Leia Amidon CISSP
Resume: Leia Amidon CISSP
Senior Security Analyst / Technologist / Architect
SunStorm Security Group, Partner and Silicon Valley Corporate Anchor
SunStorm Corporate Headquarters: Columbia, MD
Executive Summary
Established, proficient security strategist with 15+ years' experience in in-house corporate and consulting audit methodologies and policy compliance. Experience in conducting global enterprise risk assessments, penetration testing, and security application and architecture development.
Experienced in global enterprise security and in conducting end-to-end information security audits. Other duties included assessment of in-house interoperability, networking appliances (routers/firewalls/ACLs), databases, audit management applications, operations best standards, LANs, VLANs, WANs, web servers, code review, ERP audits, ISP and colocation facility assessment, and the assessment of wireless and satellite operations.
Hold significant experience in security operations project development, including internal audit preparation, milestone management, and business-correlated metrics. Have directed and delivered successful standards-based audit compliance projects.
Strong working knowledge of risk-based control assurance models. Have conducted authoritative external independent audits as a partner in a security consulting practice. Audit standard experience includes SAS-70, ISO 17799, COBIT, SunTone, SysTrust, HIPAA, SOX (Sarbanes-Oxley), data classification, and multiple ERP application solution audits (Oracle, SAP). Working fluency with further common US, Canadian, and European audit regulations and standards.
Experienced in investigation and research as a subject-matter expert in developing defense-in-depth architecture and methodology for securing mixed-platform global network enterprises and distributed computing operating system environments (UNIXes, Linux, Windows, Macintosh, VAX).
Considerable work in risk assessment and construction of metrics for cost-benefit recommendations and experience with executive-level presentations. Reportage included policy recommendations calibrated to specific business risk and business process.
Security consultant with practical hands-on expertise and certification in multiple facets of intrusion detection, signature identification, penetration testing, computer forensics, and vulnerability analysis.
Experience in authoring, managing, achieving consensus for compliance, and establishing lifecycle oversight for corporate policies. Policy and procedure experience includes: organizational general security policies and procedures, networks, systems administration, change control, business continuity and disaster recovery, incident response and emergency escalation, code review and QA security methodologies, intrusion detection and NOCs, third-party connection contracts, IT operations, and other internal security control policies and procedures.
Knowledgeable in establishing security lifecycle programs, goals, and metrics via monitoring applications.
Experienced in curricula development and classroom training.
Veteran at documentation of policies and procedures, data classification, and analysis.
Accomplished in forging consensus among all levels of project and corporate stakeholders in security initiatives and audit compliance goals. Adept in negotiating practical, technically sound, and diplomatic solutions with project stakeholders.
Have served as both a departmental manager and team mentor in a corporate headquarters environment, and as a Senior Partner in private consulting practice. Background in extensive consultative travel. Exhibited leadership in the conduct and practice of directing audit and penetration testing teams in the field.
Client list includes constituents of the Fortune 50, major banking, brokerage, government and global fiduciary entities, including both major New York stock exchanges. Have consulted to US Military Command and defense contracting organizations, leading information technology innovators and top-tier Silicon Valley firms, hardware and software electronics manufacturers, venture capital firms, space and aeronautics contractors, oil and gas companies, HMOs and health providers, telecommunications multinationals, transportation organizations, and international technology management corporations.
Adept, articulate public speaker, with a strong background in corporate and seminar presentations. Proficient at technical security documentation, security tradecraft, and authoring conference presentations.
Professional Experience
Partner / Principal Security Technologist
SunStorm Security Group
2002 to Present
Invited by the Founder and CEO of SunStorm Security Group (SSG) to partner in building a security consulting practice as the West Coast anchor and Principal Security Technologist. SSG is a privately held, Washington DC-headquartered consulting practice which offers services in architecture review, risk and vulnerability assessments, and security policy development.
Among other offerings, SSG provides audit assurance for companies requiring legally- and governmentally-mandated adherence to policies, standards, and requirements from their external partners, clients, acquisition targets, and vendors. Principal Clients: NASDAQ.
My tenure has been based around senior consultancy, forging strategic joint initiatives with vendors, developing core service offerings, developing methodologies for the practice, and representing the company at security conference speaking engagements.
· Responsible for the identification and evaluation of emerging technologies and tools to assess and protect networks, IT infrastructures, and applications for a leading edge security consultancy.
· Responsible for security of standard network applications and protocols in a defense in depth architecture.
· Developed the client relationship and provided end-to-end security assessment and attestation for Kaiser Permanente’s web-based HIPAA compliance project.
