Modern Cyber with Jeremy Snyder - Episode 66

Eldon Sprickerhoff of Caledon Ventures

In this episode of Modern Cyber, Jeremy talks with Eldon Sprickerhoff, co-founder of eSentire and now strategic advisor at Caledon Ventures.


Podcast Transcript

00:02

Welcome back to another episode of Modern Cyber. I am coming to you with a guest today who has a lot of wisdom, knowledge, and experience to share with us. So I'm super excited for today's conversation. Today, we get to talk to somebody who's done the whole journey from founding a company, growing a company, leaving a company, and all the lessons learned along the way in a very rapidly evolving space that is super important in today's modern cybersecurity landscape. I am delighted to be joined today by Eldon Sprickerhoff. Eldon is an acclaimed

00:31

entrepreneur, advisor, mentor, investor, and board member working at the intersection of information security, computer science, machine learning, SaaS, and finance. He's probably best known for co-founding eSentire, a leading global cybersecurity managed detection and response company. He has a bachelor of mathematics from the University of Waterloo. And in 2019, Eldon was awarded their J.W. Graham Medal in Computing and Innovation for his groundbreaking and entrepreneurial achievements in cybersecurity. In 2024, he was inducted into the Waterloo Region Entrepreneur Hall of Fame.

01:01

He currently works as a strategic advisor at Caledon Ventures. He's also the author of a book that we're going to talk about, time permitting, on today's episode. Eldon, thank you so much for taking the time to join us on Modern Cyber. Jeremy, my pleasure to be here today. Awesome, awesome. I want to talk through that journey because I know as we were kind of getting ready for today's episode, you said something to me that really kind of jumped out. And that is that, you know, in 20, I think 2001, I think you said when you started eSentire.

01:29

The idea that you had at the time was kind of crazy. Take us back to those early days. What was the initial concept? How did you guys get started? So right before starting eSentire I was working at a prime brokerage in New York, ING prime brokerage. It then was sold to ABN and sold to UBS. But what I'd been building there were security systems and techniques and methods to defend the prime brokerage itself.

01:59

and the hedge funds that were being hoteled there as well. So after the dot bomb, 9-11, I finished up that project, came home and started working on this with the idea of some kind of managed security services. I think at the time there was not a lot that was around there. It was sort of focused around alerts being sent out

02:27

for IDS, very, very lean data. And I sort of saw the idea that you could do more with sort of, coming from an incident response perspective, you could do more with more data. You shouldn't just rely on a single IDS alert that came out of this. The other thing is that at that time, hedge funds were just starting to get a little bit more sophisticated.

02:57

These were small financial entities that had all the issues that larger companies had, or a tier one banking had, but they didn't have the resources. And so what I ended up doing was sort of spinning up this idea as like, let's build an operation center where the tooling, the tools that would be available for an

03:27

in-person incident response team would be able to use these from a remote perspective. And not just send an alert if something was raised, to engage with the attacker. What could you do to, from forensic level data at the time we started, which was network traffic, but expand it from there. And just engage with the attacker and kick them out and keep them kicked out.

03:54

And that was sort of the early edge of the wedge that you could engage with the attacker. You just didn't have to, you know, send a message telling people there was an attack going on or some machine was infected. Yeah. That's really interesting. 'Cause one of the things you said about kind of, let's say the customer problem of it really resonates to me in the current modern landscape, which is, you think about organizations, they're, what you described is they're big enough that they've got all the problems

04:23

that you have as an organization with, let's say, some very valuable financial data that you're holding as one of your core assets, really. And yet you're small enough that you don't have the resources to kind of fully staff or run your own 24-7. And the thing to me that is kind of parallel is that I think tons of organizations, like literally tens of thousands of organizations around the world would fit that description today as we fast forward like 24 years since the founding of eSentire.

04:51

where, you know, A, lots of companies are digital nowadays that weren't 24 years ago. So they're holding digital assets like crazy. And B, the bar on what is a valuable target has just been lowered so dramatically. Like almost every company is a valuable target at this point. And I always tell people, just because you don't think that attackers are out to get you, first of all, they don't actually care that much. They kind of spray and pray across the internet. We see...

05:16

bot scanning happening across the entire internet. It's not necessarily the case that anybody's targeting you, they're targeting anyone. So like that I think is true. And then the second part of it that is still true is that, you know, tens of thousands of organizations still don't have the resources to run their own kind of security operation centers. So I'm really curious, as you kind of built this from that initial vision,

05:40

What was the initial reaction from customers? Was there hesitancy? Was there resistance? Or was this kind of like, no, this makes total sense day one? No, so it was not an easy, immediate sell, right? There's a certain amount of trust that goes along with it. And especially in the startup phase, not everybody has the same risk appetite to work with early stage companies. And so you have to figure out a delta or a vector.

06:08

to win people's trust over. The big thing that we, the approach that we took at the beginning was basically vulnerability assessments, which, it's sad to say, but at the time they were just sort of NMAP scans. That was the sort of the default in the industry, just NMAP scans. So what we ended up doing was doing the scanning from the outside, scanning from the inside and dropping a sensor, a network

06:38

sensor with a few NICs in it, looking at a bunch of different network traffic as it traversed and ran through a bunch of different tools. Some were open source, some that we'd written ourselves. And over the span of a couple of weeks, build up enough information to show that there were vulnerabilities and active attacks that were going on right now. And I think the service component moved.

07:07

We had people that if they saw something going on in the environment, they'd immediately let them know and try to shoot that down. And by the end of the engagement, pull the lever and the report came out and you walk through the report. And more often than not, the client would say, this is great. And you didn't make me wait two weeks to tell me that there was an infected machine. Can you leave that?

07:36

box right in there and I'll pay you a monthly charge. And that was that thing that got the trust. And so, you bend over backwards for those clients, especially the early clients, and they become your references and your best salespeople as well. And so it just sort of grew from there. Interesting. 'Cause I was just getting, getting past the trust, getting past the roadblock. Yeah. Yeah. But at the same time, like

08:05

you mentioned the services side of it, but the technology side of it was also really raw at the time, right? So if you think about, you mentioned at the beginning IDS being one of those things, and you've got kind of NMAP to kind of get some network topology and understanding about how the customer is structured and maybe segmented. Or I imagine, by the way, mostly not segmented at that time. You can correct me if I'm wrong, but that's my... Flat networks. Yeah, yeah, I figured like maybe a DMZ with a couple like, you know, with your website, if you were...

08:34

sophisticated quote unquote at the time, right? But you've got NMAP, you've got IDS, one or a couple of IDS tools, but you've got what? Like the very first versions of vulnerability management at this time and really kind of like nothing by way of, let's say, a backend, let's say data correlation engine or a SIEM or anything like that. So how did you guys kind of figure out what were going to be the core building blocks and how much of that

09:03

was stuff that you had to build versus stuff that you could partner or buy. So like early pieces of Snort, you know, of course, I was lucky enough to be, I think it was LISA in 1997, Large Installation System Administration conference, and Marty Roesch gave his first talk about Snort at that time. And I was in the audience and just immediately started using it, seeing what you could do to push things.

09:32

I think the, you know, and so there's a point where I said, like, you can't tell, you know, from a single IDS alert whether or not there's something good or bad or useful or not. So let's just start grabbing all the network traffic. So start, you know, just grabbing every packet that came off the NIC and...

09:57

and folding it in and then basically saying to the operations centers, like if something here is an indicator of concern or indicator of compromise, let's make it really easy to see what happened beforehand. Okay. So chain everything together. You can see that it flipped this, was it a false positive? So every indicator of concern could be investigated as though it wasn't a trap.

10:19

It was made that how, because I can't imagine there was tons in the way of, say, like, you know, quote unquote, ML powered heuristics or things like that at the time. So you were probably doing a lot of rules definitions. Lots of rule stuff, like the bandwidth pieces, just unusual IP addresses, really like the dark ages of investigations. And but just trying to tie that all together as possible. You know, there were things that were, you know, bandwidth was not as high

10:49

then. So you didn't have to worry about crazy amounts of data again, but you can hone the techniques that worked. And as bandwidth got better and cheaper, you can sort of scale on those pieces as well. It was again, very early days. Can do just very early, like nothing close to what we have now, but stats as to AS numbers, some sort of unusual things we've seen before.

