Podcast: Christopher Lehman, on how to start a successful cyber security business

David: And we are live. Welcome to another episode of Unscripted, and I have the great pleasure to introduce this. Christopher Lehman, the executive and CEO for Safeguard Cyber. How are you, Chris?

Chris: I’m fantastic, David. Thank you for having me.

David: And you have a busy schedule. You’re currently on the go traveling, and I do very much appreciate having time to chat with me today.

But before we get started, just to ease yourself into it, you have an extensive background in tech and in cyber. Just for the people that are not familiar, what you’ve done so far, do you mind just walking us through memory?

Chris: Yeah, sure. So I’ve been in technology and technology sales for coming up on 25 years now.

And I’ve had an opportunity to work with what I believe are some of the most successful and world-class technology organizations in the world. Companies like EMC, companies like Salesforce. And after spending a lot of time and a lot of years helping companies manage data and manage content effectively, back in 2014 I had an opportunity to join up with somebody who’s been a mentor of mine for my entire career, Dave DeWalt. And, David, you may know who Dave is. Some of your listeners may not, but Dave was the CEO of a company called Documentum. We originally met, then went on to become the CEO of McAfee.

And after McAfee, he became the CEO at FireEye. And I was looking for a new opportunity and the team at FireEye had reached out and I had a chance to reconnect with Dave and spend a number of years at FireEye. And then I left FireEye in the 2017 time period and went to work for a company called ExtraHop, who is in the network detection and response space.

And we sold that business last year successfully. It was a 900 million sale of the company and I was running the sales organization there. And then, after we had sold that business to Bain, I was looking for my next opportunity, had an opportunity to connect with Dave. Actually it was at Black Hat in 2021 in Las Vegas.

And he told me about this great company where it was a part of one of. Portfolio businesses. So Dave, after being the CEO at FireEye, started a venture capital investment firm called Night Dragon, and they focused exclusively on cybersecurity businesses. And Dave told me about this business that he said, look, it’s got great technology.

It’s got this great kind of market opportunity where they’re solving a really big problem. And they’re looking for a new CEO, and he tapped me to play that role for him at Safeguard. And I joined here about a year ago.

David: Yeah. What an amazing journey. Do you sometimes feel that all this stuff that you’ve done so far, like all those experiences, kinda led you to kind of the perfect positioning to take the next step in the journey?

Chris: Absolutely. Maybe it’s a little cliche, you hear people say, I feel like all my life I’ve been preparing for this moment, right?

And not to be dramatic about it, I think that in any career you hopefully are learning new skills and getting new experiences at every step in your career, regardless of whether you’re at the beginning, middle, or end of your career and regardless of the kind of company you’re working for.

And one of the things, I’ve always tried to be a student of the game when it comes to my profession and really understanding what makes great companies and why is it that some companies are wildly successful and other companies struggle. And I think that companies that are world class do certain things exceptionally well, and doing little things like very clearly articulating and understanding the problem that you’re solving for your customers and what your value proposition is. It all starts with that vision. And then after really developing a vision, providing a compelling value proposition for customers and the market, it’s then all about executing, right, and making sure you’ve got great people who are on your team, who are thinking about the problems that the market is trying to solve, and then just working a little bit harder than anybody else. Yeah, I feel like I was able to, learnings and knowledge at every company where I worked, and trying to apply that to Safeguard Cyber.

David: And Christopher, this is kind of the first time that you are a chief executive officer. You’ve held various senior roles in the majority of the companies you were in in your past, but this time, this is the top role. Did, when you took on, you always say, hey, get hired for the job they want, not the job they had.

Yeah. And Dave DeWalt obviously did just that. Yeah. Do you find there’s any particular nuances or, what were the first 60 days like, did you feel any different? I know the chief revenue officer typically is responsible for a lot of moving parts in the organization, and it’s a make or break role, right?

So nothing happens until somebody sells something. But a chief executive officer has DAP Plus, plus

Chris: Yeah, I’ve had to, I’m a career sales leader who in the last year moved into the CEO role. And obviously just your purview and scope of responsibility is much broader. As a sales leader, you’re responsible for managing and executing the go to market. And go to market is huge, part of successful businesses, and I’ve got a ton of experience there. But the other really important part of the business is the vision and the technology. You need to have all three parts.

