In The Arena by TechArena - Disruptive Security Innovation with VectorZero
Episode Date: July 17, 2023
TechArena host Allyson Klein chats with VectorZero CTO and co-founder Sean Grimaldi about his extensive experience fighting bad actors to protect the nation’s security and how his learning at the CI...A has informed his approach to elimination of attack vectors at VectorZero.
Transcript
Welcome to the Tech Arena,
featuring authentic discussions between
tech's leading innovators and our host, Allyson Klein.
Now, let's step into the arena.
Welcome to the Tech Arena.
My name is Allyson Klein,
and today I have a very exciting
guest with us, Sean Grimaldi, CTO and co-founder of VectorZero. Welcome to the show, Sean.
Thank you, Allyson.
Now, I usually have folks introduce themselves at this point in the program,
and your introduction is unlike any other that I've ever had in terms of background.
Why don't you go ahead and introduce yourself and talk about how you got to Vector Zero?
Sure.
Coming up in my career, I worked at a couple of tiny companies.
And then I went to Microsoft, which was just getting going, building a database called SQL Server.
It really felt entrepreneurial and I enjoyed
just trying to reshape the industry. And that was clearly the goal to democratize data and really
change that whole landscape. And so I wanted to be a part of that. It was exciting. I really enjoyed
that and bringing shareholder value. It was an exciting time.
When I was at Microsoft, I had seen some people who were trying to, malicious actors who were trying to hack SQL Server and other products that I contributed to.
And some of them were just trying to get access and maybe get data and leave.
But other ones were remarkably sophisticated and they were trying
to establish persistence. So I thought, I want to learn more about those kinds of threat actors.
And in general, they were largely attributed to just be state actors. So when I left Microsoft, I went to CIA and CIA has unique legal authorities, including they can take actions as directed by the president that include things like offensive cyber.
So that was a world I wanted to be a part of.
And I was fortunate enough to be a part of it for 13 years.
Then after Microsoft and after CIA, I felt companies were really in a predicament.
If they didn't apply great cyber hygiene and keep everything as secure as possible,
a lot of pundits or people could say they haven't done their part. But then on the other hand,
the experience I had at CIA was when companies do their part, it's very hard to stop a nation state actor who's motivated. So what I wanted to do at Vector Zero is give
companies and organizations a chance where if they at least did the right things, they would have
good odds of retaining control of their data and processing. That's how I ended up at Vector Zero.
an incredible target for a number of nefarious characters. And then at the CIA, obviously,
protecting the nation, you've had some views on what bad actors from nation states or independents
are doing, how they're attacking, etc. What is the focus on Vector Zero based on that collective
experience? And what do you think you're doing unique
in this industry to provide protection for enterprises?
I think that what we're doing
that's unique is being comprehensive. So today in cybersecurity, there's so many point solutions
and we're asking companies to integrate these many different point solutions together into a cohesive kind of defense.
And it's just overwhelming.
It's really hard to do.
Many of the point solutions have different kind of seams and end at different parts.
And to not only stand that up into a coherent, broad solution, but to keep it operating and
maintain securely in out years, it's really challenging.
So what Vector Zero is trying to do is create the very high security solution
for the company's most valuable data and processing and make that maintained very
well. That's where I've seen people go wrong, is that even if they can stand up something really secure, as the team moves around or the talent shifts to new projects, AI is exciting, for example, then the quality of their cybersecurity begins to erode. That's something we wanted to do, is get that to be a scale problem where we could work on it for many
companies and each company didn't have to acquire the expertise and retain them themselves.
One of the things that I've spent a lot of time on the show talking about is the development of
the edge and companies looking at much more distributed computing models where you really don't have a way of protecting your compute infrastructure,
your attack vectors.
How do you think about that?
And how are you talking to customers about how to deal with that?
I think about it as for our company, we're focused on cloud and cloud edge.
And so we extend beyond cloud edge. People
have talked to me about satellites, for example, doing protection of processing and data inside of
satellites or inside of missiles or inside of airplanes. But where we've drawn the line is
with cloud edge. And it's remarkable to me how much we have to trust just blind faith today. Like how few systems we can validate with cryptographic signatures.
I believe that most things we're just trusting, like components within an operating system.
A lot of those are, like, for example, I think Linux, the last time I looked was something like 25 million lines of code written by people from all over the world, from many
different walks of life with different motivations.
And then you just blindly trust one signature for that whole work, that whole operating
system.
So to me, it became like, how much of this can we verify with cryptographic signatures
and controls and make it more like an engineering exercise instead of a trust-based
exercise. I don't think, I don't want to say you shouldn't trust your cloud providers or
anyone else who's a service provider, but I just want to give people more ability to verify that
trust through cryptographic and kind of math and engineering rather than through policy and layers.
