For the next interview in our series speaking to technical leaders from around the world, we’ve welcomed Matt Polak, CEO and Founder at Picnic Corporation.
Matt Polak is a subject matter expert in intelligence collection, having spent his career applying these skills to intractable growth and competitive strategy challenges for Fortune 500 customers. Matt’s extensive experience and expertise in the field of human intelligence inspired Picnic’s creation as a means to protect people from open-source intelligence gathering by hackers.
Prior to founding Picnic, he was the founding partner of BroadBranch Advisors where he directly supported over $200B of successful M&A transactions in over a dozen industries ranging from cybersecurity to life sciences.
Tell us about the business you represent, what is its vision & goals?
Picnic is a cybersecurity firm that proactively protects people and companies from the biggest threat vector in cyber today: attacks by social engineers. Our name is derived from an old IT security acronym that stands for ‘problem in chair, not in the computer.’ We think this is a great way of talking about the problem since social engineering targets people in order to bypass technical controls. So, as a nod to this saying, we named our company Picnic, but we are reframing this old saying with a positive spin as Protection in the Chair, Not in the Computer.
One thing that became clear to us early on is that many people don't really understand what social engineering is and how it works. Most people these days have heard of phishing. They may know what a phishing email is and associate the idea of social engineering with phishing, but this is an incomplete picture of what it is.
Social engineering is ultimately a game of trickery, where the goal for the threat actor is tricking a person to do something they would not otherwise want to do, such as clicking on a link or sharing a password. The thing about tricking people is that it is much easier to trick someone when you know something about them. And so, the first thing a skilled social engineer will do is conduct reconnaissance, gather as much information about a target as they can, and then craft a convincing scam based on that target’s personal data. This makes social engineering fundamentally a data problem because threat actors need personal information to effectively trick, coerce, or manipulate people into working against their own best interests by clicking on that fabled link.
Recognizing this, Picnic was created to help enterprise security teams address the problem of social engineering at its source by revealing what the public data footprint of an organization and its people looks like from the perspective of a social engineer, where its social engineering vulnerabilities are, and making it easy to remove or neutralize any exposed information that could be used to craft a social engineering attack. Social engineers are typically opportunistic and look for vulnerable data-rich targets.
We step in and take away their opportunities by removing attractive and valuable data before it can be exploited. In having this technological ability to see their exposure and eliminate attack paths preemptively, companies can prevent and dramatically reduce social engineering attacks.
Doing this well is a layered and complex problem because fundamentally it is about understanding the risk created by an organization’s exposed public footprint, including that of its employees, and simultaneously helping the organization protect itself and its people from nefarious actors.
What inspires and energizes you within your work?
I'm a third-generation entrepreneur and there is nothing more exciting to me than solving really hard problems. The thing that excites me most is doing the one thing that someone says can't be done, especially if doing that thing successfully is going to benefit people. Why can’t it be done? Who has tried it before? Why did they fail?
These were some of the kinds of questions I asked myself as I ventured into this journey to stop social engineering attacks. The more I learned, the deeper I pushed into this problem, and the more excited I got about combating it. There is no doubt that social engineering is the largest and most difficult problem to solve in cybersecurity—it is responsible for more than 90% of successful attacks–but that doesn’t mean there isn’t a way to effectively address it. Being able to give our customers the technological means to do so has made the journey worth it and being in the fight against social engineering continues to energize me.
I would also say that team sports have always been a central part of my experience and continue to be to this day. For me, building a successful company is at its core about bringing together the best and smartest people and creating an environment where they can excel. Something I say to my team all the time is that great people build great companies and technologies. Those things don't build themselves. That might seem like an obvious statement but it's something we may forget and need to be reminded of.
Lastly, I would say having fun is a key element of staying energized for me. Building an amazing company full of smart people solving an intractable problem is the pinnacle of fun for me. There's nothing I'd rather be doing every day than waking up and problem-solving with this group of amazing humans.
Can you share a little bit about yourself and how you got into cybersecurity?
I probably don't have a typical cybersecurity background if there is such a thing. I started my career working in the defence and intelligence community and quickly realized that I was more interested in an entrepreneurial path. I spent about 15 years building a growth and competitive strategy business pulling on some unusual skills related to human intelligence collection.
I did lots of work with large cybersecurity companies and became fascinated with the industry and the problems they were solving. Over time, I watched as thousands of companies were created to solve the myriad problems facing security teams.
What really caught my attention though was how, despite the billions and billions of dollars invested into these companies, every single headline was essentially the same story: company x was breached when an employee clicked on a phishing link.
I thought to myself how could this be?
So I started digging in and talking with customers about this and related problems. It became immediately clear that not only was this the largest problem every single customer was facing, but no one had a solution to the problem. Everyone agreed that employee cybersecurity training did little if anything to address this recurring problem of social engineering. Moreover, the myriad technical tools created by the thousands of vendors in the industry were good at solving point problems and niche issues but failed to address the issue of social engineering holistically.
How would you explain your role to a non-technical audience?
Actually, I think non-technical audiences most easily understand this problem because they don't get bogged down in all the details a technical person might try to unpack.
Quite simply, this problem is about the digital exhaust created by all of our online activities. There is an ocean of personal data out there that bad guys have learned to harness. Cybercriminals and nation-state threat actors vacuum up all of this data and use it to identify accessible and valuable human targets. Once a human target is identified, they then use that person’s data to trick them into granting access to something of the value connected to that person’s organization.