11:19

Yeah, basically folding in asymmetric, bi-directional reset packets to shut down bad behavior, isolate machines and things like this. So, you know, every module that we built up sort of built on the trust place that we had within the company, you know, and again, remember most traffic was not end-to-end encrypted at that time. So you could do a lot of investigation if you had access to all of that data

11:48

as well. Yeah. Yeah. I'm just thinking through like some of the things you're talking about. And, you know, I was also administering networks around that same timeframe. And I'm just remembering some of the challenges that I had to deal with. And, you know, certainly like firewall rules were a huge thing, but I'm also just thinking about like, what were my defenses and what could have been responses at that time? And I'm just thinking like best case scenario. Okay, great. Like on the one hand, IP addresses are pretty fixed at that point in time on the internet, right? Like

12:18

You couldn't rotate through elastic IPs as an attacker and you couldn't bounce all over with Tor or even with VPNs or whatnot, right? Like your IP address was your IP address. Maybe you had one relay point if you had a compromised machine somewhere else that you could literally like virtual desktop into and launch your attacks from there. But then you're just affiliated with one more IP address. And so your rules engine or whatever catches it. You grab the IP address, you chuck that into a block list on your firewall.

12:48

What else were you really able to do for customers at the time besides telling them, these are the behaviors that we're seeing and these are the vulnerabilities that we know about on your network? What else did the service really consist of at this point in time? Pretty raw early days, right? Very raw, right. That was, so part of it would be everything you could pull from sort of data, so network data as well,

13:16

this new machine came on that you didn't know about. We had a section where you could, depending on what was in the sensor, look for rogue networks that were in your environment. We put a lot into that box just looking for what other things could we find that were interesting. You'd see situations where

13:45

you know, people that were in inappropriate behavior. So people weren't necessarily, they're using proxies or going to Facebook and it were, or this kind of thing as well. So this is still before Palo and, you know, the other sort of next gen firewalls came in. So we're doing a lot of that, some heavy lifting as well. There was some stuff we were doing with, you know, man-in-the-middle. Encryption decryption pieces as well. So.

14:15

We just sort of pushed as much as you could before the NG firewalls with ASICs came in to do a lot of that heavy lifting as well. Gotcha. Gotcha. That, you know, there were cases where, you know, because you had all this network traffic, there'd be, you know, something blew up on the network, like an overnight piece. You know, we could say, okay, let's take a look at that conversation. You know, there's one case where somebody's doing an upstream data transfer.

14:44

And it died suddenly because they're uploading their data overnight and it died. It kept dying. You just play that whole, that's a back side. We'll look at it, it died right at the two hour mark. What's your TCP timeout? Yeah. It changed that. In fact it had never, would always manage to just be under two hours. And the moment it goes beyond that. Right. So there's network functionality that you could do as well. And there's, you know, inappropriate internal behavior where, you know, somebody is sending

15:13

you cash notes to an employee that shouldn't be right. Like, because you have all that traffic, if they did it on the network, you could play it back. So it was just kind of a, you know, sort of, we didn't have a lot of reference points, or people to ask, what would you do? It's the Wild West. We're just figuring it out ourselves as you go. Yeah, yeah, there's all this, we don't know all the use cases that

15:41

this could be useful for, but we have all this data and we keep it for a couple of weeks, whatever the sensor could hold and just sort of, we'll figure out what goes, what could be used with all this transparent open data. Yeah, yeah, awesome. Fast forward us a little bit. I imagine that that was the first, however many years it was as you were kind of, as we just said, learning your way into helping customers through managing all these problems.

16:11

I'm sure a ton of TCP/IP. I'm sure all of your engineers spent way more hours cursing at DNS and route tables and things like that than most of our audience will even be super familiar with given like, you know, in the age of cloud, I always tell people like, you have no idea how easy you have it nowadays, right? Like, you know, first of all, you've never cut your fingers on rack mounting a server or a firewall probably.

