Godwill N’Dulor, Senior Security Strategist, Jürgen Hentrich, Senior Sales Engineer, Fastly: Cybersecurity is very much about the technology, but it’s also about winning hearts and mind, while working as a team
November 2024 by Valentin Jangwa, Global Security Mag Yelena Jangwa-Nedelec, Global Security Mag
From personal anecdotes to Fastly’s new DDoS Protection Service, an inspiring conversation between Jürgen Hentrich, Senior Sales Engineer, Godwill N’Dulor, Senior Security Strategist, at Fastly and Global Security Mag at it-sa 2024.
GSM: Good morning, Godwill and Jürgen, Global Security Mag is very pleased to meet you. Can you tell us about yourself and the professional journey that brought you here?
Jürgen: Well, I started at Fastly, four and a half years ago. Working for a competitor, I always came across Fastly and at that point in time, our customers asked us: why don’t you have an API? Why don’t you make use of Terraform? And I thought to myself, Fastly can’t be too bad. Luckily, Fastly had an open position for a Sales Engineer. During the first interview with my manager, who is still my manager now, I felt like it was a must-have job. So, I’m a techie guy, right? And I love all these features, the way we run the CDN, the Edge Cloud, the development within the platform, the development within our services. For example, four years ago, we acquired Signal Sciences, and I think it was one of the best ideas we ever had. Combining these services means that we have that Edge Cloud platform, so we can run ordinary CDN services, such as delivering websites, offering regular streaming services but it also means that we can deliver really big streaming services, like we do every year with the Super Bowl, the Champions League and the Bundesliga, and this requires real banking. If a prospect wants to start with us, they can sign-up online in two minutes, and then they can already play around with the CDN. If they are happy and want to work with us further, they don’t need to configure their account again, we simply migrate it into a paid account, and they can carry on with the configuration. Fastly, is absolutely great for that and it is, as we call it, by developers for developers, because of that API approach. Many people love web interfaces, user interfaces, I mean, the graphical part. Developers hate it. They want to have APIs, and to be able to do their code and anything else they want to get done. No matter if that is a compute service, if that is a CDN service, or if that is a web application firewall, they can use APIs, and they love it.
Godwill: My background is Information Security. I got into Information Security back in 2001, so over 20 years ago. And at that time, it was very much focused on Endpoint Security, Network Security, and over time, my journey has really kind of evolved through the security landscape. So everything from cloud security, data security, and more recently, I’ve spent time working within the software development lifecycle (DevSecOps). DevSecOps is obviously a growing and emerging trend, and it’s interesting to see the role that security plays in order to be able to make sure that DevOps is a successful practice and discipline. And if we think about DevSecOps, it is kind of ahead of the code and the application, it is everything, the process, the sequence of events that code takes before it goes into production… I had the opportunity to think about and understand how we apply security once the code is actually in production and how we make sure that an application still actually retains the confidentiality, the integrity and the availability. The opportunity to join Fastly presented itself, and when I understood the security capabilities that were available within Fastly’s portfolio, it felt like a logical progression in terms of the journey I had already been under for the last 20 years or so. In my role here, as a security strategist, I have the pleasure of being able to work with our teams to make sure that our customers can solve some of their most complex and interesting business requirements through the successful use and adoption of our technology.
GSM: What was your biggest challenge this year and what was the learning you draw from it?
Jürgen: No matter how many WAF demos I did, no matter how many conversations I had in regards to the next gen WAF, it was always all about bot management. I wouldn’t call it a challenge, but for me, bot management is something that is key and the challenge was simply to understand how to do it. At the beginning of the year or the end of last year, it was fairly new for us, and we all learned. I would now consider it as a mature service. So bot management is a big term. And for me, the biggest challenge was to understand what customers meant with bot management, because they could mean crawlers, a DDoS attack… But with the support of my colleagues at Fastly, it worked very well. The internal support within Fastly is absolutely great. If you have, let’s say, a conversation with a prospect or with an existing customer, and you need the CTO or the CEO on the call, they will be there. It might be late afternoon because of tight schedules, but they will be there. When I started with bot management, and I had the first conversations with customers, I couldn’t run them by myself. So I invited Daniel, who’s like the godfather of Fastly’s bot management, and the meetings went great. Indeed, learning from your colleagues at Fastly is easy and the challenge is not much within the team but more when you apprehend a new service and you ask yourself: how in the world does it work?
Godwill: Exactly. I’ve been with Fastly for just over a year, so my biggest challenge was to really understand the breadth and the depth of the capabilities that we have within our portfolio and how they can be used to solve customers’ challenges and requirements, and it is multifaceted and broad. When you’re new into an organization, there’s a plethora of different ways in which you can solve these challenges. Being able to lean on expertise across the organization, whether that’s horizontally or vertically, has been amazing. So what’s my biggest learning? I think the access to quality insight, experience and guidance. That’s what I’ve taken from it because the Fastly platform is designed to be able to solve very complex and very different requirements. But in order to do that, you need to be able to have access to those that can help you demonstrate and share the outcome to the value that the platform can deliver. And that’s kind of been the biggest learning for me, the willingness and the openness of my colleagues within Fastly to help make sure that we’re able to put our best foot forward all the time, every time.
GSM: How do you manage human error and what are your tips for companies, in terms of what we call the human factor, and what some call the weakest link?
