Cryptography & Startups: Insights from CipherStash’s Dan Draper

Cole Cornford:

Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. Today, I’m joined by Dan Draper, the CEO of CipherStash, a company that solves in-use encryption challenges so that people can’t look at the records that they’re working with if their data scientists are working in a CRM. I think this is really good idea to limit the blast radius of a breach.

I think it’s a super interesting topic. I’m not a cryptographer, so it’s quite eyeopening for me to learn from him here. Lots of other things we’ve covered, such as why it’s important as a founder to choose hard problems, to create a moat, how to raise capital, and how to think about investors not just as the ability to earn money, but also why it’s important to raise capital from the right people, how to be an engineering leader and plenty more. Anyway, without further ado, here’s Dan Draper. And I am here with Dan Draper, CEO of CipherStash. How’re you going, Dan?

Dan Draper:

Good, thanks, Cole. How are you?

Cole Cornford:

Mate, today it’s sunny, it’s beautiful outside. Last week I was in Canberra, and it was negative five degrees when I left my hotel, but it feels like when I wake up every morning that it’s still negative five because my house just doesn’t have any insulation. It’s awful.

Dan Draper:

Yeah, I’m exactly the same.

Cole Cornford:

What’s with Australian housing? They just don’t think about making it warm at all.

Dan Draper:

I know, it’s really strange. My wife and I have a very old… 1865, I think this house was built, and I don’t think they had any idea how to think about the elements when they were building houses in those days. It’s so cold.

Cole Cornford:

I don’t know. I always tell myself a lie where I’m like, “I’m going to get up and I’m going to be very productive at 5:00 or 6:00, and I’m going to catch up on all my business administration in the morning,” and actually, it’s just the alarm goes off and it’s like, “Oh, it’s warm in my bed. It’s warm in my bed. It’s warm in my bed.” And then-

Dan Draper:

Yeah, it’s warm. Exactly.

Cole Cornford:

… I just end up getting up at 7:00 because the baby wakes up, and everything goes to shit at that point. But I’m always like, “Ah.” But anyway, I shouldn’t complain all that much because we’ve got nice weather the rest of the year, right?

Dan Draper:

Absolutely.

Cole Cornford:

So, Dan, maybe you’d like to tell my audience a bit about yourself and where you came from, because I know you’re CEO of CipherStash nowadays, but how did you get into cybersecurity, and how’d you end up getting over to there?

Dan Draper:

Yeah, it’s interesting. My story is pretty atypical, I think, for this space. I grew up in Adelaide and studied electronic engineering, actually ended up doing more of the computer science element. Electronic engineering does require quite a lot of coding, and just felt myself drawn to that. So, I ended up moving much more into the software engineering side of things, and ended up switching over to computer science in the end. But I had this really strong drive to go and create a business. And frankly, when I was at uni, I had no idea what I was getting myself into, but I always had the motivation to build things and to solve problems for people.

And so, while I was still at university, I went out and started a business with a friend. We did a thing at Adelaide Uni called the Entrepreneur Challenge, this is back in 2002, and we were finalists, and we pitched to investors. It was all fake, it wasn’t real, but we got an experience of what it would really be like. And it helped me understand not only a bit about what business was and starting a start-up was, but also that that’s what I really wanted to do.

And so, after the challenge, my friend and I went and started what eventually became NetFox. Looking back on it now, I would describe it as a security company, a cybersecurity company. We never called it that back in those days, but I don’t think we had the right language and the mental model for it. And so, it was essentially a web internet firewall for high schools. So, high schools would have 500 kids that were all accessing the internet. This is in the early days of ADSL in Australia. Nobody knew how to manage that. Kids were discovering all these crazy things on the internet in the early days of the noughties.

Cole Cornford:

I remember those, man. That’s some good days.

Dan Draper:

They were the good old days, right?

Cole Cornford:

I was probably one of the kids that got around those web firewalls. So, I remember we had this climate change proxy website by, I think it was a guy called Bennett Haselton back in the 2000s. And there was a space, if you clicked on the space, it would allow you to use the website as a proxy to go to access anything else on the internet. And it was just one of those really bad HTML-only pages with no JavaScript on it at all. Everyone looked at it, and they’re like, “Ah, this is fine. This is just all good.” But yeah, there was all sorts of fun things that kids would do. I remember there was a program called AceHide, I think, that would get rid of the icon in the start bar about the video games that you were playing.

Dan Draper:

Oh, right. Yeah, yeah, yeah.

Cole Cornford:

Because we were all into, I think, RuneScape and Quake Free and Warcraft Free.

Dan Draper:

Yeah.

Cole Cornford:

So, that was on a shared drive.

Dan Draper:

You were probably one of the kids in the class that was using something like NetFox. Yeah.

Cole Cornford:

I was the worst. I was the worst.

Dan Draper:

It’s funny because I got a taste of what being a blue teamer was like in those days. Once again, we never called it that, but these very smart, very motivated young kids who were probably bored at school, that wanted to try and break through our proxy firewall, and we were constantly trying to find ways to stop them, and they were constantly trying to find ways to get around the access control. So, it was a fascinating experience. And that company, it did okay for a while. We had about 300 schools around Australia. But eventually, honestly, I actually, I didn’t have the experience, and back in those days, I was still very young and I didn’t, frankly, have the motivation. I think it ended up becoming more of a philosophical debate about what content should be blocked for students at schools, and it wasn’t something that really motivated me. And so, eventually we sold that business to a company in the UK. It didn’t make me wealthy, but it was a reasonably good outcome, and I learned a hell of a lot in the process.

