- A tiny security startup called Kolide is starting to make waves within the computer security world.
- It was launched by the folks who developed a popular project inside Facebook that helps protect Macs, Windows and Linux computers from hackers.
- Apple was polite but uninterested in the founder's work at first. But now some security pros inside Apple are starting to take notice.
A tiny security startup called Kolide is starting to make waves within the computer security world.
It helps businesses dive into the guts of their employees’ Macintosh computers to find all the sketchy things a hacker could use to break into a corporate network.
Kolide is on the radar because its 27-year-old founder and CTO, Mike Arpaia, created a popular open source project at Facebook called osquery.
In just four years, osquery has grown to become a hugely popular security project used by companies like Dropbox, Stripe, Palantir, Heroku, Airbnb, Yahoo and others.
Arpaia’s career illustrates that the single most important thing you can do for your career is to believe in your own ideas, advocate for them and reach out to others for help.
Landing at Facebook
Arpaia’s first job after college was for a New York security company doing “penetration tests.” That’s when a company hires security consultants to try and break into their networks to test their security. (This type of work is often the subject of movies, like the 1992 classic hacker movie “Sneakers.”)
“I would suggest all these things that these companies should do to improve,” he said. “You’d go there the next year and they hadn’t done any of the things you suggested and you keep finding the same bugs over and over.”
That sense of fruitlessness has powered him ever since.
He got poached by Zane Lackey to work at Etsy. (Lackey has since gone on to found his own security startup, Signal Sciences.) At Etsy, Arpaia worked on a system that detects when hackers are trying to break in.
The homegrown intrusion detection system gained the attention of some Facebook engineers and that’s how Arpaia met his next boss, Joren McReynolds, the guy leading the Facebook team.
Arpaia called McReynolds and told him, “What I built at Etsy is cool, but I have an idea for something even cooler and I want to build it at Facebook.”
McReynolds was game to hire him, but first Arpaia had to pass Facebook’s grueling interview process: weeks of interviews and infamous whiteboard tests, which means demonstrating a solution to a difficult engineering problem on the spot, writing it on a whiteboard.
He happened to be good at whiteboard tests and he prepped for the rest by learning all about the people interviewing him. “I had a sheet on each person,” he recalls.
He landed the job and he immediately told his new boss, “I’m going to have a lot of schemes and I’m going to pitch them to you,” he said. “And I have an idea.”
It was a crazy, even grandiose plan. He wanted to write a new computer programming language that would allow security pros to ask the operating system questions, the same way a database administrator could query a database.
They could ask what applications were installed and when, if any of those apps had tinkered with the operating system settings, and so on.
There were tons of tools that could answer such questions for Windows, thanks to Microsoft’s popularity with businesses and IT departments. But not much for Macs and Linux, two operating systems heavily used at Facebook and other big internet companies.
McReynolds agreed to let him try and this became osquery. “I often attribute the existence of osquery to Joren and the general Facebook culture of, ‘yeah, that’s pretty out there, but give it a go, see what you can do,’” Arpaia says.
It also helped that numerous engineering teams at Facebook were writing their own complex tools, and one of them suggested that Arpaia short-cut his work by using a popular open source database called SQLite.
SQLite is one of those rare open source projects that secretly runs the world, but is written and managed pretty much by one guy, Dwayne Richard Hipp. Hipp noticed that all of a sudden, Facebook was using a little-known feature of his project, and he reached out and offered to help Arpaia.
And things took off from there.
Within eight months, Facebook was not only running osquery internally to investigate the health of internal PCs and servers, but had released osquery to the world as an open-source project, free for anyone to use and improve.
Not for Apple
Creating something new is one thing. Getting a lot of security people to use it is something else. So Arpaia and his osquery team went on a roadshow in the Valley, showing it off to other big companies, including Apple.
With Apple’s enormous installation of Macs, Arpaia thought that those folks would love osquery and it would spread like wildfire inside the company like it had at Facebook.
But it didn’t.
“They were genuinely nice folks, but it’s a complex company with a lot of competing priorities,” Arpaia remembers of the meeting.
It turns out that Apple’s decentralized, secretive nature meant that engineers tended to work in pockets and silos. They didn’t easily share and spread cool new software tools like they did at Facebook or Google.
Apple’s stamp of approval or not, osquery did take off, and today dozens of big companies use it and hundreds of developers contribute to it.
Another big idea
Arpaia now had another grand idea: to create a cloud service based on osquery that would let any company automate the work of protecting its Macs. He envisioned a cloud service that did for a firm’s PCs what he used to do in those penetration tests in his first job.
On top of that, life in Silicon Valley was getting old, he said.
He wanted to buy a house and spend more time climbing and skiing. He talked about his ideas to one of his buddies who had left Facebook to go out on his own, Zachary Wasserman, and they decided to fire up their own startup.
They met Jason Meller, an exec from security company FireEye, who signed on as the cofounding CEO, and they’ve since landed just under $10 million of VC funding.
And Arpaia moved to Boulder, Colorado.
In the spring of 2018, Kolide released its first cloud product, which focuses on Macs, although it will eventually support other operating systems, like Windows and Linux, he said. A security pro uses it to scan the computer the way a hacker would, finding holes.
Given the popularity of osquery, Kolide instantly signed up about 100 companies. “We already have a bunch of customers who have already rolled it out to 100% of their workstations,” he said.
It has spread by word of mouth so far. The security pros try it on their own Macs, get shocked by the stuff it finds even though they are security conscious, and wonder what the heck it will find on employees’ computers.
Kolide also now employs about a dozen people, all working remotely.
And the mighty Apple has started to take notice. Kolide is sponsoring the first-ever conference for osquery users in two weeks, and it has sold out. And Apple will be sending a team of its security people to attend, schmooze and learn, Arpaia tells us.