In Santa Clara (CA), we meet co-founder and CSO of Cyphort, Fengmin Gong. Fengmin talks about his story how he came up with the idea and founded Cyphort, how the current business model works, as well as he provides some advice for young entrepreneurs.

INTRODUCTION

Martin: Hi. Today we are at one of the safest places in Santa Clara, the Cyphort. Fengmin, who are you and what do you do?

Fengmin: Yes. I’m a co-founder and also the Chief Strategy and Technology Officer od Cyphort.

Martin: What is Cyphort?

Fengmin: So at Cyphort, what we are really doing is we are offering the next generation advanced threat defense product. Think of it as a tool, but it’s a tool that is helping the enterprise IT people to really implement this new thinking about the best way to defend against advanced threat. And with that new thinking, new approach, our tool is actually designed to best help people implementing that new approach.

Martin: When did you start this company, and what did you do before?

Fengmin: The company was started in around March of 2011. And before that, I kind of did a few startups. And I’ll go back a little bit just to give you an idea. After I finished my PhD from Washington University in St. Louis, Missouri in the U.S., I spent about eight years on DARPA funded research projects, and that is mostly working on high speed networking and basically security. So for DARPA project, you typically actually build a prototype, not like National Science Foundation kind of project where you write papers.

So that eight years, I always think of it as a training for me. Once around Year 2000, that’s where we saw a few security startups, the early days of intrusion prevention or detection products, we realized that we have been doing much more advanced technology and building prototype under the DARPA project. We believed a much better technology and solution compared to some of the startups. So that’s where I started having the initial idea of maybe I should create a startup. Actually, it’s around that time that I got the first opportunity, first call to do a startup in Silicon Valley. So that’s when I moved and started my first company called IntruVert Networks. That is really an intrusion prevention product company.

Followed by that company, we were basically acquired by McAfee. So we went to McAfee and I worked there for a few years to help integrate that product into McAfee portfolio. But then I went to start up my second one, that is, Bartel Networks, a next generation firewall, followed by also two years as a Chief Security Content Officer at FireEye.

What I want to probably really point out, the main thing, I think, in this kind of past is always I tried to keep up with what the security threats are going, where it’s going, and how the IT infrastructure actually is evolving because a combination of those two really create or define new needs for tools for people to defend. So pretty much that’s kind of my career, how it has evolved, and even come into founding Cyphort is actually continuing on the same path and always trying to build the next best tool that IT people can use.

Martin: Who are your customers?

Fengmin: For us, the customer really includes all enterprise class companies. The product is helping them to really protect the threats that are either coming from the external coming to their network or some threat landed on their network, actually moving laterally inside the network. It’s not going to be industrial sector-specific because, as you know today, that kind of threat problem is applicable to every sector. It’s only mainly determined by how sophisticated and at what stage their enterprise actually understands the problem. So it’s across the industry sectors.

Martin: Fengmin, do you only help identify the threat, or are you also helping mitigate the threat?

Fengmin: Yes. That’s a very good question. We built a product to actually best support this new, I would call it, paradigm shift in terms of how do you deal with advanced threat. What we realized was really for enterprise, the bottleneck, if you will, in advanced threat defense is really with the ability to detect the threat reliably, cover all the vectors of potential threat propagation, and also provide a very actionable, relevant results for them to take action. So once we realized that is the main problem, the Cyphort product was built with the focus on accurate detection and covering all the bases, make sure that you detect them, and also with very reliable and very relevant data to the enterprise under protection.

But today what we don’t do is we do not provide a firewall function for you to do an enforcement. The reason we didn’t position the product this way is we realized that most of the enterprise already have one form or another next generation firewall or some of the security web gateway and they already made an investment. They have that product deployed, and those products are not doing the best defense for the enterprise because they do not know what data to use to actually make a blocking, for example. So if someone tells them this is the kind of data you use to do that blocking, they can block it well. So we come in to fill that gap and we want to provide that detection data.

Martin: So this means that your main focus is identification of the threat and then you push this kind of information or the result of it, who’s the threat and who is not to the firewall, who will then decide if this a threat according to Cyphort, you won’t allowed it in?

Fengmin: Correct. Actually, that brings us to this second notion. We talked about this new paradigm shift, right? The notion people say is you have to continuously monitor all the possible vectors and then you try to determine what exactly happened, what’s relevant to your environment, at what stage the attack is going, and then with this very specific data, you want to turn it into actionable data. So what we end up doing is associated with this notion is a notion of an ecosystem-based defense approach. So that’s when Cyphort detects something from Day 1, the product support is out of APIs. So it basically allows any other product to consume the results in a fashion that is readily implementable for blocking something.

Martin: How do you define a threat? Is spam also included in the definition?