So after that, not very long after that, I met my now wife, we decided to move to Sydney together, and I spent several years working for other start-ups, particularly in senior engineering leadership roles, CTO and VP of engineering and those kinds of roles, and got a sense of what it was like to lead a team and to build much, much more elaborate products, but also got some experience with selling to big enterprise companies that were very, very different to selling to a high school. I also got exposed to the fundraising process, which was incredibly valuable, and in particular one of those experiences was with a company based in New York where I went and worked as their CTO for a while, not a cyber company. They were flying private jets from New York to Boston, and they described themselves as, “The Netflix for private jets.” For $2,500 a month, you could fly unlimited on these private aircraft from New York to Boston. It was a really, really cool business, but a very expensive business to run. They made a few strategic errors and eventually went into what the Americans called Chapter 11.

Cole Cornford:

I was going to say, I imagine that it sounds like a terrible business idea. Airlines, as far as I know, are really hard to even do as a commoditized service, but trying to convince people, “Hey, we’re going to fly between literally one route on special jets that have bugger all passengers,” sounds like a terrible idea to me.

Dan Draper:

Well, funnily enough, it does sound like a terrible idea. It is actually a good idea, but it’s very, very hard to pull off. In fact, there’s a local start-up called Airly that have actually made it work. They’ve got a fairly narrow market.

Cole Cornford:

Aren’t they in Newcastle?

Dan Draper:

Yeah, I think so. Yeah.

Cole Cornford:

Yeah, I’m pretty certain I’ve seen them at Lake Macquarie and Newcastle because I think I met the CE by accident at a fundraising dinner.

Dan Draper:

I can’t remember the founder’s name, but I remember catching up with him when I came back from New York after the failure of Beacon, this company was called, and he went and picked my brains. And hopefully, some of the lessons I was able to share with him helped him in the success of Airly, but they’re making it work, which is great.

But then I worked for the Australian government for a while, Digital Transformation Agency, got exposed to the security folks there, and that really gave me a big taste of cybersecurity. I remember working with one of the, they call them ethical hackers that was doing all the pen tests for the ATO. He shared with me all kinds of interesting insights.

Cole Cornford:

Oh, mate. Literally the exact same time that I was working at the tax office.

Dan Draper:

Oh, interesting.

Cole Cornford:

So, mate, I wouldn’t be surprised if it was Fluff or Fuzz, or sorry, they’re all code names, but I don’t want to dox anyone. But there was a bunch of good hackers at the ATO who are my good friends.

Dan Draper:

There were some very, very good hackers at the ATO. So, we got to work with some amazing security engineers, people that knew a lot more about this world than I did. And it took me a little while to realize that I knew that I didn’t know a lot about vulnerabilities and some of the more cyber specific concepts in technology, but I realized after a while that a lot of my experience was very, very relevant to it. I just had to fill a few gaps. And so, I started filling those gaps over the next few years, and one of those big gaps for me was the area of cryptography. I became absolutely obsessed with cryptography and even did, it’s actually available on Coursera, but Stanford’s graduate course in cryptography you can do on Coursera. After doing engineering, I would say cryptography was the hardest study I’ve ever had to do. Very, very math heavy, but so rewarding.

Cole Cornford:

Mate, did you do extended Euclidean algorithm and Chinese remainder theorem and-

Dan Draper:

Oh, all of that. Yeah, yeah. Yeah, totally. Yeah. Lots of probability and statistics. So interesting.

Cole Cornford:

Ah, yeah.

Dan Draper:

What really got my interest was the idea of searchable encryption. And searchable encryption, and we’ll get to that shortly, perhaps, is what underpins the work we do at CipherStash. But I had a couple more steps in the journey before we get there. I worked for a company called Expert360. We were selling to very large Australian corporates, so big banks and insurance companies and so forth. And as I’m sure any one of your audience who’s listening has worked for a company selling to those kinds of companies, or on the other side, for that matter, knows the rigor and arduousness that these companies put their vendors through, vendor assessments and so forth. And we really struggled with that for a while, and I was frustrated that I felt like technology could help us solve the problems more effectively. So, that was one data point.

I worked at Expert360 for three and a half years while I was studying cryptography, and then right before the pandemic hit, I went and worked for a health tech company called MedicalDirector, who were acquired by Telstra Health a couple of years ago. I mean, I’ll tell you what, working in a healthcare company right as the pandemic is hitting was a baptism by fire, to say the least. But it really opened my eyes to the data security challenges in healthcare and in particular the level of access that everybody in healthcare has to patient data. It was really quite alarming, and I wasn’t even necessarily coming from an InfoSec background. I was learning a lot about InfoSec, but that wasn’t my main experience. It blew me away just how many people had access to patient records, and I wanted to do something about that. And as I was sitting at home, as everybody was locked down over COVID, reflecting on my life choices, I decided I wanted to take these two experiences, the cryptography and the experiences I had at Expert360 and MedicalDirector, and create a company. And that eventually is what became CipherStash.

