Learn how Mikko and the SensorFu team built a product that detects network and system leaks for mission-critical production networks.
Davis Baer: What’s your background, and what are you working on?
My name is Mikko Kenttälä and I am CEO and one of the SensorFu’s founders. SensorFu builds a cybersecurity product that continuously seeks new network and system leak paths and alerts IT-ops when they are found. These leaks can be a result of human error or malice and they may violate security policies or contractual obligations. Making sure that planned network segmentation or containment holds is crucial for keeping things safe and private.
I have always loved to hack devices and software to find out how they work, learn new tricks and build something new. I have been curious about what makes people tick, how organizations work or don’t work, where our society is going to and what’s the impact of technology on all this. It is not a surprise that I ended up as an information security professional and a digital privacy advocate. Before founding SensorFu I worked on building citywide, free, open and public wireless networks, doing a lot of security audits and leading a team building threat intelligence products. I still do occasional audits to keep my mind open and I always volunteer for cyber defense exercises to hone my team and security skills and understanding. I am also a board member of Electronic Frontier Finland (EFFi).
What motivated you to get started with your company?
Our team has a long history working in information security, and hacking almost every imaginable gadget or software out there. We’ve seen first hand how companies invest increasing amounts of money and effort in improving their cyber security posture. However sometimes they go for the fancy and complicated solutions and neglect the obvious. They may not spend enough effort to make sure that cornerstones of security such as network segmentation and crypto are properly used. I suspect that this is due to our industry’s own marketing message where new threats and latest fads get most attention and working on no-brainer foundation work is often not considered sexy or advanced enough. Seeing these things being broken time after time drove us to start SensorFu. In a sense, we wanted to go back to basics with IT security. We feel that security requirements pile up, while systems and security solutions get more complex by the day. We wanted to turn this almost upside down: offer easy and cost efficient way for companies to validate that core tenets of their IT security are working as intended. In the way of Unix philosophy — offer things that do one thing and do it well.
Having a team of like minded people around me made it easier. Years of shared experiences with Ossi Herrala and Sebastian Turpeinen gave us a running start as a founder team of SensorFu in early 2017.
What went into building the initial product?
We had this ideal about helping people get core tenets of their IT security right — on an ongoing basis. Based on our security audit experience we had both insights and contacts to potential customers. We must have talked to at least two dozen people to bounce off ideas, and really, listen in about what was not working well for them. Soon after we founded SensorFu, we had shortlisted our ideas to just one spearhead: network leak detection.
Our product gets deployed in mission-critical production networks, industrial control system (ICS) process control networks, and other live environments that are to remain secure and isolated. In a very real way, our product sits nexts to customers’ critical ‘crown jewels’ that we’re helping to protect. Therefore security and robustness of our own product must not be an afterthought. Right from the beginning, we’ve spent a lot of time designing our product for critical network environments, making it secure by default and enabling updates with minimum fuzz. Some of the early choices we made were to use Alpine Linux as our default platform, and use Rust as our programming language of choice. We have taken on a habit of fuzzing our APIs and 3rd party components we’re using internally — with good results and upstream contributions for common, open source, good. We take great pride knowing that a product that we ship meets and goes well beyond of what are the industry practices of building secure products.
If you’re interested more about our thinking process of getting from an idea to a product, we have published a few blog posts of what we went through to get first versions of our product built: [teaserI][teaserII][teaserIII][teaserIV][teaserV].
You look for network leaks? Isn’t this problem solved by firewalls, air gaps or some other solution already?
But who watches the watchmen (Quis custodiet ipsos custodes)? Yes there are Firewalls, Router ACLs, SDNs and Air Gaps but do you know those are working as expected, not just at any given point in time, but on an ongoing basis? Vendors and people make mistakes with access control lists and firewall rules. People misconnect cables in patch panels or plug those cables to wrong network sockets or click wrong button on the virtual switches and make other mistakes. Devices are or may become multi-homed — e.g. with a flip of the Wi-Fi switch on a service technician’s laptop an escape route may have been created from an isolated environment to where that laptop is connected using another network interface. Security devices may act in pass-through or fail-open mode during reboot or firmware update, or that update may have caused the active configuration to behave differently than before. Employees or subcontractors may need to engage into shadow IT to get their job done and they may get more than they ask for. Of course there may also be an occasional malicious actor or malware that messes up your infrastructure.
At the end of the day, our audit experiences keep on showing that this problem is far from solved and something new had to be done to improve the situation. By helping to detect network leakage early, our customers are able to avoid a variety of problems in the tail end of things.
How have you attracted users and grown your company?
Our founding team is on their late 30s’ and early 40s’ and we’ve been lucky to work in a variety of roles within information security industry for the past 20 or so years. To get going we were able to leverage our existing direct contacts in Nordic and abroad. We also actively contribute to grassroots events and specific industry forums and events. For example, Ossi and I had great fun presenting Escapology at Disobey security conference in Finland in front of a very demanding crowd. Evangelism like conference presentations builds awareness, but we are constantly trying to think who needs us next and why, and go after them to tell them that. We try to make as many pre-qualified contacts as we can, and are also searching for right channel partners to scale our sales in the future.
In 2018 we applied for Y-Combinator’s startup school. Startup school has focused us in systematically measuring and tracking our progress in sales via variety of metrics such as how many leads, meetings, pilots, and closed deals we have every week. This seems like an obvious thing to do, but sometimes it’s good to hear someone else tell you that.
What’s your business model, and how have you grown your revenue?
We license our product as an annual subscription. Each of your protection domains, especially isolated network segments, needs its own Beacon, and bigger organizations are likely to have several. We’re barely 18 months old as a company so we try not to get stuck on this model, and are constantly evaluating if there would be more efficient ways to license our product.