How do you see things like confidential computing
fitting into this and getting to a hardware root of trust
in those environments?
I think it's essential because as more and more workloads
are moved into the cloud,
you want to trust your cloud provider, obviously.
And they, as an ex-Microsofty, obviously I have a lot of faith in what the big
tech companies can do, but there are also a lot of people there, right?
Many of these companies have many thousands of employees that are contributing
code every minute of the day, all the time.
You know, if we can get cryptographic signatures
from the CPU all the way up through the bootloader
and the firmware, the kernel of the operating system,
the workload that that individual customer is running,
and the datasets,
you're beginning to change the discussion
from I trust the cloud provider entirely to I trust the
cloud provider and can verify a lot of the things they're saying. Today, most of the major CSPs are
making it much easier to get these kinds of measurements and attestation documents to prove
and make it verifiable, their claims.
So I think that's essential.
And I wouldn't be surprised if over time that attestation of how do I trust this particular
server and all the servers in this line of business to make that will become, I think,
more and more important.
And I can start to see that with some of our customers as well.
I've been following the security arena for as long as I've been in the tech arena.
And one of the things that we talk about is that the bad actors get more sophisticated,
the security solutions get more sophisticated.
And there's this kind of stepping forward that has happened over the years.
With generative AI, obviously, it's given tools to folks who may not have had the sophistication
to actually start implementing attacks on organizations. Is this an asymptotic moment
or a disruptive moment from a security standpoint? And what is the response
to use AI in an equal fashion to protect?
Yeah, I think you're right that a few months ago now,
a lot of the encryption today people think will possibly be broken through quantum computing.
So there is an effort underway to collect information that's encrypted today with the
idea that it can be broken with quantum computing.
Maybe not today, but maybe it'll be cost effective to do that in a year or two.
One of the things that's always been an impediment is just how hard it is to write programs for
quantum computers.
A couple months ago, I used one of the big language models, and I tried to get it to
help me write a quantum computing program that would factor large numbers and break
standard encryption.
And what was interesting was that if I wouldn't have had the AI there to help me, that task might have taken me months.
It might've been a really hard problem because I don't know a lot about quantum computing languages.
I've never created my own language, for example, or my own compiler.
So with the help of the generative AI, large language models, I was able on a Saturday morning to get
pretty close. And then I ran it in an emulator on the Google cloud that emulated a quantum computer.
It was really interesting to me. And I think that the offense is obviously becoming much
stronger. The malicious actors, it's becoming more and more accessible.
The time between an invention and when it becomes exploited will be faster and faster.
But on the other hand, on the defensive side, like something Vector Zero is doing, is we're
using machine learning and pattern recognition to not just look at drift, like what has changed
in the infrastructure from the prescribed infrastructure, not just what's drifted, but
what seems unsuitable. For example,
if IP address were to become public and we're trying to get to a point where our AI models
will say, that's not reasonable. We don't believe that any of these IP addresses should be public.
So to automatically adapt. And I think Gartner and other people are starting to call that
moving target defense, where
the AI can trigger an event and say, this is suspicious, take action on it. And then our
environment, for example, our infrastructure will automatically reconfigure to attempt to mitigate
that finding. So I think that AI will work on both sides of this equation. And like you said,
both sides will get stronger and stronger. But people who rely on very manual processes or
aren't able to keep pace will, I think, just be brutalized by some of this.
And that brings up my next question, which is, I know that you talk to a lot of companies about their security and the state of their security solutions.
We know that IT's top priority is security.
It comes in every survey that you read every year.
Security is number one.
Maybe performance will battle around that.
But security is always top of mind and prioritized for
investment. Yet we continue to read in the news year after year, month after month, data breaches,
denial of service attacks, all sorts of challenges that companies face on the daily in terms of
attacks. When you talk to customers, what are the things that you think
are the gotchas in terms of what the average company's security stance is versus what state
of the art is? And what would you recommend for a chief security officer to be thinking about
in terms of modernizing their security solutions?
In my opinion, I see a lot of people who are just overwhelmed. There's so many things happening at
once and there's so many responsibilities like retention and our compliance and just meeting
the needs of the business and now AI.
And there's just so much coming in at once.
It's hard to take a moment and prioritize it and say this kind of data and
processing is fundamental to our business.
If it were, if integrity or confidentiality or availability was not
present for this type of processing, it would
change our relationship with our shareholders dramatically, probably very negatively.
Whereas this other type of data, this other type of processing, it might annoy some people.
Certainly they're going to get annoyed if, for example, something that happens a lot
here is there's really heavy traffic around Washington, D.C.
So a lot of people have traffic maps and you can go in the cafeteria and see a traffic map of just all red.