Cole Cornford:

I tell you, it’s a really interesting journey for me being able to have such a heavy engineering background coming into being a founder. Most founders I find in the cybersecurity industry come from being in security and seeing a gap in the market, whether it’s education or whether it’s just about integration or a different way to do a specific type of problem. It’s not too much about, “Hey, I’m coming from a pure engineering perspective and building something to solve a problem I see.” So, that’s really impressive to me. I also love that you started a company straight out of university. I had that idea. It was an idea. We didn’t actually go anywhere with it. I just called it Check Web, and I was like, “I’m going to build websites.” And then everyone’s like, “Cool. How do we run a business?” And then I realized I didn’t actually know anything about that, so we just parked it. But I’m glad I did not do that. It would’ve been a terrible idea.

Dan Draper:

It’s interesting, though. I’ve had this conversation with lots of people. Clearly, I was very, very naive, and I didn’t know what I was doing. I learned a lot, but in that first business, I didn’t learn enough fast enough for it to be successful. But I do think there’s some merit to when people that don’t necessarily come with a high level of expertise to a new problem, I think there’s merit in how they come to that problem. It’s like, in some ways, if you know how hard the problem is, you might not even try and solve it. Whereas, if you’re coming at it with a little bit of naivety and an open mind as a consequence, sometimes I think you are going to be more successful. In fact, we’ve seen examples of that. Mel Perkins at Canva is the classic example. She admits this. She did not know what she was getting herself into at the time, and had she known, she might not have even tried. But she went ahead anyway, and obviously now Canva’s a great success story. But I think there’s merit to that.

Cole Cornford:

Even for myself, right, I started an AppSec company because I asked my question, “Why is there no AppSec companies? They’re all product companies. Why is there no AppSec consulting companies? It’s really important to do consulting around how to build a software security pipeline correctly, right? Whether it’s doing fret modeling, doing design reviews, doing training for engineering workforces or whatever. Why does no one do this?” And I ended up coming back to it’s because they didn’t think about the business model and how to make it effective, and the lack of capability domestically. And the final piece is it cannibalizes the other business arms of existing players, right?

Dan Draper:

Yeah.

Cole Cornford:

Because if you do pen testing, it means that if you’ve got a good AppSec program going, then you need to raise the bar in the quality of the penetration testers that you hire because they’re not going to find low-hanging fruit, and that means you’re just going to make less revenue. So, it just doesn’t make business sense.

Dan Draper:

Right, yeah, it makes sense. Yeah.

Cole Cornford:

Now, you can replace that for every single part of AppSec, right? If you’re doing observability in the cloud, then you’re not going to necessarily need CM engineers as much anymore if you’re using something like a Datadog or you’ve got Kubernetes with Prometheus and Grafana, right?

Dan Draper:

Totally. Yeah, yeah, I get it. I think the other side of that is that so often the people that understand how to sell and understand marketing and business and so forth haven’t got a clue about our world. And equally, a lot of cyber engineers and software engineers, AppSec, whatever, don’t really understand business. So, it’s rare that you get somebody that can bring these two worlds together.

Cole Cornford:

I got quite lucky because I think I’ve always been pretty good at communicating and being a friendly outgoing person, and so that’s really helped me at business a lot because it means I can build relationships with folk, and it’s never really a problem. And I’m not really scared if someone’s title is CEO, CIO, I just think that they’re a person and that they’re probably nice to want to talk about how good strawberry milk is from the Oak Factory. And generally, they’re a bit disarmed when you have something like that instead of a, “Hey, you’re a CEO, please buy my things,” versus, “Do you like strawberry milk?” And you’d be surprised how often strawberry milk breaks barriers.

Dan Draper:

That’s really cool. I love it.

Cole Cornford:

That’s sales qualification call number one, “Do you like strawberry milk or Turkish Delight chocolates? If you do, let’s have a conversation.” Right?

Dan Draper:

Yeah, that’s your qualification process.

Cole Cornford:

That’s how you do it.

Dan Draper:

Love it.

Cole Cornford:

But I guess when I started my business, I was quite naive in a lot of ways because generally just the places that want application security services are juts large enterprises or the scale up businesses, and it’s quite difficult to work out how to break into either of those markets without a good plan to create a funnel and then sell effectively. And so, I had to learn that over the last three years and did everything else, good and bad. I think that I’ve grown tremendously since starting a business, and I always encourage people to give it a red-hot go because as long as you don’t go too far into debt, you can always pack up shop and come back from it. Starting a business and failing at it doesn’t mean that you’re screwed for life because you still have a lot of skills and, in fact, are probably more employable than people who haven’t had the entrepreneurship journey, right?

Dan Draper:

Totally. Yeah. Straight out of my start-up, so remember that I went from university to doing a start-up, I did have a part-time job at a computer company for a while, but it was just an entry-level job, but after the start-up, I went straight into a CTO job because I had all this extra experience. And like I said, I didn’t have a very typical journey, but it exactly illustrates your point. I learned more and got more experience doing the start-up than I think I would’ve gotten had I taken the more traditional path.

Cole Cornford:

I guess my next question for you, then, is to maybe just talk a bit more about CipherStash and the problem that you’re solving with your business now, right?

Dan Draper:

Yeah, sure.

Cole Cornford:

Because I know that there’s a lot of engineering behind it, and it’s pretty smart cryptographic stuff, so let’s maybe dumb it down for some of my audience who aren’t able to understand extended Euclidean algorithm and so on.