In our first year, 2017, we were able to sign-up three paying (pilot) customers. We worked with them to fine-tune our product and launched it to general availability in late 2017. Going to 2018 we’ve brought in our first international deals, and have been steadily adding new customers.
What makes me really fired up about all this is good feedback we’ve received from new customers. In particular from one where Beacon has been able to provide immediate value by finding real issues at customers’ networks within a week or two of initial deployment.
What are your goals for the future?
I think our primary goals as we see them today, in no particular order, could be summarized in the following bullets:
- Grow internationally — in particular we’re looking at North America and China, India and Japan in APAC region.
- Expand from utilities and energy to other critical infrastructure domains and to other markets. For example we just signed up a customer in the enterprise sector whose original concern were contractual obligations to have isolated environments for the work they do for their big customers.
- Find a great channel partner for APAC and possibly North America.
- Continuously improve and enhance our escape methods and techniques. We believe there is a lot of uncharted territory to be explored and researched within our problem domain of network leak detection.
What are the biggest challenges you’ve faced and obstacles you’ve overcome? If you had to start over, what would you do differently?
One of the issues we keep bumping is what kind of environments to support. Our pilot customers were in critical infrastructure, energy and utilities domains. They needed our system to run on a hardware platform that they could physically distribute around their networks and e.g. electrical substations. But soon after we started getting request for being able to run within virtual private cloud (VPC) as AWS native AMI, in Azure, in Google Cloud, in Digital Ocean, on local hypervisors such as VMWare and KVM, or if we’re available in Docker Hub — the list goes on. It has certainly been hard to tell people “no, not yet”.
I want to also mention an issue with terminology. Since our product is taking a new approach to a known problem, there really isn’t established terminology in common use which would make it easy for people to associate us with something familiar. Instead, there are all kinds of technologies and terminologies we often get confused with— some of the leading ones being data loss prevention (DLP) and data leakage detection and prevention. These are typically more of an intelligent access control lists or monitoring of network traffic, whereas we are actively trying to escape, testing also exactly those types of security controls. Some vendors talk about breach simulations and kill chains, where of course our technology is crucial in cutting it early but we have tried to keep our message even simpler. Words and terminology do matter, and if we were able to rewind a year, I think I would work even harder with our terminology and story around it. Currently we are quite happy with network leak detection and think this appropriately describes what our product does.
Another thing that is, of course, easy to say afterwards, but if we were able to start all over — we would move even faster, hire more and earlier and ramp up things faster.
Have you found anything particularly helpful or advantageous?
By far the big advantage has been versatility of our team and understanding of the problems being faced by our customers. We know the challenges, having dealt with them for 20+ years. I’ve seen many of the existing security solutions, their shortcomings and possible improvements when doing Red teaming or Blue teaming in exercises or regular pen tests. This means that we were solving a pain point we were super familiar with and we instantly got traction. I think this is to say that sometimes a eureka moment just comes at you, but it’s more likely to happen if you’ve worked passionately on something for extended periods of time while keeping an open mind.
Another thing I want to mention, one of the things almost everyone asks from us is a variety of reports they want our solution to provide. We were super resource constrained last year and weren’t exactly thrilled to put R&D effort to building a reporting framework. Luckily we found out that some of our early customers were using centralized logging and SIEMs to eventually process our alerts. We have another Mikko in our team — and he happens to be a Splunk and SIEM expert and was able to build us what customer desired completely leveraging their existing security investment, Splunk in this case. This experience has encouraged us to further integrate with and embrace infrastructure customers already have. Moral of the story — if you don’t have to build it from scratch — don’t.
What’s your advice for entrepreneurs who are just starting out?
I mentioned YC startup school already, but I really want to give them a shout-out: many of the lectures and internal goals it made us set were super useful. We had been thinking about many of the topics already but hearing experienced people to share their advice helps when you have hard decisions to make and far too many options to distract you with.
Above that, I feel it’s important that right from the beginning you get into the right mindset where you don’t cut any corners, set up payroll, and use certified accountants. Make it full time from the get-go. Build a strong culture with your team and assimilate new comers, don’t blindly trust outside experts to tell you how you should run your company or what sort of values you should have. There’s a lot of people who ‘know’ how you should do things, but not so many that have actually done it, or are willing to substantially commit in helping and supporting the course they’re advocating for. This relates a bit to chasing buzzwords — for example we don’t have Machine learning (ML) or artificial intelligence (AI) on our roadmap. We spent time studying and analyzing AI and ML to find out if they would help within the problem domain we’re helping to solve. We currently think we can achieve really good results without them.
Pick your co-founders well — it’s kind of like marriage. Trust is everything. In this regard, we don’t really like the advice that many have been giving lately about founder vesting for early-stage companies. Common reasons given for founder vesting is that it allows company to reclaim stock if things go south between founders. But when you’re starting a company, you need to make things work. Period. In bad times, and in good times. We may not be able to avoid founder vesting if we ever raise VC capital, but until then, we will be founder-vesting free. You don’t want someone to nominally hang around just to get their vesting done either, there has to be other means to resolve such an unfortunate situation.
Lastly, remember to manage the expectations at home. When you have kids and a spouse, you need to talk a lot so that everyone knows where things are. Think about it this way, in the early days of your start-up you’re spending all of your time and thoughts on your company and product while you are churning through your family savings or your spouse’s income. Family is your most important support and needs know how things stand so that they can support you the best they can.
Where can we go to learn more?
You can also follow us on social media: we’re on LinkedIn and Twitter. If you have any questions or feedback, leave them in the comments section below or email firstname.lastname@example.org — we would love to hear from you.
If you’re interested about some of the cooler escape methods we’re using to detect network leaks, I did a presentation about some of them in Disobey Security conference in Jan, 2018.
For your convenience, here are the links: