Cybersecurity Spotlight is back, and this time I sat down to chat with Mathew Chase. Based in the Washington, D.C., metro area, he most recently was vice president of IT for Inovalon, which provides cloud-based platforms and data analytics for the healthcare industry. Even though Mathew isn’t in a dedicated cybersecurity role, his deep experience with DNS and its implications for cybersecurity and other digital transformation initiatives makes for a worthwhile conversation to add to our series.
With young aspirations to be a commercial photographer, Mathew accidentally got his start in IT in the mid-’90s at the Las Vegas Review-Journal, Nevada’s largest newspaper. Working in layout, he got pulled off his evening shift doing desktop publishing and was asked to put the newsroom’s new computers on a network. With the help of a few O’Reilly books, he built the paper’s website and email server and launched its online division. He parlayed his experience into a start-up and a few IT consulting gigs, and then forged his executive career path as the IT operations manager for resident shows at Cirque du Soleil and as the CIO for a federal government health insurance commission.
Is there much to be learned about IT from a theatrical entertainment company like Cirque du Soleil?
Most people say, “Oh, it’s the circus, it’s got to be this mediocre IT environment.” It had, at the time I was there, an SAP implementation with payroll that was more complex than ExxonMobil’s. They’re managing touring shows on six continents. Moving in and out of taxation jurisdictions. They hedge currency. They have to deal with all the immigration issues. They manufacture their own costumes. It was 200 plus applications that were developed internally supporting this large organization with people from 50 to 70 countries, speaking different languages, all over the planet, with this common goal of entertaining people. It was completely exhilarating. It’s where I first got exposed to Adaptive DNS and globally distributed networks. How do we make it work so that, when a tent show lands in a new city, it’s completely seamless and connected to all the resources that Cirque had to offer? And how does that all get managed day in and day out across the globe? It was really impressive.
What’s your take on the cybersecurity product market these days?
It’s a bit of an unwieldy beast at this point. There are a million ways to get it wrong and only one guy has to succeed before the security team has lost its job and everybody’s outraged. I am dumbfounded every time I listen to a security expert talk about creative ways that people have thought of to get into or exploit a particular system. When I learned about DNS exfiltration, I just about lost it. I didn’t even think that was a thing you could do, to basically run command and control out of port 53. How do you defend against these things? Your goal is to put in as much layered defense as possible, and everybody has a new angle to block the next hole or a new layer to add. It seems like you need an ever-increasing army of people and vendors and solutions just to keep up.
What are some stereotypes about people in cybersecurity and IT, and how do you overcome them?
All of the great current sitcoms that are IT-related all do a spectacular job of exploiting every single one of them. Silicon Valley just makes me laugh every single time, The IT Crowd, every Dilbert comic. They’re all mostly spot on, which is the horrible, funny thing about it. The supremacy problem that technology people get into, where, because they know something and they know its importance, that they can be demeaning to other people. I’ve seen that happen. You can’t be full of yourself. You have to be able to clearly communicate complicated situations or technologies that are complete Greek to everybody else you’re talking to in a way that makes sense. You can’t talk down to people. You have to be approachable.
Why do you think cybersecurity professionals are so hard to come by?
Learning and understanding cybersecurity, it’s a special niche. It’s not a point-and-click thing. Your understanding of the full networking stack has to come before you can deal with most of this stuff. Your ability to understand so many different aspects of technology and how they’re exploited, how to hunt and search for that, how to secure that, and best practices – it’s super complex. And even if you begin bringing entry-level people in on that, it’s a rare breed. It’s probably not for everybody. You have to be beholden to the screen and the systems in front of you. It is not an overly social job. You are looking for traps and errors and alerts and chasing down rabbit holes. Even computer programmers probably spend more time socially interacting than probably some cybersecurity engineers do.
How does this dilemma of finding good cybersecurity people impact the overall challenges facing the industry?
The challenge is complexity. There are so many avenues to go down, it’s very easy to get lost and hard to keep moving in a forward direction. And so that leaves you with partial implementations of many things. CEOs that I’ve talked to have been increasingly upset and annoyed by complicated, expensive technology deployments, only to watch those deployments then be obsolescent within a year. If you don’t have enough weight behind stuff, and you’re not really committed to going all in with that technology, supporting it, and giving it the care and feeding that it needs, then it dies off. You have to know the ones you’re going to know and you have to be confident in those. And once you’ve decided, you have to support them.
What advice do you have for others starting out in your field?
I hate to be cliché, but it’s always so good: Fail quickly. Because I have never learned more than when things break. In IT, when you have to figure stuff out because it’s broken and everybody’s barking at you, you are so much better at what you do than if it all works seamlessly.
Whether the industry is theatrical entertainment or healthcare data analytics, certain truths hold fast for Mathew: Fully commit to what you know works, learn quickly from your failures, and be approachable. Cybersecurity’s increasingly complex and numerous layers of defense can lead to a chaotic product marketplace and network deployments that quickly become difficult to manage. With so many avenues for attackers to exploit and internal challenges in maintaining deployed technology, Adaptive DNS management solutions—which control how people get on your network, get assigned IP addresses, and are able to communicate—are critical.