Dan Draper:

Of course. Yeah, yeah. So I mean, obviously, we’re very passionate about the encryption, but at the end of the day, it’s not even really about encryption, as excited as I am about encryption. What this comes down to is about effective data protection and data governance. As everybody knows, data is critical to the modern business, and particularly with this push for more AI, but even just being able to understand more about your customers, it’s critical that you’ve got the right data. But so often having that data either increases risk, puts our businesses at risk, or conversely, we’re not necessarily going after the opportunities that we might otherwise because we’re concerned about the data risk, or one of our customers is concerned about the data risk and doesn’t want to do business with us. That’s a common problem, particularly for start-ups.

And so, at CipherStash, our mission is to eliminate the reasons that data becomes risky, and one of the main ones is overaccess, and the other one is to make sure that we can limit the blast radius when something does go wrong. As most every audience, if they’re in cybersecurity, will know, there’s no such thing as a perfectly secure system. Things go wrong, but how do you make sure that when they do go wrong, it’s not catastrophic? And so, the way that we do that at CipherStash, and this is where we’ll talk a little bit about the encryption technology, but we protect data directly. So, that’s every individual value, say row and a database, for example, with this technique we call encryption in use.

So, if you’re familiar with encryption at rest or encryption in transit, encryption in use is sort of the bridge between those two worlds. It’s keeping the data encrypted at all times, and what that does is it means that the data access becomes deny by default. It’s always encrypted. And so, if someone that’s not authorized comes along and finds this data in a database, or a warehouse, or on a file server, or something, they can’t access it. Whereas, you think about the traditional system, traditional approach to protecting data, if anything slips through the cracks, then it can very easily be accessed by an unauthorized person.

Take that up one step further. All the different places that we store data in, the modern organization, databases, data warehouses, applications, S3 buckets, what have you, every single one of those places has to be configured correctly with the appropriate access controls. And if you miss one or if data goes to a place that you don’t happen to have configured at all, you’re not even aware of it, then you can end up with a breach. So, with CipherStash, we not only make the data access deny by default, we bake policy information into the encryption so that no matter where it is, those policies are there. That means you have to apply policies only once. You don’t have to worry about all the myriad different places to apply those access controls.

The second really big important thing is what we call access logging guarantees. So, knowing when data is accessed is incredibly important, and it often doesn’t happen in the modern organization because, firstly, you often don’t know when something is accessed. It’s hard to record those things, particularly in a database. And even if you do, that will often result in very noisy alerts or noisy logs into your seam or whatever. How do you know what is an alert? If it’s a legitimate person that’s accessing the data, how do you know they’re not themselves compromised? Which is a very common problem at the moment.

And then a couple of stats for you. 75% of US employees have access to more data than they should. Even the people that say to me, I hear this all the time, “Dan, none of our engineers have access to the database.” Well, great, good for you. I don’t think that’s as common as it should be, but even when that is the case, what’s the one thing in your system that does have full access to the database? It’s the application or the API. In order for you to deliver a service, the apps that you have connected to your database need full access. So, what happens if the app is compromised? I mean, you’re an AppSec engineer, Cole, so that’s pretty easy to do, right?

Cole Cornford:

Yep.

Dan Draper:

So, we want to make sure that a compromise of the application doesn’t also result in a catastrophic data breach. So, it’s this defense in depth idea.

Cole Cornford:

It reminds me a bit of… Have you ever heard of Material Security?

Dan Draper:

Is that a company? I don’t think so, actually.

Cole Cornford:

They’re a company that’s in the SF sales pitch. Great work. Aussie people, I think. So, Ryan Noonan, I think. But anyway, his thing is that you get access to a mailbox, and then in that mailbox, if an adversary gets access to the mailbox, you get to read everything. But they’re just saying that we’ve identified all of the things that matter within the mailbox and basically put a layer of authentication to access emails. So, the idea is to reduce the blast radius if an individual’s mailbox gets compromised, right?

So, I think that this is a similar idea. I really like the concept of blast radius reduction. There’s a blog by Phil Venables, who’s the Google CISO, and he just always talks about… He’s like, “You need to make sure you have silos and that those silos are disconnected from each other, and that if one of those silos gets compromised, it doesn’t affect everywhere else.” We know that people love to move laterally between networks and applications and so on. So, whatever you can do to cause the impact of a security incident to be smaller and smaller, it’s huge.

And yeah, data. Data security in general, it’s a huge area. I have lots of people, they’re like, “Oh, look, I got Snowflake here.” And then I’m like, “Okay.” So, I’ve already started sweating, just starting to sweat. And they’re like, “So, we have raw data from 190 different systems that we just dumped in there, and we just tell our data scientists to go figure shit out.” Right?

Dan Draper:

Go for it. Yeah.

Cole Cornford:

And somewhere they’ll say “machine learning” probably. And then I start coming in thinking like, “Oh, well, let’s do content addressable storage so that people can’t look up other people’s addresses, and phone numbers, and names, and credit card details, and so on.” And then they’re like, “Nah, nah, because that will ruin our models.” So, as far as I can tell, there’s a correlation issue, there’s an anonymization issue, there’s an aggregation issue. But even outside of the data science category, going into a SharePoint, going into a Slack channel, going into a Google Drive and seeing all of these different… Documents just pile up. I’ve been in business for three years, and recently I went through and started just eradicating and archiving content, and it took me multiple days. It’s like a really small company. Can you imagine doing that for a Telstra or a Westpac or something?

