Taking a Tech Memory Lane Walk with Trey Guinn from Cloudflare

Speaker 1: 0:01

How's it going, everyone? This is another security unfiltered episode. So today's episode is with Trey Gwyn from Cloudflare. Cloudflare actually decided to sponsor the podcast because they believe in what security unfiltered is doing. They like how we present the information and whatnot. And Cloudflare is a very well known WAF solution that is used by thousands of companies worldwide and you know we had some common synergies right. So they wanted to sponsor the episode. But that doesn't mean that they directed the questions that I'm asking or the conversation that we're having or anything like that. That's absolutely not the case. They just sponsored the episode because they believe in what we're doing here. So with that, let's get into the episode. Thanks everyone. How's it going? Trey, it's really great to finally have you on the podcast. You know we've been trying to get this thing going for a while now. I actually think I started talking to Cloudflare back in April or May. It was one of those months right after my kid where, like it's a complete blur, you know, and there was several times where, like I went out to dinner or you know I had like a meeting or something, and you know they would be like, oh, don't you remember? Like we had this dinner, we had this thing right when we discussed all this. They're like I don't know. I mean, that doesn't exist to me right now.

Speaker 2: 1:35

Oh well, congratulations. And you know, you know, in the world we'll know be over in about 18 years, right, yeah, hopefully hopefully 18.

Speaker 1: 1:45

So, trey, you know I started everyone off with telling their background, and the reason why I do that is because there's, you know, there's different sections of my audience, right, that are coming from different backgrounds and they're trying to figure out, like you know, hey, is this something that I can do? Is this something that you know is possible for me? Right, I get that question so many times. Right, I want to get into cybersecurity, but I don't come from an IT background. Is that possible? And so I feel like it's always helpful for my guests to, just, you know, give their background. Tell us where you came from. Did you study IT in college or did you go down another rabbit hole?

Speaker 2: 2:27

Yeah, that's a good question. So I I go like way back. My first job was building computers in the mall and like not the nice mall, the crappy mall, and so building like 46s, this and the other, and I remember getting. I sort of got on the internet at first when it was CompuServe I do dial up at home so built my computer there, sort of played around. I remember like when they added TCP IP to Windows. So I'm really dating myself, but that was like 12, 14 years old. You know, I was kind of a kid and I think what changed that was when I went to university. I I had a job at university but I was working for like the university IT team, which meant like just network management. So I got into like lands and stuff there and started to really learn networking. I ended up working full time while I was in college at a small business sort of networking company. So it was like an IT guy that built, like you know, built networks and installed them. So I do everything from you know, plug a mouse in to you know, build a Windows NT network and and what have you. And then let's see after. After college I kept essentially working the place I was working at while I was in college and did that for a little bit and I just sort of like life decision in front of me. I was living in Austin, I was doing this sort of small business IT thing and it was a small company's, like you know, just a couple of college age kids, you know, fixing networks for like lawyers and what have you. And the owner of that business was like hey, I think I want to go back to school. We could do this like employee buyout thing, so like if you just stick around for three years, we'll give you a third of the business. I was like, oh, that sounds really cool. But I was 24, 23, four years old, something like that, and I was like I'm not sure I'm living in Austin. And I was like I'm not sure I want to spend the rest of like I don't know if I want to spend the rest of my life here. I haven't lived anywhere else. So I actually it was kind of crazy, but I just said thank you so much, but I'm going to quit now instead. And I sold everything I owned and went to go travel around the world for a year you know in quotes but I sort of like ended up in New Zealand accidentally, got a real job, and then there was like building sort of like data centers and stuff like that and I ended up being the guy that just like picked up, picked up firewalls and became like the first Fortinet certified administrator in New Zealand because I just thought those things were really cool. But I ended up being this again it's kind of a smallish economy, smaller company, only like a couple hundred people there, and then after that I would give you the long sort of it then ended up in New Zealand. After New Zealand ended up in Amsterdam and I kept doing sort of infrastructure stuff and then enterprise architecture at a big multinational and then from there I got a job at Cloudflare about 10 years ago as a first solution engineer. So this is slightly abbreviated version but still worthy.

Speaker 1: 5:56

Yeah. So so, trade, you know you bring up an interesting time, I guess, in the computer world. You know when you started, when or at least you said that you remember when they added TCP IP to Windows NT.

Speaker 2: 6:12

I think it was right, and do you use Windows 3 to Windows 3.1? It was like when you actually got a TCP IP stack.

Speaker 1: 6:23

Wow. So you know, do you? Do you think that you know? Engaging with technology back then allowed you to understand kind of the underlying. You know workings of it quite a bit more than what people do today. And I bring that up because earlier on in my career I was essentially a Linux admin, right, and the Linux OS did not have a GUI on it, so it was strictly terminal, and so I ended up learning Linux extremely well as well as learning you know the network stack on the Linux server, learning you know the different security, you know configurations and how everything is configured right, and that kind of opened my eyes because I was used to, you know Windows 98, right, windows 2000, whatever, whatever, windows 7, that's what it was Sorry, and you know I was used to that GUI right, never played around with the terminal, but as soon as I got into the terminal it really opened up the rest of like technology to me. I feel, do you look back on that and think the same thing? Or, you know, is it a different kind of feeling?

