A Windy Road to a More Secure Future: How EVOTEK and Cloudflare partner together
Presented by: Rachele Gyorffy, Heath Nieddu
Originally aired on April 19, 2022 @ 1:30 PM - 2:00 PM CDT
Join us for a fireside chat to discuss one BISO's journey from economic advisor to security officer and learn how his organizations teams with Cloudflare.
Transcript (Beta)
Hi everyone, thanks for joining. My name is Rachele Gyorffy and I work as a Channel Account Manager here at Cloudflare.
I've been at Cloudflare for about the last five and a half years or so and I've really had the pleasure of watching Cloudflare grow from, you know, about 130 people to now north of a thousand people with offices all over the globe.
I'm joined today by Heath Nieddu, who is a Business Information Security Officer at EVOTEK, which is one of Cloudflare's partners.
And today we'll chat a bit about, you know, his career progression, how he started in finance, right, then moved to being an Economic Analyst and Advisor as part of the CIA, and then eventually landed in the information security space working for EVOTEK.
From there we'll talk a little bit more about EVOTEK, what they do, how they work with customers, and then finally we'll wrap up with, you know, some of the industry trends that Heath and the EVOTEK team are observing, you know, as they work day in and day out with customers.
Towards the end of the session, so for about the last five minutes, we'll be leaving time for questions.
So if you guys have any questions, please email livestudio at Cloudflare.tv and we'll make sure that we get those answered.
And so with that, Heath, thanks again for joining. Excited for you to be here and, you know, so we'd love to hear a bit more about you, you know, who you are and how you ended up at EVOTEK and sort of your path, right, your windy path along the way.
Yeah, well thanks for the question, thank you very much for having me.
You know, short story, I live in San Diego with my wife and child, we've been here three years after spending some time in Portland and we both grew up in Florida, so that's who I am generally.
And I really do, you know, kind of appreciate the question and the chance to talk a little bit about how I got to this particular role at EVOTEK, because I think it was atypical, and I think lots of people in information security actually come from places other than we expect, and it really helps with understanding and solving a lot of the information security problems that are out there.
But in my particular case, I did start out thinking I'd work in finance.
I got a degree in finance, started working at Merrill Lynch doing credit analysis in like 2000 and it really, it wasn't really what I wanted.
I really wanted to do kind of like equity valuation and things like that.
So I pretty abruptly left Merrill Lynch, I spent a few months doing it and joined the Navy.
At that point, I was just kind of over it and I very much expected to work in networking and that's what I was kind of shooting for is that job field.
But they gave me a test and they said you'd be great at learning languages and so instead I spent six years in the Navy as an Arabic linguist and there were aspects of the job that touched on information security but more than anything else, it was learning about the Middle East and spending some years living overseas in Spain and being deployed all over the world.
So that was a really interesting part of my career. Met a lot of great people.
Got out and kind of took the finance aspect of my career and the Middle East target knowledge and went to work for the CIA.
I spent an amazing couple of years with a high profile account as an overt intelligence analyst, an all-source intelligence analyst, whose primary job is to be the point person in the intelligence community and write the presidential daily brief when it was called for.
So that involved, again, lots of international travel but most excitingly, you know, getting asked a question by the president and having, you know, a week or two or maybe even five days going through a couple hundred different folks for peer review and, you know, really synthesizing technical and qualitative information even when the data was fuzzy into a one or two page memo to help inform decision making and you'd stay up all night writing that thing.
Go through about a dozen different people to get the okay.
Finally, around five in the morning, you go to sleep.
You come back to work at noon and, you know, the president of the United States would be giving you feedback on what you had just written.
So it was a really heady experience.
Learned a lot about imperfect information. Learned a lot about kind of demystifying what a technical PhD economist is saying and what those practical implications are for policy, which I think really helped me in this field in particular.
But spent a couple years doing that and it just, we couldn't imagine raising kids in Washington, D.C.
basically. Things are super expensive.
