John: Welcome to Students Versus Startups Showdown Potomac. My name is John Gilroy. I'll be your moderator today. Let's have a big round of applause for show number 43. Yeah, yeah, yeah. What we did is we took over a room at Eastern Foundry here in Rosslyn, and we have a table. One side of the table we normally have students, and the other side of the table we normally have startups, but for a little variation today we have some students that are late and so instead of students versus startups, we're going to do startups versus startups, at least until some of the students show up.
On one side of the table we have Craig Zingerline, and he is with a company called Upside Travel. On the other side of this table, our official startup, is Danny Jenkins with a company called Threat Locker. I think what we're going to do today is, I'm just going to have Craig tell about his background, and then we'll start questioning Danny, and we'll go for 26 minutes. If students show up, students will show up, so Craig, tell us about your background. You got like a four hour background. Give it maybe a couple minutes of your background, please.
Craig: Sure, so, currently running growth at Upside Travel. We're exclusively focused on the business travel space, which has kind of been an underserved market. Prior to this, I was actually in the Bay area for about three and a half years. Part of that time I was running an early stage startup as CEO, and part of that time I was running product and growth for a different pre-series A startup. Multiple time founder, and I just love all things product growth, and startup.
John: You have some good questions for our startup sitting across from you then, don't you?
John: You sure do. Danny, tell us about your background please.
Danny: Okay, I'm Danny Jenkins, CEO and co-founder of Threat Locker. I've been working in cyber security since well before it was called cyber security. I've founded two cyber security startups, both in email and content security. One in Ireland in 2005. I was CTO and co-founder and one in Florida in 2009. I was the CEO and co-founder. Both of them provided different elements of email security.
John: While we're based in Washington, D.C. here and you're company is based in Florida. Is that right, Danny?
Danny: Yes, that's correct.
John: So, what brings you to Washington, D.C.?
Danny: We are part of MACH37 Accelerator program, which is an accelerator to accelerate cybersecurity companies.
John: You're in a cohort that usually lasts a couple months, and then they let you go after they coach you up, huh?
Danny: Yes, and hopefully we will have a presence in D.C. going forward.
John: Great, so blacklisting, whitelisting, cybersecurity. Hot topics, startup versus startup here. Craig, I'm going to toss it to you, let you have the first question before I jump in.
Craig: Sure. What with Threat Locker, why did you start the company?
Danny: Over the years in cyber security I've found that there's a fundamental problem with trying to control what software is running on business computers, whether it be malware, just games that the business doesn't want people playing, or just downloaded illegal software that the business doesn't want. The current market solutions are very limited. They're very different in controlling what can run. Antivirus software plays a role, but it works on a blacklist basis, which means it only stops known bad software, so it doesn't stop zero-day threats, and software like App Locker or McAfee Application control, they work on a whitelist basis, which stops all unknown software and malware, but they don't do a very good job at managing it.
We wanted a product that made it easy to deploy and easy to manage for businesses.
John: Danny, is this for residences or commercial organizations?
Danny: Commercial organizations.
Craig: Where in the lifecycle of the company are you?
Danny: Okay, so our product is complete. It's live on a number of businesses and education and in telemarketing company. We also have two MSPs/MSSPs trialing the product with the intention of selling it to their clients.
John: Yeah, wow, I think I've been in business longer than you. I've seen all kinds of things. Blacklists, whitelists. It would seem to me that in a business environment you could have a software developer that's going to test something and try something out all the time. I mean, I've dealt with a lot of software developers, always looking for a new tool and new this and new this, and so, if it's not part of the whitelist then you're handicapping them, aren't you?
Danny: In an environment where it is very dynamic, we make it extremely easy to create exceptions for certain software, so if you are even a developer, you could say I'm going to allow programs that I compile myself in Visual Studio, and you can also approve programs on the fly, so if it's an application that you want to download. Say you want to download WiX for building MSIs, you can download that application very easily, and it's a one click, about 10 second approval process to approve that software.
John: Craig, you know software developers. You think they'd bite on this? You think they'd resist? I think they'd be kicking and screaming and work their way around it.
Craig: I think somewhat, but I also think that some who are faced with kind of managing these threats everyday would welcome it. Obviously we'd need to get under the hood a little bit to see. Question would be, who within the organization actually owns the deployment and the control of the access of the product?
Danny: Okay, so, typically depending on the size of the organization, larger enterprises tend to have security departments that want to control everything. Small enterprises tend to have IT departments, which also are responsible for security running. In those cases it would be the IT department. In larger organizations and enterprises, there could be a case where the security department has control over anything that's unsigned or maybe unknown manufacturers and then the IT department chooses what from Microsoft is allowed to install.
An example of that is, say take Team Viewer, which isn't malware by any means, but you may not want it running on your computers in an organization so people can access your systems remotely, so in that case...
John: Years ago when they first initially had spam problems, this is where I think the whitelisting technique started, because it only accept email from certain lists, and so you take this basic concept and expand it in applications and email and all kinds of nooks and crannies in the system. Is that right? the security department may say well, Team Viewer is not allowed, but anything signed by Microsoft or anything signed by Adobe is free game for the IT department to manage.
Danny: Yeah. Corporate firewalls have been whitelisting solutions since you know, the beginning of time or computer time at least, and in 2002, I remember the Blaster virus came out, and at that point nobody had personal firewalls. Everyone said personal firewalls are a joke, you don't need personal firewalls. I remember a day that virus ripped through a corporation I was working for. 4,000 PCs were infected within hours.
John: I remember that. Craig, don't you?
Craig: I do.
John: Yeah, it was a big deal to have a personal firewall.
Danny: Everybody said personal firewalls isn't a market there, and by the end of 2002, beginning of 2003, everybody has a personal firewall.
John: Right . . .
Danny: Application whitelisting is the same concept. Right now, we don't say you can come into my house unless you've got a criminal record. We say only people who we trust, who we want in our house, come into our house. We do that with firewalls, and that's how we should do it with our computers. We shouldn't let any software run, especially in a business environment, without having explicit permission. What our software does is makes it easy to grant that permission. Software applications aren't that easy, which is why whitelisting hasn't been so successful so far.
Microsoft Office has thousands of libraries and executables. As an IT manager, you don't want to list all those files. With our solution, you just say I want to allow Microsoft Office and we take care of the rest. We take care of the updates, we take care of the hashes, the signatures and everything else.
John: Yeah, I teach marketing at Georgetown, and there's a penalty for website that's slow to load. Speed kills, absolute speed kills absolutely. We know that. However, it sounds like there'd be a performance hit by using your software on a system.
Danny: I think 99 percent of applications take less than 20 milliseconds to process. Most of them are even on the low end of that. Now and again, large, complex applications can go up to 100 milliseconds, but if you can find a user that can tell a difference between 100 milliseconds you're doing well.
John: Well, Craig can, huh?
Craig: No, definitely not. Who's in this space? Is there a huge company that's in this space that you're in?
Danny: Okay, so the top competitors we see, Microsoft builds it into their operating systems, but it's intangible in that just to deploy it takes years. McAfee, Carbon Black are both big players in the space. Where we differentiate from them is McAfee is really saying, "We're just going to go with the static computers, the static servers, the critical infrastructure that doesn't change very often." And Carbon Black are taking a similar approach.
Whereas we're saying that everybody needs whitelisting, not just the big static machines. People in payroll need whitelisting, people in marketing need whitelisting, because it's pointless only protecting 20 percent or 30 percent of your infrastructure and saying well that's the critical 20 percent, because we all know, if you get a virus on your PC and you're in marketing, that virus can access everything you can, and that includes all the shared documents, all the customer data. Everything you have access to, that virus can access, so it's just as important to have it deployed across the entire organization.
John: David Linthicum, writes for InfoWorld, he's based right here in Reston. He's written 13 books. He's talking about moving to the cloud and multi-cloud and partial-cloud and every-no-and-then cloud and moving back and forth. What does your system do for people who are partially deployed in their hybrid-cloud environments.
Danny: Okay, so, cloud service we protect just the same as we do in-house service. Cloud services such as Office 365, Microsoft hopefully protect them themselves, but we take care of the clients, so even if you're in the cloud you still need a PC to access the cloud, you still need a laptop, you still need a desktop, you still need to be running some kind of endpoint to access that data. Just because your email is in the cloud, it doesn't mean malware on your computer can't get access to it.
John: Craig, you work for a small company. Would this be of interest to you? If he's pitching you one day, what do you say?
Craig: Yeah, man, I think it's definitely not in my wheelhouse in terms of organization, but I think that looking at the threat is definitely something that we'd consider, yeah. Definitely you should reach out and we can put you in touch with the right folks, and I mean, this whole area is actually as a super early stage company, kind of coming into this, we never really worried about it. Maybe we should have, and I think Upside is at a point where, who knows? Right? Question on the actual OS side of it is, does it matter to you, PC, Mac?
Danny: Right now we support Windows XP through Windows 10 and Windows Server 2003 through to Windows Server 2016. We have in our road map to have a client for Mac and Linux Mac is months away. Linux is probably closer to the end of the year.
John: Where do you see yourself in five years?
Danny: On a jet somewhere. No, we expect the company to grow pretty rapidly. I mean, the first year is always the most difficult year in selling, but we expect to have at a conservative level, 20 to 30 million dollars in revenue within five years. We expect to have large coverage in a lot of enterprises, a lot of businesses.
John: Okay, the good news is that Craig has a travel company, and the better news is that one of our students showed up. Obi, how are you?
Obi: I'm doing well today. How about you?
John: Good, good, good. We're going to have to tag team with you and jump right in here. Hope you're prepared. Quick, just tell us about your background and we'll jump right in and quiz Danny.
Obi: Sure. I'm a current student at Georgetown University. The program is the Masters of Technology Management. Come from a background of finance and technology, and currently I'm involved in the blockchain industry, crypto-currency. I started a crypto-currency startup. This summer we just passed a milestone in funding that we're very happy about. Just came from our new office.
John: Startups everywhere around this table. I thought you were a student, now you're a startup. We have three startups. That's good, good, good. Do you have a question for Danny? I know you did your research because I talked to you a couple of days ago.
Obi: Yes, you did. In your industry thus far, what do you think are some of the biggest technical hurdles that you have in satisfying your clients?
Danny: I think, I hope we've addressed them. The biggest hurdles were making whitelisting usable. I say usable. I spoke to a very large hospital in Dublin last week, and-
Obi: Is that IP whitelisting?
Danny: No, it's application whitelisting. I spoke to a very large hospital who had actually deployed Microsoft whitelisting, AppLocker solution. Sorry, I'm getting confused. I spoke to a bank in Ireland, not a hospital. I spoke to both, but this one. They deployed it, it had taken them two years to deploy it. It was the fundamental problem. They had to do it. They were a bank. They were regulated. They had real concerns. But the pain in deploying it was too much.
Our biggest objective when we started this company was say, it doesn't matter how big your enterprise, we're going to have it deployed in hours, and we're going to have exceptions approved in seconds, not hours or days.
Danny: I think that's the biggest hurdle and I hope we satisfied it.
John: You saying limitations here with being focused on Microsoft only?
Craig: I think it's actually smart to pick an area that scale, and work up, work out any issues, and then move in, so I think it's, I'm sure a conscious move. I think focusing on doing fewer things and doing them really well is probably a good thing.
