Students vs. Startups Ep: 59 Innovations in Red Team Testing
Featuring Scythe

Read Time: 15 Minutes

Welcome to Episode 59 of Students vs. Startups. This week, moderator John Gilroy talks with Bryson Bort, founder of SCYTHE. SCYTHE takes a different approach to cyber security: rather than another product that tries to keep attackers out, it built a platform that emulates an adversary who has already gained a foothold in your network, so you can see what that adversary could do once inside and test how well you detect and respond. Take a listen below to hear Bryson's story.

 

Thanks to our sponsor, Radiant Solutions.

Transcript:

John Gilroy: Welcome to Students vs. Startups Showdown on the Potomac. My name is John Gilroy, I'll be your moderator today. Let's have a big round of applause for show number 59. And traditionally, we always thank Al Gore for inventing the internet and allowing us to have this podcast. If you've listened before, you know what we did, we kinda took over a room at Eastern Foundry, we have students on one side of the table, we have a startup on the other. We have a 26 minute discussion and walk out of here fast friends. On one side of the table we have our students, our first student is Maryam Sajjad. Maryam, tell us about your background please.

Maryam: Sure, thank you John. My name is Maryam Sajjad, and I'm a Master's student at Georgetown University with a concentration in Information Security. I have an undergraduate degree in Information Systems and Operations Management from George Mason University, and I work as an IT professional and do a lot of project management related work for the CIO.

John Gilroy: Well, you're gonna be a good foil for our guest today. Matthew, your background please.

Matthew: Hi, I'm Matt Ledder. I have a finance degree from the Georgetown McDonough School of Business and I'm currently a Technology Management Master's student, also at Georgetown. I have experience in government and defense consulting, and I'm a member of the Georgetown men's soccer team as well.

John Gilroy: Wow! That's pretty impressive. Bryson Bort, CEO and founder of a company called SCYTHE. Bryson, tell us about your background please.

Bryson Bort: Former Army officer, got recruited back to DC. Like many of us, the siren song of defense contracting pulled me back. Finally reached a point where I wanted to go out and do my own thing. Went to my network and said, "hey, what should I do next?" And someone said, "why don't you start your own company?"


John Gilroy: Did they like you? Were they an enemy or friend?

Bryson Bort: I cringed first. Hey, I'm not one of those West Coast people, and second of all, I mean, that's kinda risky. I don't have an idea. I don't think anyone should start a company for money, you should start because you have some passion that you want to do. So, much like how the Marine Corps was created, a few drinks and a cocktail napkin, and that's how I came up with the idea for GRIMM, which brings us six years later, to today.

John Gilroy: Wow. You know, it took me two years and seventeen hour days to get my Master's degree, and I went to your LinkedIn profile, you have three Master's degrees. I mean you're whooping me pretty good, here, aren't ya?

Bryson Bort: It's not a competition when it comes to education.

John Gilroy: Master's in Electrical Engineering, MBA in Telecommunications. So you're perfectly set for your career, aren't ya?

Bryson Bort: Yes, I know too much.

John Gilroy: Oh, I don't know about that. So, if we're sitting in an airplane, going out to RSA and I turned to you and I go, "well tell me Bryson, what business problems does your company solve?" Maybe you could give us a real nutshell answer for that.

Bryson Bort: Sure, so SCYTHE actually came about because two years ago, we had a Fortune 50 approach GRIMM and said, "hey, we have a problem that we haven't seen solved in the market." And I'm sure all of you who know something about business know that's pretty much the best you can get, when someone says, "hey, I've got an idea and I'm going to pay you to build it." And from there, I just said, "hey, can I have the intellectual property, 'cause we want to take this to market."

Bryson Bort: So we spent two years of our own time and money bringing it to market, and of course the question is, what did we bring? Companies today, you're constantly reading in the headlines how they're getting hacked, and they're having all these issues and there's all these breaches and disclosure problems. And most of the solutions on the market are all built around this problem of, hey, how do we keep them out? How do we solve this access? How do we stop these supercool hackers who don't live in their mother's basements from being able to get in? And that's not actually the problem. The problem is, once they get in, what do they do? And so, we built an application, a platform, that allows a company to easily be able to emulate just about any threat on the planet and see what would happen once it gets in.

