Security Boulevard Chat: The Evolution of Network Security with FireMon’s Tim Woods

In this Security Boulevard Chat we speak with our old friend Tim Woods, VP of technology alliances at FireMon. FireMon’s mission has moved beyond the management of the firewall to managing your IT security. Recent acquisitions have enabled the company to offer comprehensive security management across the entire hybrid environment.

Tim and I discuss the current state of technology and what large enterprises are looking for in their hybrid environments. It’s a great conversation!

As usual, the streaming audio is immediately below, followed by the transcript of our conversation.

Transcript

Alan Shimel: Hey, everyone, this is Alan Shimel, DevOps.com, Security Boulevard, and you’re listening to another DevOps Chat. In this DevOps Chat episode, I’m joined by an old friend of mine, Tim Woods from FireMon. Tim, welcome.

Tim Woods: Thank you, Alan. Happy to be here today.

Shimel: Excellent. So, Tim, is that a Cowboys hat I see you wearing today?

Woods: You know, it’s kinda in my blood, Alan; I don’t have a choice. I was born and raised in Texas, so I kinda have to wear the colors, whether I want to or not. But, no, I’m a true blue, good-or-bad, rain-or-shine, Cowboys fan.

Shimel: That must not go over very big in KC.

Woods: Not always. [Chuckles]

Shimel: No. And, for those of you who don’t know, just a little inside joke. FireMon, of course, is based in Kansas City. And I’ve known the FireMon team for years and happen to know there’s a lot of red and true Chiefs fans out there at FireMon.

Woods: Yes, there is.

Shimel: All right. So, Tim, we’ve kinda already mentioned you work in FireMon, you’re with FireMon. You’ve been at FireMon now for some time, right, Tim?

Woods: About 10 years.

Shimel: Has it been that long?

Woods: It has. Time flies when you’re having fun.

Shimel: You know, Tim, I remember when you joined FireMon, but, for those of our audience who may not maybe be familiar with FireMon, give us a little background.

Woods: Yeah, sure. I mean, we have been around for a long time and I think what that really represents is that we have a lot of deep maturation, deep domain experience in the security field as well, with some really great people. But FireMon, we’re trying to extend visibility across the entire infrastructure. Of course, that spills over into the cloud now because we believe that the hybrid enterprise is here to stay for a long time and just because we’re moving to the cloud doesn’t negate that need for visibility and security as well. So that’s what we’re doing. We’re helping companies, mainly large enterprises. Help them to have better security hygiene and extend their visibility, so it’s – you’ve said it; I’ve said it; we hear it all the time, “You can’t manage what you can’t see and you can’t secure what you can’t see.” So you need that –

Shimel: Certainly not.

Woods: – need that visibility.

Shimel: Yep. And, Tim, just to kinda finish up our intro part, your role within FireMon these days, I’m not even sure what your title is these days anymore.

Woods: I’m vice president in charge of technical alliances, so I’m heading up our partnerships with all of our procurement partners, so VMware and AWS and Azure and Palo and Fortinet and Cisco. And, of course, for those that may be new to FireMon, we are global in nature and, as we said earlier, we’ve been around for a long time. So we have probably over 50 different permutations of devices that we support today and probably some that you haven’t heard of – you know, Wallway, SecQI, OnLabs, Heel Stone – and the list goes on and on. But, yeah, definitely trying to – you know, again, trying to increase the security posture, better the security posture, and help people manage that technology that they’ve invested in.

Shimel: Sure. So, Tim, I think, for a long time, those in the know knew about FireMon primarily as FireMon was one of the first products to market that had the ability to manage rule sets and policy and posture across multiple firewalls. So it wasn’t just if you had ten Ciscos or ten Checkpoints, but if you had three Ciscos, four Checkpoints, and six Junipers, right? That it was hard having some sort of uniformity across that and that’s where FireMon originally cut its teeth. And you’re right; this goes back 20 – I don’t know – 18 years or at least 17 years, right?