Dan Draper:

No, frankly, I can’t, and I don’t think that’s possible anymore, honestly. It’s become an intractable problem. You’re talking about Snowflake, and I’m not here to talk ill of Snowflake, but the data warehouse kind of culture is a huge challenge. That idea that you talked about, where we’re taking copies of all of our data, putting it into a data warehouse, and then just storing it forevermore and giving data science access to it, is a huge risk, as we’ve seen play out in lots of recent breaches. Ticketek was likely through that kind of vector. It seems like Medibank Private was likely through that kind of vector, and I’m sure there’s a ton that we don’t necessarily know about.

So, one of the ways that we think about applying encryption in use is in a data warehouse environment. So, if you were to encrypt all of the individual records, use that idea of content addressable hashing that’s a similar sort of concept, that allows you to protect those records, but then how do you enable the data scientists who need to run queries or reports over that data to still do their job? Because none of those queries are going to work anymore if it’s all encrypted. And so, this is where this idea of searchable encryption comes into play.

So, searchable encryption allows an authorized user to still run queries over encrypted data, but now even the queries themselves are encrypted. And so, that means you get a really fine-grained access control over the entire query lifecycle. So, you can say to a data scientist, “You’re allowed to run a query, but you’re not allowed to decrypt the results.” So you can say, I’ll use a healthcare setting as an example, “You’ve got millions of patients in your warehouse. I want to find all patients who are male, live in Sydney, and are over the age of 40.” I can run that report, but as a data scientist, I’m not allowed to access the results. I’m going to send that over to an LLM, and then only at the very last moment is an offline process going to decrypt the records before feeding it into an LLM. The data scientists never saw the data. Now, there’s all kinds of interesting questions that your audience might have and areas that we can dig into around that, but that’s, in a nutshell, what it is we’re building.

Cole Cornford:

I think that that, especially because artificial intelligence is really big right now… Did you find your trip to RSA, and did you go speak to a lot of AI vendors? I think you were over there at RSA, weren’t you?

Dan Draper:

I was. Yeah, yeah.

Cole Cornford:

Yeah. How did you find that experience? Did you feel like you were able to sell to other people who were trying to sell to you?

Dan Draper:

Yeah. Yeah, it’s funny. I do find that we end up selling to other cyber companies quite a lot, and the reverse sale is a real thing, for sure. Anyone that has a ton of data, I mean ton of data generally, but particularly sensitive data, is going to start running into these problems. You want to start feeding it into LLMs and even just very simple machine learning models, that’s a huge risk.

But the problem has existed for a long time, even before everyone got excited about AI. We’ve got a marketing automation customer that he’s actually got quite a small company relatively, but they have hundreds of millions of customer records, and they’re just email addresses, names, phone numbers, addresses in some cases, not super sensitive, like not financial information and not healthcare information, but there’s so much of it and it’s so prevalent that it makes them a big target. And so, they’ve got to think very carefully about how they’re brokering access to that data within their organization.

Cole Cornford:

Yeah, it makes sense to me, because if I think about marketplace players or, if you like, let’s say recruitment agencies, right, if you have a recruiter and they’re able to just make exports of a bunch of different data or look at different accounts that they’re not supposed to be looking at and work out who the decision-makers are, then they can go, move from one job to the next job, and basically take access to the phone numbers, contacts of the clients that they care about and the candidates that matter, and that’s a really big risk. And that’s just in recruitment, but I imagine that basically any professional services organization is going to be in the same boat, right?

Dan Draper:

Yeah, totally.

Cole Cornford:

I would care about my HubSpot instance. If someone’s like, “Here’s a list of all tech companies that Cole talks to. We’re going to go sell AppSec to all of them, and we’ll just undercut Cole by 20%, right?” I don’t think it will happen.

Dan Draper:

Absolutely. Yeah. What you’ve talked about there is the classic insider threat problem, I guess, where some malicious insider, maybe they don’t even think of themselves as malicious, they’re like, “Oh, I’m going to take some of that data because that’d be handy in my next job,” but technically that’s a data breach, and in Australia, that should be reported to the OAIC. Most people probably don’t. And that’s certainly a case we think about.

The other case, which is thankfully, well, thankfully for the assessment of employees is a more common example, the insider threat is not that common, is when an employee has access to data, but they themselves are compromised. And so, this is a very common one. See it with so many breaches on the web where people’s credentials are already out there, so credential stuffing becomes very straightforward. Phishing is still such a massive problem, and it’s on the rise. I honestly don’t think we’re ever going to solve phishing fully, frankly.

So, how do you deal with a case when somebody is compromised and they’ve got access to the data warehouse, or the database, or what have you? One of the ways that we think about it is attaching the identity of the user to the data access. So, we call it data access monitoring. So, it’s the idea that if Cole is accessing a bunch of patient records, use the healthcare example again, we know exactly, well, not we, but our system knows what you accessed, where you were when you were accessing it, and how that compares to what you normally do when you access data.

And it turns out there was a paper published by Amazon a few years ago that we’re now incorporating into our stack. It’s this idea that when somebody runs a query, it’s not the query that they run that’s interesting from a data anomaly point of view, it’s what they access that’s interesting. And so, if you’re typically accessing a handful of patient records and then all of a sudden you access like 14,000 of them in the space of five minutes, that’s a huge alarm bell. And so, what we can actually do is cut off that access. We can send the 2FA authentication request, or we can simply just block the request entirely as soon as something looks a bit fishy. And because we’ve got identity available, we can get so much more powerful information about whether or not that access is legitimate.

