Tech Brew Ride Home - (Portfolio Profile) Mimoto

Episode Date: October 8, 2023

Find out more at Mimoto.ai

Transcript
Starting point is 00:00:00 Welcome to another bonus episode of the Techmeme Ride Home, another portfolio profile episode featuring one of our investments from the original Ride Home Fund, although you'll hear that there's some AI tied up in this as well. Today we are going to talk about Mimoto. We are talking to Mimoto's founder, Chris Bondi. Hi, Chris. Hello, Brian. I actually know Chris a little bit because the last time I was in San Francisco, we met up for California. We met up for coffee and she almost came to my comedy show, but she went to another comedy show that,
Starting point is 00:01:09 if I remember that night, you had already booked a different one. I found out the last minute about yours. I would have definitely chose you over whatever else it was. It was fun. I don't know if they ever posted that online, but anyway. Okay, Chris, Mimoto, to find out more about it as we're talking, it's Mimoto.ai, M-I-M-O-T-O dot A-I. Tell me what Mimoto does and we're going to get into some of the weeds here of why I think, if you're a listener to this show, you've heard so many stories recently, you'll get immediately
Starting point is 00:01:43 why I was excited to invest in this company. Great. Well, so what Mimoto does is that we match a AI-generated verified profile with a specific person, which enables us then to understand what is happening within an organization. So what that means or what that can mean are things like account takeovers to know is it really that person who you expect it to be, as well as are people sharing credentials, which you can imagine, account takeover kind of sounds similar to that, as well as if you have a group account or root access, who specifically is the person doing that, as well as if there's a group account or root access, who specifically is the person doing that, as well as if there's, were data extraction, is that data, is it happening? And then is it the right person doing that? So it's really understanding for all the technical things that I'm sure you'll ask me about. The core difference is a fact that we don't look at a credential as being a person.
Starting point is 00:02:52 A person is a person. And so once you end up with that starting point, you look at everything differently. And so that is, that's what we do. And that's, it's, yep, that's what we do. Let me, before we get deeper in the weeds in terms of technically how this works, can you tell me the founding story where this idea came from, you know, the background of the team, like how you got here? Yeah. And actually that works very, very much into why we have that focus. So I have two technical co-founders, and one of them, Doug Coburn, had, this is our third time working together.
Starting point is 00:03:37 And so Doug, many years ago, had experiences where he would be brought into a company to help them with their, whatever technology he was helping them with at the time, and they would put in their credentials and walk away. So he at one point came into a large healthcare provider and somebody put in their credentials, walked away. He had access to 40,000 servers, 200,000 endpoints, jumped forward a few years, which in retrospect is not that long ago. He lived in Europe at the time, came into an international bank. Same thing, somebody put in their credentials, walked away. He had access to all the ATMs, Java-based, not version control. And that thing of what is the, you know, who's behind the credential. And so he contacted me three years ago and said, there's this problem I've been looking at forever.
Starting point is 00:04:26 And we finally got to the point technology-wise that we can address it. And what I look at it and see, was there something there, a market there? And when I looked at it, there was definitely what he had thought, but it was so much bigger than that. And then our other technical founder, David, was the, David ended up being the perfect match of that. Because Doug is the ultimate problem solver. And David is somebody who has, you know, not only does he have this background in data sets and software development, but he's either been in software companies or startup companies where he has been creating net new product or been in banks where he's been brought into, been part of a team that is, creating the next generation of something. So you have this like, I'm a problem solver. I will create
Starting point is 00:05:17 that thing to fix anything. And the person who's like, I will create the product. And then you have me. And your background as well? Oh, in my background is that in a prior life, I used to come into companies to get them to realize their vision. So a lot of, so there were seven acquisitions to IP, two IPO filings, but a lot of that had to do with the like, what is that technology and what is the business, what is the business that that technology will actually help? So I'm best known for serverless becoming a category. And the thing, though, that is particularly interesting for what we're doing is the fact that five years ago, I was in an Israeli company where we were creating digital doubles
Starting point is 00:06:09 that were predicting what people would do offline. So the fact that five years ago I was sitting on panels about the future of AI, I never thought five years in my future. I would be like, okay, what is the next, next, next generation of that? But it is, I would argue only because it's, you know, it's the way I look at it,
Starting point is 00:06:31 is that that combination of, you know, the person who's like, looking at the business and where things are going beyond the horizon, and then the, um, both problem and scaling. Like, I can't say that it is the perfect, uh, founding team for everyone. I would say it's definitely the perfect founding team for us, in part because the thing I forgot to say about my co-founders is that they're wonderful human beings. So like, pretty dang cool that I get to work with smart people who are also really nice. That helps, certainly. But so to come back to the product, I mentioned that, and we have mentioned, that there is AI in this.