It was a great job, a little bit too far from the beach and we were having a discussion about maybe moving on despite this great work and right in the middle of it, I got a phone call from a buddy of mine who works in information security and only talked about a couple times a year, but he said, I've been thinking about you today.
I think you would love it out here in Portland, Oregon and you should come out here and give it a try.
And we just did it. We went out, visited, and three weeks later we had given our notice and packed our things and moved out to Portland.
He's the one that a couple months later helped get me my first job on an information security team.
Very cool. And so sort of moving from the CIA then into information security, what was your first job sort of in the security space?
Yeah, I was so green those first few weeks. I really didn't even understand my title.
It was business process engineer and I was doing some of that work on the information security team, like helping to refine incident response processes, you know, triage and security events, things of that nature, and kind of just helping people work through those issues.
But the main part of the job, the guy, the CISO at the time was a former consultant for EDS, understood my government background, and the main business for a $30 billion a year, one of the nation's largest healthcare providers.
They had just gone through, they just went through a significant incident.
They were under scrutiny from regulators and their board, and he basically wanted me to help all the years he was working with craft messages to them to let them know where we were and help them make decisions about where we need to be.
So it was a similar job. It was writing forward-leaning sort of, I looked at the briefs to the board in terms of how to invest, where should we focus our and things of that nature.
So for a couple years, along the way, I actually taught a course called Analytic Foundations, like 60 engineers went through it, and I was kind of the point guy.
If a new threat would come out, hey, what does this mean?
And then Stuxnet hit, and that was really the turning point, like that attack.
I really needed to dive into it, start to realize the geopolitics at stake and the way that technology worked just kind of came to my imagination.
And after I was done kind of analyzing that, producing that deliverable, I started my CISSP.
I was like, this is a fascinating career, I'm feeling useful, and so I dug in.
And then after that, it just kind of led to a number of positions.
I spent five years there, a couple years at another consulting firm, identity and access management, an insider threat, metrics lead, which all that economics knowledge was really helpful as a metrics lead for one of the nation's largest shoe retailers, and worked in county government.
And through a friend and former colleague, Mason, I was able to be a part of the first two or three people at the security service here at EVOTEK.
Very cool.
And for those that maybe aren't as familiar with EVOTEK, or with the security solutions provider space, can you maybe elaborate more on EVOTEK, what you guys do, what you specialize in, and I guess how you work with customers?
Yeah, sure. So we are a strategic sourcing partner.
We really try to make sure, you know, EVOTEK wins a lot of awards in its category for, quite frankly, its revenue growth, you know, over the last five years, and for being a great place to work.
So on the back end, one of the things we're doing is making sure that we have the best people in the best position.
And we really help our clients, you know, businesses out there, make sure that they have the right technology portfolios and service portfolios to solve their IT problems.
I mean, that's it in a nutshell. And I think the trick of it is just, it's not only having the right people, but having a sense of teamwork so that everyone's pulling in the same direction.
And that extends to our partners like Cloudflare as well.
You know, we have ways of like, you know, should we work with this partner or not?
A lot of the time it comes down to, can we pull in the same direction with this partner for the betterment of our clients to get our goals accomplished, basically.
So the security service does everything from virtual CISO to security program assessments.
I actually have a lot of fascinating things that I'm working on right now, from OS hardening to really great to see some practical level threat modeling we're digging into, helping with metrics programs, you know, making sure folks are aligned to certain control frameworks.
I mean, it spans every issue you think of, and it definitely keeps me entertained and busy.
And when you're working with customers, what are some of the trends or what are some of the concerns that your customers are coming to you with, right?
And, you know, how do you and the EVOTEK team essentially work with them to resolve some of these concerns that they are expressing?
You know, what we've seen, so I guess I would put those in two main buckets, like medium-sized organizations and large-sized organizations.
The medium-sized organizations, and I mean that in terms of revenue, because it can be anything from, hey, we've got 30 people to, you know, 150 people in that regards.