You’ve gotta have great vision, you’ve gotta have great product, and you’ve gotta have great go to market. And the opportunity at Safeguard Cyber, it’s a company that really has strong foundational technology. And the area where it needed the most work was really refining the vision and the go-to-market execution.

And that’s why I think Dave felt like it was a good fit for me and I felt like it was a good fit for me, because I could apply my experience in developing world-class go-to-markets and sales teams and apply that to a business that has this massive market opportunity. And that’s what I’ve really been focused on.

I focus on all aspects of the business, obviously, and that’s my job as a CEO. But job one was to, when I came into the business, really refine the vision and better articulate the value proposition for the business to the.

David: So Christopher, let’s talk a bit about the problem.

You’re solving this, somebody is always saying, hey, you better, if you’re tackling a problem, you better be a very large problem worth solving. And you mentioned specifically a market opportunity. Would you be able to describe very quickly, in a nutshell, what is the main problem that Safeguard Cyber solves with its customers?

How did that originate? Why are we there? Why has no one ever solved this problem before?

Chris: Yeah. Great, great question. The very brief answer, and then I want to give you some more insight into what we’re doing. Very brief answer is that we provide security and compliance solutions for enterprises’ communication channels regardless of where that communication is occurring, whether it’s in email or in a collaboration platform like a Slack or a Teams or a messaging application like WhatsApp or Telegram, social channels, LinkedIn, Facebook, Instagram. And really what Safeguard Cyber is all about is addressing what we call truths, and there’s truths, trends and threats that the enterprise is facing today.

And some of the big trends and fundamental truths that organizations and security teams really need to recognize are the fact that, number one, human beings are always gonna be the most vulnerable elements or weakest element in any security. We are trusting by nature, human beings, and the human eye literally cannot detect a lot of the attacks that are targeted against them.

It really doesn’t matter how much training we do of our employees and of human beings. They’re simply not gonna be able to identify some of the threats that they face on a day-to-day basis. And the data really backs this up, David, and I’m sure you know this: 82% of all breaches that occurred last year were the result of the exploitation of the human in one way, shape, or form or another. That’s according to the Verizon breach report. And we don’t see that changing. We think education is very important in a security strategy for an enterprise. But like I said, it doesn’t matter how much training you do, the sophistication that attackers have are gonna enable them to hide behind messages and communications that the victim and the target just aren’t gonna be able to see or notice.

David: Trend try. I went to, okay, go ahead. Oh, I was just gonna say why don’t you just double click on that specifically because it’s so important. 82%. I think we had to like, almost pause for 20 seconds to let us people sink in what the impact is.

And it’s, and you mentioned it’s not changing because human nature is not changing. We’re a product of evolutionary development over millions of years and we want to be helpful. That’s right. And if you have some stories related, because you’re exposed to a lot, you’re customer facing as well.

So would you mind just describing, maybe scrubbing some of the details so people. Because you gave the high-level statistics, what does it boil down to? Give me an example of something that happened that basically describes that in more detail and gives people some context.

Chris: So I’m gonna get right to that ’cause it’s a great question, but I think it’s important to talk about, like I said, there’s fundamental truths, there’s the mega trends, and then there’s the threats that we’re facing, and this is what we’ve based the business on. Fundamental truth number one that everybody needs to recognize, and to your point, we need to let it sink.

82% of all breaches are the result of the exploitation of human vulnerabilities, right? And that’s number one. Number two, the way we communicate has changed dramatically over the last decade, right? And it was really with the popularity of the smartphone, right? And the popularity of cloud-based communication channels.

It’s no longer just about. We know that 45%, another statistic, 45% of all business communication now takes place outside of email. It’s happening in collaboration applications like a Teams or like a Slack. It’s happening in messaging apps like WhatsApp and Telegram. It’s happening in social channels like LinkedIn, right?

There’s a brand new world out there in terms of the way we communicate. And this is a trend that, again, we don’t see abating. We think that we are gonna continue to evolve and find new ways to communicate. Businesses want to be agile. They want to meet their customers where they are and engage with those customers and prospects in a way that the customer and prospect wants to communicate.

