Enterprise Security Architect · Engineering Leader · Computer Scientist

FROM: <2019-04-01>

• As an Enterprise Architect, I participate in the design of future products and solutions offered by Swisscom, in collaboration with architects from all other divisions of the company.
• As Solution Security Architect for Swisscom’s Cloud Platforms —which include Enterprise Service Cloud, Enterprise Application Cloud, Dynamic Computing Services, Enterprise Cloud for SAP Applications and related services— I am responsible for the security, compliance and data governance of those services. I define, prioritize and drive relevant product features and business goals. I also lead the IT Clouds Security Community of Practice and advise engineering teams on compliance, governance and operational activities.
• Selected achievements and activities:
  • Ensure cloud platform and service compliance with internal, contractual and regulatory standards, including ISO27001, ISAE3402/3000 and GDPR.
  • Establish and currently lead a community of around 30 Security Champions from different teams, who drive security initiatives and promote the security culture within the Swisscom IT Clouds organization.
  • Coordinate threat modelings, audits, penetration tests and security compliance reporting.
  • Coordinate organization- and team-wide processes for risk and vulnerability management.
  • Development of the Swisscom Platforms vision for 2025.

FROM: <2016-03-01>
TO: <2019-04-01>

• I built and led a team which evolved on par with Swisscom cloud platforms to provide their monitoring and logging capabilities. My responsibilities included people management (up to 16 people), definition and prioritization of requirements and roadmaps (in collaboration with Product Managers and other stakeholders), technical architecture, and managing the planning and execution of team activities.
• Selected achievements:
  • Led the transition of the Enterprise Cloud LEMM (Logging, Event Management and Monitoring) and Access & Inventory frameworks into maintenance mode as the platform was retired.
  • Defined the scope and mission of the Health and State Management (HSM) team as part of the new Enterprise Service Cloud project, and later of other platforms as the IT Clouds scope expanded to Application Cloud, Enterprise Cloud for SAP Solutions and Dynamic Computing Services.
  • Defined the logging and monitoring architecture for the Enterprise Service Cloud platform based on VMware vRealize Operations and vRealize Log Insight.
  • Led the transition of the Application Cloud platform monitoring from the Orchard framework to a TICK-based framework.
  • Defined architecture and oversaw implementation of the Customer Log Forwarding service.
  • Managed business relationship and technical implementation of OpsGenie for alert management in IT Clouds.
• Main technologies involved: VMware vSphere (ESX, vCenter, NSX), VMware vRealize Operations Manager and Log Insight, Ansible (configuration management), OpsGenie (alert management).

EMPLOYER: Swisscom
LOCATION: Switzerland
FROM: <2015-08-01>
TO: <2016-03-01>

• Managed a team of three people and led the Orchard project through its implementation, production release and further improvements and development.

FROM: <2014-08-01>
TO: <2015-07-31>

• Designed the architecture and implemented the initial prototype for the Orchard health-management and self-healing framework for Swisscom’s Application Cloud Platform-as-a-Service service.
• Main technologies involved: OpenStack (cloud computing infrastructure), Cloud Foundry (application platform), Consul (health management and service discovery), RabbitMQ (message bus), Riemann (event analysis).

FROM: <2013-08-01>
TO: <2014-06-30>

• Managed the CFEngine language roadmap.
• Coordinated the CFEngine Design Center project.
• Coordinated the work on CFEngine third-party integration (e.g. AWS EC2, VMware, Docker and OpenStack).
• Developed code for both the Design Center core and its integrations.

FROM: <2011-10-01>
TO: <2014-06-30>

• CFEngine Advocate, with a special focus on security.
• Wrote the book Learning CFEngine 3, published by O’Reilly Media, which became the de facto introductory text to CFEngine.
• Gave talks, wrote articles and blog posts, taught classes, and in general spread the word about CFEngine.
• Developed and implemented the strategy for CFEngine as a security component.

