Dave Mareels CEO of SOC.OS talks to teiss about the experience of launching a cyber security spin-off during the coronavirus lockdown.
The last thing you would expect from a well-established industry giant is the launch of an office-free, venture-capital backed cyber start up targeting SMEs. But that is what BAE Systems did when they launched SOC.OS.
“We would never have done it if our hand wasn’t forced, but now that we’re getting accustomed to working well using remote technologies, we love it. Moving forward, we’ll probably only book a room for a day, a month or a week on an ad-hoc and needs basis,” says SOC.OS CEO, Dave Mareels.
Apart from office cost savings, the pandemic forced adoption of the tech needed for remote working, changing its recruiting philosophy. Mareels says, “Because we know we can function productively with the help of collaboration technologies, we’re now no longer restricting our hiring based on geographical constraints (whereas before Covid-19 we would have). We can hire the best person for the role and working 100 percent remotely is now an option. Our first hire was in Cambridgeshire and we have staff in SW and NW London, Portsmouth, and Guildford.”
Mareels explains that they have not met face to face as a team since spin out, however adds that they, “might get an office space in the future for those that want to get out of the house and collaborate together in a workplace environment.
Zoom and Teams are used, not just for work but for social activities including monthly team yoga. It’s all part of a drive to ensure the mental health benefits usually associated with an office: checking in with people and dedicating time to carve out opportunities to replicate the social stuff. “It has taken more effort and thought to synthetically replicate (a drink after work etc). We need to keep everyone engaged, e.g. we recognise that those with kids have different priorities, so we need to cater for everyone.”
On the work front Mareels says: “We work on a 2-weekly sprint basis; everyone agrees what they’ll do and delivers against this. For example, one team member goes horse riding daily from 1 to 3 pm and carries on with her work later in the afternoon. Everyone has become more flexible.”
As with any organisation it has been difficult trying to predict how long the pandemic will last and what impact it will have on customers and future pipeline. SOC.OS has assumed it will take six months longer to hit its growth targets. It has been able to focus on other workstreams than just sales – such as building out its core development team, improving performance of the product and establishing internal processes in lead up to accelerating sales in Q4 2020 and 2021.
Cyber security that was born in the future
SOC.OS was born within the Futures team of BAE Systems Applied Intelligence – an internal innovation and venture incubation hub. The problem Mareels’s team was given to tackle was that of mid-market companies facing too many alerts. Speaking to customers and BAE’s own SOC analysts, it was clear there was a huge problem with alert fatigue, a proliferation of tools and analyst churn, and these problems are only amplified within the small team context.
The aim was to take BAE’s expertise and SOC experience and embody this in a SaaS product to help smaller firms with smaller budgets. Within the Futures team, “we developed the nascent tech capability, assembled the core team, productised the solution and acquired early adopting and collaborative customers to help iterative development and shape the product via feedback (lean startup style).”
The parent company strategically decided to divest its commercial cyber and product business to focus on larger and more complex government and financial services sectors. It was left with an early stage venture that appeared to have great potential.
Mareels explains, “They said, ‘let’s see if we can spin it out,’ so it canvased support to go to market, and pitched to venture capitalists to gain investment– take the team, the intellectual property, and the solution (and BAE to keep a small share). Seven weeks ago, two top-tier cyber and deep tech venture capital partners, Hoxton Ventures and SpeedInvest, invested £2 million in SOC.OS as a stand-alone entity to help us scale and get to market quicker.”
Accelerating growth in the cyber space
The company joined the Cylon accelerator which is primarily cyber-focussed – BAE Systems already had an existing relationship with them. “Sitting with them in Hammersmith for a 13 week programme filled with mentor meetings, was really great, providing invaluable learnings, and making connections within the VC world.”
BAE remains an ally, providing customer introductions. “Though they target larger enterprises, they can say to companies that if you want a solution for smaller organisations, such as in their supply chain, see SOC.OS. We are currently looking at partnering with a (BAE-introduced) customer as we speak.”
The offering differs from SOAR (Security Orchestration, Automation and Response) which caters for large enterprises needing consistent responses for consistent inputs. Within smaller organisations, “They have a more fundamental problem which is having six tools generating 100s and 1000s of alerts per day and only one or two people to look at them on an ad-hoc basis, so as a first and very essential step, they need help with visibility and prioritisation, before they can then start thinking about how to respond.”
The core technology is its ‘stateful correlation and prioritisation engine’. It correlates alerts based on the MITRE ATT&CK knowledge base. For instance, a web server being probed for vulnerabilities over a 3 month period leads to 4,000 alerts and SOC.OS is able to classify this as the same external attacker and MITRE ATT&CK technique, presenting it to the analyst as one single, time-based incident. It also ingests business context to help prioritise these incidents.”
Born within BAE Systems, SOC.OS was able to implement best practice security assurance which other start-ups couldn’t typically afford, contributing to the success of working with early adopting customers such as the UK Atomic Energy Authority and The University of Sussex.
BAE Systems, “could have divested and pulled the plug but they saw the value to spin this out for the greater good,” concludes Mareels.
Tony Morbin is a freelance journalist and editor in chief at IT Security Guru.