Protecting your systems from cyber threats is not just about using the latest technology. It’s about understanding the risks and having a comprehensive solution in place. In this episode, we have Brad Sollar, the Chief Technology Officer of Mainsail Industries, a US security company specializing in next-generation secure virtualization. Brad shares his insights on cybersecurity and cyber risk management, and discusses the solutions that Mainsail has developed to help customers secure their systems. He also dives into Mainsail’s Metalvisor, the foundational element for secure tactical edge computing, and explains how it works. Brad also sheds light on how Mainsail helps smaller businesses with hypervisors and the costs associated with cybersecurity. He also provides valuable information on compliance regulations such as 800-207 and 800-53, market trends, the DOD, and more. Tune in now to gain valuable insights into the world of cybersecurity and the innovative solutions being developed to protect our systems.
Watch the episode here
Listen to the podcast
Next-Gen Secure Virtualization: Market Trends And Insights In Cybersecurity With Brad Sollar
We have an amazing guest who is the Chief Technology Officer for Mainsail Industries. Welcome, Brad Sollar. We always start off our questions here with our key question, which is if the cyber risk was a pizza, and frameworks are the crust, what is the riskiest topping you have ever seen? What topping would you equate that to?
One of the riskiest things, and I always break this into two things with security. It would be anchovies because that is not a favorite top of mind. I do like pineapple. I love it with bacon. You’ve got to have the American bacon, not the Canadian stuff. One of the riskiest things I see all the time is simple misconfigurations.
There is a ton of people who deploy infrastructure, deploy their applications, and think that’s it when a little bit more work can ensure things are configured properly. One of the things that helps with that the most is using automation. Once you understand automation, you are going to be a lot more likely to automate deployments as well as do updates and patching. I always think of those as low-hanging fruit, but honestly the highest impact on an organization.
One of the things that I have seen is the system administrator is getting things up. Once they get it up and they go, “It is working.” They get that fire call and get run off to someone else. That security never happens. That is one of those issues.
Those are always the low-hanging fruit for me, especially as a new company standing up infrastructure doing a lot of stuff on-prem. When you go into the cloud, you are like, “This is public-facing for everyone to bang on.” We are always thinking about ensuring the starting meeting compliance at the start. That is a bare minimum. I like to get into the real security of things to prove something is secure.
The second part of my answer is the things that keep me up at night are the stuff that focuses on APT style, Advanced Persistent Threats, and targeted threats where someone is constantly a target. You are a target. I’m going to continue to attack you until you slip up. I find some zero-day, and I get in, or one of your people answers a phone or email. Those are the things that not your average consumer is going to be able to understand and be able to protect systems at that level. A lot of what we, as a company, are trying to do is make security simple, especially at the lower layers for the hard things.
Tell us a little bit more about that. What is the solution you have developed to help those customers secure that?
We are bringing the first zero hypervisors to market. Familiar with the Type 2 was your VirtualBox or VMware player running on an operating system. Nobody does that for production. Everyone is down at Type 1, which is a strip-down Linux operating system to run virtualization. That is your AWS, Azure, VMware, and all of those types of hypervisors.
We are focused specifically on the edge market. That means the edge is a loose term. We define the edge as anything outside of the public data center or public cloud. It is anything that is out at the edge. Since we are at a Type Zero, we are launched from firmware, and we don’t have an orchestrator. Our hypervisor is able to provide hardware-based isolation for running all the workloads you are running out at the edge anyways. It is like the 5G, AI, and ML.
We are wrapping it with NextGen Security, but at the same time, we are trying to make this as simple as possible. Nobody I know goes and says, “Let me check the firmware on this server and make sure that they are forcing secure boot.” That is something we are doing by default. We are trying to make security simple for the average consumer, especially when you are outside of the cloud protections, where you got a whole SOC and the whole team that is looking after things.
What is your biggest challenge in meeting those regulatory requirements now?
There are many of them. You almost get analysis paralysis when you start to say, “I have a system for the DOD.” If I was going to accredit it, there are many things you have to worry about, from cryptography, FIPS, and meeting like NIST 800-53 or Zero Trust 800-207. It goes on and on, and a lot of times, what is your government customer’s main concern? You can build an RMF and ATO package and get that thing approved. At the end of the day, there is security in that. Are you meeting that compliance? There are a ton of things, especially trying to navigate that, as a small company, can be incredibly difficult.
