Philippe Humeau graduated in 1999 as an IT security engineer from EPITA (Paris, France). He founded his first company at the same time and quickly oriented it towards penetration testing and high-security hosting. He was also deeply involved in Magento’s community creation & animation in France and versed in eCommerce (he wrote four books on the topic). After selling its first company in 2016, he founded CrowdSec in 2019, gathering all his experience to create a new Open-source security engine based on both Reputation & Behavior to tackle the mass-scale hacking problem. Investor in several different companies, his crush is and will forever be IT security, SecOps, and entrepreneurship.
Waze, Airbnb, Amazon, and Uber have one thing in common: they use the power of the masses with applications to benefit an even more significant number of people. All are innovative ideas powered by data. What if we could do the same for the cyber world and give cybersecurity professionals an advantage by crowdsourcing data? Philippe Humeau explains how CrowdSec is making this happen daily.
[00:00:00] KRISTINA: Imagine a Ferrari losing La Mans to a 40-year-old Pinto with a broken headlight and two flat tires, is how Chris O'Brien summed up the cybersecurity space in a single sentence. And I love it.
[00:00:11] INTRO: Welcome to The Power of Digital Policy, a show that helps digital marketers, online communications directors, and others throughout the organization balance out risks and opportunities created by using digital channels. Here's your host, Kristina Podnar.
[00:00:29] KRISTINA: For just a few hundred dollars, hackers can cause millions of dollars in damage to companies that are struggling to keep up with sites for security advancements. Today, Philippe Humeau joins us to discuss the imbalance and what can be done to change the dynamics. Philippe is the founder of Crowdsec, open-source multiplayer firewall, that's able to analyze visitor behavior and provide an adapted response to all kinds of attacks. In addition to being smart on cybersecurity, Philippe has created five startups and seeded 10 of them. So he has not only good ideas and can execute upon them, which is why I asked him to give us a hand today and understanding and making a smarter about cybersecurity, but he's interested in solving the business problem, which at the end of the day is what we need to understand how to do so. Philippe welcome.
[00:01:19] PHILIPPE: Hello, Kristina. Happy to be on the show.
[00:01:21] KRISTINA: Glad that you're here, because honestly, I don't know which way is up. And so you're going to help set a straight. Tell us what's the biggest issue right now, or what are the biggest issues that currently are facing organizations in cybersecurity land?
[00:01:35] PHILIPPE: My point of view over this is like, we are facing a huge, tremendous growth in the hacking activities and the cybercriminal activities, because basically on the table, there is something like the GDP of the second largest country on Earth. It's here to be looted for the guys. So they see it as a huge opportunity to breach, loot, run, and never get caught. And this applies both to small organizations, small hacking organizations, like ransomware groups, or even lower in the scale, up to governments and states activities that are usually sponsoring a lot of those trips.
[00:02:15] KRISTINA: So, to me, it seems like what we should be doing is throwing millions or billions of dollars at this problem. And yet here you are arguing that open-source cybersecurity platforms are the way to go; how?
[00:02:28] PHILIPPE: Yeah, it didn't work. I mean, we've tried for years to, you know, toss money at the problem, and you should a candidate, like, let's take an example. Like Easy jet or JP Morgan or whatever retirement, with billions of dollars in their pocket. Those people that budget close to the GDP of a small country, right? It's, it's insane. Some of them like have $800 million under and just for cybersecurity. Hello. And they got breached. And the thing is it's, it's not that they're stupid. I mean, they got breached by people that $20,000, $10,000 in investment, meaning the money is as symmetrically not playing in your favor, it doesn't make any difference. We are probably working in one of the only spheres where money doesn't make any difference or close to because when JP Morgan got hacked, they got hacked by people that spent what, 10, $20,000. So not even one chance out of 40 thousand. Would you play in such a case? This is basically what every company is doing now. Nowadays, every day they wake up in the morning, and they have one chance out of 40,000 to win against cybercriminals. And they played this case every day.
