Bridging Cybersecurity: Detectify

The current events of COVID19 and the conflict in Europe have raised the stakes for cyber attacks. Jørn Larsen, the CEO of Trifork, talks with Rickard Carlsson, the CEO of Detectify, about trends in cybersecurity and how Detectify is leading the way. They discuss Detectify’s approach to fighting cybercrime and the impact of cryptocurrencies, war, and pandemic on cyberattacks.

Intro

Jørn Larsen: So, welcome to CodeNode, London. And in the studio here I have Rickard Carlsson.

Rickard Carlsson: Nice to be here. Thank you.

Jørn Larsen: So, you are the CEO of your company Detectify.

Rickard Carlsson: Yes.

Jørn Larsen: And you are in cyberspace, you would say?

Rickard Carlsson: Yes, in the space of cyber security.

Jørn Larsen : Cyber security. So, at Trifork we have a business area called cyber protection. We like to take the hat on that we protect our customers' data, and you are a company that helps customers to do just that. And maybe just, at the beginning here, a little bit about your background. And so, where did life start for you?

Rickard Carlsson: I'm Swedish. My background is very early on. I always had a very high passion and interest in technology. Disassembling anything I could get my hands on at home. Even, you know, as a five, six, seven-year-old kid I dissembled everything, and I tried to change things. Moving forward that moved in...

Jørn Larsen: You had to put it back together, or just disassemble it?

Rickard Carlsson: Partially sometimes put it together. So, I guess it was a bit of a fun thing for my parents. But then, later on, I always continued to try not to do things the standard way. I always tried to find a fun and creative way of doing things. But eventually, university-wise, ended up in applied physics, applied math, financial mathematics, and robotics. So, the mixture between physics and math and computer science. Did that for university, but in the end, very common would be to end up with like a Ph.D. or something, but I realized I didn't want to do it, so I became a management consultant, actually, on the side instead. 

I worked as a management consultant for technology companies for about three and a half years in Stockholm and San Francisco, but then realized I wanted to get back to more technical things, and that was when I was introduced to my technical cofounders that had started to write the prototype of Detectify.

Jørn Larsen: So, you were brought in as the business guy in the company that already had the product?

Recommended talk:Expert Talk: Software Security • Jim Manico & John Steven • GOTO 2022

Rickard Carlsson: It has the foundation of a small product in place. I was brought in because of a mix between them, the business consulting and business end, but the real background in technology because, I guess they forced us through, I don't know, 15, 20 languages, or coding languages at the university is because you have to solve problems. So, I have a background in tech, but then learned some of the business sides as well.

Jørn Larsen: And what do you like to do in your spare time? What are some of the passions you have?

Rickard Carlsson: If I would get to the one thing in terms of like sports, it would be skiing. I'm an open racer. I'm a ski instructor. I still do master racing at the age of now 37, so I started racing again with my sky club and ski touring all over the world. That's one thing. I also spent the last four years building a house by myself. So, did that instead of just hiring contractors, so like, why not do it next to running a company.

Jørn Larsen: Then I hope you'll come and visit me in Switzerland? I have my daily life in Switzerland, and I'm just setting up a new clubhouse. This is our London clubhouse. I'm setting up a new clubhouse in Andermatt in Switzerland if you...

Rickard Carlsson: Nice place.

Jørn Larsen: ...if you know that area?

Rickard Carlsson: Yes.

What is Detectify’s mission?

Jørn Larsen: So, I hope to see you there one day. So, also the company. So, maybe talk about exactly how you work with your customers? You know, what's your mission?

Rickard Carlsson: What we do is that we help organizations understand their external attack surface, because what's happening when...most of the researchers today, they want to... I mean, everyone has left old development, waterfall type of processes. Everyone is aiming nowadays to move as fast as possible. At the same time with that, you need to decentralize security. But what happens then is many companies lose control. They don't know what they're exposing. They don't know their external attack surface, because of the technology stack, and what is being changed so rapidly and so frequently for a company. So, we help organizations get that outside-in view of their attack surface, and then we simulate attacks towards that one. So, we can also try to point out any, like, weaknesses or improvements that can be made.

Jørn Larsen: So, you have continuous development, continuous deployment, continuous everything? Do you represent continuous white hacking?

Rickard Carlsson: Yes. We simulate attacks and hacks toward your external attack surface.

How to simulate hacks toward external attack surfaces

Jørn Larsen: How do you do that? How do you do the split between what you put in, so, real people hacking or trying to penetrate the surfaces, and how much is done with tools? Where are you there on the...?

Rickard Carlsson: We are 100% tool-based.

Jørn Larsen: You're tool-based?

Rickard Carlsson: So, as a company, we don’t have professional services or manual hacking activities, like penetration testers. But we have pen testers employed at Detectify, but they don't work as pen testers. They work as security researchers trying to find and develop new attack methods so that they can implement them. 

