The DTC Interview: Halcyon CEO Jon Miller taking on ransomware
On May 9, 2021, then President Joe Biden declared a state of emergency after the Colonial Pipeline was forced to shut down operations due to a ransomware attack. The pipeline, which runs over 5,500 miles from Texas to New Jersey, supplies nearly half the East Coast’s fuel. The situation caused panic and disruption across the country; gas stations saw prices spike and lines of staggering length form across states, and the airline industry endured jet fuel shortages and disruptions at some airports.
The world watched as Colonial Pipeline paid a bitcoin ransom equivalent to 4.4 million dollars to the group responsible for the attack, known as DarkSide. For many people, it was the first time they’d seen a cyber-attack at such a grand scale. However, for Jon Miller, a seasoned veteran in the cybersecurity field, this event meant so much more.
Miller and his tight-knit team knew that it was time to bring a higher level of ransomware defense to the masses. Halcyon was formed the same year, and the team has worked tirelessly to build a platform that can defeat ransomware for everyone ever since. We got the chance to speak with Miller, no stranger to the media as an expert in information security and nation state warfare that been featured on the likes of 60 Minutes and Bloomberg.
WHY THIS, WHY NOW?
Q: In layman’s terms, what are you building with Halcyon?
Jon Miller (JM): Over the last 20 years, antivirus (AV) protection available on the market has been generalized to cover all kinds of viruses – Trojans, rats, pups, adware, fireware, and ransomware.
And so, with Halcyon our thought process was let’s leave that there and for the first time, build a complementary agent, right? Defense in depth, a second layer only. Instead of having that second layer be broad like AV is, let’s just focus on ransomware. What can we do to identify ransomware before it runs? And if we fail at that – and the CrowdStrikes and the Windows Defenders fail — how do you recover?
It’s a new paradigm with Halcyon. We’ve built a protection endpoint agent, but with recovery. So, it’s the first endpoint that’s ever been built where we’re cognizant of the fact that somebody’s going to evade us at some time and instead of having it be some catastrophic, your whole network’s down for a bunch of weeks, we can capture enough data that we can undo it right quickly in minutes or hours.
Q: There’s a lot of buzz around CISOs wanting to consolidate their tools. Why is it important for customers to have a tool focused on ransomware right now?
(JM): Ransomware attacks keep working – even companies with well over 100+ million dollars invested in a security stack are failing to these attackers. The tables have turned, and some hackers now have more resources than the defenders; they have billions of dollars of profit they can invest into finding that single vulnerability and carrying out their attack.
To defeat them, you need a focused approach to identify exactly what they’re doing. Halcyon has malware analysts tracking these groups and their techniques day-in and day-out to engineer the product to offer the most resistance for how companies are being hacked today.
Q: It seems like humans are often the weak link in ransomware attacks. How are you solving for that?
Humans will inevitably make mistakes: they’re going to click the phishing link, they’re going to choose a weak password.
We are constantly trying to expand our defenses around initial access. However, attackers repeatedly use the same tools to carry out their attacks, and if you can identify and stop those tools reliably, you can completely break the attack.
THE GROWTH EXPLOSION OF RANSOMWARE
Q: How is generative AI playing a role in ransomware, on both sides?
(JM): It’s a similar effect on the offensive and defensive side: generative AI enables scale. It’s not like gen AI is suddenly attacking people on its own, but it has allowed attackers to do more with less, communicate better, and automate better – it’s helping everyone pick up speed.
Interestingly, the effect of generative AI has not been noticeable in ransomware because the industry is going through a growth explosion right now. Around the world, everyone’s figured out you can join ransomware groups or their affiliate programs (with new groups popping up every day), or you can build your own malware off GitHub. More and more sophisticated attackers are coming online, and their first entry into the public presence is through ransomware.
The knowledge required for ransomware is more obtainable than ever before; if you want to learn how to code malware and you have internet access, you have all the education resources you need to teach yourself how to do it. It’s not just beginners, either; people with high technical skill, such as DevOps admin, are converting over because they can make millions a month doing this.