It's growth. You know, we are a successful organization.
We were built on certain principles. Now we're kind of growing up getting more attention by regulators or the threats.
Like what's version 2.0 of information security for us beyond compliance?
That's a trend that I think brings a lot of people to the table.
And then for the larger firms, it's complexity.
It's all about how do we rationalize the tools? How do we demystify a certain topic?
How do we apply security into something like a CI/CD pipeline?
Or how do we secure a certain application? So that could be tools rationalization, or it could be "help us kind of get clarity around a single issue"; that is usually the shape of the engagements that I'm seeing.
Gotcha. And, you know, from an industry perspective or, you know, working with security minded customers, what are some of the trends that you're seeing in the industry?
Yeah, I am. I have been pleasantly surprised with a couple, a couple things.
First is the number of clients exploring platform engineering or a CI/CD pipeline.
You know, when I first started, it was the cloud and that was going to be new and amazing.
And there was this debate about whether or not people would do it and at what pace.
And now it's not.
And as that developed, like, like many things, it's not like everyone went whole hog into the cloud.
It turned into a hybrid situation. You know, you know, some folks tried to lift and shift, maybe certain pieces, not all those pieces went over.
Some of them remained in their on-prem data center. So it's kind of developed into a hybrid thing since then, but it was embraced.
And right now I see more and more of those either application projects, or let's say there's going to be a migration from on-prem to the cloud, but instead of lift and shift, it's more of, okay, how do we actually adopt a CI/CD pipeline?
And that may be old news for some folks with, you know, big budgets and on the bleeding edge, but to see it from medium size up and coming biotechnology firms and things like that, it's, it's really neat and really encouraging.
So that, that's one thing.
Another thing is consolidation. This is also what I would consider kind of a second wave of consolidation in the tools since, since I've been doing this over the last 12 years, that first wave, it was like the big companies would buy too many different point solutions, try to put them all together at once.
And, you know, I'm not going to name names, but the experience was not cohesive and effective basically.
And right now it just seems more deliberate, more strategic partnerships one at a time, making sure they work.
And then even, you know, I've been pleasantly surprised by the work that Microsoft has done.
I mean, there's a lot of solutions that they're wrapping together that makes for folks who are already on Microsoft 365.
I mean, that being said, there's always work to augment it.
We had a client a couple, a month ago, and they had an issue with an employee leaving, deleting a lot of emails, they needed to retrieve them and they could only go back a month because they were relying on some of those default Microsoft archiving procedures.
So we did have to bring in a point solution that gave them, you know, a more instantaneous and reliable, complete archives that they could retrieve.
So it's not a panacea, but it feels better this time, the consolidation that we're seeing, and I think it ultimately reduces complexity and is going to work for our clients.
Definitely. And so talk to me a little bit more about the consolidation.
What do you think is driving that? Do you think it's the buyer, right?
It's a more savvy buyer. Do you think it's the technology companies?
I guess, what's driving that consolidation? I mean, I think it is, at the end of the day, it is, there's an economics piece.
There is a, you know, economies of scale piece that drives that.
But the willingness for clients to, because there's pros and cons, of course, for our clients in that arena, you know, with okay, if I go all in with a fully integrated solution, then I'm somewhat locked in for how long and what have you.
So the fact that it's not a sweeping platform that is trying to cover every hour of security, these are more of like just certain pieces of the security, like networking and SOAR, or CI/CD and SOAR, SIEM and SOAR, things like that.
I think the arrangements just make more sense from a client perspective.
And the benefit for clients is the reduction of complexity.
And when you have, you know, we did a tools rationalization for a financial firm with over 100 different security solutions.
And there are no easy answers.
I mean, we, you know, we could spend a couple months talking about hard decisions with that.
But I think that there's just from the client side, a real drive to reduce complexity, basically.
And then for the providers, it's they're smart partnerships instead of let's get together just for economies of scale.
Sure. Yeah, that makes a lot of sense.
