As part of a founding team now running his third cybersecurity company, Bentsi Ben-Atar says each member is a piece of the puzzle. He shares that each of them brings their own strengths and he enjoys the ups and downs of being in a startup. Although Ben-Atar previously held more technical positions, he is now CMO of Sepio, which provides access control hardware solutions. Although these vulnerabilities have been around for a long time, he explains that there was no good technology to detect hardware-based attacks. Sepio worked to create a new field to prevent these attacks, which involved educating the market about the problem. Thanks to the team’s experience in cybersecurity, they had connections with CISOs willing to try new solutions and share them with others. Ben-Atar shares that finding the first customers who can be ambassadors for your solution is important for success.
I’m really interested to hear your personal journey to Sepio and what you’re doing with Sepio today.
The group of founders, we have actually worked together for almost 30 years. We started as an academic reserve in 8200. Since then we have worked together on various ventures. Sepio is our third cybersecurity company together. The first two were successfully acquired by NASDAQ-listed companies.
When we decided to embark on our next project, we looked at the market and thought, “We’re too old to do big data and all those flashy buzzwords. But we know networking with great intimacy.” We have identified that this domain lacks the technology and measures required to detect malicious devices and hardware-based campaigns.
This domain was previously seen as a spy business; this is no longer the case. Cybercrime syndicates and even the average Joe may have the same state-level capabilities when it comes to hardware attack tools as a well-funded agency. Using an attack vehicle that existing cybersecurity products have not considered allows the attacker to bypass many security measures. What if you’re using a device that completely impersonates a legitimate device, even if it’s just a simple device like a keyboard or mouse? These vulnerabilities and blind spots within existing infrastructure are something that attackers are happily and successfully exploiting across multiple domains: critical infrastructure, ATM attacks, fast financial transaction attacks.
Hardware attacks actually apply to a variety of areas. People migrating to cloud environments do not minimize the effect of this problem. In fact, it is even intensifying. You still use your keyboard and you still use your mouse to navigate and execute your commands. A skilled attacker will easily record your keystrokes and take screenshots of your confidential data and then use it to execute a data leak ransomware attack or even a data encryption attack.
Why are we not more advanced than what you describe?
There are several reasons. The first is that hardware-based attacks require some physical contact or physical proximity to the victims. You will go after a certain bank or after a certain power station. Once they are attacked, they are very reluctant to share the fact that they have been breached on their cyber-physical security. There are very unique attacks that are usually well hidden.
None of the existing security products can detect these attacks, so you don’t have this kind of flashy animation of attacks coming from China and targeting the east coast and the west coast, so from a CISO point of view it’s a problem that appears in Mr. Robot, Mission Impossible or James Bond. So he would say, “I don’t interest anyone.” If you have anything of value — your customer database, your IP address, transactions someone can perform on your behalf — you have valuable data. And someone, if they find an easy way in, will go for it.
What you are describing is a mature understanding of how this actually happens and how we defend against it. Currently, many of these organizations are powerless against these attacks, in part due to the lack of attention CISOs pay to the interests of others to attack. Right?
Yeah. There are many misconceptions. For example, the term “unauthorized device”. Each company takes its own approach to what defines a malicious device. The fact that you, as a CISO, are buying a solution that promises to mitigate malicious devices puts you at ease.
There are a lot of misconceptions out there, especially with anything to do with USB devices. This is something that still puzzles me. USB vulnerabilities are probably the oldest type of malicious interface. When you go to a CISO and ask, “What’s your USB policy?” they said, “We don’t allow USB devices.” We’ll ask, “How do you type? How do you navigate?” “A keyboard and a mouse.” “How are they connected?” “It’s via a USB key.”
For unknown reasons, the keyboard and mouse are treated differently than other USB mass storage. If this is the device allowed to connect, guess where the attackers will target? They will target mice and keyboards.
You’re the co-founder, but you’re also the chief marketing officer, moving from a very technical CTO level before. What made you decide to change what you do on a daily basis?
Because of two things. It is above all a challenge. I like the challenge. I think to bring this new concept of “zero trust hardware” access to market, you have to come with some qualification to get people to listen.
And we worked as a group of founders, and each of us is a piece of the puzzle. So, one acts as CEO and the other is responsible for engineering and product. We are like a team and everyone has their own strengths. I took up this challenge with pleasure.
What have you found that works really well to educate the market on the need for a solution like this?
You must have early wins that you can use as referrals, and these will be your ambassadors to educate the market. If you manage to convince five of them, these five become your hardware access control ambassadors.
In order to find those early adopters, you need to research those very unique CISOs. I classified them in the category of CISO evangelists. They happily embrace the solution once you’ve proven its value to them. The other type will be the followers, who will admire the evangelizing CISO. There are a lot of cut-and-paste CISOs who buy everything everyone else buys.
We started with CISO Evangelizers, and we’ve been blessed with some of the smartest, most professional CISOs we’ve come across in our long career. Some of them were running organizations of 50,000 employees, 20,000 employees, which for a young startup in its first year to get a client of that size is phenomenal. Once we got that referral, then they took us by the hand from their peers. Over the years there have been more incidents, more people arguing over this area. If three years ago I had to explain if this problem was really happening, then it is no longer the case. People are responsive, and we see it in our business results.
So over time, your marketing strategies are actually going to become a bit easier for the world to understand, because a lot of that extra education is being solved through that parallel path that the world is on. Right?
Yeah. Apart from marketing, sales activities are completely different. The people you need to sell your product are more of an entrepreneur nature, like the BizDev oriented RSM type so they can find their way, explain the problem and find those opportunities.
You’ve been doing this for a while, but still decided to take another company trip. Where’s the thrill for you?
I enjoy the rollercoaster atmosphere of being a startup. There are ups and downs. I love the thrill of those ups and downs. And the challenge, we are building something new. We are inventing a new domain. Few people were looking for hardware access control, but we are changing that. We were originally Israelis, so there’s no “I can’t do it” attitude. It is only a matter of time when we will succeed.
Michael Matias, Forbes 30 Under 30, is the author of Age is Only an Int: Lessons I Learned as a Young Entrepreneur. He studies artificial intelligence at Stanford University, is a venture capital partner at J-Ventures and was an engineer at Hippo Insurance. Matias was previously an officer in Unit 8200. 20MinuteLeaders is a series of tech entrepreneurship interviews featuring one-on-one interviews with fascinating founders, innovators and thought leaders sharing their journeys and experiences.
Contributing Editors: Michael Matias, Megan Ryan