Welcome to our Blog

The Foundry Files


Students vs Startups Ep: 55 - What is Cyber Risk Management?

Students vs Startups Ep: 55 - What is Cyber Risk Management?


Featuring Emergent Network Defense

Read Time: 15 minutes

Welcome to Episode 55 of Students vs. Startups. This week, moderator John Gilroy talks with Joel Benge from Emergent Network Defense. Joel tells us about his unique journey from birthday clown, to White House Cyber Security Policy Advisor, to working for Emergent. Listen below for this truly fantastic episode!

[audio src="https://easternfoundry.files.wordpress.com/2018/03/students_vs_startups_podcast_episode_55-final_1-1.mp3"][/audio]


Thanks to our Sponsor:

00 00 00 radiant_logo


John Gilroy: Welcome to Students vs. Startups Showdown on the Potomac. My name is John Gilroy. I'll be your moderator today. Let's have a big round of applause for show number 56. Whoa. We made it. We made it. Yeah. Al Gore hasn't turned off the Internet on us yet so we're still somewhere bouncing around the interwebs. As most listeners know, we are sitting on the offices of Eastern Foundry. We kind of took over a conference room, got a big table here. One-sided, got a couple students. Other side of the table have a startup. We have a 26-minute conversation and we all go out and get beers or something like that or fast friends as we walk out of here.

I'll start off with my students. Christopher, tell us about your background and how you wound up in this crazy podcast.

Christopher Smith: Okay. Well, I first got into sales and customer service before I joined into IT as a desktop support admin. I currently work at Georgetown School of Continuous Studies, where I also study.

John Gilroy: And Taiwo, tell us about your background please.

Taiwo: Abioye: I started work as a network engineer, network security engineer, basically I did that for about four years. Then I got a master's degree in computer and information security. After which I picked up a job as a security engineer for Cloud  Services in which I consulted for the Nigerian government. I actually worked as a security architect on building a could infrastructure for the Nigerian government. Right now, I am a full-time student at Georgetown University and I also work in the University information security service office as a security analyst.

John Gilroy: And our startup is a company, Emergent Network Defense, some people just call it Emergent and our representative is Joel Benge. Joel, tell us about your background please.


Joel Benge: So, I got started as a birthday clown.emergent

John Gilroy: Truly, that would be my goal.

Joel Benge: Honest to god. So, my background is actually in theater and education and then in the '90s just before the IT .net bubble burst I accidentally got a job testing video games which got me doing help desk, network support at NASA, and doing some late night working in the trenches cybersecurity stuff. So, I was applying for a job at the department of homeland security when my resume floated across the desk of a guy who was the director for cyber strategy for the department headquarters, they were standing it up. And he looked at my background. He goes, "Well, he's got some really good technical background, but look at all the liberal art that he's gotten. So he's a nerd but he talks good."

John Gilroy: He talks good.

Joel Benge: So I became the communications officer cybersecurity person at Department of Homeland Security. I was there for about seven years before he left and went on to work at the White House, worked under the previous administration as a cybersecurity policy advisor and then left to go work for the banks. Meanwhile, he stood up this company, Emergent Network Defense, or rather the patent, which is actually at Georgetown University. That's where he finished his PhD. They productized the patent, did some R&D on it, and lured him over as CEO. And so he was looking around, realizing that this is a, and I'm happy to talk tech and all that crazy stuff later, but he said, "This is really hard to explain." So he asked me if I would come over and figure out how to communicate this thing. So, been doing that for about two, almost two and a half years now.


joel Joel Benge


John Gilroy: Joel B-E-N-G-E, Benge. I went to your Linkedin profile. I saw some kind of difficult to understand concepts here. You're recommended for strategic communication security and computer security. That sounds pretty good. And you also describe yourself as a beerthusiast. So, what's a beerthusiast? What's that got to do with cybersecurity?

Joel Benge: So, that actually goes back to college when I was brewing in the dorm room. Had an early interest in microbiology.

John Gilroy: I that's actually the justification.

