
John: Give us a 30 second background on how you wound up with this company called Surf Watch.
Chip Hathaway: How did I end up with Surf Watch? Actually I first want to say this is a much better educated crowd than I am. I'm a little intimidated to start.
John: You're going uphill here, buddy.
Chip Hathaway: Exactly. I ended up with Surf Watch. Actually I was recruited out of a former company, called Metro & Aviation. We were a small, venture capital backed company that sold to Airbus in 2011. My former CEO brought me into Surf Watch Labs as an initial investment came in. I've been with Surf Watch now for about three years, four years almost, coming up on, and I head up the group that does product management, product development. We're delivering the analytical products that we give to our customers.
John: In the area of cybersecurity primarily, is that right?
Chip Hathaway: In the cybersecurity industry, right.
John: Let's say you're sitting with a friend, Brent, and he turns to you and he goes, "What the heck do you guys do anyway? What's the value of proposition? What business problem do you solve there, Chip?"
Chip Hathaway: What do we actually do for our customers?
Chip Hathaway: That's a great question, isn't it.
John: Brent’s is going to ask you that, too.
Chip Hathaway: He has. Cybersecurity has always been an industry focused on defenses. Everybody has endpoint security systems, firewalls, all these things that try and make bigger and bigger walls to keep folks out of their sensitive information. What Surf Watch Labs does is we take a different approach. We said, "That's great. You need to have a great defense. But part of a good defense is actually looking outside your walls." We provide what's called threat intelligence, which is we're looking out there. We're looking in open source areas and we're looking in what's called the dark web the dark net, all that great stuff that goes along there. We're pulling information out of those areas for our customers.
From the open source side, we're typically looking at what are the current trends. You're this size company in this industry. Who's being attacked? How are they being attacked? Who's actually trying to attack you? How are they doing it? What is the approach that they're using to attack folks? We're giving them insight from that direction, and we're also giving them very specific information about have you been breached? Is there information being sold about you or customers on the dark web, and what that looks like and what they can do about it.
John: Arthur, I've got to toss to you here. Artificial intelligence, usually tied with something called predictive analytics and especially cybersecurity. It all fits together, doesn't it?
Arthur Deegan: Yeah, from a layman's point of view, it sounds like Kaspersky or Norton but in conjunction with a Life Lock type of service where not only are you looking up defenses and staying up to, but also letting your customers know when something has hit the fan and kind of trying to adjust to that. Right?
Chip Hathaway: Yeah. We're trying, especially from the closed sources where we collect information, there's very much of a Life Lock perspective. We're trying to let folks know before something gets worse. Obviously at the point that we detect something, somebody has been breached or information has been leaked. We're about trying to get them ahead of that curve before it gets worse and try and prevent anything from getting out any further.
John: Toni, you've been involved in technology for a while. Cybersecurity, big topic.
Toni Jackson: Big topic in healthcare.
Chip Hathaway: It is.
Toni Jackson: A lot of breaches. Not just an issue with PII, but also Protected Health Information, which is protected health information. Do you all do any type of work with any healthcare organizations to help them tighten their reins on patient information?
Chip Hathaway: Yeah, we do. We use our standard approach. For Surf Watch we have essentially two offerings. It's our what we call threat analyst platform. Essentially it's a business intelligence approach to external threat intelligence. What are the trends going on, what's happening out there. Obviously the other side where we're more of a manual approach where we're going out into the dark web looking for information that may be targeting them. What we actually pull for our healthcare customers is we're trying to pull information any time PII is leaked. We're also, just from the federal and state mandated breach reports that are out there, HIPPA related reports that are out there, we're trying to show what are the trends, how are those people being attacked. We're pulling the open source side and the dark side.
John: Michael, just a personal question here. Any information on Equifax on you?
Mike Abel: That's funny. I have that written down. I'm curious what advice you and your company would have given to a company like that.
John: Yes, sir, Mike. Got compromised. Mike Abel, right there.
Chip Hathaway: Patch your system sooner. No, I mean, for us, actually we've been tracking ... There's a few sources right now on the dark web that are saying they have the information. They've been trying to sell it. A few deadlines have come and gone, and they haven't released that information. We're trying to watch and see who are the frauds, who's actually got some real information, what information has been posted. Because there have been samples of the data that's been posted out there. We're collecting that and notifying our customers that actually have some of that information related to them.
Mike Abel: What type of tools do you guys have or maybe what type of proprietary things do you have that will search that that really puts you ahead of your competitors?
