CUJO: AI-driven Cybersecurity and Data Access Platform For Anti-Hacking Protection Across Devices and Networks

CTO of CUJO AI, Santeri Kangas – a dynamic entrepreneur with a broad cybersecurity background, came on  Relevant Founders to talk about the modern-day arms race against hackers, the evolution of IoT for your household, and the future of cybersecurity in this ever-changing industry. Santeri is responsible for all CUJO AI affiliates and operations and wants to create a future where digital experiences are private, secure, and personalized. So, let’s dive into his journey with CUJO AI.

Challenges – The CUJO AI way

“When you launch a service for a live customer, you end up with a version that isn’t perfect yet. And you find yourself in a situation where the runway ended when you’re up in the air and have to fix it while flying. It means you need to scale under a heavy load and need to make big changes fast. In architecture, that’s probably the most laboring challenge because you need to cover all the corners.

200+ companies from 25 countries outsourced software development to Relevant

We provide companies with senior tech talent and product development expertise to build world-class software. Let's talk about how we can help you.

Contact us

In engineering, migration of data or data models is always a swear word. If the upgrade doesn’t go right, you will have to change the data models you need to migrate. 

I think the key lesson is to build scalable products early on. In our case, we were lucky to scale early from a business perspective, but for engineering, this is a significant challenge. 

The other challenge comes from AI and machine learning. It’s not a one-trick pony. You can’t throw AI like a sledgehammer and then expect everything to be resolved.

It doesn’t matter if you’re trying to detect the device, a malicious website, or malicious behavior on a device. You have always added noise.”

The arms race

“I’ve been on cybersecurity for nearly 30 years since the first antivirus products were introduced.. It’s been an arms race ever since the late 90s. Technologies advance, but so do hackers, so the challenges will always be there. 

Android devices are the biggest target due to the widespread use of Android globally and the open-source nature of the OS. If you’re on the dark side of the fence, you always try to find the weakest link to target the biggest crowd. 

On the contrary, operating systems like Windows are no longer the target. They have hardened security and continue to do so. Apple has also locked its ecosystem from day one, which is a wise thing to do from a security perspective.

For hackers, it is easier to attack IoT devices. Humans are the weakest link; phishing still works like a charm.

The techniques change all the time. Every time we develop a cure, a new technique or tactic comes along because, at the end of the day, cybercrime is a big business.

When building software, you have a supply chain; you buy components, you have open source, and different companies do various things for you as a software product supplier. Cybercriminals also have players who provide other pieces of their supply chain; you can use specific malware for a particular device, purchase a botnet, and buy credentials. 

Some companies are just developing ecosystems for software stacks for attacking; some are connected or might have been born from governmental interests.

For example, techniques cybercriminals use are also used by governmental players, like the military from Russia and China. It’s an arms race, as I mentioned. So that’s why we are here.”

How CUJO is utilizing AI governance

“We have a lot of data, and there is a clear separation of who can access production in the first place and how we run algorithms in production. And then, we have the research part, where we process the normalized data in our environment, anonymize and aggregate data sets, and remove all personal identifiers and unique data points. 

When you start contracting with network service providers from US and Europe, they have rather strict requirements for suppliers, which you must comply with before you go to production or any of the services. 

The ISO 27 001 and GDPR standards are derived from who has access to what and why and who approved it. When we abide by this, we know who has the right to do what. So we are quite transparent in our actions and take privacy and safety at the core. It is an intersection between compliance and technical management.”

The key problem with IoT

While the world faces an unavoidable surge in consumer IoT devices and smart gadgets continue to settle living spaces, our home networks are becoming highly complex environments that require careful management. This complexity is one of the primary challenges for service providers.

An approach to cybersecurity that focuses primarily on antivirus software is becoming less effective. Too many mobile or IoT devices don’t support such software, and consumers have too many devices to manage separate security options for each gadget. While large enterprises are installing security across all devices, things are different in homes, where devices remain unprotected and are increasingly being attacked.

“We’re seeing a huge growth of devices in consumer homes – over 20 in an average US household,” says Santeri. “IoT devices are launched very quickly to the market. Big companies have internal processes and governance to ensure they launch devices of good quality from the operating system upwards. However, for smaller companies, this is not necessarily the case  – there are a lot of vulnerabilities to be exploited. 

As consumers, we are lazy. If we don’t have an automatically updating IoT device, vulnerabilities come up; we don’t fix them or even notice that they need updating. iPhone, Android, Windows, Microsoft, Google, and Apple have resolved this problem in an effective way. They push those updates automatically. However, this is not the case for many other devices that populate our home networks.

Given the attention cybercriminals have on what we have at home, devices need to be protected. Endpoint protection covers only a few areas, and home networks are still vulnerable, but now the onion security model previously used in enterprises has finally reached our homes.”