So going back to, you know, cloud transformation or digital transformation, you know, and sort of the lift and shift from on prem to the cloud, you know, how do you think that that will continue to change?
Or, you know, will that continue to be a priority in the next five to 10 years?
Or, you know, based on the conversations that you guys are having with customers, right?
How is that going to change?
Yeah. And, you know, I'll try not to prognosticate too much and try to keep this based on my experience and what I'm seeing, because I think that's, you know, we get to see a certain slice of, of clients that I think is pretty diagnostic.
But I do think that platform engineering and the CI/CD pipeline are not just for cutting edge application security companies anymore.
I think that there will be, you know, service by service, you know, that that move will continue.
But that doesn't mean the old stuff's going away. I think there will still be hybrid arrangements. You know, I kind of learned a long time ago, and this is something I took away from my CIA experience, is that when you do retrospectives, by the way, the CIA is really good at looking at how well it does at telling the future, you can go on their open source website, and there are all these magazine articles of retrospectives: we said it was going to turn out this way.
How did it actually turn out? They'll assess their judgment making ability. And, you know, one of the things I came away with is that the future is usually a combination of a lot of different people's realities and, and old technologies and old things, they never really go away.
They may not be defining the issue, but they're still there to be managed.
We, you know, people are out there still using Morse code, basically.
And so I just, I think there's going to be more and more projects for mainstream companies to engage in more of a platform engineering concept.
And that it's going to create probably, because it will still remain hybrid, you'll have these, okay, how do these two systems talk to each other?
How do we get compliance and security and a risk posture, when we have these, these architectures that are from different families, basically?
Sure, definitely. And sort of related to that, right?
How do you think buyers or buying patterns have changed as we've moved from, you know, on prem to more of a cloud based model?
Yeah, I mean, the easy answer is subscription, I guess.
The buying pattern is, it's a different ROI equation, not that I've ever seen, you know, like a nitty gritty ROI equation.
I mean, we do proxies of that, I think a lot of times in this business, but when you're doing subscription, you know, sometimes you really have to show what those offsetting costs are going to be in speed.
Because just because you're doing something like infrastructure as a service, whether it's lift and shift, or CI/CD, you know, for some services, there can be a little bit of a premium for the reduction in complexity.
So the ROI really needs to demonstrate how that's reducing costs in other areas, I think.
And it's, that's a tricky thing, from an economic perspective, from an engineering perspective, you know, and hopefully those are one of the same, you know, there's, there's lags, but it's just, it's going to make more sense.
It's just the right thing to do.
I think so. Yeah. So we talked a little bit about cloud transformation. You talked about consolidation, right, and this really being the second wave of consolidation.
I guess, you know, if you had a crystal ball, and you were to project sort of what the next trend, right, in the security industry will be in, say, the next five to 10 years, what would that be?
Well, I have a wish list. And I think it's, it's pretty likely.
So I'd like to see two things. I'd like to see, I would like to see more automation.
And, and as a side note, I think that, well, so I learned a lot about technology in general, and about some of the more advanced security concepts by picking up Python in the first place.
And that kind of opened up a world for me with studying, you know, vulnerability management data, and getting into the metrics.
And, you know, now I can pick up a book on Python forensics, I understand things.
And there are many SOAR tools being developed out there that rely on these sorts of scripts, and Python being among some of the some of the scripting languages you can use.
So I really think that there, if we have the right attitude, there, there are a lot of things that mainstream not cutting edge companies can do for automation of responses.
And it's that classic, you know, automate the commodity activity.
So you can focus on the really hard stuff, which will always remain, there will always be things you can't automate.
But there are more and more things that you can and more and more responses that you can.
So I see that. And I also see based prioritization approaches becoming even more important.
You know, we've spent a few years, I think, trying to fingerprint assets and get a better idea about the value of assets and having that remediate, like prioritize a remediation for vulnerabilities and how we make investments.
But I think that we can augment that now with threat, threat modeling and threat assessments.
