Before joining ThreatX, Jeremiah Cruit was no stranger to Web Application Firewalls. As a seasoned CISO with 20+ years in the industry, he tried dozens of WAF solutions along the way. And with each solution, his faith in the effectiveness and usability of WAFs dwindled. So how did he end up at a WAF company?IDG Connect explored this and more about his past in the following interview.
What was your first job?
My first real job was working at a training company helping set up labs for teaching token ring, Novell Netware, Lotus Notes, and the brand new windows 3.51 that came on a stack of floppies. The instructor for all the classes taught me so much and I learned like crazy just setting up the labs, when he quit suddenly I had to stand in and start instructing classes.How di d you get involved in cybersecurit y?
Go watch the movie War Games and you will have a sense of how I got into cybersecurity although no computer I connected to asked me if I wanted to play a game. As a kid I had access to the university systems through free and open (very open) mainframe terminals just sitting out for anyone to use and I had my mom’s account information which she never used so I started to play in the systems, it started because I was b ored waiting for my mom and it became a game and an addition.
I found that they had modem banks for people to dial in and with some playing around I could make connections outbound which completely opened up the world for me. I was part of a BBS ( precursor to Facebook , look it up) community and we shared phone number ranges and prompts that people couldn’t get anywhere with. I was a hero on the board as I had access to full modem banks that were barely used at night and I wasn’t paying long distance charges so I was WAR dialing massive ranges and sharing many of the connections I found on the boards.What was your education? Do you hold any certifications? What are they?
I started college in Chemical Engineering and found I just liked the math and Fortran classes which I excelled at, but when I got a summer job working at the training company I thought college was going too slowly and just started working in the industry.
I currently still have my CISSP and CEH certifications but have held Cisco, Juniper, SANS, RSA, Secure Computing, Arcsight and was certified to train CEH and RSA.Explain your career path. Did you take any detours? If so, discuss.
From building labs and teaching classes I moved to working in networking helping build one of the first wide area networks across Wisconsin. My wife and I moved to Seattle so she could go to college there and I joined the Seattle Public Library helping build the first Microsoft library online labs which was an exciting challenge trying to secure public terminals without the benefit of modern lock down software. But being in Seattle during the dot com bubble I got too many offers to ignore and hopped around Seattle helping companies with networking and security eventually ending up helping build a successful security practice at a reseller. I moved back to Minnesota doing security architecture, penetration testing, incident response and back to teaching classes in hacking.
I took a position at MoneyGram where I got to experience a company truly under attack all the time as they handed out cash across the world, we had dedicated crime rings from Romania and Nigeria as well as many other random attackers. It was an amazing challenge and lots of fun and I ended up developing a method to do secure transactions with insecure systems and reduced their cyber-fraud numbers by 98%.
After that I got the opportunity to take a bank that had security issues and transform them into a truly secure organization that has not had a system compromise for the past 3 years. I basically worked myself out of a job there which is an amazing end result for any security leader. During this period my family had moved to Colorado while I continued to commute and I was looking for a local position.
A good friend of mine suggested that I talk to Threat X but I was hesitant as I’ve hated every W A F I’ve ever worked with. The founders h ad to convince me that they actually made a WAF that works by focusing on attacker-centric behavior rather than on signatures. After being impressed with their technology I decided to take the leap and join them as CISO.Was there anyone who has inspired or mentored you in your career? Lots of famous people inspired me in overall computers like Grace Hopper, Dennis Ritchie, and Ken Thompson. But the one person that really helped me focus fully into security was Preston Hogue, I had been working heavily in networking and systems , but he helped me realize my true passion was security and gave me the path to fu