Ep.03 John Czupak | Sourcefire, SNORT and Threatquotient Oh My


In this episode of the Cybrary Podcast, we sit down with John Czupak, the CEO of ThreatQuotient. Speaking with Cybrary CEO Ralph Sita and me, Thomas Horlacher, Head of Creative Services, John discusses being at Sourcefire during the creation of the SNORT technology and how ThreatQuotient is now working to address the problem of alert fatigue for security teams.

Topic: Discussion on being at Sourcefire and ThreatQuotient
Hosted by: Ralph Sita, Thomas Horlacher, John Czupak
Length: 24 minutes
Released on: January 3rd, 2020

In this episode of the podcast, John Czupak, CEO and president of ThreatQuotient, and Ralph Sita, CEO of Cybrary, speak about their experiences with startups. They were high school buddies and both went on to successful careers in the cyber industry. John has held many roles and succeeded in each of them. One of the most notable companies he was associated with was Sourcefire, the original creator of the Snort technology.

It all starts with startups. According to Ralph, startups are not easy to run and face a huge number of challenges at the beginning; determination, grit, luck, and smart people are the factors that make the difference. John adds that the bet he and his partners made in the early days, when IDS was the shiny new thing in the cyber world, was on a mentality of detecting the threat in order to prevent it and keep it out. He then explains that IPS is a technology blended with the core IDS. The conversation continues to the point where John describes the main mission of ThreatQuotient, a threat-centric security operations platform. He states that the main challenge for organizations is that they cannot bring the information together to get the most out of it; ThreatQuotient does, and it gives organizations a range of capabilities. As Ralph puts it, ThreatQuotient's main mission is to eliminate the noise and turn it into digestible, actionable data for companies. According to John, when a dedicated threat intel team comes across important information, it should be shared in some capacity with other users, such as the SOC team, the incident response team, the hunt team, and the vulnerability management team, so that it can be used efficiently; he sees tremendous value in sharing it with those other users.

Ralph then moves on to the topic of breaches. John believes there is no silver bullet for this problem. There are, however, some possible ways to address it. He says organizations should raise their employees' awareness and security understanding to at least a basic level, and create the opportunity for employees to work together as a team, just like a sports team.

Lastly, the discussion shifts to startups and businesses. Ralph thinks of a startup as a bet and says there are risks and gambles in startups that do not exist in established businesses. Having gritty people around you who share that mentality is half of the formula for a successful startup. Thomas says there should be people who are expected to do more than what is expected. Doing a little extra every time is just what a startup takes to stay competitive and up to date.

Thomas: All right, everybody. Thank you. And welcome back today. We have John Czupak from here today in the studio, along with Ralph, the CEO of Cybrary. Thank you for coming in today, John. And just give us a little history about yourself and a little about what does.

John: Yeah, thanks for the invitation. Really appreciate joining you guys today. Yeah, I, I call myself an old cyber startup guy. So, I come from the world of having been in the cyber industry now for many, many years. The company that is the most notable that I was associated with was the 12-year run I had at Sourcefire, which was the original creator of the Snort technology, a company we built, took public eventually, and in 2013, uh, sold off to Cisco for a check with a lot of zeros on it. Currently I'm the CEO at ThreatQuotient. We've built a threat-centric security operations platform. I've been there since the end of 2015, and we're backed by kind of a who's who of investors and are making a run at a pretty big problem space right now in the security operations world. So, uh, glad to be here.