What do you consider a small company from that standpoint?
Anywhere under $10 million, from your smaller under 50 people, especially when you start talking about having to get CD certification done as a business. If you are not doing it yourself, you are hiring an auditor. The pricing for that is almost the price of hiring another person. Depending on your size and scale, if you are larger, those are going to be known costs to you anyways. If you are trying to get into a market as a smaller company, this can be a little bit challenging.
How does Mainsail help with that for the smaller businesses? The hypervisor, but let’s make it, so the business owner understands because the person that is a $10 million company isn’t dealing with the hypervisors on their normal day-to-day basis. Give me a high level of how Mainsail helps with that.
At the high level, we have done a lot of the missed mappings for Zero Trust, especially down at the compute layer. People look at Zero Trust as a network base construct. People looked at Google’s BeyondCorp and not using VPNs anymore. On the network side of things, it is clearly understood in terms of compliance. When you start talking about the compute, these are things in the NIST guidebook and DOD guidebooks do not have people worry about until 2027 to 2030. That is what they are calling Zero Trust Advance for NIST 800-207.
One of the things we are doing is we have done our mapping to NIST for advanced compute. We are able to help organizations meet that compliance for compute now. We are based on top of Red Hat. I’m a former Red Hat solutions architect around security. The great thing with that operating system is they have gone and done common criteria and FIPS certification for the crypto modules. They have Ansible Playbooks. It can help you configure to meet NIST 800-53 and several others or any other compliance nature you are going under.
We are trying to put all that together. What we are trying to do is have a turnkey solution. By taking your application and running it on top of us, there is some level of inheritance that you will be able; if you are going waste the government speaks, you start to look at inheriting some of the controls we would be able to provide.
As a business owner, how does your solution change things now? Mention what it brings. Does it bring down the cost? Does it bring down the time to market? It does help with the regulatory part. We got that with the 800-207 and 800-53, but can you tell me a little bit more about that?
When we talk about costs, they can manifest themselves in a lot of different ways, especially as a business owner. You might start with one solution and finally realize, “I need to hire a couple of people when you start growing in terms of a SOC, network monitoring, security monitoring, all compliance, and all of these types of things.” You are looking at, “I need to have SIEM or IDS and host intrusion devices. We can XSOAR and SOAR. That build can start to grow over time.
One of the things that we offer with our solutions is we have built-in exploit protection. We work in conjunction with a lot of those tools. If you want to bring those as an extra layer, great. In terms of starting from a secure foundation, we are trying to help lower the security costs for all the additional toolings you might have to bring to a solution. We are trying to help bring down those costs from that perspective.
They are under-spinning in my head on this one. From an edge perspective, there is the traditional edge and the modern edge. What does that look like? In concept, it makes a lot of sense. Have you heard of FirstNet from AT&T? Do you know what that is?
Allegedly, it was called one of the first private nets for a first responder. I always think about those situations. Whether you have a private net, you have a public internet, or you are presenting, you still have this edge problem and many derivations. Do you have specific markets that might be embracing it? FirstNet was an example of focusing on first responders.
We are coming from the DOD. It is our first market. We see a definite use case with that. We have done a lot of work with the Army futures and looking at where they are trying to go with their unified network. They are doing a lot with SD-WAN and 5G. A core component of that is the servers and devices they run on and being able to secure those when they are out at the tactical edge.
You also have to worry about physical protection, things where someone has control of the hardware. In most traditional senses, if someone has control of the hardware, they usually win. They were able to do something to get inside, especially with the confidential computer. If you are able to pull the memory from a server, especially when we start talking about terabytes of memory, you can pull the memory, plug it into another machine, and read what was on that.
Another thing we enabled was confidential compute, which blocks those attacks. We think that a lot of those markets out there don’t have those physical protections, for the DOD is one market. We also look at finance, oil and gas, and critical infrastructure. If you look at the oil and gas with some of the pipeline attacks that have happened and ransomware, to get ransomware, you have to have some exploit.
One of the things that we are able to stop a lot of is these types of exploits that happen. We see oil and gas out in remote areas and settings. Who knows when is the next time someone is going to drive by, pick that box up, and do something with it? We see that since we are trying to provide this full stack protection from the silicone all the way to the application runtime. We think that is a good set of features that a lot of those markets would be interested in, especially when we are talking about critical safety-conscious industries.
