Hey, everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase, cybersecurity. This is season three, episode three of the ongoing series that features exciting startups from the AWS ecosystem. I'm your host, Lisa Martin. Pleased to be joined by Chris Lan, the Chief Product Officer at Halcyon. Chris is here to talk about defeating ransomware in the real world. Chris, welcome to theCUBE. Great to have you on this very important topic discussion today.

Thanks for having me. I really appreciate it.

Of course. Before we dig into the current state of the cybersecurity landscape, tell the audience a bit about Halcyon. This was formed only two years ago, back in 2021. What do you guys do? What were some of the specific gaps in the market where cybersecurity is concerned that your co-founders saw we could fill this gap?

Absolutely. So it started out really around the time of the Colonial Pipeline incident, which a lot of folks, whether they're in the industry or just follow current events, are obviously very aware of. And that was kind of a wake-up call for the founding team at Halcyon around, just the landscape was changing dramatically with geopolitical events, with economic, macroeconomic events, as well as we saw a very acute problem that was starting to rear its head. And we also noticed that viewing kind of the ransomware risk through kind of the traditional lens and tools that existed out there in the market was insufficient in that.
And what I mean by that is not that there aren't great security products, technologies and services out there that solve a lot of cybersecurity issues, but in the particular context of ransomware, that because of these geopolitical events, because of these macroeconomic events that aren't transient in nature, that are kind of the new normal as the globe realigns, as the globe kind of digests everything that the world's gone through the last three years, first with the pandemic and then with kind of coming out of the pandemic, that conditions had changed in the risk landscape. Motivations and the business model underlying ransomware was a big kind of missing piece that people weren't thinking and talking about, and that this was really kind of, how we talk about it at Halcyon, and it's like non-governmental advanced persistent threats, if you will, where the outcome and the desire wasn't to achieve undetected access to a business and organization to steal intellectual property over years and/or decades. It was, hey, how do I achieve the maximum amount of leverage as quickly as possible so I can drive real demonstrable economic returns as a threat actor. And that was very different.

Yeah, you talk about the Colonial Pipeline, it sounds like, being really a catalyst for Halcyon forming back in 2021. And I think that's the timeframe. We've been talking about ransomware for a very long time in the cybersecurity landscape and how much is changing, but I feel around the Colonial Pipeline time, that's when ransomware became a household word and I started hearing about it in non-technology conversations where people were starting to become aware of it and aware that the bad actors out there had access to emerging technologies and that it was so lucrative for the bad actors.
Talk a little bit about the strategy and the vision of Halcyon given the fact that there's so much, you talked about the geopolitical climate, the macroeconomic climate and the fact that there is so much return that these guys are getting. What's the vision and strategy of Halcyon to help organizations defend against that persistent threat?

Yeah, I think you're asking a real fundamental question to our story and just to what we observed in the market, and that is, because of the nature of what is driving this threat category or this scenario of cyber risk, that a couple of things really crystallized, and that is, for us, there is no perfect security. And I know that, I have immense amount of empathy for customers and partners. A lot of my being in the cybersecurity industry for 30 years personally, I am very good personal friends with a lot of chief information security officers, Fortune 500s, and I have a lot of empathy for the job that they're responsible for and the job that them and their teams do, but there's not an easy but or there wasn't an easy but, and there wasn't an approach to this particular crystallizing form of cyber risk that was really taking a resiliency first mindset, a failure is inevitable mindset, and working backwards from that worst case scenario. If you have a ransomware event or you are targeted, that may be one of the worst days, if you're a CISO or you're on a security team, that you're gonna find coming into work, and having that working backwards from that inevitable failure, that assumption position that no matter how sophisticated your security program is, no matter how many frameworks you followed or regulations you're adhering to, that you can't put enough gates in the system, and that products that existed out there that were designed to try to help mitigate some of what was unique and different about ransomware, whether it's the business model or whether it's the technology involved, wasn't taking that approach. And so when we created the solution in
the company we really started from that failure's inevitable mindset, let's work backwards with the goal being that we're gonna detect and protect as much as we can and surgically focused on ransomware, but we're also gonna go beyond that and have our technology and our solution really assume that recovery mindset, so that if and when you have that ransomware event that impacts your organization, that recovery is that first order goal, and doing it safely, doing it efficiently and doing it quickly, because in most of these scenarios, like with customers and prospects we've helped, is that downtime isn't, oh, our employees can't be productive, that downtime is, I'm losing $2 million a day in revenue because I can't quote sales deals because my ERP system is encrypted and not accessible. Those are the things.