[00:03:37] KRISTINA: Which seems insane, right? Because it seems like, what do they say? If your definition of stupidity is to keep doing the same thing over and over again and not changing your methods. So you're trying to change the method, which is really exciting.
[00:03:52] PHILIPPE: Yeah. Thank you. Well, what we saw, I mean, it's a lot of fears of a philosophical concept, more than technical concepts. So it's really easy for me to describe it to the diocese as non-technical. So basically, what we did was we behaved like Captain America. We thought to ourselves. Okay. If we over equip ourselves with like laser eyes, jet pack, an invisible shield and a Batmobile, we can win against enemy. Well, the sad truth is only in Hollywood do you win alone. It never ever plays out in your favor when you're facing as an individual or as a single entity, a herd of people that want to skin you alive. So, you know, we prefer the Sarge, the Sargent wisdom who will never ever say to his troop, you know what guys, we're besieged by a hundred terrorists. So what we will do, we will go out one by one to try to take them out. A Sargent will never ever issues, such kind of order, it would say, you know what, whereas thousand a hundred let's all get out at the same time and wipe them out. And, you know, it's only by teaming can you tackle large-scale problems. In this case, in this concern of cybersecurity, we didn't do that. Actually, every entity acted on its own, as an individual. And this is how you solve a complicated problem. Like Einstein, solve the complicated problem with gravity. If we exclude the role of his wife in this, let's say he did it alone, right? So one complicated problem can be solved by one person, but one complex problem like sending people to the moon cannot possibly be dealt with by one person alone. It needs collaboration on a large scale. And the thing is, cyber security is not a complicated problem. It's a complex one, but we are trying to solve it as if it was complicated for the last 40 years. That's what we think.
[00:05:45] KRISTINA: Now it's starting to make more sense because I read the term open source multiplayer firewall. And honestly, I never thought I would hear that term. I don't know what it means. Explain the concept to us.
[00:05:57] PHILIPPE: Yeah. So after we thought about this for a long period of time with my team, we were like, okay, now you know, push a table and, and change everything. Like, changing the way we think about it. And we're like, okay, let's make a system where every person that is aggressed, and use our system or use our product, we'll be reporting the aggression. Not only blocking it, but it is also the first step and is for free. So you can block it for free. Now, every time you block a malevolent, individual, and malevolent IP address that is trying to break into your system, you will share this IP address with us with a context like a timestamp one, an IP address that was aggressive. And the scenario it tried to play at your place. Like, credential stuffing, crusher, brute-force post-scan web scan, whatever, you know, how they try to hack into your system. We get this information in a central place. If it's real information and not someone who tried to poison us or trick us into thinking something that is wrong, and that it's not a false positive, very important point. Once we are sure about that, this curation process sends back the IP address to every person in the network, meaning that you're not only protected, as seen in your logs but also on a global basis at the scale of our network we see all the IP address, reputation is evolving and we are sending you IP addresses constantly that we know are dentures and aggressive toward either your vertical or the software stack you are using.
[00:07:32] KRISTINA: So, are you seeing organizations willingly jump on board with this concept? Because as you're describing it, I'm thinking to myself, wow. I can see a French company being very, very open to this idea. Whereas maybe a company in North America, that's a little bit more of me and only me attitude being less community-driven or less collaborative. But is that the case in this instance?