Joel Benge: So, to get nerdy in engineering, which is about beer brewing, but what's funny is the thesis of the product and the model that we have is actually biologically inspired swarm. So if you think about ants, what our product actually does is it discovers the risk that is lurking in an organization. Not whether they're being hacked or not, whether there's something bad going on, but those crack, and those holes, and those things that could go wrong. And so, if you think about the way ants find food, they spread out, they collect the little bit here and there, and eventually, they coalesce around a path to food. That's what our product does. So, from beer brewing and microbiology, and birthday clown, and magician, and stuff, and then we ended up with a digital risk product that's actually in use at some of the nation's banks. We're doing some stuff with the federal government and some international non-profits. So, kind of a convoluted path.

John Gilroy: On your website, you talk about being with a top University startup, so it must be a Georgetown affiliation. Is that right?

Joel Benge: Yep. So we were selected to represent Georgetown for the NCET conference last year. We also presented at SXSW last year in their incubator program. Did some TechCo startup. Didn't get that but we have paying customers so I don't feel so bad about not getting the beauty contests.

John Gilroy: I teach a course in social media and I talk about Twitter and I'm focused on 140 characters, 100 characters, and hashtags. So, #seearoundthecorner, that's what I see at your website, #seearoundthecorner. So what do you see? Who sees?

Joel Benge: So, what our product does is we actually, like I said, sample actual real live network data, policy data, from the organization. And then we tell them where they might have a digital incident next. So we're actually doing predictive risk analytics and telling them, "Hey, heads up because out of the thousands of things you should be worried about this is the one that's going to hurt your business."

John Gilroy: Christopher, my, my, my all kinds of roads go downhill so, pick one.

Christopher Smith : So, I was just, after listening to you, I want to know, who do you specifically target as far as the market goes?

Joel Benge: So the market, this is interesting, so we are cyber security is our bread and butter, but we're a digital risk management company. And the reason for that is there was a level of maturity that we're seeing in the financial services industry, large banks, actually this a lot comes out of the Dodd Frank stuff that happened with the subprime mortgage meltdown and that maturity that they got in risk management, not cyber stuff, moved into the cyberspace and they started asking for a lot more accountability from their CIO, their CRO, and they're CEO. So what we've actually done is we've targeted not, the CISO, not the cybersecurity people, but the risk organizations. So we're focusing really at financial services, some federal government agencies cause they have a regulatory burden for risk management, but it's the risk officer. 'Cause if you see what happened at like Equifax, I mean they canned the CEO and he was hauled before congress and his answer was, "Um, well, one guy forgot to apply patch." And that just doesn't fly anymore. So it's organizations that have a high regulatory burden and are very mature, so financials is number one.

Taiwo: You talked about predictive security analysis. I'm just curious, how do you do that?

Joel Benge: So, this is very cool, what we do is we automate and speed up tabletop scenarios. So, anybody who's ever done cybersecurity, one of the things that we do for risk analyst is we get all of the smart people in a room and we think, what's the worst that could happen? What's a bad thing that can happen? And they write down a story. So this comes into some of my background in theater and education from a storytelling perspective. And then they'll say, "Well, how would we know if this would happen?" Or "What would cause this to happen?" And so they'll think, "Well, I need some reports over here and I need to pull this data in and I need to ask these people some questions." So, it's a very manual process.

Our system does away with that manual process by automating it. So we use actual data and we have an ontology of about 900, almost 1000 objects. If you think about these legos, if you just reach in and pull out an actor, a vulnerability, and a target, snap them together, and you have a scenario that could happen, and what our system does is it uses its metrics to say, "Is this thing likely to happen in our organization?" But what we do that nobody else does is we actually model a statistical projection of how much it could cost. So then we say, "If this happens in your environment it's going to cost your legal 5 million dollars." For example.

So, what's really cool is with 900 objects you could literally be looking at almost any potential scenario that could ever happen, stuff that we've never even thought of before. So we have a machine imagination algorithm that cooks up new scenarios. You give it 20 and it'll give you 100.

Taiwo: How similar is your system to a regular intrusion detection/prevention system?

Joel Benge: So, we need those types of products. We get that asked a lot. How are you not like this? How are you like an RSA Archer? And a lot of cybersecurity right now is focused on what's happening now and preventing something from happening. But what they don't ask is, what happens next? And so what we do is we use all that data. We use intrusion detection. We use threat intelligence. So, my system uses Twitter feeds, calendar, so are we close to tax season? We always see more attacks during tax season and we get more nervous around then, right? So we use all that first line data, that tactical first line tools, and we're actually answering to what was called the second line of defense, which is your risk officer and your CIO and your executive risk board to say, "Hey, look, I can't tell you exactly what's going to happen, but something like this might happen in your environment."

So it's kind of like, the weather. So your intrusion detection is the rain meter that tells you if it's raining. Or your firewall is your temperature gauge, right? But you need your temperature gauge, your firewall, your barometer, your airspeed, all that stuff to tell you whether there's a hurricane coming tomorrow.

John Gilroy: You know, Christopher, very few people predicted the most recent Superbowl. It's hard to predict things. I mean, fewer variables I think than what he has to handle. Well, I'll let you go with the SuperBowl question.

Christopher Smith: So, when you're going to the C suite and you're telling them, "This is what you may need to watch for." What kind of measures do they have to really think? Do they think more of like as far as risk mitigation or risk avoidance?

Christopher Christopher Smith


Joel Benge: So, we implement something called a risk appetite. So that's the first thing. And most people, if you were to stop a tactical first line CISO and say, "Hey, what's your appetite for cyber risk?" He's gonna say, "Zero. Zero percent. I have zero tolerance for anything happening." And I'll say, "Congratulations. Shut down your computers. Go home. You're out of a job." Right? A business person knows that you have to take a certain amount of risk. And so what we do is we actually capture, and this is moving, again, from the financial risk space into cybersecurity to say, "It's okay for some things to happen." We can mitigate that. We can be insured against it. We can transfer it. We can do something to reduce the impact. The thing you need to do though is know what's coming. So we capture the risk appetite which we do quantitatively on a curve. And then what our product does is it projects a likely curve. So it's all probability space. It's really ... I got a lot smarter people than me doing the math on that stuff, but it's really saying, what are you okay with? This is what's going to happen. Where's the crossover and what's the delta? So we can say, "You have a 3% chance of being over your risk appetite, for example.

John Gilroy: So, Taiwo, you've been in situations with evaluating risk. What do you think of this?

Taiwo: Yeah, I'm still curious. Do you leverage machine learning for this?

Joel Benge: Absolutely.

Taiwo: Because it seems, for me, for it to be able to achieve that you are obviously talking about quality machine learning. So what kind of machine learning do you use?

Joel Benge: So, we have machine learning in a couple different places. One is in the development of the scenarios. So we have people building actual scenarios feeding into the system. And then we have what's called machine imagination. And you've probably seen this online. Google might have had one of these things where you hand draw a stick figure kitty cat and push a button and it generates a fake photograph that looks realistic of a cat. It's called machine imagination. Because machine learning is so good at this point for certain problems that if you show it enough of an example it can start proposing new things. That's where we do machine learning to machine imagination. We also use a naïve basing classifier to assess the scenarios. So, like you said, you have to use machine imagination to look at a thousand scenarios because if you were doing this manually within Excel spreadsheet and a consultancy group you'd need a thousand consultants to do this.

Christopher: I'm thinking about the Equifax hack. How is the change of how CIOs are responsible for mitigating risk, how has that changed how you guys ... Are people calling your phone nonstop and like, "We need you now?" Or is it like-

Joel Benge: It's been funny and I was laughing with John earlier saying that, I hate to hear the word it depends, but it depends on the organization. So you'll have typically in a mature organization, you have now a corporate risk officer, or a chief risk officer who will turn and partner with that first line CISO, that tactical person. And there's often a communication barrier where they know they just can't ... They're not getting what they need from that tactical person. So, they'll say, "How's my cybersecurity risk look like?" And the tactical person will give the a bunch of compliance metrics or performance metrics and things that don't really relate to risk.

And what we say at Emergent, and what we're learning in the enterprise risk management spaces. If you're not able to tell me the business impact it's not risk. The risk is we're gonna lose in the marketplace or we're gonna have a capital failure, or we're gonna have a reputational failure. The cause might be cybersecurity but that's not communicating risk. So when they reach a wall where they're not able to have that communication they bring us in 'cause what we have is a model that actually unifies the first line of defense and the second line executive view.

John Gilroy: You know, Joel, military people, those kinds of comments about them, historians look at them and they say, "They always prepare for the previous war." And it seems to me that some of your limitations might be in preparing for what happened before and not ... With hockey players you're supposed to skate where the hockey puck is going.

