71: Chain of Disruption with Joel Burleson-Davis

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris: Joel Burleson-Davis is the SVP of Worldwide Engineering Cyber at Imprivata, where he is responsible for building, delivering, and evolving the suite of Imprivata’s cybersecurity products that include privileged access management, privacy monitoring, and identity governance solutions. Prior to Imprivata, Joe held systems engineering, IT consulting and instructor positions, while serving as one of the founding members of the Linux Foundation certification committee, a global committee of key Linux subject matter experts. Joel, welcome to Barcode man!

Joel: Hey, thanks. Thanks for having me.

Chris: Absolutely, man. I’m looking forward to it. If you don’t mind, talk to me a little bit about your background. I’m curious to know how you got into the security field and what ultimately led you to where you are now.

Joel: Okay, so it’s a pretty wily, windy road that got me into security. I started actually engineer, like doing software engineering. I was 14 years old or something. And I was doing all sorts of different stuff. Cut my teeth, running C drivers for NetGear NICs for Novel Netware which was pretty funny.

10/100 NICs writing C drivers for that. But I grew up in a small desert town in Arizona. And doing funny things like writing software drivers for NICs, installing NICs in Organizations, like computers and stuff like that.

And also running the wires and also setting up the servers and doing, all the different things. Cuz there wasn’t that sort of skills in cities or towns in Arizona. So I got a full breadth of the whole thing.

Chris: You were forced to, right?

Joel: I was forced to.

Yeah. And it was fun, right? Sometimes crawling through rafters, running wire isn’t super fun, but sometimes it’s fun. Sometimes it’s hot when it’s the middle of the summer in Arizona and you’re, crawling through a ceiling space. So that was a pretty actually good education in just, technology and computing, going from, starting from routing drivers for a kernel all the way through, seeing end users, connecting it to an end user system.

So that was pretty awesome. And so I actually moved from there. I did college, did a completely different thing in university. I got a degree in ethics and philosophy. Minored in Greek ancient Greek, which was pretty fun. And then moved to Australia with my wife and got a job there.

Doing about the same thing that I was doing, in my tiny desert town for an engineering company.

Chris: What triggered that move to Australia?

Joel: My wife got a rotary and pastoral scholarship to study abroad and do her master’s degree out there. So I got married, young, married while I was in college.

In Australia, as an immigrant at, 21 years old or whatever. So it was pretty fun. And so, when we got there, one of the biggest industries in Australia is mining. Maybe everybody knows, but the industrial sector also is, a big target for. Cybersecurity attacks and it was, 15 or 20 years ago, it always has been cause it’s pretty valuable if you can derail trains literally and things like that where the threat of doing so.

So I had picked up a role in full, top-down management. Small engineering company’s infrastructure. And one of the biggest focuses there was security when me and my wife left Australia. I look, actually still worked for that company for a number of years.

I ended up being with them for almost six years. Even living in the us. And then I did my master’s degree. And while doing my master’s degree, I studied the interconnection of, like ethics and sociology and psychology with technology. And one of the things that I came out of there was I really, number one liked technology.

Number two really liked education. So I joined a committee for the Linux Foundation for certifications for Linux engineers. And I also decided that my next gig needs to be building sort of a Linux based security appliance. It’s like that was actually when I went on the job search.

It’s my next thing in life, my sort of blue skies, I’m gonna build a Linux based security appliance. Because I think that’s the future.

Chris: And when you say build it, were you thinking of actually. Starting something of your own at that point, or you just knew the space that you wanted to get into?

Joel: I was sitting between the two very much okay. And then I found a little tiny company 10 years ago called Secure Link in Austin, Texas, and that’s basically what they were doing. And I’ve been with them since. And so we’ve been building this privilege access management, third party security Linux based high security appliance.

The last 10 years I did promise that it was a pretty funny, windy road there, but that’s how we got there. And then being with Secure Link with them for 10 years and we recently were acquired by Imprivata and we’re continuing to push our cyber security portfolio forward.

Chris: That’s awesome, man.

So what was this scene like at SecureLink? When you got there initially, was it a super small company or it was a super small company.

Joel: My, my joke is that it was basically a closet with 10 sweaty dudes. It was, but it was very small. Yeah, I think I was probably employee 15.

