Tim Nary of SnapAttack
An exclusive Tech Tribune Q&A with Tim Nary (co-founder and Chief Product Officer) of SnapAttack, which was honored in our:
Tell us the origin story of SnapAttack – what problem were you trying to solve and why?
The concept of SnapAttack started in 2016 under Booz Allen’s Dark Labs. We were tasked with creating and standing up a scalable threat hunting program for the federal and commercial markets. There was a team creating the architecture and tech stack (collecting, normalizing, and enriching customer data at scale), and another team creating the Hunt Analytics Library (HAL), where red teams (offensive experts) would simulate real-world attacks to help our blue teams (threat hunters/detection engineers) create behavioral analytics to detect them.
The nature of our approach required us to ingest terabytes of the client’s log data, then normalize it to our model. The benefit that yielded us was an ability to write an analytic once in our own query language, then hunt across all of our client’s security tools. We all know how many SIEMs, EDRs, and NDRs are out there, and this gave us a way to support them all.
Eventually, we learned that instead of bringing the horse to water (client data to our analytics), we could bring water to the horse (our analytics to the client’s data, in their data model, and their query language). This is an even more difficult problem, and one which had no viable solution in the market. This directly led to the creation of SnapAttack.
We believe that in order to be confident in your defensive posture, you must prove your analytics actually work. They must reliably catch true positive attacks, which is challenging because hackers are always evolving and refining their tradecraft. They must not be high in false positives as noisy security tools are the bane of security teams worldwide. And they must reflect attacker techniques actually used in the real world. To do this, we had to have our red team capture and catalog known attacks – something that didn’t exist widely. SnapAttack took our attack knowledge and analytic library out of spreadsheets and turned it into a live, operational proving ground where red and blue teams could collaborate asynchronously.
However, savvy customers needed more. They needed validation across the analytic lifecycle, in their environment. This led to the creation of our own implementation of adversary simulation, and partnerships with existing breach and attack simulation (BAS) tools. And while all these features are great, sometimes customers just want the “easy button”. Our customers know the value that we bring with our curated library, trust our process , and just want to deploy proven analytics to their environment without investing significant resources in developing their own detection content. So we’ve made it easy for them to find and deploy analytics to specific threats they care about, in the tools they own but struggle to optimize.
There is no other tool that does everything we do. We’ve created the Aberdeen Proving Ground of threat detection, where we can rapidly prototype, prove, and deploy defenses that actually work across the spectrum of adversaries, attack scenarios, killchains, security tools, and environments.
What was the biggest hurdle you encountered in your journey?
Creating a product takes a lot of capital, and even a large company like Booz Allen has limitations on what it can fund. Patrick Gorman, an Executive Vice President of the Strategic Innovation Group focused on cybersecurity, had a bigger vision. He saw an opportunity to incubate capabilities internally, and then scale externally with outside VC funds. This cultivated an entrepreneurial model within Dark Labs, where ideas would be minimally funded and evaluated for viability before being matured and spun out as new entities to scale. Harnessing our team’s expertise and achieving market-readiness with very limited budgets was a big challenge that we overcame with good decision-making, prioritizing the features our customers demanded, and focusing on solving the unsolved problems.
SnapAttack ultimately became the first company spun out of Booz Allen’s Dark Labs. We were fortunate to have a slew of investors excited about our novel approach. Despite a long and sometimes challenging process, we paved the way for this model to work for other Dark Labs innovations in the future.
What does the future hold for SnapAttack?
SnapAttack is the right product at just the right time for the current market, with Fortune 500 companies and the US federal government prioritizing cybersecurity more than ever before.
We’ve already seen President Biden release an executive order on improving the nation’s cybersecurity , which aims to modernize cybersecurity with new approaches across the federal government for years to come. This includes removing barriers to threat information sharing, deploying endpoint detection and response (EDR) tools to all agencies, and improving detection and remediation capabilities. SnapAttack is uniquely positioned to help solve these challenges.
On the commercial side, we know that organizations are demanding more and more from their security tools and vendors. Traditional indicators of compromise (IOCs) are not enough, and we can’t simply hope our defenses are going to work – we have to prove it. We need proactive detections to look for suspicious and malicious behaviors, and the ability to integrate and deploy more and more tools as the industry grows.
There are also amazing opportunities for machine learning and artificial intelligence in this space to create more robust analytics, lower false positives, and uncover patterns in data that are imperceptible to human analysts. None of this will happen overnight, but SnapAttack will prove to be the premier platform for labeling real-world attacker data, enabling the creation of ML and AI algorithms in the future.
What are your thoughts on the local tech startup scene in Columbia?
The DC metro area is the best place for cybersecurity startups, in part because of the talent that comes from working with the federal government and intelligence community. The DC area is to cybersecurity what San Francisco is to consumer tech startups, or New York is to fintech. There are many exciting cybersecurity startups whose founders’ roots are in solving big problems for the government. This is wonderful for the community, as it allows local tech professionals to work and learn alongside these individuals.
There are also several VCs and accelerators in the region to help tech startups grow. Hank Thomas, the CEO and co-founder of Strategic Cyber Ventures (SCV), was an obvious partner when we were raising our series A round. SCV has several other cyber companies in their portfolio, and Hank spent over a decade at Booz Allen, so he quickly understood why we developed a product like SnapAttack internally to help solve our client’s challenges. More local to Columbia, there are investors like Ron Gula and Gula Tech Adventures, which invests in companies and nonprofits that defend the nation’s cyberspace.
What’s your best advice for aspiring entrepreneurs?
First, it’s never too late. I and my co-founder Fred have over 30 years combined experience with Booz Allen – certainly a long tenure at any company, but even more so considering the stark differences between a large Fortune 500 and a startup. There are also many non-traditional paths. We wouldn’t have considered that working for a large company would lead us to founding a startup, but here we are.
As a founder, you’ll have to wear many different hats and will be exposed to many new things, but you can’t do it all alone. We’ve been exceptionally lucky to have large personal and professional networks, which helped us build our core team with people who also share our vision and that we know will have our back. We also have support from other founders who have been in our shoes, and have offered advice on what did and didn’t work for their companies, so we don’t have to make the same mistakes. Surrounding yourself with the right team and mentors can make all the difference.