16:36

But second, like, oh my gosh, I mean, the headaches and the heartaches of troubleshooting TCP/IP. There is, by the way, like a ton of value that I think you learn from the whole troubleshooting process, from learning to kind of think systematically, well, if it's not this, then what is it? And to your point, like, when do you arrive at the point, well, oh, this is a TCP type, a timeout window issue, right? Like you go through a lot of troubleshooting before you realize that that's the cause of your problem.

17:06

But fast forward us a little bit, you know, after those first couple of years, when things were starting to click and starting to work, first of all, what were you calling your service at that time? 'Cause I don't think MDR was really like an established term. It was not. And we struggle with this. You can't define yourself. And so the other difficulty here is, you know, I'm a pure technical, technical person. We didn't have any real marketing. I was sort of,

17:36

You know, co-founder, I had the sales hat on. We didn't have a marketing function. Didn't even really know what to call ourselves. And so, you know, we would go up against, you know, the early days, SecureWorks. Right. And it was like MSSP, but you know, even then it was, you know, it was like, they would manage your firewall. They would manage your VPN. They maybe would manage your antivirus. And they would send you an alert if something came up and.

18:04

You know, I knew their tech stack really well. I sort of considered them sort of the McDonald's, right? They just had a huge footprint and they didn't really extend beyond that. But we would go head to head with them and say, we're actually showing what's going on. It would be like, you have this fire department and if you have a fire in your house, the fire department would call you and tell you about a fire.

18:34

rather than like, you want somebody to come here and fight the fire. That's what we're doing. And so we had a lot of collaborative threat management, micro incident response. And, you know, we struggled with that messaging and there was, the turning point was we had a, you know, a Gartner analyst came in and, you know, sat down with us for an hour on site. We gave them our story, we're about 45 minutes into the conversation and

19:04

And he said, yeah, we see you as being in the MSSP category as well. Yeah. So here's like my internal talk to her is like, you haven't heard. But we've been talking about the last 45 minutes. It's like, OK, what we're trying to do is we're engaging with the attacker that made it through everything you had in place, whether it was firewall, antivirus, we're kicking them out. And that sort of got him into a start.

19:31

And so we talked about those tactics with the interlaced, you know, reset packets and changes to the firewall. And, you know, by that time we had some SIEM capabilities, like there wasn't really much in the way of SIEMs. We built our own and had it sort of cross-correlating with the data off the network piece and so on. And so, you know, basically a couple of months later, you know, like he went away and a couple of months later, you know, Gartner came out with that MDR definition.

20:00

And there were four or five companies that were on that list. And so it was like, that's, and it was, we saw it was like, yeah, manage, that is it. And not just from a network piece, not just from an endpoint piece, from all these different vectors, whatever your horizon covers, we're going to engage. Not just sending an alert. We're going to engage. We see other, if I see an attack on one client, I'm going to extend an umbrella across all the client base.

20:30

The quicker we do that, it's bigger for the client. It's good for us. We don't have to fight multiple fronts. And that's sort of where that thing came up. It was no Gartner. You know, I don't know if that analyst got a bump for coming up with that phrasing. Yeah. But I, you know, and so there's been some people that said, whatever the Godfather or the founder, it's like, you know, it was just a very good idea. Yeah.

20:56

We didn't know what to call it. We barely spun up sort of marketing by that time and doing outreach with Gartner and Forrester and those other analyst firms. What time frame are we talking about here when this was finally kind of coined as a term? Oh.

21:16

I would have to go back and look. I'd have to go back at least nine, 10 years after we started. Okay. Okay. Yeah. Yeah. So for nine, 10 years, you're kind of growing primarily through word of mouth or through what? Yeah. You know, I hired a couple of salespeople and I have stories about that that were not great. Sure. Yeah. And I did a lot of the sales myself, right? So, you know, where I was lucky is the prime brokerage that I worked for.

21:46

After I left, the, so that one of the jobs of prime brokers is to hotel small hedge funds and give them a place to work and do their trades and soft dollar benefits. And when they're big enough, they spin out on their own. And the hedge funds that spun out, they would look for CTOs and they would end up basically taking the people that I worked with on that team. OK, so I had this network that knew what

22:15

I was capable of. It's just perfect timing. The zeitgeist, you know, and they had these problems. They knew I could help solve them. We've worked together before. I wasn't going to rip them off. I was not going to lie. And we could grow together. And that's basically where it started. Then, so I was the sort of the first order. We sort of call those groups the elders of Eldon is what they're referred to as, the first, the true believers and willing to take a risk on a startup in the early days.

22:45

And then there's the second order ones, which had heard what was going on. And again, we kept building our, polishing our, honing our tools. We figured out on what you had like pushing the limits of what the hardware could do. Like how do you pull traffic off a NIC as efficiently as possible? And so built up a lot of the first sort of circular queues to pull up data so you don't have packet loss, but too many processes

23:15

all at the same time. We had a researcher who created this thing called Regal, which was this completely new language to do deep packet inspection that didn't exist at the time. So different modules to do deep packet inspection to reassemble network streams and do analysis based on that. Just came up with

23:43

You know, all of these different sort of techniques as needed. There's one that I remember going to a conference and someone was talking about whitelisting, because it was the sort of the Bit9 days with those early whitelisting pieces. But at this moment, like because we had this deep packet inspection engine that had, you know, you could pull together URIs.

24:13

And you can, and then we had, so we can pull fully qualified domain names. And, you know, as I was driving home from the conference, it was like we have these different modules and we could come up with, and because we've been grabbing all this data, you can analyze what the traffic looks like. Yeah, we could come up with a white list of acceptable EXEs and then basically pulled it together so that the

24:43

deep packet inspection module that pulled URIs fed it to the fully qualified domain name. If it wasn't on the white list that we updated for each client, it would send a reset packet. And when the person redirected within the browser, we do a redirect. So they had to do a password to permit that download. And this was the time where executables were just being downloaded, malicious executables were being downloaded like crazy. So

25:11

There was no defense against it. The antivirus was just terrible. And this is one thing that just over the course of three weeks came up, or three days basically came up with an early model of this product that would kill all non-whitelisted EXEs because we had months and months worth of experience. And this overnight stopped people from having to rebuild machines.

25:37

And nobody else had it. Right. I ended up calling it the EXE Cutioner. Right. Yep. And it was just, was something that just didn't exist. And now it's sort of old hat because of next gen firewalls, but none of that existed back then. And that, you know, when clients, you know, they're complaining on the message board, like other people were complaining, I got hit again, you know, to my users, I had to rebuild from scratch. And this is what we're using. We used eSentire. We've had no problem. We have not had to rebuild a machine in months.

26:07

And just was that next phase of sort of scale up pieces. Okay. Interesting. Along the way, I'm curious, was there at some point like an inflection point where you were kind of like going and growing, but at, let's say like a reasonable kind of more conservative rate, and then all of a sudden things took off? Or is this more a case of your classic like 10 year plus overnight success? So both.

26:36

Okay. And so what basically happened is the, like with the, you know, the December, I can't remember the year, but it was Target got hit, right. And the SEC came out in sort of April of that year, March or April of that year. And they released these 28 questions that were going to be part of investigations for hedge funds and alternative investment manager firms and finance firms. And of these sort of 28

27:06

questions, cybersecurity questions, we could answer 24 of them basically. And that just opened the throttle that suddenly, here was the easy one throat to choke that answered 24 of 28 questions that the world's biggest compliance regime was that you had to follow, we're going to answer. Then even if you hadn't registered directly with the SEC,

27:34

Invest like due diligence teams for investment funds would come in and ask you those questions as well. Yeah. So that was just, that was, I could not have asked for a better sort of marketing pitch that changed the trajectory because it just exploded within a week. It just exploded. We had lightning in a bottle that everyone wanted. Yeah. Yeah. And how have you seen from that point? Like how have you seen the space evolve?

