Before joining ThreatX, Jeremiah Cruit was no stranger to Web Application Firewalls. As a seasoned CISO with 20+ years in the industry, he tried dozens of WAF solutions along the way. And with each solution, his faith in the effectiveness and usability of WAFs dwindled. So how did he end up at a WAF company? IDG Connect explored this and more about his past in the following interview.
- What was your first job?
My first real job was working at a training company helping set up labs for teaching token ring, Novell Netware, Lotus Notes, and the brand new Windows 3.51 that came on a stack of floppies. The instructor for all the classes taught me so much and I learned like crazy just setting up the labs, when he quit suddenly I had to stand in and start instructing classes.
- How did you get involved in cybersecurity?
Go watch the movie War Games and you will have a sense of how I got into cybersecurity although no computer I connected to asked me if I wanted to play a game. As a kid I had access to the university systems through free and open (very open) mainframe terminals just sitting out for anyone to use and I had my mom’s account information which she never used so I started to play in the systems, it started because I was bored waiting for my mom and it became a game and an addition.
I found that they had modem banks for people to dial in and with some playing around I could make connections outbound which completely opened up the world for me. I was part of a BBS (precursor to Facebook, look it up) community and we shared phone number ranges and prompts that people couldn’t get anywhere with. I was a hero on the board as I had access to full modem banks that were barely used at night and I wasn’t paying long distance charges so I was WAR dialing massive ranges and sharing many of the connections I found on the boards.
- What was your education? Do you hold any certifications? What are they?
I started college in Chemical Engineering and found I just liked the math and Fortran classes which I excelled at, but when I got a summer job working at the training company I thought college was going too slowly and just started working in the industry.
I currently still have my CISSP and CEH certifications but have held Cisco, Juniper, SANS, RSA, Secure Computing, Arcsight and was certified to train CEH and RSA.
- Explain your career path. Did you take any detours? If so, discuss.
From building labs and teaching classes I moved to working in networking helping build one of the first wide area networks across Wisconsin. My wife and I moved to Seattle so she could go to college there and I joined the Seattle Public Library helping build the first Microsoft library online labs which was an exciting challenge trying to secure public terminals without the benefit of modern lock down software. But being in Seattle during the dot com bubble I got too many offers to ignore and hopped around Seattle helping companies with networking and security eventually ending up helping build a successful security practice at a reseller. I moved back to Minnesota doing security architecture, penetration testing, incident response and back to teaching classes in hacking.
I took a position at MoneyGram where I got to experience a company truly under attack all the time as they handed out cash across the world, we had dedicated crime rings from Romania and Nigeria as well as many other random attackers. It was an amazing challenge and lots of fun and I ended up developing a method to do secure transactions with insecure systems and reduced their cyber-fraud numbers by 98%.
After that I got the opportunity to take a bank that had security issues and transform them into a truly secure organization that has not had a system compromise for the past 3 years. I basically worked myself out of a job there which is an amazing end result for any security leader. During this period my family had moved to Colorado while I continued to commute and I was looking for a local position.
A good friend of mine suggested that I talk to ThreatX but I was hesitant as I’ve hated every WAF I’ve ever worked with. The founders had to convince me that they actually made a WAF that works by focusing on attacker-centric behavior rather than on signatures. After being impressed with their technology I decided to take the leap and join them as CISO.
- Was there anyone who has inspired or mentored you in your career?
Lots of famous people inspired me in overall computers like Grace Hopper, Dennis Ritchie, and Ken Thompson. But the one person that really helped me focus fully into security was Preston Hogue, I had been working heavily in networking and systems, but he helped me realize my true passion was security and gave me the path to fully specialize in it.
- What do you feel is the most important aspect of your job?
Protect and serve. I like to describe my job as not preventing people from clicking but making sure nothing happens when they click. You can take that concept into just about any area of security, not assuming that programmers will make perfect code but protecting them when they don’t, hoping that third parties will be secure but if they use your name protecting them like they are yours.
- What metrics or KPIs do you use to measure security effectiveness?
3 years without a single system compromised is a great indicator of effectiveness. But one other major metric is impact to customers and employees from security measures. I’m always measuring tools and solutions against that, security value versus impact to users/customers. Some tools I’ve had great success with like a malware solution that reduces memory, disk and cpu usage but does a great job stopping attacks. Versus tools like traditional DLP that causes massive impacts but really doesn’t protect against data loss.
- Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill?
I’ve been very successful finding talent or building talent, especially as what I look for is passion, integrity, ability to learn, and work ethic not necessarily specific skills. This has been very successful for me over the years. One of my best hires ever was for a senior IAM engineer position, the person (who knows who he is) came in with extensive scripting experience but no real IAM background and having never worked with a dedicated IAM tool. But he had the passion, integrity, ability to learn and the work ethic plus listening to him he had basically built an IAM framework with PowerShell. He was one of the main reasons for success in our major IAM project.
- Cybersecurity is constantly changing. How do you keep learning?
Read, play, play and play. I really enjoy security so I have fun learning and playing with new technology, it really helps keep me up to date. I read a lot of blogs, listen to podcasts on my commute, follow a lot of people on Twitter, and have a feed of overall technology and finance.
- What is the best current trend in cybersecurity? The worst?
I like the trend of taking old technology everyone has always had to buy but had dubious security value and making it actually work. We are seeing this in the WAF, DLP, and AV/EDR areas. Add to that digitization of all things, if you are still buying physical hardware you are probably doing it wrong.
The worst still remains a focus on compliance above all else, compliance while required should never replace actually making your company secure.
- What advice would you give to aspiring security leaders?
Get people on your side, don’t ever consider punitive measures against the people in your company (e.g., if someone clicks on phishing links three times your internet is removed, your fired, or you have to walk around with a fish hat all day).
- What has been your greatest career achievement?
At MoneyGram we had a serious problem with our agents’ computers getting compromised as they were all independent, we had no control over them and agents around the world basically used them to browse the web all day long. We tried a number of solutions that all failed and had a call with Marcus Ranum who said we were screwed. I had the idea to use Yubico tokens to authenticate the transaction and not the user, after getting this fully implemented we reduced the fraud by 98% with the remaining fraud all being social engineering.
- Where can we hear more about your perspective on cybersecurity?
The future of ThreatX is reliant as much on the fluctuation of the cybersecurity industry as it is on the members of the team responding to those fluctuations. Jeremiah helps to define the culture here at ThreatX where each and every day is focused on improving the experience and effectiveness of web application security. Stay tuned for future posts where we will introduce other members of the rockstar ThreatX team.