10 Security Questions for Barry van Kampen aka "Fish_" from The S-Unit
As some of you well know, ITQ did not always have a 100% focus on VMware. Not surprising, because we started ITQ in 2001 and although VMware already existed (founded in 1998 as far as I know), it was mainly occupied with desktop virtualization in the early days. ITQ actually started investing in VMware in 2008, but things really took off in 2014.
During that period, we had a few smart eggs within our company who were completely focused on security. Especially offensive security. Back then, we called them hackers 😉 Nowadays, offensive security is quite a normal thing, but the first time I peeked into that world, there were a lot of grey areas filled with cowboys. Together with Barry van Kampen and Bertwin Oudenampsen, I fully immersed myself in security around 2007. We went to various international hacker conferences, helped Hack In The Box to start in Europe, helped to set up hacker spaces, and did many more wacky things.
Somehow, it became a hobby that completely got out of hand. I was even asked to give presentations at IT events to give my vision on security. Good guy that I am, I climbed onto stages and delivered my opinions, but that was the first time I realized how young this world was. Why? Because, if I (of all people) can say anything sensible about security, then something is wrong 😉
Fortunately, at ITQ we were surrounded by a number of security talents such as Dirk van Veen, and our services were increasingly taking shape. We sold pentests to the best customers and we built quite a name in the industry. But. This was becoming a problem from a business perspective. Firstly, we wanted to focus more and more on VMware and secondly, we were a company that specialized in building new infrastructure and our security guys mainly wanted to show that they could break things.
Also, I noticed selling offensive security was not quite the thing that gave me energy. That is why we decided in 2014 to separate this business unit and to rename it to “The S-Unit” led by, among others, Barry van Kampen. Soon after, we also made the choice to sell this business unit and I have personally been involved as an advisor until the end of 2019. To this day, I am very proud to have been part of this label and it is too bad I am no longer involved as an advisor, but everything comes to an end 😊
Why then, am I writing a blog about this? Well. Carbon Black, NSX, AppDefense are some of the products ITQ is focussing on today. We are actually very busy with security right now, but not like before. We have a 100% focus on defensive security. In discussions, I notice it helps me to have been involved in offensive security, because I understand the problems and the theories. But dealing with defensive security still gives me the most energy. Now, I speak to Barry van Kampen regularly: he still is one of the chiefs within the S-Unit and we are increasingly crossing paths again. That's why I thought: "Maybe this is a nice moment to interview Barry about what's going on in the world of security". As a side note, I will be up to date again and perhaps it would be nice to share it with others as well.
I asked Barry whether he would participate; he agreed, and I sent him 10 questions. Read on to find them and Barry’s answers as well 😊
I already mentioned you, but can you give us a short pitch about yourself?
Well, if you talk about Barry “Fish_” van Kampen, you are talking about a guy who wants to create transparency for our customers on their security level. Most companies are defending their data with firewalls, antivirus, procedures and many more precautions: we are taking on the challenge to see if all these protective measures are really working. And let’s be honest, we do invest more and more in security products, but are they really working as we expect them to?
What services does The S-Unit provide? I am especially curious about how and why they are helpful to customers.
When we started The S-Unit, we mainly focused on so-called “penetration testing”. When executing these pentests, we are trying to break into the infrastructure of a company or a certain part of the applications. As time went by, we saw opportunities to advise our clients after the initial pentests. For a few reasons this made sense. First of all, it is kind of strange that we perform a one-time-only pentest and then stop: criminals don’t stop either. Second, we gather so much customer knowledge during our activities that we can be an offensive partner, rather than a one-day fly. And last, but not least, the world is changing very fast: today the systems can be safe, tomorrow it can be different. With OaaS (Offensive as a Service), we continue the one-off test in a Deming Cycle (Plan - Do - Check - Act) and we see our customers improving over time, because they make offensive security a part of their daily security operations.
I talk about offensive and defensive all the time like it is the same as black and white. For those who have no idea, can you tell us about the difference and what it actually is?
Defensive Security is building walls and hoping they are high enough 😊 Offensive Security takes on the challenge of actually testing whether your wall is high enough. Nowadays, we are connecting to clouds and building cross-platform functionality, and you have to ask yourself where you position your walls. To me, you should focus on the endpoints and the locations of your data.
I have been less active in the security world for about five years now, so what are the major developments in recent years? From a commercial point of view, but especially from a community perspective? What are typical, major customer problems?
In my opinion, we are addicted to technology and functionality. If we don’t stop building only for functionality, we combine more and more “weird systems”: how can we protect our data against systems that all have their issues? We can’t protect it all, but we can protect the right functionality and data, if we assign it the right priorities.
We see changes, but we also see a lot of customers who get stuck (we call them legacy). The ideal environment is built with automated testing, application releases every 5 minutes and real-time monitoring of possible data loss (almost nobody is capable of doing this btw). These legacy environments are mostly reactive and they act when the shit (almost) hits the fan while building on their 20-year-old Windows designs. And cloud? Yes, let’s connect it to our legacy and make sure we don’t have any sight of the perimeter anymore! 😉
Pat Gelsinger (CEO of VMware) has been saying for years the security market is broken from a vendor perspective. Too many players on too many domains. Everyone does their own thing and customers actually have no idea anymore. Do you agree with that?
Yes, I agree, and it’s more than the number of players. It’s also about the promise we make as a security industry. Most vendors are selling their products as the holy grail for security problems, but patching problems by adding licenses and boxes isn’t the solution. It’s temporarily fixing issues by adding more functionality; more functionality is also more attack surface; more surface means more operational workload, more fixing and patching. LCM and monitoring are needed to control this, and we all know how well we handle those processes. I would like to turn it around and go back to the basics: be sharp on what’s really important, which is not vendor based, but more functionality (application) based! Why don’t we include functional security in our applications and secure-by-design (i.e. fraud or abuse detection)?
What is your opinion about the choices VMware makes in this area? And will this actually help customers?
VMware is certainly making progress in this area. It’s great to see a more central strategy whereby implementation is much more focussed. Also, by limiting the attack surface, it becomes harder for attackers to abuse the services. Furthermore, I’m interested to see which direction VMware will take towards Defense in Depth (not relying on only one protection system) and how they will integrate security across the various product chains. In general, I think the security industry should adapt by adopting the problems of its customers: security isn’t a box or a license you buy, it should be a state or guarantee you buy from a security supplier.
Imagine this. You are VMware and you have enough money in the bank. What would be a logical choice to invest to close the gap that really helps customers?
I would bridge the security gap between applications and infrastructure: if your applications become more ‘security aware’, you can counter most attacks and abuse of functionality. In that perspective, VMware is uniquely positioned in the stack with their hypervisors for compute and networking. They can have full visibility and control, so bridging that gap from a technology perspective is absolutely possible.
If you talk about attacks, it’s all about chance and impact. Most companies use protection like firewalls to limit the chance that attackers can access their network from the outside, but how about the inside? We call this a soft-boiled egg: a hard shell on the outside, but if you break the shell, you can easily gather the inside. Take a look at typical IT security incidents in the news. The biggest problem isn’t that hackers can break into a vulnerable system. The problem is that they can roam freely within the internal networks once they’re in, hopping from one system to another. NSX is a great way of providing microsegmentation for your workloads. You are basically placing a firewall around every workload while maintaining scalability and manageability, thanks to smart security policies. We have so many network connections and so much information nowadays that you cannot manage those rules with a CLI anymore. And did I mention roaming IPs? Or even better, roaming users or applications?
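The per-workload, default-deny policy Barry describes, as an added example that is not part of the original post and is not NSX or VMware code: a small Python model in which rules match on workload tags rather than IP addresses, so a workload keeps the same permitted flows when its IP changes, and a blast_radius() function shows what a compromised workload can still reach. All workloads, tags and rules are constructed sample data.

```python
"""Tag-based microsegmentation policy model (added example, not NSX/VMware
code). Rules match on workload tags rather than IP addresses, so a workload
whose IP changes keeps the same permitted flows. All data here is constructed."""
from dataclasses import dataclass, field

@dataclass
class Workload:
    name: str
    ip: str  # informational only; never used for matching
    tags: dict = field(default_factory=dict)

@dataclass(frozen=True)
class Rule:
    """Allow src_tags -> dst_tags on one TCP port; anything unmatched is denied."""
    src_tags: tuple  # e.g. (("tier", "web"),)
    dst_tags: tuple
    port: int

def has_tags(wl, required):
    return all(wl.tags.get(k) == v for k, v in required)

def is_allowed(policy, src, dst, port):
    """Firewall decision for one flow: a matching allow rule wins, else default-deny."""
    return any(r.port == port and has_tags(src, r.src_tags) and has_tags(dst, r.dst_tags)
               for r in policy)

def blast_radius(policy, workloads, compromised):
    """(workload, port) pairs a compromised workload can still reach, i.e.
    where an attacker who has broken the shell can hop to next."""
    ports = {r.port for r in policy}
    return {(wl.name, p) for wl in workloads if wl is not compromised
            for p in ports if is_allowed(policy, compromised, wl, p)}

# Constructed three-tier sample: two web servers, one app server, one database.
WORKLOADS = [
    Workload("web1", "10.0.1.11", {"tier": "web"}),
    Workload("web2", "10.0.1.12", {"tier": "web"}),
    Workload("app1", "10.0.2.21", {"tier": "app"}),
    Workload("db1", "10.0.3.31", {"tier": "db"}),
]
POLICY = [
    Rule((("tier", "web"),), (("tier", "app"),), 8080),  # web may call app
    Rule((("tier", "app"),), (("tier", "db"),), 5432),   # only app may reach db
]

if __name__ == "__main__":
    web1 = WORKLOADS[0]
    print(blast_radius(POLICY, WORKLOADS, web1))  # {('app1', 8080)}
    web1.ip = "10.0.9.99"  # the workload roams to a new IP
    print(blast_radius(POLICY, WORKLOADS, web1))  # unchanged: {('app1', 8080)}
```

Without the policy, web1 could reach every other workload on every port; with it, a compromised web server can only hop to app1:8080, and the web-to-web and web-to-db paths an attacker would use for lateral movement are closed.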
What is your opinion on VMware Carbon Black?
We have been aware of Carbon Black for quite some time: we have tested the solution at one of our clients. At the time, it was “yet another vendor”, but one with an interesting security strategy and certainly different from others with regard to endpoint security. I do understand why VMware acquired Carbon Black, and once they truly embed it in their products, it will be a very interesting new dimension in the VMware stack.
If someone wants to consult with you or use your services, what is the best thing for them to do?
Ask yourself what you really need to protect within your organization. Then ask yourself “Do we really protect our holy grail?”. If you don’t know the answer to both these questions, we can help you 😊 We are happy to help our customers to start today and stay secure tomorrow.
@Barry: thanks for the interview; I learned some new things 😊
If you want to know more about VMware and its security proposition, please contact me at firstname.lastname@example.org