John Gilroy: And so the product's called Crossbow, is that right?

Bryson Bort: Yes, that's Crossbow.

John Gilroy: Great, great. Well, Maryam, I'll let you jump in here, you have a great background for this discussion.

Maryam: Thanks John. So, who would you say is your biggest competitor?


Bryson Bort: I have three Master's degrees, what competitor? Competitors, so it's a nascent market, we have competitors. And there's both positive and negative to that, right? Two years ago, when I had to explain our idea, I cannot tell you how painful it was to try to explain something when there was nobody else doing it. Now, they're like, "oh, you're like Verodin, you're like SafeBreach, you're like AttackIQ." There's now competition that has helped the education of the customer to create a market that wasn't there before.

John Gilroy: Good. Matthew.

Matthew: So, you talked about how recently there have been competitors that emerged. What was your biggest challenge at the inception of this idea?

Bryson Bort: Two years ago? Well back then, it was trying to balance: you have this large Fortune 50 who has a specific goal, and once we identified that, we wanted to take this to a larger market. Your biggest concern is not building something that works in one place but is not going to be able to work for the entire market.

John Gilroy: You mentioned the company Verodin, and I'm trying to think of competition for you. So, would you be classified in the amorphous category of security information and event management type software? What are you classified as?

Bryson Bort: There's two analyst categories we've seen. One is vulnerability management. The other is automated breach simulation.

John Gilroy: Automated breach simulation, well you must know something about it, Maryam.

Maryam: Could you tell me a little bit more about how exactly that works with your clients? Is that something they come into you looking for? Or is that something you help them assess?

Bryson Bort: We wanted to give control to the clients.

Maryam: Okay.

Bryson Bort: If you think about bringing in an outside company to conduct a penetration test or a vulnerability assessment, that's a nerve wracking affair. You are giving a third party, no matter how much you trust them, the opportunity to access the crown jewels and the different pieces to give you that insight. We wanted to create a product where the clients themselves would be able to do that, control and run everything, so they wouldn't have to have that trust factor with somebody else.


Bryson Bort: There's really two kinds of clients that we have. There's the mid-range companies. So you have these, they're decent sized companies, they have fairly robust information technology, because as we all know, pretty much nothing in this world runs without information technology. And they're now starting to realize, okay, we need to build out a serious security practice. We've got a good IT team, what do we do for security? And most of the really good security professionals have already been snapped up by the Fortune 500s or the government. So, what are you going to do? And we provide them something that allows them to have basically that person in a box. So, they have the ability to say, "here you go, here's the platform." It's easy enough for an IT administrator to use it. So you can now get that same maturity, and start to walk to a better security posture.

Bryson Bort: For the Fortune 500s, they have very robust red teams and advanced capabilities. It's almost nation-state level, if you look at what some of them are able to do. The challenge that they have is it takes a long time to build up these individual campaigns to test yourself. So, what we've done is say, "hey, classic form of where automation helps." We're gonna save you that three to six months of effort, you're gonna be able to create that in a minute. You now get to spend that extra time on coming up with your own edge cases that really test the limits of your technical prowess.

Matthew: I'm wondering what role branding plays in all of this? Or if you do that? Or if you're just sought out by these companies? Or how that works?

Bryson Bort: So, I've already learned something from this interview, and that was when I walked up and I saw the difference between my company and our description, and 580 which is gonna be the next podcast, and they had keywords at the bottom, they had a much more fleshed out explanation. And you look at ours and it's like, oh, huh.

John Gilroy: Well, Bryson, I'll give you an application for your fourth Master's degree. You can take my class.

Bryson Bort: As I think you noted on the logos, I think we have a good logo. I think it's a logo that grabs you. We spent a lot of time thinking about the colors because the previous company, GRIMM, was much more of a, hey, this is a bunch of hackers, and you can see the logo right here, there's a Grim Reaper on it. And it's black and white and red, very simple, stark colors. And we considered for SCYTHE, we needed something more enterprise friendly, which is where we came up with the blues and the whites. With respect to branding, we're still figuring that out. We're a startup, we just launched a few months ago. Actually, after this, I'd be interested in y'all's perspective because that's an area where we're still on that path of maturity.