Speaker 2: 7:38

Yeah, that's a good question. You know what leads us to sort of go deeper down in this career. Fundamentally, I think what is incredibly helpful has been for me, and even when I, like I built a solution engineering team at Cloudflare, what made folks really good at their role was folks that wanted to understand how things worked right. So you're looking for this sort of sense of curiosity. I'm with you. Like, I remember trying to get my first sound card to work in Red Hat 2 or whatever it was, and you know, and at the time we had this debate in the dorms about, like, is it Linux or Linux? And the demo sound was like hello, this is Linux Store Vaults, and I pronounce Linux, linux. And I was like, all right, we're seeing, like, but it took like two days to get a sound card to work and you learned a lot about interrupts and this and the other. I like I'm reticent to say that that is the thing that makes you understand the material better. I think you're either curious and you dive in because you find it genuinely interesting, or it's so bloody hard to use that you're forced to learn how it works. But I think both of those paths work to get you there, because I mean there's a bunch of new stuff now that like I should be digging more into. Yeah, so, as always, that'll never stop.

Speaker 1: 9:04

Yeah, that's, that's a really good, I guess, analogy or way of thinking about it, right, like it has to be so, so hard that you have to learn it inside and out. I mean, you know, there was a point when I was that Linux admin right where, where I had to learn SC Linux, not because I wanted you know, I didn't even know what SC Linux was but on the call I had a customer that was like, oh, we require SC Linux to run, and whenever we've run it on your server, everything breaks. Like, okay, well, that's really weird. You know, like this thing should just be working right, like and I mean, this was weeks, weeks later. You know, like I finally had it all down, but like, if you looked at my one note that I was taking notes in because I took, you know, copious amounts of notes I took the error that I would run into the command that I ran to fix it, why that command works. And you know, keep on going through it. And the extensive one note that I had at the end turn into the troubleshooting guide for all of SC Linux for the company. And like it was used by the devs to actually say, oh, this is all the changes we need to make. You know, I never would have learned it as well If I wasn't going through those problems, that's for sure.

Speaker 2: 10:25

Yeah, you're like sort of forced through it. You have to, like you have to build mental models as you go, and then you sort of your this is actually. It's an interesting way to learn, Like I find tinkering and playing with things is a fantastic way to learn, and trying to make something function in SC Linux is like the ultimate version of that. You're like I think I have a mental model of correction, Like nope, it didn't work. All right, I'm going to like fine tuning continuously, yeah yeah, absolutely.

Speaker 1: 10:52

So, you know, along your path. You said that you were, you were at a company doing, you know, some IT work for law firms, right, and they offered you essentially one third of the company and you chose to travel. So walk me through, walk me through that decision, right. And this is a really interesting decision for me personally, and I'll tell you why. Right, um, I remember back when I was, you know, younger, right Earlier on in my career, I had just started to develop this mentality of say yes and figure it out later, right. And so I think to myself, if I was presented with that one, I would have taken it, right. But what you did was travel the world and start to experience that. And I have a friend who, very recently, actually just decided to leave his job and was like you know what? I'm not happy working here, I'm not happy doing this. I'm literally going to go travel the world, like I've worked, you know, since college. I want to go do this, and so he did it and I'm extremely envious of him because I have a seven month old. Right, I can't, I can't just up and leave. If I do, I have to take two other people with me and that's very expensive. It's not like I'm a, you know, a single 22 year old anymore. Right, like I have responsibility.

Speaker 2: 12:17

It's possible, anything's possible. You can travel with a family.

Speaker 1: 12:21

It's not impossible. It's very difficult, very difficult, very inconvenient. So you know just talk me through that decision. What did you weigh? How did it look to you? What were you thinking?