We have seen that in the white box switching market, where new protocol designs are being established. They are using a white box switching a platform. From the common Ciscos of the world to unique deployments, that hypervisor problem is something that is considered the stability of the network itself, traffic, and motion versus traffic at rest situation.
I can imagine the number of different applications that might exist that go beyond what the DOD is and some of the manufacturers of some of the products the DOD might acquire. That is one of many examples white box switching might apply. It sounds extremely open in terms of where you might be able to go next. I’m curious how the vision might be as you get beyond DOD.
One of the things we have done is partnered with Red Hat. We have reference architectures where we are able to run things like OpenShift on top. One of the great things with this architecture is now since we are providing this hardware-based isolation, we can run low latency and real-time operating systems all on this platform because you can’t do that on traditional virtualization. There is too much interference between the context switching and sharing of resources between virtual machines. Since we are using hardware-based isolation, we can get incredible determinism and quality of service.
You can reduce the space weight and power by being able to run software-defined radios, 5G, and all of these things on an OpenShift platform and be able to use all the modern DevOps and DevSecOps techniques to deploy your application. This adds another architectural tool to your tool belt for designing systems. We are in the infancy of this new Type Zero hypervisor. We got a lot of partners that are trying to use this to build all different types of things on it.
Brad, what events are you going to? How does somebody learn more about the hypervisors you are creating and the technology?
We have been attending a lot of FCO events. We came back from FCO West, which is a Navy event. We had a booth there with Western Digital Federal. Most people know Western Digital but might not know Western Digital Federal. They are a newer group within them. They are making purely customized hardware for the edge.
We have partnered with them because they have ruggedized and hardened servers. They are fantastic for this edge use case. We have been to a lot of the FCO events. We are looking at a couple of more events, basically the FCO. There is Baltimore Cyber. That is in October 2023. There is the AUSA. We will have a booth in 2024.
What books would you recommend for learning more about this?
One of my favorite books that I have been reading is there is a whole series of books by an author called Sparc FLOW. It’s not even a real name. It is a pen name. He uses that pen name to be vivid with his writing. He takes you through a lot of hacking scenarios, looking at secure industries, and how to hack into them.
It is fictitious, but it is fantastic because he takes you from the attacker’s perspective, from how to set up anonymous connections to how to bypass them. You can walk all over a network and do the things that an attacker would do. There is one called How to Hack Like a Ghost. That one is required reading for all my engineers. It is mainly so that people can get them inside the mindset of how little misconfigurations can end up leading to massive security breaches. Those are a great series of books.
What excites you about the future? What do you see coming?
One of the things, at least for us, is getting our message out. We have spent a lot of time in stealth mode as a startup, and now we are finally out there getting ready to promote a product called Metalvisor and looking at building out new reference architectures and seeing what people are building on top of us. It is incredibly exciting to see people take something you have built and start to incorporate it into everything they are doing. That is fantastic.
As we look towards the future, we are looking at proving some thought leader things that we are doing with The Aerospace Corporation. They are an FFRDC in El Segundo. They are a multi-level security lab. We are trying to be thought leaders and showing race isolation is something that can host multiple levels of security. In the future, that will be something we might be able to come back and talk on your show about it.
Tell us more about you. Where did you come from? How did you get this experience? You mentioned a little bit about Red Hat. Tell us about college.
I consider my first real job was to join the Army. I was airborne and a radar technician. That was how I first got into computers and electronics. I started on some old actual Navy radars that they were throwing away in Army. We picked them up. We were like, “We will take them.” I worked on those with old transistor tubes and high voltage.
We eventually went into more digital with tactical radars. From there, I got into getting into computers and networking. When I went to school and came out, I was lucky enough to get a shift job working as an IDS analyst. I spent a lot of that time learning from people that are experts, already knew a lot of things, got some sands training, and got into cybersecurity.
My cyber career took off when I was able to work with INSCOM and 1st IO. They are now part of ARCYBER. I worked there as a contractor. What we did was a lot of offensive cyber as well as how to defend against it on a lot of red-blue teaming type of things. That was fun. For a long time, I did that. I got a job. I got an offer from MITRE. It is an FFRDC. This was right when the cloud was a huge thing.