Cole Cornford:

I like the heuristics analysis. I’m starting to see that a lot in cloud security, posture management, and application security, and API security where effectively there is a log of all of the things that were happening previously and stored in some kind of data lake, and then you would understand what the normal behavior is for business logic for that API, that application, the endpoint, whatever. And then the software to kill the software, whatever it is, then helps make decisions about solving those kind of problems.

Dan Draper:

Totally, yeah, yeah. The logging is just one half of it, right? Yeah.

Cole Cornford:

Yeah. But I feel that that’s super cool, though, because it means that you’re taking this problem that is reasonably intractable, which is hundreds of billions of lines of log files associated with people legitimately accessing things and then saying, “Now, here’s the behavior, what they would normally be doing on a day-to-day basis.”

Dan Draper:

Right.

Cole Cornford:

But I guess the one thing I’d worry about would be long tail, right? So, if you come across someone who, once per annum, he says, “Ah, crap, I need to go look at what my last IAS was because I don’t know how much tax I need to pay,” how do you deal with those once-off pieces that just happen so infrequently for different users? Does that come up often, or is that by exception?

Dan Draper:

Look, it’s typically by exception. I’m not yet so convinced that AI can be completely unsupervised. I think there’s still going to be-

Cole Cornford:

I don’t think so, I love artificial… There was a website back in the day called the Internet of Shit, and I’m going to say that there’s going to be an Artificial Intelligence of Shit website as well where they just create all sorts of… If I see another freaking product thing that just says, “In today’s ever-changing cybersecurity landscape,” I’m going to literally vomit inside. It actually kills me. I just-

Dan Draper:

Yeah, I feel you. Surely there’s a meme there somewhere. Yeah, look, I mean, it’s impossible to catch everything. We think of it as firstly reducing the likelihood that you’re going to miss something by having a much, much smarter system and having human interaction as a backup. But then there’s a sliding scale of things that we can do. The very first end of the scale is if something looks a bit fishy, but we’re not 100% sure it’s all based on the score, we can do something very simple like slow down the transaction so that because we’re integrated into the database, we can reduce the performance of the query. If the activity continues, then because we’re integrated with the identity system, we can send a two-factor authentication request. 2FA is still, as simple as it is, one of the best ways you can protect access to your systems. And so, if the person passes the 2FA request, then chances are they’re legitimate, but if the activity still looks weird, then you can flag a human and maybe even block the request entirely.

So, it’s a sliding scale, and all of that kind of history of the event is included when you notify a human. So, they can look at that in a very informed way and make a decision. Whereas, you contrast that to so many of the other events and notifications that you get out of a seam, it’s very, very noisy and hard to reason about. And our goal is to not eliminate the seam, but to make sure that what we are firing off to the seam is really something that the user should pay attention to and they have the information associated with that event to make a reasonable decision.

Cole Cornford:

What I really like is that you’ve thought about the user experience of interacting with a product here, and you’ve gone from shadow-banning and rate limitings all the way up to enforced MFA or a process to just actually block someone. And you’ve been considerate that instead of… Because most of the time when I encounter something that makes decisions about stuff, it’s usually black or white. So it’ll just say, “Yep, this looks malicious. We’re going to block it,” instead of, “We’re going to start seeing how things are and making educated guesses about stuff and letting other people build it in.” I see it all the time with WAFs. WAFs is a classic example.

Dan Draper:

Absolutely, yeah. Sometimes I get so angry with WAFs. I had a VPN turned on. I forgot I had my VPN turned on, and I was doing a transaction. It got flagged because I was doing a transaction from another country. And it was legitimate, I just forgot to turn my VPN off. So, you don’t necessarily want turn things off immediately. But I think the difference is with a financial transaction, you’ve only really got one shot. If you don’t deny the transaction and it goes through, well, the damage is done. In a data breach situation, it’s obviously you don’t want any data leaked, but it’s much more of a sliding scale. The difference between a few hundred records being leaked versus a few hundred million records being leaked is significant, and you’ve got a few opportunities along that sort of lifecycle to make decisions and to cut it off and to reduce the impact. It’s not as black and white as maybe a financial transaction might require.

Cole Cornford:

So, I want to shift gears away from the tech and move over back to business a bit. Let’s talk about how you went about starting your company and getting initial fundraising, because I know a lot of people are keen… Right now, it’s a little bit of a winter for founders, and it’s hard to raise funding, but I think that also this is the perfect time to be raising funding because then when the winter passes, you’ll have a company set up, ready to go. Just got to have a really good compelling story and pitch to be able to get that. But what do you think? How would you go about considering where the economy is right now to go about pitching and fundraising?

Dan Draper:

Totally, yeah. I mean, it is a lot harder at the moment, for sure. But a lot of very successful companies were started in downturns, and the reason is very simple. It’s because if you can make your business work in a downturn, then you can make it work very, very well in a good market as well. So, it’s a very strong litmus test, I guess, of the value prop that you’re creating. So my journey, I mean, when I had my first company in Adelaide in the mid-noughties, there was no such thing as venture capital in, well, barely even in Australia, let alone in little old Adelaide.

Cole Cornford:

Let’s talk about Adelaide’s got the silver balls. That’s about the best you can get.

Dan Draper:

Yeah. I mean, certainly, it’s doing a lot better these days as a start-up ecosystem, but certainly back in those days, there wasn’t much going on. So, we raised money from some angel investors, and in hindsight, I look back on that. We didn’t raise anywhere near enough money. Fast-forward to 2024, I look at the venture capital ecosystem in Australia, and it is night and day compared to what it was back in those days.