Joel Benge: Skate where the puck is going.

John Gilroy: Yeah. And so, but how do you know where it's gonna go. I mean, it seems like you may be limited to the past experience rather than the unexpected guy jumping out of the sky or something.

Joel Benge: That's exactly the idea behind black swan. There's a fantastic book called The Black Swan by Nicholas Taleb and what is basically are these really low probability high impact events. So your 9/11s, your sub-prime mortgage meltdowns, certain political upheavals, and what always happens is, something big happens, the person who's responsible is standing there with his hands in his pocket going, "I could never have seen this coming. Nobody ever imagined this." It's a failure of imagination. But then you bring in the experts and they do a post-mortem, and they look at it and they go, "You know what? All the data was there. All the markers were there. If I had known what I was looking for I would have seen it coming." So that's what our product does is our product imagines literally, given enough time, hundreds of thousands of bad day scenarios and then looks at the data and says, "Could any of these happen right now?" So that's how you can see the future and get predictive.

Taiwo: Cool. I did cost works on, I think it was in the summer, where I did something on security and machine learning. I'm a little bit interested in this and your product, especially because it has a lot to do with some research I've been doing in the past. My prediction was that in the future security is gonna be run on machine learning or deep learning. So, what's your prediction for the future of security as regards machine learning, artificial intelligence, and deep learning?


Taiwo Taiwo


Joel Benge: So, I was at the Darpa Grand Challenge last year, or the year before when they actually had the machines attacking and defending, so if you're familiar with that. And Carnegie Mellon University won that by the way, which is where we actually teach digital risk model, at Carnegie Mellon. Never attended there but teach there, so I like to toot that horn. I think we're not yet on the cusp of replacing people. Very much in the tactical first line lighting strikes, bam, bam, bam. We're very good at machine learning. That's very fast. We can do that. But it's the understanding why it matters, making the decisions not of how to get in but what to go after, that type of stuff is always gonna be in the hands of the attacker and there's an intelligence behind that, there's human. So we have to have an intelligence on our end who are saying, "What do we protect?"

If I have to make a decision about letting an attack succeed because, given enough time, they will always succeed. Ants and water always find a way in. You can't stop it. Ask my wife. My kitchen is overrun right now with ants. So what I can do is mitigate. And I can choose to present them with a soft target. Or I can choose to give them dummy data so I can reduce the impact. I can't stop them but I can reduce the impact. And that's always got to be human intelligence. What we're finding is the cybersecurity people don't have that understanding of the business. They can't make that decision. The business people don't have enough understanding of cybersecurity to understand when the first line tactical person is running around with their hair on fire saying, "We've got to do something. We've got to do something." So what we need are maybe artificial intelligence systems like ours that bridge that gap and help create a communication linkage between the two. So I don't think we're gonna see cybersecurity taken over by the machines but we're going to be working side by side with them.

John Gilroy: Christopher I had the pleasure of meeting the CTO from RSA and they spoke at Eastern foundry. Pretty smart guy from Israel and he could do math upside down and I mean, this is tough competition. I wouldn't want to compete with that RSA guy. He's brutal. He's really sharp and this is just one of hundreds. And this sounds like a very competitive environment to me - - - doesn't it.

Christopher: Yeah, and I was kind of thinking who would be a competitor for you in this +marketplace 'cause it kind of seems like you have that golden nugget that people haven't really-

Joel Benge: So, we get asked that a lot. There are some companies that are trying to look at this and many of them, maybe they have better math than we do as far as the dollar calculation, but they're doing it manually and they're doing it with a survey, and it's a very static and linear algorithm and they do it for one scenario. Where I think we have the advantage is in the technology in swarming. So our swarming algorithm that lets you look at incomplete data. It's a dynamic. It's real time. It moves a lot. And so in that way we've talked with several of saying, "Hey, you've got a great piece of it and we've got a great piece of it." In business you think about competition, but if you really look at cyber security and what we have to do with it and where we are even as a nation right now, we've got to work together. So we're in touch with RSA. We're in touch with companies like Quallas which we don't compete with at all but they've got great data. So we need their data and what we can do is we can better use their data, uplift it, and put it in front of the board. So it really becomes win win. There's no competition in the cybersecurity space? John, give me that guy's number because I would love to talk to somebody at that level at RSA.