We were quite small. It’s much, much larger. Hundreds of employees now which is pretty awesome. But it was really fun. It is a cool place to be. And the really nice thing about building product at that level especially with a team that’s small, is that you can do some pretty creative things pretty cutting-edge things.

Put conservatism to the wind and say, hey, I’m gonna build the, the baddest thing I can. Yeah. And so we built some really super cool security. And it was, fun doing it the whole time. We also spend a lot of time at the bar. In good sort of legacy fashion. We still have three kegs on tap, at our office. So yeah, so that, that’s very much so where we came from.

Chris: Okay, so you got in there it was really aligned with what you were seeking out, so it seemed like it was a great fit for you.

Over time, over those past 10 years, what have you realized personally has been your driver to continue down the path of security? Is it. The product that you’re working with, is it the evolution of our culture in the industry? Is it the technical challenge that’s associated? I’m just curious what keeps your passion alive for what you do day to day.

Joel: So a lot of it has to do with the mission of making sure that, malicious actors can’t ruin our days, and that’s a lot of what we do. And that the interesting thing over the last 10 years, especially building a product in security, is watching the evolution happen and realizing a few things. Number one, malicious actors are really smart, and they’re gonna keep evolving just like we are, right? It’s almost like an arms race. And so we need our smartest people doing that. And the other thing is, while regulatory bodies and standards are really super important. I’ve talked about this before, like it, they set the floor, but the malicious actors aren’t, trying to break through the floor. They’re trying to break through the ceiling. They’re trying to crack the, your best offenses.

It makes it super easy, right? All these. Different breaches happen when someone gets a password that was password, and it was stupid. So that sort of, setting the floor via standards will maybe protect you from something like that, but it doesn’t really protect you from all the different threat vectors that are out there.

And it’s part of ingenuity and determination and hard work from, super smart people, like the engineers and folks that work for Secure Link or any other cybersecurity company really, that say, hey, like this is a little bit of an arms race and we’re gonna put our best minds forward and we’re gonna win this race.

Chris: Yeah. Do you think we will win the race, or do you think we’ll always be a close second?

Joel: I’m super hopeful. So I’m super hopeful We win we will win. And then at a certain point, hopefully with enough focus on it broad, because I think there’s a few things, There’s numbers on our, on our side.

I think there’s significantly more, like massively more people that would choose to do good versus not. Yeah. So I think that the number of malicious actors out there is really small, right? So we have numbers on our side, so we have resources on our side. We just need Focus and care, to gain momentum.

So it becomes a, it’s something we put resources towards. And actually over the last 10 years, like you, we’ve seen that evolution people are starting to care more and more, and it’s starting to be the more and more impactful the way that businesses have operated, right?

Like sometimes I. B2B meshes where, one company is really, a service company for 50 other companies and one of those companies is also a service company for, another 80 or a hundred companies or whatever it is. So breach somewhere is a breach everywhere. And people are starting to feel that, right.

The Solarwinds hack, the Target breach. The Kaseya hack right. There’s a lot of these sort of supply chain, third party breaches that have happened that like really reveal that to folks and they go, ah there’s a number of people that woke up to, hey, the reality of business today is that we’re all interdependent on each other.

So we all need, pay attention and watch each other’s backs for, malicious activity.

Chris: I previously mentioned that Imprivata specializes in third party risk and critical asset management. So I’d like to discuss supply chain with you, and it’s a threat that I believe has always existed, like you mentioned to some degree. Although at what point in time would you say it has become more prevalent? And an elevated attack vector for attackers to focus on.

Joel: Yeah, I think there’s a couple of different dynamics that have caused sort of the supply chain risk vector to explode. One is that there’s a number of traditional industries involved in, supplying goods or services to other companies that hadn’t modernized, they hadn’t really joined the digital. Manufacturing’s a really good example, right? There’s a number of, manufacturing companies that never really joined the digital age, right? Like they’re manufacturing copper wire. Who cares, right? They may be still manufacturing copper wire with industrial machines that they’ve used for a while.

They’re not connected the internet, they. They’re doing whatever. And those are actually huge businesses, right? That may not have modernized but they’re starting to, right? Most new vendors for those industrial machines are probably expecting some layer level of connectivity.