Starting point is 00:07:14 The investment we originally made was before the AI fund existed. Otherwise, the AI fund might have taken a look at it. But so essentially what you guys do is you use machine learning to, as you say, generate a profile of a specific person. And it's based on like biometrics that you couldn't get before. literally like, actually, actually it's not biometrics you couldn't get before. People have tried to do this long ago. What you couldn't do before. So there's two things. One is there's the stuff we're doing net new that is different and where our patents are around. But there's also stuff where it's novel use of technology that's been used other places. So using, so to answer
Starting point is 00:08:01 what you were starting to say that I interrupted, was that it wasn't that you couldn't look at typing styles. It's that everything was trying to be done in-house. And so when you were doing that on-prem, too much CPU didn't scale. So cloud-based ML frameworks are a massive part of why we can do what we do, as well as when you look at things that have a part of typing style,
Starting point is 00:08:35 Right now it's, and where most things are that are identity related, is it's all in getting in the door, as opposed to the unique experience of Doug of being, like he was already in there. So he could, you know, that's why those, you know, the things like account takeovers, if they're coming in through a supply chain issue, they're bypassing authentication.
Starting point is 00:09:00 And so like that idea of understanding exactly where the problem is, and then putting additional inputs in it so that it's not just biometric related is the thing that ended up being quite different. But the granularity of this, because I think this is key, is that like you said, you're creating a profile of a specific person. So even if that person gets compromised by social engineering or something like that, your system can say, we know that this is not Chris, because we're not, Chris types on the keyboard and puts more pressure on the keys or always puts her left
Starting point is 00:09:41 pinky constantly capping on and off. And whoever's typing right now under Chris's credentials is not doing that. So it's this, we're using the key, the keyboard and typing as an example. But it's that level of even if someone has been compromised, you can in real time identify. There's no, maybe they got the two-factor authentication right, but you're your system can say, we still don't think that's Chris. Right. Well, and two-factor authentication, just to be clear, is it is, it's not verifying a person, it's verifying a device. Right. And so, yeah, so yeah, I mean, you gave the example of the
Starting point is 00:10:23 pinky capping on and off. And it's not that, like, if we back that up, what we're seeing in our system because we're not looking at the raw keystrokes, what we're seeing is whether we can tell it's a left pinky or not. It is the thing of we're seeing this thing that's happening every time if it's Chris. Now, we can equate it with it's my left pinky, but it's this thing that's happening. This thing isn't happening anymore. But we're also because it's not just the biometric part, it also is a thing like, so of my two technical co-founders, David has a computer science degree. Doug was self-taught when he was very young. There are command lines that he does that if somebody was taught wouldn't be the same.