Fengmin: We would not consider the typical email spam you think in the past where someone is mainly sending an email, a lot of message just to spread maybe some rumors, right? What we are focusing on is think of malware pieces, maybe a piece of code, compared to the old days of the virus. Now the advanced one that comes in not only have a lot of attack payload but also have a lot of capability to try to hide itself and also have a lot of network-based communication to go back to the server. So that’s where the malware is really the most lethal weapon, if you will, for the modern threat, right? So the malware is really the focus, and then anything associated with that. So you mentioned the email. Although the spamming is not the focus, but email as a vector for the malware to get into the enterprise to infect someone’s machine. So we also cover the email. We make sure we are able to extract the files and then inspect them to actually detect them as well.

Martin: You have two sides of the equation. You have, on one side, the attackers, and you have on the other side something like Cyphort who is defending the company. And there’s always this kind of competition. One time the attackers are in the frontline, and sometimes the defenders. How do you keep up with the speed that the attackers are developing? Because they are using different strategies. How do you keep up to date?

Fengmin: Yes. It’s very interesting, and this is indeed a challenge for us. One of the fundamental components in our detection technology is, in addition to use… people are all aware of this notion of sandboxing. Sandboxing is really useful to be able to detonate or run a piece of code and, based on behavior, try to determine if it’s malicious or not. Now, just using the sandbox to detonate it may not allow you to adapt and to cope with the new ones, but that’s how the old generation of the product typically implements a set of specific rules or look for a pattern, if-then-else kind of pattern or heuristics try to then determine if a piece of code is malicious or not.

But for Cyphort, one of the things from Day 1, we realize what we need to do is to marry this detonation behavior-based with machine learning. So the machine learning allows us to do two things. Number one is indeed even for a piece of malware, we’ve already seen it’s something that maybe just happened, but by looking at the behavior of that and relying on the machine learning model to train and then build a more sophisticated mathematical model to predict and to generalize into the class of malware that have a similar behavior but it’s not the same thing. So we are able to detect that. That gives us the ability to detect unknown or you can also refer to as a zero day from a malware perspective.

Then the second thing that machine learning allows us to do is once we have this systematic architecture, then if we are able to continuously monitor, use additional means to collect new samples and to do the training periodically and then release the new model into the product, now we have a continuous learning and adaptation. So of course to complement and support the second part, what we have been able to do is, in addition to collaborating with a lot of other entities, the threat intelligence, companies and also community-based feed out there, we also have built what we refer to as a crawler infrastructure in Cyphort labs. What the crawler infrastructure allows us to do is to constantly go out, use our own hardware-based sandbox to go out to the wide internet and to get our sandbox infected. When that happens, and then we have the collection of new exploit pack and new samples, and that feeds into our machine learning, so that’s really at least a main part of our approach how to keep up.

Martin: This is also where my question relates to. I totally understand if you have lots of users and you get lots of data that you can improve your machine learning algorithms for detecting those threats. But when you started out, you did not have that much of a customer behavior data. How did you convince the first customers to say, “Yes, I’ll go with Cyphort,” without you having that much data which machine learning algorithm you can apply to?

Fengmin: Right. Of course, there are two parts to it. One part is indeed we need to leverage some existing collection of malware samples, and luckily with both some of the partners and also one of the well known ones that you’re probably aware of is Virus Total, and it probably has the largest collection of the malware samples. So by applying, using the existing samples, we are able to learn a model fairly recent. So that’s from the technical part. But then when it comes to engaging the customer, really I would say a few big steps that we have taken.

  • Number one is indeed really be able to identify the key problem the customer is facing and also showing that we understand the customer’s problem, and also have a common understanding of the best approach to actually improve their defense.
  • Once we have that conversation, then the next thing is we share how we build this product or the tool, how that tool would support this understanding of how to approach it.
  • And once we have that, really the third step is basically almost all enterprise customers would require that we actually make the product available and for them to actually test drive it. So they would actually go through an evaluation on their network.

Of course, in that process, we provide as much help to get them through the hurdle where they typically are always resource-limited, so we help them make it easy for them to install it on the live network and go through an evaluation period. So we are able to approach the customer that way, and we’re happy with what we have been able to do so far. Yes.

Martin: Fengmin, how do you show the customer whether there is a malware? For example, if I’m looking at a company and the emails they are getting. And what I understood is that you are also scanning some kind of files, whether there’s malware included or not, for minimizing that the system is breached. How do you do this in minimal? Is it just that you have some kind of bar which says, “Okay, 95% chance there’s malware included,” or if there is a special threshold the email doesn’t go through? What’s the process?