And so they’re connected, some of the capability’s improvements around efficiency or support or anything like that is probably has some connectivity components to it. So there are whole industries, manufacturing or farming or whatever it is that are coming of age into the sort of digital revolution a little bit late.

But often when you see these, industries they’re entering, in 2022, not 1980 sort of thing. It’s a whole different landscape, right? And so they’re brand new at this. It’s a lot scarier of a place than it has been almost at any period of time. And, and so I think that attack surface blossomed and there’s not a lot of skill behind it or investment or thought about how to appropriately protect that. So that’s one. The second is the sort of B2B mesh scenario where lots of different companies are connected to some of the companies somehow with the adoption of like public cloud services, and all sorts of different companies moving their, offerings to, public cloud versus on-prem on premise.

Offerings. And then, creating meshes, it’s Hey, you can get this service from this person, that service from that person. You can outsource your HR to this company. You can outsource your development to this company. You can outsource your financing to this company.

And it, it makes good sense cuz those companies are really good at what they’re doing. It’s efficient, it’s effective but suddenly you start having this scenario where, all these different companies that are actually involved in your core business and have access to your critical assets. Whereas 20 years ago that wouldn’t have been the case, right?

You would’ve had a sort of castle mote set up you’d have done your own HR that’d have been on premises machine probably running all your records. They would’ve never been connected to the internet, whatever it is. So with the explosion of that service and supplier mesh across all industries, you also see an explosion of the attack service.

Chris: Yeah, that’s very interesting.

And when you say the delivery model, Yeah, when you talk about software supply chain, That’s still a delivery model, right? Can you speak to, what software supply chain is and why we hear about that so often?

Joel: Yeah, software supply chain actually functions very similar to other supply chains as you would expect. Some for as much as maybe software folks would like to think, we’re not super special. So there’s going to be, a capability that we want in a product that we may not be able to offer. That we may not have, but someone else is really good at it. And so we, license out or white label their technology, embed it in ours, and it becomes part of the package that we offer to our customers.

Totally makes sense. Just like for, physical supply chain, something, it’s like, hey, I might not make. Hamburger meat or I might not make the buns, or I might, not make the wire, but I make the wrapping around the wire, whatever it is, right?

There are components of software. Often the best option for, value to customers and speed to market is to leverage someone else’s software. And that, that’s a part of how we do things. So that’s, one, one area of it, which is the sort of private, I’m gonna embed your service offering and my service offering.

Because you do it better than me or embed your software component in my component because you guys are brilliant and do it way better than we could ever have done or thought to do. The other is, open-source software open-source software has it, it basically, won, there’s, you would, I would challenge someone to find a market leading product in the world today that doesn’t use open-source software. If you could find that would be awesome. Email me, whatever. I don’t know of one. And I don’t know of a company that’s been as successful in the market over the last, decade that hasn’t leveraged open-source software.

But if you think about that, that’s also part of your supply chain. You are, there are these other developers, all different sorts of, companies and communities and individual contributors. They’re building software components that you’re then putting in your software offering, right?

So that becomes another sort of, one of the software pieces of the software supply chain is that those open-source components. And I think, that’s been a brilliant change in the industry. Crowdsourcing, innovation. It has worked out brilliantly for us all.

But we do need to be mindful about the sort of security implications of that. Helping that community be more secure. And then, doing our due diligence as we ingest those components or that functionality into our products that we offer customers.

Chris: Yeah, that’s a great point.

And I think a lot of people overlook the fact that open source is an integral part. Enterprise Solutions, even though it’s on the back end, they may not see that. Looking at software supply chain vulnerabilities over time. How have cyber attackers evolved in their methodology of successfully attacking supply chain?

Joel: Yeah, there’s been a few interesting ones that, that sort of look like evolution to the tactic. My, my first Position is, no, there hasn’t really been that much evolution, and I’ll talk about that in a second. Why but there, there has been a few clever attacks on, libraries like infecting libraries with malicious code.

Somehow getting those into the public repositories where other software is gonna pull them in. There’s a number of ones with, Python and PIP and NodeJS and things like that. Being able to infect and look like legitimate software. This is also a little bit what they did with the Kayesa hack.

