About his business, Harris says, “I was talking to an investor and we came up with a nice way of describing what we’ve built: It’s a cyber weapon, but painted pink.”
Traditionally, organisations hire consultants to discover vulnerabilities, but this approach is point-in-time and a highly expensive method of identifying flaws. Harris thinks that the cyber security threat landscape evolves too rapidly for these approaches to be relevant any longer. Instead, watchTowr helps organisations to comprehend and detect weaknesses in their cyber security defences in real time, and in a manner friendly to end-users.
watchTowr marries a team highly experienced at determining how to breach some of the world’s largest organisations with sophisticated data-driven technology to continuously analyse and discover vulnerabilities in an organisation’s attack surface. By using tactics and techniques similar to those that high-level adversaries, including state-sponsored Advanced Persistent Threat groups (APTs), use to breach organisations, watchTowr aims to arm organisations with real-time information that is authentic, relevant and derives from continuous testing.
The company is only six months old (it was founded in November 2021), and yet watchTowr’s customers already include leading financial institutions and leading regional ecommerce brands. They see the value of an always-on security system that discovers vulnerabilities before they can be exploited by attackers.
watchTowr’s platform monitors all systems, including the organisation’s third parties and cloud environments, which for CIOs increases the visibility of their attack surface by some 300-400%.
Running a web hosting company by the age of 12
Harris terms himself an “offensive security expert”. Although he has attained a slew of certifications from institutions such as CREST and ISC, he prefers to lead with his grounding in real-life experience of simulating APTs.
He touched his first computer aged 7 (“Windows 95”), and was quickly bitten by the bug. By the time he was 12 he was running a small web hosting company of Linux servers, with the training wheels very much taken off. Then came the fascination with security. “I was able to break into systems but never understood why it worked!” he recalls. “So I would go through the application code and understand what was going wrong.”
This was not what his parents wanted for him, having sent him to a prestigious music school with ambitions of him becoming a professional cellist. “But instead of practising my instrument for four hours each day, I was on the computer until 4am.”
By 17, he left school with only his GCSEs to show for it. Two weeks later he was sitting in a job interview at Portcullis Computer Security (which would later be acquired by Cisco).
“I think they saw a 17-year-old who didn’t really have an educational background. But they put me in front of a computer and said, ‘Here’s a valuable system, hack it,’” he remembers. “And I did and then they gave me a job offer on the spot.”
Finding a better way
Over the next few years, Harris worked as a security consultant. He became a part of the organisations’ “red teams”, spending six months at a time reconnoitring customers’ systems, finding vulnerabilities that could be used to steal money, steal customer data, or irreparably damage a business.
Harris believes that while organisations invest millions of dollars in protecting themselves with the latest technology, they may be losing sight of the basics, due to incomplete visibility of their exposure within their attack surface at any point in time. An obstructed view, combined with a rapid increase in the pace at which new vulnerabilities are being discovered, could mean that point-in-time security assessments or consultancy fail to keep organisations secure.
He points out that over the last decade the time taken to exploit a new vulnerability has gone from weeks to hours. “Even if an organisation can update its defences in a few days, it’s likely to be too late.”
He knew there had to be a better way: “How can we help organisations look at their attack surface with the same speed, same agility, same aggression as a real-life adversary?”
watchTowr answers this challenge. With US$2.25 million in seed funding led by Vulcan Capital and Wavemaker Partners, watchTowr opened for business in Singapore in November 2021.
This capital meant he could hand-pick a team of security experts who have real-world experience and understanding of how attackers try to compromise their targets. Now watchTowr’s secret sauce is twofold: offensive security expertise built through experience of breaking into the world’s largest and most protected organisations, combined with an ability to leverage technology to collect, analyse and understand data at scale, continuously.
Benjamin credits his success in part to his ethos of just saying “yes” to every opportunity that would come his way, including agreeing to move to Singapore with only six weeks’ notice. “And that’s worked exceptionally well for me.”
With watchTowr, Harris aims to expand the business beyond Southeast Asia, creating a leading global brand. “Ultimately, I see watchTowr as a market leader globally. That’s where I hope we will be in five years’ time.”