Fengmin: Yes. For us, actually in Cyphort product, we end up using multiple inspection message, we refer to. Because we realize for the modern attack, the malware, they can come in different ways and also they all have their sophisticated kind of evasive behavior in them. Some of them may evade a traditional virus scan, like a static analysis, right? You look at a code, how the code structure looks like, and then the behavior based on when some of them actually are able to detect if they are being watched in a sandbox, they may stop running. So what we end up doing is once we realize this, then whenever we get a piece of code that we feel this unknown, they could be a malware-carrying file, then we actually go through both static analysis, looking for known patterns, and also we have repetition data referenced to Virus Total, in addition to our own more kind of sophisticated static analysis and behavior. So in this case, what it means is when we decide if something is really bad, indeed there is typically a kind of a range of behavior, and you can almost think there is a threshold.

Today what we have done is intentionally not expose that kind of slider to the customer but we are able to take into account of this multiple methods of inspection, then we look at those information together. So for the machine learning, indeed we actually come up with the behavioral-based score. They range basically, let’s say, from a 0 to 100, that kind of scale. And we choose a threshold based on our training and also we in the future can allow customers to set based on how aggressive they are.

But the interesting thing, it’s helpful when we use both Virus Total and static multiple kind of method is if something is already known…because you expect, right? They don’t always use something totally new. There are a lot of them that use some existing things. So that’s the benefit of the product. If they use something that is not new, then additional methods, including the Virus Total, actually give us a context, and in that case, it’s fairly black and white. And we can even tell them what are the other products already, be this bad or the same thing, and then what the names they are referring them to. And then we can basically compare that with what our machine learning is telling us. So they both help us to improve the machine learning. At the same time, we can tell the customer if something is already known, potentially how long ago they have been out there versus all the way to something really new. So that way, the customer, based on how aggressive they want to respond to it, they could choose different path towards it.

BUSINESS MODEL OF CYPHORT

Martin: Fengmin, let’s talk about the business model of Cyphort. How are you making money with it? Is it a SaaS model or is it something like an installment fee?

Fengmin: Yes. That’s a very good question because we always have to make money. So in this particular case, the current model is we choose a software of virtual appliance-based delivery model but it’s subscription-based. So we have seen a lot of customers. The subscription-based one gives them some flexibility, at the same time gives them more like a steady kind of cadence for them to make the budget decisions. So the thing really, so far it worked the best for us, is really the software-based delivery along with support for virtualized environment. And in this case, we can be deployed both on premise and also when they choose to, like we have customers where already most of their computing have gone to AWS, and so in that case, they can actually deploy our product in the AWS environment as well.

The way the product is designed, because it’s API-based and software-based delivery, it allows it to be easily deployed and also provides a service in a SaaS model. So we are actually right now working on that based mainly on the customer demand because in the initial set of customers, we’ve definitely seen more customers want to have products deployed on premise because there is still some concern about their data going out of their network.

Martin: Are you somehow differentiating the SaaS products maybe based on volume or based on number of employees of the customer or some other metric?

Fengmin: Oh, the pricing model you are referring to? Yes. Right now, actually we have a pretty much unified pricing model that is based on the protected bandwidth.

Martin: What’s that?

Fengmin: So the notion is let’s say you may have multiple links, network action links you have to watch. So on that link, you know what the typical amount of traffic is going through it, so then you purchase our product based on that expected amount of data that we have to inspect and then detect and then protect. So actually that’s also one thing that we have got very positive customer feedback. What ends up happening is let’s say you purchase five gigabits worth of the traffic and then the Cyphort product does not limit the customer how many links that you are monitoring, maybe how many servers you deploy to monitor this link. So for them, that is very flexible because you may have multiple offices and distributed across the globe and then you don’t have different pricing models. It’s the total amount of protected link bandwidth.

Martin: Fengmin, how did you acquire the first customers, and did any of the process for customer acquisition change over time?

Fengmin: Yes, and that’s a very good question. The initial customer is really based on some of the connections, in this case, both the connection, let’s say, with the executive team and also the connection, for example, with our venture capital funding partner. That is very typical practice. It’s more about initially with the connection we have someone that is willing and open their ears to listen to us, and that is very important. But then quickly as the time goes, today we have a lot of customers, now they’re already coming through a very typical funnel. You think of that process from you have mind share and you have lead generation. So that means now it becomes at scale operation because those customers, because they know they have heard about Cyphort and they have a problem, then they see Cyphort as a potential contender for that, then that’s how value comes in. Today our customers, both from that kind of normal channel, at the same time they become much larger customers compared to the early set.

Martin: Sure. Is it mainly driven currently by inbound marketing, or is it also that you have a direct sales force which goes out to meet potential clients and then tries to acquire them?

Fengmin: Yes. We actually have. Cyphort has, I think, maybe a very interesting, very initial result. We were so happy we were doing so well. As you imagine, most of the enterprise company products, you always rely initially on a direct sales force to go after the account. But then for Cyphort, as actually even early this year, we already have several dozen partners.

Martin: Distribution partners?

Fengmin: Correct, and these are the ones… So it’s very rare in even my past several companies. At this early stage, we have so many partners and signed with us, and actually today we definitely have over 50% of our deals directly coming through the partner source versus our direct sales.

Martin: And can you describe this kind of partners? Are they more some kind of antivirus or firewall programs, or are they consulting companies, or what type of companies?

Fengmin: Yes. Actually, one example I would mention is this company called Optiv. They used to be there were two companies. One is called FishNet. The other one is called Accuvant. These are the companies that they have their own labs. They also have their own, of course, sales engineer and the whole workforce from the marketing all the way to product. So they typically help the customer define a set of solutions for their security protection needs. So these are really major players, and they help both for getting the customer and also, of course, some of the training and support, installation also are coming from them. So those two companies actually, a few months ago, they merged and they became Optiv. And we are one of the very select few small set of partners that they have.

Martin: Over the last four years, what have been the major obstacles while building and growing Cyphort? How did you manage those obstacles?

Fengmin: I think for us, the main things are all related to scaling up the sales, and this is where, of course, one of the things that we learned is, for instance, the kind of product. We are indeed an advanced threat defense product, so if you compare it to the old generation of some of the security products, they are more complex, and that means going to the enterprise, there are more dependencies with other product and also there is the education of the customer aspect. So we have basically at the same time not only helped to educate the customer for their adoption of the newer approach, the better approach for defense, at the same time to basically improve the product because you always scale from smaller customer in the key features then to more mature at scale features and for what we refer to as enterprise readiness. It’s really talking about more deployment scenarios and more other products to integrate with and also to account for different kinds of IT configuration. So most of our work has been along these lines, along with scaling up the sales force. That’s the main challenge in the last few months.

ADVICE TO ENTREPRENEURS FROM FENGMIN GONG

Martin: We always tried to help first time entrepreneurs make less errors. What type of lessons have you learned over the last 10 years maybe, and some kind of lessons that you can share with the audience?

Fengmin: Yes. A few things definitely, I think, that come off the top of my head and I’ve seen more entrepreneurs still having this issue.

Number one, I would say, and also coming from a technical background myself is really for them to avoid falling in love with their technology, and they always think of their technology as the best, can solve everything. So that is where they tend to forget about the customer side because oftentimes you have to have a direct connection to the customer pain and the problem. So that is one thing that happens a lot with entrepreneurs.

And of course, the next one is more related to the product ease of use, ease of deployment. And for people with an engineering or technology background, they always think, “This is so easy for me,” but then you have to basically to put yourself in the customer’s shoes. In that case, maybe it’s not that easy. You have to make it easier for the customer.

And then the third one, I would say, it happens a lot with first time entrepreneurs is they always are eager to present a big solution. So I refer to it as maybe the tendency to boil the ocean, where if indeed you have a good idea, you should solve the most urgent problem with that one or two features and you should show customer traction, and then you can move on. So that is a mistake they make, oftentimes also would give, for example, the venture capitalist the impression that they really don’t understand. They lack the focus. So those are some of the main things.

Of course, when it comes to the team and then culture, there are some things, I feel, it’s also very important because being a startup company in general, to maintain a very innovative culture is probably the utmost for the team efficiency and everything else. So that’s sometimes the founders, and they have to balance it out. When you look for people with big company experience, hopefully they leave most of the big company operation culture behind, right? That will be one interesting thing to watch out for.

Martin: And how do you check whether somebody is fitting into a startup based on the innovative culture?

Fengmin: I think this is where… For instance, one example is certain developers or technical people, they are very strong but then maybe their thinking always says, “You give me as specific a task as possible for me to perform, then I just deliver to that,” versus someone says, “I just want to understand what we are trying to build. What is this supposed to do?” And that’s what we call the objective, and then they actually can think about the best way to do it, versus you have everything specked out, exactly you implement this way and that way. So that will be very fundamental. Some people are very comfortable in working in one mode versus the other. And for startup, typically you would want to look for people who have a little experience and also willing, open to share and not to hesitate to say, “This is a better way to do it.” That will be a good way to look at people.

Martin: Fengmin, thank you so much for your time and for sharing your knowledge.

Fengmin: Thank you. It’s my pleasure.

Martin: And next time if you are having a really big website and you are thinking about threats that are maybe coming at your company, just look at Cyphort. Maybe this is a good solution for protecting your website.

Fengmin: Thank you.

Martin: Welcome.

Fengmin: My pleasure to share the thoughts.

Martin: Thanks.

Share your thoughts and experience

E-mail is already registered on the site. Please use the Login form or enter another.

You entered an incorrect username or password

Sorry, you must be logged in to post a comment.