And now, of course, the world changes with the advent of cloud and we see not the deperimeterization, but we see the hybrid, as you called it, right? The hybrid infrastructure, the hybrid network, that most of us are running in today. And I think a lot of people said, “Oh, my God, this is the death of the firewall,” right? And how many times have we heard that in the last 10 years?

Woods: Many times.

Shimel: “Oh, firewalls are dead. Long live the firewall.”

Woods: We do see –

Shimel: But yet – you know, FireMon yet – I’m sorry. Go ahead, Tim.

Woods: I just wanna say, I mean, we do see that. The what I’ll say the grain of the perimeter taking place, right? And so we can debate where that perimeter exists today, but the perimeter’s still there, healthy and strong, and it’s pretty much managed by ACLs across those –

Shimel: Absolutely.

Woods: – bounds of controls _____ –

Shimel: And this is – you know, firewalls remained relevant, though, too, Tim, right? If all you did was manage firewalls, we wouldn’t be talking today and you wouldn’t have a job. Right?

Woods: That’s correct.

Shimel: So FireMon has evolved beyond pure firewall management and you’ve very evolved in the hybrid technology. And, most recently, you guys have made some acquisitions and some technology around cloud, right? And so –

Woods: We have.

Shimel: Share with our audience that –

Woods: Yeah. We recently acquired a company called “40Cloud,” which some great people, is real technology, that we’ve acquired there with some really great expertise. And then also we acquired – most recently, we acquired Lumeta, which a lot of our listeners may be familiar with. Lumeta’s great technology – again, extends that visibility, helps us find that unknown that’s out there. Kind of a continuous query about the cloud and on-premise. Whether it’s cloud or premise or public cloud or private cloud or partial cloud, multi-cloud, whatever it happens to be, we still need to know what is out there.

And the bigger thing and the bigger need, of course, in cloud, is that it can be dynamic also, right? Or it is more dynamic – things spin up; things spin down; things are there one minute; they change; they move – and we need to know. And then we have kind of these challenges with shadow IT, where you can literally swipe a credit card and, next thing you know, you can deploy an application or a service.

And the people responsible for managing the security of that application asset or resource may not necessarily know that it’s even there. And so, number one, knowing what we have out there that we have to be responsible for managing is very important. So we’re very excited about the Lumeta acquisition and what that’s going to do to our overall product suite.

Shimel: Sure. You know what hasn’t changed, Tim? Security, the goal of security, at its core, really hasn’t changed. And that’s to keep people secure, manage the risk. And, in order to do so – you said it earlier, right? – you need to have visibility into not only your infrastructure ’cause it’s not just hardware, you need to have visibility into your whole infrastructure, meaning software and hardware. Right? And, with that visibility, you need to have the ability to have actionability. And, in my mind, that’s what it’s about.

Woods: Yeah. Actionable intelligence. It’s one thing to have the visibility, but you need the information at your fingertips so that you can do something with it. You know, you need that context around those things that you’re trying to protect or that you have responsibility to protect.

Shimel: So, Tim, let’s now – so we’ve done a good job here in the first couple minutes of laying out kinda the history of FireMon and where we are today. Let’s talk a little bit about where we’re going tomorrow. Right? So how does FireMon now build on this terrific legacy on these new acquisitions, in this brave, new world of automation and scale and hybrid? Right? What’s the mission, going forward?

Woods: Well, there’s a couple of truths here that we know to be facts and one is complexity is not yielding. Growing complexity is not yielding. That is a continued issue that large organizations and enterprises, and small too, are faced with. And, as complexity goes up, as complexity within our – and, when I talk about complexity, I always say this: I talk about unnecessary complexity; I talk about that complexity that just absolutely doesn’t have to be there.

You know, if we take the firewall as an example, when we typically engage with a new client, we’ll take a legacy firewall – and I use the term “legacy” very loosely because a firewall that’s been in place 3, 4 years, it’s not uncommon for us to find 30, 40, upwards of 50 percent of the rules that are on that firewall unused. Just absolutely serve no purpose. And, in and of itself, that’s not a big deal, but that represents unnecessary complexity. It represents holes in our security blanket that doesn’t need to be there, the potential for exploitation. It’s just a lot of problems with firewall bloat and growing and stuff, but that’s just one example of complexity.

