www.baltimoresun.com/business/bs-bz-maddrix-nsa-20140825,0,7229596.story


Baltimore startup Maddrix lands on list of NSA cybersecurity experts

Lockheed Martin also among companies accredited in new program assisting government in rooting out barrage of network intrusions

By Scott Dance, The Baltimore Sun

6:16 PM EDT, August 25, 2014


When federal databases containing sensitive information on U.S. intelligence or nuclear weapons come under cyberattack, the agencies call on major companies like Lockheed Martin, Verizon and Booz Allen Hamilton — as well as a two-year-old startup in Federal Hill — to shore up defenses.

Maddrix LLC is among seven companies to be the first ones accredited in a new National Security Agency vetting program. The firms use complex data analysis and digital forensics to root out invaders that are lurking or have left behind tracks during their intrusions.

The NSA increasingly relies on contractors to scour for, contain and repair data breaches by what are known as "advanced persistent threats" — repeated, if not constant, intrusions from hackers in other countries. Defense and intelligence agencies need to protect not only their critical information, but also valuable intellectual property and the integrity of key and often vulnerable infrastructure such as the power grid, chemical manufacturing and the financial system.

"The government can't handle it all by themselves," said Stephen Windsor, Maddrix's president, who co-founded the company with Ron Shaffer.

The NSA's website for its National Security Cyber Assistance Program said it developed the private-sector accreditation system because the "growing sophistication and number of cyber attacks necessitates an equally vigorous and rapid response."

Such attacks cost the government and U.S. companies billions of dollars each year, said Rep. C.A. Dutch Ruppersberger, a Maryland Democrat who is the ranking member of the House Permanent Select Committee on Intelligence.

The number of breaches reported by the federal government annually has more than doubled over the past five years to nearly 26,000, according to a Government Accountability Office report released in April. The report found that agencies were failing to implement information security programs required by law.

The efforts required to detect and block intrusions aren't simple, Windsor said. Whereas most home or office computers and networks can use firewalls and anti-virus software that focuses on recognizing known threats, such protections don't stop or slow organizations in countries such as China, Russia and Iran that may want to steal information from the government.

"That's great if you're trying to keep the everyday riffraff out of your network," Windsor said.

Instead, companies like Maddrix use complex data analysis to essentially find files and behaviors deep within networks that just don't quite belong, he said. For example, if the company's analysts find a software program whose code was written only hours before it was executed, it's likely something nefarious, he said.

Despite its capability, Maddrix doesn't look much like its large corporate competitors. The company is approaching $1 million in revenue, about 60 percent from the government and 40 percent in the private sector, and has just 12 full-time employees.

Its website went live only this month, and the company shares office space with ZeroFOX, another startup whose founders Windsor and Shaffer met while they all were working for massive government contractor Booz Allen Hamilton. Though it earned the NSA accreditation back in May, leaders only publicized it this month because, in the meantime, they had to ensure their own systems were ready for the barrage of attacks they are receiving now.

Windsor and Shaffer, Maddrix's chief technology officer, both stumbled into data analysis and networking technology in the nascent days of the Internet. Windsor, a former Baltimore police officer, began exploring digital forensics for the city state's attorney's office and for the state's welfare agency, while Shaffer, a plumber who later learned technology while working for a computer rental company, eventually served as a system administrator for the Republican National Committee.

After seven years working on cyberdefense technologies for Booz Allen, and before that at Computer Sciences Corp., the pair decided to strike out on their own.

"We thought we could be more efficient doing this on our own," Windsor said.

Maddrix already was working with major government intelligence and defense agencies when the opportunity for the new accreditation program came up.

The pilot round of accreditations is valid for a year, and going forward companies will have to reapply every other year, according to Neal Ziring, technical director for the NSA's information assurance directorate. The program's organizers will launch a website soon where companies will be able to apply online, with new accreditations awarded quarterly, Ziring said.

Applicants are judged based on a set of 21 criteria, essentially providing the NSA with case studies of intrusions they have detected and blocked in the past, as well as detailed descriptions of their methodologies and the skills and expertise of their employees.

While the accreditation isn't the same as a contract and doesn't guarantee government work, it gives companies a foot in the door, and what Windsor likened to a Good Housekeeping seal of approval.

"This is an accreditation program based on mission readiness and technical capabilities," Ziring said in an email. "The companies accredited have shown that they have the ability and the processes to deliver state-of-the-art cyber incident response assistance."

For Bethesda-based Lockheed, the other of two Maryland companies among the first batch accredited, the distinction is being used to win business not just in government but in the private sector, said Darrell Durst, the company's vice president of cyber solutions. Cybersecurity technologies are vital for Lockheed's own business, heavy in top-secret defense and aerospace fields, so it's only logical for the company to have strength in offering those services to others, Durst said.

Politicians point to the presence of two Maryland companies on the NSA's short list as proof of the strength of the state's cybersecurity industry. And that is particularly true with a company like Maddrix, Ruppersberger said.

"You don't have to be a major company like a Booz Allen or a Boeing or a Lockheed. You've got some really smart, innovative people who live in this area," Ruppersberger said. "A lot of them have the expertise to apply tech that some of these other companies don't."

sdance@baltsun.com

twitter.com/ssdance