And I think the Solarwinds hack as well, is they infiltrated legitimate software, embedded malicious code. Somehow got through, code signing and all the different other things that would’ve gotten through, and then you have a distribution mechanism from a customer base.

And that’s been, clever in the sense that they figured out ways around that that vector’s existed for a long time, basically since inception of consuming, open-source libraries. But in more recent times that seems to be a go-to vector that malicious actors have leveraged.

But I’ll go back to that original point about, the evolution. There hasn’t been a significant evolution, I think, in the way that folks are attacking because it’s still so easy for a lot of places. With the sort of B2B meshes that haven’t been created. When they do reconnaissance, like as a malicious actor, you just gotta figure out the relationship message meshes, and they’ll find the weakest link.

There was a Texas school hacking that happened, I dunno, two years ago. And they found, eventually they found their way to a, very small, boutique service provider and like Plano. There they. Rough security and infiltrated there, gave them access to, one of the largest school systems in America.

And right now they can do that. They can just walk the sort of mash, do reconnaissance, figure out where the weakest link is, get a foothold in, and figure out where they can spread from there. So there hasn’t been a lot of need for, many of those malicious actors to really evolve tactics because old tactics are still working, tactics like that. And if it’s, if it works, why fix it sort of thing. And I think that’s some of the thinking behind a lot of it. Which is sad cuz things like that, things that we’ve seen in a bunch of these breaches recently are absolutely fixable. We’ve known about, vectors around, like password control or permissions creep or leaving open access to parties that shouldn’t have it. Like we’ve known that’s a really serious vector for breach for. I dunno, decades.

And we we’ve come up with solutions to solve that. It’s whether or not people have put those in place. So it’s a fully avoidable breach, but it’s still, I think, pretty easy for a lot of these malicious hackers.

Chris: Yeah. You led me right to my next question, which is the fact that you mentioned software supply chain deficiencies playing a role, a significant role, in recent cyber-attacks that have gone mainstream, do you feel like it’s still an underrated threat through the public eye?

Joel: Yeah I think that depends on how you define, the public view of it. If you talk about the security community at large, I don’t think it’s looks any worse or different than it always has been. Cause it’s always been a little bit terrifying, right?

You’ve always had to be mindful of it. There’s been controls in software to secure things like that. And standards around supply chain. Component scanning, vulnerable scan, vulnerability scanning that sort of existed in this larger security community for long time.

So I think they’re fully aware. Most everybody in security is fully aware of what that looks like, and when it happens, they go, oh, of course it did. That’s not super surprising. The larger public like outside of the security community, just like the general population I think it scares them.

They’re at the same time, software for a lot of people feels like magic anyway. And so this is like good magic and bad magic. It’s the Good Wizard and the Black Magic sort of fighting each other and they’re like not really sure what’s happening and how it works. And they hope, the Good Wizard wins sort of thing.

And I don’t mean that to be condescending to like the general population, but it, but I understand the sentiment that, often software feels like magic. And as a software engineer, when people feel like your software is magic you’re like, I nailed it. This is exactly what I was trying to build.

You so there’s a sense that we’re, ideally software is creating that, that sense of magic. It is, but easy. It’s. But it’s a double-edged sword, right? Because it, once it’s magic, it’s hard to understand. And so I think the general population, although may fundamentally understand what the supply software, supply chain issues are it’s a little hard to grasp.

Chris: Yeah. Yeah, that totally makes sense. So I want to talk about A shift that happened within recent years, which is the Covid Pandemic. Obviously we can’t really talk supply chain issues without bringing this up. It’s definitely impacted supply chains and cause concerns and awareness around supply chain industry towards the security and the public eye, like we had mentioned before.

And as we phase out of this pandemic, has there been a lingering impact to supply chain due to Covid? And what are some of the other factors that are currently causing supply chain issues? That’s more of an impact from. External forces.

Joel: Yeah. In general, yeah. COVID gonna have a lasting impact on supply chains of all, forms and versions.

Actually even software supply chains, right? They’re, software’s built, companies that build software, build it from, people work from all over the world, right? Open-source software does this thing. Most multinational companies do that, right? There are teams building software everywhere.