Ralph: Yeah. Thanks, John. I mean, John was very kind and generous. He gave us some time at our weekly, biweekly, all-hands meeting and gave us a rich and detailed history of what he's accomplished. And it has been a tremendous amount that he's accomplished in this area. Truth be told, John and I are also high school buds. And we won't tell you when we graduated. Cause we're still trying to

John: 96

Ralph: 1996. So yeah, that makes us 22, John. I don't know if that works out, but either way, John is a good buddy of mine and a superstar in this industry. John, you know, I'll jump right into it because I mentioned this before we got on the air, and I just thought it stood right out with what you've done in your career, and how you've pivoted back and forth and always survived. That was one of the things you really preached, that, you know, this isn't an easy task, what we do; it isn't an easy task, what anybody does in startup companies. And you gotta have determination, grit, a little bit of luck, but you gotta also know that being surrounded by smart people all the time is probably your best attribute as a leader, and I certainly can attest to that. I'm never the smartest guy in the room. I'm not the smartest guy in this room, but I will tell you that having those assets at your disposal really makes a difference in what you do. And one of the things that you mentioned was in your early days, and what you guys were doing, you kind of switched from the mentality of, you know, let's detect the threats and identify them, to let's prevent the threats and then keep them out of our front door, out of our house. In today's environment, how important is it for organizations to adopt that mentality that an ounce of prevention is worth a pound of cure? I think our parents told us that, and then their parents told them that as well.

John: Yeah. So that's a, it's a great, great question. Some of the kind of threads of the question go back many years, back to my days at Sourcefire. And we went through an early industry shift where we were, at the time, a pure IDS company based on the Snort technology, and the industry was shifting, though, moving into IPS functionality. And it makes a lot of sense if you think about it. If you can detect it, why not block it, right? Now, we did a bit of zigging when the industry was zagging at the time. And, and let me explain what I mean by that. We, we actually did not initially chase the IPS kind of silver bullet mantra that was going on in the industry. What we believed, and this goes back to really smart people, smarter than I am, what we believed was that the core IDS problem could be solved in a different way. And we made a bet on a new technology that was blended with our core IDS, sort of roots in technology, that changed the way in which those systems were used by, by organizations, and that actually led to us becoming a really big and powerful business, right!

And so we made a bet on something with really smart people. And when you're doing startups, sometimes you have to do that. I think today, where we're at, there are some similarities. And so, you know, I, I like to kind of look at how the industry evolved. And if you think about it, most of the bets and technology investments historically were placed in block-and-prevent kind of technologies: firewalls, AV systems, IPS systems. The reality today, though, and we all know this, folks that pick up the Wall Street Journal every day, is that companies, despite the large investments in these blocking and prevention technologies, are still getting compromised. Yeah. I mean, you don't go any given week without reading about something happening. So I think there's been a dramatic shift. Not a shift away from blocking and prevention technologies, but a shift into demanding that companies have the ability to detect and respond. So if, if we can acknowledge that we've either been compromised or we are very susceptible to being compromised, because it's just the nature of the business: attackers are complicated, systems are complicated. The real measure now is, well, how quickly can we detect these things? How quickly can we respond to it? How efficient is a SOC? What kind of enablement are we giving our own people to try to be able to respond in a different way? So it is, as I've described to some folks, kind of the new wave of cyber that's happening as we speak.

Ralph: So, it sounds like even for what you're currently doing now at , you guys are absolutely seeing the value in, you know, the early detection, the SOC service, SOC as a service. You know, you guys are pioneering that right now. Tell us a little bit more about, you know, just the overall platform, and how you guys are the leaders in your industry. Cause you guys really are.

John: Yeah, thanks. Thanks. Maybe I'll take one step back, and we'll talk a little bit about the problem that we, that we solve, and I'll try to put it in terms that, as I like to describe it, human beings can understand: normal, normal English. If you think about the way analysts and teams and SOCs operate, generally speaking, today, it's actually a really inefficient process, which leads to an efficacy problem. How do I detect the thing that really matters? How do I focus on the highest priority items? And so, you know, let's peel that back a little bit. You've got different operators. You've got analysts and incident responders and hunters and malware teams and vulnerability teams. It's most typical and normal that these individuals or organizations are working in silos, you know. If they collaborate and communicate together well, that's great, but the reality is it's not an easy thing for them to do.