Jürgen: I mean, we have different roles, right? In my role as SE, working really close together with my sales colleague, I can compensate their errors and they can compensate mine .If indeed one person is not performing, or is not doing very good, because we are working as a team for an account, the other can compensate, and another time it will be the other way around. I think this collaboration mindset is essential and it starts with a proper onboarding and then continues with cooperating and working as a team. I think working as a team is key, especially in front of a customer. And you can help your colleague in front of a customer with appropriate remarks, but also afterwards, right? I mean, if you fight each other in front of the customer, that does not look good. So if your colleague doesn’t know the process, help them.
GSM : DDoS attacks is a big of topic of 2024. What is Fastly’s strategy to help prevent them?
Jürgen : At the end of October, we launched a DDoS protection service called Fastly DDoS Protection. Since the beginning, we had been protecting our customers against layer 3 and layer 4 DDoS attacks, which was easy for us, as we automatically block anything that is not HTTP or HTTPS traffic. That is blocking 90% of DDoS attacks, so it is really effective. It is easy to set up and is something we run for every customer, for free. However, there’s always a gap within that, and the traffic of the DDoS attacks slipping through these gaps can now be dealt with. That DDoS protection starts with the deployment and it’s a one-click deployment, which is pretty cool. It kicks in within seconds, so it’s quick once enabled. It is developed by Fastly itself and we call it attribute unmasking. It is analyzing layer 3, layer 4, and layer 7 information, building signatures out of that information and then making the clever decision about which request need to be blocked. Attackers are not stupid, so even if the IP addresses are changing, we are able to find the attack traffic and block it. This is brand new.
Godwill: From Fastly’s perspective, it’s security. We follow the tenets of the security triad: confidentiality, integrity and availability, and this DDoS protection service is very much about the availability part of the triad. So to Jürgen’s point, it’s being able to reduce the time it takes in order to be able to actually identify that there is actually something potentially malicious and nefarious that requires attention and that could compromise that availability. Then it’s about simplifying how we actually go about making sure that our customers are actually mitigating that risk and then actually receiving the protection that they need. That’s exactly what the DDoS protection platform is designed to be able to do. It’s designed to shorten that window in terms of identification and then in terms of mitigation as well. It is removing a lot of the friction that can be involved in responding to a DDoS to then ensure that the right steps or procedures of protection are actually in place.
Jürgen: One of the big differences between the DDoS services we already had in place and our new platform is that it is protecting cached content. Indeed, we have a service called Edge Rate Limiting that is protecting the backend of the customer, but also sits behind the CDN service. This new DDoS protection service is running in front of the CDN. That means it kicks in immediately after decryption and can protect even cached content. Which means, again, saving money for the customer because we do not deliver cached content to bots.
GSM: To which extent do you think that DDoS attacks and geopolitical events are related? And how can Fastly help mitigate those geopolitical risks and the struggle that many states could have if other states were blocking their servers?
Jürgen: One example I use to explain how effective our platform Fastly DDoS Protection can be is the following. Consider a customer who is streaming live events. That means you start with zero traffic, the traffic goes up, the live event starts, it goes up to 100 % and then goes down. That very moment, when the traffic is raising to, let’s say, 100%, it might be considered as a DDoS attack and the traffic could immediately be blocked. With the Fastly DDoS Protection Service, that traffic is not blocked. And that is amazing. That might be related to geopolitical problematics like the elections, for example. Because I mean, even when you usually have a certain baseline of traffic on a news outlet, and then it goes up when the election starts and especially after the elections’ first results, it then goes through the ceiling, as we say. And that needs to be very well managed. You do not want to have false positives. Estimating the traffic of live events, especially within geopolitical problematics is hardly doable and when managing live events, customers do not want you blocking the live events because your platform automatically registers it as a DDoS attack, but with our platform, we can manage that.
Global Security Mag: What would be your key message to our readers in terms of advice, on what to prioritize for example ?
Godwill: I think the first thing that I’d say is when it comes to security, it is very much about managing risk. So being able to actually quantify and identify what the risk is, is the starting point. From there, you’ll find the corresponding controls in order to be able to mitigate what are effectively the most valuable aspects or assets within the environment that face the most remote risk. Nowadays we rely on applications more and more. They play a lot of different roles in our lives, they are there for work, for play, for social and they’re also there for travel. Applications are an integral part of everything that we do. And so making sure that we understand their value to our lives is one thing, but then also understanding the fact that the majority of breaches actually occur as a result of successfully compromising an application is also incredibly important to bear in mind. If we start thinking about risk, we start thinking about trying to mitigate risk. Focusing on the application layer is certainly something to think about and when it comes to security, in order to be able to make sure it is effectively deployed within an organization, I would say it’s very much about the technology, that’s obviously a key part, but it’s also about winning hearts and minds and actually trying to break down silos within an organization as well. Indeed, collaboration and actually finding ways to be able to actually get stakeholders from other parts of the business into becoming a security veteran is incredibly important as well. If you actually start thinking about embedding and integrating security into the fabric of the business, not just the network, you have a chance of actually being able to make sure that that rollout of security is more effective, right? Because then everyone feels like they’re invested, everyone’s a stakeholder within security. So for me, the keys to security are the following: identify risk, quantify it, manage it, find the corresponding controls, but then, as you start to go on that journey of actually deploying or as you continue to press on on your journey within security, don’t forget hearts and minds, don’t forget collaborating, don’t forget trying to break down silos so that you’re able to get others to go on the journey with you.
Jürgen: My key message would be bring it to the Fastly Edge Cloud.
Related articles: