Tom Uren
This is Tom Uren. I'm here with another sponsor interview. Today I have with me Mike Wiachek, the CEO and founder of Stairwell. In this interview Mike tells me how he came to believe that security is fundamentally a data science problem. Mike told me he'd always been fascinated by Internet search and had wanted to work for Google, and had applied without success many times. Mike finally got his chance after working for the Department of Defense and after he had enrolled in a Master's degree in computer science at the University of Maryland. In this interview Mike mentions Operation Aurora, a compromise of Google by Chinese state-backed hackers that fundamentally changed the company's approach to security. We pick the interview up just after Mike has enrolled in his master's degree.
Mike Wiachek
I enrolled in 2004 I think, and two months in I sent my resume again to Google and this time they said we want to meet you. And I ended up flying out to California. I interviewed with a couple of different teams: the security team at Google, given the security work I had been doing, as well as the SRE team. It was a different place. It was a tiny company, relatively speaking. It had just gone public and I was really thrilled for the chance to be there. When they made me an offer, I was blown away. But the thing that happened was I had really liked the work I was doing in grad school, like getting to work on some stuff there. I decided I would stay and finish that out and join Google down the line. On the financial side, I thought Google's stock price was somewhere around $160 a share and I had missed my opportunity. It'll never go higher, never go higher. It's doubled since the IPO. It's a foolish decision. So I have a very expensive master's degree, but I ended up joining Google afterwards, and I think the big focus on the data search aspect of it kind of happened after Operation Aurora. I started TAG, the Threat Analysis Group. And I was inspired by some advice I had gotten from actually a Navy SEAL when I was working for the Defense Department. He was telling me some stories of being in Afghanistan and I remember asking him, I don't know if I could do that. Like, how do you keep yourself collected and focused when people are shooting RPGs at you and you don't know if you're going to wake up tomorrow morning? To put it bluntly, it was just trying to think about what that situation was. And he said, well, there's an exercise that I do where I ask myself three questions to keep myself focused. And I said, what are they? And he said, one, I don't care what's happening, but I look at me and my buddies and I ask myself, what do I have?
Two, I say, what do I need to do? And then three, how do I do one with number two, right? And he goes, it's simple. It almost sounds stupid, but it really keeps you focused. So as we were staffing up the Threat Analysis Group, we were embarking on the early days of what we would now call Cyber Threat Intelligence. And I did that. I said, what do I have? And the answer I had was all the compute you could possibly imagine, all the storage you could possibly imagine. What do I want to do? I want to find bad malware. That's my goal. And then the next question was, how do I do that? With that, and having access to all of Google's source code for search and infrastructure and scale, it made it obvious: let me just use what we're good at to solve a problem that we have yet to solve. And that ultimately led to acquiring VirusTotal and building this large data source that we were able to just do incredibly powerful stuff with. You know what's funny is that actually led to Chronicle down the line; in 2015 I co-founded Chronicle. And Chronicle was yet another take on a data search problem. It was like, you know, we could process logs really quickly at Google and other companies. This became a financial or technical limitation for. And so how do we expose some of that magic sauce to the world? And then after Chronicle went back to GCP and I decided I wanted to do another true venture-backed startup, namely Stairwell, it kind of combines both of those things. And so when you sit down and you look at what we did with TAG, which was data mining the malware files and malware feeds that we were able to get our hands on, and then if you look at Chronicle, which was the scalability and technical excellence of Google's log infrastructure kind of exposed or reinterpreted for the security space, it left this gap. And the gap for me was that both of these were continuations of the way everyone did stuff.
Like we do work with our logs in alert triage every day, we do work with our threat intelligence data here. But crossing those lines becomes incredibly hard. Right? Like we pass around IOCs and they're brittle. We don't actually get to the real meat and potatoes, if you will, of things that easily. And that directly led to Stairwell, where instead of focusing on logs, it's what files are more important: the files in a malware feed or the files that are on the endpoints that we're supposed to be protecting. Right.
Tom Uren
I'm sort of imagining a searchlight in my head, and one of them is narrowly focused on stuff you've already identified as bad, and another is narrowly focused on logs. But I guess the place you're turning that searchlight is like the files that are actually in an organization. And to me, that actually sort of makes sense, that from an organization's point of view, I don't really care about malware per se. I care about what's on my system and what I can do about it. And I don't really care about, again, the logs are kind of a secondary artifact of what I really care about.
Mike Wiachek
That was exactly the insight that we had with Stairwell was we're looking at the data sources that are available to us because we have logs.
Tom Uren
Yeah.
Mike Wiachek
We use them.
Tom Uren
Yeah, yeah. It's like this searching under the lamp for your keys.
Mike Wiachek
Exactly.
Tom Uren
Because that's where the light is, rather than that's actually where your keys are.
Mike Wiachek
That's 100%. That's exactly the case. It's what you can see. And the hardest thing is to sit down and say, maybe there's a source of data that we have that we're not utilizing or operationalizing to the full extent possible. And that requires changing hearts and minds. There's no way around it because, like, everybody knows this is how you do this problem. But when I ask people, let's say my EDR fires off an alert about malware on Jimmy's laptop. How do I look to see if there wasn't a different form of that file on another machine today, yesterday, last week? Like, I can't. All I can search for is hashes, and I can't calculate anything that lets me do that. If you do want to do it, it kind of predicates that you need to have a copy of all the files, and you can go over and you can extract those features and data from them. So when I think about a data search approach to security, it's really focusing in on data acquisition, data preservation, data analysis, and then driving value from it. And if you look at those four stages, we can map that to a bunch of things. If you want to think about how a search engine works on the Internet, you have to crawl the web, you have to store the contents, you have to index, rank, tokenize, all that type of fun stuff. And you have to basically be able to run a search engine that provides good answers. Think about something like a SIEM, you know, Chronicle or Splunk or whichever. You have to get data into it. It needs a place to store it, it needs to be able to parse it, tokenize it, normalize it, and then search it for the final stage. Durable is no different. Right, except we're doing the whole stack ourselves. We're collecting all of the executable and executable-like files from endpoints, servers, VMs, et cetera. We're storing them, we're continuously reanalyzing them in light of new and emerging information. And then we provide alerts on those. We make them searchable. You want to find files that are highly similar.
Okay, this is what you've had that's similar to the thing that you're asking about. I was giving a talk at one of our investors' offices about a year ago and I was describing this approach, and there was a CISO there who came up to me at the end and she said, you know, you're future-proofing my AI strategy. And she said, we are unsure of how we want to go with AI, and every day we don't do something, it feels like we're losing the opportunity to do so. But because you're preserving this data, I don't need to know what I'm doing today. I can figure that out later. And I can always rebuild from wherever I started. And I said, that actually almost straight up sounds like retirement investing advice. Right. The day to start saving for retirement is yesterday, and the second best is today. It works so well.
Tom Uren
Yeah. So tell us how it works. Like, before we started talking, you demonstrated how you're sprinkling the AI magic on your data. And I think it's actually quite interesting.
Mike Wiachek
Yeah. So we have been testing this feature we're calling sterile intelligent analysis for, oh, geez, the last month or so. And by the time this airs, it will be available on our website, stairwell.com. But we built this machinery so that when we collect files from customer endpoints, they're torn apart. They're analyzed by, you know, varieties of scanners and feature extractors. They're unpacked. Everything that's happening with them is done to help make them more discoverable for our customers. Getting into that line of thinking, future-proofing an AI strategy, it actually is coming to fruition with this. And so what we're doing is we can take all that data from the file along with portions of the actual raw files themselves and add this into a giant prompt, if you will, for a large language model and ask it to help perform tier one triage. I've done many years of reverse engineering for malware and other unknown files. I know how slow and tedious it can be. And like, let's face it, for 99% of corporations out there, there's no budget to hire a reverse engineer to sit on staff to help look at the alerts that you're getting all day. And then when you look at the teams in the SOC, they're flooded with false positives or noisy rules or so on and so forth, so this actually is borderline holy grail magic. You can upload a file right on stairwell.com, you can try it. When you upload that file, it is rapidly run through that pipeline of all of this feature extraction. Sometimes tens of thousands of features for one file come out of it, and it's then sent for AI analysis, where you're presented with a TL;DR. This is the high-level view, a malicious likelihood indicator, a confidence assessment in that indicator. And then what's interesting is another page and a half, a fairly technical explanation that conveys why this was the verdict that was achieved.
So instead of, if you think about an AV scanner, saying good or bad or worm, Trojan, not infected, whichever, you're actually given the high-level impact assessment along with the technical justification. And then one of the things that we put at the bottom of the report is the summarization of the key factors to justify why this happened. Like, this file is importing undocumented functions to manipulate process memory across processes. It looks like it's injecting into LSASS, stuff like this, where you're given that information right there, black and white.
Tom Uren
Yeah. You demonstrated to me and in a very short amount of time, like maybe 10, 15, 20 seconds, it came up with like a very nice sort of summary. Well, Mike, thanks a lot for a very interesting discussion about both, I guess, the past and the future of security as a data problem. Mike Wiachek, CEO and founder of Stairwell. Thank you.
Mike Wiachek
Thank you.
Risky Bulletin: Sponsored Episode – "Why Security is a Data Search Problem"
Host: Tom Uren
Guest: Mike Wiachek, CEO and Founder of Stairwell
Release Date: May 4, 2025
The episode opens with Tom Uren introducing Mike Wiachek, the CEO and founder of Stairwell. Mike shares his passion for internet search and his long-standing ambition to work for Google. Despite multiple unsuccessful attempts, his persistence paid off after gaining experience at the Department of Defense and pursuing a Master's degree in computer science at the University of Maryland.
Notable Quote:
[00:55] Mike Wiachek: "I enrolled in 2004 I think, and two months in I sent my resume again to Google and this time they said we want to meet you."
Mike's journey underscores the importance of perseverance and continuous learning in the cybersecurity field. His eventual success at Google set the foundation for his subsequent ventures in cybersecurity.
Mike delves into a pivotal moment in his career—the impact of Operation Aurora. This was a significant cyberattack where Chinese state-backed hackers compromised Google, leading to a profound shift in the company's security approach.
Inspired by advice from a Navy SEAL during his tenure at the Department of Defense, Mike adopted a focused mindset to tackle challenges:
Notable Quote:
[02:20] Mike Wiachek: "It's just trying to think about what that situation was... I don't care what's happening... what do I have? What do I need to do? How do I do it?"
Utilizing Google's vast computational resources and his expertise, Mike founded the Threat Analysis Group (TAG). This group marked the early days of Cyber Threat Intelligence, focusing on identifying and analyzing malware through extensive data mining.
Mike explains the transition from TAG to Chronicle in 2015, leveraging Google's log processing capabilities to enhance security infrastructure. Chronicle aimed to expose Google's "magic sauce" of scalable log infrastructure to the broader security community.
However, Mike identified a gap between data mining for malware and scalable log analysis. This realization led to the creation of Stairwell, a venture-backed startup that bridges the divide between threat intelligence data and log-based security operations.
Notable Quote:
[04:30] Mike Wiachek: "Stairwell... combines both of those things. Instead of focusing on logs, it's what files are more important... what's on the endpoints that we're supposed to be protecting."
At the core of the discussion is the paradigm shift of viewing security through the lens of data search. Mike elaborates on how traditional security approaches focus narrowly on predefined threats or log data, akin to searching only where the lamp light shines—not necessarily where the keys (issues) are.
Notable Quote:
[05:51] Tom Uren: "It's like this searching under the lamp for your keys... because that's where the light is, rather than that's actually where your keys are."
Mike emphasizes the importance of harnessing all available data sources to uncover threats that might otherwise remain hidden. This comprehensive data acquisition and analysis approach allows organizations to detect and respond to threats more effectively.
Mike outlines Stairwell's methodology, drawing parallels to how search engines operate. The process encompasses four stages: data acquisition, data preservation, data analysis, and driving value from the results, the same stages a web search engine (crawl, store, index and rank, answer queries) or a SIEM (ingest, store, parse and normalize, search) goes through.
Notable Quote:
[07:15] Mike Wiachek: "If you want to think about how a search engine works on the Internet, you have to crawl the web... Durable is no different. Right, except we're doing the whole stack ourselves."
Stairwell’s platform, Durable, integrates these stages into a unified system, enabling organizations to perform deep searches for malicious files across their entire infrastructure rather than being limited to superficial log searches.
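The four stages described above (acquire, preserve, analyze, get value out), and the "EDR fired on Jimmy's laptop, was a different form of that file on another machine last week?" question from the interview, reduced to working code as an added example. This is not Stairwell's code and does not reflect how its platform is implemented; it assumes constructed byte strings standing in for executables, byte 4-gram Jaccard similarity as a stand-in for real similarity features, printable strings as a stand-in for parsed imports and config, and constructed host names and dates. It shows why hash-only lookup misses the variant while a preserved feature index finds it, and how a rule written today can be run over everything collected earlier.

```python
import hashlib
from collections import defaultdict

# Constructed sample sightings: (host, date seen, file bytes). The byte strings
# are stand-ins for executables, not real binaries or samples from the episode.
_BASE = (
    b"MZ" + b"\x90" * 16
    + b"This program cannot be run in DOS mode.\x00"
    + b"KERNEL32.dll\x00OpenProcess\x00VirtualAllocEx\x00"
    + b"WriteProcessMemory\x00CreateRemoteThread\x00"
)
SAMPLE_SIGHTINGS = [
    ("jimmys-laptop", "2025-05-01", _BASE + b"cfg=http://example.invalid/a\x00"),
    # Same code with a different embedded config: a variant with a different hash.
    ("build-server-7", "2025-04-24", _BASE + b"cfg=http://example.invalid/b-2\x00\x00"),
    ("hr-desktop-3", "2025-04-30", b"#!/bin/sh\necho hello world\nexit 0\n"),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_features(data: bytes) -> dict:
    """Analysis stage. Byte 4-gram shingles feed similarity search; printable
    strings of 6+ chars are a cheap stand-in for imports and config (assumption:
    a real pipeline would parse headers, imports and unpacked layers)."""
    shingles = {data[i:i + 4] for i in range(len(data) - 3)}
    strings, run = set(), bytearray()
    for b in data + b"\x00":            # trailing NUL flushes the last run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= 6:
            strings.add(run.decode("ascii"))
        run = bytearray()
    return {"shingles": shingles, "strings": strings}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


class FileStore:
    """Acquisition and preservation: content-addressed blobs plus a sighting
    log, so 'was a variant of this on another host last week?' is answerable."""

    def __init__(self):
        self.blobs = {}                       # sha256 -> bytes
        self.features = {}                    # sha256 -> extracted features
        self.sightings = defaultdict(list)    # sha256 -> [(host, seen_at)]

    def ingest(self, host: str, seen_at: str, data: bytes) -> str:
        h = sha256(data)
        if h not in self.blobs:               # keep every distinct file once
            self.blobs[h] = data
            self.features[h] = extract_features(data)
        self.sightings[h].append((host, seen_at))
        return h

    def lookup_hash(self, h: str) -> list:
        """What hash-only search gives you: exact matches, nothing else."""
        return list(self.sightings.get(h, []))

    def find_similar(self, h: str, threshold: float = 0.7) -> list:
        """Similarity search over preserved features: (hash, score, sightings)
        for every other stored file at or above the threshold, best first."""
        query = self.features[h]["shingles"]
        hits = []
        for other, feats in self.features.items():
            if other == h:
                continue
            score = jaccard(query, feats["shingles"])
            if score >= threshold:
                hits.append((other, round(score, 3), list(self.sightings[other])))
        return sorted(hits, key=lambda hit: -hit[1])

    def reanalyze(self, rule) -> list:
        """Continuous reanalysis: run a rule written today over everything
        collected so far and return the hashes it matches."""
        return [h for h, feats in self.features.items() if rule(feats)]


def cross_process_write_rule(feats: dict) -> bool:
    """Constructed detection heuristic in the spirit of the report's
    'manipulates process memory across processes' finding: the file names
    both of these APIs."""
    return {"WriteProcessMemory", "CreateRemoteThread"} <= feats["strings"]


def build_demo_store() -> FileStore:
    store = FileStore()
    for host, seen_at, data in SAMPLE_SIGHTINGS:
        store.ingest(host, seen_at, data)
    return store


if __name__ == "__main__":
    store = build_demo_store()
    alert = sha256(SAMPLE_SIGHTINGS[0][2])    # the EDR alert on Jimmy's laptop
    print("exact hash:", store.lookup_hash(alert))
    print("variants:  ", store.find_similar(alert))
    print("rule hits: ", len(store.reanalyze(cross_process_write_rule)))
```

Running the block shows the exact-hash lookup returning only Jimmy's laptop, while the similarity search surfaces the build-server variant seen a week earlier, and the rule run over the store matches both copies but not the unrelated shell script. The design point is the one the interview makes: the similarity question is only answerable because the files (or at least their extracted features) were preserved, not just the hashes in an alert.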
A significant highlight of the episode is Mike's discussion on integrating AI into Stairwell’s security solutions. He introduces the feature called "Sterile Intelligent Analysis," which leverages large language models to perform tier-one triage of files rapidly.
Notable Quote:
[10:05] Mike Wiachek: "We can take all that data from the file... and adding this into a giant prompt, if you will, for a large language model and asking it to help perform tier one triage."
This AI-driven approach translates vast amounts of file data into concise summaries, malicious likelihood indicators, and confidence assessments, accompanied by technical justifications. This not only accelerates the threat analysis process but also makes it accessible to organizations lacking extensive reverse engineering resources.
Notable Quote:
[11:15] Mike Wiachek: "You are actually given like the high-level impact assessment along with the technical justification."
The tool provides actionable insights, such as detailing how a file manipulates process memory or injects into critical system processes, thereby enhancing the organization's ability to respond to threats swiftly and accurately.
Mike shares an anecdote about a CISO who recognized the value of Stairwell’s data preservation strategy in future-proofing her organization’s AI initiatives.
Notable Quote:
[09:41] Mike Wiachek: "I was describing this approach and there was a CISO... you need to have a copy of all the files and you can go over and you can extract those features and data from it."
This strategy ensures that organizations retain comprehensive data, allowing them to adapt and integrate emerging AI technologies without being constrained by past limitations. Mike likens this approach to sound financial advice: "The day to start saving for retirement is yesterday, and the second best is today."
Towards the end of the episode, Mike demonstrates Stairwell’s AI-powered analysis tool. He showcases how a file is processed through feature extraction and AI analysis within seconds, producing a high-level summary and a detailed technical explanation for the assessment.
Notable Quote:
[12:00] Mike Wiachek: "It's like, we can take all that data from the file... and then sent for AI analysis where you're presented with a tldr."
This demonstration highlights the efficiency and depth of Stairwell’s solution, making advanced threat analysis accessible and actionable for organizations of all sizes.
Tom Uren wraps up the discussion by acknowledging the transformative potential of viewing security as a data search problem. He commends Mike for his insightful exploration of both the historical and future landscapes of cybersecurity.
Notable Quote:
[12:43] Tom Uren: "Well, Mike, thanks a lot for a very interesting discussion about both, I guess, the past and the future of security as a data problem."
Mike expresses his gratitude, reinforcing the collaborative spirit of advancing cybersecurity through innovative data-centric approaches.
Key Takeaways:
For more insights and updates on cybersecurity, visit Stairwell's website.