And that means embracing these new communication channels. All right, but when you combine the fact that human beings are vulnerable with the fact that the way they’re communicating has changed, it’s created this recipe and massive vulnerability and security gap that security organizations really have not addressed just yet.

They’ve invested a ton of time, money, resource, and making email more secure, and despite that, we know that a lot of people are still falling victim to phishing attacks and impersonation in email. But you need to then step back and recognize that a security team can’t just focus on securing email.

You gotta focus on all the other ways that your employees are communicating. And this leads to the last point, and to get back to your question around specific examples. The tactics that attackers are using today have also evolved, right? And increasingly they’re using social engineering attacks.

They’re using language-based attacks to target and gain access to information that they want to gain access to. By and large, security teams have not adjusted to this new reality. So you think about, and by the way, traditional security technologies aren’t designed to detect these language-based attacks, these social engineering attacks.

And two very recent examples of this are the Uber breach and the Take Two breach that occurred. This was about two or three months ago now. And in both instances, the attacker used social engineering as a tactic and they executed the attack in alternative communication channels like WhatsApp, and what we’ve seen in the security world.

We’re all familiar with the concept of a low and slow attack where the attacker is starting off in one place and then very slowly moving laterally until they identify a vulnerability or a victim and target that they can basically compromise, and then gain access to information, do damage, steal information, hold the target victim, or excuse me, hold the target hostage for a ransomware.

But the concept of low and slow attacks don’t just occur across infrastructure and applications. They happen across communication channels. And in the case of Uber and Take Two, and again, Take Two, those of you in the audience who may not be familiar with them, they’re the owners and the producers of the Grand Theft Auto gaming franchise, one of the most popular gaming franchises in the world.

Multi, multi-billion dollar business. And the attacker basically started off the attack by doing impersonation and using social engineering in WhatsApp. And once they were able to basically gain the trust and access to the user, they used that impersonation to get the individual to move the conversation to other parts and other applications like Slack and Teams.

And then from there, they were able to collect information and then eventually they were able to gain access to the networks of those companies and exfiltrate data. In the case of Take Two and the Grand Theft Auto breach, the attacker was basically publishing news and providing video and clips about what the new release of Grand Theft Auto was gonna look like.

And that may not seem like a big deal, but for a billion dollar franchise to have the new release of their product go to market before it was ready can do significant damage to the financial success of the ultimate release of the product when it was ready. Those are two recent examples where social engineering was used.

They leveraged alternative communication channels to gain access, compromise their target and then ultimately gain access to the network and information and do exfiltration. There’s huge brand damage and cost associated to that. And yeah, those are the kind of problems that we’re helping organizations solve.

David: Yeah. And if anything, the folks today, the way they communicate, right? It’s like a multi-channel approach. So you can start having a conversation with someone over Slack. You move to WhatsApp, then you move to text, especially the younger generation, they do not care what platform you’re using.

So it’s almost the issue’s even exaggerated because you don’t know where the communications are going to go next. And so you have to have the ability to monitor all of those. And you are using something called natural language understanding as part of your process to protect organizations.

If you don’t mind, can you provide like a 30-second primer of what that is and how is that important for the protection of organizations from this attack vector?

Chris: Sure. First, there’s really three things that I would want your audience to understand about Safeguard Cyber in terms of what we’re doing.

And I’ll talk about natural language understanding and what we call contextual analysis. Your point about communications occurring across multiple channels. The first thing that we do is to provide unified visibility. So provide one pane of glass to gain visibility into all of these different communication channels that the employee is using.

And I’m a big believer that you can’t secure what you can’t see. So security really needs to start with visibility. And what we do is provide unified visibility into all these channels. So that’s number one. Number two, it’s this concept of what we call contextual analysis. And contextual analysis is what enables us to detect threats that the traditional security technology misses.

These are language-based attacks, social engineering attacks, where there’s not necessarily any delivery of malware. There’s no malicious file, there’s no malicious link. They’re using tactics like impersonation, urgency, deception in the communication to convince their target to do something that they shouldn’t.

It might be a password reset. It might be providing, and moving a conversation to an unsecured channel where malware could be delivered. And what we do. Yeah, go ahead.

David: And one thing I’ll mention. Again, double clicking on what you just described, this is how it happens, right? You mentioned sense of urgency.

So you’re an executive, you are on your way on vacation, the kids are screaming in the background, and all of a sudden you get a text that looks like it’s coming from one of your colleagues asking you for a password for, like, a privileged system. You have two things, right?

The sense of urgency and then the chaos in the background that throws you off. You just want to deal with it and move on. And this is the perfect moment, the perfect storm of what you just described. Is that correct?

Chris: Absolutely. That is so. Oftentimes what we’ll see, if you think about the kill chain, right?

The kill chain and where the attack starts is happening much, much earlier than organizations realize. Oftentimes, for example, there’ll be some reconnaissance that’s occurring via a connection or communication on a channel like LinkedIn, right? A lot of business communication now takes place via LinkedIn and direct messages that occur on that platform.

So oftentimes an attacker will start to do reconnaissance, right? Where they’re gathering information about the ultimate target. They’ll befriend and connect with the individual on LinkedIn. Maybe there’s some communication there and it’s creating a sense of familiarity with the target, right?

But then, and by the way, we know that LinkedIn is the channel where the most spoofing, it’s the most spoofed brand in the world right now. And so there’s spoofing that’s occurring there, there’s impersonation that’s occurring there. Organizations don’t have any controls in place to detect when that’s occurring, but that’s where the attacker is, it’s a channel they’re using to gain trust, gain access, gain information.

They’ll then move that communication to a place like email, or they’ll move that communication after they’ve already initiated it in LinkedIn. They’ll move to email or they’ll move to a collaboration channel. And maybe the way that they’ve gotten access to that collaboration channel is through stolen credentials and, they’ve harvested user’s credentials. They now have access to a place like WhatsApp or Telegram or Slack or Teams or email, and they’ll initiate a further conversation. Maybe they’ll make reference to the communication and where it started originally in LinkedIn. So they’re gradually gaining trust, right?

And then in that moment of weakness they’ll ask for the conversation to move to a different channel, which most organizations don’t have secure. Like a Teams or Slack or WhatsApp or a Telegram. And then that’s when they’ll deliver a malicious file or malicious link, or they’ll ask them to go to a website or location that’s not being monitored. And this is the gradual kind of low and slow communication-based attack and social engineering attack that we see all the time. And, but to your point, David, it’s gaining the trust of the victim and then gradually escalating your privilege and access to information via the initial connection. And part of what we try and do for organizations is help them identify when that attack is occurring much earlier, prior to any kind of malware being delivered. Does that make sense?

David: Yeah, absolutely. And tell me, why is the context so important and how does Safeguard look at it, because it’s not enough for you to monitor the channels, the context is super important. And I’m assuming you harness a lot of, there’s a lot of backend magic that happens within the data centers for the company just to realize what is the conversation about, and then sift through, like, the noise to signal ratio to figure out, out of all those conversations, what is malicious?

Chris: Sure. So this is where natural language processing and natural language understanding comes in. If you think about traditional approaches for security of communication channels, they rely primarily on things like the SEG, right?

The secure email gateway, where they’re using maybe some kind of DMARC or they’re using keyword search and identification, but they’re very kind of crude, not sophisticated approaches to securing messages. And then you’ve got behavioral analysis based technologies, which are really looking for deviations from normal behavior.

And the way they’re doing that is by analyzing and looking for deviations in the metadata. So the time that the message was sent, where the message is being sent from, and they’ll use that as a way to look for abnormal behavior. The problem with those approaches is that none of them look inside at the actual text of the conversation.

And this is where language-based attacks occur that use those techniques that I mentioned earlier, deception, impersonation, urgency. And what we do with natural language understanding and natural language processing is we look at the why and the how of the conversation. Is the intent of the message to do something like escalate privilege or gain access to information?

What are the tactics and techniques that are being used in the conversation? Again, urgency, deception, and by looking at the why and the how of the conversation, and this is where all the magic happens. You know, we’re using this combination of natural language understanding with machine learning to analyze the conversation and identify when techniques are being used which are strong indicators of malicious behavior.

David: And this particular attack vector, which is a huge gap, as we discussed, is not going away. If anything, with the introduction of ChatGPT in past several months, the potential harnessing of that AI technology to reach out to people impersonating, creating personas, creating these unmask type of attacks is ever increasing, even now exponentially.

Is that the case?

Chris: Absolutely. And part of what we do is to create a baseline understanding of how individuals communicate. And by creating a baseline, we can then identify when a user is being impersonated or being targeted, and ’cause we’re constantly, we’re analyzing millions and millions of conversations.

So our technology is advanced enough so that we can see when David all of a sudden is using a word that he never ever uses, and look, that’s a red flag. Maybe that’s an indication that this is an individual who’s impersonating David. And by creating a baseline understanding of how people communicate, running the conversations that they’re having, regardless of where the conversation is happening, through our analysis engine and leveraging tools like machine learning and artificial intelligence, which is what ChatGPT is, we can identify when an individual may be being impersonated, or if it’s an inbound message, when they’re using techniques which, as I mentioned earlier, might be strong indicators of an attack and bad behavior.

David: And Christopher, I hope your system leaves some wiggle room. What if I potentially sign up for a philosophy course at the master’s level, all of a sudden start using big words to impress my colleagues? I’m assuming that the system has some provisions for that as well, right?

Chris: Absolutely. Yeah. Absolutely. That’s part of what makes it a technology that can be used in practice. It is a very smart and nuanced system that’s leveraging the kind of latest and greatest techniques in machine learning and artificial intelligence.

And having a high efficacy and high accuracy rate is extremely important. We don’t want to contribute to the noise. We wanna help identify the signal from the noise, as you mentioned earlier.

David: So tell me, I’m watching this and it’s a concern of mine. And I want to give it a try, I want to just run it and potentially even find out how can the company help me.

What does the process of implementing look like? What should I expect in the first 30 days? Does it play well with other systems? You mentioned multi-channel approach and so on. Can you walk me, describe quickly, what does that.

Chris: One of the great things about Safeguard Cyber is that we’re an API-based technology.

And what that means is that we are deployed via API to API integrations. So no data feed is required, no agent is required. The deployment is very fast and very easy. We can literally be up and running and monitoring communication channels within five minutes. So the way we work with the market is to say, look, don’t take our word for it.

Let us prove to you that this is a vulnerability, a gap in your security, and give you insight as to where you are at risk. And so we’ll work with companies and say our recommendation is that you start with three channels, so let’s start with M365 and Teams and LinkedIn, or M365, Slack and WhatsApp.

And we’ll pick these channels and we then deploy it and we run the technology for 30. And at the end of that 30 days, we basically come back and provide what we call, to the prospect or customer, a risk report. And what that risk report does is help them identify where they have gaps in vulnerabilities in their security.

Oftentimes, we do find very active attacks in real time, and obviously we’ll notify the customer of that so action can be taken. But being an API-based technology means it’s very low friction. And it doesn’t have any risk of disrupting your existing system.

So there’s no downside to the prospect to evaluate the technology and see what kind of insights it can provide. One of the other things, so in terms of the values that we provide, we mentioned unified visibility. We talked a lot about contextual analysis, our ability to understand the context and intent of a communication.

But the third thing we do is what we call cross-channel correlation. When you are under attack, one of the questions that a security team and an investigation team needs to understand very quickly is, what’s the blast radius associated to this attack, how far reaching is it?

And one of the things that’s very unique about Safeguard Cyber is our ability to identify and understand how far reaching an attack may be. We may detect the attack in WhatsApp or we may detect the attack in email, but we then have the ability to understand and identify what other communications may be related to this attack campaign. Okay. Yeah, we detected a BEC attack in M365, but we can then identify where conversations related to that may have occurred. ’Cause it’s gonna spider out, right? You detected an email. But then we can say, but this communication in Slack or Teams is related to this. It may go all the way back to communications that started off in LinkedIn.

Our ability to coordinate, excuse me, to correlate and identify how far reaching the attack has been across multiple communication channels is a very powerful tool for security operation teams and investigation teams to understand just how much damage has been done and how far reaching was the attack.

Does that make sense?