Speaker 2: 12:37

Yeah, so it was. It's interesting, I wasn't unhappy, I loved my life, I was having a great time, like the job, et cetera. But I I guess I was aware of the fact that I was like 24 years old and here was this option to take sort of the ownership stake in a business and I said, okay, well, if I do that, like you know, I remember my thought was always like, okay, then all I need to do is find a house, a wife and I'll be ready to die, like like my whole life will just be like laid out in front of me. And I was just like I'm not sure I had this sort of sensation, was like I need to see other options before I commit to this one. And then what really helped was within a couple months of that I mean actually right, similar timing, but like within a month or two of that very fortuitously, I was in Banff, canada. My mom and I have birthdays close to each other, so sort of a birthday trip. We went up there together. But because I was traveling with my mom, I basically spent whatever time I could trying to find people my age to hang out with, and there were these. There was a Irish couple of sort of in their 20s or my age that were working behind the bar, their bartenders at the place, and they explained to me this concept of holiday working visas, the idea that you can get a well one, explain the idea of travel right, like as Irish and Australians and stuff. Like it's a very common thing, like after university go spend a year abroad or you do your overseas experience, whatever you call it and they're like, oh yeah, we got this visa. It's called an over, you know, travel visa, working holiday visa, and you can travel for a year in a place and you work a little bit. And this. And I was like, oh wait, you mean I don't have to have $100,000 saved up to be able to go travel for a year. And yeah, and it was I. Basically that was September when I met them and it like opened my eyes to this possibility and I had left the US by January 1. So, like within a couple of months, I wrapped up my entire life and was like I'm traveling the world and I think I bought tickets to places that I probably couldn't find on a map and yeah, it was a good time and the best part too is I'd never traveled by myself before, and that was that was super, super valuable for me.

Speaker 1: 15:05

Hmm, yeah, you know, the very first trip that I ever took, you know, by myself, was actually to Germany for study abroad. It was a four or six week program, right, and it was two weeks, yeah, two weeks, after donating my kidney. So I donated my kidney, oh my, I told my doctor like, hey, I'm not going to make the checkups, you know, in a couple weeks because I'm going to Germany, and so they, you know, had to tell me, like, what hospital go to go to if anything went wrong, and everything like that. But that experience, you know, really prepared me for the rest of my life, up to this point at least. You know, it was amazing and it's really interesting to me how well traveled you know Europeans are, like they, I mean, they travel all over Europe all the time, right, and I was talking to someone from Russia and he said, oh, you know how many, you know how many countries have you been to, right, and I'm like too, this is, this is number two. You know, then, do America, if you count that right? And he goes oh well, how much of America have you traveled? I'm like, not that much, you know, like I, I had enough states to. You know, maybe fill a hand if I was being generous. Right, and he was very confused as to how lacking in the traveling department I was and I had to explain to him. You know, if you pull up a map, right, we have 50 states over here. Right, you pull up a map and you look at one of our states and it's, you know the size of potentially a couple small European countries. You know, like, like Illinois, right, you could drive in one direction for eight, 10 hours. You know, if you start at the very top, you go all the way to the bottom, that's 10 hours. And you just made it through one state. You know, and, like him, wrapping his mind around that was, uh, was really interesting, because I was also trying to wrap my mind around them being so traveled, because they were like, oh yeah, I'm going to Australia, I'm doing this and I'm, I'm over here. I'm like man, I'm just lucky I made it here.

Speaker 2: 17:20

Yeah, yeah, no, it's, it's I. I highly recommend it. Thanks, folks. Whether it's travel or in any way, just trying to expose yourself to other ways of thinking and other ways to approach problems, just get people to challenge the things that you have assumed that you've been socialized to grow up with. You may still agree with those, but from that very big decision, just because this is the default, is this the thing you really want to stick with? We can bring that right back to tech. I mean, that's also the way you figure out how things work Is like. Can you run with the defaults or do you really need to understand the implications of changing something?

Speaker 1: 18:04

Yeah, now, did you experience a lot of that in your tech jobs overseas, where they were going about a problem differently from how you would have addressed it? Was that situation something that you went through, or maybe?

Speaker 2: 18:24

not Right.

Speaker 1: 18:25

Because tech is universal.

Speaker 2: 18:28

Well, yes and no. Actually, I learned a ton. I lived in Amsterdam for about almost six years. One of the jobs I had there was I was an enterprise architect for KPMG, but like KPMG internal IT, like the KPMG business, not facing customers we had an enterprise architecture team that was largely split between Amsterdam and New Jersey. What I learned there is just this cultural way of going about solving problems. This is slightly exaggeration, slightly hyperbole, but if you came up with a problem, set a set of requirements and you brought it to the Dutch team, which I was on the Dutch team they'd spend a month coming up with this perfect self-healing, every potential solution, considered, every possibility, Like they really thought things through. They're very, very long-term focused. They always think things like 100 years. When they build houses in their neighborhoods they're thinking like 500 years out. We barely think six months out. They just have this very long-term perspective. But it would take like a month to come up with a design for the system, much less than you have to go build it. You'd have the same problem set to the American team and the American team would have a POC running. By Friday It'd be up and running Now you'd have to duct tape it to no end. It's going to cost a fortune. They hadn't considered any of the problems that could arise. I hadn't really thought through anything, but it was running. What my takeaway was is that the ideal is somewhere in the middle. You have to move fast to take advantage of market opportunities and just as opportunities come up, but you also need to somehow balance the short-termism versus long-termism. What I really liked was being exposed to both of those teams and seeing how they functioned, because I felt like I could learn from both. The question was spot on, but that was super formative for me in my career.

Speaker 1: 20:50

Yeah, at my current employer. They're a German company and it's insane how much they actually think through this stuff and everything. I just spent a year doing what they call a POC. To me the POC was only the past six weeks. It was the only time that I was actually doing hands-on keyboard, actually getting into the weeds of different things. I've been working on it for the past year because they want every single T-cross, every I dotted. They want to think about it a couple of times. I learned in that process that when they're designing vehicles over in Germany they'll have button requirements where corporate will say it cannot have more than X amount of buttons in the vehicle. Where you place them is up to you and they will debate this. I guess they were actually debating this for eight months all the way up until the car was actually released and corporate had to put a boundary on these engineers saying okay, you have two months to make this decision because we have to figure out everything else. We can't be held up because you don't know where to put a button. You need to figure it out, which is really interesting. I drive a German sports car and my wife has the same manufacturer. I'm trying not to give away too much information because as soon as I do, everyone's going to be like oh, this is where Joe works. That's what I want to avoid. My wife also drives an SUV from the same car manufacturer. If I sit in her car and I sit in my car one, they're two totally different cars, they perform totally differently, but they are the exact same experience in terms of the cockpit experience. The buttons are in the exact same place. It feels the same. There's very few differences and they do that very intentionally because they want it to be. If you drive our lowest end car or highest end car, it's the same controls, it's the same functions. It performs differently, but it's mostly the same all around. It's really fascinating to me of how much time they will put into making the decision not right but perfect.

Speaker 2: 23:27

Yeah, it's that idea of designing systems with a user experience that people can just appreciate and they can jump in and use. And then, obviously, ideally, you don't want to have to read, you don't want someone to be required to read the owner's manual to figure out how to turn the air conditioner on. It should just be obvious, right, it should be intuitive. And this probably goes to it's always going to bring around to security. Again, like it's shocking. You think about solutions that are not secure by design or it's not intuitive. I always feel like hard to use systems are inherently less secure and hard to use also for end users. Like if security adds too much friction, people will find a way around it, like they won't leverage it. And so it's like, how do you really think about that end user experience? Making it consistent, making it just where you don't even have to think? It should just be intuitive. You're like, oh, I want to do, I want to put the car in drive. It's like it's super obvious what I'm doing and I'm doing the right thing. I'm not accidentally putting the emergency brake on in the process.

Speaker 1: 24:39

Yeah, Right. So, Trey, you mentioned you started off as what was it? A solutions architect at Cloudflare, Is that right?

Speaker 2: 24:50

Yeah, so I was the first solution engineer at Cloudflare. Technically, I was the first hire in the customer facing sales team and I'd never been in a quote unquote sales team I would like really cringe at that moniker. But it ended up being like my favorite job, which, because I had all this background in sort of being I was an SRE before I was like IT guy, built data centers. I like working with customers. I really liked solving their problems and understanding what they're trying to accomplish. And then I feel like it's like designing a LEGO setup. I love hearing what the requirements are, looking at what the tools are and trying to come up with the best solution to meet the requirements and also think like the Dutch do, think a little bit in advance of what's going to be step two and step three after this and how can I sort of prep you for that Turns out I didn't realize that's what solution engineering is Sort of figuring out how to solve someone's requirements, and so I ended up being a sweet gig and I was the first solution engineer and then I ended up managing and building that team up to. I did that for eight years, so I ended up being a global team of 160 people, and so I had solution engineers in I don't know like 20 different countries and just this amazing group of people and yeah, so that's how I started at Cloudflare.

Speaker 1: 26:22

Wow, that is a really interesting start, because now you're a field CTO, which I mean it's I guess this is the best way of putting it right it's obviously a higher level position, but it's almost completely different because it's a different set of problems that you're trying to resolve. You may not be in the weeds every day, like you alluded to previously. You're not in the weeds every day, and so it's more difficult for you to stay on top of all the different evolving technologies and whatnot right, and so how do you find the time even to stay on top of it? Do you have key resources that you go to that maybe give you a quick blurb about something right that you may need to know for a customer meeting, or something like that?

Speaker 2: 27:24

Yeah, that's a good question, I mean one. It is challenging because I'm obviously like, even just with our own products and solutions I'm just like I'm not getting my hands dirty with it nearly as much now. I'm sort of in a way I'm like sort of more focused on the strategy versus the practicality, what you're doing with it. But I think what has served me well is just to try to maintain that sense of curiosity. And what has saved my bacon is, I mean one I'm lucky to work at a company that blogs super extensively about how things work in the background and what have you, and I find that super interesting. I'll read about how different cypher suites function and super low-level kernel things in a Linux kernel which, to be honest, is way past anywhere I've ever actually played around with. But just it helps to build those mental models. And then, critically, I'm lucky is that Cloudflare is in place, is really transparent internally and everyone's really helpful and friendly. So if I find myself curious, I try to. When we worked in the office I would literally tap someone on the shoulder. Now it's a sort of virtual tap on the shoulder. I'm like, hey, do you mind taking 10 minutes explaining to me how this works, because I'm just trying to have that model in my head and so, working with product or engineering, do that a lot and hopefully taking those ideas when we're working with customers, partners, government entities et cetera. And largely it's not even so much trying to convince them to do one thing or another, I just like it's largely trying to just essentially educate what I'm learning from these smart engineers at Cloudflare, like if I can just sort of pass that information along, then these folks can make a more informed decision about what their next steps are.