Everybody has heard the phrase, sort of, alert fatigue, right? So you've got great systems, but all of these systems are generating lots of alerts. And how do you prioritize those things? So, there is an inability, largely speaking, for these organizations to bring the information together, to be able to coordinate the tools and coordinate their own efforts together. And that's really what, when we describe what we do as a threat-centric security ops platform, that's really what we're doing. We're bringing back, we're bringing the elements of threat data, our threat intelligence. We're giving the ability to be able to integrate technologies together. So, wouldn't it be valuable to be able to interact with my SIEM to see whether or not I have seen a breach? Wouldn't it be useful to be able to provide automated capabilities to update things, simple things like signatures on an IPS system, as an example? Wouldn't it be valuable to give a collaboration room where people can come together and have access to all of these elements? That's what we deal with when we talk about a security operations platform. That's kind of at the heart of, heart of our business.

Ralph: Got you. I mean, there's a lot of noise in the space, right? And the ones that are smarter, the ones that are providing a true service to the companies out there, are the ones that can, first off, help eliminate a lot of the noise and then put it into digestible, actionable, you know, data for these companies. So great point there.

Thomas: Going kind of off of what you're saying is the siloing of security teams and other teams like that. I mean, one of the things that we're starting to focus on now is what we're calling security enablement, and trying to enable kind of everyone to have at least more of a security understanding, so that you don't have to farm out those things to a security team and kind of wait for an answer back. You might be able to answer your own kind of questions that way and figure it out yourself. So, I mean, have you noticed, like in, like in the history, you know, your history in the industry, have you noticed that people are starting to understand that and trying to move away from siloing off, like, security teams and their SOC teams and stuff like that?

John: Yeah. We're at the, we're at the beginning stages of the crest of this wave, and your comments actually dovetail almost precisely with our approach and our strategy and the architecture of what we've built within our platform. And the idea is this: we've always had a philosophy that, at a foundational level, there's a lot of good data that's available to operators to detect and respond, right? But is it easily available? Can it be shared with individuals? Can you effectively prioritize the most important items? How do you do all this, and how do you do it in a team sport way, right? And so we built a platform that predominantly was used by threat intel operators, analysts, threat intel teams, for a threat intel management or platform use case. So, you know, the concept there's traditionally been, I've got a siloed, dedicated threat intel team, and as they come across the important information, they'll share that in some capacity with other users. What we believed from almost day one is that, wow, there's power in this information if you can make that information easily available to all of the other possible users within a SOC or within an org, an organization. The incident response team can make use of threat data and integrations into applications. The hunt team can make use of this information. The vulnerability management team can make use of threat intel information to help prioritize those systems that are the most important, that they should focus on first and today, right? And so, you know, philosophically, but also, also architecturally, we've built a platform that empowers all of those users to make use of this really valuable data. And it's hard stuff. It's hard to build this stuff, but there's tremendous value in it when you can offer it up to these users.

Thomas: Sure, sure.

Ralph: Yeah. So hacks happen every day. I mean, we, we put up a, you know, a scripting course on our site, and guess what? People tried to hack the scripting course page on our site. And they tried it with a lot of fervor. Capital One, Equifax, all of, all of them, you know. Are the hacks any different? I mean, what makes them different today than they were two years ago? Or is it just the result, or is it just the reporting of it? Do you see a bigger impact to the stock price? To the board of directors? I mean, somebody's going to lose their job internally all the time, but what really is the benefit of seeing these and learning from them? Has it gotten any better?

