With the backing of the Department of Homeland Security (DHS), a WPI computer science professor is gearing up to show off his network security start-up at one of the world’s largest and most influential cyber security conferences.
Craig Shue, associate professor of computer science and founder and CEO of ContexSure Networks Inc., will demo his security technology and give presentations as part of the DHS exhibitor booth at the RSA Conference, April 16–20 in San Francisco (about 43,000 attendees expected).
ContexSure Networks uses software dubbed PEACE, designed to stop attacks on individual computers from spreading throughout a company’s entire network by distinguishing between user-generated information and surreptitious malware. The software, which is installed on each computer in the network, not only uses fine-grained permissions for each user but can send information about each computer’s activities to company IT analysts to help them pinpoint and quarantine the problem.
The system, conceptualized and researched at WPI, was developed with a 2014 National Science Foundation grant. In 2016 Shue received a DHS grant to further develop the system under the agency’s Transition to Practice Program, which seeks to commercialize promising cybersecurity technologies. The technology was licensed from WPI and the company was created in September 2016.
With his RSA Conference debut fast approaching, Shue talks about the inspiration for the technology, the role students played in its development, and plans for his future at WPI.
How did you come up with the idea for this technology?
There were news reports coming out saying how different organizations kept getting compromised. And I was on the incidence response team for a company that had an attack spreading through its network. They couldn’t tell which machines were infected and which weren’t. It’s hard to clean up the mess when you can’t tell where the mess is. My main goal was to make corporate network security better than what it was. What could we be doing to make them more secure?
How big a role did WPI students play in your research for this project?
Whenever I pitch a research project, I’m already thinking about which grad students could be involved and how MQP teams could contribute, testing ideas, and seeing what will make something work. They’re exploring the boundaries of the possible. We had two MQP teams on this. For those students, I was thinking about what they could build and evaluate and then someday talk to future employers and say, “Hey, I built this.”
We also had one master's student working on this, along with two PhD students, one of whom worked on the basic research elements, figuring out what the pieces would be. He did that on the Linux operating system, but that’s not going to get you to the commercial product since Linux market share is about 5 percent. We brought in MQP teams to work on how to implement this in Windows.
How important has the student work been?
It’s been essential. I used to work at Oak Ridge National Laboratory, where I could work on whatever I wanted. But I came to a university because I wanted to tap into students. They help me. I get to hear their thoughts and they act as sounding boards, giving me additional ideas. There’s the joy of teaching and there’s the additional energy of working with students. Their help was essential.
Did WPI act as an incubator for this project?
It definitely is a place that made this research possible and gave me the resources I needed for it.
"[Student work has] been essential ... They help me. I get to hear their thoughts and they act as sounding boards, giving me additional ideas. There’s the joy of teaching and there’s the additional energy of working with students. Their help was essential." -Craig Shue
At what stage of development is ContexSure Networks now?
We've finished our first round of product development and have something people could install on their computers and use. Now we’re looking for people to try it out and act as pilot testers, telling us where the papercuts are. Where are the tweaks that would make the technology easier to use? It’s essentially beta testing. We’ve also submitted technology for independent evaluation through the DHS. They’re testing our software, making sure it does what we say it will do, and giving us feedback.
What’s your timeline for moving forward with the company?
Ideally, we’d be getting our pilots done this month or in May so we can get their feedback. Then by July, we’d like to get this in front of paying customers.
You’ve been on sabbatical since July 1 so you could focus on transitioning your technology into a working business. How much has this project taken over your life?
This has been what I’ve been doing—all that I’ve been doing. How do I get this in front of customers? How do I do the marketing? I am a jack of all trades and maybe a master at software development. It’s been busy!
You're launching this exciting start-up company. Why do you plan to stay at WPI?
When I was an undergrad, I knew I wanted to be a college professor. I certainly wouldn’t want to give up after having achieved my goal. The company is exciting, but my goal is to keep building the next new thing. The company goal is to say, “This is the next new thing,” and sell it. I’m more interested in saying, “We’ve done this but what can we do now?” Maybe next we look at the residential sector. Let’s look elsewhere. I want to go back to the beginning and do it again with something else.
Right now you’re CEO of ContexSure Networks. What do you want your role to be going forward?
Likely I’ll be the science advisor, providing the staff with insights into what they can be doing but not involved with day-to-day management.
Will it be difficult to give up that granular control?
Yes, it’ll be hard to give that up. I have mixed feelings. I know a specialist in marketing and sales will do a far better job with that than I can. I know I can keep a company running but there are professional CEOs who can make the company really big.
How soon do you think you’ll have a new CEO on board?
As soon as I can. The main challenge is finding someone who knows what they’re doing in this space but who isn’t already running a company. We need someone looking for something new and exciting. With what we’ve invested in this, I feel obligated to find a CEO who has experience and who already has taken a start-up and transitioned it.
How critical has your backing from the NSF and DHS been to this work?
Without either of them, this wouldn’t be possible. If the NSF hadn’t funded the research to explore the technology, we wouldn’t have come across what we did. We had the good idea but until you spend a year or two working on it, you don’t know if it’s going to work. Without that time and work, you just have a hypothesis. You need to show it can work to get people excited. And as a professor, my goal is to train students. It is not to create start-up companies. So without the DHS saying, “We’ll give you money to do this, to pay for your students to work on this and for you to take a sabbatical,” we wouldn’t be starting a company. We’d be saying, “Look at all these research papers. Aren’t they great?”
How excited are you about going to the RSA Conference to talk about your technology and new company?
RSA is a gathering of security professionals from across the world. I’ll be able to talk to people from different companies, to be part of the overall show as one of the companies showing off its products. This is a major thing. I’m very excited to be participating in it. It will be cool to see what other people are offering and to show what makes us unique.
What are you hoping to get out of going to the conference?
I want feedback. I want to hear from customers about what they like about the product. What could be added to it? What do they not care about? That will help me refine the product. Hopefully, we’ll find an organization or two that want to try the product out and be pilot partners. We really want to get people’s time and feedback about what they want so we can match their expectations.
- By Sharon Gaudin