28:05

Yeah, so again, at the beginning, people just wanted it taken care of, right? It's like, here, just you take care of it. And now everyone wants to have insight and hands on in their own tooling, everything as well. It's very much, you know, I trust you, but I need to verify myself. And I want to be able to have my own people also looking at this. Where you

28:32

This is not just in sort of small and mid-size companies. We found that one of the big pushes now is, even if you're large enterprise level, you may not want your tier one, two people to be employees, but you'll keep the tier three and the incident handlers to go after, to investigate as well. You'll outsource to an MDR company the first couple of tiers and then

29:02

but have your own team also have access to the tooling and be able to participate in incidents and perform independent investigations if there was, say, an internal employee concern or things like that that you didn't necessarily want to give to the third party. Gotcha, gotcha. And so it's almost like there's a little bit more of a kind of separation of duties between, let's say, like your MDR provider is kind of like tier one, triage, initial incident response, data gathering,

29:32

but then we've got an internal team that's a little bit more for, let's say, specialized investigations or strategic initiatives and that kind of thing. Yeah, exactly. It's just sort of, you know, co-programming, pair programming, it's sort of paired security. And it's funny because the earliest definition we used was collaborative threat management. And so we're kind of back into that. That is what I named it, right? It is truly collaborative and treating every possible...

30:02

concern indicator as a possible incident. Let's just investigate it and dig down. But the tooling is co-managed now. Makes sense. So I want to come back to your personal journey. When did you decide that it was time to step aside and what kind of led you to that decision? So we're sort of holding in on the 21 years with the company. That's a lot, right? 21 year career in anything, especially from

30:31

from the earliest days, you know, I said it was my baby. You know, I still love my baby. When your baby can drink legally, you shouldn't have to be a helicopter parent. And so that was sort of my way of thinking. You know, step back from the day to day. You know, we'd gone through a couple of raises, fundraising, very good team in place. I had no qualms about leaving it

31:01

into better hands. And I just said I had more gas in the tank and I felt that I'd probably done everything that I could to help push the company forward. It was time to try a few other things and other gas in the tank and, you know, I want to work with a bunch of other startups. I'd spent the last two years before that, part time working at a couple of accelerators, cybersecurity focused accelerators. And so got a kick out of that. And so

31:29

Just the timing was great. We just closed a large round that had the unicorn moniker that was attached to it. So it felt like it was the right time to step back and let somebody else run with the day-to-day operations and the big part. By the way, I think in Canada, your baby was able to drink three years prior, right?

31:57

Yeah, so 19. But 19 you can drink. Yeah, 21 you drink in the States. So that was it. Certainly it was like I didn't feel like I was letting anybody down. I didn't feel like I owed anyone more time. Right. And just to get a, talk to us a little bit about your book. I assume the book has some of these experiences that you've just talked through as

32:26

kind of part of the core narrative, but what else is in there? Sure. So, I think I mentioned that I've been working with this accelerator with cybersecurity startups and they would bring in every quarter a cohort of early stage companies, you know, so eight or nine cybersecurity companies, all super early stage. And, you know, what I discovered very soon is that, you know, so, you know, when I started, you know,

32:55

pure technical person, like not a whit of business acumen. I've consulted before, I knew what it took to grind and I'm very competitive and I'm that dog that will never give up the toy. Right. And so just insane grit. Like, I would not want to come up against me in a competition. But what I just get when I started, there was no Y Combinator. There was no YouTube.

33:25

And so the things that I had to learn for startups and business, it was all just hard, in the arena, hard-learned fights. And so what I discovered though is now we've got YC and there's any number of people speaking on startups, that these startups that were coming through at the beginning of the accelerator, they were making all the same mistakes that I did.

33:52

And they, you know, and so when I ended up doing, you know, like, so every pitch deck started off with here's the company name. Cybersecurity is a, you know, 25 ding dong dillion dollar problem. Right. We solve cybersecurity. Here's our team. Here's our advisors. We're raising money. Any questions? And that was right. And so you've, you're, even though there are reams of advice

34:21

from YC and founders and Bessemer, KPIs and everything that you'd hoped for, they were still missing it. So I started putting together this sort of FAQ over, this is what you probably need to know about starting a company. This is probably what you need to know about funding. And so as a core mentor, you'd be given one company and you meet every week, you get deep into their...

34:51

their issues. I'm very empathetic, again, I've got a soft spot for founders or anyone who's taking that risk. I think when we first met you, you had a BSides New York. Yeah. No, serial. Right. Entrepreneur, startup. And it's like, why would you want to do that? Like a glutton for fun? But you learn things each time around. Right. What you would do. And so

35:19

I just want to be very explicit about the mistakes I made, you know, what you need to do, from founder-led sales, when to raise money, when you shouldn't raise money, how to be very attractive to employees. You know, how do you deal with stress? How do you deal with success? Those were early startup pieces for tech people starting a business but who have no business acumen. And basically, here are the traps.

35:48

Here's how I managed to sidestep all these things. The expectations of salespeople, KPIs, what are investors looking for? How do you make your first sale? How do you do pricing? And so I was building this FAQ and then I discovered I had 50, 55 or 60,000 words. So, well, I guess there's a book there. So instead of having to do it one-on-one, this sort of can increase my reach,

36:17

just putting it out there. And so that's sort of where it started. It was just sort of, I mean, very open and transparent and honest about what that road is like, because it's not easy, no part of it is easy. And we're so attuned to good news that you'll see in different sources.

36:47

You know, they raised this much. You never really see what's going on behind the scenes. You never get the stories about the founders, right? You know, started a company, billion dollar deal, but they end up with nothing because the cap table was offside, in their favor... outside of their favor. You never get all that messaging. And so it was, you know, I'm going to be very transparent about the mistakes I made, what I would do if I were doing it over again. And

37:17

you know, what it takes to succeed. Why do you, and what does stress look like? How do you deal with stress? So it's super transparent. And I said, look, you're going to make mistakes. Don't make the same ones I made. If you do make the same mistakes I made, just recover faster and be a mistake innovator. Yeah. Yeah. Mistake innovator. Love it. Love it. And I guess the other thing I said was like, I worked on this.

37:47

The chief survival officer was the main thrust of it. It was like, everything you need to do is to help your baby survive. And you should assume that it's going to be an easy route. Let's just focus on that. It's unlikely your baby is going to survive. Most startups don't. So just don't half-ass it. That's why it was called... I came up with the title, Committed. Committed because...

38:16

Yes, you have to be committed to your craft or your baby, but everyone who starts a company is a little bit crazy. Yeah. And so, committed. All right. And I talk about balancing mental health with the stress of the job as well. So I think that note on mental health is super valid, and it's funny, you know, there's a lot of talk about mental health in the cybersecurity community kind of as a whole, especially when you kind of factor in how a lot of cybersecurity jobs are

38:45

kind of a grind, like, day to day. And, you know, you don't get a lot of thanks and kudos and praise when everything's just working. But then when things do go bad, then you get a ton of stress and you get a ton of blame. And I think that's not necessarily a great dynamic for a lot of people working in this field. But then, you know, the mental health aspect of being a founder and balancing your own mental health, I think, is also,

39:12

you know, it's a different kind of stress. Maybe it's not that same kind of operational day to day, or maybe in some cases it is, but it's a little bit of a different set of concerns that I think you do need to balance, but it is so important. It's very easy. I've seen lots of founders really struggle with everything from not being able to sleep to, you know, making terrible personal decisions that were motivated by stresses they were experiencing in their work life. So it's definitely something to bear in mind. You know, and you're also

39:41

responsible for the livelihood of so many people. Yeah. Right. So it's not just your family. You know, you get very close with these people you're working with while you're in the flames, in the fight, and you cannot always share all the stresses of founderhood, right? Because they have different risk appetites

40:10

than you do. And I think if they knew what all the risks and stresses were, they would immediately start looking for another job. Yeah. And so there's a lot you have to hold back and internalize, you know, whether or not you come close enough, you'll make payroll that week, or they get paid before you do, and all of those things. And, you know, people's personal lives get affected.