John: Yeah, so I think there are several threads in there. But you know, this has clearly become a board-level issue. There are real dollars that are involved in this, substantial dollars. I mean, individuals losing their jobs because of breaches, you hear about that all the time, but that's just one small aspect of how companies are impacted by this. So this is real. It's not getting better, right? That's our reality. It's not getting better. And if you think about the dynamics, though, of it, it really goes back to understanding the kind of threats that you are susceptible to. It is understanding who your potential adversaries may be. It's getting an understanding of the kind of campaigns that you might be susceptible to and the kind of campaigns that are actually going on in your environment. This is raising the bar relative to the kind of, you know, questions that are, that, that are being asked of companies today. What are you doing about this, right? Now, the sophistication of the attackers is not, it's, it's not, the bar is not lowering, but it does depend, I think, on the kind of profile of the attacker, whether or not the attacker is a nation state. That kind of attacker may be a very different attacker than a scripted ransomware kid, right? That could be equally as, as impactful to an organization, but the ways in which a nation state attack might occur and the kind of investment abilities those organizations have, they actually dwarf the size of our cyber industry in a lot of cases. So, yeah, it's a big problem. And you know, there's an old saying, you just try to minimize your attack surface and, and, and do the best we can in some cases.

Ralph: So what's the, I mean, I don't know if there's an answer to this, and I'm not expecting you to give it to me in this podcast, because I don't know it, and a lot of people don't. What's the solution? Is it better training of the people? Is it blended with devices and services? Like what you guys offer is an overall education, because even standing up your product, there's a lot of education in order for these companies to properly utilize it. So the investment in people seems to still be lagging behind the mentality of let me throw a device, let me throw a service at it. You know, from our perspective, people are everything. People are the ones that make the first silly mistake, and people are the ones that are left to try to detect it in a lot of cases. Where's the blend?

John: Yeah. I think you've hit a couple of nails on the head. You know, I'm, I'm not being provocative in saying that we know there's a talent shortage out there. We know even for those individuals and organizations that have experienced people, there's a gap in talent between the individuals. You've got junior analysts into, you know, so-called tier one analysts, into tier two and tier three analysts. How do you raise the skill level of those individuals, right? A part of the industry problem, and I'd like to think I've not been a contributor to it, cause I think I'm sensitive to this phrase, is that the concept of silver bullets has been thrown around for decades in this industry. And the minute I hear, if you just buy my thing, all of your problems are going to go away, is the minute I call BS on it. Right.

Thomas: Right.

John: So, I don't think there's a, there, there's not a silver bullet to this challenge. There's an opportunity for organizations to rise, try to raise the skill level of individuals. And again, I used the phrase earlier, a team sport. I think this has to be a team sport. Absolutely. So how do you provide not only the educational path, but also the tools and technologies that individuals can work with? So, one of the overused phrases today is AI. Well, yeah, I'll believe in a fully, you know, automated AI system that's going to solve all the problems. I'll believe it when I drop it on my foot and my foot doesn't hurt, right?

Thomas: Right.

John: It's right. It's just, I think our reality is this problem is going to be solved by a combination of technology, people, training.

Thomas: Got you.

Ralph: Though, couldn't, couldn't agree more. I mean, it's like you said, the team approach from everybody across the platform, and then that team has to continually get better as a team all the time. So we know that.

Thomas: Yeah. I mean, it's kinda, it's kind of, like, an industry shift of, like, where, where do you start thinking about security in the process? Like, now it needs to start being something that you're thinking of from the very beginning and not kind of like an afterthought after you've already made your product, or, you know, you've already started doing your services and everything. It's something that needs to be kind of done throughout the whole life cycle, from your dev team and everything like that. So that you don't get to a point where there's too much wrong and you don't, you don't really know how to, you know, start correcting things.

John: Yeah. There's a, there's a huge momentum. I mean, we're not in the DevOps, SecOps business, but there's a huge momentum in that world where, you know, building quality code from the start is a big part of minimizing your attack surface. So, companies are starting to pay attention to that in a big way.

Thomas: I mean, you spoke during our all hands about being at a company that had almost died multiple times, as you put it. So I mean, how important is it, just the people that you work with and, like, the office morale, things like that, for trying to kind of bring your company back or kind of keep pushing through when you get to, like, a hard time like that?