The Colonial Pipeline attack in May 2021 was a tipping point in which people figured out they could get away with these sophisticated attacks as long as you aren’t affiliated with a government entity. Since the pipeline’s attack was carried out by cyber criminals, it wasn’t classified as espionage and there was no real response. This has opened the floodgates for more groups to try their hand.
FROM BUILDING BESPOKE MALWARE TO PROTECTING EVERYONE
Q: The company you founded prior to Halcyon built software for the government; now your customer base consists of Fortune 2000 companies, with the potential to serve everyone – from large enterprises down to individual consumers. How did you make that shift?
(JM): I started off in the industry with ten years as a penetration tester, and then moved on to a company called Cylance, where we built the first machine learning antivirus. After Cylance was acquired by Blackberry, I founded Boldend, which specialized in making undetectable malware for the government; essentially, we made anti-antivirus software.
Throughout our mission to make undetectable and unattributable malware at scale, we were able to see issues that were actively being exploited by attackers and the protective industry wasn’t even aware of. There’s a reason there isn’t news about the US government hacking people – they’re fantastic at not getting caught.
Halcyon started because we wanted to build a defensive engine that could protect someone against that level of attack. We were building a penetration test-style product for government customers when the Colonial Pipeline was hacked, and with that event we realized these attacks were going to become a widespread problem. We focused ourselves on delivering higher efficacy in ransomware defense than anyone else, and built the technology to be universal, so that it could work in small settings as well as the largest environments on Earth.
ON STARTUP LIFE & LEADERSHIP
Q: You’ve spent your career working in startups. What keeps drawing you back to this kind of work environment?
(JM): My favorite part of my job is building new things, based on what I think is a good idea (much to the dismay of my engineering team – I have grandiose visions, especially for an industry as dangerous as ransomware).
It really comes down to the team that I’ve worked with for 20 years. We’ve moved together from company to company, and we’re collectively always learning, experimenting, and trying to get better. We’ve carved our career paths together.
Q: You’ve chosen to take on the role of founder and CEO, which is much different than joining a startup as employee 25. What draws you into building the business?
(JM): For a company to be successful, its people need to take the role they’re best at. I don’t have an intense drive to be a CEO, but I have natural aptitude for it. Back when I was a penetration tester for some years, I became a manager even though I was younger than my peers. When someone asked why I was chosen, the response was, “He’s the best at talking to people. He is the most social hacker I’ve ever met.” Most of my job as a CEO is communicating; email, phone, Zoom, etc.
It’s about doing what’s best for the company; I’d be willing to step down if somebody introduces me to a CEO that would make our company more successful than I could.
Q: It’s an uncertain time for venture-backed companies right now; media is predicting “mass extinctions” at the early stage in 2024. Can you compare the general zeitgeist of being a founder today versus with Boldend or Cylance?
(JM): It’s a completely different experience being the venture backed CEO of an offensive cyber weapons company. Most people don’t want to touch that. Ransomware is great because it has mass appeal but you still need the ability to go upstream and show a massive Total Addressable Market. The dollars aren’t flowing like they used to.
I’ll tell you this, three years ago, I’d be a unicorn right now while there’s still access to funds, you have to be really compelling. You have to be fundable as a CEO and you’re not going to get the value that you used to get.
You also have to be more frugal in running the business now than I’ve ever seen, and you need to extract maximum value from every employee, or you’ll run out of cash.
Q: What have been some contributing factors to your success throughout your career?
(JM): Mentors. They were able to elevate me technically in my early career, and then professionally when I started taking on leadership roles. You need mentors that won’t just give you advice, they’ll give you the right advice.
It’s all about the team you build – both below and above. Boards are hyper-influential throughout a company.
It’s easy to take money from someone because they’re willing to write you a check, but the wrong investor will kill your company.
Q: When you aren’t building companies or saving Fortune 2000 companies from ransomware attacks, what do you do to balance it out?
(JM): I have a six-year-old daughter, so that’s full-on everything in my life. I’m either working or trying to be present for my family. I’ve got Confessions of an Economic Hit Man on my desk right now, but most of my free time gets devoured by calls.