July 13, 2022
February 14, 2023

When BlastWave’s Life Flashed Before Its Eyes

CEOs know that the path to success can be a bumpy road. BlastWave’s culture allowed us to survive two near-death experiences and bring our OT cybersecurity solution BlastShield to our customers in critical infrastructure sectors. Our ongoing success comes down to helping our customers reduce security costs and mitigate digital transformation risks by preventing compromised access, unauthorized discovery, and lateral attacks through secure direct remote access, easy-to-use microsegmentation, and device cloaking. Read more below from our CEO to learn how BlastWave overcame some early hurdles to reach our current exponential growth.

Back in 2017, it was clear that cyber-attacks on critical infrastructure were just getting started. Russia had successfully caused a blackout right before Christmas that cut the power to 250,000 homes in Ukraine. This was the second such attack in two years, but the mechanism was much more sophisticated than in the first because the malware could automate the key functions needed to manage a sovereign country’s electric grid remotely.

I spent my first decade in manufacturing working as an engineer, so I understood industrial process control mechanisms and safeguards. I was also a certified safety professional during that period, where I led risk management scenario planning. Upon reading Kim Zetter’s original article and Andy Greenberg's follow-up on the attack, I freaked out and knew something needed to be done. Massive companies like Cisco, Palo Alto Networks, and Zscaler were high-fiving each other for figuring out how to move an on-prem VPN concentrator to an off-prem data center (aka the cloud) to encrypt traffic between users and cloud applications.  

Even though I wasn’t a cybersecurity expert, I knew this approach wasn’t solving the real problem - unsafe connectivity between resources and people. If an adversary could easily phish, steal, or extract a username and password or hijack an auth token that had been created using “normal MFA,” they could implant malware that replicated the Ukraine attack in any industrial control system. In addition, existing vendors were not addressing the root cause of the problem – the human element involved in the authentication process and the presence of unauthenticated attack surfaces at a network level.  

I had to act because security is not only an industry problem - it’s a societal problem. I’m a sucker for analogies, and I think of a recent analogy from Jeff Dotzler of Elevity during BlastWave’s Cysurance Roundtable. We increasingly share the same online “neighborhood” that’s only gotten more dangerous with more devices, more interfaces (APIs), and a more sophisticated, coordinated adversary that can efficiently monetize malware. I needed help.

Walking away from the light

First, I met my eventual co-founder. They had been in the driver’s seat of the computer revolution and evolution. They understood hardware, operating systems, cryptography, garbage collection, and a whole host of critical interconnected systems. After knowing each other for less than a year, we co-founded BlastWave on an extremely ambitious concept. BlastWave would use a new chip (from Axiado) that had some unique security properties that weren’t on the market. We would build our operating system using a new language that reduced the probability of congestion, buffer overflows, and other methods that hackers exploited to break into systems.  

We would also build our own encrypted peer-to-peer full-mesh networking layer that would replace how the Internet works today. And, we would write our own developer environment so that third-party developers could write “safer” applications. Finally, BlastWave would apply passwordless phishing-resistant multi-factor authentication as a cherry on top. This was a full-stack solution that would solve the problems with prevailing industry approaches to security. Admittedly, it was ambitious and maybe a little crazy.  

We got to work and successfully closed our first round of financing. We hired engineers in 2018 and started to miss development milestones - all of them. One of those hires was our current CTO Peter Alm, a networking expert who wrote the DPI software that global phone carriers use to inspect and manage traffic for billions of users. Within a month of joining the company, it became clear to the team that my co-founder’s vision and execution were not going to turn into a usable, real product.  

The execution pressure got so great that the entire engineering team told the board and me that we could either have a company with only the co-founder or all of them without the co-founder. My co-founder took a 30-day paid leave of absence, and the remaining team produced a solution in one month that we had been unable to produce in almost a year. Without going into the gut-wrenching details, the co-founder resigned in May 2019. The company had survived its first near-death experience.

I went into overdrive, hiring an entire hardware engineering group led by Fazel Taslimi, an extremely talented hardware leader, and other key personnel to quickly design and build two pieces of hardware that could serve as a minimum viable prototype to start testing with prospective customers. Fazel’s hardware engineering team and Peter’s software team worked harmoniously and delivered this “Minimum Viable Product” in eight months by January 2020.  

As we shared our solution with possible customers and partners, there was excitement about the efficacy and protection of BlastShield™, our new game-changing product. Still, people wanted nothing to do with hardware and felt our solution was overkill. The pandemic was starting to freeze the world in its tracks. We were meeting with funding sources and had less than six months of cash remaining, and those meetings came to a screeching halt.  

We had no customers. We had a hardware-based MVP that nobody wanted to buy. And we were running out of money. Through no fault of Fazel and the hardware team, who delivered, customers had different ideas. I had to make a second gut-wrenching decision to eliminate hardware and cut our burn rate by 70% to buy us time to get a software-only (SaaS) product developed and out the door before we ran out of money. This enabled the company to survive its second near-death experience. Peter and the team delivered the SaaS product, enabling me to raise a small bridge round and get us from development to product-market fit.  

BlastShield – 3 levels of disruption for network security

If you step back and squint your eyes at our digital world, there are only two entities: digital devices and the network connecting them. Digital devices can be a PC, a server, an iPhone, an Alexa smart speaker and other IoT devices, a connected car, a Docker container, or anything that has compute and storage. These devices don’t work without a secure network or trusted connectivity.

Cybersecurity mirrors the digital world in that all digital devices can be used for good or evil. Applications and operating systems are just software that enables tremendous capabilities. Malware (ransomware is just one type) is software that can tremendously cripple those devices. So, the real challenge at a macro level is protecting the digital devices (aka endpoints) and the network that connects them.  

Endpoint protection evolved from anti-virus to EDR, and companies like CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, Cisco, and others do it well. These companies monitor and collect activity data from endpoints that could indicate a threat. They can identify threat patterns, notify security personnel, and respond to remove or contain those threats. Collectively, EDR vendors represent over $100B in market cap. BlastWave doesn’t compete in the EDR space. We protect devices in a highly disruptive way…by enabling the devices to actually protect themselves and not just monitor for threats. We are pioneering a new security model by creating a software-defined perimeter (SDP).

Existing network protection is performed by companies like Zscaler, Palo Alto Networks, Fortinet, Cisco, and others, representing over $100B in market cap, too. BlastWave’s flagship SDP product BlastShield performs the same secure encrypted transport that existing vendors provide. But, unlike the incumbents, it eliminates the top three ways adversaries attack their targets:

  1. Discovering vulnerabilities through unauthorized network sniffing and reconnaissance
  2. Compromising access by stealing credentials and leveraging vulnerabilities
  3. Exploiting weaknesses and delivering weaponized malware through lateral attacks

Our strategy is to guarantee the user's identity and use that as the bedrock to build zero-trust policies, giving the right people access to only the resources they’re authorized to access. The wrong people can’t even “see” anything on a customer’s network unless they have been authenticated first. So, the first level of disruption is to have an environment that is completely cloaked from outside and inside threats.  

The second level of disruption is to greatly simplify identity validation by eliminating the number one method hackers use to gain access to the network and deploy malware – compromised credentials. BlastShield solves this problem by eliminating usernames and passwords altogether. There are no passwords to create, remember, forget, or change. There are no 6-digit codes to enter. There are no push notifications to validate that a user is trying to log in to a Chrome browser in Germany. Users aren't even presented with an opportunity to make a mistake. That is the key to reducing human error - reduce the number of decisions and actions humans have to take where they can screw up.

BlastShield’s authentication process is multi-factor (three surfaces) and is as easy to use as Apple Pay. It takes less than five seconds. This easy-to-use, highly secure process discourages users from finding workarounds and subsequently sacrificing security for speed. Unlike every competitor, we don’t have a single public-facing TCP port. There is literally zero attack surface for unauthenticated users. This means that existing bugs or CVEs can’t be remotely exploited. Users are even protected from zero-day viruses. No one else on the market can claim this.

The third area of disruption is simplicity. We combine the functionality of secure remote access, virtual private networks (VPNs), microsegmentation, and device cloaking into a single solution that also provides blazing-fast performance due to our peer-to-peer architecture. This replaces third-party MFA, VPNs, secure remote access, firewalls, and data diodes while saving our customers millions of dollars per year.  

The cockroach mentality: refusing defeat

Our people and culture are the reasons that we survived these near-death experiences. Our “cockroach” culture is shorthand for no-nonsense, no ego, learn what you need to learn, figure it out and get-it-done execution. This is the competitive advantage that allowed us to create three breakthrough components to our BlastShield product - direct secure remote access, microsegmentation, and device cloaking - any one of which standalone is far superior to anything on the market. But we combined them into a single platform that solves the network security problem while being easier to use, faster, and more secure than anything else. Stuck with the old layered networking security model, Zscaler, Illumio, Palo Alto Networks, and Cisco aren’t even close.