Danny: The reason we chose Windows as a platform is probably 95 plus percent of business computers are running on Windows, and with the exception of the CEO and the small business areas that tend to sway toward Mac, but certainly the small to medium enterprise where you've got an IT department and some kind of security department, they are running focused on Windows primarily, and with the exception of maybe the CEO and a few other areas, the Macs are used less.
Now, we do believe adding the Mac into the equation is very, very important.
John: You know, always in my class when I brought in some entrepreneurs, and many times what entrepreneurs will say is that if you want to have resale value for a company you have to have a physical product, instead of a service. I guess, this is an actual product that you have, it's not a service at all then.
Danny: It is a service. It's software as a service, yes.
John: Okay. Yeah, I for some reason I thought it was a product. I didn't know exactly how that ... Is it cloud based or premises based service?
Danny: It's a cloud base with a client that runs on machines. It's a very small footprint client. Five meg. It gets deployed by a group policy or just a single click install. I'm not joking when I say my 12 year old deployed it across his school, and he isn't the smartest IT person, so it's very, very easy to deploy. Clients with a cloud service which does most of the brains.
Obi: I'm interested in the trade-off. You mentioned earlier that you're mostly involved in the Mac IOS environment, or maybe that was just a misunderstanding that I heard from the conversation, but in either operating systems do you deal with Linux, or?
John: No, it's just Microsoft.
Danny: Right now, we support Windows XP, plus all Microsoft platforms, and Microsoft servers, Microsoft desktops. In the near future we will support Mac.
Danny: In the not-so-near in startup terms future we will also support Linux operating systems.
Obi: F5 Networks is a company out in Seattle and they have firewalls and load balancers and they have software options that control web applications as well. Is that a competition? I can see loads of competition coming up against you here.
Danny: Okay, so it's competition in that they're trying to stop cyber threats, but it's not competition in that they're not solving the same problem. They're solving at the primitive level. F5 are a great company, but they're not controlling what's running on the endpoint, and if you look at most cyber breaches in the last five years, most cyber breaches have resulted as a result of malware running on someone's computer, and whether that be the DNC hack or the NHS being taken down in London earlier this year with WannaCry, it always results in malware running on the computer.
Now, protecting the perimeter is an important part in stopping malware get to the computer, but computers come in and out of the buildings, laptops come in and out of the buildings, USB drives, things embedded in emails, embedded in Word documents, encrypted through HTTPS and downloaded in documents, it's very, very difficult to protect against all malware threats from the perimeter. Whereas running it at the client, and running it in a whitelisting manner rather than the blacklisting manner allows you to get complete control of what is actually running on the client.
That's not to say turn off your firewall or your perimeter security.
Obi: In my industry, security is a very, very huge priority. Blockchain technology's whole premise is encryption, so as a personal question, do you all see yourselves employing Blockchain technology in the near future concerning maybe node to node security or transactions between a ledger of any sort?
Danny: Our security right now, node to node or talking from our clients to our server, is done through HTTPS and SSL. We're not using Blockchain technology, but we're using industry standard encryption.
Craig: Danny, what does your actual pricing model looking like?
Danny: We charge a subscription per device per year, and it's around about, depending on the size of the company, $20. Outside of our typical endpoint protection, we have different pricing models for things like medical devices with embedded operating systems such as MRI machines and things like that. That's a little bit more complicated to price, but it's definitely not commodity type pricing.
John: There was an article in the Washington Post two weeks ago and it talked about IoT. I thought it would be interesting. It talked about Internet of Toys, and it talked about IP devices being everywhere in the house, everywhere in the hospital, and so what does your solution do as far as Obi goes to the hospital and there's a unit there that's got an IP on it. How would your system prevent malicious code from infecting IoT devices?
Danny: I spoke to a few people today in hospital, coincidentally about this. We do protect embedded systems to and IoT systems and there's potentially a greater demand for it, because IoT systems such as MRI machines and embedded pumps or other devices in hospitals, they don't tend to get updated very often because the risk of updating them and shutting down a 10 million dollar MRI machine is great, so we can protect at that, and we protect a different way, because they tend to be static devices, so we can create definition files for them and apply them to them directly.
I think protecting IoT is just as important as protecting the endpoints, if not more important.
Obi: You classify yourself as a startup. Where are you at the moment as far as funding and is getting acquired something that you look forward to down the line?
Danny: We're at a stage where our policy is complete. We're live on a few of the customers. I know we're repeating this, sorry. In terms of funding, the only funding we've had today is self-funded from the sale of a previous business of mine.
Danny: And that's running out. We also got some funding from MACH37 Accelerator program and . . .
Obi: Okay . . .
Danny: Yeah, so our primary objectives other than sales, sales, sales is to get funding over the next six months.
John: Pretty optimistic. Craig, what do you think?
Craig: I think the funding climate's good. I would raise more than you think you need, do it as fast as humanly possible, and then focus on your business. You know, I don't know this space all that well, but ...
John: But you know plenty of startups. What do you think of this startup model? You think it's got potential?
Craig: Yeah, man I think if you can get some happy clients on board, and get some feedback loops going, and then you can actually sell some clients on board, like for real, no discount, honest pricing, and you can get that fly wheel going. It's unclear to me how acquisition plays in your space. How are you going to acquire customers? Is it purely an outbound sales processes? What are you doing in terms of acquisition and trying to get customers?
John: Good question.
Danny: It's a million dollar question that we haven't nailed down, but based on my experience from previous businesses and our best plan to date and I'm not saying by any means that won't pivot because sales does always pivot, but lead generation we expect to do through social interactions and also through outbound tele sales which is a painful, but still necessary, way of generating leads.
Also, events is going to play an important part. Cyber events, IT management events, anything that involves alcohol is always good for IT management.
John: Whoa. Have to erase that from the podcast. Obi’s young and innocent here, come on, give him a break.
Danny: A lot of events will be ways to actually get leads. Also, MSSPs. We are talking to a number of MSSPs, and we intend to put that in part of our plan to sign up MSSP to actually ...
John: There's a lot of people know what that is. Microsoft. Tell us what an MSSP is.
Danny: MSSP is a Managed Security Service Provider.
Danny: And MSPs, Managed Service Provider, to actually get to their clients. We're working with one in Hong Kong at the moment that they're testing in house with the intention of selling it, and they're happy so far. They're the main channels, but I haven't dismissed all options yet.
John: It seemed like Microsoft conferences might be a good places for you to take and pitch your wares, because it's all Microsoft focused, isn't it? You been to many of those?
Danny: Not in this business, but in the previous business, we were at the Microsoft worldwide partner conference and we did have some success there as well.
John: Just recently those were in Washington, D.C. Can be real expensive can't they?
Well, I'm going to ask you the question that I ask every one of our guests. If someone wants to find information about your company, about Threat Locker, where should they go?
Danny: They'd go to our website, is the best place, threatlocker.com.
John: T-H-R-E-A-T-L-O-C-K-E-R dot com. We got to ask about your accent Danny. Where you from? Where you born?
Danny: I'm from the UK originally. I spent ten years in Ireland, and then a year in Mala before spending the last six years in Florida.
John: Wow. Does anyone guess your accent at all? That's too hard to guess.
Danny: Most people guess it or say Australia or something.
John: Something like that. Well, Danny, unfortunately, we're running out of time here. If you would like to see show notes, links to the transcript, visit the theoakmontgroupllc.com.
I’d like to thank our sponsor, The Radiant Group. If you are interested in getting involved in geo-spacial projects, contact The Radiant Group.
We are hosted by Eastern Foundry, a community of government contractors who are bringing innovative solutions to the government marketplace. For more information, go to Eastern-Foundry.com. If you would like to participate as a student or a startup, contact me, JohnGilroy@theoakmontgroupllc.com, and thanks for listening to Students vs. Startups showdown in the Potomac.