· Developed and executed business continuity and disaster recovery planning projects.
· Developed methodologies for assurance and compliance policy audits, including SAS-70, ISO standards, HIPAA, SOX, and GLBA compliance assessments.
Principal Security Technologist
Grand Central Communications
2004
Recruited by the Vice President of Operations for a key position as part of the “Quick Launch Team” for Grand Central Communications, I acted to oversee corporate headquarters IT security issues and coordinated standards and audit-readiness strategies; wrote the corporate security policy, privacy statement and data classification documents; and was responsible for physical and colocation security. As chief technologist, I built and assessed emerging technologies for scalability of the corporate end-to-end services security architecture.
The Grand Central architecture challenges included specialized work with XML, SOAP, and SOA security, customer-facing data integrity and availability strategies, data resumption planning, and extrapolating a reliable security architecture in the face of rapid services scaling, and protecting the integrity of corporate proprietary code.
Technologies, Protocols, and Methodologies:
Security Assessment and Management of network edge devices and technologies, including audit of ACLs and routing protocols, penetration testing and risk assessment, defense in depth re-architecture and troubleshooting of network devices, including routers and VLANs.
Firewalls: Cisco, NetScreen.
Technologies: Cisco IOS, load balancers, BGP and RIP, VoIP.
Intrusion Detection: SNORT.
Anti-Virus: Symantec’s Norton Anti-Virus, Trend VirusWall.
Global Security Policies: Microsoft Active Directory
Audit and penetration testing.
Security policies and lifecycle: Symantec’s Enterprise Security Manager, nCircle Risk Assessment Suite.
Principal Security Technologist
Napster, Inc.
Napster / Bertelsmann AG
2001 to 2002
Recruited by the Vice President of Operations, the former founder of Logictier, to lead Corporate Security for Napster as a member of the Bertelsmann AG-sponsored Napster turnaround launch team.
Bertelsmann AG, the world's largest entertainment and media corporation with FY 2001 revenues of over 20 billion Euros, in November 2001 re-launched Napster, a global, high bandwidth file sharing network, as a secure e-commerce subscription service. With support from Bertelsmann AG, Napster projected a subscriber base of over 50 million North American subscribers by end of year 2003.
Prior to Napster's involvement with Bertelsmann, the Napster name and logo were among the world's most recognizable symbols. The peer-to-peer architecture, at that time, used 110 servers supporting a peak volume of 370 million individual titles shared by 86 million users worldwide.
The re-architecture of the service was a ground-up endeavor. This involved facing and resolving well-publicized legal, technological, and logistical issues, including a corporate rehabilitation of the company's reputation. Security played a central role in all facets of this effort.
Napster Security addressed a number of exacting challenges:
· Restructured the security infrastructure for the file-sharing service.
· Strategic re-architecture of firewalls, load balancers, intrusion detection services, and other defense-in-depth security infrastructure.
· Established security conventions for the beta test service (two million users).
· Audited and restructured colocation security.
· Instituted corporate security policy and attendant operational procedures.
· Established internal and external audit program to enforce policy compliance.
· Initiated plan for security metrics reporting, so as to quantify security posture efficacy.
· Conducted penetration tests and vulnerability analysis of re-engineered network configuration.
· Secured the new e-commerce subscription environment.
· Worked closely with Legal on security projects involving intellectual property protection.
· Coordinated events required to pass a VISA International e-commerce standards audit.
· Coordinated consultants and vendors to architect an integrated PKI (Public Key Infrastructure), which included worldwide (European) encryption and privacy standards.
· Liaison meetings with Federal and local law enforcement regarding anti-fraud initiatives.
· Close coordination with corporate Legal to maintain strict compliance with all Federal and Superior Court sanctions and investigations.
· Provided attestation to the integrity of documents and electronic files subpoenaed by the Department of Justice.
· Assisted in the security management required in digital fingerprint integrity verification for over 250,000 individual music titles.
· Orchestrated a path to methodical code review for the Napster client software.
· Developed and implemented business continuity/disaster recovery plan.
· Developed and implemented internal PKI and Certificate Authority. Also developed and stood up RSA Encryption systems, VPN technologies, PGP and internal mail certification infrastructure.
Independent Consultant/Information Security Subject Matter Expert
Technology and Marketplace Viability Assessments
2001
Client: Kleiner, Perkins, Caufield & Byers
Served with partner (Harry Regan, CEO/Founder SSG) as subject matter expert to analyze the viability of emerging security technologies and new technology companies for their viability as candidates for venture capital.