And that, that got fractured a lot, right? When lockdowns happened. If you may have outsourced in and then war happens, right? The Ukraine conflict now, like if you were to source contractors outta Ukraine, which is a great development hub right now, you are suddenly your ability. Build and generate software is hampered until you figure something else out to do.

So I think disruptions like this in general, like especially at this scale, is going to have some sort of lasting impact. There’s a lot of supply chains that. Are pretty hard to probably start up and get going. And then once they’re going, if they ever stop, it’s gonna take an enormous amount of effort to start them back up again.

And I think we’ve seen a lot of that in manufacturing particularly. There’s still I don’t know if you’ve heard, but there were like, there were stories of, foam waiting for nine months to show up and people couldn’t get refrigerators and, all sorts of different funny things that you would’ve never expected to happen.

It’s hey, happened to be a foam shortage, and so you can’t get a refrigerator. It’s Oh, man. Like what? And the larger public wouldn’t have thought about that. But I think it does point to something that folks in the security industry have known for a long time, that disruption to a supply chain is really impactful. It’s been happening for a while. This isn’t new. There’s been supply chain attacks against all sorts of different industries for a long time. But I think it got a lot more noticeable during Covid because it was already, there was already a large disruption not caused by a security instant but caused by a pandemic or caused by a war.

But you have a pandemic and a war plus a security breach, and now you’ve like its insult to into it. You’ve really, you. Put salt on the moon sort of thing. And people really feel that, and they see it and it becomes highly visible. But this sort of thing, this, the dynamic fit impacting some level of supply chain somewhere.

Influx actually quite a lot of pain. We’ve known that for some time. It just has never been so visible. Because at this point there’s multiple factors of, impacting that It’s not just, malicious actor who breached the system that shut a supply chain down momentarily. It’s, Covid has changed the ability for workers to work, which Change the ability for us to produce or ship, a war has changed, the way that, you know, raw, re raw materials to produce the things that we need to produce or whatever it is. And then, increase cyber warfare because of, global politics that are, the way they are now as well.

You go, oh, you mix all three of those together and it feels a little bit just like pain.

Chris: So Gartner just released their 2023 planning guide for. And the number one key finding stated that escalating geopolitical and supply chain uncertainty continue to drive strategic risk and the need to develop more efficient and effective security programs.

A hundred percent agree.

In addition to that I think I read yesterday a new SAP survey found that many senior business decision makers expect supply chain disrupt. To run until late 2023. What are your thoughts on that, and do you see the need to zero in on the supply chain issues and do you feel like that is more vital moving into 2023, or do you feel like that threat may level off?

Joel: So yeah, number one, I agree with them, and I think that absolutely we have to focus on that threat. And one of the other, things that we’ve often talked about is, supply chain breaches or, some version of third-party relationship leading to a breach, has been the most common reason.

The breaches happen again for years and years and. So like absolutely we need to keep focusing on that, right? That needs to be, we need to close that hole as much as we can and, put resources towards it and investment and activities to make sure that we close that cuz we know statistically speaking and from research and from experience that yeah that’s how we’re gonna get breached.

And then breach causes disruption. And if we haven’t at large. As a an entire, country or world, really homed in and solved that problem, we can guarantee breach. That’s probably going to happen. And then when breach happens, especially in this interdependent, business world that we live in with a weekend supply chain.

That will result in supply chain issues, right? Like it, un unless we focus on it and solve it like that, of course it’s a, it’s almost an obvious conclusion that, will these supply chain issues continue into next year? A hundred percent. Cuz we haven’t really solved one of the primary reasons, outside of pandemic and more, which is a really hard things to solve for as well, but outside of those, one of the most common reasons that you would have a supply chain disruption, we haven’t solved for that.

By and large. And so until we do, yeah, it’s gonna keep happening. And when you have a weekend supply chain, yeah, you’re gonna cost disruptions.

Chris: So then optimally, what do we need to do to minimize the supply chain threat?

Joel: Yeah, there’s two things that you should really think about doing. Number one, you probably need to figure out who all the third parties you are, you’re working with. If you don’t know who everybody is, that’s gonna be coming in and outta your bar you have no idea how you’re gonna protect yourself, right?

You have no idea what’s actually gonna happen. So if something does happen hopefully it doesn’t knock on wood like this bar would there’s no way you would know, you know who did what to, when and how and why and whatever. So you need to inventory your vendors, right?

