Interview With Vivek Ramachandran - Founder at SquareX

Published on: February 8, 2024
Shauli Zacks

Vivek Ramachandran is a serial entrepreneur, author, and cyber security professional with over 2 decades of experience. He is currently the founder of SquareX, a browser-based cyber security solution for consumers, which has earned over 100k users globally in less than 6 months and received seed funding from Sequoia Capital Southeast Asia in May 2023.

In a recent interview with SafetyDetectives, he shared a bit about his background and journey that led to the establishment of SquareX. With a passion for offensive tactics, Ramachandran has an impressive track record of discovering vulnerabilities and contributing significantly to the field. Drawing from his entrepreneurial ventures, including Pentester Academy, he identified a gap in secure browsing solutions, leading to the inception of SquareX. 

Can you introduce yourself and share a bit about your background and journey that led you to establish SquareX?

My name is Vivek Ramachandran. I’ve been in the cybersecurity space for over 25 years, with 13 of those as an entrepreneur. I started off as a programmer, worked at Layer to Security, Cisco Systems, and a bunch of other companies and startups. I realized that I loved offensive more than defensive, so I started finding vulnerabilities. I’ve discovered a couple of first-in-the-world vulnerabilities, like the Caffe Latte attack. I’ve broken WEP cloaking, authored a bunch of books in wireless security, which are five-star rated on Amazon. I received awards, most recently from Microsoft, where I’m one of their regional directors in cybersecurity. It’s an honorary position given to only 80 or 90 people worldwide in different fields.

Before starting SquareX, I was the founder of Pentester Academy, acquired by INE in 2021. We had thousands of students from over 200 countries; Fortune 500 companies, government agencies, the US DOD, Air Force, were all our customers. Before that, I was building out Wi-Fi monitoring systems, which I sold to Fortune 500 companies and many others.

After exiting my previous company, I decided to start SquareX. Because Pentester Academy was into red teaming, offensive attack simulation, and all that stuff, I had a unique vantage point on how attackers were breaking into end-user systems, both on the consumer side and the enterprise side.

I’ve taken all of that learning and figured if you look at the enterprise, primarily secure web gateways are what are used to help with safe browsing. Now, web apps and everything have gotten so complicated that, unfortunately, without having a browser-native security component, it’s easy for attackers to break through SWGs. That’s really what SquareX is doing, building a secure browsing solution that will run entirely in the browser across pretty much every browser.

What do you see as the biggest cybersecurity challenges that everyday users face today?

Unfortunately, everyday users do not fully understand cybersecurity, and the messages from cybersecurity solutions are even more cryptic, adding to the confusion. That’s where cybersecurity products have always gotten in the way of productivity. The moment your antivirus or cloud security solution lights up, it’s probably blocking access to a file or a website, or something that gets in the way of work. Because of this, users tend to disable them or use side channels: if something doesn’t open on their office laptop, they try to open it on their phone.

I think the greatest challenge is that there is a massive disconnect in how users want to be treated by cybersecurity solutions versus how cybersecurity solutions are being designed for end users. Today they are either too strict in their application of policies or too lenient, both affecting the user’s security and experience.

The idea of opening potentially risky files or websites without fear of malware, phishing attacks, or data breaches is intriguing. Can you elaborate on how SquareX achieves this level of security for its users?

The key motivation for doing this is if you never get in the way of a user’s work, his productivity, and there is very little reason for him to really get frustrated with the tool as a solution, then there is a very high chance that user uses the solution and stays protected.

That’s why SquareX’s motivation was, can we use user experience as a North Star while keeping him secure? The fundamental innovation we did was sandboxing in the cloud as well as local sandboxing, as much as browser technology allows today. When you try to open up a file or a possibly malicious website with SquareX, we create these tight sandboxes in the cloud, one dedicated per user. So that way, you know, you are all multi-tenanted. There is absolutely no way that data leakage can happen between users, hence it allows for reasonable isolation and enables users to open up malicious documents without fearing that there could be an infection.

These sandboxes are pretty watertight based on Linux containers with a lot of custom modifications done from our side. Even if the worst that can happen is that the container can get junk, an attacker could go ahead and pollute it. But the moment the user disposes of it, or he’s done with viewing whatever he was doing, that entire container and all the bad code running in memory or on disk get wiped out permanently.

The disposal of the environment to wipe away all traces of user activity is a unique feature. How does SquareX strike a balance between user convenience and thorough data erasure for privacy preservation?

Our technology is good to use when the user is nervous, afraid, or probably feels that something is genuinely suspicious for him to view. This isn’t like Google Drive or Microsoft OneDrive where you can store data for long-term purposes and keep viewing it. There’s a trade-off of convenience for security. Ideally, where users should end up using what we’ve given is when they receive documents from unknown senders or when they’re clicking on websites, which probably makes them a little nervous. That’s really where the balancing act hopefully works out in the user’s favor. We of course do not retain any logs on what the user opens within our cloud environments, so even if the user wanted us to reinitiate his session once disposed, we wouldn’t be able to help them.

Reflecting on your experiences, what trends do you observe in the current landscape of endpoint security that people should be aware of?

So, I think endpoint security is fundamentally evolving because of hybrid work.

Okay. And that’s really where now, you know, users sitting at home are probably using the same office laptop for personal work and vice versa, a personal laptop for office work. Additionally, regulation has started to become more strict. And what I mean by that is, in the European Union, and even now, California and many other states are starting to mandate that organizations cannot have extremely broad monitoring happening on user devices. Where, let’s say, an organization should not monitor your personal activities that you’re doing on Gmail. Even if you’re on your office laptop.

This is a very, very big change because if you think about endpoint security products, they have no way to differentiate between your work versus your personal workloads on the same computer. A simple example, an endpoint security solution. When you download a file from the internet, all it’ll show is a file was downloaded using Chrome. It does not differentiate between this came from your personal Gmail versus this came from your office’s Outlook.

I feel like many of these things will fundamentally change how endpoint security systems will have to work.

The other big thing is privacy first. No organization likes the fact that today a lot of endpoint security, as well as cloud security solutions, may ship their users’ files and documents to their servers to do all of those checks. There could be so many malicious third-party attacks, insider attacks, which could happen at the cloud provider. We’ve all heard about how Facebook employees were even viewing Messenger messages of people they knew.

So I think, in a nutshell, the next generation of endpoint security will have to operate in a privacy-safe way, and has to be regulatory compliant where it can differentiate between personal work versus office work. At the very same time, accommodate for hybrid use of the device or a device which is put to hybrid use.

About the Author

Shauli Zacks is a tech enthusiast who has reviewed and compared hundreds of programs in multiple niches, including cybersecurity, office and productivity tools, and parental control apps. He enjoys researching and understanding what features are important to the people using these tools.