Starting point is 00:11:04 So, you know, if it's not just my style, but it's things like you had Doug in there and it would be like, oh, well, he would be a super admin. But the point is that it would be like, oh, these command lines are not things this person would have ever, has ever done in the past. Which is why, as you said, you can identify who's sharing credentials because, well, wait a minute, there's no way that Chris would have. entered those command lines. Or if, again, if it's a group, a group account or something like that, and you're like, well, wait, who did the code that wrecked everything? Because there's eight people that could have, but you can identify who of those eight people is likely the one that was in that session. Yes. Yeah. And actually, that's one of the things that I think is really exciting. You know, it's the, you know, is it, I'm expecting it to be
Starting point is 00:11:53 Chris. Is it Chris? Yes or no? I mean, that's, important, particularly an account takeover, but that is, you know, that's fairly easy. I mean, for us, it's fairly easy. It is more of the thing of it's a group admin account that was taken over. Or it's just a group admin account, somebody internal. And, you know, was that Brian or Chris? Or you and I are on a group admin account and it's Brian and Chris, but like Jeff, who is not part of it, is using that group admin account.
Starting point is 00:12:25 And so that, understanding that is hard work. But, like, again, I work with really smart people. So one of the keys of this also is, and correct me if I'm wrong, I might be overselling here, but you can identify this in real time. Like, this isn't something where you find out a day later. Like, literally the Mimoto system can alert you and say, hey, we think right now someone is in the system that shouldn't be in this particular system. Exactly. Exactly. And that's one of those other things. Without, you know, giving too much away, you know, there's the identifying and making sure it's correct. But there's also, even when you're doing alerts and or execution to like kick somebody out of something, there are also things you can do on that side of it where it is, it's not binary, yes or no. Like there are, you know, there are checks you can do before you set the alert and all that can be happening.
Starting point is 00:13:25 in real time or as a machine learning person would say in near real time, which you mean like we know, check, check, check, check, check. Now send the alert. But it is, yeah, it's within seconds and not within like, which a lot of times is how a breach is discovered, which is a scary thing about the new SEC rule, because people will know there's a breach, but it takes time to figure out what is actually happened. So people are going to have to alert about. about breaches where they're not going to actually know all the facts yet. Right. And so this gets into, this is why listeners of the show would know that I jumped at the chance to invest. Like all of these stories, and let's talk about the MGM hack specifically in a second, but all of these stories that I do, where it's like, well, the hackers were in the system for a month or something like that before it was discovered. Like, this is a mitigation of that possibility. But also it is, It's essentially a way to stop it in its tracks before anything can be done. Because even if it's an hour, there's a lot of people, hackers can leave things that
Starting point is 00:14:36 would take you a while to find or whatever. So time is of the essence here, and this is a way to cut that time to as little as possible. Yeah. Yes, most definitely. In fact, I know that you had mentioned MGM. I actually could give you a really quick example that I don't know the name of the company because Sophos Labs did a description of a hack that I think is really good and that way takes us out of the mindset of beating up on MGM for a moment. Well, just so the listeners can remember because it was a while, MGM, the casino company, you know, like MGM resorts and the Bellagio and all this stuff.
Starting point is 00:15:20 I believe there was a story. I didn't even do it today. This is October 6th that MGM. A source says refused to pay the hackers ransom and it's going to end up costing them $100 million. So we're not beating up on MGM. Yeah, no, no, no. We're using this as an example of, hey, let's say, MGM, let's save you $100 million next time. Right, right. Right. But go ahead.
Starting point is 00:15:42 Yeah, no, no. And yeah, it's funny because you said that, you know, a while ago and I am, I've become a breach groupie. So in my mind, it's somebody compliment me because I've, written something about MGM and I said, oh, if you were impressed with that, you should read our Slack messages. So the reason why I wanted to go back to the Sophos Labs one is only because the, I don't want to talk with certainty about how the MGM one happened. I could say how it seems to have happened. Sophos Labs did a description that was, you said within an, you know, if you knew within an hour, and it happened, and it happened under three hours. And it was they'd come in through a TeamViewer account.
Starting point is 00:16:27 So they looked like they were in the same geo. It was an admin TeamViewer account. So they looked like they were in the same geo. They were doing it midnight the time of the person whose account it was. And so, you know, time of the person could have been using it. And because it was an admin account, what they were touching, look to be things that person would have touched. So you would have, if you were only going like, oh, that credential, yeah, that makes sense for that credential.