FROM: <2012-07-01>
TO: <2014-07-31>

• I advised and coordinated teams working on teaching- and security-related products, consulting and services.

FROM: <2010-10-01>
TO: <2011-10-01>

• Acted as first point of contact for all security-related issues for five HP enterprise customers in Mexico.
• Initiated, advised and managed security-related projects.
• Handled communication and coordination between technical teams involved in security initiatives.
• Involved in all security-related decisions at the sales, design, implementation, delivery and ongoing maintenance stages of IT Outsourcing projects.

FROM: <2009-11-01>
TO: <2010-10-01>

• Helped multidisciplinary customer teams (software engineering, IT management, networking, sales and support) by solving complex problems in customer environments.
• Performed analysis, design and implementation of solutions in multiple areas of expertise, including system automation, configuration management, system administration, system design, virtualization, performance and security.

FROM: <2001-10-01>
TO: <2009-10-01>

• I was a member of the Global Security Analysis Laboratory (GSAL), where I worked in intrusion detection, malware detection and containment, and virtualization security research projects.
• See Research for details of my research.

FROM: <1997-05-01>
TO: <1997-08-01>

• Developer for the Bruce host vulnerability scanner, later released as the Sun Enterprise Network Security Service (SENSS).
• Designed and implemented the first version of the network-based components of Bruce, which allowed it to operate on several hosts in a network, controlled from a central location.

FROM: <1995-08-01>
TO: <1996-08-01>

• Founded UNAM’s Computer Security Area, the University’s first team dedicated to computer security, which has evolved into the Information Security Coordination (UNAM-CERT).
• Managed up to nine people working on different projects related to computer security.
• Managed security monitoring for a Cray supercomputer and 22 Unix workstations.
• Provided security services to the whole University, including incident response, security information, auditing and teaching.
• Established the celebration of the International Computer Security Day (sponsored by the Association for Computing Machinery) at UNAM. Acted as the main organizer of the event for two years (1994 and 1995). This event has grown and evolved into the Computer Security Day and the Computer Security Congress.
• Designed and headed development of an audit-analysis tool for Unix systems (SAINT) \cite{zamboni96:saint}.

FROM: <1991-11-01>
TO: <1995-08-01>

• System administrator at UNAM’s Supercomputing Center, managing a Cray Y-MP Supercomputer and related systems.
• Managed the Network Queuing Subsystem (NQS),
• Managed and provided support for 22 Unix workstations.
• Monitored the security of the Cray supercomputer and related workstations.
• Other responsibilities: user administration, operating system installation, resource management, security policies.

FROM: 2008
TO: 2009

• Security for VMware virtual environments using virtual machine introspection (based on the VMware VMsafe API) to provide intrusion detection and prevention capabilities.
• Publications: \cite{Christodorescu:2009:CSV:1655008.1655022}.

FROM: 2002
TO: 2008

• Billy Goat was the first instance of what is today called honeypots and honeynets.
  • An active worm-detection system, widely deployed (at the time) in the IBM worldwide internal network. It listens for connections to unused IP address ranges and actively responds to those connections to accurately detect worm-infected machines, and in many cases capture the worms themselves. Billy Goat is engineered for distributed deployment, with each device containing standalone detection and reporting capabilities, together with data centralization features that allow network-wide data analysis and reporting.
• Publications: \cite{riordan06:_build_billy_goat:first2006, riordan05:bg_techreport}

FROM: 2005
TO: 2007

• An active worm-capture device deployed at the network boundary and coupled with the border router, that allows the Billy Goat to effectively and automatically spoof every unused IP address outside the local network. This makes it possible for the Router-based Billy Goat to accurately detect local infected machines and prevent them from establishing connections to the outside, limiting the propagation of the worms to the outside network.
• Publications: \cite{zamboni07:sruti07-rbg}

FROM: 2005
TO: 2007

• Integrated device containing multiple security tools: intrusion detection, worm detection, vulnerability scanning and network discovery. Precursor to what is today called Unified Threat Management systems.