But I think that kind of data is it might be a convenience for employees to have.
But for example, the data that's most valuable to a company around their intellectual property, or for example, their AI model and decision-making models,
all these things, whether the data is taken or whether they're changed in place,
that they could be corrupted or altered without the owner necessarily being aware of that,
will majorly affect the decisions and effectiveness of the company in the marketplace. To me, a really good first step for people who are responsible and accountable for the
security is to begin to separate data and processing into these two different types.
What's existential and what's convenience.
The intelligence community does this quite well because they tag data as like
top secret or, for example, their classified data. I don't know that as many corporate entities are
as good at tagging their data and separating it into these two different buckets and then
treating them differently. The data that's a convenience, it will get compromised. It will get taken and altered by third parties.
I don't think companies can stop that.
But if it's fundamental to what is this company about?
What value do we provide that's unique in the marketplace?
That sort of data, I think, needs to be segmented and processed in a different, more secure infrastructure that's much more secure than
just the convenience data.
Today, many companies I see treat those as just like, I have a lot of data, I have a
lot of processing, and it's mildly overwhelming.
But don't segment it that way.
You've been at Vector Zero for a little over a year and a half at this point.
When you look back at that year and a half, what are you most proud of accomplishing and what do
you want to accomplish with the company in the next year and a half?
One of the things that it
really excited me as someone who develops software and high security software was just, could we do it?
Right?
Like some of the things we're trying to tackle with automated moving target defense and
confidential computing.
Some of these are really innovative technologies that are emergent and developing rapidly.
Something I'm really proud of is that I was able to bring together a team
and make a software product that provides probably some of the best capabilities in the world for
extremely high security workloads and get that to work quickly. It was something I always wondered,
could I make that happen with non-nation-state-sized budgets? Could I get it to happen quickly?
So I'm really proud that it did work.
And now that's available to customers so that they don't have to try to recreate that themselves
or piece together all these different solutions in a coherent way and maintain it.
Something that you can just find someone who's an expert in it and we can do it
for you.
I think that's something I've been really interested in.
As I've worked with the intelligence community more and more as a member of
Vector Zero, I really do believe that we can create a new state of the art.
We can create a world where there's strong attestation across servers in a line of business, where encryption makes it so that even if someone does compromise your processing or your data, and they, for example, change a lot of your processing, that we can detect that and we can make it so that companies can operate more freely by using encryption as a stronger control.
With confidential computing, something that wasn't obvious to me at first was that the current model of encryption security is that we appear in a fairly high security environment.
Even like a corporate laptop, you would probably keep it encrypted at rest.
HTTPS is ubiquitous now.
I think all the browsers will admonish you if you're not using it.
Encryption in transit is ubiquitous.
But the encryption and kind of isolation processing and in memory is the third leg of that stool that's been missing until now.
Where it has been not in full operational mode.
I think that over the years in the future, this will become the norm that everything
will be encrypted in use.
Everything will be encrypted in transit and everything will be encrypted at rest.
To me, that kind of adds that defense in depth. It's really a pillar of zero trust
and makes it much harder. Even if you can break into a system and you want to, for example,
exfiltrate data, when you get it out, it's going to be encrypted. It's really hard to get past that.
So I think that's an area where we want to accelerate that and not make it a 10 or 15-year
goal. I think we want to make it for companies that want to achieve that, to make it more like,
at least for their sensitive data, more like a week or two goal instead of this really long
duration. That's something that excites me personally. I would love to see that
even if a malicious actor broke in
and took all of your data,
they can't get the keys and they can't get it.
Nice.
Sean, it's been great talking to you.
I would love to talk to you
about all of the bad actors
that you foiled while you were at the CIA,
but I don't think you're going to answer my questions.
So I'll just ask one more, which is if folks want to engage with you and your team and learn more
about Vector Zero solutions, where would you send them and how would you like to be engaged?
There's the vectorzero.ai website, which is a place you can learn a little bit more about us. But I'm on LinkedIn.
I read it pretty much every day.
I follow a lot of people and I have a good bit of followers on there as well.
And I would love if people would just reach out to me directly with their comments.
If there's, I feel like it's a way I can learn more about what's going on.
Recently, I've been interacting with people working on satellites, and I've learned more and more about satellite security.
So I just would like to help where I can.
And if there's things that are interesting or where I could help, please reach out to me on LinkedIn.
I would appreciate it.
Fantastic.
Thank you so much for being on the program today.
It was a real joy, and I loved learning more about Vector Zero and you.
Thank you very much for having me.
Thanks for joining the Tech Arena.
Subscribe and engage at our website, thetecharena.net.
All content is copyright by the Tech Arena. Thank you.