Tech Brew Ride Home - (Portfolio Profile) Mimoto
Episode Date: October 8, 2023. Find out more at Mimoto.ai
Transcript
On April 4th, 2023, around 2 in the morning, a man was found stabbed multiple times on a sidewalk in downtown San Francisco.
Hey, who did this to you?
What happened next turned the story into a political firestorm.
Reports have identified the victim as Bob Lee, the founder of Cash App.
From Bloomberg Podcasts, this is Foundering, the Killing of Bob Lee, beginning April 16.
Welcome to another bonus episode of the Techmeme Ride Home, another portfolio profile episode featuring one of our investments from the original Ride Home Fund, although you'll hear that there's some AI tied up in this as well. Today we are going to talk about Mimoto. We are talking to Mimoto's founder, Chris Bondi. Hi, Chris.
Hello, Brian.
I actually know Chris a little bit because the last time I was in San Francisco, we met up for coffee and she almost came to my comedy show, but she went to another comedy show that, if I remember that night, you had already booked a different one.
I found out the last minute about yours.
I would have definitely chose you over whatever else it was.
It was fun.
I don't know if they ever posted that online, but anyway.
Okay, Chris, Mimoto, to find out more about it as we're talking, it's Mimoto.ai, M-I-M-O-T-O dot A-I. Tell me what Mimoto does, and we're going to get into some of the weeds here of why I think, if you're a listener to this show, you've heard so many stories recently, you'll get immediately why I was excited to invest in this company.
Great. Well, so what Mimoto does is that we match an AI-generated verified profile with a specific person, which enables us then to understand what is happening within an organization.
So what that means, or what that can mean, are things like account takeovers, to know is it really that person who you expect it to be, as well as are people sharing credentials, which you can imagine, account takeover kind of sounds similar to that, as well as if you have a group account or root access, who specifically is the person doing that, as well as if there were data extraction, is that data, is it happening?
And then is it the right person doing that?
So it's really understanding for all the technical things that I'm sure you'll ask me about.
The core difference is a fact that we don't look at a credential as being a person.
A person is a person.
And so once you end up with that starting point, you look at everything differently.
And so that is, that's what we do.
And that's, it's, yep, that's what we do.
Let me, before we get deeper in the weeds in terms of technically how this works, can you tell me the founding story where this idea came from, you know, the background of the team, like how you got here?
Yeah.
And actually that works very, very much into why we have that focus.
So I have two technical co-founders, and one of them, Doug Coburn, this is our third time working together.
And so Doug, many years ago, had experiences where he would be brought into a company to help them with their, whatever technology he was helping them with at the time, and they would put in their credentials and walk away.
So he at one point came into a large healthcare provider and somebody put in their credentials, walked away.
He had access to 40,000 servers, 200,000 endpoints. Jump forward a few years, which in retrospect is not that long ago.
He lived in Europe at the time, came into an international bank.
Same thing, somebody put in their credentials, walked away.
He had access to all the ATMs, Java-based, not version controlled.
And that thing of what is the, you know, who's behind the credential.
And so he contacted me three years ago and said, there's this problem I've been looking at forever.
And we finally got to the point technology-wise that we can address it.
And what I look at it and see, was there something there, a market there?
And when I looked at it, there was definitely what he had thought, but it was so much bigger than that.
And then our other technical founder, David, ended up being the perfect match for that.
Because Doug is the ultimate problem solver.
And David is somebody who has, you know, not only does he have this background in data sets and software development,
but he's either been in software companies or startup companies where he has been creating net new product or been in banks where he's been brought into, been part of a team that is,
creating the next generation of something. So you have this like, I'm a problem solver. I will create
that thing to fix anything. And the person who's like, I will create the product. And then you have
me.
And your background as well?
Oh, my background is that in a prior life, I used to come into companies to get them to realize their vision. So there were seven acquisitions, two IPO filings, but a lot of that had to do with the like, what is that technology and what is the business that that technology will actually help? So I'm best known for serverless becoming a category. And the thing, though, that is particularly interesting for what we're doing is the fact that five years ago, I was in an Israeli company where we were creating digital doubles that were predicting what people would do offline.
So the fact that five years ago
I was sitting on panels about the future of AI,
I never thought five years in my future.
I would be like, okay, what is the next, next, next generation
of that?
But it is, I would argue only because it's, you know, it's the way I look at it, is that that combination of, you know, the person who's like, looking at the business and where things are going beyond the horizon, and then the, um, both problem and scaling. Like, I can't say that it is the perfect, uh, founding team for everyone. I would say it's definitely the perfect founding team for us, in part because the thing I forgot to say about my co-founders is that they're wonderful human beings. So like, pretty dang cool that I get to work with smart people who are also really nice.