John: Yeah, that's a, that's a great question. I won't mention the company name that almost died on multiple occasions, but look, the reality is, those of us that have done startups will understand, and understand intimately. I, you know, I, I've come across a lot of people that, that have said, I always want to do a startup. Yeah, that's my next thing. I want to go do a startup. But it's not for everybody. But if it suits your DNA, and it is a risk-reward sort of a choice to do startups, if it suits your DNA and you go do it, and you have some success, you probably won't want to do anything else, right? But nothing is free. You've got to pay the price to get the prize, right? And the realities are that you can have high highs. You can have low lows. And I always liked to lean on some of the basics, right? And so if you're going to go do these things, from my experience, and in my opinion, do it with great people that you have a cultural affinity with, people that you can trust. Attempt to surround yourself with smarter people than yourself. You have to be willing to make some bets. And actually, all bets are not always going to work out, right? But you got to make some big bets sometimes and go with it. And, uh, you really want to have people in the trenches with you that, you know, can go long. When the highs get high, you don't get too high; when they go low, don't get too low; stay even-keeled. Cause it can be an up and down thing, but the rewards of having it are pretty substantial. And a lot of times you don't realize it till it's over, when you look back and say, wow, we did something really cool.

Ralph: Sure, sure. And there, and there's a difference. There really is. Starting a business and starting a startup are not the same. You know, there, there's a bet on a startup, there's a risk, there's a gamble. It's a different mentality. In it, you have to understand that the odds of failing are pretty much stacked against you. Odds of winning are smaller, but the reward is bigger. It's just a different thing. And to keep people around you that know that mentality, that are gritty, that are understanding of that, it's probably half of the formula to a successful startup, for sure. Maybe more. John would be the expert; he's done about 27. So I

John: That's cause I can't keep a job.

Ralph: Yeah, that's right. So yeah John, I really appreciate it. That's some great advice.

John: Thank you. Thank you. Yeah, appreciate it. I love the, the word you use, gritty. That is a, that's a great word that kind of describes this. And yeah. You know, if you do it with people that have done it before, they sort of nod their head and, and get it, and they probably wouldn't join again if it wasn't in their, in their strike zone. It's really more for the new people that have never been through it, keeping them balanced relative to the normalcy of the, you know, things that occur daily in these types of environments.

Thomas: Yeah. I mean, another thing that you said, kind of touching on this, is, you know, dealing with people you work with. As you said, winners like to play with the winners, and you know, if you don't have winners with you, you know, you need to get them off the bus. Like, you want people around who are going to be able to work longer hours or kind of put in the extra work and the extra time. Cause that's what a startup takes. I mean, that's, you kind of have to do a little bit extra every day. And every time, just, you know, to stay competitive and stay up to date with everything else.

John: Yeah. Yeah. Look, it's, it's simple. People pick up on that, and if you've got folks that aren't meeting the expectations while everybody else is, you know, giving the best effort, they see that, right? And they also see it when the leadership doesn't recognize it or try to pick up on it. They, they see that, right? And so, yeah, it's a great phrase. Winners do like to be around other winners. Right?

Thomas: So I would agree. Yeah. As one of the winners here,

Ralph: Absolutely.

Thomas: I try my best.

Ralph: You know what, John, I know you got a tight schedule. I appreciate everything you've done. You've been here. You enriched our people. Nobody in the room was disinterested, which is interesting for us, because a lot of times we give some dry all hands, especially when we let Tommy talk at them.

John: I'll give him a technical talk on digital certificates next time.

Ralph: Schedule that one for a happy hour.

Thomas: Opening with that 90-minute slide. And I just looked at everybody like, oh no, I hope that's not what he's going to do. So, yeah. Yeah. But it turned out well. Thank you very much for stopping by, and definitely we'll have you on again. It was great talking to you. Thank you.

John: It was a pleasure. And thanks for the invitation and best of luck to Cybrary.

Ralph: Absolutely. Yeah.