FROM: 2001
TO: 2002

• Host-based, behavior-based intrusion detection using sequences of system calls.

• Study of data collection methods for intrusion detection systems.
• Implementation of novel methods for data collection in intrusion detection systems.
• Analysis of the properties, advantages and disadvantages of internal sensors and embedded detectors as data collection and analysis elements in intrusion detection systems.
• Publications: \cite{zamboni01:phd-thesis, zamboni02:sensors_detectors, kerschbaum00:network-embedded-sensors, zamboni00:thesis-proposal, zamboni:raid2000}

• Design and documentation of an architecture (AAFID) to perform distributed monitoring and intrusion detection using autonomous agents.
• Implementation of a prototype according to the architecture. This prototype is published as open source.
• Exploration of research issues in the distributed intrusion detection area.
• Publications: \cite{spafford00:intrus_detec_auton_agent, zamboni:aafid-acsac98, zamboni:aafid-architecture, zamboni:raid98, zamboni00:build_aafid_with_perl, zamboni:raid99}.

• Collaborated in the analysis of the SYN-flooding denial-of-service attack against TCP and in the implementation of a defense tool.
• Publications: \cite{schuba97:synkill}, awarded the 2020 IEEE Security & Privacy Test of Time Award.

FROM: 2005
TO: 2007

A system installer that allows arbitrary system installation and configurations, allowing for both proprietary and open source components to be installed in an automated fashion. Open source components can be downloaded directly from their original source to avoid distributing them.

FROM: 2005
TO: 2007

A specialized Linux distribution containing multiple security services for integrated security monitoring in small and medium networks. Implementation includes also backend infrastructure components for system installation, configuration and upgrade; and data centralization, analysis and reporting.

FROM: 2002
TO: 2007

A specialized Linux distribution containing multiple sensors for detection of large-scale automated attacks. Implementation includes also backend infrastructure components for system configuration and upgrade, data centralization, analysis and reporting.

FROM: 1999
TO: 2001

A system of sensors for intrusion detection developed in OpenBSD through code instrumentation. Developed as part of my Ph.D. thesis work.

LABEL: Internship advisor
FROM: 2009
TO: 2009

• Project: Design and implementation of process injection using virtual machine introspection.

LABEL: Internship advisor
FROM: 2007
TO: 2007

Project: Implementation of a proof of concept Hyperjacking attack on Intel platform.

LABEL: Ph.D. co-advisor
FROM: 2005
TO: 2008

• Thesis: Data Mining Approaches for Analysis of Worm Activity Towards Automatic Signature Generation

LABEL: External Diploma Thesis advisor
FROM: 2005
TO: 2005

• Thesis: The Router-based Billy Goat Project

LABEL: Diploma Thesis tutor
FROM: 2002
TO: 2003

• Thesis: Desktop Firewalls and Intrusion Detection

LABEL: iNetworks, Mexico (remote class)
DATE: 2020

LABEL: Multiple venues
FROM: 2011
TO: 2013

LABEL: ETH Zürich
FROM: 2011
TO: 2013

LABEL: University of Lausanne
FROM: 2005
TO: 2005

LABEL: ITESM, Mexico
FROM: 2003
TO: 2003

LABEL: Purdue University, U.S.A.
FROM: 2000
TO: 2000

• Co-designed eight security-related lectures and taught two of them.
• Co-designed the class project.

LABEL: CSI NetSec conference, U.S.A.
FROM: 2000
TO: 2000

LABEL: Schlumberger, U.S.A.
FROM: 1997
TO: 1997

LABEL: UNAM, Mexico
FROM: 1991
TO: 1996

• Designed and taught multiple courses (10–40 hours long) on the following topics:
  • Introduction to Unix
  • Unix utilities
  • Unix security
  • Basic Unix administration
  • Advanced Unix administration
  • UNICOS system administration on Cray supercomputers