That helps, certainly.
But so to come back to the product, I mentioned that, and we have mentioned, that there is AI in this.
The investment we originally made was before the AI fund existed.
Otherwise, the AI fund might have taken a look at it.
But so essentially what you guys do is you use machine learning to, as you say, generate a profile of a specific person. And it's based on like biometrics that you couldn't get before, literally like...
Actually, actually it's not biometrics you couldn't get before. People have tried to do this long ago. What you couldn't do before, so there's two things. One is there's the stuff we're doing net new that is different and where our patents are around. But there's also stuff where it's novel use of technology that's been used other places. So, to answer what you were starting to say that I interrupted, it wasn't that you couldn't look at typing styles. It's that everything was trying to be done in-house. And so when you were doing that on-prem, it took too much CPU, didn't scale.
So cloud-based ML frameworks are a massive part
of why we can do what we do,
as well as when you look at things that have a part of typing style,
Right now it's, and where most things are that are identity related, is it's all in getting in the door, as opposed to the unique experience of Doug of being, like he was already in there. So he could, you know, that's why those, you know, the things like account takeovers, if they're coming in through a supply chain issue, they're bypassing authentication. And so like that idea of understanding exactly where the problem is, and then putting additional inputs in it so that it's not just biometric related is the thing that ended up being quite different.
But the granularity of this, because I think this is key, is that like you said, you're
creating a profile of a specific person.
So even if that person gets compromised by social engineering or something like that, your system can say, we know that this is not Chris, because Chris types on the keyboard and puts more pressure on the keys or always puts her left pinky constantly capping on and off. And whoever's typing right now under Chris's credentials is not doing that. So it's this, we're using the keyboard and typing as an example. But it's that level of even if someone has been compromised, you can in real time identify. There's no, maybe they got the two-factor authentication right, but your system can say, we still don't think that's Chris.
Right. Well, and two-factor authentication, just to be clear, is not verifying a person, it's verifying a device. Right. And so, yeah, so yeah, I mean, you gave the example of the pinky capping on and off. And it's not that, like, if we back that up, what we're seeing in our system, because we're not looking at the raw keystrokes, what we're seeing is whether we can tell it's a left pinky or not. It is the thing of we're seeing this thing that's happening every time if it's Chris. Now, we can equate it with it's my left pinky, but it's this thing that's happening. This thing isn't happening anymore. But we're also, because it's not just the biometric part,
it also is a thing like, so of my two technical co-founders, David has a computer science degree.
Doug was self-taught when he was very young.
There are command lines that he does that if somebody was taught wouldn't be the same.
So, you know, if it's not just my style, but it's things like you had Doug in there and it would be like, oh, well, he would be a super admin.
But the point is that it would be like, oh, these command lines are not things this person would have ever, has ever done in the past.
Which is why, as you said, you can identify who's sharing credentials because, well, wait a minute, there's no way that Chris would have entered those command lines. Or if, again, if it's a group account or something like that, and you're like, well, wait, who did the code that wrecked everything? Because there's eight people that could have, but you can identify who of those eight people is likely the one that was in that session.
Yes. Yeah. And actually, that's one of the things
that I think is really exciting. You know, it's the, you know, is it, I'm expecting it to be
Chris. Is it Chris? Yes or no? I mean, that's,
important, particularly an account takeover, but that is, you know, that's fairly easy.
I mean, for us, it's fairly easy.
It is more of the thing of it's a group admin account that was taken over.
Or it's just a group admin account, somebody internal.
And, you know, was that Brian or Chris?
Or you and I are on a group admin account and it's Brian and Chris, but like Jeff, who is not
part of it, is using that group admin account.
And so that, understanding that is hard work.
But, like, again, I work with really smart people.
So one of the keys of this also is, and correct me if I'm wrong, I might be overselling here,
but you can identify this in real time.
Like, this isn't something where you find out a day later.
Like, literally the Momoto system can alert you and say,
hey, we think right now someone is in the system that shouldn't be in this particular system.
Exactly. Exactly. And that's one of those other things. Without, you know, giving too much away, you know, there's the identifying and making sure it's correct. But there's also, even when you're doing alerts and or execution to like kick somebody out of something, there are also things you can do on that side of it where it is, it's not binary, yes or no. Like there are, you know, there are checks you can do before you set the alert, and all that can be happening in real time, or as a machine learning person would say, in near real time, which you mean like we know, check, check, check, check, check. Now send the alert. But it is, yeah, it's within seconds and not within like, which a lot of times is how a breach is discovered, which is a scary thing about the new SEC rule, because people will know there's a breach, but it takes time to figure out what has actually happened. So people are going to have to alert about breaches where they're not going to actually know all the facts yet.
