Security at Scale
We recently had a chance to sit down with Tony Perez, the CEO of Sucuri. Sucuri is one of our go-to partners in assisting with our clients’ security needs.
Pixel Jar: For readers who aren’t familiar with Sucuri, tell us a little bit about how you got started in the security space.
Tony: No problem.
Sucuri was established back in 2010, but the idea originally started in 2008. It was founded by Daniel Cid, also the Founder of the open-source Host Intrusion Detection System (HIDS) OSSEC project.
We originally started off as a project and we were focused on looking to see if we could monitor the integrity of a site (i.e., malware scanning). This evolved into fixing the integrity issues (i.e., malware removal) and later into stopping the hacks (i.e., Cloud-based Website Firewall). We were established as a company in January 2012 and the rest, as they say, is history.
So today when people ask me what we do, we keep it simple: we clean and protect websites.
As for me personally, I was first introduced to the idea of security while working as a defense contractor. There was a certain time in my history where I was considered a subject matter expert in geospatial technologies (GIS) and would travel the world providing insights to various US and foreign military organizations. In doing so, especially in the US, we had a lot of guidelines and standards to comply with, such as the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). As the project manager on a number of custom software projects, we were responsible for being familiar with them and ensuring our solutions were in compliance. This was my first foray into the world of information security, but it was not my core focus. This changed, though, in 2011 when I was invited onto the Sucuri team to help with operations.
Pixel Jar: What are the services that Sucuri offers?
Tony: I like to divide our solutions into four platforms: monitoring, response, protection, and backups. Most of what our direct buyers leverage these days is comprised of our complete security package which combines three of the four platforms (i.e., monitoring, response, and protection).
One of the things you’ll notice with the way we’re structured is that we’re very transparent with consumer buyers. This is the price; there is no ambiguity to the process. Our security stack is an annual payment and takes the guesswork out of the equation for buyers. This ensures that they get the best of all worlds. If a website is dirty, we’ll clean it. We’ll continuously monitor it to ensure its integrity. And of course, we’ll deploy a protective perimeter to help mitigate external attacks. We also always encourage all customers and non-customers to leverage and deploy our WordPress security plugin. It was designed to be a complementary solution to your existing security posture. It provides website owners visibility into what’s happening at the application level (i.e., who is logging in, what changes are being made, what application integrity issues arise).
The backup platform is made available only to our customers.
Pixel Jar: What makes securing an enterprise site different from securing a typical WordPress installation?
Tony: For us, the core of the technology is based on the same engine and process. The biggest differentiator comes in expectations.
Organizations that place a heavy emphasis on their site, and whose security concerns are often a bit more elevated, fall into a fundamentally different category, often requiring a very different level of engagement. It can range from customized service level agreements (SLAs) to technical customizations in the way rules are built and deployed to account for their unique applications. Many will also have some driving force behind their security requirement, whether it be governance set internally or industry standards like what you find in e-commerce (i.e., PCI) or health (HIPAA). How you support and engage these organizations is key and very different from what consumer-based sites might require. In many instances, crossing the security divide with larger organizations is a lot easier as well. You’re not having to explain or dive into the “why” of things (why should I worry about security?). Rather, the focus is on the “how”: How will this be deployed? How will it integrate with existing systems?
As for the application itself (WordPress), the concepts are very similar. You might have some deeper integrations you have to make with existing controls like a security information and event management (SIEM) system or Lightweight Directory Access Protocol (LDAP) for authentication, but the concepts are very similar. You might have to deal with more stringent change control processes that delay the deployment and acceptance of your projects and even the integration of technologies like those we offer.
I actually wrote an article that some might find insightful around how to account for open-source CMS applications within your enterprise: https://perezbox.com/2016/04/open-source-cms-security-enterprise/
Pixel Jar: We’ve worked with you for some time and in conjunction with some of our clients’ hosts. Talk a little bit about partnering with other providers for your enterprise clients.
Tony: We’ve always enjoyed working with Pixel Jar as well as many other providers. We find this to be the most effective approach. Organizations have already built a relationship; why should we interfere with that? Of course, the biggest challenge is ensuring we don’t let our partners down. When we have problems that arise we take note, learn from the issue, and work to continue to improve.
Personally, I think that agencies and development shops are the front line of the conversation with customers and that shouldn’t change. We are very aware we’re a very small piece of a much larger process and we want to be very sensitive not to take over customers and interfere with existing relationships. Instead, our goal is to work with organizations like Pixel Jar to help provide solutions for your customers. In many other instances we’ve even become part of the scoping and engagement process, where we function as a trusted team member during the scoping process to ensure expectations are set early. This comes from my early days as a program and project manager.
I wrote an article other agencies might find useful on when to account for security in a project: https://perezbox.com/2014/10/accounting-for-security-in-website-projects/
Pixel Jar: One of the things we love about you guys is your connection to the WordPress community. Can you talk a little bit about that?
Tony: The WordPress community has been close to our hearts for a very long time. We work in a number of different communities, and it’s by far one of the more vibrant ones. Over the years how we interact has definitely evolved. I’m very happy with where things are right now. We still engage at WordCamps around the world through talks and sponsorships, but have also expanded our engagement through our research and support with the WP security team. We try to stay very focused specifically on how we engage by sticking to our core, which, of course, is security. I’m most proud of consistently putting together content that continues to push how people think about security in WordPress and websites in general. Our latest contributions include some of our webinars: https://sucuri.net/webinars/ and information on our blog: https://blog.sucuri.net/
Pixel Jar: Is there anything else our customers should know about Sucuri?
Tony: One of the things we’re proudest of is the fact that we’ve fully embraced a remote workforce. We have an office in Temecula, California that we use as a central point where we have team meetups, but everyone works from home. We currently have 100 employees spread across 27 different countries and that’s actually something we’re really proud of. In fact, if you look closely at our site, https://sucuri.net, you’ll see that we’ve started to integrate city pictures for the cities that our team works from.
We’re also pretty excited about some of the things we’ve done over the past few years in regards to our infrastructure. These days we have a presence in 6 data centers around the world, our latest deployment being in Tokyo. This is pretty exciting. We’re going up against all the odds and some of the biggest players in the space and being successful. We’re like the little engine that could, and I love every minute of it! It speaks directly to our ability as a company, and shows it’s not always about being first as much as delivering real value.
We’re also purists when it comes to security, believing in the idea of openly collaborating and sharing what we find. Some could argue it’s to a fault, but I can’t help but think it’s what made us who we are. We’re driven not by our desire to make money, but by our need to solve problems. So we don’t aim to have some self-professed title of our own awesomeness; instead we like to let our support and product speak for themselves.
Pixel Jar: Thank you so much for taking some time out to talk to us. We think you offer a great service. For even more information on Sucuri, visit Sucuri Security.