Speaker 1: 29:26

Hmm, yeah, it's really interesting. You know when, when you're talking to different customers, is there a common issue or a common thread with your customers that you're seeing? You know it might be consolidating their tech stack, right, because over time the tech stack has grown so significantly it's difficult for even the engineers to keep up with right. And you know, for example, just recently I was faced with an issue that I was trying to solve without a tool that we had bought, deployed and were running that specifically solves this problem right, and I had no clue that it had that capability. I knew that we had it, but I didn't know it had that capability right. And I'm someone who's pretty much in the weeds, you know like.

Speaker 2: 30:21

I'm. I mean, you're on top of this stuff. Yeah, exactly.

Speaker 1: 30:25

Right, you know so like. Is that a problem, or is there more unique problems than that?

Speaker 2: 30:34

I mean we have. We always have those challenges, I mean particularly for ourselves. Like we're an innovative company, we keep shipping new things. I mean it's hard enough for like our own employees to know what we have this week, much less our customers. And then half the customers have sort of been introduced to Cloudflare at some late some date in the past and then when they chat with us today and we were like, oh, this is what the platform does, they, they like they're like whoa, that's like 10. Next, what I thought you guys did. And I think the interesting thing there is that I I really think Cloudflare is kind of a new category of business and we finally actually started like trying to come up with a name for this. And we don't think we're going to be the only one, like we think there's other companies doing this. But you used to have, like you know, your, your WAN company, a firewall company, low balancer company. They had all these different companies that did different things and that worked in a world where lots of compute and applications and users are kind of like we're together. And back when I was building that NT networks for lawyers, like it worked because, like the lawyer, the server, the application, the data was like kind of all on the land, right, but we've seen 10 years of like cloud and SAS and whatever. So now in this world, like things are super, super distributed, you've got users all over the place, applications all over the place, data all over the place, and cloud has worked well for that, like using cloud environment. I hate saying cloud is just basically automation. So automation's worked well for like building, like dynamic sort of store and compute. And the internet works really well for making it possible for you to be anywhere. You've got 5G, you've got all these things. But if you're asking that question like what's that common problem is, I think like, for some reason, like networking and security has been the laggard where the way people solve problems. Back when I was building NT networks and even, like you know, when I was at, you know, when I lived in New Zealand, we had a, we hosted applications, we had our own data center I hope to like build a data center and stuff and we had like a racket you know racks of servers, that model of like okay, you got an application and you got a user here and then in between them you just got to put these functions and you normally do those functions with like VMs or boxes or something like that. You have to choose where they run. Like that sounds very common, right? They're like we're trying to use that model in this world where now the application, the user are everywhere, and so you're like oh so I guess we just need more of those boxes. And that doesn't work well. Like like I talked to a big European bank that runs like 75,000 firewalls and they're in internal network, and so, like I talked to another bank in New York that was saying the other thing is like classic thing was we, you know, we have this clouds great, we can spin up a developer environment in 30 seconds, but then it takes like six weeks to get them access to it because the change tickets to go through, like the 12 control layers and the four season. So that to me, is like the common problem in our industry today is that, like networking and security has like been this laggard, and I think of like, and when I say not security broadly, but like sort of security that you do in the network and because the network is like such a point of visibility for that that has been this laggard and we like we need a new model, and I think this new models we're calling it connectivity cloud. I mean, that's where the marketing people come up with, but it's not terrible but the idea being that you can have a more ubiquitous set of controls so that they you can have the same controls and they can be in, they can be in all these places in a orchestrated way. I think that is this challenge that a lot of folks are running into, and you talk about complexity where they've, like, over the last 10 years, like they added a bunch of cloud environments, added sass. They did all these things and now, like you try to like make a change, like get a developer access to the development environment and take six weeks like that's crazy. Like things have gotten so complex. Like got to find a way to make it simpler and consolidating the number of vendors to is a big part of that too. But like and then go into DevOps and you know DevSecOps and all that stuff and automating. That is really important. But I think, like, the fundamental problem is that, like we took the network stack from 25 years ago and we just tried to, like you know, copy paste it out to like every environment we have a data server or server or a chunk of data and now, and that doesn't work well. That's a long winded thing, but that's that's like. That's literally like the thing I've been working on for 10 years at cloudflare.

Speaker 1: 35:41

Yeah, I mean it's. It's crazy how complex these environments can be. I'm sure if if that bank ever leaves that firewall vendor they'll be, their stock will really take a hit that day, you know there's some.

Speaker 2: 35:56

there's some sales guy on the yacht somewhere who's loving life because of that deal, but yeah, whatever. Yeah, it's on the island, doesn't serve that doesn't serve the, doesn't serve the bank, doesn't serve the bank's customers, and you're like there's got to be a better way to do this. Yeah, that is so.

Speaker 1: 36:12

That's so insane, you know it's. It's been tempting at times to go over the sales, the sales route, but I just don't want to do it. Yeah, I don't want to do it, I don't believe you know I should.

Speaker 2: 36:26

Yeah, I wouldn't push anyone that direction. I was just thought when we were, when I was building solution engineering team, my whole thing was you could find sales people that were, far more than you know, marginally technical, or you could find engineers that like to talk to people and my whole strategy was like, I wanted to hire engineers that just like to talk to people. That was, and I think you, it really varies by company and what you're working in and stuff like that, but that was, that was our strategy with the solution engineering team.

Speaker 1: 37:00

I mean it makes a lot of sense. You know, it's not very common that you find someone so technical, able to, you know, talk to a customer, you know, without having any issues, without stumbling around and not being un talkative and not being too talkative. You know, you got to have got to have a certain level of communication skills, I guess, to be able to be successful at that role.

Speaker 2: 37:28

Yeah, it's an interesting role, To be honest. I stopped leading that team two years ago and it's even more mature now. They have more sophisticated leaders who have done this more. So it's not only being really structured and thinking about how you not only do you have to have good EQ and be able to communicate, but having us structured, a way of trying to extract out what's important to the customer. What are they trying to solve for Ten different ways to ask the same question because you will know this, and every engineer knows this, which is people tend to come to you and say do X. Instead of just saying yes, you should probably ask what are you trying to accomplish? Because what you've come to me with is you've come to me with an implementation. You've come to the expert and told the expert just do this implementation. What you should come to the expert with is I'm trying to accomplish this outcome. What do you recommend is a way to do that? That's a much healthier way, but try to do that in a non-combative way. You're like oh okay, you want X, but tell me why you want X. What are you trying to do? What are you trying to accomplish? And then, when they say something, you're like, oh okay, well, we could do X, but there's this other thing we could do and it has these benefits. What do you think of that? You're like, oh wow, that's great, you guys are helpful. That sort of conversation repeated five billion times.

Speaker 1: 39:04

Yeah, absolutely so. I guess in security and even more of the general public, I guess every maybe let's call it once a quarter, right, we see Cloudflare and the news in a good way, right, for once, we see a security company in the news for something good, right, and it's always Cloudflare. Stopped X attack, right? Or X DDoS attack. That's the new largest DDoS attack ever. One, how are these attacks measured? Because I'm seeing was it 398, 400 million requests per second, which is pretty insane. That's hard for me to picture even what that is, what that looks like. And two, how in the world is Cloudflare able to do that? Right, because I feel like no one else in the world can do that. I mean, it's numbers that are hard to imagine, right? So how is that even possible?

Speaker 2: 40:06

Well, it kind of goes back to that point I was making about like building things in this like very distributed way. For the engineers in the audience you'll appreciate this that Clubhouse is the first company to really build a big anycast network, sort of reverse proxy, and so about 20% of all domain names on the internet today are behind Cloudflare, so we're already running in a big scale. And then you think about like how if you don't mind me getting technical for a second, but if you think about like how you would interact with a website or it's like a web application or an API from your phone, et cetera First thing is you look up a DNS record, you get an IP address, you connect to that IP and then you do like a layer seven request for, or you establish SSL and then you do HTTP generally. But traditionally when you look up an IP address, it was like your phone number on the internet. Right, it would exist in one place. And this was the big problem with DDoS back in the day was because you had like one address to attack. You could the first D and DDoS is distributed and you could build a botnet that's all over the place and it could concentrate and attack in one place and just knock it over. And it's sort of like the law of averages here, like one person can never fight off right, like I don't care how bad as you are, like if enough people come at you and you're just one, like there's nothing you can do about it. And so what? The? Even the founders of Cloudflare actually, from the very beginning, did this. When we have IP addresses on the internet, we advertise them from all of our data centers at the same time. So that's, like you know, 300 different data centers now. So what is weird is that the that it'll be that IP will be out in a data center. The same IP will be a data center in Dallas and one in Moscow and one in Auckland, new Zealand, and Sydney, australia, and wherever else. And so when you've got this distributed botnet that's launching an attack and it tries to attack the IP address, it actually ends up hitting the look the like the closest one and that sort of low balances and attack out in that way. And so, and as you mentioned, like, we just on Tuesday had a big announcement where we basically did a responsible disclosure of this new crazy zero day vulnerability in the HTTP protocol that is leading to just these crazy world record attack types. But luckily we're able to work together with some industry peers and the goal really is to try to get everyone patched and sort of on top of this. But I do think that it represents this sort of like step change where we're going to start probably seeing a lot more layer seven denial of service attacks than we have seen in the past.