John Gilroy: I keep thinking of you walking into a bank and saying, "Hey, give us all this information." I think most financial institutions gonna be reluctant to just open up their doors and say, "Well, here. This is what's happened to us in the last two years."

Joel Benge: Well, that's what's so sweet about the way we set up our product is we don't save any sensitive data of an organization in our system. So, what we do is we query those first line tools and we say, "I don't want all of your network data. I don't want the list of your users. I just want to say how many system administrators do you have? How many of these types of traffics did you see?" And we anonymize that down to nervousness. So you actually are just seeing the high-end numbers. Are we increasing or getting nervous in one area or another. And in that we've actually be deployed into the German Amazon Web services which, if you know anything about upcoming GDPR and the European privacy concern we sailed right through that process because when they saw that we don't collect sensitive data they were very comfortable with that.

Christopher: So how did you guys get funded for the whole-

Joel Benge: So we are extremely lucky to have been angel funded and we are angel and bootstrap. And we are, I wouldn't quite call us post-revenue yet but we do have some clients and some paying clients. We have a couple really mega angels you could call them who keep us fed. But we're extremely lean and we were talking earlier, I update the website. I could give somebody $20,000 to do it for me but right now the focus is on product and delivering. We're in talks with some A rounds and that will come when we're ready.

John Gilroy: Taiwo, what do you think? Gonna be around in five years?

Taiwo: Well, to answer, I'm gonna answer that question with a question. So, what kind of marketing do you actually have? Because that's basically you're gonna let us know what five years old for you.

Joel Benge: So as far as the marketing, we're keeping that really, really slim. I wouldn't call us stealth, but again our target market is very high end. So we have a lot of relationships and we're doing a lot of introductions through that way. So, you won't see a ton about us online. Website is endsecurity.com. Probably be rebranding that in the future. The marketing is about getting the thought leadership out there and getting everybody understanding this. So we're giving away a lot of our content through blogs and articles because we think we've got a different approach to this. The technology may not necessarily be right for every single company, but the approach and the model can be.

Taiwo: Who do you see as your biggest competitor?

Joel Benge: I can name names.

John Gilroy: You're gonna name names.

Joel Benge: I'm gonna name names.

John Gilroy: It's like in Seinfeld.

Taiwo: There's a company in New York that does exactly what you do. I've been trying to look ... I can't remember the name right now. It's a British company and I will put up like yours, but I can't really remember the name right now.

Joel Benge: Well, you don't need to. I can't think of anybody right now. No, there are some great companies out there, again. And there are some great companies in the cybersecurity realm who are trying to do this, but they try to do it too tactically. And they try to say, "This server, this user, this buffer overflow." And that's just unmanageable right now. We don't have the computing power to do causality. So it's much better to do prediction and it's more like weather modeling to say, "Hey, you need to look at your third parties and probably their websites. I can't tell you which one's having a problem but I'm nervous about that." And from a cybersecurity perspective, the cybersecurity guys pull their hair out because they want 100% coverage, 360-degree visibility, yadda, yadda, yadda. A business person, a risk officer, they just want uncertainty reduction. So if I can help a business person reduce their uncertainty by 5% that's a huge win.

John Gilroy: Well, Joel we are running out of time here. If people listening just want more information where should they go?

Joel Benge: So, you can go to endsecurity.com that's E-N-D for Emergent Network Defense. No we're not at the end of security and the beginning of risk but that's sort of the play on there. We also tweet @EmergentRiskAI and you can email us at seetheswarm@endsecurity.com for more information.

John Gilroy: Seetheswarm, that's interesting. If you'd like show notes, links, or transcript visit theOakmontgroupLLC.com.

I'd like to thank our founding sponsor Radiant Solutions. If you're interested in getting involved in Geospatial projects contact Radiant Solutions.

We're hosted by Eastern Foundry, a community of government contractors who are bringing innovative solutions to the government marketplace. More information on them go to Eastern-foundry.com and if you'd like to participate as a student or startup contact me John Gilroy at theoakmontgroupllc.com and thanks for listening to Students Vs. Startups showdown in the Potomac.