[00:07:57] PHILIPPE: Well, you're right in the sense that we have very different behavior based on the country and the mentality. The thing is the U.S. is business-driven, as we all know. And that's very good in this case because what they see is a net benefit. If I partake in the network, I am stronger myself, and if I don't want to partake in the network but still benefit from the network findings from the crowdsource information, I can pay to get it. So I'm not out of the game. If I don't want it to partake in the network, I can still access it with my money, and if you are looking in all directions, like in Europe, we have this GDPR framework, which is very protective of personal desktop, and I'm pretty sure your audience is very aware of it. So this GDPR framework says basically that IP address is private data so that you cannot trade it, exchange it and publish it, and so on, so forth. So we had to go under the scrutiny of a lot of regulations to be sure that we can actually practice our art to be sure to help everyone. Beyond this difference, in the mindset, everybody actually recognizes the problem. We have to team together to be efficient. And if I look to Russia, it's because everybody has been teaming against them, then sanctions are being efficient, you know? So there's no way you can sanction Russia; you alone is because everybody or close to everybody else in the world is doing it that it's efficient. It's the same thing for cyber security. We sanctioned as IPs, we severe, we actually cut all targets to be more accurate. The weakest link, we crippled the cybercriminal to the weakest fleet, which is IP address. IP address, you can think there was an infinity amount of them, which is not true. IP addresses are a limited number. And owning them, maintaining them, extending your software as a cyber gang on it, and keeping them alive and working is costly. It takes time and money, and we saw it during the Conti leaks, the leaks that touched this, a Russian cybercriminal group, a ransomware group. We have their internal exchanges in between the group members because they've been dismantled. They forgot that Ukrainian people were in their ranks. So when the war, actually, broke out the, the guy said, okay, you supporting Russia, we're supporting Ukraine. So we will spill all your secrets publicly. So we looked into this; it was the first time, however, that with this insight, deep insights into what is happening on the other side of the curtain. And we sow crazy things there, by the way. But one of the interesting things is that they are all in short supply of IP addresses. And this is why we precisely target this weakest link in their industry.
[00:10:35] KRISTINA: That's very interesting. And you brought Russia. If I think back maybe a year or two, malevolent IPs hacks always have kind of been perceived as negative, especially in the media, but with a current Russian invasion, is this perception changing you think, especially if you can use those attacks to protect the country, instead of having to send in people and troops and tanks.
[00:11:00] PHILIPPE: Yeah, I wouldn't call it new. Actually. It's been out for two decades already. What we call it is it's a green war zone. You should think you could think of it like this. Like if you have an atomic bomb, right? It's the most powerful weapon ever built by humankind; you cannot possibly use it because if you use it, you will kill a lot of people and destroy a lot of infrastructures. And the retaliation will be off another magnet. So, it's, yes, it's the most powerful weapon, but no, it's not usable daily. On the very far side of the spectrum, the opposite side of the spectrum, you have cyber-criminal activities because they don't kill people most of the time, they don't destroy physical goods or places most of the time, meaning you can use it daily. You can say, okay, I sponsor this group, and this group report to me. And in the meantime, I'll just not look at what they are doing and covert them against extradition laws and stuff like that. So, you know, and the day I need them, I will call them and say, okay, now you need to help me. You need to hack for me. And this is why these gray walls this taken place over the last 20 years, because when China aggresses the U.S. All the other way around, by the way, Well, if it's on the cyber, in the metaverse or over the internet or whatever, it doesn't cost much trouble. It doesn't cause as much damage; it's just virtual internet property being stolen, and potentially money and things it like this. But, you know, you can survive that, then nobody will retaliate against you. So all the states nowadays are using this as cyber weapon welfare that can be used every other day. There's no limit to the usage.
[00:12:36] KRISTINA: A few minutes ago, you mentioned GDPR; you're dealing with a lot of data and metrics. How are you handling data privacy laws and especially GDPR, which, as you mentioned, is top in mind for everybody?