You manage your inventory, as it is for your, beer, whatever you stock, but you like, need to manage an inventory of the, like interconnections you have with other businesses that are helping you run your business. Once you do that, then you figure out what they need, what they actually really need.

Do you really need your, beer distributor to be able to come into your bar without you there, in the middle of the night, right? Does he really need to deliver six cases of light beer at, 3:00 AM Like, no, they don’t. You need to be really mindful about, what do these people really need?

What do you really need from them? And make sure that you’re super clear about that. It’s like figuring out who the identities are, who the organizations you are, that you’re interacting with, why you’re interacting with them, and what they need.

And then once you figure that out, control, figure out what sort of controls you need to put in place to make sure that they can’t, do something nefarious.

Chris: Good to know. Good to know. Hope they’re taking notes. Joel. So Joel, you’ve traveled the world, Arizona, Australia. And now you’re in Austin, is that correct?

Joel: Yeah. Oh, wait, Arizona to Texas, To Australia to Oregon. Back to Texas.

Chris: We don’t have to keep this next question scoped in, in those areas, but because you have such a wide array of areas that you’ve spent time in, where would you say the best bar is that you’ve ever been to?

Joel: A few. It’s a tough way to answer, so I will answer. We’ll talk about two bars. First just cuz it was fun. When I was traveling to New Zealand once on a layover I had a few hours in Auckland, didn’t know what to do and it was like 9:00 AM and, but it’s not 9:00 AM my body’s time.

And so I’m like walking around the pier and I see like a container that says something like open bar. I’m like, cool let me see what this is. I walk in and it’s an ice bar. And they like with the jackets and they’ve carved stuff outta ice and for real was open, and they’re like, hey, you want an ice-cold vodka shot?

And absolutely I do. This is absolutely what I was after. I didn’t know that this is what I needed, but it is super cold in here, which is great cause I always run hot and yeah, I needed to drink at 9:00 AM on a layover halfway across the world. And that was. Yeah, that was a super fun bar.

So that, that’s one of the sort of coolest bars I’ve ever been to. The, just for the sort of timing of it. And the other, one of my favorite bars that I’ve ever been to is in New Orleans. I haven’t been there in a while, but the Maple leaf, just cuz the, if you know about it, they almost always have a funk band going.

And it’s just a super cool place. And so if I can go somewhere and get a drink and there’s just some awesome funk playing in the background, in a crowd around me, like that’s a great bar. And so that, I would say, it’s hard to choose between the two. It’s like classically awesome bar.

It’s probably like the Maple Leaf in New Orleans, or this, whatever ice bar, I don’t even know what it was called, but the ice container, the ice container in New Zealand.

Chris: Yeah, I’ll see if I can get the name of that place. That’s pretty different. So I see the bartenders now, man, they’re closing up.

I think you got to ’em. I think they’re realizing that the problem here. If you decided to open a cybersecurity theme bar, but would the name be, and what would your signature drink be?

Joel: Oh, interesting. So, I think gonna be super obvious.

I would absolutely open a cybersecurity theme bar called social engineering. Cuz I love a good pun sort of thing. You’re showing up to a bar to see people right. Social engineering seems like it just fits in my, I think my signature drink would just be a whiskey neat.

 Every single person that works in security just needs a shot of whiskey. it’s rough out there. Sometimes it’s so if you walk into my bar and you work in security, it’s guess what? You’re getting shot of whiskey. That’s what you need.

Chris: You can call it the remedy.

Hey, Joel. Thanks, man. I appreciate the time today. I had a great time speaking with you and appreciate all the knowledge that you shared. Before we go let us know where our listeners can find you and connect with you online.

Joel: I’m not particularly on social media, and so you won’t be able to find me on, the standard social media channels.

But you can. Go to www.imprivata.com and learn more about, the company and the solutions we offer cuz we can definitely solve a fair number of your cybersecurity issues.

Chris: Sweet. Hey, take care, man. Be safe getting home and we’ll hopefully catch up soon and have a whiskey neat together.

Joel: Yeah, maybe real drink. Sounds great. It’s good to chat with you.

Chris: Yeah, you too, man. Take care.

Joel: All right, cheers