John Gilroy: I have a friend of mine who has a patent. It took him twelve years, three lawyers, and beating his head against the wall. He finally got it. I noticed you have a patent too, so this is a very small group you're a member of, huh?

Bryson Bort: We have two patents.

John Gilroy: Wow!

Bryson Bort: Don't ask me what their names are, I don't remember, but we filed two patents about a year and a half ago. Breaking down different elements of our technology.

John Gilroy: So, Maryam, what do you think this company's gonna make? And I think they're in a very, very vicious market. I think you better have some sharp elbows in this market.

Maryam: So who would you say is your target market?


Bryson Bort: We're industry agnostic; if you run enterprise information technology, you can benefit from our product. The two different demographics are the mid-range companies, who have been primarily neglected with cyber security and the way the market provides help to them, and the Fortune 500s, who are looking for something to give them a further edge, because the challenge we all have is that being as good as a tool is not the same thing as being as good as a threat. And the threat's what matters, and the ability to truly emulate that is the key differentiator for these folks.

John Gilroy: Now last week, Vint Cerf spoke at Georgetown University.

Bryson Bort: He's a smart man.

John Gilroy: I've had the pleasure of talking to him several times. And I put it right to him the first time I met him. I said, "Vint, I heard when you started developing the concept called this Internet, you just ignored security completely." And he said, "oh no, we didn't. We were right there in the beginning." So what do you think, if we had Vint Cerf in the studio here, would you say, "hey Vint, you kinda screwed up in the beginning there. Should it have been more secure? Less secure? Or maybe it wouldn't have grown as fast?" What do you think about the Ben Franklin of the internet? Good security? Bad security? Or toss it right out at the beginning? What do you think?

Bryson Bort: I would say, "It's nice to meet you sir, can I have an autograph?" I don't think it's fair to look back and say you didn't design for security. You still have protocols, products, lots of things being developed today that have significant security issues. The challenge is that anything that is on a computer is inherently exploitable. I mean, seriously, you can give me any challenge you want, it's at the bottom of the sea, it's not connected to the internet, it's turned off, and with enough time and money, I can find a way to gain access to it. So that's not really the problem that can be solved.

Bryson Bort: Everything is exploitable, so Vint Cerf, Al Gore, everyone did a great job getting something going and going as far as they could see. And there were those considerations, but the reality is, nobody's smart enough to see all the possibilities. The connectivity creates an exponential surface area. So surface area's this concept that it's like a visual way to think of, how do I get to something? How do I get into it? And that surface area is more than just the thing itself. It starts to become, how does this thing talk to this thing? And then that creates multiple options, and then this thing. And of course as we have all seen, everything is now interconnected in all of these different ways, and so the surface area is just mind-bogglingly infinite. And I would offer it's unsolvable. So where we encourage companies is, don't try to focus on prevention of access, because even someone who's a genius like Vint Cerf would not have been able to solve that problem, none of us can. Focus on, what's your ability to detect and respond to what an adversary is doing?

John Gilroy: You can be the teacher for a night, and test me on blue team vs. red team, the differences, 'cause your website talks about that.

Bryson Bort: Sure, so the blue team is the concept that, as we said, information technology is what underpins the delivery of business services and data, and the blue team's purpose is the confidentiality, integrity, and availability of that information. Basically, I guarantee that you get what you need, I'm assuring that. It's not going to be messed with, so nobody's twiddling the bits, and it's available when you need it.