You know, the other thing that we see, Alan, right now, is we see a shared responsibility taking place for the security of those assets, resources, and applications that are being deployed into the cloud and not always in a manner in which they are sharing information between each other. So we see new cloud security teams popping up. We see application owners themselves taking responsibility for the things that they’re deploying in the cloud. We still do see also the IT security team taking responsibility for those things. But we see that there is now a – it’s not just one individual or one team. And what we’re seeing is we’re getting away from following a common or a central security doctrine; we’re getting away from that single source of truth, as far as what our security policy should be or what our compliance initiatives state.

And the people that are taking responsibility – and the reason for it, we believe, is because – and it’s not a bad reason – the reason is business has accelerated beyond our ability to secure it. Business has – of course, they’re taking advantage that the cloud allows and they’re developing these cloud-first strategies and things like that so that they can remain not only competitive but relevant in their respective industries. But still security – and we see new regulatory compliance initiatives popping up, like GDPR, and they clearly state, “Security by design and default,” where we’re trying to put security back in the forefront of individuals’ thoughts, that security can’t come in – you talk about it all the time, with DevOps. We now talk about SecDevOps or DevSecOps, wherever you wanna put it, but we’re definitely putting security back into the conversation.

And that’s where we’re going. We’re trying to elevate this conversation to say, “Hey, we need to get back to creating this abstract layer above the discrete implementation of security rules on a firewall, but create a common security policy that’s collaborative across the lines of business. And so that the business has an input to that policy; the application owners have – the stakeholders have an input into that policy; compliance has input into that policy; and security can create the guardrails necessary, almost creating a collaborative, self-service type portal so that we can help make sure that our security policy, our written security policy, is an actual reflection of our security implementation across the hybrid environment.

And that’s where we think the focus and that’s where we think – so I’ll use the term, again, cautiously, when I say “security intent,” because it encompasses quite a bit and it means a lot of different things to a lot of different people, but security intent, when I say “security intent,” I’m really talking about security intent, compliance intent, business intent – all of those things kinda wrapped in together, as it applies to those applications and assets and resources that we need to secure, whether they’re on-prem or in the cloud.

Shimel: Absolutely. So, Tim, so the thing in there, though, is the genie’s somewhat out of the bottle, I guess, in that, now that we’ve got developers involved in security and QA folks and ops folks and business and so forth, it’s not enough – and I don’t know if it ever was enough – for just the security folks to say, “Hey, this is the policy. This is what you gotta do. Here’s the rule.” And I’m not talking a firewall rule; I mean more of a security policy rule.

And now I think today’s IT folks, they are somewhat – they’re more invested in security than they were 10, 20 years ago. And they wanna know why – “Why am I doing this?” And it can’t just be “Because the security guy says so.” Right? They wanna understand the driving reasons behind this because we need their buy-in. Right?

If we don’t get that guy who’s about to pull his credit card out to open a couple of instances on Amazon, to understand that he’s putting the whole company at risk when he does stuff like that. Right? If we can’t make him understand that, he’s gonna continue doing it. Right? One of the lessons, I think, of security is we can stomp our feet and say, “No,” all we want, but, if we don’t get the buy-in from folks, we’re not as successful as we need to be. And how do we deal with that?

Woods: I just came back from a week at AWS, at the AWS re:Invent show last week in Vegas, and it was a great show. Probably 20,000 more people at the show than there was the year before. I think _____ _____ thousand –

Shimel: No, it was like 77,000.

Woods: Yeah, it was crazy, the amount of people that were there, but I think it underscores where we’re at in the industry today. I think it underscores this need for continuous access to data and how people are taking advantage of the cloud to accelerate their business activities. I think that all makes sense, and so I think it’s no surprise that there’s a growing number of people attending conferences like this.