I had gotten certified as an AWS Architect. I was in high demand there at MITRE. I was going across many different organizations. That was great looking at bringing new technology into the government, and I liked doing that. When I got the call from Red Hat to become a solution architect, I jumped at it because that was when containers in Kubernetes were coming out around the 2013 and 2014 timeframe.
I worked in Red Hat Public Sector. That was a blast because containers were a new concept. No one had an idea what it was. I did a lot of workshops and taught customers how to take a monolithic application and break it into microservices. I got into container security pretty heavily still to this day. I do a lot of work around that on securing things.
From there, I worked at a company called Presidio and tried my hand at commercial sales. I found I was still a DOD guy. I ended up finding my cofounder. We started Mainsail when we had both worked around this technology we are bringing to market. He is Navy. I’m Army. We settled on the Mainsail name. I was compromised. We have the Navy name.
If you could go back in time and give your younger self advice, what would it be?
I would say, “Don’t be afraid of specialization.” When I was younger, I chased a lot of things that would come up, “This is the new thing. With the new technology, people are getting paid. They are going and doing it.” As being older and looking back, seeing certain people that have solely focused on one area and become subject matter X is incredibly valuable.
I have seen a lot of people. If they can take that knowledge, start a business if they want, start an open source project, and become a consultant. There is no such thing as bad learning, earning, or wasting your time with that. If you specialize in one field, you can reap the rewards rather than being more of a generalist. Being a generalist can be good as well, but having focus would have been a good bit of advice I could have given myself.
Both are needed there. There are problems you walk into where a generalist is needed because it is wide. You can bring in those specialists for those needed pieces. It is a good point.
I was down to a specialization path. We worked for a company called NTT. I ended up being almost one of the key designers of ISDN. Broadband made that irrelevant over time, but the journey of pursuing something and specializing in something was always neutral. It doesn’t matter who builds the technology. That is where I learned that it is about the right tool for the job rather than what the vendor’s name is on the front of the box.
There were some ways to innovate and specialize that mattered for a long time. As you get into the space that you specialize in, you make connections. What ended up paying off are the connections, at least in my career. There is nothing wrong with specialization. Don’t be afraid to focus. Even though ISDN withered and died, when you are the go-to, you build all these relationships, and you get to learn other things. I’m with you.
I have seen that at Red Hat too. It is such a great company to work for. If we had a problem, there was like, “You can talk to Dan Walsh. He knows security containers. This guy over here knows the colonel at whatever level.” It is a flat organization where you can reach out and talk to people. A lot of those relationships with working on problems or customer issues together, there are still a lot of people from Red Hat. Even to this day, I still talk with them. I understand the deep connection, especially around subject matter experts. It’s fantastic.
Choose your toppings. Take some pizza. There is more out there than you thought.
Brad, in your spare time, what do you do?
I don’t think I have had a lot of spare time since starting a company, but I do like to trade stocks, options, and futures. That was always something I have always been into. I like the mental challenge of it. Sometimes it is fun. Sometimes it is like, “Why did I do that?” It would be a bit of a love-hate passion of mine.
Brad, how can somebody find you?
I’m around MainsailIndustries.com. I can be reached at [email protected]. On LinkedIn, I’m Brad Sollar. We are launching a big social media push. If anyone is following Mainsail Industries, we will be pushing out a lot more content. We are doing a lot of joint branded things with our partners. Western Digital Federal, Red Hat, and several other customers are partners of ours. We are going to try and be as active as possible on social.
[bctt tweet=”Mainsail Industries is launching a big social media push. They are doing a lot of joint branded things with their partners. ” via=”no”]
Brad, thank you very much. It has been informative and technical in nature, but we appreciate that. To our audience, we like to thank you for reading. If you learned something or laughed, tell somebody about this show. This has been another great episode with your hosts, John and George. See you next time.
About Brad Sollar
Former Army Radar Technician (Airborne)
Former offensive/defensive cyber (contractor w/ 1st IO/ARCYBER
Former MITRE cloud/cyber
Former Red Hat Solutions Architect.
Capitol Technology University – Masters Information Assurance
University of Phoenix – Bachelor of Science Information Technology
Present: Chief Technology Officer of Mainsail Industries- SDVOSB building next-gen secure virtualization. Mainsail’s Metalvisor is the foundational element for secure tactical edge computing.