Bryson Bort: The red team's job of course is to try to break all of those rules. I think it's really important to understand that, and this is a lot of times where we need client education, because they're like, "aw, you guys are great, give you a contract, then hack us!" It doesn't work that way. One, technical problems are not the whole posture of an organization. It's funny how there's people that use these computers, and people tend to be the largest surface area in a company. And so, if you're missing that, you're missing out on what those pieces are. The other thing is, it's not that, "hey, can I just demonstrate some hack. Oh, look what I gained access to." It's understanding, how does that fit with the business rules? So going back to that confidentiality, integrity, and availability, applying that to, what does that translate into in business, and what are those impacts, and what are their priorities and interests? That's what the red team should be focusing on. That's how they should prioritize what they're looking at. And that's how you really define "I broke something that's relevant" versus "look, this is a cool technical thing, nobody cares."

John Gilroy: So Matt, you have some experience in soccer, you know about offense and defense. Sounds like a good approach to you?

Matthew: Sounds pretty good to me. Coming at it from both sides. I watch movies and stuff. The Social Network came to mind, when you're watching this, you know. Mark Zuckerberg hacked into the Harvard database, got all these pictures and made a website for rating girls. I don't know if that was true, that's what was in the movie. But, that's just what came to mind when you were telling me about that. You can't just, you know, get hired by a firm and they say, "Hack us so we can see what's wrong." So what exactly is the process like?


Bryson Bort: Well, first of all, my favorite hacking scene is in Fate of the Furious, where she says, "deploy all the 0-days" and 0-days are exploits to make a computer do something. And then there's just this sea of cars in New York City pouring out, jumping out of parking garages, all pursuing them. That's my favorite Hollywood moment for pretty much a day in my life. That's kind of all we do.

Bryson Bort: We scope in priority. This is something that I like to think GRIMM distinguishes itself with. I know we were talking about SCYTHE, but this is a GRIMM piece. We like to go onsite with a customer when we start that contract. We want to see the culture. We want to see the processes, the policies. You get so much of an understanding, not only of how that business works, but within hours, you can quickly get a feel for how much security is an important part of the way they do things. I mean you can have the tech folks doing their thing all day long, but if the rest of the company is not a part of it, then it doesn't matter. And you can identify that very quickly from actually imbuing yourself in that piece.

John Gilroy: Earlier, I mentioned a guy named Vint Cerf, and we can look back years ago, at the start of the internet, and criticize him for maybe not being real secure. However, just last week, we had a guy up on Capitol Hill by the name of Zuckerberg and he could be criticized for starting a company and kind of ignoring basic security principles as well. So I don't think it's indicative of an age, it's indicative of trying to get into a business to make money. What'd you think of what happened last week with Facebook?

Bryson Bort: So that's where we're also crossing a line. When you start looking at the national level implications of a lot of these technologies. And it starts to become not really the technology itself, but it's the way that nation states are now starting to exert geopolitical influence on each other. This is where we move beyond the fact that it's not just a question of, "hey, I'm a technical geek, let's look at this term of service, let's look at what this data is." But it's now starting to look at what does it mean, how does that impact things? What are those levers?

Maryam: So, what do you do to make yourself a better choice?

Bryson Bort: So, we'll go back to SCYTHE on that one. What are we trying to do with Crossbow? We work really hard to have a very tight feedback loop with our clients. We're small, we're a startup. It has a lot more value for me to understand exactly how a client tries to use it. What kinds of difficulties do they have? I could build the best thing on the planet but if they don't understand how to use it correctly, that doesn't help. And as simple as we've made it, it's still trying to do very complex things.

Bryson Bort: So that feedback loop, the focus on relationship. I don't see these things as transactional, I see them as we're trying to make the world better one company at a time. And we really want to help them do that, and we try to go further for that. For example, one of the things we just released: when we had our minimum viable product to go to launch, we had something that was technically sophisticated and the user interface looked like what you would expect a group of hackers to have built. Well, that's not very friendly. So that was step one, let's make a prettier interface that starts to put a lot of shortcuts into it. Then the next thing we understood was, so you're running these and you're getting reports back, and we had very detailed reports that allowed the technical staff to be able to prioritize and work on remediating these issues, but everybody has a boss.

John Gilroy: Or teacher.

Bryson Bort: And that boss wants some result at the end of that. And so we realized, what if we just created an executive summary report that automatically summarizes this. So they can run it and, here you go! Feels like an A, doesn't it?