But you’re right. When you say, “No,” as the person responsible for security, whether I’m a CIO or a CISO or whether I’m that security director, soon as I say, “No,” to the business, they’re gonna look for a way around me. They’re gonna look for a way to – they’re not – you know, business – we know this to be true – business always trumps security. And so we have to look for a way to say, “Yes.” Security can’t be a tax; it has to be an enabler. And so we have to look for a way to help enable the business.

So we have to understand that person that’s swiping a credit card to load an application in the cloud, to make available some service, education, it always – and I’ve heard you say this too – you know, it starts with education, across the board. But it also – we have to educate them on the risk that they’re faced with, when they do that, and especially as we weigh the priorities or the value of that information that you’re putting out there. Should it get into the wrong hands or if it becomes exploited by the wrong person, nefarious individual, what is the risk that you’re placing to our customers’ data and to the business and to our reputation? Things of that nature.

So it all starts with education, but I think, more importantly, it starts with collaboration. There has to be tighter collaboration between the various lines of business, especially as we get into this new cloud-first, as people start adopting this new cloud-first strategy. And so business – you know, IT security has to start talking to the compliance team. The compliance team has to start talking to the business team and the application owner. So collaboration, I think, is the key, going forward, in the future.

Shimel: Absolutely. And it’s cross-team collaboration, not just – for too long in the security industry, collaboration meant collaborating with our fellow members on the security team. So, Tim, geez, we went off on a bit of a tangent here and 20 minutes later. What’s happening with FireMon? What can you tell our audience to be on the lookout there?

Woods: So we are working, as we talk about security intent, we’re working on a security intent orchestration platform, so we do want to help to not just talk about elevating the conversation to a higher level, but we wanna help people – we wanna arm them with the technology that can help them accomplish that as well.

So we’re feverishly working on technology that will enable them to do that. It’s called “Global Policy Controller,” or GPC for short, is the new product name. Lumeta will be part of the engine behind that, for helping us discover the context out there that we’ll need to bring in as metadata, to help build on those security policies and creating that portal that people can go to to enable their security services and creating those guardrails that IT security will be able to establish.

And, of course, we’re not gonna completely remove the human and we’re not trying to boil the ocean either, but we can take responsibility for part of a policy or part of a zone or an entire zone or part of a security doctrine, to be that central point of truth, to be that central location of truth, to know that our implemented security is a reflection of our security doctrine, whether that’s our compliance – again, I go back to what I said earlier. It all rolls together. It’s compliance, it’s our business objectives, and it’s our IT security objectives. They all have to kinda come together to form that security policy. So that’s kinda what we’re –

Shimel: Excellent.

Woods: – we’re hard at work, working on, but, you know, it’s funny, Alan. And, as I look here, in thinking back on how long we’ve known each other and how long we’ve worked together, you know, the problems that we were talking about ten years ago are still problems out there today. They haven’t went away. And so, while we are facing some new challenges and we’re working on this new hybrid strategy and working on a security intent orchestration platform, some of our basic security hygiene has to take place, has to continue to take place as well.

I was at an oil and gas industry summit here recently, down in Houston. Cybersecurity summit for the petroleum industry. And I think it was the CISO of Chevron that stated, he said, “If we just start doing the things we know we need to be doing and increase our security hygiene, it’ll solve 80 percent of our problems.” And I thought that was an interesting statement.

Shimel: Agree with ya. Agree with ya. Hey, Tim, I gotta pull the plug on you, man. I will – well, it’s the end of the year. I may not see you until RSA maybe, which is March, but hopefully before. Maybe we can have you back on before then even, _____ _____ RSA security show –

Woods: I’d love to. Anytime.

Shimel: I know. Say hello to all our friends at FireMon for me.

Woods: Thank you very much. Talk to you guys later. Take care.

Shimel: All right. Tim Woods, VP of FireMon, here on DevOps Chat. This is Alan Shimel and you’ve just listened to another chat.

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