Starting point is 00:16:52 Whereas, yeah, that's something that they would have never, got to the point of being able to do a script because we would have caught that so quickly. That you, in a piece that you wrote recently, you said that one of the, there's three facts about the state of play right now is that, number one, no approach alone is impenetrable. Number two, MFA's history, it's long. So there's tons of known weaknesses that are exploitable there. And number three, the status quo of security usage. It hasn't been working for how many stories have I done where every single time it is, well, there was social engineering, and that's how they got in.
Starting point is 00:17:34 So we know that there's this huge gaping vector that we can't really seal off because people are people. And so Mimoto, as you said, is treating these as people, people as people as opposed to a device key, essentially. Yeah, most definitely. And I think that the other part of that is also, I mean, the MGM thing ultimately is also a supply chain issue. And so, you know, you have both the, you know, you have the issue overall, but then you have the, you know, even if you've locked down everything, even if you're, you know, your pulls from GitHub, they're brilliant. You know, like you have, you have, you have, and, you know, you have Snyk, you have Socket, you, or whatever you're using, that you're feeling confident of that. If you're, but you will be using something else. And so, you know, it is, you know, and so that is the reason why you need to know whose fingers are on keyboards.
Starting point is 00:18:32 So verifying people, not devices is the key, since that's the vector, that's the problem. Yeah. Well, and actually, it is that, but it also is, it's not in the, it's not as they're coming in. It really is that ongoing, like, what is happening now? And that's the problem. I think that a lot of times people think of their security posture and they think of it as we have a fortress. And we have these walls and there's a drawbridge and everyone come in this way. And the reality is it's not a fortress. It's a chain link fence.
Starting point is 00:19:06 There are things are getting in different ways as well as there are people internally doing things. Sometimes internally on purpose, sometimes not on purpose, but there are things that are happening internally that you don't know what's happening. happening. And that's not beating up on the people internally. That's just what it is. And as well as like what's getting in through all the, through the chain link fence. So let me ask you a practical question. Let's say I'm at an enterprise and I'm listening to this right now. And boy, that sounds good. I'd like to trial that. What's what's the difficulty of implementing? Like, do you have to, well, we need six months to get a profile of all of your employees to, to, to create. create a profile for them. Tell me the ease with which I can demo this and create profiles and see it in action. Thanks. And it's so good because I realized that I just shook my head, which does not compute at all audio-wise. So we take between four and six minutes to create a baseline profile and then the ML is continually updating it and learning it over time.
Starting point is 00:20:17 So it is for, in fact, we just had somebody who had run his own implementation of it. A CIO said that he wanted to do the first like group of implementation because he want to see how it worked. And he sent me a message back that said 10 minutes. I was like 10 minutes. He's like 10 minutes, your implementation. 10 minutes. Oh, okay. 10 minutes.
Starting point is 00:20:42 Got it. So yeah, I mean, it was, you know, it is the way that you would normally, again, the benefit of the people I work with, that it's built by people who have been, you know, Doug was the person who always was doing installs. So it's built by people who know how to do installs. You know, it's those. But yeah, yeah, so it's easy to implement. And then, you know, that baseline is easy to see. Again, for folks listening, if that sounds good, Mimoto.ai to try it out.
Starting point is 00:21:19 Let's back up a bit and ask about, you said that this team, this is not your first rodeo. For this company and this idea in particular, what have been the challenges? I saw something recently that for the entire security industry, there seems to be a pullback and spend that's maybe sort of a secular change or whatever. Obviously, you guys have launched a startup at a time when there was pullback on startup funding. For this idea right now, to whatever degree you want to go high level or in the weeds,
Starting point is 00:22:00 what have been the struggles for this idea that you didn't anticipate when you started a couple years ago? Yeah, I'll give you two different versions of it. On the business side and the funding side, we thought it was a no-brainer. We saw a problem. We thought it was no-brainer. So I think there's that. What we didn't anticipate, what I personally didn't anticipate was and it was a pattern matching. It was the, oh, the word indemnity is in there. Mimoto means identity in Japanese. Oh, it's a day. Oh, and it is the idea that it was the front door. And so that, that education part. And so that was, you're saying that the education in terms of going to market and trying to sell to clients. No. Okay. That was on the investor side. Because the client side, see, this is two different things. On the client side, it was, oh, yeah, we need, Now, there's a learning on that side too.