John Gilroy: I know there's a teacher at Georgetown, his name is Brigadier General Greg Touhill, and he worked at this little place called the White House, as CISO. And he works for a company now called Cyxtera, and their motto is "Zero Trust". So is this just a term that's bandied about? Is this even a concept, or is this just, me too, yeah, reliable, me too? Good people. Is zero trust actually a concept in the cyber security world?

Bryson Bort: Yeah, so zero trust is a technical concept and it speaks to, we were talking before about how everything is interconnected. Well, what if I didn't trust anything that's connected to me? So I'm not just going to say, okay, you've got a session with me, or you authenticated with me, so I'll trust what you say. You're gonna have to work your way up to where I believe that. And we start seeing things like that become very useful as we start looking at how computers start having more of a physical effect. So we look at autonomous vehicles. Well, with autonomous vehicles, one of the challenges with getting them to communicate with each other is, how do you trust the other car? And then of course smart cities; smart cities are going to be talking with infrastructure and talking to cars, and as you start to have that, the zero trust concept becomes increasingly important. Because I have to find a way of establishing your relationship and the value of that relationship and the veracity of your data to act on it.


John Gilroy: What your company does is essentially go into a larger type organization or a mid-level company and give them the tools and best practices for performing audits on their cyber security posture, and then you walk away. So you give them the tools to test themselves, and the remediation is on their behalf, not on your behalf then.

Bryson Bort: Exactly, and I think one of the things that's going to be really neat about the tool is why we've built something. It hasn't been used enough yet for us to collect a lot of data, and it's going to be very interesting as this starts to be deployed more and we hit this tipping point where we've collected so much data that the predictive analytics we'll be able to pull out of that are going to be a really fascinating insight into what actually works and doesn't work in companies.

John Gilroy: 'Cause let's face it. If a bank uses one of your tools, and finds something amiss, they're not going to put that in the newspaper, they're just going to fix it themselves and move on. I understand more and more why someone might want this tool. They may not want you to walk in and see what's going on, but they trust someone like Claude to go in and do it themselves. Then they can solve it behind closed doors. This gets to be a very gray area of security, doesn't it? Who do you trust and what level? Bad things happen that may or may not be reported. There's legal implications here too.

Bryson Bort: I do want to point out, we have worked with banks, so they do trust us. But yeah, you go into the zero trust piece. This means you don't have to trust. You get to use a platform. You have control over it and you decide when it runs, what it does, you have complete visibility, auditable visibility on every action. And you don't have to trust somebody else. It's yours.

John Gilroy: Now I understand more and more about your product. Maryam, I'm going to give you the last question here before we close up.

Maryam: Sure. Back to the beginning, how did you get funded?

Bryson Bort: So, I organically grew a very profitable cyber security services company called GRIMM and I used the profits from that to fund the launch of SCYTHE for Crossbow.

John Gilroy: Wow, that's the way to do it. Write that down boys and girls. That's the smartest way to start a company.

Bryson Bort: And try to raise money, 'cause organic growth only gets you so far when you're starting fresh.

Matthew: Do you have your wallet with you?

Bryson Bort: Two million dollars?

John Gilroy: So we've talked a lot here in the last few minutes. If someone wants to find out more about your company what website should they visit?

Bryson Bort: https://www.SCYTHE.io

John Gilroy: S-c-y-t-h-e dot i-o

Bryson Bort: Sierra, Charlie, Yankee, Tango, Hotel, Echo dot India, Oscar

John Gilroy: There's your military background, yeah. That's how you say it on radio and on podcasts. S-c-y-t-h-e dot i-o for more information. We're running out of time here. If you would like to have show notes, links or a transcript, please visit theoakmontgroupllc.com. I'd like to thank our founding sponsor, Radiant Solutions. If you are interested in getting involved in geospatial projects, contact Radiant Solutions. We are hosted by Eastern Foundry, a community of government contractors who are bringing innovative solutions to the government marketplace. For more information go to eastern-foundry.com. If you'd like to participate as a student or startup, contact me, John Gilroy, at theoakmontgroupllc.com, and thanks for listening to Students vs. Startups Showdown on the Potomac.