A lot of people complain about the lack of capital in Australia, but I’d say it’s actually pretty good. The biggest challenge is that the VCs, for the most part, are generalist and not specialist. And so, that changes the conversation that you have with them because you’re not going to come up against somebody that’s got, typically, occasionally you might, but more than likely you’re not going to come up against somebody that’s got deep technology experience or deep cyber experience. And so, you’ve got to find a way to present your business case in such a way that the generalist investor gets it. They understand what you’re trying to achieve.

And so, my particular journey, I met quite a lot of the investors of the companies that I was working for. So example, Airtree was one of Australia’s biggest and, in my view, best funds, and they invested in Expert360 where I was the CTO. So, I got to meet some of the investors there. And as I was thinking about starting CipherStash, I reached out and I just asked if they’d be open to having a coffee with me. I wasn’t looking for money at that stage, I was just looking for advice, get some feedback on the idea.

But the reason I think that the investor was willing to talk to me was because we already had a relationship. And I realize that’s super hard for folks that don’t have a relationship with an investor, but what I say then is go and talk to founders, go and talk to people who work in start-ups, immerse yourself in the ecosystem. There’s plenty of events in Sydney and Australia these days. South by Southwestern Australia now we’ve got the Sunrise Festival. There’s local meetups and so forth. I think it’s just a matter of starting to get yourself into the ecosystem so you can start to meet the right people.

Startmate and other accelerators are also another great way to meet investors. We actually did the Startmate program. It was super valuable, got lots and lots of exposure and contacts. But then what happens with us, and I think what tends to happen with a lot of founders is once you’ve got a few investors on your cap table and you start to build that relationship, then they can help you meet others. And so, I was introduced by Airtree to an investor in the US in Palo Alto called Nexus Venture Partners, and then they decided they wanted to invest, and so then they introduced me to more investors, and it sort of just grows from there. But getting that first relationship is so critical to the fundraising process.

Cole Cornford:

That’s what I mean. I always tell people that you just got to go out there, you got to go meet lots of people, you got to be proactive. People don’t come to you and just say, “Hey, I’ve got money. I want to buy you,” unless you’ve got a very specific brand already. And by the way, to get that brand, you have probably had a successful business or have some level of notoriety elsewhere, so you won’t have this question in the first place because people will come to you. But for the majority of start-up founders, you’ve got to get out there, right?

Dan Draper:

Totally, yeah.

Cole Cornford:

So whether it’s a Fishburners or Tank Stream, just pitch events, all of the universities have accelerators, go chat to all of them. My local uni does I2N, which is the Innovation Network or something. So, I just go and have a look and see what other people pitch. There’s no cyber in there. It’s all like handheld bottles of water that decompose and interesting circular economy things, but get ideas and go meet other founders, especially successful ones. I feel like founders are absolutely willing to have a conversation about how amazing and terrible it has been to start a business at the same time.

Dan Draper:

Yes, totally.

Cole Cornford:

They’ll tell you everything. They’ll be open. So, just go do it. Don’t be afraid, if they’ve got CEO on their title, to just add them and say, “Hi, I’m thinking of starting a company. What do you think I should do?” Right?

Dan Draper:

Yeah, absolutely agree. Most founders are super busy, and it’s hard to get their attention, but equally, most founders know how hard it is to start a company. Certainly, I speak for myself, and I know a lot of my founder friends have said this as well, it’s you feel like you want to give back a little bit and provide some advice, share some lessons. I think it’s really valuable if you can find somebody that is willing to do that for you.

We’ve been actually very fortunate at CipherStash over our last three and a half years of our existence. We have had a lot of investors reach out to us. I think there’s a few reasons. I think we’ve got some interesting tech, and most investors will recognize that if it is successful, it could be a very, very big business. Of course, like any high-tech business, it’s high risk. That’s good for a lot of investors. But then also we’ve done a lot of promotion of the company and in ways that is appealing to investors. So, we use things like Crunchbase. We’ve flipped up to the US, or in our American company, and we had to do all of our filings with the government, and so that attracts attention for investors.

But one thing I would say, if you are lucky enough to get an investor reach out to you, it can be not quite as good as you think. You’ve got to be careful, mainly because what a lot of VC funds will do is they’ll get very, very junior analysts to go and find companies that look kind of interesting. They’ll reach out, they’ll get you on the database, they’ll have a call, but then the senior investor or the partner or whatever is not interested whatsoever, and so you’ve just wasted a bunch of time.

So, I’m very careful now when investors like that reach out. How senior is the person that’s reaching out? Look at the fund’s website. Do they have a portfolio that gives you an idea of the kinds of companies they want to invest in? The right stage. Are they early stage, late stage? Do they say anything about what size checks they write? Even going as far as trying to understand who are their limited partners? Who are your investors’ investors? In Australia, you have a lot of superannuation funds invest in VC funds. You have some high-net-worth individuals. Who are those high-net-worth individuals? Are they people that can help you? There’s all kinds of interesting things that you, as a founder, should be doing to learn about potential investors before you take their call. It’s got to be a two-way street, and I think that, being discerning about the investors you speak to, actually will give you a reputation that you’re somebody worth talking to. So, this stuff really can self-perpetuate.

