Slavik Markovich (CEO), Dan Sarel, Guy Rinat, and Rishi Bhargava
Accel, ClearSky, Greylock Partners
Demisto was founded just three years ago. During this time, it has managed to hold three financing rounds led by three major funds, to enlarge its customer base by 300% last year and probably much more than that by the end of 2018, and to almost triple its workforce, from 50 in 2017 to 140 today, an expansion that is projected to continue.
The company says that it needs almost no marketing efforts, because "the customers are knocking at the door." Demisto is now preparing for expansion from the US to countries on five continents. Is this because the company's solution is very well adapted to the market's needs, or because cyber threats are getting worse? Apparently both.
When people at Demisto try to explain exactly what their cyber defense technology is, it's hard for the average listener to understand them. In technical jargon, it is called security orchestration, automation and response (SOAR), which makes it possible to operate different cyber defense systems through a security operations center (SOC). But then they relate the complaints they heard from enterprises that led them to found the company: thousands of daily attacks, too many tools that are supposed to deal with them, and too few employees who can operate them. The solution is a system that responds to attacks rapidly and as automatically as possible.
Demisto's system is designed for large enterprises, such as the dozens of Fortune 500 companies among its 120 customers. The system is capable of distinguishing between small and large-scale attacks, between one-time and constant attacks, and between annoying and really dangerous attacks. With the system's help, an enterprise's security personnel can detect the problem quickly, classify it, respond in the best way, and later diagnose the damage, if any, and take recovery measures. The system uses prepared playbooks, bots that carry out some operations through voice activation, and a system of data storage and deep learning.
Slavik Markovich, Dan Sarel, Guy Rinat, and Rishi Bhargava founded Demisto in 2015. Four years before that, Markovich sold database security company Sentrigo to US giant McAfee for $50 million and went to work for McAfee, together with Sarel and Rinat. At McAfee they met Bhargava, who joined the company when it acquired US company Solidcore in 2009. All four of them had experience in a number of technology companies, and were badly infected with the entrepreneurship bug.
What made you leave a large company like McAfee for another startup adventure?
Markovich: "It was probably mainly boredom. In a large company, moving things with enough agility and quickly enough isn't easy, and we wanted to found something new that would be ours."
Sarel: "In our work at McAfee, we saw the problem that we're solving now. We went to customers who experienced a serious attack, and saw what a mess followed it. Everyone said that there were too many events and security tools and not enough people. We went through an orderly process of interviews with customers, understood in depth what they were doing and what tools they had, and how much they needed a product to put things in order. But now our product doesn't just put things in order; it makes a revolution."
There are so many technology companies in cyber security. How do you make customers prefer you?
Markovich: "There are other companies that automate processes, but they work behind the scenes, and there are companies that help make decisions, but they have almost no automation. We connected the two things and created a unique customer experience. Another advantage we have over the others is the use of machine learning to study the enterprise and help it respond faster. We offer simple insights, such as which security analyst is the most suitable for a given task, and more sophisticated insights, such as identifying the next necessary step following an event."
Sarel: "We did a test case with one of our large customers, and they concluded that we save them $500,000 in an ordinary year, which is more than they paid us. There were also cases in which security centers succeeded in detecting and dealing with only 10% of attacks. With the help of our system, the percentage rose to 90%, which means that the enterprise's CISO sleeps better at night."
Aren't you afraid that automating the work will make hackers able to predict what an enterprise will do?
Markovich: "We don't believe, at least not right now, that the machine can replace the security analyst. The scenarios that we are developing are a combination of automated and human elements. In the end, the analyst makes the decision. It's true that we streamline the process, but we don't replace the human factor. A lot of analysts like our bot: instead of writing a command and getting a response, you talk with another entity that helps you."
With time, the hackers are becoming more sophisticated, as are the cyber defense systems. The question arises whether a day will come when not even systems like Demisto's are enough, because the artificial intelligence of criminal organizations will be more sophisticated than they are.
Markovich: "Really, when we talk about machine learning, we're usually talking about our side, about defense, but the hackers are doing exactly the same thing from the other side. There's a kind of balance here that's very asymmetrical, because you need to get it right 100% of the time, whereas the attacker only needs to succeed once. But if you make your customer a difficult nut to crack, it becomes not worthwhile for the attacker, so we concentrate on detecting break-ins as fast as possible. I don't see this situation changing in the near future, and we're still ahead of the attackers' capabilities."
But quite a few ransom attacks succeed, and organizations have to pay to regain access to their data.
Sarel: "As an industry, some of where we went wrong is that for 20 years we thought only about how to detect attacks or how to prevent them, and not enough about how to recover from an attack. This was one of our first insights: eventually, if someone really wants to, he or she will succeed in penetrating. Then you are judged on having detected the break-in as fast as possible, understood what happened, and responded. If it's a ransom attack, you have to check whether the customer has backups and the information can be reconstructed. Sometimes there is no avoiding negotiations with the hackers."
How do you negotiate with virtual attackers?
Sarel: "There are people who specialize in it."
Markovich: "What's important for us is to identify the type of attack, check whether there is a solution, and if necessary, call for an external consultant or take other measures."
What's the next stage? Where is Demisto going now?
Markovich: "Right now we're expanding into other areas of the world: Australia, the UK, Germany, Singapore, and South America. Next year we'll pass the 200-employee mark. In the area of the product, we'll expand to everywhere there's a security processing procedure. The company's promise is that we'll be the operating system of enterprise security - the main brain that helps manage all of the defense systems in an enterprise."
You raised $43 million this year. Will we see more financing rounds soon?
Markovich: "We don't expect this scenario in the next two years. Even now, we raised money because we could, not because we had to, but it was a respectable amount that should last until 2020. The plan is to continue making the company grow until it holds an IPO, I hope in the not too distant future. We think that we can build a large independent company, but of course, if the right offer comes along, it could be an interesting conversation."