We also work with a group of nowadays about 400 freelance hackers. So, when they find new attack methods, they send them to us, we implement them as security tester modules, and then we run those tests on our customer base. We can be very fast, I think that's the thing. From when we get something submitted, from our external hackers, to when we have it live, we're down to 15 minutes today.

Jørn Larsen: And what do you call such a pattern?

Rickard Carlsson: It's like a security tester module.

Jørn Larsen : Ok.

Rickard Carlsson: Yes.

Jørn Larsen: Do you immediately change the software that then tests your customer's software?

Rickard Carlsson: Yes.

Where will Detectify be in 5 years?

Jørn Larsen: So, where will Detectify be in five years?

Rickard Carlsson: It's an extremely hard question to answer because if anyone will be able to tell where cyber security needs will be in five years, I think it will be a very hard question to answer. What I know is we work with freelancers, because we know that no company will be able to employ all the security experts they need internally. So, we base our company on crowdsourcing of security knowledge. I know that that will be sort of a stable base for the company, but then exactly how we take things from the freelancers and automate it and how to run those tests, and on what technologies, I don't know. But I think that's the benefit of working with external researchers because we will always try to have always the best knowledge.

The effect of remote work on security

Jørn Larsen: So, having just passed, hopefully, this COVID you can say incident or event in the world for the past two years, where we had lockdowns, opening lockdowns again, I know from my company that we were fairly quick to transfer into working remote and because it was actually something we were already doing before, and our customers were not always prepared for that. But even the most conservative companies, had to learn it quite quickly. So, how did that affect the security, you can say, the situation around enterprises as you see it, and how did it affect your company?

Rickard Carlsson: I would say, it impacted enterprises. Enterprises have... that still trying to see security with the consideration of a perimeter, and they say, "Okay, inside of this perimeter, you can do whatever you want almost, and outside of the perimeter, we're trying to keep the bad people outside." People that had a security setup that was very heavily based on a perimeter, most likely saw much higher risks because suddenly the perimeter... since people were not logged into their Ethernet cable in the office, but they needed to, some say, dial in from the outside, risks increase because of the perimeter. Organizations that didn't, that it's much more zero trust, or the perimeterless company, or beyond core for these different methods or tests, I think they saw not so much increase in security risks at all. So, it depends, I would say, on what stage or how modern you are as a company, the security risk that you see.

Then for us, as Detectify, of course, it's super... I think half of the people that now work at Detectify have been onboarded through a pandemic. So, they haven't met all their colleagues, of course, and all of these things. That impacts interpersonal relationships a lot. I think you need to also be much more... it's harder to communicate and convey information when onboarding your people. I think that's much harder because otherwise, you hear things. People can pitch in much easier. When everybody is more isolated, you need to be much more structured in training, and I think that we could have done much better because we're trying to do it better now, put in much more formal training that we didn't think was needed before.

Recommended talk: The Secrets of OAuth 2.0 Part 1/2 • Aaron Parecki & Eric Johnson • GOTO 2020

Jørn Larsen: And how did it affect your revenue growth? Did you see an uptake because some companies were more vulnerable?

Rickard Carlsson: I wouldn't say that. Of course, first, everybody was scared and was holding on to their money. And then the second thing, what benefits us is not this work from home, people needing more VPN licenses, people needing more things to be able to work from home. That type of security does not benefit us. What benefits us is rather we work with a lot of technology companies, so they saw more business, and now we're seeing that transformation is impacting us in a good way, especially in the field that we operate in now. Since if you're a company that's not digital, you will most likely in a fairly near future you'll be dead. We're seeing that organizations that used to outsource all their IT are now actually building up their own internal IT function, and then our product gets more relevant for them.

Cyberwarfare

Jørn Larsen: Yes. And now we have a new situation in the world. So, it's like we go from one big event to another big event. We have nations trying to hack other nations, to be a little diplomatic here. And how do you see that affecting your business? Is it something you can see?

Rickard Carlsson: We speak to customers, and many are scared. Or not scared, I would say. They see the situation in a different light. Previously, you were maybe talking about cyber security, and people will say, "Hey, it won't happen to me." But I think the last few years, over the last, let's say five, six years with the increase in ransomware payments that is... I think most of the statistics had said last year was a $5 billion industry, something like that. With that in mind, and almost now the talk about that cyberwarfare is... You know, had the army, you had the navy, you had the air force, and now we have the cyberwarfare, I think that has been very much more generally understood now among many more people.

Jørn Larsen: Yes. So, all companies need to take this threat seriously?

Rickard Carlsson: Yeah.

Jørn Larsen: And you're a go-to company for, you know, mitigating that threat.

Rickard Carlsson: For some of the problems, yes.

The impact of cryptocurrencies on cyber incidents

Jørn Larsen: I sometimes meet people who say, that digital currency is hot.

Rickard Carlsson: Bitcoin or Ecoin or even more Dogecoins or whatever.

Jørn Larsen: Do you see Dogecoins and the rest of them being something that is fueling cyber incidents or not?

Rickard Carlsson: In most cases, I think it would be much, much harder to send...

Jørn Larsen : Anonymous money or...?

