On the Record with James Dirksen, CEO of DeepSurface

Hometown: Born in Long Beach, CA, but mostly grew up in Modesto, CA

Hobbies: I have 6 children, and I spend a lot of time with them and my grandchildren. We are very active, and we like skiing, hiking, and scuba diving.

3 words to describe you: tenacious, medium-smart, coach.

What was your childhood like and how do you think that shaped who you are today?

I grew up kind of “feral” and unsupervised in a farming community in central California—by age 11, I was already riding my motorcycle on my own to the market! 

In 1982, at the height of the Cold War, my father was called up from reserves to active duty, and we moved to Germany. It was a big change for me to go from a farming community in California to a big city in Cold War Germany, but it provided tremendous experiences. I learned German and was traveling on my own at a young age. After 4 years in Germany, we moved back to California, and I finished high school in LA. I then went to college at Cal State Fullerton and Point Loma in San Diego. I received my degrees in biology and chemistry, which I have literally never used, except for my angel investing in biotech startups—they say you’re supposed to invest in what you know!

You say you never used your degrees in biochem—so what did you do after graduating from college? 

My plan was to get a job using my biochemistry degree, but a friend actually offered me a job at the Pentagon building war rooms. They were physically building out the war rooms, and they were a team of engineers who did not know how to manage contractors. The job requirements were pretty low—I got the job because I had a degree and knew how to use a hammer.

On my first day of this new job, I was told that I was also going to be the network administrator for the new war room and several others. And, I said, “That’s great…what’s a network administrator?” They handed me a stack of books for a popular networking system called NetWare, bought me a computer, and that’s basically how I got into networking. Within a few weeks, the internet exploded in DoD use, and suddenly we needed to figure out how to get everything safely connected to the internet. We were really thrown in headfirst.

Being thrown into all of these new tasks probably prepared you well for entrepreneurship! How did you then move from government work to startups?

Yes—I was ill-equipped for both of those jobs but jumped in and learned quickly! 

About four years after I started my job in DC, my wife and I decided to move to Portland, where she was from, to raise our kids. My first job here in Portland was at Intel, and I realized that I didn’t like working for such a giant company, so I quickly moved to an Intel spin-off company and then eventually started joining startups. 

The whole time I was in the security space and doing consulting on the side—helping people install and configure firewalls, VPNs, and things like that. In 2003 I had the chance to buy a startup that had failed in the dot com crash. Over the next 7 years, my partner and I grew that company from 5 to 55 people and ended up selling it to Symantec. That was a great learning experience. I like to say that I got my MBA by running a company for seven years, and then exiting to Symantec.

How did this all turn into DeepSurface?

I had already worked with Tim Morgan, our CTO, and had grown to appreciate him as one of the best application security and pen testers on the West Coast. About five and a half years ago, he came to me and said “Vulnerability management is broken—we're still using the same tools and techniques that we were 15 years ago. The only exciting thing that's come along in that whole time is some pretty good threat feeds, but everybody is still approaching the problem wrong and spending most of their time on things that don't actually help their risk position. And I can prove it every time.” 

In his security consulting practice he would go in and show people that the measures they’d put in place didn’t address risk, and he’d tell them what to do instead. Tim would then create a report for them using software tools that he was creating along the way. Those were the sparks that led to our product. Tim had the idea to take all these tools, combine them into a platform, and extend them into something that could check all the conditionality of hosts every day, and then stitch together vulnerabilities to show risk. But instead of doing it one time for one customer, he could let the customer do it for himself. That was the beginning of DeepSurface. 

We started with a few Chief Information Security Officers (CISOs) Tim and I knew here in Portland, who implemented the Beta product Tim wrote on his own. It went well, and we started charging for the betas because it was already showing a lot of value, so we had almost $100,000 in revenue still in the Beta phase. At that point things got rolling—we raised a pre-seed round, brought on another 8+ customers, and all of our Beta customers converted to GA customers—and by the end of that year we were at about $400k ARR.

That’s amazing. On the topic of counting vulnerabilities, can you talk a bit about the significance of chaining vulnerabilities?

Sure. Basically, most every hack is a “privilege escalation”, and that's what the hacker is after over and over until he finally captures something valuable and exfiltrates it. Let's say you have a network, and you have a vulnerability on a workstation. It might be a really minor vulnerability, but people click on things, and someone eventually clicks on a phishing link. So then the hacker gets a very low-privileged account on that workstation machine. 

That’s useless by itself, but now the hacker might be able to start doing surveillance from that machine to another machine on their subnet or find another vulnerability on the same device. Another vulnerability on that same device may allow you to move up privileges or become a member of a privileged group. Now you are a member of the group, and you would look around again and say, “if I'm a member of a group, can I get to a system account either on that machine or another machine to find another privilege escalation?”

Suddenly, the hacker, now “root” or “system” on that host, can pull credentials out of memory from a network administrator who drops by one day. Now remember, we really haven't even left the user subnet yet! All this happens on or close to a user host. But now we have an administrator account on the network by chaining a few simple vulnerabilities together.

To represent this in graph theory, we call it a directed graph—they're going from one privilege level to another and one host to another. With all that privilege they can go “walk around” and see what else they can find without having to break into anything else—no more hacking required. Now they are just moving around your network and headed for sensitive assets that are fully patched and secured, but they are easy prey for the attacker now as they have gained access and credentials. You can’t secure those critical assets from someone who has access and credentials.

And how does DeepSurface solve this problem of chaining vulnerabilities?

Traditionally, what people have done is patch all of the criticals on their sensitive assets (their databases). But, what I just described would completely circumvent that, because the hacker isn’t breaking into a critical asset, he’s just logging into it. That is the big insight that you need to understand when you're thinking about hackers. They take their time. They think about privilege escalation—they're not attacking your crown jewels, they're just logging into them.

The current tools addressing risk are things like threat feeds and vulnerability scanners, and while those things are great, they don't take into account context. These days, if people are running a mature vulnerability management program, they have to take into account context, such as users, permissions, network privileges, etc., and figure out if a vulnerability is actually exploitable. Then the defenders have to do that on each machine. But most people don't even go to that level—they just identify the criticals and highs according to the vuln scanner and fix them within a certain number of days.

But that really isn't reducing the most risk, and most people have given up on the ability to do the analysis—they've moved to sorting by the CVSS (common vulnerability scoring system) score, which isn't really a risk score. In fact, when we inquired how CISOs were doing the analysis and prioritization of vulnerabilities and if they thought they were keeping up, pretty much everybody felt like they couldn’t keep up anymore because of the high frequency of new vulnerabilities coming out and the lack of talent in the market. We learned that a lot of people have given up on their ability to manage this problem and turned instead to detection and response tools—meaning, tools to discern quickly when they were getting hacked and try to stop it. But it's always cheaper to do prevention. 

What DeepSurface does is give companies the ability to automate that “every host” analysis, as well as automate showing which vulnerabilities can be linked together to get the assets. This gives them an automated way to figure out how attackers will chain vulnerabilities, and what we do in the end is assign a risk score to each chain. Obviously what you're going to find out is that the shorter the path that leads to the most critical asset with an easy-to-exploit vulnerability is going to be high risk, while very long chains that are going to set off your EDR (endpoint detection and response) along the way are going to be low risk. That may all be common sense, but you have to go through all of the context gathering, analysis, and chaining together before you get to the common sense risk score.
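As an added illustration from the editor, not part of the interview and not DeepSurface's software, here is a small Python model of the directed graph James describes above: nodes are (host, privilege) states, edges are weaknesses that move an attacker from one state to another, and every chain that reaches a valued asset gets a score that falls with chain length and with steps likely to set off EDR. The hosts, weakness labels, ease-of-exploit weights, CVSS numbers, asset values and the EDR penalty are all constructed placeholders chosen for the example; the point it demonstrates is that a low-severity workstation finding on a short, quiet chain to the database outranks a high-CVSS finding that sits on a long, noisy one.

```python
"""Toy attack-path model: (host, privilege) states as a directed graph.

Editor's example; all hosts, labels, scores and weights are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Node = Tuple[str, str]  # (host, privilege level)

# Assumption: a step likely to trip EDR succeeds unnoticed only ~20% of the time.
EDR_PENALTY = 0.2


@dataclass(frozen=True)
class Step:
    """One edge: a vulnerability, misconfiguration or exposed credential."""
    src: Node
    dst: Node
    vuln: str            # constructed label, not a real CVE id
    ease: float          # 0..1 chance the step works when attempted (assumed)
    cvss: float          # constructed scanner severity, for comparison only
    noisy: bool = False  # True if the step is likely to set off EDR


@dataclass
class AttackGraph:
    steps: List[Step]
    asset_value: Dict[Node, float]  # criticality of the assets worth protecting

    def chains(self, start: Node) -> List[List[Step]]:
        """Every simple path from the foothold to a valued asset (DFS)."""
        adj: Dict[Node, List[Step]] = {}
        for s in self.steps:
            adj.setdefault(s.src, []).append(s)
        found: List[List[Step]] = []

        def dfs(node: Node, path: List[Step], seen: set) -> None:
            if path and node in self.asset_value:
                found.append(path)
            for s in adj.get(node, []):
                if s.dst not in seen:
                    dfs(s.dst, path + [s], seen | {s.dst})

        dfs(start, [], {start})
        return found

    def chain_risk(self, path: List[Step]) -> float:
        """Shorter, quieter, easier chains to valuable assets score highest."""
        likelihood = 1.0
        for s in path:
            likelihood *= s.ease * (EDR_PENALTY if s.noisy else 1.0)
        return likelihood * self.asset_value[path[-1].dst]

    def ranked_chains(self, start: Node) -> List[Tuple[float, List[Step]]]:
        ranked = [(self.chain_risk(p), p) for p in self.chains(start)]
        return sorted(ranked, key=lambda r: r[0], reverse=True)

    def vuln_priority(self, start: Node) -> Dict[str, float]:
        """Per-weakness risk: the riskiest chain each one participates in."""
        prio: Dict[str, float] = {}
        for risk, path in self.ranked_chains(start):
            for s in path:
                prio[s.vuln] = max(prio.get(s.vuln, 0.0), risk)
        return prio


# Constructed network: a workstation foothold, a file server and a database.
WS_USER, WS_GRP, WS_SYS = ("ws01", "user"), ("ws01", "admins"), ("ws01", "system")
NET_ADMIN, DB_ADMIN, FS_USER = ("domain", "netadmin"), ("db01", "admin"), ("fs01", "user")

GRAPH = AttackGraph(
    steps=[
        # The chain from the interview: local privesc, system, cached creds, then just log in.
        Step(WS_USER, WS_GRP, "ws01-local-privesc", ease=0.7, cvss=5.5),
        Step(WS_GRP, WS_SYS, "ws01-service-misconfig", ease=0.8, cvss=4.0),
        Step(WS_SYS, NET_ADMIN, "cached-netadmin-creds", ease=0.5, cvss=0.0),
        Step(NET_ADMIN, DB_ADMIN, "valid-login", ease=0.95, cvss=0.0),  # no vulnerability at all
        # A noisy alternative through the file server: high CVSS, but likely to trip EDR.
        Step(WS_USER, FS_USER, "fs01-smb-bug", ease=0.6, cvss=8.1, noisy=True),
        Step(FS_USER, DB_ADMIN, "fs01-rce-noisy", ease=0.4, cvss=9.8, noisy=True),
    ],
    asset_value={DB_ADMIN: 100.0, FS_USER: 10.0},
)
FOOTHOLD = WS_USER


def cvss_order() -> List[str]:
    """How a scanner-driven ticket queue would order the same findings."""
    return [s.vuln for s in sorted(GRAPH.steps, key=lambda s: s.cvss, reverse=True)]


def risk_order() -> List[str]:
    """The same findings ordered by the riskiest chain they enable."""
    prio = GRAPH.vuln_priority(FOOTHOLD)
    return sorted(prio, key=prio.get, reverse=True)


if __name__ == "__main__":
    for risk, path in GRAPH.ranked_chains(FOOTHOLD):
        print(f"{risk:6.2f}  " + " -> ".join(s.vuln for s in path))
    print("CVSS order:", cvss_order())
    print("Risk order:", risk_order())
```

Running it lists three chains; the four-step chain through the workstation scores highest (about 26.6 with these weights) because every step is quiet and ends at the database, while the two-step chain through the file server scores under 1 because both steps carry the EDR penalty. The CVSS queue would fix the 9.8 file-server finding first; the chain view puts the 5.5 local privilege escalation on the workstation at the top.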

I’d love to talk more about your long term expansion plans and the bigger vision.

What we're automating is a very large market—in the $10+ billion range. People spend a lot of time and effort either not addressing risk or trying to manually analyze and prioritize. We can give them not only all that time back, but also a much better idea of the risk by doing an analysis and prioritization with the methodology I've been talking about. This allows people to become decision makers and decide how to protect against the highest risk vulnerabilities we’ve helped them identify. Our product really works well in organizations that already have a vulnerability team, which is generally any company with 1000+ employees or smaller companies in more highly regulated industries. 

What do you think has been your biggest or most unexpected challenge in terms of building DeepSurface?

The biggest challenge was during COVID when the ability to meet new CISOs and describe the product almost disappeared. There were no conferences, people weren't answering the phones, and nobody was at their office anymore. We had to completely reinvent how we communicated with CISOs, but we’ve found ways and now have almost 10 times the leads as last year.

Looking forward, what are the roadblocks you foresee for product implementation?

There are two problems: awareness and mindset. On the first point, unfortunately a lot of people believe that the vulnerability problem is unsolvable, so they’ve moved on to EDR (endpoint detection and response) and XDR (extended detection and response). We have to show and convince them that the problem is solvable.

On the second point, companies already have their metrics, which are based on how many tickets they’ve opened and closed. But ticket metrics are not risk metrics, so we have to get them to start thinking in terms of risk instead of closing tickets. In fact, we can almost always show that you can close ~20% of the tickets and double your risk reduction by focusing on risk metrics instead of ticket metrics. That means that companies not only have to change the way they think, but they have to change the way they're measuring success, and changing the way people do business is always harder than just giving them a better way to do it.

I would love to talk about what the VC/startup relationship means to you. How did you get connected with Differential? As an investor yourself, how do you think that influences you as a startup CEO? 

In terms of how we got connected with DVP, we had our pre-seed round with angels and funds out here in the Northwest. With that funding, we were able to bring our product to market and get some traction, at which point we wanted to partner with a more strategic VC. We were looking for funds who understood what we were doing and the market we were going after, as well as investors who could both coach us on large enterprise cybersecurity sales and help us with our A round if (and when!) we get to that point. Differential has a more technical team than we’d worked with in the past, so you got the value proposition very quickly. We found all of this and more in Differential!

James Dirksen is co-founder and CEO of DeepSurface Security, the first risk-based vulnerability management platform that allows cybersecurity teams to automate the process of analyzing and prioritizing vulnerabilities. A serial entrepreneur and accomplished executive, James brings a unique blend of leadership in private and public companies to DeepSurface. After beginning his early career as a cybersecurity practitioner at Northrop Grumman and PricewaterhouseCoopers (PwC), he went on to found and be VP of Sales and Product at RuleSpace, an early SaaS product powering website categorization services for cybersecurity companies that was acquired by Symantec in 2010. After selling RuleSpace, he moved on to serve as VP of OEM Products at Procera Networks (now Sandvine), providing software DPI solutions used in cybersecurity products worldwide, and most recently served as Galois’ VP of Product, spearheading efforts to transition DARPA-funded cybersecurity prototypes to commercial use. Based in Portland, Oregon, James is also a board member and advisor to several startups and nonprofits.