Cole Cornford:

Yeah, that’s one of the things I think… I always think about marketing qualification, right? But I guess it makes a lot of sense that the people who are investing in your company, they’re going to be there for the long term. They want to see you succeed. But you want to make sure that you partner with people that have shared values or they have favorable terms for you both, that are going to work with you, not just have you as a 2% of their portfolio, they don’t really care if it does well or badly. You should be spending the time where you can to validate that they are someone you… And also that you want to work with. A big part of it, I guess, is if you don’t get along with the people that are investing in your company, I don’t know, that sounds like a terrible marriage, because it basically is.

Dan Draper:

Absolutely. Yeah, yeah, it is. And if business goes well, you’re very likely going to be spending a long time working with your investors, so you want to make sure that you’re aligned. I have three tiers for investors that I think about, and it depends on the kind of investor they are and their motivation. Level one is, and this is the best, is the investor that’s got cash and expertise, and they’re willing to share that expertise with me, and they can take time out of the day, take me for lunch, or get on a call, or whatever. That’s by far the best kind of investor.

The next best is somebody that is willing to give me cash, invest in the company, and hands off, leave me alone. And they’re actually great as well, not as great, but they are much better than the third option. And the third option is when you get cash and you get an investor who’s very, very involved, but is not the right person to help your business. Either they don’t have the expertise, or they’re not aligned in terms of your values, they don’t have the same vision for the company. That’s the worst situation to be in.

I’ve only had that a couple of times in my career, but it is very, very stressful, and it’s terrible for the outcome of the business because if you can’t negotiate with that investor and you can’t find a way to work together effectively, then you’re going to end up in a lot of pain. And it can lead to burnout, it can lead to the business failing, can lead to investor disagreements, all kinds of problems. So, I would go with that tier. And I always try and go for level one, but if I can’t get level one, if the person doesn’t have the right expertise, I try and find just… People call it dumb money, but it’s cash to help accelerate the business. And that’s much better than somebody that he wants to get involved that doesn’t know how to get involved.

Cole Cornford:

Well, there you go, guys. If you want to learn all about fundraising, you should hit up Dan. Hopefully, he will give you some of his time while he’s not building his business and being a successful entrepreneur.

We’ve got two questions to wrap up the interview today, Dan, these are just quick ones for you, so hopefully you can give us some bites of knowledge to our audience. So, first one is best purchase for under $100?

Dan Draper:

That’s such a good question. Do you know, this is very personal and it probably doesn’t make sense for a lot of people, but for me, I bought this wireless Logitech vertical mouse. I spend a lot of time on a computer, and like many people, especially as you get a bit older, end up with really bad RSI. I like the fact that this is a Bluetooth mouse, so I take it traveling, and I can use it with my computer from a distance. But also, it’s got a little switch on the bottom of it. I can pare it with all three of my laptops, my desktop, and my two laptops. So it’s like, honestly, I can’t believe I’m saying a mouse to answer your question, but this is one of the best things I’ve purchased for under a hundred bucks in ages.

Cole Cornford:

You’d be surprised when people answer that question. Often, it’s something that just gives them joy, like the small amount of joy in their life that they would… Maybe it’s the pot plant. For me, recently, my wife spent $12 on a Le Creuset coffee cup. It’s just very expensive for a coffee cup. But every time I pick it up, I’m like, “It’s hefty, it balances well, it makes me feel like…” And I have double espresso every single morning.

Dan Draper:

Awesome.

Cole Cornford:

So for me, it’s just like, “This is nice. I like this.” Right? So yeah, those little purchases make your life just so much better.

Dan Draper:

Totally, yeah. Sometimes it’s the little things. Yeah.

Cole Cornford:

Go and get a vertical mouse.

Dan Draper:

Not sponsored.

Cole Cornford:

Not sponsored by Logitech yet, but if you do, hit me up. All right?

Dan Draper:

Absolutely. Yeah.

Cole Cornford:

Second question is best book to give someone in cybersecurity?

Dan Draper:

Oh, that’s a really hard question. I’m very, very biased. So, I’m going to talk about a topic that I’m very passionate about. The topic of searchable encryption is a very dense one, and it is, I would say, very, very hard to access unless you’ve got an applied math degree or you spend a lot of time studying it. It’s very, very dense and hard to access. But I came across a book recently that’s available on Amazon. It’s literally called Searchable Encryption. It’s written by an academic, and there’s lots of references to papers in there, but it’s very accessible. The author manages to boil it down to terms and explanations that are much, much more accessible to the average… I would say you’re still probably good if you’re an AppSec engineer or a practitioner in some way. But I think it’s really, really interesting technology, I wish more people understood it, and this book is a great way for more people to get a handle on it.

Cole Cornford:

All right. There you go, guys. Go look up Searchable Encryption by…

Dan Draper:

Oh God, I don’t know the author now. Let me find out who the author is. Hang on a sec. So, it’s by two authors, Kui Ren and Cong Wang. I’m probably not saying that name right. I actually don’t know them as authors. I think they’re some researchers in the space, but the book is really, really good, and they talk about a lot of concepts that are very important to searchable encryption generally.

Cole Cornford:

All right. Well, I think that’s all the time we’ve got today, Dan. So, thank you so much for coming on the podcast, and I hope that you have a wonderful weekend.

Dan Draper:

Thanks so much for having me, Cole. I’ve enjoyed the chat, and likewise.

Cole Cornford:

Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.