Right. And so this gets into, this is why listeners of the show would know that I jumped at the chance to invest.
Like all of these stories, and let's talk about the MGM hack specifically in a second, but all of these stories that I do,
where it's like, well, the hackers were in the system for a month or something like that before it was discovered.
Like, this is a mitigation of that possibility. But also it is,
It's essentially a way to stop it in its tracks before anything can be done.
Because even if it's an hour, there's a lot of people, hackers can leave things that
would take you a while to find or whatever.
So time is of the essence here, and this is a way to cut that time to as little as possible.
Yeah.
Yes, most definitely.
In fact, I know that you had mentioned MGM.
I actually could give you a really quick example that
I don't know the name of the company because Sophos Labs did a description of a hack that I think is really good and that way takes us out of the mindset of beating up on MGM for a moment.
Well, just so the listeners can remember because it was a while, MGM, the casino company, you know, like MGM resorts and the Bellagio and all this stuff.
I believe there was a story, I didn't even do it today, this is October 6th, that MGM, a source says, refused to pay the hackers' ransom and it's going to end up costing them $100 million.
So we're not beating up on MGM.
Yeah, no, no, no.
We're using this as an example of, hey, let's say, MGM, let's save you $100 million next time.
Right, right.
Right.
But go ahead.
Yeah, no, no.
And yeah, it's funny because you said that, you know, a while ago and I am, I've become a breach groupie.
So in my mind, it's somebody complimented me because I'd written something about MGM, and I said, oh, if you were impressed with that, you should read our Slack messages.
So the reason why I wanted to go back to the Sophos Labs one is only because the, I don't want to talk with certainty about how the MGM one happened.
I could say how it seems to have happened.
Sophos Labs did a description that was, you said within an, you know, if you knew within an hour, and it happened under three hours.
And it was they'd come in through a TeamViewer account. It was an admin TeamViewer account. So they looked like they were in the same geo.
They were doing it at midnight, the time of the person whose account it was. And so, you know, a time the person could have been using it.
And because it was an admin account, what they were touching looked to be things that person would have touched.
So you would have, if you were only going like, oh, that credential, yeah, that makes sense for that credential.
Whereas, yeah, that's something that they would have never gotten to the point of being able to do a script, because we would have caught that so quickly.
You, in a piece that you wrote recently, said that there's three facts about the state of play right now. Number one, no approach alone is impenetrable. Number two, MFA's history, it's long, so there's tons of known weaknesses that are exploitable there. And number three, the status quo of security usage hasn't been working. How many stories have I done where every single time it is, well, there was social engineering, and that's how they got in. So we know that there's this huge gaping vector that we can't really seal off because people are people.
And so Mimoto, as you said, is treating these as people, as opposed to a device key, essentially.
Yeah, most definitely.
And I think that the other part of that is also, I mean, the MGM thing ultimately is also a supply chain issue. And so, you know, you have both the, you know, you have the issue overall, but then you have the, you know, even if you've locked down everything, even if you're, you know, your pulls from GitHub, they're brilliant. You know, like you have, you have Snyk, you have Socket, or whatever you're using, that you're feeling confident of that. But you will be using something else. And so, you know, it is, you know, and so that is the reason why you need to know whose fingers are on keyboards.
So verifying people, not devices is the key, since that's the vector, that's the problem.
Yeah. Well, and actually, it is that, but it also is, it's not in the, it's not as they're coming in.
It really is that ongoing, like, what is happening now?
And that's the problem.
I think that a lot of times people think of their security posture and they think of it as we have a fortress.
And we have these walls and there's a drawbridge and everyone come in this way.
And the reality is it's not a fortress.
It's a chain link fence.
There are things getting in different ways, as well as there are people internally doing things. Sometimes internally on purpose, sometimes not on purpose, but there are things that are happening internally that you don't know what's happening. And that's not beating up on the people internally. That's just what it is. And as well as like what's getting in through all the, through the chain link fence.
So let me ask you a practical question. Let's say I'm at an enterprise and I'm listening to this right now. And boy, that sounds good. I'd like to trial that. What's the difficulty of implementing? Like, do you have to, well, we need six months to get a profile of all of your employees to create a profile for them. Tell me the ease with which I can demo this and create profiles and see it in action.
Thanks. And it's so good because I realized that I just shook my head, which does not compute at all audio-wise.