And there's the whole brand reputation, nobody wants to be the next headline, and another thing too, ransomware has become a when are we gonna get hit? Not an are we gonna get hit? It's really, no organization globally is safe from it. Share a little bit of the stats of ransomware and specifically ransomware as a service with the audience so they really understand the gravity of the situation, and then we'll kind of dig into why there's some vendor confusion out there.

Yeah, so, you know, I will say, as somebody that, you know, has been a part of solving really hard cybersecurity issues for the majority of my career, is first and foremost, you know, the cybersecurity industry can be a victim of its own habits to some extent. And I would say the first thing that you hit on, that is vendor confusion. Cybersecurity has become a multi-billion dollar industry. There's products and services for everything, for specific cybersecurity risks. And so it creates a lot of just, you know, if I'm a practitioner, I'm a chief information security officer, it creates a lot of noise. You know, just being able to sift through and understand what is actually something that'll help me mitigate this risk.
What is a control that I can put in place is actually effective, because we as an industry, you know, want to elevate cybersecurity to more of a business conversation, which is, you know, in a risk conversation. At the same time, not all risks are created equal, not all risks exist the same when you're theoretically talking about business risk and then you transition to what happens when that risk happens in the real world. There's a disconnect there. Additionally, you know, in our quest to try to make cybersecurity more accessible, whether that's to, you know, bring more people into the field and make it a more accessible career choice, to demystify a lot of the technology because it's a very technical field. You know, and to meet, you know, we've pushed out, and the motivation was great, things like, you know, NIST standards and MITRE, you know, frameworks for understanding the problem space, and we get so fixated on, are we following the playbook? Are we following the standards that somebody has laid before me? We're not questioning and we're not taking a step back from those and de-confusing the problem that you have, you know, that these organizations face and how is the most systematic way of going about preventing and responding to these types of problems like ransomware. And so it's created the kind of this perfect environment of high noise, low signal when it comes to understanding the risk, but more importantly what you can do about the risk. And so that, you know, that is probably one of the, you know, one of the unique aspects of where we are today. And so you have, you know, thousands of cybersecurity solution providers out there saying, this is how my phishing solution stops ransomware. This is how my XYZ solution or service stops ransomware, and it's just, the reality is it's not as, you know, at least with broad based security controls that are there just to, you know, to try to give you as much coverage as possible.
You know, they don't really take into consideration the unique attributes of ransomware, of the business model of, and you talked about it, you know, the difference between the ransomware operators, the threat actors that are engaging in the actual, you know, ransomware event, things like initial access brokers, it's just a very complex topic. And when you're bombarded as a practitioner and as a CISO with all of this, you know, you want to make it easy, you want to try to kill as many birds with a stone, so to speak, when you're deploying product or you're engaging vendors, and it's, unfortunately it's a dynamic, you know, threat, it's a dynamic risk, it's a very complex kind of, you know, attack or supply chain, and as a result of that it's created an environment that's made it really hard for, you know, for organizations to get their arm around it effectively, so that when they do and if they do actually have their event, they know how to respond, they know what the playbook needs to be, and we can actively, you know, actively start to see progress in shrinking this average time to response of being 24 days now to being four days. You know, not being, you know, in that, you know, hypothetical example where you're, you may be, you know, not able to recognize or to book, you know, over a million dollars revenue a day, you do the math on, that's 24 million dollars if the average recovery time is 24 days. So, you know, that's got to be shrunk, and in order to shrink that, that was really kind of the call to action that we saw when Colonial first happened.

