5 Lessons I Learned When I Created My App or SAAS: “Consider user experiences of all kinds” with Salvatore Stolfo and Mitch Russo

Mitch Russo, Authority Magazine
Published Oct 2, 2019 · 10 min read


As part of my series about the “5 Lessons I Learned When I Created My App or SAAS”, I had the pleasure of interviewing Salvatore Stolfo. Salvatore received his PhD from Courant Institute, NYU, in 1979 and has been a Professor of Computer Science at Columbia University ever since. He served as Chair of Computer Science and Director of the NYS Center for Advanced Technology at Columbia. He recently was elevated to IEEE Fellow for his contributions in the area of machine learning applied to computer security. He has chaired numerous technical conferences and workshops and has received numerous awards, most recently the RAID Most Influential Paper and the Usenix Security Distinguished Paper, and the “Popular Science Best of What’s New” award. He has published several books and well over 300 papers, and has been granted 89 patents (and counting) in the areas of parallel computing, online banking, machine learning and privacy, and security and fraud detection technologies. He has been an advisor and consultant to government agencies for well over two decades, including DARPA, the National Academies and others. Prof. Stolfo serves as an advisor to private investment firms. Two cyber security companies were recently spun out of his Intrusion Detection Lab at Columbia University. He is the founder and CTO of Allure Security.

Thank you so much for joining us! Our readers would love to “get to know you” a bit better. Can you tell us a bit about your ‘backstory’ and how you got started?

I’m a native New Yorker, and I was always destined to be a scientist. I got hooked on computer science even before it was called that. Having gone to New York City public and parochial schools and graduated from Brooklyn College and then Courant Institute, NYU, I had no choice but to become a professor at Columbia, one of the stops on the Interborough Rapid Transit (IRT). My early days in computer science were focused on database inference and parallel computing to scale machine learning to large datasets. Later, I got hooked on security and fraud detection — an obsession that began when I consulted for Citibank on their credit card early fraud detection system. I’ve been working hard at defending against cybercriminals ever since.

What was the “Aha Moment” that led you to think of the idea for your current company? Can you share that story with us?

I was sitting at a technical meeting with a government agency, where I was working as a consultant, and the topic was insider threats. Everyone kept talking about the same theme: “protect, protect, protect.” But I kept saying, “detect, detect, detect.” Since the dawn of cybercrime, too much emphasis has been placed on protection, but the reality is, we can’t protect against every attack. For every wall we build, hackers can simply build a taller ladder. As defenders, we must assume that systems are going to be penetrated and we must have a plan for what happens next. Defenders need tools that focus on detection and response. The idea of tracking data — essentially, putting GPS tracking on sensitive data — was the key that convinced me to start a company to prove it would work.

Can you tell us a story about the hard times that you faced when you first started your journey? Did you ever consider giving up? Where did you get the drive to continue even though things were so hard?

Driving a startup forward is always hard. But not as hard as other life events. I just never gave it a thought to give up. I believe that detection and response is the right way to go.

So, how are things going today? How did your grit and resilience lead to your eventual success?

I’ve learned a tremendous amount about the value of patience. It’s very easy for most to react to tough situations with panic. I try hard to instill in others the response to hone their patience and their listening skills. Pitching to customers may not always lead to a sale, but it always leads to new insights and valuable information to refine the product to better meet the needs of the marketplace. Listening and learning and improving is a daily act. I believe we are in the best possible position now, and rarely do we hear “no” when we pitch to customers.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lessons or ‘take aways’ you learned from that?

What immediately comes to mind is how easy it is to make a mistake involving language. The language of technical research in academia or in government R&D has its own vocabulary. Commercial language in cybersecurity is far more geared to simpler and more “emotional” terms. It does take time to adjust and recognize what the customer is saying and perceiving, which is not always what you understand a particular technical term may mean. There was considerable confusion about “insiders” and the “insider threat”. Everyone is an insider, but often a prospect would just not understand why an insider is a threat. After all, they are all trusted since they were hired as inside employees. In the enterprise security world, threats were always outsiders. Thanks to a number of high-profile cases and a lot of education, the insider threat became clearly defined for many security professionals. They even recognized their own internal security teams can be a threat, even by accident. Language can be vexing.

What do you think makes your company stand out? Can you share a story?

Allure Security started life as an R&D company funded by government contracts. In the beginning, our focus was on developing technology and then making improvements on it with each new version. Then, we directed our attention to taking this technology to commercial markets. What I learned through this experience of moving from a research-based startup to a company with a commercial product is that private funding of the company was far easier than government investment, since development risk was greatly reduced. It is a pathway that perhaps makes it quicker and easier to develop a commercial go-to-market strategy, and with a product ready to deploy. A note of caution: in my experience, the commercial cybersecurity space is farther behind the government security space.

Which tips would you recommend to your colleagues in your industry to help them to thrive and not “burn out”?

When burnout is apparent in someone on my staff, I generally take them out for a drink or dinner. As for me, I bought a farm in upstate New York to embed myself in the sounds of nature…no city sounds at all. It’s like flushing out toxins with a gallon of water in one gulp.

None of us are able to achieve success without some help along the way. Is there a particular person who you are grateful towards who helped get you to where you are? Can you share a story?

There are many people and they certainly know who they are. There is no substitute for an experienced business person who has demonstrated patience and a core integrity. They are generous with their time and thoughtful in their advice. They know who they are, and they know how much I appreciate them. I’ve told them so.

Ok thank you for all that. Now let’s shift to the main focus of this interview. Approximately how many users or subscribers does your app or software currently have? Can you share with our readers three of the main steps you’ve taken to build such a large community?

We sell our SaaS solution directly to large enterprises with very broad customer bases. Most of our customers work in highly regulated industries where they face regulatory mandates to keep customer data safe, such as banking and financial, healthcare, and higher education. We also work with customers who are concerned about the loss of intellectual property, such as manufacturing and technology companies. We generally do not know how many users they serve, so instead of charging per user, our model is set up per data stream. This is much more cost effective for our customers, because judging by the data streams, one customer alone has many thousands of users touched by our security solution.

The simple strategy we have is to demonstrate the value of the solution and its ability to scale to very large customer bases. To do this, we start with a proof of concept (POC). Technical evaluations are fairly straightforward measurements of server capacities, and testing efficacy of the security solution in pre-staging environments. We need to be able to prove that our SaaS solution has no impact on the user’s existing experience. This includes measurements bounding the computational cost on the client machines, since our solution is agent-less. Service and continuous involvement with our enterprise customers is key. Large enterprises cannot afford any negative impact on their customer base, and we commit to ensuring that is always the case. This leads to continued trust and establishes the level of trust for other prospects that our solution would work and scale for them, too.

What is your monetization model? How do you monetize your community of users? Have you considered other monetization options? Why did you not use those?

Our present model is based upon server data streams generated by the customer base. The larger the stream, the more capacity is necessary to scale, and thus a higher price is charged. Charging on the basis of “number of customers” is, in my view, an inaccurate model of the actual costs in servicing that customer base. We cannot know a priori the distribution of customers to the data stream they create. Some heavy hitters are more expensive, for example, than a larger set of infrequent customers. Hence, the model is far more fair and defensible based upon the total data stream generated by the customer base.

Based on your experience and success, what are the five most important things one should know before one wants to start an app or a SAAS? Please share a story or an example for each.

1- Design and build the app/SAAS for test and evaluation. Any critical sections of the logic/code should be logged for subsequent testing for POCs. This sounds suspiciously obvious, but the choice of what to log and when isn’t.

2- Design your solution to scale quickly and seamlessly. There are a variety of different enterprises in different verticals with different network traffic environments. Designing for “an average” is quite hard. Designing for scaling automatically is a first-class principle.

3- Be prepared to address any bugs, no matter how small. Subtle bugs, totally innocent bugs, will reveal themselves in odd ways after deployment. At times they are only revealed by odd response rates and effects on the GUI. The output was correct, but displayed far longer than it should have been. In one case, under a very special corner case, an internal DB operation caused an unexpected delay in painting a dashboard report. This subtle bug was finally tracked down to a very oddly formed SQL expression that was only revealed by running detailed tests under varying database sizes. Essentially, it was a form of “fuzzing”. Be prepared to test your solution post-deployment.

4- Consider user experiences of all kinds. In the case of security solutions like ours, the cybersecurity intruder is also a user (although in most cases they aren’t aware of their usage). This is among the hardest issues to understand: how will the adversary test your solution, evade your solution, or disable its proper operation? Seasoned security professionals will understand this and hold your feet to the fire to provide a proper response. For example, detecting the evasion tactics of an adversary, and countering those, must be part of the solution. Otherwise, the solution will have a very short shelf-life. Adversaries are very, very good. They study defenses. Defenders should study them.

5- Plan a detailed product roadmap. Because our SaaS solution deals with security, we know that we would need to plan for the increasing “self-defense” mechanisms in future versions. Knowing that our solution is meant to foil hackers, we have to expect an adversarial response when our solution is successful and shuts down an attack. It’s inevitable that adversaries will lodge an attack against your solution, but smart companies plan for this and will be ready with a new version of the software that counters this attack. Plan for the future to reduce the risk that your solution will be obsolete faster than you think. You must continuously learn and improve, because that’s what cybercriminals are doing, too.
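Lesson 3 describes a query that returned the right answer but whose runtime blew up at certain database sizes, and a test sweep over varying sizes that finally exposed it. The script below is an added example of that kind of scale-sweep test; it is not Allure Security's code and the specific SQL is an illustrative, commonly seen pattern rather than the expression from the interview. It builds an in-memory SQLite table at several sizes with constructed sample rows, times two queries that return the same answer (a per-row correlated subquery and an equivalent form that precomputes the per-user maxima once), checks that both forms agree, and estimates a growth exponent from a log-log fit so a super-linear query is flagged even while its output is correct. The `PRAGMA automatic_index = OFF` is there only so that SQLite's transient-index optimisation does not mask the rescan the example is meant to show.

```python
"""Scale-sweep test: run the same query against databases of increasing size
and estimate how its runtime grows, so a query that is correct but
super-linear is caught in testing rather than on a customer's dashboard."""
import math
import random
import sqlite3
import time

# Two queries that return the same answer: count the rows that carry their
# user's most recent timestamp. The first re-evaluates a correlated subquery
# for every row; the second computes the per-user maxima once and joins.
SLOW_SQL = """
SELECT COUNT(*) FROM events e
WHERE e.ts = (SELECT MAX(ts) FROM events f WHERE f.user_id = e.user_id)
"""
FAST_SQL = """
SELECT COUNT(*) FROM events e
JOIN (SELECT user_id, MAX(ts) AS max_ts FROM events GROUP BY user_id) m
  ON e.user_id = m.user_id AND e.ts = m.max_ts
"""


def build_db(n_rows, seed=1):
    """Constructed sample data: an in-memory events table with n_rows rows
    spread over roughly n_rows/10 users. Disabling automatic indexes keeps
    SQLite from building a transient index that would hide the rescan."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA automatic_index = OFF")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, user_id INTEGER, ts INTEGER)"
    )
    rng = random.Random(seed)
    users = max(1, n_rows // 10)
    conn.executemany(
        "INSERT INTO events (user_id, ts) VALUES (?, ?)",
        ((rng.randrange(users), rng.randrange(1_000_000)) for _ in range(n_rows)),
    )
    conn.commit()
    return conn


def run_query(conn, sql):
    """Return (scalar result, elapsed seconds) for a single-value query."""
    t0 = time.perf_counter()
    value = conn.execute(sql).fetchone()[0]
    return value, time.perf_counter() - t0


def growth_exponent(sizes, times):
    """Least-squares slope of log(time) against log(size): about 1 means
    linear growth, about 2 means quadratic. Needs at least two distinct sizes."""
    xs = [math.log(s) for s in sizes]
    ys = [math.log(t) for t in times]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def sweep(sql, sizes):
    """Run sql against a fresh database at each size; return (results, times)."""
    results, times = [], []
    for n in sizes:
        conn = build_db(n)
        value, elapsed = run_query(conn, sql)
        conn.close()
        results.append(value)
        times.append(max(elapsed, 1e-6))  # guard log(0) on very fast runs
    return results, times


def check_queries_agree(sizes):
    """Both forms must return identical answers at every size: a rewrite that
    is faster but wrong is a worse bug than the slow one it replaced."""
    slow_results, _ = sweep(SLOW_SQL, sizes)
    fast_results, _ = sweep(FAST_SQL, sizes)
    return slow_results == fast_results


if __name__ == "__main__":
    sizes = [250, 500, 1000, 2000]
    assert check_queries_agree(sizes)
    for name, sql in (("correlated", SLOW_SQL), ("precomputed", FAST_SQL)):
        _, times = sweep(sql, sizes)
        k = growth_exponent(sizes, times)
        verdict = "SUSPECT (super-linear)" if k > 1.5 else "ok"
        print(f"{name:12s} exponent={k:.2f} "
              f"times={[round(t, 4) for t in times]} {verdict}")
```

The exponent threshold is deliberately loose: timings at small sizes are noisy, so the sweep should cover at least a factor of eight in size, and a flagged query should be confirmed with `EXPLAIN QUERY PLAN` (or the equivalent on the production engine) rather than treated as proven by timing alone.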

You are a person of great influence. If you could start a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger.

I would like to start a movement in the academic and security communities where, collectively, we can defend the internet so that it is safe for all.

How can our readers follow you on social media?

Follow me on LinkedIn: https://www.linkedin.com/in/salvatore-stolfo-996171/ or check out my blog at https://www.alluresecurity.com/blog.

This was very inspiring. Thank you so much for joining us!


Author of The Invisible Organization — How Ingenious CEOs are Creating Thriving, Virtual Companies & Power Tribes — How Certification Can Explode Your Business