So we take between four and six minutes to create a baseline profile and then the ML is continually updating it and learning it over time.
So it is for, in fact, we just had somebody who had run his own implementation of it. A CIO said that he wanted to do the first like group of implementation because he wanted to see how it worked.
And he sent me a message back that said 10 minutes.
I was like 10 minutes.
He's like 10 minutes, your implementation.
10 minutes.
Oh, okay.
10 minutes.
Got it.
So yeah, I mean, it was, you know, it is the way that you would normally, again, the benefit of the people I work with, that it's built by people who have been, you know, Doug was the person who always was doing installs.
So it's built by people who know how to do installs.
You know, it's those.
But yeah, yeah, so it's easy to implement.
And then, you know, that baseline is easy to see.
Again, for folks listening, if that sounds good, Mimoto.ai to try it out.
Let's back up a bit and ask about, you said that this team,
this is not your first rodeo.
For this company and this idea in particular,
what have been the challenges?
I saw something recently that for the entire security industry,
there seems to be a pullback and spend that's maybe sort of a secular change or whatever.
Obviously, you guys have launched a startup at a time when there was pullback on startup funding.
For this idea right now, to whatever degree you want to go high level or in the weeds,
what have been the struggles for this idea that you didn't anticipate when you started a couple years ago?
Yeah, I'll give you two different versions of it. On the business side and the funding side, we thought it was a no-brainer. We saw a problem. We thought it was a no-brainer. So I think there's that. What we didn't anticipate, what I personally didn't anticipate, was, and it was a pattern matching. It was the, oh, the word identity is in there. Mimoto means identity in Japanese. Oh, it's a day. Oh, and it is the idea that it was the front door. And so that education part.
And so that was, you're saying that the education in terms of going to market and trying to sell to clients.
No.
Okay.
That was on the investor side. Because the client side, see, this is two different things. On the client side, it was, oh, yeah, we need,
Now, there's a learning on that side too.
So that was on the actual business side,
which is why I was saying like,
I just thought it was obvious.
And so early on, we were having people say like,
I don't know if there's a market.
And like I would get them, think,
I don't know if there's a market.
And the same day, I'd have somebody say like,
we want to, we want to expand your usage.
So like, you know, it was that disconnect.
But what we learned was also that we don't necessarily sell into the CISO side. We sell into the CIO, CTO side, IT side, where there's some CISOs also in our mix, but even those are like, sometimes it's like a CIO slash CISO, because it's the people who are responsible for the visibility internally. I mean, ultimately what we're doing is looking at anomaly, behavioral anomaly detection, internal, for the internal usage. And so that is, you know, behavior, whether it's how you type or behavior, are you somewhere you shouldn't be. That is what we ultimately are doing.
And so it's not the people setting up the rules.
It's people who are responsible.
And so that actually has made it a faster sale.
On the product side, the lesson learned in product and go-to-market was that, I gave you where we started with Doug. What we thought we would be doing, frankly, was breach detection in real time. Like that's what we thought we were selling. And Doug talked to, you know, 100-plus people before we built. Like all those things that you're supposed to do. In fact, lesson learned, like you tick off everything you're supposed to do and you still, like, there's still things that fall through. And everything seemed to be like, yeah, that would be great. That'd be great. It's a crowded market and everyone says the same thing. And so that,
But what we did was we sold in after we built. There's some things we, lessons learned, some things that we actually did well. And part of it was we'd sold in initial prototypes. And we then watched what they were doing and where they were getting value.
And so one of them was somebody bought because they thought they had a potential breach.
And within three or four days, the CTO reached out to me and said,
turns out it's not a breach. It's people internal doing stupid things. He had no idea they were
using root access. And not only did he have no idea they were using root access. What he had been
seeing was things being deleted and moved that shouldn't be. He knew specifically who it was.
But see, that seems as valuable to me.
Oh, no, no, more. Yeah. Oh, no, no. It was just the, the technology didn't change, but where the value we were talking about was, it actually was really fast value. And so from that, they started referring customers of theirs that they were certain were sharing credentials, not sharing their credentials, but internally with other things.
And then the other prototype, they were very concerned
with their code, as they would be,
they're very concerned with their code.
And so they quickly went from the prototype
to expanding throughout their organization.
and because they were concerned about the supply chain.
And so in both cases, it was very internal focused
in what the use case was.
And it was a gap that was in internally
that we hadn't been looking at.
That once people started using, they're like,
oh, I have this problem here.
And I mean, the funny thing about the 100 people we spoke with is that there was a CISO in that, now it was only one of 100, who said, oh, this is really good, but I'd also use it this way. And he pointed exactly to what we're doing. So, you know, if you go like, oh, you know, there's initial interviews.
Right.
So, again, I was guilty of this in describing it, like,
the sort of, oh, well, this is anomaly detection.
This is in the security space.
But really what we're talking about is this is a different kind of observability.
That is unique to what y'all are doing.
It is.
It is definitely, I don't think what you said was wrong.
I think it's just, it is the anomaly detection part and the observability part. It's interesting that when our customers ask for integrations, nobody's asking about our Okta integration. They're asking, do we have, they're happy that we have a Splunk integration. They're asking if we can integrate with other SIEMs. And so that, you know, we're doing that as opposed to. And the Okta integration is helpful for us because it is another data point for us.
But it's interesting where,
that's why I was saying like that disconnect.
The customers get it really well.
But it was, the lesson learned was where we thought we were going to be selling into,
what we thought we'd be selling, is not what it is.
I guess my outtake of that is like there's that, but at the same time, the technology, we pivot, we pivot it technology-wise. You know, the core of what we were doing was that same good core, but really listening to and doing experiments. That's what we do from my past. It's like you do experiments and you figure out whether you're right or wrong.
Right. Well, you know, in the range of pivots from, well, we pivoted because no one wants this product, to we've pivoted because people love this product, it's just that they're using it for something, not that we've pivoted, that we didn't expect them to use it for, but they're finding value, just not necessarily the level of value or the value that you thought starting out, but there's still value there. So it's like pivot to where there's value.
Right. Well, it is that. And it also is where they were seeing
immediate value. I mean, that was a thing where we had a conversation, we had many a conversation before we launched anything, of the challenge of running a POC where somebody was going to, like, you never hope somebody's going to try to get free. You know, so like how do you prove your value if that's where you're, you know, like people are concerned about breaching. And so finding that people were, that there was a gap in what was being seen internally, and a gap in, sometimes it was an actual gap. Sometimes it was a gap because, well, you know the credentials are in there, but do you know that's that person. And so, you know, there's those pieces as well. That was, again, like within days of getting contacts, which is pretty darn cool.
I agree. I don't know what it says about me that if you're saying the other VCs didn't see that right away, all you had to do is the, it's people, not devices, that we're worried about here. That was obvious to me. So,
Well, I'm not going to comment on any of that.
I'm going to say that that was an early problem.
We have less of that issue now.
You know, it's hard to have that, you know, it's hard to have that issue and I would assume.
And then look at MGM.
But that actually leads to one of my biggest issues with the, you mentioned the piece I wrote. There's a line I have in that piece. I tend to be kind of ornery and then I dial it back for what I actually will publish. There's a line in there, I think, something to the effect of, you know, if you're wringing your hands about, oh, this is so terrible, and then you're not doing anything, you are the problem. I will tell you the piece actually started with that being it. And then I dialed it back because I, you know, it is a massive frustration for me. Whether it's us or not, like, people need to be able to address things and actually, again, whether it's us or not, we need to be addressing security in a different way because it will only get worse.
People forget that the other side, the bad actors are also in business. They are also innovative.
The reason why different versions of breaches happen is in part because it's where they can make
the most money. It's just like running a business because it is running a business.
Well, again, if this makes sense to you instantly, like it made sense to me instantly and obviously to Chris, again, Mimoto.ai, or email me, Brian at Techmeme.com or Brian at RideHomeFund.com, and I'll put you in touch with Chris. If people are excited about this, how else can they get involved with Mimoto right now?
Ah, so if they are, well, we have a round that we will be closing soon. But beyond that, if your listeners are businesses, what we are starting to do more of is talk to partners. Specifically, we have one OEM partner, and we see our future as being both what we're doing as well as that ability to have humans and have that, you know, I believe the world is moving towards that things will be either human influenced or human driven. And so that ability to have security products in particular, but enterprise products, where it is, you know, depending on who the person is, what, you know, it interacts differently, you know, amazingly going back to the thing five years ago that I had, but that is something that I'm very open to, and we'll have to meter it, us not doing too much of it, but finding partners in that area is really exciting for us. So anybody that is thinking, oh, that would be a potential partnership, including OEMs.
Finally, though, just to mention the round is still open.
so if people were interested in getting involved that way, there's still space.
There is space.
They would need to move quickly, but there is space.
Got it.
Well, Chris, again, Mimoto, Mimoto.ai, proud investor, hashtag proud investor, you know how that goes. And thanks for coming on and sharing that with us, and hope to talk to you soon. There's going to be plenty more exciting news from Mimoto.
Great. Thank you so much for the time.
