As part of a founding team that is now running its third cybersecurity company, Bentsi Ben-Atar says that each member is a piece of the puzzle. He shares that each of them brings their own strengths, and he loves the highs and lows of being in a startup. Though Ben-Atar previously held more technical roles, he is now CMO of Sepio, which provides hardware access control solutions. While these vulnerabilities have existed for a long time, he explains that there wasn’t good technology to detect hardware-based attacks. Sepio has been working to create a new domain to prevent these attacks, which involved educating the market about the problem. With the team’s experience in cybersecurity, they had connections to CISOs who were eager to try new solutions and share them with others. Ben-Atar shares that finding the first customers who can be ambassadors for your solution is important for success.
I’m really interested in hearing your personal journey leading up to Sepio and what you’re doing with Sepio today.
The group of founders, we’ve actually been working together for almost 30 years. We started out as an academic reserve in 8200. Since then, we’ve been working together on various companies. Sepio is our third cybersecurity company together. The first two were successfully acquired by NASDAQ-traded companies.
When we decided to go on our next endeavor, we looked into the market and we said, “We’re too old to do big data and all those flashy buzzwords. But we know networking with great intimacy.” We’ve identified that this domain is lacking the required technology and required measures to detect rogue devices and hardware-based campaigns.
This domain was previously one perceived just as a spy business; it is no longer the case. The cybercrime syndicates and even the average Joe can have the same state-level capabilities with regards to hardware attack tools as a well-financed agency. Using an attack vehicle that existing cybersecurity products didn’t take into consideration allows the attacker to bypass a lot of the security measures. What happens if you’re using a device that completely impersonates a legitimate device, even if it’s a simple device like a keyboard or a mouse? These vulnerabilities and these blind spots within the existing infrastructure are something that attackers are happily exploiting with great success over multiple domains: critical infrastructures, ATM attacks, financial swift transaction attacks.
Hardware attacks actually apply to a variety of domains. People moving into cloud environments doesn’t minimize the effect of this problem. Actually, it even intensifies. You still use your keyboard, and you’re still using your mouse in order to navigate and run your commands. A qualified attacker will easily log your keystrokes and take screenshots of your confidential data, and then he will use that to run a data leakage ransomware attack or even a data encryption attack.
Why aren’t we more advanced than what you’re describing?
There are several reasons. The first is that hardware-based attacks require some physical contact or some physical proximity to the victims. You will go after a certain bank or after a certain power plant. Once they are attacked, they are very reluctant to share the fact that they’ve been breached over their cyber-physical security. There are very unique attacks that usually are kept well hidden.
None of the existing security products can detect those attacks, so you don’t have those kinds of flashy animation of attacks coming out from China and targeting East Coast and West Coast, so from the CISO perspective, this is a problem that appears in Mr. Robot, Mission Impossible, or James Bond. So he would say, “I’m not of interest to anyone.” If you have something that is of value—your customer database, your IP, transactions that someone can carry on your behalf—you have valuable data. And someone, if they find an easy way in, will go for it.
What you’re describing is a maturity of understanding of how this actually happens and how we defend against it. Currently, a lot of these organizations are helpless against these attacks and part of it is because of the lack of attention that CISOs may be giving to the interest of others to attack. Right?
Yeah. There’s a lot of misconceptions. For example, the term “rogue device.” Every company takes its own approach about what defines the rogue device. The fact that you, as a CISO, buy a solution that promises you to mitigate rogue devices makes you feel comfortable.
It’s a lot of misconceptions, especially with everything that has to do with USB devices. This is something that still puzzles me. USB vulnerabilities are probably the oldest malicious type of interface. When you go into a CISO and you ask him, “What is your USB policy?” He would say, “We do not allow USB devices.” We’ll ask, “How do you type? How do you navigate?” “A keyboard and a mouse.” “How are they connected?” “That’s through a USB.”
For some unknown reasons, the keyboard and mouse are treated differently than other USB mass storage. If this is the device that is allowed to connect, guess where the attackers will target? They’ll target the mouse and keyboards.
You’re a co-founder, but you’re also the chief marketing officer, transitioning from a very technical CTO level previously. What made you decide to make that switch in what you’re dealing with in the day to day?
Because of two things. First of all, it’s a challenge. I love the challenge. I think that in order to bring this new concept of “zero-trust hardware” access into the market, you need to come with some qualification so people will listen.
And we’ve been working as a group of founders, and each one of us is a piece of the puzzle. So one acts as the CEO, and the other is responsible for the engineering and product. We’re like a team, and each one has its own strengths. I happily took this challenge upon myself.
What have you found works really well with educating the market on the need for a solution like this?
You have to have the first wins that you can use as references, and those will be your ambassadors for educating the market. If you’re able to convince five, then those five become your ambassadors of hardware access control.
In order to find those first early adopters, you need to look for those very unique CISOs. I’ve categorized them as the evangelizing CISOs. They happily adopt the solution once you’ve proven them the value. The other kind will be the followers, who will look up to the evangelizing CISO. There’s a lot of cut and paste CISOs that will buy whatever the others are buying.
We’ve started with the evangelizing CISOs, and we were fortunate enough to have some of the most intelligent, professional CISOs that we met in our long career. Some of them ran organizations of like 50,000 employees, 20,000 employees, which for a young startup in its first year to get a customer of that scale is phenomenal. Once we got this reference, then they have taken us by the hand to their peers. As the years moved on, there were more incidents, more people arguing for this domain. If three years ago, I had to explain if this problem was really happening, then this is no longer the case. People are responsive, and we see that in our business results.
So over time, your marketing strategies are actually going to become a little bit easier for the world to understand because a lot of this extra education is getting solved by this parallel path that the world is on. Right?
Yeah. Besides the marketing, the sales activities are completely different. The people that you need in order to sell your product are more of an entrepreneur in nature, like BizDev type of oriented RSM so that they could find their way in, explain the problem, and find those opportunities.
You’ve been doing this for a while, but still decided to go on another company journey. Where’s the thrill for you?
I enjoy the rollercoaster atmosphere of being a startup. There are high highs and low lows. I enjoy the thrill of those highs and lows. And the challenge, we’re building something new. We’re inventing a new domain. Not a lot of people were looking for hardware access control, but we’re changing that. We were originally Israeli, so there’s no “can’t do it” attitude. It’s just a matter of time when we’re going to succeed.
Michael Matias, Forbes 30 Under 30, is the author of Age is Only an Int: Lessons I Learned as a Young Entrepreneur. He studies Artificial Intelligence at Stanford University, is a Venture Partner at J-Ventures and was an engineer at Hippo Insurance. Matias previously served as an officer in the 8200 unit. 20MinuteLeaders is a tech entrepreneurship interview series featuring one-on-one interviews with fascinating founders, innovators and thought leaders sharing their journeys and experiences.
Contributing editors: Michael Matias, Megan Ryan