[00:12:47] PHILIPPE: Yeah, it's a complicated thing because one would think IP address or changing ends and that they are not bound to a person, but actually, the European councils thought differently. And I understand the why. So we have to come to IP addresses as being private, privately held, and potentially something that can identify 1% exactly. So what we do here is we collect them, but the GDPR thing is on our side, right? So we export the data to us, and we are in charge of dealing with them. So basically the company using our product doesn't have to wonder about it. It's on our own. And the thing is. The GDPR says that you have to collect the minimum you need for the treatment, one. And the second thing they say is that you have to keep it for the least amount of time, right. And the least amount of data. So what we do is we collect only three things, the timestamp, the IP address, and the type of aggression that was sent to you, this is a minimum we can collect and everybody agreed on that. So that's fine on their end. The second thing is we keep it for the least amount of time, which is six months. We could go up to one year, but it doesn't much make much sense because IP addresses are changing so often nowadays that it doesn't make sense to, I mean, any data is outdated, basically 72 hours. We keep them for six months because some players are constantly aggressive with the very same IP over decades. So if we need it, we still have this information, but in a bird anonymized way, The IP address had used to be A, B, C, D becomes abc.zero/ 24. It's one among 256. And it's enough not to point the finger at the precise person eventually. And then the timestamp is also blurred. It goes from 12 hours, 34 minutes, 56 seconds, down to 12 hours or between two hours, 12 hours, and 1:00 PM. It means basically, you have a block IP address of block timestamp. And that is not a single entity that can be pinpointed.
[00:14:50] KRISTINA: You've thought about this when I can tell. I appreciate that; as you're talking about this, what strikes me is that you're very, very transparent. And at Crowdsec, you're also open source. So that somehow goes hand in hand for me, but what's the business model. How do you turn a profit?
[00:15:08] PHILIPPE: Yeah, these IPS intrusion prevention systems, the tool we are offering for free, is a means to an end; actually, it gathers a lot of data, and when I'm, when I'm in a lot, I really mean it. The network is growing something that 0.6% per day. We're getting 1 million events per day already. 1 million aggression. It's like if you had cops in the streets seeing 1 million aggressions per day, so it's absolutely tremendous. And, this is a gold mine of information. And as I used to say to my investors, and I'm going for a fundraiser soon, when you have a gold mine, you will find someone to lend you a Caterpillar machine. There's no problem here. You know, it's, it's super easy to explore. Like, let me give you an example. If you don't want to partake in the network and collecting the data and sharing the data, you can, but you have to pay to get your access and you will want to pay to get your access because we have the best that on Earth regarding this. You also get extra services like reporting, compliance, SSO, you name it, multitenancy, so there are plenty of services we can develop on top of that as a SAS model so that the people can pay us for what we do. And we don't have to aggressively monetize to what the community, although it's for the community is going to be for free forever, the tool and the data, but for the one, that one, just to benefit from it without partaking into it, basically have to pay.
[00:16:27] KRISTINA: And that's a great model; there's choices there to be had. And it sounds like you're meeting the business where they are, right? It's their choice.
[00:16:36] PHILIPPE: Absolutely. And on top of that, the VCs are not scared for a simple reason. They understand that we are building one of the most precious assets on Earth regarding cyber security. I mean, don't get me wrong. Waze, for example, did have real-time traffic worldwide data. This is an asset. It's not about the monthly recurring revenue they weren't doing, it is really about the value of the data they have. They understand that we are building one of the most precious assets on Earth, this real-time map of the cybercriminal control IP addresses over the internet, and this has value. Interestingly, even though you're not selling like tens of billions in turnover, they know that the asset itself is worth billions of dollars. So that's why they're investing in us. And that's why they are not scared about when we do monetize everything. We will be doing it. It's not a, it's not a problem, but it's not stress either. W first and foremost, we are a product-led growth company, and we want this network to grow to them after, you know, we have all the time to monetize.
[00:17:34] KRISTINA: You have data, which, as you said, is like liquid gold, but you also have Crowdsec ambassadors. What are they?
[00:17:43] PHILIPPE: Oh, they are very precious people to our art. So what they are doing is we need to educate a lot of IT companies, a lot of CSOs, a lot of DevOps, DevSecOps, SecOps about what we're doing, why it's different, how we do it. And I cannot possibly do that alone and my marketing team either. So what we need is relays on the ground, boots on the ground that will go and evangelize, discuss with the communities, tell them they can protect themselves for free, and they will, by protecting themselves for free, they will protect the next-door hospital. They will protect your brand new retirement house. They would protect everything that is cherished by us for free. And this is really what it is about. And through this, we have people through this network of ambassadors. We have people in Japan. We have people in Australia. We have people in South America, in America, in Germany, in England, and they do the job that we cannot possibly do in 140 countries because we are in another 140 countries. And we have ambassadors in like 20 of them.
