Interview With Tomás Byrnes – ThreatSTOP

Aviva Zacks Aviva Zacks

In a recent interview with Tomás Byrnes, CEO and Founder of ThreatSTOP, Aviva Zacks of Safety Detectives asked him about his motivation to start his company and what keep it ahead of its competiton.

Safety Detective: What motivated you to start your company?

Tomás Byrnes: I was solving a problem I had. I was running a site that had all the tax returns for private foundations, which are mostly high net worth individuals, in the United States. The biggest reason we were doing it was to make it so that people could search for grants. It was called Grantsmart, now owned by NOZA Search, which is a resource that’s used by people looking for charitable grants. We took all of this tax data that the IRS had and made it available online. We indexed it to allow people to look for grants.

But we were under attack all the time because hackers thought they could get the social security numbers and signatures of the foundation owners since those are part of the tax return. Now, they couldn’t, because we blanked those out before indexing, and the system that scanned to find those things, blank them, and the index was not connected to any network, but that didn’t stop them from trying, hard. In order to defend against this, I was using an early version of what is now called Threat Intelligence to block connections from IP addresses that had attacked other sites. This was the DShield project, started by Johannes Ullrich at the SANS Institute, and an offshoot of it from SRI called Bothunter, as well as a couple of other sources. I was taking this data, which was one of the first-ever threat intelligence systems, and turning it into blocklists on our firewalls, to protect this database of tax returns. It was a lot of effort and risky if you got it wrong. There wasn’t any dependable automation.

Check Point had put together a project with DShield to take the data and put it into Check Point firewalls using an SSL certificate, but they hardcoded the SSL certificate so when the certificate expired, that broke.

There was a project that was part of Snort, AKA SourceFire, now a part of Cisco, called SnortSam which was to take data that you had and put it into arbitrary firewalls, but it would break because it had a local SQL database and if anything happened in updating the data from the input to the firewall, the firewall rules would get completely messed up. So I was spending one to two hours a day on something that was a charity doing manual firewall rule maintenance, which, if you’ve ever done it, is a really painful job. I figured that there had to be a better way.

I hit on the idea of using a DNS lookup to update the access control list. That’s where the idea that would become ThreatSTOP came from.

I filed a patent on the process just because I’ve built successful companies before, so I knew that’s what you do when you create intellectual property, just to protect it so that whether you charge for it or not, nobody else can stop you from doing it. And next thing I knew, a lot of people were using it. We were doing it as an open-source project as part of DShield.

And at the same time, the United States Department of Homeland Security had an SBIR grant solicitation out asking people how they would do a collaborative network defense, how were you going to create a system that allowed people to share information with each other in an anonymized way so that you didn’t know who the victim was but at least they could share information dynamically to help protect each other. We applied for and got that grant and that was what we used to fund the company.

Like everything in a startup, it takes longer than you think to actually get it to work. From the time that it was a prototype until we were able to really have a product that could be sold took almost 3 years. We got the grant at the end of 2010 and it took us until the end of 2012 to have a minimum viable product. Our first real marketing started at the time of RSA in 2013.

We started with DShield and 3 other open-source feeds, and now we’re up to 850 different data sources. We have our own security research team in Israel. We have customers all over the world, including some large carriers, and we operate on everything from your own personal machine all the way up to the largest network defense devices on the planet, which is the A10 Thunder TPS. We work on firewalls, routers, switches, DNS servers. We work on all nameservers that support Response Policy Zones. Currently, that’s BIND, Infoblox, BlueCat, PowerDNS, Knot, and Unbound. We are the only DNS firewall that works natively (no software or appliance required) in Windows Active Directory Service, so you can actually use us to do your DNS filtering natively. We also work natively in AWS WAF and Azure (in the marketplaces).

In short, we allow you to use Threat Intelligence to protect your assets and users using whatever you have now, and whatever you will have, whether physical, virtual, cloud, or hybrid. Using IP and DNS data, automatically.

SD: What keeps you ahead of your competition?

TB: The big difference between us and all the other guys out there is there’s no software that you have to install in the device. We use what you already have in the network. Because it’s based on DNS, it works on what people already have and will have in the future because DNS is a key part of the fundamental plumbing for the entire Internet. And so we work on physical, virtual, and cloud. We already are in Azure as a template and we’re in the AWS store for our web application firewall managed rulesets. That’s what we’ve been doing during COVID. We take threat intelligence and operationalize it and that’s a really hard problem we’re helping companies solve.

SD: What verticals use your company services?

TB: Well, we have customers in all verticals, but where we found most traction has been in third-level education and healthcare, and that kind of makes sense. They’re both BYOD and IoT heavy environments. So they don’t control the endpoint in many cases. In third-level education, the students bring whatever they have, the professors do whatever they want. The same is also true in a hospital environment believe it or not, and in hospitals, a very large percentage of what’s on the network doesn’t even belong to the hospital.

A lot of the different specialties in a hospital are actually practices that rent space from the hospital and share revenue with them. The things like MRI and ultrasound machines actually belong to a different company—usually, someone like GE Healthcare—and you couldn’t put software on them if you wanted to because they’re certified to a level by the FDA for that use with a specific configuration. Making changes requires recertification. So the only place you can do the enforcement is in the network.

Those are the two verticals where we’ve had the most success. But really, where we have success is anybody who has a real need for automation and really wants to understand and use threat intelligence to proactively defend their network and their devices.

We have oil and gas pipeline companies because a lot of their what used to be private ISDN networks have been replaced with VPNs and needless to say, many of these places where these are deployed are remote. They are also a big target. Attackers are constantly attempting to get into these PLCs that control the valves or measure the flowrates on these pipelines or know what their power is.

SD: How would you say COVID-19 is changing the way we’re handling cybersecurity?

TB: First off, the attack surface has gotten much, much bigger. If you think about it now, everybody has the problem that a university has because everybody is working from a network that isn’t necessarily controlled by IT. So for those people that have been using our product, they’re using it in many more places. I think the other thing is it’s actually creating a lot of confusion. The information security market has got an awful lot of noise and a lot of snake oil and I think it’s a lot harder for people to figure out what to do.

The usual situation where you have really well-resourced companies that can do things really well and then everybody else is really trying to figure out what to do has morphed to where everyone is under-resourced. So I think it’s increased the number of people who have the kind of problem that we solve but it’s also made it much harder for people to figure out what to do. I think that it has accelerated, overnight, a trend that already existed towards way more of the BYOD stuff that isn’t really under the control of the IT department being actually used for business stuff. And so you’ve got to have some way to manage that.

About the Author
Aviva Zacks
Aviva Zacks
Cybersecurity Expert and Writer

About the Author

Aviva Zacks is a content manager, writer, editor, and really good baker. When she's not working, she enjoys reading on her porch swing with a cup of decaf.