Yeah, that the response time, the recovery time is absolutely critical, because what you talked about, that even the reduction from 24 days to response time to four is huge, because ransomware is, I read a stat, I think it was from Cyber Ventures in the last year or two, where once every 11 seconds a ransomware attack happens. So the threat is there, but it's an existential threat to organizations globally. Ransomware as a service is very lucrative.
How should organizations be thinking about ransomware with the failure is inevitable mindset? It sounds like to me it's a mindset shift and a tool shift to help start dialing down the vendor confusion, but how should organizations really be approaching ransomware from a response and a recovery perspective, and how does Halcyon help them achieve that?

Yeah, so I mentioned this in my answer a few minutes ago. First is viewing it more through the lens of ransomware, is viewing ransomware is more of the next evolution of advanced persistent threat. So APTs, which is the acronym for advanced persistent threat, I don't wanna get too jargony given that we're really good in the cybersecurity industry at clinging onto our jargon, but was really back in 2008-ish when Google Aurora published their research on basically foreign governments getting persistent access to networks, whether it be defense industrial based suppliers or whatnot, to steal intellectual property. And that really was a wake-up call for the industry and for CISOs and practitioners, like, you are a target even though you're a commercial organization and whether you wanna be or not, because there's this thing called geopolitics going on around you and you were privy to that whether you want to be or not. So first and foremost, viewing it as kind of that next evolution where it may not be governments that are directly engaging in the activity, but there is relationships there, disparate, plausibly deniable relationships there. And so they're very advanced, they're very focused on the outcome, and the big difference is, whereas maybe with APTs of old it was governments or directly affiliated government groups trying to get persistence, trying to steal intellectual property, the goal with ransomware is pure dollars and cents, and it is with a secondary being maximum leverage to be achieved so that they can reach their goals.
The second piece, beyond kind of just that threat actor, is understanding that the business model has a big, big difference here. It's not just trying to disrupt operational continuity to target you, it's not just about trying to get access and stay beneath the radar and not be too disruptive and hope you don't get found. It is much more, let me get in, let me get out, let me get the keys to the kingdom from a data perspective or lock up your operation so that leverage is achieved. And then finally, as I mentioned earlier, is you got to really kind of, security organizations and security leaders got to really change their mindset, and it's really hard, especially when you're problem solving, but work backwards from what type of outcome, if you're gonna approach this as failure's inevitable and that you don't have 100% of control if you're gonna have a really bad or really one of your worst security response days because of ransomware, but you can control, hey, when and if that day happens, here's what I have in place proactively that gives me mitigating controls or visibility and operational, the tooling, so that I can move from detection and protection immediately into response and recovery seamlessly, and that you have not only the tools there but you have the partner there that, you know, there are little things that we look over when we were talking about cybersecurity, like, oh, there's gonna be other stakeholders involved. I have a ransomware event, the first call I'm making is to my cyber insurer. Once the cyber insurer's involved, you don't get to call the shots anymore, cyber insurer calls the shots. I don't care whether you're CISO or Coca-Cola or another enterprise, not to, you know, that's just a random example, but it doesn't matter how big the organization is, you, you know, now you layer on top of that the new SEC reporting requirements that were just rolled out recently in Black Hat, and it's a very dynamic environment with a lot of stakeholders where a lot of the control and a lot
of, hey, this is the most important goal, everyone else, we're working backwards, like, can get really lost in the shuffle because you have other players involved that are worried about other things, not that they're not invalid things, but they're not the same things as the organization that's dealing with a ransomware event. They're thinking, how do I safely get back up and operational as soon as possible, and that is not necessarily how the cyber, you know, the number one priority for a cyber insurer or the number one priority for a retained general purpose incident response partner that you've pulled in.

Wow, Chris, this has been a fascinating conversation. Thank you for, first of all, telling us about Halcyon, the catalyst to launch the company being Colonial Pipeline makes perfect sense, how you're really helping organizations to defeat ransomware in the real world, which is, as we talked about, an existential threat. It's a mindset shift, a toolset shift. We appreciate your insights and your time, Chris. We're gonna have to have you back on the program because I feel like we're disrupting the surface here.

Yeah, it's an interesting topic and I really appreciate the time. Sorry we couldn't go a little bit deeper, but happy to be back anytime.

Next time, all right. Chris, thanks again. We wanna thank you for watching the AWS Startup Showcase, cybersecurity. We appreciate your time and your insights. For Chris Lam, I'm Lisa Martin, we'll see you next time.