[00:18:48] KRISTINA: Oh, that's great. That's, that's a megaphone for sure. As they're going around the world and evangelizing your services, it also makes me wonder about the everyday person such as myself. How can we protect ourselves and our data? What should we be thinking about and doing as individuals?
[00:19:05] PHILIPPE: So as an individual, the first thing I would think about is already having two different networks if you're working from home, which is the case for a lot of people, specifically in the marketing and sales department; it was one of the easiest people to keep home, as opposed to people working in a factory, for example. So what you should do, what I advise you to do is to buy a smaller WIFI access point, leave your family on one access point and use the other one. Network separation, networks segregation between your work and your family using the internet because it's so easy to catch hack on your Android device, all is through your PlayStation or whatever. Also, use VPNs that are efficient and specifically the corporate ones and apps with strong password. It could look simple in 2022, but most people still have weak passwords and bad, bad password hygiene. I mean, you would never go to bed without brushing your teeth, right. But you still are using very critical services day in, day out in your life with a shitty password, not just you, everyone, and anyone. And it's like 90% of the population. So my advice here is like, as a password policy for yourself, think about it, change them, and have a password wallet. Google Chrome can do it for you but are other things like Lastpass, Onepass, you name it, and there was still a password for you. And that's really, really important and that don't leave any default password. Don't use the same password everywhere and change them. Like every three to six months. An issue: I have a hard time remembering what your password was. Here's the real trick. I think about two bands you like, like, I dunno, Rolling Stones and Pink Floyd, right? So you already have full words, right? Pink Floyd and Rolling Stones. And you can use instead of an I, you can use a pipe or exclamation mark or something like a special character. So make like an uppercase P exclamation mark. And K and then Floyd, if you want. And then after, put the name of the service you're trying to protect, say, I don't know your Amazon account or eBay account or whatever. That's what every, an old password would be different. Every single password you will be able to remember. And, you can change the root of the password, like the pink Floyd by rolling stones, or you can mix match them, and you will never, ever forget. And those are very, very resilient passwords. So it's easy to build a strong password. It's easy to remember, and then it's easy to change them. It's easy to store them. So if you don't do this, you're putting yourself in danger, uh, unnecessarily; I would say the same goes for education. Educate your kid, for God's sake. You would not leave them on the streets with a car without a driving license. Nobody does. But we, we don't have any driving lights since for the internet. We don't have any new digital citizenship check before you can interact with the internet. So, it's on parents to educate them about those topics.
[00:22:01] KRISTINA: I love what you just said because I'm very passionate about ensuring that individual rights are protected in cyberspace. And I agree, in the U.S., at least in my county, we're teaching keyboard. In seventh grade, and I'm sort of laughing, right? We're still teaching keyboarding. And yet nobody's teaching kids how to protect themselves by using a strong password. So, I think it demonstrates well where we are as a society. And speaking of that, we're hurling towards the metaverse and all of the emerging technology that, that entails, we're talking a lot about, hacking of websites, using strong passwords so people can't break into our email. But should we be worrying about things like connected devices, IOT, virtual reality. What does that look like? And is Crowdsec looking at that space as well?
