Eagle Eye Vision: Unified Cohesiveness in Organizations

 

After contributing to the early success of my first startup, Prolexic Technologies, I embarked on a new venture: architecting and building Zenedge’s first physical infrastructure network from the ground up. Our goal was ambitious—to create a robust defense against Distributed Denial of Service (DDoS) attacks within a short period of time. We started with a rudimentary plan: the make and model of routers, switches, and mitigation devices were clear, but the rest was up to us. Imagine designing an entire router configuration in a text editor, referencing old configs from the earliest DDoS defenses, and stripping inefficiencies to create a lean, automated network design.

 

The stakes couldn’t have been higher. A potential customer was under active DDoS attack, and as a startup, we were all in. My co-founder, Fausto Lendeborg, and I seized the opportunity to bring our design to life. Equipment was already staged at CoreSite's iconic One Wilshire building in Los Angeles, so we packed our tools and dove headfirst into the challenge. For three intense days, we worked non-stop, racking, stacking, cabling, and configuring hardware, taking short naps on the data center floor. Meanwhile, my phone buzzed incessantly with updates from the customer, anxiously awaiting our solution.

 

By the third day, we had external connectivity and an out-of-band management setup. Another week of negotiations with a transit provider finally brought internet connectivity online. Then came the moment of truth. I generated test attack traffic from my laptop, and we watched in awe as our mitigation gear sprang to life, showcasing those beautiful red and green graphs—red for blocked attack traffic and green for legitimate flows. We were elated! With a GRE tunnel established to the customer’s network, we successfully mitigated our first attack.

 

That initial success left me feeling unstoppable. Fausto and I pressed forward, refining our design for complete customer automation and scaling Zenedge’s infrastructure to support a comprehensive security portfolio. I brought in Jaimin Patel, a trusted colleague, and together we built ten scrubbing centers across the globe within two years. At the time, I thought, David, you can do it all.

 

But life has a way of humbling us. Six years ago, Zenedge was acquired by Oracle, marking my first foray into the world of large enterprises and the cloud business.

 

A Humbling Introduction to the Cloud

 

Just a week post-acquisition, I found myself in Oracle's Seattle office, sitting across from Oracle Cloud Infrastructure (OCI) architects—people who had built the infrastructures for Google, AWS, and Microsoft. As I listened to them speak, I was overwhelmed. It felt like I’d been dropped into a room where everyone spoke fluent Mandarin while I was armed only with rudimentary phrases. I was slated to present Zenedge's architecture, automation, and design, yet all I wanted to do was run.

 

In that moment, I turned to a strategy that has always worked for me: I took a mental step back. I imagined myself soaring above the room, beyond the earth, out into the vastness of the galaxy, gaining an "eagle eye view" of my surroundings. This shift in perspective reminded me of an analogy I hold dear: a mouse sees only the weeds and grass around it, but an eagle can look down from above, spotting the mouse and devising a clear path forward.

 

When I returned to the room, I approached the situation differently. Picking out keywords and concepts from the conversation, I pieced together a narrative. Despite my nerves, I stood up and delivered an overview of Zenedge’s network. To my surprise, the architects were intrigued, asking questions about our customer automation techniques—flawed as they might have been, they still offered innovative approaches worth exploring.

 

This moment, along with many other similar experiences, sparked a transformative realization: large organizations often suffer from silos, where teams focus so narrowly on their tasks that they lose sight of the bigger picture. My “eagle eye view” helped me break through that limitation.

 

The Power of Perspective

 

There’s a popular video that resonates deeply with me. It begins with a woman lying on the grass, zooming into her retina to reveal an intricate universe within—molecules, atoms, and nuclei—before panning out to showcase the Earth, the galaxy, and the universe at large. It’s a stunning reminder of interconnectedness, both vast and intimate.

 

This concept of “worlds within worlds” mirrors the relationships within organizations. Just as every molecule and galaxy are part of a greater whole, so too are individuals, teams, and systems within a company. Visibility and connection are crucial, not just for efficiency but for innovation and resilience.

 

Bridging Silos with Unified Security

 

In the next section, I’ll explore how this principle applies to network security. From edge visibility to IAM (Identity and Access Management), centralizing logs and behavioral data for analysis, and leveraging AI and machine learning, the key lies in creating automated solutions that seamlessly integrate every layer of an organization’s security landscape. Together, we’ll examine how unifying these layers not only mitigates risks dynamically but fosters the cohesiveness organizations need to thrive in an increasingly complex world.

 

DDoS Mitigation at the Edge

 

Network security, particularly DDoS mitigation at the edge, has historically been treated as a standalone function, often disconnected from broader security efforts. This approach stems from the nature of DDoS traffic:

 

  • Inbound Traffic: Generated by botnets or infected hosts outside the network and aimed at internal resources. The goal is to stop this traffic at the network edge so it never reaches, and never saturates, core infrastructure. Techniques include rate limiting, access control lists (ACLs), BGP Flowspec, and dedicated mitigation devices that add SYN authentication challenges, behavioral analysis, anomaly detection, geo-IP blacklisting, and threat-intelligence feed blacklisting, among other common methods. These devices inspect traffic at layers 3 and 4 of the OSI model (network and transport: IP addresses, protocols, and ports), dropping malicious traffic and forwarding the rest to the intended destination. The trade-off is that a coarse rule, such as a rate limit on a destination and port, discards legitimate packets in that class along with the attack traffic.
  • Outbound Traffic: Originates from infected internal hosts, often part of a botnet or engaged in malicious activity such as data exfiltration or spam generation. Mitigation focuses on identifying and dropping this traffic as close to the source as possible, typically at the host NIC, vNIC, or SmartNIC, or at the access or distribution layer, to minimize downstream impact.
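As an added example (not code from the original post or from Zenedge), the following Python decides the two coarse inbound countermeasures named above, per-source discard and per-destination rate limiting, from one window of constructed flow records, and renders the decisions as BGP Flowspec rules. The flow records, thresholds and the ExaBGP-style rule syntax are assumptions for illustration; check the keywords against whichever BGP speaker you feed the rules to.

```python
from collections import defaultdict

# Constructed sample flow records for one 1-second window (documentation-range
# addresses, not real telemetry): (src_ip, dst_ip, proto, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.5", "udp", 53, 90_000, 108_000_000),  # amplification-like: large packets
    ("203.0.113.11", "198.51.100.5", "udp", 53, 85_000, 102_000_000),
    ("192.0.2.7",    "198.51.100.5", "tcp", 80, 400_000, 24_000_000),  # flood-like: tiny packets
    ("203.0.113.12", "198.51.100.5", "tcp", 443, 120, 150_000),        # ordinary client
    ("192.0.2.8",    "198.51.100.9", "tcp", 443, 90, 60_000),
]

# Thresholds are assumptions for the example; tune them to link capacity and baseline.
SRC_PPS_DISCARD = 100_000         # one source at this pps of tiny packets is a flood
SMALL_PKT_BYTES = 100             # average packet size below this looks like a SYN/ACK/UDP flood
DST_BPS_RATE_LIMIT = 800_000_000  # aggregate bit/s toward one dst:port before rate limiting


def plan_mitigation(flows):
    """Return a list of (match, action) decisions.

    match is a dict of Flowspec match fields; action is "discard" or
    ("rate-limit", bytes_per_second). Per-source discards are decided first so
    that flood sources do not inflate the aggregate used for rate limiting.
    """
    decisions = []
    per_class = defaultdict(lambda: [0, 0])  # (dst, proto, port) -> [packets, bytes]
    for src, dst, proto, port, pkts, nbytes in flows:
        avg_size = nbytes / pkts if pkts else 0
        if pkts >= SRC_PPS_DISCARD and avg_size < SMALL_PKT_BYTES:
            decisions.append(({"destination": dst, "source": src,
                               "protocol": proto, "destination-port": port}, "discard"))
            continue
        per_class[(dst, proto, port)][0] += pkts
        per_class[(dst, proto, port)][1] += nbytes
    for (dst, proto, port), (pkts, nbytes) in per_class.items():
        if nbytes * 8 >= DST_BPS_RATE_LIMIT:
            # Cap the whole class at 10% of what was observed. This is deliberately
            # coarse: legitimate packets in the class are dropped too, which is the
            # collateral cost of layer 3/4 mitigation without per-session state.
            decisions.append(({"destination": dst, "protocol": proto,
                               "destination-port": port}, ("rate-limit", nbytes // 10)))
    return decisions


def render_flowspec(decisions):
    """Render decisions in a text form modelled on ExaBGP's Flowspec configuration
    (assumption: verify keyword spelling against your BGP daemon before use)."""
    lines = []
    for match, action in decisions:
        fields = []
        for key, value in match.items():
            suffix = "/32" if key in ("destination", "source") else ""
            fields.append(f"{key} {value}{suffix};")
        then = "discard;" if action == "discard" else f"rate-limit {action[1]};"
        lines.append(f"route {{ match {{ {' '.join(fields)} }} then {{ {then} }} }}")
    return lines


if __name__ == "__main__":
    for line in render_flowspec(plan_mitigation(SAMPLE_FLOWS)):
        print(line)
```

Flowspec's traffic-rate action is expressed in bytes per second, which is why the decision carries bytes rather than bits. In the sample window the single tiny-packet source is discarded outright, while the two large-packet UDP/53 sources only trigger a class-wide rate limit, because no single one of them crossed the per-source threshold.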

 

These differences in traffic direction dictate the application of countermeasures and often require separate teams to manage them. This segregation marks the start of siloed ownership in network security.

 

Asymmetry in Traffic Handling


Effective DDoS mitigation relies on asymmetric traffic handling: traffic does not necessarily follow the same path inbound and outbound. In a scrubbing-center design, inbound traffic for the protected prefix is drawn through the mitigation devices and the clean remainder is delivered to the customer (over a GRE tunnel, as in the first mitigation described above), while the customer's outbound traffic leaves by its normal path and never crosses the scrubbing center. This flexibility lets the network "peel away" bad traffic while preserving legitimate flows. However, it also introduces challenges:

 

  • Asymmetry and the OSI Model: Because the mitigation devices see only the inbound half of each session, filtering is limited to decisions that can be made from one direction at the IP (layer 3) and transport (layer 4) levels: ACLs, rate limits, and challenges such as SYN authentication, where the device answers the client itself and needs nothing from the server side. Mitigations that require application-layer inspection (layer 7), such as decrypting TLS or reading HTTP requests and responses, depend on symmetry, because a stateful inspection device needs to see both directions of a session.
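The following Python, added here as an illustration and not code from the original post or from any vendor's device, simulates why a SYN authentication challenge works on an asymmetric path: the mitigator answers each SYN itself with a SYN-ACK whose sequence number is a keyed cookie, stores no state until the client's ACK proves the cookie, and never needs to see the server's side of the session. The packet dictionaries, secret, validity slot and counters are constructed for the example.

```python
import hashlib
import hmac
import struct

SECRET = b"example-only-rotate-me"  # assumption: per-device secret, rotated in practice


def syn_cookie(src, sport, dst, dport, slot, secret=SECRET):
    """32-bit cookie bound to the 4-tuple and a coarse time slot, in the spirit of
    classic SYN cookies (an HMAC truncation rather than the original hash layout)."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    return struct.unpack(">I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


class SynAuthMitigator:
    """Inline on the inbound path only: sees client->server packets, never the replies."""

    def __init__(self, slot_seconds=8):
        self.slot_seconds = slot_seconds   # cookie validity granularity (assumption)
        self.authenticated = set()         # 4-tuples that answered the challenge
        self.stats = {"syn": 0, "authenticated": 0, "dropped": 0}

    def _slot(self, now):
        return int(now) // self.slot_seconds

    def handle(self, pkt, now):
        """Return "forward", "drop", or ("syn-ack", cookie) for a reply the device sends."""
        tup = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if tup in self.authenticated:
            return "forward"
        if pkt["flags"] == "SYN":
            # Reply on the server's behalf. No per-connection state is stored here,
            # so a spoofed flood costs the device one HMAC per SYN and no memory.
            self.stats["syn"] += 1
            return ("syn-ack", syn_cookie(*tup, self._slot(now)))
        if pkt["flags"] == "ACK":
            # A real client acknowledges cookie+1. Accept the current and previous slot
            # so a client answering just after a slot boundary is not rejected.
            expected = pkt.get("ack", 0) - 1
            for slot in (self._slot(now), self._slot(now) - 1):
                if expected == syn_cookie(*tup, slot):
                    self.authenticated.add(tup)
                    self.stats["authenticated"] += 1
                    # A real device now hands the client to the server, typically by
                    # sending RST so the client retries and its next SYN is forwarded.
                    return "forward"
        self.stats["dropped"] += 1
        return "drop"


def simulate():
    """Constructed traffic: 1000 spoofed SYNs that never complete, one real client,
    and one forged ACK with a guessed cookie. Returns the mitigator's results."""
    m = SynAuthMitigator()
    now = 1_700_000_000.0
    victim = {"dst": "198.51.100.5", "dport": 443}
    for i in range(1000):
        m.handle({"src": f"203.0.113.{i % 250}", "sport": 1024 + i, "flags": "SYN", **victim}, now)
    real = {"src": "192.0.2.7", "sport": 40000, **victim}
    _kind, cookie = m.handle({**real, "flags": "SYN"}, now)
    real_result = m.handle({**real, "flags": "ACK", "ack": cookie + 1}, now + 0.2)
    forged_result = m.handle({**real, "sport": 40001, "flags": "ACK", "ack": 12345}, now + 0.2)
    return m.stats, real_result, forged_result, len(m.authenticated)


if __name__ == "__main__":
    print(simulate())
```

The spoofed sources never answer, so after a thousand SYNs the mitigator holds exactly one entry, for the client that proved its cookie; that is the property that lets a device with inbound-only visibility survive a SYN flood without per-connection memory, and it is also why the same trick has no equivalent at layer 7, where the proof would have to come from the server's response.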

 

Web Application Firewalls (WAFs)


WAFs add another layer of security. They are designed for symmetric traffic inspection, typically as a reverse proxy that terminates TLS with the protected site’s certificates and keys so that encrypted workloads can be inspected in the clear. WAFs examine traffic at the application layer (layer 7), looking for attacks against the vulnerability classes catalogued in the OWASP Top Ten, such as SQL injection and cross-site scripting (XSS).

 

However, WAFs come with constraints:

  • They typically operate only on the public-facing ports they are configured to proxy (e.g., 80 for HTTP and 443 for HTTPS); traffic on other ports, and floods that saturate the link before the WAF, have to be handled upstream.
  • They rely on high-performance hardware or virtual appliances to decrypt and inspect encrypted traffic efficiently.
  • Mitigation dashboards and logging are often siloed, separate from other security systems.
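Because the WAF terminates TLS and sits on a symmetric path, it can decode and inspect individual request parameters, which the layer 3/4 devices above cannot. The Python below is an added illustration, not code from the original post or from any product: a small request inspector with two toy signatures whose real point is the normalization step, since matching raw bytes without bounded URL-decoding misses the double-encoded payloads used to slip past signature WAFs. The signatures and sample requests are constructed for the example and are far smaller than a real rule set.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Toy signatures (assumption: real WAF rule sets are far larger and use anomaly scoring).
RULES = {
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+1\s*=\s*1|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript\s*:|\bon\w+\s*=)"),
}


def split_params(encoded):
    """Split a query string or form body into (name, raw_value) pairs WITHOUT
    decoding, so that normalize() is the only place decoding happens."""
    pairs = []
    for item in encoded.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((name, value))
    return pairs


def normalize(value, max_rounds=3):
    """Bounded repeated URL-decoding (%2527 -> %27 -> ') followed by whitespace
    collapsing. The bound keeps a pathological payload from costing unbounded CPU."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value)


def inspect_request(method, target, body="", decode=True):
    """Return [(rule, param, value)] hits over the query string and, for POST, the body.
    decode=False matches the raw bytes instead, to show what the evasion relies on."""
    params = split_params(urlsplit(target).query)
    if method == "POST":
        params += split_params(body)
    hits = []
    for name, raw in params:
        value = normalize(raw) if decode else raw
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.append((rule, name, value))
    return hits


if __name__ == "__main__":
    double_encoded = "/search?id=1%2527%2520or%25201%253d1"
    print("raw match:    ", inspect_request("GET", double_encoded, decode=False))
    print("decoded match:", inspect_request("GET", double_encoded))
    print("benign:       ", inspect_request("GET", "/search?q=select+a+book"))
    print("post body:    ", inspect_request("POST", "/comment", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))
```

The double-encoded `id` parameter produces no hit when matched raw and a clean SQL injection hit once normalized; the benign search query stays clean either way. A production WAF also normalizes character sets, JSON and multipart bodies, and headers, and scores rules rather than blocking on any single match, but the ordering is the same: decode first, match second.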

 

Expanding the Security Scope

 

Beyond DDoS and WAF applications, modern network security encompasses a broad range of functions, including:

  • Authentication and Access Control: Authenticating internal users and the remote clients that reach the network over overlay services such as VPNs or SD-WAN. Identity and Access Management (IAM) systems handle user and device authentication and authorization.
  • Compliance and Governance: Adherence to standards like PCI-DSS, HIPAA, GDPR, and SOC 2.
  • Endpoint Security: Monitoring and managing the devices that connect to the network to ensure they comply with security policies.
  • Data Security: Encryption, data loss prevention (DLP), and secure data transfers.

 

Centralized Logging and Incident Response

 

A separate silo often handles centralized logging and event management. Security Information and Event Management (SIEM) platforms like Splunk or QRadar aggregate logs from across the network, providing a unified view of activity. These platforms feed data into:

  • Detection and Response Teams (DART): Responsible for analyzing threats and responding proactively.
  • Incident Response Playbooks: Predefined actions to manage and mitigate security incidents effectively.

 

The Problem with Silos

 

The siloed nature of systems—such as DDoS protection, WAFs, IAM, SIEM, and endpoint security—creates gaps in visibility and coordination. Each team focuses on its own domain, but the lack of integration hampers the organization’s ability to respond dynamically to evolving threats.

 

Toward Unified Cohesiveness

 

To overcome these challenges, organizations need to embrace a holistic approach to network security. This includes:

  • Visibility Across Layers: From edge traffic inspection to internal authentication logs, a comprehensive view is essential.
  • Centralized Data Repositories: Logs, behavioral data, and metrics should feed into a single source of truth.
  • AI and Machine Learning: Leveraging advanced analytics, like User and Entity Behavior Analytics (UEBA) and Threat Intelligence Integration, enables predictive and dynamic responses.
  • Automation: Implementing Security Orchestration, Automation, and Response (SOAR) tools ensures real-time responses with minimal manual intervention, increasing efficiency and accuracy.
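Added example, not from the original post and not any vendor's SIEM or SOAR logic: three constructed log sources in the native formats of a scrubbing center, a WAF and an IAM system are normalized into one schema, correlated by source address inside a time window, and mapped to a playbook. Each silo's events alone are low priority (one rate-limited source, two blocked requests, one successful login); only the joined view shows that the address rate-limited at the edge then probed the login page and finally authenticated as a user. The log formats, field names, window and playbook step names are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, one silo per format (documentation-range addresses).
DDOS_LOG = [
    "2024-05-01T10:00:02Z scrubber=lax1 action=rate-limit src=203.0.113.50 dst=198.51.100.5 pps=150000",
]
WAF_LOG = [
    '{"ts":"2024-05-01T10:04:10Z","client":"203.0.113.50","rule":"sqli","uri":"/login","blocked":true}',
    '{"ts":"2024-05-01T10:04:12Z","client":"203.0.113.50","rule":"sqli","uri":"/login","blocked":true}',
]
IAM_LOG = [
    "2024-05-01T10:09:30Z,login,SUCCESS,alice,203.0.113.50",
    "2024-05-01T10:09:31Z,login,SUCCESS,bob,192.0.2.44",
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_ddos(line):
    """key=value line from the scrubber (hypothetical format)."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {"ts": parse_ts(ts), "source": "ddos", "src": kv["src"],
            "outcome": kv["action"], "user": None}


def parse_waf(line):
    """One JSON object per blocked or allowed request (hypothetical format)."""
    rec = json.loads(line)
    return {"ts": parse_ts(rec["ts"]), "source": "waf", "src": rec["client"],
            "outcome": "blocked" if rec["blocked"] else "allowed", "user": None}


def parse_iam(line):
    """CSV audit record: ts,event,result,user,src (hypothetical format)."""
    ts, _event, result, user, src = line.split(",")
    return {"ts": parse_ts(ts), "source": "iam", "src": src,
            "outcome": result.lower(), "user": user}


def normalize_all():
    """Flatten the three silos into one time-ordered list with a common schema."""
    events = ([parse_ddos(l) for l in DDOS_LOG] + [parse_waf(l) for l in WAF_LOG]
              + [parse_iam(l) for l in IAM_LOG])
    return sorted(events, key=lambda e: e["ts"])


def playbook(severity, events):
    """Map severity to response steps (step names are hypothetical SOAR actions)."""
    actions = ["add-edge-blocklist"]
    if severity == "high":
        users = sorted({e["user"] for e in events if e["source"] == "iam" and e["user"]})
        actions += [f"revoke-sessions:{u}" for u in users] + ["open-incident"]
    return actions


def correlate(events, window=timedelta(minutes=15)):
    """Raise one alert per source address seen in two or more silos inside the window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        silos = {e["source"] for e in evs}
        if len(silos) < 2 or evs[-1]["ts"] - evs[0]["ts"] > window:
            continue
        logged_in = any(e["source"] == "iam" and e["outcome"] == "success" for e in evs)
        severity = "high" if logged_in else "medium"
        alerts.append({"src": src, "silos": sorted(silos), "severity": severity,
                       "actions": playbook(severity, evs)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize_all()):
        print(json.dumps(alert))
```

The correlation key here is only the source address, which is what the three silos happen to share; in practice the join also runs over user, device and session identifiers, and the edge blocklist step closes the loop back to the DDoS layer that first saw the address, which is the cross-layer response the rest of this post argues for.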

 

The Bigger Picture

 

Security is not just about tools and technologies; it’s about breaking down silos and fostering cohesiveness across teams. In the next post, we’ll explore how to integrate advanced mechanisms like Behavioral Analytics, Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Network Detection and Response (NDR) tools, and Zero Trust Architecture into a dynamic, unified security framework. By feeding a central logging and event correlation system and using AI and machine learning for dynamic decision-making, we can apply real-time mitigation across every layer. Such a framework not only strengthens security within an organization but can be exposed through APIs, enabling other organizations to automate responses and improve their own security posture.

 

Author: David McKinney

Thank you for reading! Feel free to leave a comment below or connect with me on LinkedIn to continue the conversation.

 

About David McKinney

 

David McKinney has over 25 years of experience in the Network and Security space, specializing in DDoS engineering, network protection, and product development. As a leader in the field, David is passionate about creating cohesive, unified frameworks that address complex security challenges. In addition to his professional endeavors, he’s an avid runner, surfer, and musician, balancing his career with family life and a love for outdoor activities.