David: And Christopher? Yeah, absolutely. And Christopher, that’s important because, people always say, okay, it’s not a matter of if, it’s a matter of when, and the remediation piece is super important. If you can reduce the time to remediation by 30, 40, 50% by knowing the causation, by knowing, as you mentioned, the scope of the.

It has tremendous value to remediation and basically getting back on track and getting the company back in order and the operations back in order. That can be night and day in terms of how the company recovers. Right?

Chris: Absolutely. Time to response is super important and I’ve seen so many instances where security teams are, they’re trying to contain the damage.

But again, until you understand how far reaching the attack has been, it’s really hard to get your hands around that and contain the damage. So again, our ability to understand the blast radius is super important to assuring organizations that they’ve got things under control.

David: So Christopher, next time I’m trying to impersonate somebody and I reach out to you, I know that I most likely will get flagged. Maybe I should give it a try.

Chris: Yeah. Yeah. I seem to be a very popular impersonation person. It’s interesting.

So at our company, obviously, in my role I’m the most spoofed person at Safeguard Cyber, right? And our system detects these attacks and these impersonations. But it’s a very real issue. And I, again, I see it at our company, and for organizations who aren’t monitoring these alternative communication channels, I, I.

Security teams really need to acknowledge this risk and this gap in vulnerability. And they need to take action. I know a lot of security practitioners are struggling to put the basics in. I believe strongly that, and it comes back to these trends we identified at the.

Humans are the most vulnerable part of your security strategy. The way we communicate has changed and the tactics that attackers are using have evolved in such a way that your existing security stack cannot detect them. And the first step is acknowledging these risks. And I think.

Security, and this is a longer conversation maybe for another day, but I think the security industry has things upside down. When 82% of breaches happen as a result of the exploitation of human beings, the Pareto principle would tell you wanna spend the majority of your time, resource, money, et cetera, on the parts of your business where you can have the biggest impact.

And I see the industry and believe that the industry has it upside down. We spend so much time trying to secure infrastructure and applications when the fact of the matter is, vulnerabilities in infrastructure and applications represent only 4% of the breaches that occur, right? 4% versus 82% in terms of how these attacks are occurring.

And I believe that if you believe in the 80 20 or the Pareto principle, organizations will be well served to dedicate more of their time trying to secure the human as opposed to trying to secure infrastructure, because the human is where the majority of the vulnerability exists.

David: Yeah.

Maybe the issue, Christopher, is that when you’re selling hammers, everything is a nail. So some of the companies out there, the solution they have to provide, and that’s what they’re going to market with.

So they have to tout the fact that there’s vulnerabilities everywhere, including the networks, including the endpoints, and, sure.

Chris: And look, it’s not that those things aren’t important. They obviously are important to be secured. It’s a question of just where can. Have the biggest impact, right?

And what are you gonna prioritize and how much are you gonna spend on securing infrastructure versus securing humans? And I’ve challenged CIOs and CISOs with this question. And the response I always get is, you’re right, Chris, but we’re not necessarily sure how to secure the human.

Like they know how to secure infrastructure. They know how to secure the application. They struggle with what they can do and what’s in their control to secure the human. And my contention is that there’s a lot that they can do to better secure the human. It’s just an awareness issue. And it starts.

Again, the acknowledgement of these truths and trends and the threats that exist in the market.

David: Absolutely, Chris, and I hope the humans are here to stay, that we’re not getting displaced by any AI technologies anytime soon. And until then, Chris, what’s the easiest way for people to reach out to you to know more?

Just to get some information about how to move forward with the company and.

Chris: Yeah, sure. I would encourage the listeners to visit our website at safeguardcyber.com. There’s tons of great information about what we do and how we can help your organization on the website.

So I would start there, and if not our website, you can feel free to hit me up on LinkedIn and certainly happy to start the conversation there as.

David: Fantastic. Chris Lehman, thank you very much for taking the time to chat with me today. It’s been a real pleasure and I can’t wait to see where Safeguard Cyber goes next and where you are going to be next and growing the business and bringing it to the next level like you’ve done so many times before.

Thank you again for joining me. For all those who joined, thanks very much. Stay safe online as well as offline. I’ll see you the next.

Chris: Thanks David.