Speaker 1: 43:09

Wow, that is, that's really interesting. You know, I've never I guess I've never thought about it quite like that, where DDoS attacks were very successful because they could focus, you know this, this huge like army of devices on a single point. But by eliminating that single point it doesn't really matter, right? Because, yeah, you can take down, let's say, you take down one, right? Well, we have, you know, 300 other data centers or CDNs, right, that are projecting the same thing out there. So, good luck taking all of that down at once.

Speaker 2: 43:49

Yeah, you want to distribute your defenses just as much as the like the. The attack is distributed, so that's, that's really. The trick is like you stop a distributed attack with a distributed defense.

Speaker 1: 44:02

Wow, that is. I mean that makes a lot of sense. It's just I can't believe it's. I mean I don't want to call it simple, you know, but I can't believe it's that simple of a thought behind it, right? Because I just always, I don't know, I didn't think about CDNs in that way of being able to be used to load, balance the traffic like that, but it makes. It makes complete sense as to why you can do that.

Speaker 2: 44:29

Yeah, the, I mean one. I don't mind calling things simple, because I think the most brilliant things are simple. They also are very. Some brilliant simple things are really hard to pull off. But I would even say, though, that this idea of doing anycast, where you're advertising over BGP, the same IPs in different places, is Cloudflow is essentially one of the first companies to do that for stateful protocols like TCP, and, historically, you know, we actually we hate being called the CDN because we're like, oh, it's like calling a car an Astra, like your car has an Astra in it, but like we have a CDN, but we do a bunch of other things, the. But the way that, like I guess, the other players that have been in this market for a long, lot longer, what they did was they would load balance with DNS. So if you, if you looked up the IP address, you know, do a DNS lookup, you would get a different response depending on where you were. So they did only have single IPs in one place, but they would just give different IPs to different people, and that generally works, because that's another way to sort of low balance. But if, if you, instead of attacking, like a domain name, you would, and where you're resolving it and getting different IPs. If you just attacked a single IP then you could still like load up on it and by having the IP itself advertised in different places with any casts that like it raises to then like the next level up. And plus, not to get too much in the details, but with DNS giving different IPs, you run into these like replication challenges. And how long is it going to take for sort of DNS queries to fall out of caches and stuff? I'm sure you've seen this before as well. Anyone that's learned sort of IP config commands you know to flush your DNS cache. You know why. So that's the, that stuff.

Speaker 1: 46:25

Yeah, that is such a headache, especially when you're you're trying to like deploy a proxy and it has other settings on it. It's not taking the new stuff. So frustrating and just like it makes, it makes the product look a little bit worse to the organization because it's like oh, this is supposed to be flawless. You sold it as flawless. You know it's always. It always makes for interesting situations, those small nuances like that.

Speaker 2: 46:53

But those are where you this is where we learn right, like when, like we're forced to make something work and you're like this isn't working, my mental model didn't function. It's like right back to our first conversation, which is like how do you get yourself in the position where you have to learn how something, how how something functions at at like, at a very basic level.

Speaker 1: 47:12

Yeah, absolutely. So you know where. Where is cloudflare going, because I feel like cloudflare has been around for a while now. You know and cloudflare has always been known, as you know, that that, that DDoS protection right, that CDN, almost right. Where, where do you see cloudflare going as a whole? Are you guys working on new offerings that you plan on releasing in the future? Are you stepping into other other domains and needs of security? I would imagine that if you do go down that path, you'd actually be pretty successful at it. You'd have a good product. You'd have, you know, provide good quality to the, to the industry, because of your track record with what you're doing already. Where are you guys going?

Speaker 2: 48:03

Well, so when I started 10, over 10 years ago, we had we had some basics protections for web applications, right, and so you think about this as sort of like and and for for many years we were just sort of expanding out like what you could do. So, whether you're talking about web apps, to other things like TCP and UDP, but like, basically, how do you shield an application from DDoS? You can do load balancing, rate limiting. Then you start to like fraud detection, bot management, all this stuff. But from the very beginning, cloudflare is sort of like a networking and security company and I don't like oversimplify. Networks connect users to applications, and we were doing that first part, which was protecting applications. And then back in 2020, like sort of like right around the time COVID came out, we started launching a set of services for protecting the users, because you're like, okay, we're on this, on the, on the, where, the network, so that's a lot of sort of forward proxy, protected DNS as the email, phishing protection, like there's, there's a ton of stuff you can do there, like DLP, et cetera, so that security side. And then we also, at a similar time, launched more network services. So we, we can do, we can protect sort of site to site. We can replace your WAN and we can do like firewall there, like IPS, ids, things sort of in the network itself. And to me that's really cool, cause you've got like, okay, wherever the user is, you can. You can get all the protections for the user. Then you know on cloudflare, and then the cloudflare itself can be the network that carries the traffic to wherever it's going with the network services, and then you protect the application itself with the application stuff. So that's sort of where we are today. And then if the interesting thing, the where we're going sorry, give me the long answer of this is how did we build that? Well, right, we, we, from the very beginning we had built this idea of running the same things in all these places, et cetera, in this natively distributed way, and so to make our own developers productive, and so, like we have a developer that will build, like you know, they'll build a new load balancer, they'll build a new, you know, deep pack inspection capability. We didn't want them to think about how, how that, like where to run it. Like, do they deploy to Dallas or Moscow? They just deploy it to the network and it runs everywhere and that's, that's super compelling, like it literally runs all over the place, and so there was all this work that went into building this sort of like natively distributed environment and we finally were like, oh, customers probably want that too, and so that's turned into this like this whole serverless platform, and I think that's the the unknown future. But like if the world starts really developing things in serverless, that becomes like super compelling. But then we're like competing with, like Amazon and Google. So that's a if that, if that plays out well and the sort of industry moves the direction we are, that's a big future for us also. So it's a long answer to your question. All four areas, I think, have futures, but that's some of them are we've been doing for a while and other things we're. We're just sort of like ambitiously, sort of stretching into.