Chip Hathaway: We have two sides. The dark web, you're right, is not an easy place to get into. It's actually not as difficult as folks think. The hard part is really getting the credibility to get in the sources that are even more closed. We've had a team of folks that have been out there for three or four years looking in sources, building up the credibility and the handles and the reputation to move into different forums. One thing about the dark web is nothing is static. Things come up, go down all the time. If somebody thinks they're being watched, they shut down that forum, they go to another one. If you have the credibility, you can kind of follow the crowd and move along with it. That's what a lot of our competitors do as well.
The other part of this is automated collection. There's so much for sale on the dark web. Our special technology there is the ability to go out there and collect information as it becomes available on the dark web, bring it back, and then use it and search that information for our customers' data.
John: Arthur, I'm sure in your program you took a course on cybersecurity. One of the things you learned is all these rules you have to comply with, compliance. There's a company only two blocks from here called Ostendio and they focus on compliance. Where does the whole compliance picture fit in with you?
Chip Hathaway: It's not yet there for us from a ... Part of a good compliant cybersecurity solution is looking outside of the firewall. It's getting there. Some of the financial industry is starting to focus on it. The large financial institutions actually have their own arms that are attempting to implement their own technologies and their own capabilities to go out there and look for this type of information.
What we try and talk about with our customers is the fact that even though we're not a compliant driven solution, it's a great technology from a perspective to be able to look at themselves and their supply chain. Part of the compliance process is evaluating your supply chain and what risk do you have coming from your supply chain. Because we've seen, like the Home Depot hack, you get that supply chain, you get someone who's a vendor to you, and they get into your systems and they got laterally and they're able to take information from you. What we enable through our technology is we actually look not just at the primary customer and the company that has worked with us, but also their entire supply chain and what do they have breached, what are the leaks that they have. So that our customer can get ahead of the curve and question their supply chain.
John: Arthur, want to jump in, please?
Arthur Deegan: I'm sorry to kind of double back ... Dark web is really fascinating stuff. I did take a class on cybersecurity and we got to kind of navigate around that a little bit. You talk about gaining credibility. In order to gain credibility, you sometimes have to do some unsavory things or-
John: What a great word.
Arthur Deegan: ... or maybe bluff a little. That makes me ... In doing so, do you ever cross any legal boundaries? Vice versa, have you ever experienced any sort of retaliation if and when your cover has been blown?
Chip Hathaway: Yeah, good question. Our approach with that, and I won't go into a lot of detail, is we get authorization from our customers to reacquire things that have been taken from them. It helps us with credibility, but it also keeps us fairly clean from how we're approaching things. We have also exposed particular dark web actors when they've had a broad enough breach. We actually exposed one back in 2013 or 14, I think it was '14, that had had a breach of a lot of major consumer sites. Before he went public with that breach, he was bragging about it. We actually went to the vendor, it was a third party vendor to these major brands, and let him know the issue. We ended up putting out a blog entry about a week after we found it. We absolutely got targeted and we watched really closely what was going on during that timeframe. They actually targeted individual, Adam Meyer, chief security strategist, for a period of time. We had to do extra steps to make sure Adam was well-protected.
John: Toni, I love this word reacquire. Toni, if I steal your shoes, you may reacquire them from me. I may wind up in the hospital. Reacquiring, there's a lot of little meanings to this word, isn't there?
Toni Jackson: That's true. The question that I had ... Because a lot of times when we hear about like what happened with one of the Met Star hospitals, and it was ransomware, we find, especially in healthcare, a lot of the issue comes from people not being educated on what to do in order to protect themselves. Do your solutions actually include that education piece as well?
Chip Hathaway: We do. Everything that we post to our customers, we always try and follow up with a, "Here's a recommended course of action." I have a team of folks that are former security practitioners. They're looking at the data coming in and what we're finding. When we alert our customers, part of that alert says, "This is what we recommend you do about it." Whether it's education as far as a broader step and something that all companies should focus on or whether it's detailed, specific actions they need to take to prevent anything from happening further in a particular incident.
John: Michael, you've had your share of security adventures, haven't you?
Mike Abel: They are all over the place in the government and contractor services, no doubt about that. What I'm curious about, though, is what motivated you to move over to Surf Watch Labs three years ago? Why did you decide to opt for a start-up?
Chip Hathaway: There we go.
John: That's another good question. A personal question.
Chip Hathaway: I like working. I had a great experience with Metro & Aviation. I was actually with the company for about 14 years. We went through an acquisition process, and that was a great learning experience, but I like small, dynamic, quick-moving companies. When I got an opportunity to move over to Surf Watch and try and get back into that energetic, quick-moving environment, I jumped right on it.
Arthur Deegan: Why is it called Surf Watch? I know you're only in three years. I know it's a start-up. What's with the name?
Chip Hathaway: That is a great question for our founders.
Arthur Deegan: Surf the web?
Chip Hathaway: Our founder, he was a gentleman that came out of the dark communities in the US government, NSA. He actually had a company that was contracting the NSA for a period of time. He wanted to take what he'd learned out of that environment and apply it to the commercial environment. In the process, he sold that company, that prior company, and had established a great life down in Charleston. He moved down there and he just loved all things. The original name of the company was actually Hack Surfer. We took that and changed it over to Surf Watch Labs, I think it was back in 2013.
John: Toni, I've watched a lot of Clint Eastwood movies. Frankly, he's a hired gun. When I look at this guy, is this what this guy is, Toni? Is he a hired gun? Reacquire stuff. Hey, you know.
Toni Jackson: I don't think you're a hired gun.
Chip Hathaway: Thank you.
Toni Jackson: However, how do you actually help people reacquire their data? It's out there. It could be anywhere. How do you actually bring it back in? How do you reel it back in?
Chip Hathaway: It's how much trust you have in folks who are selling stolen information. Yeah, we absolutely can go out there and go to a marketplace and purchase something and bring it back to our customers. We'll do that. Do you trust that that's the only place that information is being sold? You never quite know. Yes, we do acquire it. One of our customers has a storefront, for example. If it's a leaked account or a breached account or somehow they did a brute force attack and they figured out a bunch of passwords, then we'll go out, get a sampling of those accounts, bring it back to our customers, and allow them to test them. If it seems right, then they're going to force everybody to change their passwords and come up with some new password policies pretty quickly.
Arthur Deegan: You talked a little bit so far about competitors. Who are your biggest competitors?
Chip Hathaway: It's actually a tough question to answer. The cybersecurity marketplace is probably the most confusing marketplace I've ever seen. There's a solution for everything out there, and some solutions for nothing. But we-
John: They'll still charge you.
Chip Hathaway: They will charge you. Our biggest competitors are a small niche group of folks in the what we call the strategic and operational threat intelligence marketplace. We run into folks like Recorded Future. There's a former company called Eyesight Partners. It was acquired by Fire Eye. There's another company called Digital Shadows that's in the space. For exclusively dark web information, there's another competitor called Flashpoint Intel.
Mike Abel: I'm curious about your position as VP of customer delivery. What is the most important thing you do in that role and what makes you ideal for it?
Chip Hathaway: The easy answer to what's the most important thing I do in that role is making sure that our customers are happy. Whether it's changing the product, whether it's changing how we're delivering analysis and that information to our customers, it's critical. What do I do from that perspective? My background is from the product development side of the house. Really, for me, it's measuring where are customers coming at us, how can I automate the solutions that they're asking us to build from a more manual side. As we adapt the business ... One thing I've learned in this company is, and especially in a developing marketplace, that the company has to keep changing to keep up with where our customers are really asking us to go. We keep building the product roadmap to kind of map with where our customers are asking us and also kind of watching what they're asking our teams to do.
Our team of cybersecurity specialists who are being tasked with, "Hey, I need you to go check out this particular IP and tell me something about it. Who's associated with that IP? What are they doing? Have they attacked other folks?" If that's something that they're asking for consistently, how can I automate that process? How can I make that more clear and something that they can click a button and get that information immediately?
Mike Abel: How do you find is the best way to really work with them and communicate and find out what their real needs are and maybe some they don't even know they have?
John: That's a voice of experience asking that question, I can tell.
Chip Hathaway: Yeah, sounds like it. The customers that I've worked with the most, and being able to detect what they're really asking for is watching the pattern. Because customers tend to want to get an itch scratched right now. They tend to try and solve the smaller problems. When you start watching that pattern of smaller problems accumulate, then you say, "Okay, we're knocking out little ones here, but what's the bigger picture? Where can we go with that and how can we solve a bigger problem that's driving all this energy?" I think the other most important about being able to develop a roadmap is being able to talk to prospects. Being an engaged part of the sales process. It's not just knowing where your customers are today, but knowing where people are asking you for future capabilities as they're coming on and they're learning about you, they're going through your lead process. You're talking to them and you're trying to figure out, "How do I make this solution something that's going to satisfy something that they need?"
John: Toni, if I were to go downstairs, pick up a newspaper, I'd see Kaspersky banned from the federal government. Eugene Kaspersky would say, "No, it's a set-up! It's fake news." The whole idea of cybersecurity, it's very murky. It's kind of a threat and not a threat. It's WannaCry. It's difficult to specify exactly what cybersecurity companies do.