Starting point is 00:23:08 So that was on the actual business side, which is why I was saying like, I just thought it was obvious. And so early on, we were having people say like, I don't know if there's a market. And like I would get them, think, I don't know if there's a market. And the same day, I'd have somebody say like,
Starting point is 00:23:23 we want to, we want to expand your usage. So like, you know, it was that disconnect. But what we learned was also that we don't necessarily sell into the CSO side. We sell into the CIO, CTO side. side, IT side where there's some CSOs also in our mix, but even those are like, sometimes it's like a CIO slash CISO because it's the people who are responsible for the visibility internally. I mean, ultimately what we're doing is looking at a anomaly, behavioral anomaly detection
Starting point is 00:23:57 internal for the internal usage. And so that is, you know, behavior, whether it's how you type or behavior where are you something where you shouldn't be. That is what we ultimately are doing. And so it's not the people setting up the rules. It's people who are responsible. And so that actually has made it a faster sale. On the product side, the lesson learned and product and go to market was that I gave you where we started with Doug, what we thought we would be doing, frankly, was breach of
Starting point is 00:24:34 detection in real time. Like that's what we thought we were selling. And Doug talked to, you know, 100 plus people before we built. Like all those things that you're supposed to do. In fact, lesson learned, like you click off everything you're supposed to do and you still like, there's still things that fall through. And everything seemed to be like, yeah, that would be great. That'd be great. It's a crowded market and everyone says the same thing. And so that, But what we did was we sold in after we built, there's some things we, lessons learned, some things that we actually did well. And part of it was we'd sold into initial prototypes.
Starting point is 00:25:14 And we then watched what they were doing and where they were getting value. And so one of them was somebody bought because they thought they had a potential breach. And within three or four days, the CTO reached out to me and said, turns out it's not a breach. It's people internal doing stupid things. He had no idea they were using root access. And not only did he have no idea they were using root access. What he had been seeing was things being deleted and moved that shouldn't be. He knew specifically who it was. But see, that seems that seems as valuable to me. Oh, no, no, more. Yeah. Oh, no, no. It was it was just the, it's a, the technology didn't change, but where we were, the value,
Starting point is 00:25:58 were talking about, it actually was really fast value. And so from that, they started referring customers of there that they were certain were sharing credentials, not sharing their credentials, but internally with other things. And then the other prototype, they were very concerned with their code, as they would be, they're very concerned with their code. And so they quickly went from the prototype
Starting point is 00:26:26 to expanding throughout their organization. and because they were concerned about the supply chain. And so in both cases, it was very internal focused in what the use case was. And it was a gap that was in internally that we hadn't been looking at. That once people started using, they're like, oh, I have this problem here.
Starting point is 00:26:47 And I mean, the funny thing about the 100 people we spoke with is that there was a CISO in that, now it was only one of 100 who said, oh, this is really good, but I'd also use it this way. And he pointed exactly, exactly to what we're doing. So, you know, if you go like, oh, you know,
Starting point is 00:27:02 there's initial interviews. Right. So, again, I was guilty of this in describing it, like, the sort of, oh, well, this is anomaly detection. This is in the security space. But really what we're talking about is this is a different kind of observability. That is unique to what y'all are doing. It is.
Starting point is 00:27:24 It is definitely, I don't think what you said was wrong. I think it's just, it is the anomaly detection part and the observability part is that it's interesting that when our customers ask to be, ask for integrations, nobody's asking about our Okta integration. They're asking, do we have, they're happy that we have a Splunk integration. They're asking if we can integrate with other SIEMs. And so that, you know, we're doing that as opposed to. And the Okta integration is helpful for us because. it is another data point for us. But it's interesting where,
Starting point is 00:28:03 that's why I was saying like that disconnect. The customers get it really well. But it was, the lesson learned was where we thought we were going to be selling into, what we thought we'd be selling, is not what it is. I guess my outtake of that is like there's that, but at the same time, the technology, we pivot, we pivot, it technology-wise. You know, the core of what we were doing was that same good core, but really listening to and doing experiments. That's what we do for my past. It's like you do experiments and
Starting point is 00:28:39 you figure out whether you're right or wrong. Right. Well, you know, in the range of pivots from, well, we pivoted because no one wants this product to we've pivoted because people love this product. It's just that they're using it for something. Not that we've pivoted. didn't expect them to use, but they're finding, they're finding value just not necessarily the level of value or the value that you thought starting out, but there's still value there. So it's like pivot to where there's value. Right. Well, it is that. And it also is where they were seeing immediate value. I mean, that was a thing where we had a conversation, we had many a conversation before we launched anything of the challenge of running a POC where somebody was going to, like,
Starting point is 00:29:26 you never hope somebody's going to try to get free. You know, so like how do you prove your value if that's where you're, you know, like people are concerned about breaching. And so finding that people were, that there was a gap in what the, what was being seen internally and a gap in, sometimes it was an actual gap. Sometimes it was a gap because, well, you know the credentials in there, but do you know that's that person. And so, you know, there's those pieces as well. That was, again, like within days of getting contacts, which is pretty darn cool. I agree. I don't know what it says about me
Starting point is 00:30:09 that if you're saying the other VCs didn't see that right away, all you had to do is the, it's people not devices that were worried about here. That was obvious to me. So, Well, I'm not going to comment on any of that. I'm going to say that that was an early problem. We have less of that issue now. You know, it's hard to have that, you know, it's hard to have that issue and I would assume. And then look at MGM. But that actually leads to one of my biggest issues with the, you mentioned the piece I wrote.
Starting point is 00:30:43 will publish. There's a line in there, I think, something to the effect of, you know, if you're wringing your hands about, oh, this is so terrible, and then you're not doing anything, you are the problem. I will tell you the piece actually started with that being it. And then I dialed it back because I, you know, it is a massive frustration for me. Whether it's us or not, like, like people need to be able to address things and actually, again, whether it's us or not, we need to be addressing security in a different way because it will only get worse. People forget that the other side, the bad actors are also in business. They are also innovative.
Starting point is 00:31:35 The reason why different versions of breaches happen is in part because it's where they can make the most money. It's just like running a business because it is running a business. Well, again, if this makes sense to you instantly, like it made sense to me instantly and obviously to Chris, again, Mimoto.ai or email me, Brian at Techmeme.com or Brian at RideHomeFund.com. I'll put you in touch with Chris. If people are excited about this, how else can they get involved with Mimoto right now? Ah, so if they are, well, we are, we have a round that we will be closing soon. But beyond that, if you're business listeners, what we are starting to do more of is talk to partners. Specifically, we have one OEM partner and that has, that's, we see our future as being both what we're doing as well as that ability to have humans and have that, you know, I believe the world is moving towards that things will be either human influenced or human driven. And so that ability to have
Starting point is 00:32:56 security products in particular, but enterprise products where it is, you know, depending on who the person is, what, you know, it interacts differently, you know, amazingly going back to the thing five years ago that I had, but that is something that I'm very open to and we'll have to meter, not doing us not doing too much of it, but finding partners in that area is really exciting for us. So anybody that is thinking, oh, that would be a potential partnership, including OEMs. Finally, though, just to mention the round is still open. so if people were interested in getting involved that way, there's still space.
Starting point is 00:33:41 There is space. They would need to move quickly, but there is space. Got it. Well, Chris, again, Mimoto, Mimoto.ai, proud investor, hashtag proud investor, you know, how that goes. And thanks for coming on and sharing that with us, and hope to talk to you soon. There's going to be plenty more exciting news from Mimoto. Great. Thank you so much for the time.
