Case Group-IB: How Ilya Sachkov built a leader in information security in 10 years


    Ilya Sachkov is 29 years old, an age comparable to many of us, but over the past 10 years he has managed to build his own business in a niche market, becoming a global player over the past year and the current one, despite everything.

    Having started in his second year at university with friends, today Group-IB has grown to three offices (headquarters in Moscow, a technology campus in London and one opening in Innopolis) and a staff of 117.

    We asked Ilya to share his own experience, skills and knowledge with the readers of Megamind; it turned out to be a lot, and this next "case" was born.

    - Ilya, we know that you studied at the N.E. Bauman University and that it was there that the idea of creating your own company came to you. It has existed for a considerable time, you have large projects and serious results; how would you characterize its current state?


    The path was the right one. Like any other, it contained mistakes that seemed critical at the time they were made, and today they are the basis of our experience and of what guides us going forward. Although this is unscientific and not related to business, we made all our mistakes "on time", as in a fairy tale.

    The main lesson learned from all the mistakes: "Fall seven times, get up eight." If something doesn't work, try again. The biggest mistake: to quit, or not to start.

    - An additional question: how much is this related to confidence in your own decisions?


    Again, like probably any other person, I am not always sure of my own decisions, but when choosing between "do" and "don't", the choice is always in favor of the first option. And here it is worth adding your own intuition. Many of my decisions based on "feelings" were correct (in a sample of 100, I would say that 75-80% turned out to be true), some partly erroneous, but in any case, I believe that the result is good.

    - Let's move on to the second question: what can be called the main mistake, or difficult task, or several of them, that arose on the way to building the company? After all, few people know that this is an industry, a separately existing segment of the market. For us, "information security" is still in the realm of some kind of fantasy. Is that felt from the inside?


    Yes, there is such a problem. We face it a little differently: most people and enterprises perceive "information security" in a strange way. But since we started with investigations, the need people have for our services arose, unfortunately, by analogy with the way we go to the doctor in case of a serious illness.

    When a large sum of money or corporate secrets are stolen from an organization (editor's note: of course, this is not about physical money or data) and it wants to reconstruct the sequence of the attackers' actions, find out who they are, and finally bring them to justice, as well as correct its own shortcomings, it has no choice but to do "information security". This is what we do.

    In general, of course, the market is complex. But now, after 10-12 years, it's much easier to work with people compared with how things were when we started. Everything is very simple in the western market, because there is a certain standard of what any self-respecting company should do: have a contractor or an internal division that is engaged in this, and this is simply not discussed.

    The difficulties in Russia in this market and its small size force us to work in other countries. Plus, there is our specific attitude to "security" as a "danger" which, in turn, does not bother anyone until it arrives. However, many companies have become much more mature, primarily banks, of course.

    - Is it possible, within whatever limits apply, to go deeper and talk about the investigations? It's very interesting how everything is arranged inside.


    In general, of course, I can tell you.

    Our team has three blocks: prevention, development, investigation.

    First, the last one: investigations. This block of our work, in turn, consists of three sections: (1) the investigation department, (2) the computer forensics and malware research laboratory, and (3) the analysis department.

    If the client has a problem and we need to conduct an investigation, first we need to determine its type.

    The first type: something happened in the company that caused damage, and the company's tasks are, first of all, to minimize the damage (return the money), to find the culprit and, if the person or group of culprits is within legal reach (not in Africa), to see that they are punished in accordance with the laws of the country where they are located.

    The first part of the work is done by computer forensic specialists or analysts. Here it will be clearest to give an example from real life: at the scene of a crime, for example a murder, the criminalists arrive (looking for fingerprints, pieces of clothing, and so on), collecting information from the crime scene. They take the body, after which they receive information from the autopsy and investigate the matter. This is forensics; in our case, computer forensics. The main work takes place at the crime scene (the data center, the server) and in addition, in our laboratory, in the collection and analysis of information.

    The forensic specialist answers the question "What was that?" and produces a lot of analytical data. All this goes to the investigation department; in the real world of law enforcement agencies, the information goes to a person with good analytical skills who is able to reconstruct the whole chain of events and bring it to some conclusion. It resembles the work of an investigator; we call this person a "digital investigator". This is a high-level analyst with extensive experience, including in the field.

    This person is subordinate to the analytics department, whose task is to find the missing factors in our "knowledge base" and in open sources: nicknames, IP addresses; there are many examples of such data.

    If there is a DDoS attack on an online publication, the analyst must restore the full picture: which publications (in addition to the "patient") were attacked, for how long, and so on, and whether the distinctive signs of the attack are visible (perhaps it is related to the topics covered by the publication).

    For example, in the Russian Federation there was a case of an attack on several media resources, and the advertising platform (a banner exchange network) was the unifying factor. After that, we learned that there really was a large tender in which the attacked network was a participant, and in this way they tried to "throw it out".

    - Ilya, you talked about the work from the inside, and it's very interesting, but what advice can you give to those companies that are "at risk"? Or is that absolutely all companies?


    Change the way you think and the way you act. Assess your own risks: you work in a certain field, what are its risks? What should you defend against?

    A hipster shop selling butterflies: what are their risks? Well, seemingly none. However, the online store has Internet banking from which money can be stolen, and if there is no money, there will be no butterflies. In their case, the risk zone is the computer on which the general director or chief accountant works; often it is one person or one computer. You need to understand what can happen.

    A large Internet project has completely different risks; that is, first of all, you need to know about them and evaluate them correctly.

    - Does prevention preclude treatment?


    In addition to prevention, it is also important to know the correct sequence of actions in the event that a situation develops unfavorably.

    Here comes moment "X": what do we do? What are the specific actions?

    And the question is not about the contractor. The incident response process is the primary way to avoid damage. In most situations, the company has days, and sometimes even hours, to solve the problem, and if it knew the procedure, then everything could be in order.

    - Paralysis?


    Everyone runs around, quarrels, nobody understands anything. The consequences of the damage will be difficult to repair (the money is gone, cashed out), digital evidence is lost, "social" chains and evidence are lost or destroyed. A serious company has a document of no more than one page that answers in detail the question: "What do we do if X happens to us?"

    - Ilya, now a different question: what would you "pass on" to future competitors, those who would only now like to get into information security?


    All these years we have seen a large number of startups (European, American, even Russian) in the field of information security. For a startup to survive in this area, two simple things need to be done:

    1. Look carefully at the world market. This is from our own experience, since before starting to engage in a new area of activity, we analyzed competitors in detail, weekly. At the same time, we did not copy the operating model of an individual company and try to adapt it to our realities; we analyzed the market, understood the differences and started working.

    Many companies think only within the framework of a "cool idea", thinking about implementation second. This is a typical problem, but the fact is that if a certain market or niche is occupied by a company with a turnover of $12 million, then the likelihood that you will occupy even the smallest share of this market, especially when working from Russia, is extremely small. You must have a powerful technological advantage, or you must operate from another place and not rely on a domestic client, since we have 3% of the global market.

    Do a good analysis, due diligence on competitors, before coming out with new products and services.

    2. Obviously: don't give up. No one succeeds the first time; some take dozens of attempts. But you must have taken the first step correctly (idea, service, technology, packaging, sales) and be ready to compete, because even if you are unique, competitors will appear quickly.

    But, according to probability theory, having gone through a certain number of repetitions, if you did not give up, sooner or later you will arrive at what you were striving for.

    - And what is your forecast regarding the further development of information security in Russia in general and your company in particular? Say, for the coming year.


    What is happening here now is characterized by the unpleasant term "import substitution". If a company builds its business on the basis of this thesis, then I think that globally and over the long haul it will die, because, once again, we are 3% of the global market.

    It is extremely difficult to promote Russian intellectual-property products in the field of information security globally. The size of the company is not important; the Russian giants in this area have exactly the same problems.

    - It seems that you are leading to the idea that global competition is a good thing.


    It's good, but it's also difficult. We are doing a lot in order not to rely on "import substitution" and to be able to compete adequately in the West. For example, we know for sure that we will not be able to sell our hardware in the USA or in England: who will put Russian hardware inside their network? We can sell something that does not need to be installed anywhere and that gives the client significant value from the first minute of use, and we have such a product. At the peak of foreign-policy tension, we sold our solution to the Netherlands, Germany, the USA, etc. Oddly enough, it was precisely in those countries that joined the sanctions against the Russian Federation, including Australia and New Zealand. This is our Cyber Intelligence.

    Well, if you have hardware that must be physically present somewhere, then it's insanely difficult to be a Russian company, and there are few tips: a white label with a major partner or a foreign residence permit. In the case of SaaS, for example, without access to the corporate network or installation on a computer, this scares a much smaller number of consumers in the West.


    - And the last question, Ilya, we could not help asking it. You met with Vladimir Putin at a conference and told him about your solution; your photos with the president are still circulating on Facebook. Did this story and this meeting give you something?


    I will answer briefly. Firstly, I was pleased that the president appreciated our technology. Secondly, I was sincerely surprised that the president understands what we are doing, given that there are few "knowledgeable" people in principle.

    Vladimir Putin betrayed his awareness by asking a very specific question that one in 2,000 people in the world could ask. And I'm sure that it wasn't prepared, because the question was connected with the data. The fact that the first person of the state appreciates your product is, of course, pleasant.

    Secondly, 16 people left my LinkedIn, mostly English and Americans; some even wrote that, they say, "we will be in touch". However, one company asked to remove their logo from the "Clients" section of our website. Perhaps that is all.

    From the point of view of business, the meeting has not changed anything and we are going according to plan. We aim to win through the advantages of our product, not through connections in any way. We are like doctors: we are for the technology, we cannot be for the disease. What we do is generally outside of politics, since we are for information security, from all sides.