Toni Jackson: Yeah, that's true. It is. I can understand that because when you indicated that you normally go into a company and they have a smaller need and they want the fix right now, because there's a lot of fear that's associated with the fact that your data could be anywhere in the world. My question is with what you do, where do you see yourself, especially with things evolving as they are, where's your company going? Where do you see yourself in five years?
Chip Hathaway: The biggest curve that we keep trying to tackle and keeps changing on us is where we collect information from. We can be collecting from very standard places, just news media, blog, federal sites that are reported information, GitHub so that we're looking at did some innocent developer just post something out on GitHub that's actually the security credentials to get into a backend system within an environment. We have to keep watching that path of where people can put information and how do we search that information. How do we match that up to our customers. Honestly, how do we stay on top of the data and how do we make it useful.
For us, we're looking in two primary directions. How do we automate as much of our collection as possible. Number two is how do we build the analytics on top of that, the intelligence on top of that, to try and drive more and more value
John: Right back to you, Arthur. Automate, sounds like artificial intelligence. Back to AI and automation here, isn't it?
Arthur Deegan: Yeah. It just sounds really interesting that you're able to pull out through the dark web information. To my understanding, the dark web is not a very traditional kind of set of networks. How are you able to automate your systems to just pull out data?
Chip Hathaway: I won't give you the exact details, but I will say. It's a little human assisted. To gain access to areas, we have to have a human in the loop. Whether it's getting just a password or getting the credentials to get through. There's all those systems that are there to protect either D-Dossing ... One thing about the dark web is they love D-Dossing each other. There's lots of protections that are out there to prevent that, to prevent automation from detecting what's out there. For us, it's getting through those hurdles consistently. Once we find a path manually, it's automating it and then bringing all that information back.
From our backend processing, we're bringing a ton of text information back. We're using natural language processing to try and make sense of all the information. Because the amount of data we collect, just raw data, is just tremendous. We're trying to do pre-filtering of a subset of that data. We're also trying to do matches against our customers and the information that's relevant to them. There's a whole series of steps that we go through before we bring it forward to our analysts. Our analysts are actually reviewing the data and then posting it out to our customers.
John: Distributive Denial of Service attack, DDOS.
Chip Hathaway: Yes.
John: Got it.
Chip Hathaway: Good acronym.
John: Toni, please.
Toni Jackson: You indicated that you don't get involved in compliance. Correct?
Chip Hathaway: Not directly.
Toni Jackson: Not directly. Do you work with any other alliances that are out there, for instance, like High Trust?
Chip Hathaway: No, not currently. We haven't. We've had partners that are more engaged in compliance that we supply data to, but we ourselves don't supply compliance information.
John: Michael, want to jump in real quick here?
Mike Abel: What's your strategy for growth going forward? What type of marketing plans do you have to get yourself there?
Chip Hathaway: That's an interesting question. Our founder started the company with the concept that the type of data that we were collecting would be valuable and purchasable for small and medium-sized businesses. He had a very high volume lead gen approach to the world. We started from that perspective. We realized, even though it was valuable information for those businesses, it was actually a little outside of their capabilities for handling that information and having the right people in place to try and manage what we're sending them and how to process it. Over time, we've kind of changed our position, where we do much more focused marketing ... I mean, obviously you have to work hard on the SEO angle, but we're very focused on having webinars and really just training. Because in a certain way, we're kind of building a marketplace for the technology that is really pretty immature still, from a market and from a consumer perspective.
Moving forward, how does that grow? We definitely see growth through channel opportunities and trying to build that up. Then trying to get more access and really focus on areas where ... We target what's called a threat analyst within an organization. Trying to get more and more focus on groups that bring those types of people together to try and be our customer.
John: Great job, students, and great job, Chip. Chip Hathaway, vice-president of customer delivery for Surf Watch. Where can people go for more information?
Chip Hathaway: Www.surfwatchlabs.com
John: Surf Watch Labs at the end, that's good. We're running out of time here. If you would like show notes, links, or a transcript, please visit the oakmontgroupllc.com.
I'd like to thank our sponsor, The Radiant Group. If you are interested in getting involved in geo-spatial projects, contact the Radiant Group.
We are hosted by Eastern Foundry, a community of government contractors who are bringing innovative solutions to the government marketplace. For more information, go to eastern-foundry.com.
If you would like to participate as a student or start-up, contact me, John Gilroy, at the oakmontgroupllc.com. Thanks for listening to Students vs. Start-ups Showdown the Potomac.