And it can be a little, we do see clients, I do have some clients that are setting up complete threat teams, and they can go all out.
You know, let's just rationalize the spectrum of skills needed to do threat intelligence.
I mean, it's an agency-level activity. You know, at the far end, you have people building aliases, and they can, you know, get to those places on the dark web and other places where they can get the true cutting edge intelligence.
And that's fine for some folks, if you've got the skills. I'm talking more about practical threat assessments using just open sources, taking two or three weeks to depict what your threat landscape is, using the MITRE ATT&CK framework, and looking, you know, the MITRE ATT&CK Navigator is a great resource, using the techniques there, and saying, all right, you know, here, after three weeks of research, here are our most likely threats who can make the biggest impact.
According to the MITRE ATT&CK Navigator here, the techniques, you know, what is our portfolio of security solutions?
Where are our gaps? So you can use that threat piece to drive investment and to drive vulnerability remediation.
So yeah, those are the two things that I wish list, basically, and I could see actually happening.
That's great. How do you think, like machine learning or AI will play into threat modeling?
Yeah, there's, there's a lot, there'll be dragons there. I mean, there's, there's, so I view it as my role, you know, for many years is when I'm providing intelligence to a decision maker, I, it's my role to demystify it and to make sure that there's not mathematical precision being implied that's not really there, or technically that's being implied that's not really there.
I mean, I've used, you know, natural language processing, you know, packages in Python, you know, like just on my own, that's, that's fine.
So I, you know, I think it could, I think for certain problems, I think anytime you're engaging in an investment like that, you have to take it seriously, and you have to really research it.
And I will be the first to admit that I'm just going to assume my own ignorance. Anytime I approach a solution, and they tell me that machine learning or AI is being used, I'm going to assume I don't know anything and dive all the way in to understand that.
And I'm going to be skeptical, basically. There, there are just some intractable problems that I'm not convinced that AI can serve, can solve certain problems and certain issues in certain contexts, but, but we can't overpromise with it, basically.
Definitely, definitely. So I think we're going to switch gears.
So thank you, that was super insightful, and really enjoyed chatting with you.
I think we're going to switch gears and answer a couple questions.
First question is, how has the security environment changed with EVOTEK and your customers since COVID-19?
So we did get that initial wave of, everyone's got to work remotely now.
So we're still kind of going through those sorts of things, network security, VPN, and for EVOTEK, we can kind of approach that from a number of angles.
And so it's various teams, not just the security team helping with those issues.
And then there's the non-security related issues of just the capacity needed for everyone to be working remotely.
So I've got to tell you, I feel like over the close to three years I've been here, since the beginning of the security program, and that's kind of an eon in EVOTEK years, you know, a five-year-old company.
We've never been busier. I mean, we are busy right now, whether it is increasing capacity or increasing security.
And maybe a little bit more emphasis on network and VPN, but my portfolio right now is pretty broad in terms of the types of security issues that we're tackling.
Gotcha. Are you seeing customers, you know, so with Cloudflare, right, we're certainly seeing just like the overall, a number of attacks go up, you know, for a variety of reasons.
Is that similar with EVOTEK or customers, you know, reaching out about, you know, I need to improve my security posture because I see, you know, more attack traffic on my network?
Yeah. And it's really hard to say because we always prioritize phishing because it's kind of like this, I don't want to call it low level, but so, so with those maybe COVID style attacks, there's a whole avenue, new avenue for phishing.
It's always a priority for us. It's for a lot of our clients. It's one of the things that, you know, email security is one of the things that we hammer home in terms of just trying to take advantage of new network configurations and maybe openings.
So, you know, I'm starting to read and hear about attackers looking for weaknesses in multi-factor authentication architectures.
You know, I know of one client who just happened to start getting hammered with scans all over everything from all over the world.
Awesome. Thank you so much, Heath.
Hope everyone watching enjoyed our session and thanks a lot. It was a pleasure.
Thank you, Rachele. Thanks, everyone. Thanks.