
Case Group-IB: How Ilya Sachkov built a leader in information security in 10 years


Ilya Sachkov is 29 years old, an age comparable to many of us, but over the past 10 years he has managed to develop his own business in a specific market, becoming a global player in the past and current years, in spite of everything.

Having started in his second year at university with friends, Group-IB has by now grown to three offices (headquarters in Moscow, a technology campus in London, and one opening in Innopolis) and a staff of 117 people.

We asked Ilya to share his own experience, skills and knowledge with the readers of "Megamind"; there turned out to be a lot to say, and this case study was born.

- Ilya, we know that you studied at the N. E. Bauman University and it was there that you had the idea to create your own company. It has existed for a considerable time, you have large projects and serious results; how would you characterize the current state?


The path was right. Like anyone's, it contained mistakes that seemed critical at the time they were made, and today they are the basis of our experience and what guides us going forward. It may be unscientific and not related to business, but we made all our mistakes "on time", like in some fairy tale.

The main lesson learned from all the mistakes: "Fall seven times, stand up eight." If something does not work, try again. The biggest mistake: giving up, or not starting at all.

- An additional question - how much does this relate to the confidence in your own decisions?


Again, like any other person, I am not always sure about my own decisions, but, choosing between “do” and “not do”, the choice is always in favor of the first option. And here it is worth adding your own intuition. Many of my decisions based on “sensations” were correct (in a sample of 100, I would say that 75-80% were correct), some were erroneous, but in any case I think that the result is good.

- Let us turn to the second question: what can be called the main mistake, or a difficult task, or several that arose on the way to building a company? After all, few people know that this is an industry, a separately existing slice of the market. And for us, "information security" is still in the realm of some kind of fiction. Is that felt from the inside?


Yes, there is such a problem. We face it a little differently: most people and enterprises perceive "information security" strangely. But since we started with investigations, the need people have for our services arises, unfortunately, by analogy with the way we go to a doctor only in case of a serious illness.

When an organization is robbed of a large amount of money or corporate secrets (ed.: it is, of course, not about physical money or data) and it wants to restore the sequence of the intruders' actions, find out who they are, finally bring them to justice, and also correct its own shortcomings, it has no choice but to tackle "information security". This is what we do.

In general, of course, the market is complex. But now it is much easier to work with people, after 10-12 years, compared to how it was when we started. In the Western market, everything is very simple, because this is a kind of standard for what any self-respecting company should do - to have a certain contractor or division within it that does this, and this is simply not discussed.

The difficulties in Russia in this market and its small volume force us to work in other countries. Plus, our particular attitude to "security" as a kind of "danger" which, until it arrives, bothers no one. However, many companies have already become much more mature; first of all, these are banks, of course.

- Is it possible to go deeper, to some permissible limits, and talk about the investigations? It's very interesting how everything is arranged from the inside.


In general, I certainly can tell.

Our team has three blocks: prevention, development, investigation.

First, about the last one: investigations. This unit of our work, in turn, consists of three sections: (1) the investigation department, (2) the laboratory of computer forensics and malicious code research, and (3) the analytical department.

If the client has a problem and we need to investigate, first we need to determine its type.

The first type: something happened in the company that caused damage, and the company's objectives, first of all, are to minimize the damage (return the money), find the culprit and, if the person or group of perpetrators is within legal reach (not in Africa), have them punished in accordance with the laws of the country where they are located.

The first part of the work is performed by computer forensics specialists or analysts. The most obvious illustration is a real-life one: forensic experts come to the scene of a crime, say a murder, looking for fingerprints, pieces of clothing and so on, and collect information from the scene. They take the body, then receive the autopsy results and investigate the case. This is forensics; in our case, computer forensics. The main work takes place at the crime scene (data center, servers) and additionally in our laboratory, where the information is collected and analyzed.

The forensic expert answers the question "What was it?" and produces a lot of analytical data. All this goes to the investigation department; in the real world of law enforcement agencies, the information goes to a person with good analytical skills who is able to restore the entire chain of events and bring it to a certain result. It resembles the work of an investigator; with us this person is called a "digital investigator". This is a high-level analyst with extensive experience, including in the field.

This person is subordinate to the analytics department, whose task is to find the missing factors in our “knowledge base” and in open sources: nicknames, IP addresses, there are many examples of such data.

If a DDoS attack is launched against an online publication, the analyst must restore the full picture: which publications have been attacked (apart from the "patient"), for how long, and so on, and whether there are any visible reasons for the attack (perhaps it is related to the topics covered by).

For example, in the Russian Federation there was a case of an attack on several media resources, and the unifying factor was the advertising platform (a banner exchange network). Afterwards we learned that there was indeed a large tender in which the attacked network was a participant, and thus there was an attempt to have it "thrown out" of the competition.