40:40

Right. Like, I know of founders in cybersecurity that, given these issues, ultimately, you know, committed suicide. And that's about as bad as it gets. But there, you know, there it is. I thought it was really important to talk about, be very frank about, some of those aspects of stress and how you have to figure out ways to deal with them and not just

41:09

Yeah, absolutely. We're coming up on time on today's episode and I wanted to just get a couple of final questions in. Talk to us about what you're doing now at Caledon Ventures. So Caledon Ventures is my own little advisory investment firm, working with several cybersecurity companies, looking at doing advisory pieces, small investment pieces,

41:38

go-to-market approach, capital introduction and so on. It just fits very well with what I want to do, given I have this sort of rare luxury of only doing what I want to do these days. And part of the beauty of meeting with all these different companies from the accelerator, I can sort of pick and choose as to what I think, where I can be the most useful.

42:07

Quasi-retired. I've discovered that it's not just good to be busy, but you have to be useful. When I'm doing the work, I try to figure out how I can be most useful to the people where I can see I can be helpful. Awesome. Last question for today. We made it 40-some minutes in without talking AI, but we have to.

42:32

Yes. How do you think AI is changing MDR and going to change it, in as concise a form as you can give, in let's call it two minutes? So look, this AI thing looks like it has some legs. I think so. I think, you know, it's a ripe opportunity for AI, ML, whatever you want to call it. I've got a background in mathematics, computer science, you know.

43:03

I jokingly would call ML in the earliest days sort of fancy stats, right? I never thought that, when I was taking the linear programming courses, they would come into use. But here we are. And so, you know, there's so much data that's available. Like, we spun up our first model in 2016 or 2017, just looking, because there's a point where you just can't throw more people.

43:34

And so that was the first ML model that we spun up at eSentire, like 2016 or 2017. And it's the perfect situation where, you know, it has to be cost effective, right? In the old days, we didn't necessarily need it because we could get away with static regular expressions and pattern matching and things like that. But now we've got this perfect storm of, like, so much data that

44:03

there's no way to survive with your head above the water without using some kind of ML techniques. And so what's really interesting from the MDR perspective, there's so much that you can do if you have the right data, if you've been collecting the right data. So you can check the efficacy of tier one analysts, tier two analysts. You can, you know,

44:30

profile every investigation that's been done historically and build up workflows. And so you can start to take some of the heavy lifting off those early investigations. You know, using LLMs, you can query, using just English language, what's going on with investigations. Again, just the amount of data that you have access to.

44:58

And it just comes to the case of, what's the best, most cost-effective use of the data that I have that can be magnified, take the workload off of people. Yeah. Yeah. And then so there's, you know, at least a couple of dozen AI SOC startups. You know, I saw a couple at BSides New York last year. Right. And, you know, I think every

45:28

Every MDR provider needs to have some game right now. If you're not doing it right now, you're already far behind. Yeah, you know, it's here to stay ultimately. MDR ultimately is kind of a data problem, right? Absolutely, absolutely. And that's like the gap that I see right now with these startups is they don't necessarily have

45:54

a wide array of data. So they may have one or two sources, and the real world is messy. And so if you've got access to that data, you can build realistic models that aren't subject to, they're pretty resilient given unusual data. I've seen some early cases where if the timestamp is different, the data is the same, but the timestamp is different, so

46:23

the workflows that are generated are different. And that's not the consistency that can be acceptable at this point. But it's seen a lot. So it's not going away. It absolutely needs to be part of the conversation going forward. Awesome. Awesome. Well, Eldon Sprickerhoff, we could go on for hours, but I'm afraid that's all we have time for today on this episode. Thank you so much for taking the time to join us on Modern Cyber. We're going to have your book linked from the show notes as well as Caledon Ventures on LinkedIn.

46:52

For anybody who wants to reach out to you, what's the best way for them to do that? You know, LinkedIn is probably the best way. There's not a lot of Eldon Sprickerhoffs on LinkedIn. So it's pretty easy to find you, I guess. It should be fairly easy to find me unless there's some shadow puppets coming up after this. I guess that's kind of a low bar to set. Like, you know, if you can't find Eldon Sprickerhoff, then maybe you need to keep trying a little bit harder and get a little bit more committed, pun intended, to the cause. Oh, that's a hell of a way to end the show, Jeremy.

47:22

We'll leave it there on that terrible pun, but Eldon, thank you so much for taking the time to join us. To our audience, we will talk to you next time on the next episode of Modern Cyber. Bye-bye. Thank you.