Speaker 1: 51:35

Yeah, it's really interesting seeing all the different tech trends and you know where they go and everything like that. And you know the past couple of years, every company that I've been at, every company that I've even talked to or know people at, they're all going serverless right and they're kind of dipping their toes in the water right now with serverless my current company they're probably the most serverless that I've that I've seen. Yet you know they go like serverless first. You know so it's. It provides interesting challenges, especially for you know someone to just learn the serverless side and like kind of wrap your head around that. It's a whole. It's a whole other like game that you're playing, that you're trying to figure out and you know from a security professional, how do you secure it, how do you make it easy for your developers and everything else. So it just it opens up a whole other can of worms, I guess, which is really interesting to see Cloudflare go into. That, you know, because as this space is kind of evolving and growing and turning into a more mainstream, you know, deployment approach, it's really interesting to see Cloudflare, you know, also identify that and say, oh, you know what, why don't we take this tech and move it into this, but we have to build it from the ground up, you know, for this architecture, because that's the only way that anything runs in this in this serverless world.

Speaker 2: 53:02

Yeah. Yeah, it's just sort of like if we say that one's moving from sort of centralized things to very distributed, where this network that helps like move, you know, connect to your user, to your application, no matter where the user is, where the application is. But then, like the logical, if things get really distributed, the logical like next step is like there are certain things that you don't even want to run in your data center, like can you just make them run in the network themselves, and so I think that's what we're starting to see is like there's certain use cases or even like storing of data, like we have a, we have a like an S3 compatible object storage, and so we're finding like some AI companies are using that to hold their training data and they can like move makes it really easy to like take the training data to whatever cloud they're using to build their LLM and that kind of thing. So there's just certain use cases that make sense just to put it in the network itself. And that's that's exciting. When you start thinking about serverless in that way, going oh okay, and also from you and I like thinking about like making something super available at low latency, you're like oh okay, before, if I wanted something to be available, I had to. I had to, you know, have a master with a slave and like manage orchestration et cetera. And then, if I was lucky, I'd have two or three instances where, if you can like deploy to a serverless environment like Cloudflare, you're like, oh, there's now literally like tens of thousands of incidents, incidents or incidents of it running, and I don't have to orchestrate it at all, like it'll, just it'll, sort of like that's part of the platform. That's really cool.

Speaker 1: 54:38

Yeah, it makes for a interesting future, that's for sure. We'll trade, you know we're. We're unfortunately at the top of our time here. I feel like I go another two, three hours with you, but you know I got to respect everyone's time, especially my own. I'm sure my wife will kill me if I stay on any longer, but before I let you go, you know why don't you tell my audience where they could find you, where they could find Cloudflare, if they've been living under a rock for somehow, you know, for the past 10 years? And yeah, you know, give them all that good information so they can they can learn more if they want.

Speaker 2: 55:14

Yeah, well one. Thank you so much, joe, and thank you to your wife for lending your time. This has been. This has been a blast. I could I could chat with you for ages. You can find Cloudflare at cloudflarecom, and actually where I recommend people start is blogcloudflarecom. We got a really, really good blog and, and if you want to just geek out on some stuff, there's a thing called radarcloudflarecom and the radar will. You can get stats on like IPv6 versus four and what kind of DDoS attacks are happening, which countries on which networks. There's some, there's some really cool sort of like real time dashboards of the internet, and if you want to find me, you can find me on LinkedIn. It's probably the best place to get a hold of me and I would love to connect with folks and answer questions and hopefully you and I will meet in person sometime soon, joe.

Speaker 1: 56:10

Yeah, absolutely, that'll be great. Well, thanks, trey, and I hope everyone listening to this episode enjoyed it. I will have all of the links down in the description of the episode. Make sure you go check them out. Thanks, everyone.