- Ilya, you talked about the work from the inside, and this is very interesting; what advice can you give to those companies that are "at risk"? Or is it absolutely all companies?


Change the way of thinking and way of action. Assess your own risks - you work in a certain area, what are its risks? What should you protect yourself from?

A hipster butterfly shop: what risks could it have? Seemingly none. However, the online store has Internet banking, from which money can be stolen, and if there is no money, there will be no butterflies. In their case, the risk zone is the computer on which the CEO or chief accountant works, often one person and one computer. You need to understand what can happen.

A large Internet project has completely different risks, that is, first of all, you need to know about them and evaluate them correctly.

- Does prevention preclude treatment?


In addition to prevention, it is also important to know the correct sequence of actions in the event of an unfavorable development of a situation.

Here comes the "X" moment: what do we do? What specific actions?

And the question is not about the contractor. The incident response process is the primary way to avoid damage. In most situations, the company has days, and sometimes only a few hours, to solve the problem, and if it knew the order of actions, everything could be fine.

- Paralysis?


Everyone runs around, argues, no one understands anything. The consequences of the damage will be difficult to recover from (the money is gone, cashed out), digital evidence is lost, "social" chains and evidence are lost or destroyed. A serious company has a document no longer than one page which answers in detail the question: "What do we do if we have X?"

- Ilya, now a different question: what would you "pass on" to future competitors, to those who would only now like to get into information security?


All these years we have seen a large number of startups: European, American, even Russian in the field of information security. In order for a startup to survive in this area, two simple things need to be done:

1. Carefully look at the global market. This is from our own experience: before starting a new activity, we analyzed competitors in detail, weekly. At the same time, we did not copy the working model of any single company and try to adapt it to our realities; we analyzed the market, understood the differences and started working.

Many companies think only within the framework of "cool ideas", thinking about the implementation second. This is a typical problem, but the fact is that if a certain market or niche is occupied by a company with a turnover of $12 million, then the probability that you take away even the smallest share of this market, especially from Russia, is extremely small. You must have a powerful technological advantage, or you must operate from another place and not count on a domestic client, since we have 3% of the global market.

Do a good analysis, due diligence of competitors, before launching new products and services.

2. It is clear: do not give up. No one succeeds at the first attempt; some take dozens. But you must take the first step correctly (idea, service, technology, packaging, sales) and be ready to compete, because even if you are unique, competitors will quickly appear.

But, according to the theory of probability, after a certain number of repetitions, if you have not given up, sooner or later you will arrive at what you were striving for.

- And what is your forecast for the further development of information security in Russia in general and your company in particular? Say for the coming year.


Now we have something characterized by a word that is unpleasant to me: "import substitution". If a company builds its business on the basis of this thesis, then I think that globally and in the long run it will die, because, once again, we are 3% of the world market.

Russian intellectual-property products in the field of information security are extremely difficult to promote globally from Russia. The size of the company does not matter: the Russian giants in this area have exactly the same problems.

- It feels like you are leading to the idea that global competition is good.


This is good, but it is also difficult. We do a lot in order not to rely on "import substitution" and to be able to compete adequately in the West. For example, we know for sure that we will not be able to sell our hardware in the United States or in England: who would put Russian hardware inside their network? We can sell something that does not need to be installed anywhere and that gives the client significant value from the first minute of use, and we have such a product. At the peak of foreign policy tension, we sold our solution to the Netherlands, Germany, the USA, etc. Oddly enough, precisely to those countries that have joined the sanctions against the Russian Federation, including Australia and New Zealand. This is our Cyber Intelligence.

Well, if you have hardware which must physically be present somewhere, then being a Russian company is incredibly difficult and there is little advice to give: white-label with a large partner, or a foreign registration. In the case of SaaS, for example, without access to the corporate network and without installation on a computer, this scares a much smaller number of consumers in the West.


- And the last question, Ilya; we could not help asking it. You met Vladimir Putin at the conference and told him about your own solution; your photos with the president are still circulating on Facebook. Did this story and this meeting give you anything?


I will answer briefly. First, I was pleased that the president appreciated our technology. Secondly, I was genuinely surprised that the president understands what we are doing, given that in principle there are few “experts”.

Vladimir Putin revealed his awareness by asking a very specific question that could be asked by one in 2,000 people in the world. And I am sure that it was not prepared, since the question was connected with the data. The fact that the first person of the state appreciates your product is, of course, pleasant.

Secondly, 16 people dropped out of my LinkedIn, mostly Englishmen and Americans; some even wrote that they were supposed to stay "in touch". And one company asked us to remove its logo from the "Customers" section of our site. Perhaps that's all.

From a business point of view, the meeting did not change anything and we are proceeding according to plan. We are focused on using the advantages of our product, not connections. We are like doctors: we are for technology; we cannot be for the disease. What we do is generally outside of politics, since we are for information security, from all sides.

Source: https://habr.com/ru/post/296194/