Rickard Carlsson: ...$3, $4 million to some person in Eastern European, Russia. You know, it would be much harder to do that if you wouldn't have the cryptocurrencies. Many people try to funnel that money through normal banking. It will be significantly harder.

Examples of cyber crimes

Jørn Larsen: Is there one incident or example that you remember clearly that was a hack, that was something that really took the world by storm and you were involved in somehow?

Rickard Carlsson: I think there have been multiple, okay, but maybe didn't take the world by storm, I would say. But you know, our team has been involved in quite a few interesting research topics. I think one of the more relevant ones, or that had a very big impact, was a new way of issuing SSL certificates is Let's Encrypt. Our team found a way how to issue a certificate for any domain. And they should say, they broke the authentication model in Let's Encrypt, meaning that you could be impersonating anyone online. Impersonating any bank because you can have a rightfully signed certificate and, you know, identify as that authority online. I think, of course, that was a fairly big one. I think a smaller one was maybe a few months ago when a colleague of mine, took over one of the name servers for Congo as a nation. So, he could reroute all traffic inside of Congo.

Jørn Larsen: That's pretty dramatic.

Rickard Carlsson: Yes.

Jørn Larsen: And some cases from your customers where they have turned to you and said, "Wow, it's really good you've found this vulnerability." Anything you...?

Rickard Carlsson: Hard to share.

Jørn Larsen: I don't want you to mention a customer, but maybe just a general idea that…

Recommended talk: Taking Security Seriously • Philippe De Ryck • GOTO 2019

Rickard Carlsson: No, but I mean, I think what is often interesting is you can look at it in two different categories, I will say. We have some customers that are very up to date on the very latest and greatest, and they rarely get... they get, "Mmmh, interesting. Cool." But then we have the people that are on the other side that are maybe a bit more like... Oh, it's like, "Oh, I didn't even know that that was an attack method." So, even though we tell them, "Okay, you have risks and problems here, they don't even understand that they didn't have the notion that could be a problem at all, because of the... The problem with cyber, I think, is the information asymmetry is so massive. The few people know a lot, know so much, and the general engineer developer, even if they're security interested, the difference in knowledge is so extreme I would say.

Jørn Larsen: So, the hackers are specialists and experts?

Rickard Carlsson: Yes but a developer is a generalist.

Jørn Larsen: Yes. So, that's a very good point, and that's why we need companies like you?

Rickard Carlsson: Maybe you have 20 developers in a team, and they have 20 generalists, but then on the outside, you might have 100 hackers, and each of them is super-specialized in a very narrow field. And, of course, could maybe try to, you know, find a weakness in some way or form.

Detictify: funding, diversity and events

Jørn Larsen: So, I can also see that you've been quite successful in raising money? An A round and a B round were a while back, and you raised $21 million...?

Rickard Carlsson: Yes.

Jørn Larsen: ...a year. And that's a considerable B round. So, that's kudos from us to you, because we run several companies as well who are startups. So, I think that's a big achievement, and some have seen a lot of potential in your company for sure. I'd just like to round off by talking a little about something I learned, and that is how many people are you in the company now? So, you say they fall into two groups. Do you have some freelancers or partners?

Rickard Carlsson: Yes.

Jørn Larsen: And then you have employees?

Rickard Carlsson: Yes. We have about 130 employees today, the majority based out of Stockholm, and then we have a smaller team based in Boston and US around.

Jørn Larsen: What I wanted to talk about is diversity in your company, because the younger companies are, the more prone they are also to adopt the general trends. And so, around the topic of diversity, and what can you say what's your priority it is...?

Rickard Carlsson: US-based statistics, we're about 35 nationalities. In our company, I think we are, I don't know exactly, but we are somewhere I think it's about 4% to 2% women, or that identify as women. And management team is also that we are five women and two other men. So, we've set it as an objective actually from day one that we want to build a diverse team. And also doing it cyber is a bit trickier because then the cyber industry is very heavily skewed.

Jørn Larsen: The gender distribution is very too much male, so I think that's a huge achievement that you have done that. And I also believe that once you have created a diverse environment, work environment, it's easier to maintain it. Yeah. So...

Rickard Carlsson: If you're 50 guys, you're gonna try to hire...

Jørn Larsen: It's tough for the first non-guys for sure. So, what's next up? Now, we're here at CodeNode. Please tell us about this event that you're running here today?

Rickard Carlsson: We're trying to be out and meet people in the security industry, and I think also if you're looking at the people that we have also tried to invite speak is that we're trying to share knowledge. We're trying to bring in people that have a view on security that will share something relevant and interesting. So, hopefully, that will be a good event for that.

Jørn Larsen: Thank you so much, Rickard Carlsson. And this interview will be broadcasted from our side on our go-to YouTube channel, which just passed 30 million views, and is one of the major ones out there. And I'm sure that people will look more at your company hopefully when we have sent out this interview. So, thank you so much for coming to our studio, and Connaught.Rickard Carlsson: Thank you for having me.