While social media is an element of what social engineers look for when researching their targets, there is a much wider range of information that is useful to one of these criminals. For example, data broker information and third-party breach information are two key data sources for threat actors that are largely unknown to the average person. This data has ended up in the public domain through no direct action or wrongdoing by the individual.
Most people innately don't want to have their personal email, personal mobile number, children's names, children's schools, income history, voting records, and things like this online for anyone to look at. What Picnic does is identify all of this kind of information and where it lives, and then we work to remove it where possible or make it useless to threat actors when it's not possible to remove it. And we do all of this in a privacy-forward way.
What advice would you give to someone wishing to start their career in cybersecurity?
The first thing I would do is go and research who the venture capital firms are who are investing in cybersecurity. Look at their portfolios and understand where and how they are investing. Make a list of the companies and organize them into categories based on common problems they solve.
Choose the 3-5 that you think look most interesting and start networking to meet the founders of these organizations.
Present yourself honestly and share the research you've done and why you want to come work in cyber. There are not many founders I know who would ignore a well-researched and honest request for discussion and advice about how to break into cybersecurity. Don't come in looking for a job but rather come in looking to learn. In that conversation, you've got a better than 50% chance that the founder will ask about your interests and experience, and they will naturally associate that with the inevitable need for talent that they have in their organization.
When you do get that offer, maximize equity. I can't stress this enough. Trade as much of the cash that they offer you as you can for equity in the company.
Can you give an example of security issues at your jobs, and how you and your team fixed them?
An example of a common problem we help our enterprise security teams solve is one known as credential stuffing. This is when an attacker obtains a list of breached username and password pairs from the dark web and then tests them on dozens or even hundreds of website login forms with the goal of gaining access to user accounts. Since most people reuse passwords across different accounts, it is inevitable that some of these credentials will work on other accounts, either personal or corporate.
Picnic identifies any exposed usernames and passwords from work and personal email accounts of employees, and we stop their reuse in corporate infrastructure. The novel thing about this is that we cover both work and personal accounts. Most security teams have already tackled the work problem but have not yet addressed the personal email conundrum. This is very important because what we have seen is that the average employee in a Fortune 500 company has roughly 13x the number of clear-text credentials associated with their personal email when compared to their work email.
What are the chances that a key employee in your organization has an exposed clear text credential from their personal email account that is being reused in your corporate infrastructure? Based on what we have seen, the chances are nearly 100%, especially in large organisations with many employees.
What are common weaknesses in IT security strategies that companies often overlook?
I guess I hinted at this one in the above question with my comment about operational security.
Most security organizations are drowning in alerts and constantly reacting to problems in their environment. The number one thing organizations should do to reduce their risk profile and alleviate this alert fatigue pain is to come upstream of the attack and take preventive and proactive measures to make themselves less of a target by reducing their human attack surface.
What are your thoughts on companies looking to prepare for CMMC compliance?
Complying with any security regime such as CMMC or FedRamp is time-consuming and difficult. I would recommend organizations work with trusted partners who understand the landscape and can help them minimize the time and cost of going through the process. When it comes to specific requirements within CMMC related to insider threat and identity, I would encourage organizations to think about how to put in place proactive measures that can reduce the probability of a negative event.
The cost of deploying a preventative layer of protection pales in comparison to the negative press associated with a public security event.
What are your takes in response to the Log4shell incident?
Log4shell was a major headache for the cyber community. It was a quick and relatively simple exploitation of vulnerable versions, and this was exacerbated by the large software "supply chain" surface that many companies have. To add insult to injury, many companies with shadow IT were negatively impacted since the security team wasn’t aware of the exposed server running popular logging software. Is it updating? Is it access-controlled and isolated correctly?
This incident reinforced the need to know where your assets are and have confidence in tooling and testing to upgrade libraries quickly. In addition, companies learned that they need to have continuous knowledge of the threat landscape in order to find and solve problems.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
We have seen the industrialization of cybercrime take place over the last decade. Criminals can now buy services from other criminals to help further their particular goals. An example of this would be initial access brokers who seek to gain the initial access into an organization so that they can then sell that access to others. Another example is the rise of ransomware as a service.
I believe we will see a similar industrialization of social engineering as a service. In fact, we might have already seen the earliest signs of this taking shape with the recent campaign dubbed “0ktapus.” In these attacks against organizations such as Twilio and Cloudflare, a group of threat actors collected information from LinkedIn to identify desirable targets and then mixed that data with data broker information and third-party region information to create comprehensive target packages. These target packages were then used to attack specific individuals in an effort to socially engineer them and gain access to enterprise systems.
This large-scale data collection and the target-package-building process have become largely automated, and I anticipate we will see more attacks like this in the future. As a result of its success, I think we will see social engineering as a service being offered by threat actor groups with particular skills in that arena. This will unfortunately make sophisticated campaigns like 0ktapus more commonplace and more difficult to stop using traditional reactive methods.
The only way to effectively prevent these kinds of attacks is to reduce the attack surface of humans. If you can trick the person with sensitive access, then ultimately it doesn't matter how many layers of security an organization puts on top of its infrastructure– it's game over.