[00:22:48] PHILIPPE: Yeah, because we are looking at the end of the line protocols, actually the internet was built in the seventies with the IP addresses and the protocols to exchange. And nowadays we are still using those. They are amazingly resonating. There was amazing creation in the first place by those engineers back in the days because it scaled to the roof beyond far beyond their expectations. If you build metaverse, if you build a blockchain, you are still relying on those protocols, at the lower level IP addresses, TCP, UDP. API, our common place for all of those. I mean, metaverse, for example, is more or less visualization of whatever you want to entice. So it, it could be like a visual experience could be a ventured touching, feeling, whatever. What is under its in an IP address is to put a call in two API calls and still all of this. So by protecting those layers, we're protecting whatever is built on top of them. So we don't focus specifically on one or the other; what we want to do, though, is be API-driven. Actually, nowadays, 80% of whatever is exchanged over the internet is API-driven. It's machines to machines, machines talking to machines. It's not that humans are interacting a lot, but what's happening in the background is even bigger by an eightfold factor. Basically, people don't see it, but machines are constantly chatting with each other. And AI tomorrow is going to book your vacation to the other end of the world without even you knowing because it knows what you like. And it would be interacting with other AIs of tour operators and, and hotels, venues and stuff like that. And car renters and whatever. So, you know, it's just going to, to grow as a market, this API-driven internet. So we wanted the API first, and the point is we want two machines to be able to establish that they can discuss with each other safely by checking before the two IP addresses the two machines that will interact with each other. Want to be sure that the other one is not infected, that the other one is not used or driven by a cyber-criminal. And by doing just an API query to our services, it will make sure that it's safe enough to connect together. And this internet API-driven world is now a reality for blockchain, for IOT, for cameras, for whatever you want for metaverse and relies on those underlying protocols. And we are protecting those underlying protocols. We can show that no one is infected.
[00:25:12] KRISTINA: So should everybody be talking to Crowdsec, whether they're an individual or an organization, or is it mostly organizations?
[00:25:19] PHILIPPE: Well, you can use it at home. It requires a bit of Linux OS savviness; let's put it like this. It's not very complicated. We will have a Windows agent soon as well. So pretty much everybody can use it. A kid with a bit of a background in installing Linux products on a machine can make it for your home. We are highly encouraging people to install it at home because once again when they're protecting themselves like this, they're also protecting the next-door hospital and everything that we cherish with that benefit from Crowdsec for free. So yes, an individual can partake, and actually, it's a 50/50 ratio nowadays, but over the long course of time, we know that the businesses are making the biggest volume in terms of signals because they have far more IP addresses than any single individual. Like if you take AWS or Azure or GCP from Google, they have like literally tens of millions of IP addresses and machines. So we will collect more information coming from those. But it's very precious to have diversity here because if we see only one point of view over a problem, we are biased, and we don't make the right decision. But if I see google reporting your problem, a person inhabitant in Iceland, reporting a problem with his own connection, a small business in France reporting and say problem. We can safely infer that this problem is real because we have too many different points of view on it, to be just an artifact or a mistake.
[00:26:46] KRISTINA: So what I've gathered so far, Philippe, is make sure I changed my password to Pink Floyd. And go check out Crowdsec! So folks who want to do that, where should they head to to get more information?
[00:27:00] PHILIPPE: Yeah, they can go to Crowdsec.net. Please, don't put the X at the end. It's a totally, entirely different website. And you can download the software, install it wherever you fancy, play with it, try it. You can also use the console and check IP addresses for free online, and we have a product for that. And it will tell you what we know about this IP address, or to be more accurate, what our community knows about this IP address, whether it's aggressive or not dangerous or not. If it's a snowball that you sit on your logs and if he's interested in connecting with it, so crowdssec.net, and he should just simply type Crowdsec to Google.
[00:27:36] KRISTINA: Well, I'm excited because I know we have a segregated network at our house. IOT devices are completely segregated, except for my pond pump, which cannot be for some reason protected, but I figure it's my pond pump. I'm okay. Still sitting on a segregated network, but I'm going to go see if I can stump the expert by introducing Crowdsec and see if I can do some damage at home on the home front. So, thanks so much for all of your insights, Phillippe. It was great chatting with you today. Appreciate your time.
[00:28:05] INTRO: Thank you for joining the Power of Digital Policy; to sign up for our newsletter, get access to policy checklists, detailed information on policies, and other helpful resources, head over to the power of digital policy.com. If you get a moment, please leave a review on iTunes to help your digital colleagues find out about the podcast.