Independent Consultant/Information Security Subject Matter Expert
Emerging Technologies
2001
Client: Mazu Networks, Cambridge, MA
Recruited by Mazu to serve as subject matter expert for emerging security technologies.
While with Logictier, Mazu and I developed a strategic vendor relationship where we worked together to closely test, benchmark, and evolve their MIT award-winning distributed denial of service (DDoS) intervention technology to handle hyper-capacity web event environments (e.g., the 2002 Winter Olympics).
Principal Security Technologist
Logictier, Inc.
1999 to 2001
Logictier was founded by the former webmaster of Netscape and Discovery Channel, and other former "Web Monsters" such as technologists from CNN.com, WashingtonPost.com, Level3, and Pogo.com to create an infrastructure for massively bandwidth-intensive web events.
Logictier offered "cradle to launch" client services, including custom architectures, QA and code review, statistical reporting, and end-to-end security services. Logictier achieved this aim by maintaining aggressive adaptation of emerging technologies in a high-performance culture.
I was recruited to research, develop and implement strategies that secured the Logictier infrastructure model, which required high availability, reliable delivery, and a multi-tiered "defense-in-depth" security architecture. My area of participation included supervision of infrastructure security, policy, audit compliance, corporate security presentations, business resumption plans, incident response (CIRT), colocation and other corporate physical and facilities security.
Clients ranged from Sony Pictures Digital Entertainment and Enigma Digital/KNAC and massive online gaming environments (Duckets) and auction sites (eBay, Iron Planet) to the company's role as official Internet Operations Sponsor and Supplier of the 2002 Winter Olympics in Salt Lake City.
As part of the initial team at Logictier that presented to, and won, the honor to act as Official Internet Sponsor of the 2002 Olympic Games, I was Principal in charge of management of infrastructure security and security architecture for this event, which was forecast by Logictier capacity planning to be the largest event in web history. Traffic was estimated to be between 20 and 40 billion hits.
In addition, I forged strategic alliances with vendors such as Cisco, Symantec, Mazu Networks, and others, to develop custom security technologies for our leading-edge technological requirements.
Logictier was the youngest company (18 months old) to ever qualify for the Sun Microsystems "SunTone Security Certification," an effort in which I crafted the audit compliance component.
Technologies Employed:
Firewalls: CheckPoint, Cisco.
Intrusion Detection and Honeypots: Symantec’s Intruder Alert, Symantec’s NetRecon, Cisco NetRanger, Manhunt (honeypot), Tripwire, and Mazu Network DDoS net-edge solution.
Audit: Symantec’s Enterprise Security Manager
Anti-Virus: Symantec’s Norton Anti-Virus
Two-Factor Authentication: RADIUS, RSA SecurID, and RSA ACE Server
Senior Security Consultant
BBN/GTE Internetworking
1999
· Security Architect with BBN Consulting for the Common Access Point project, a major re-architecture of the New York Stock Exchange’s (NYSE) information security infrastructure.
· Senior security consultant specializing in new technology implementations and security architectures.
· Lead in developing and writing professional services methodologies for penetration testing and war dialing offerings.
Principal Security Architect
Secure Network Consultants, Inc.
1998 to 1999
· Principal vulnerability assessment and controlled penetration analyst. Managed projects and debriefings, and led a satellite location team of up to five penetration test engineers in the field performing both white-hat and red-team penetration assessments.
· Lead report documenter for SNCi-branded vulnerability analysis reports, exhibits and collateral.
· Designed custom audit policies and client compliance programs.
· Designed network security architecture based on strategic deployment analysis.
· Performed installation and configuration of security, audit, and intrusion detection programs, firewalls, and two-factor authentication products.
· Hands-on implementation and deployment of a broad range of security tools in Global Area Networks.
Senior Security Consultant/Analyst
AXENT Technologies (acquired as a subsidiary of Symantec, Inc.)
1997 to 1999
-- Concurrent With --
Senior Security Architect
Secure Network Consulting, Inc. - SNCi
(A subsidiary of AXENT Technologies)
As a Senior Security Consultant I was personally responsible for consulting and on-site project management for my account clientele, which included constituents of the Fortune 50 and the Global 2000, global fiduciary entities, US military organizations, and US and Canadian government agencies.
While serving as a consultant I identified and quantified the need to integrate the technologies acquired by Axent via mergers and acquisitions. I successfully led projects to integrate Raptor firewalls, Axent intrusion detection systems, and the Defender two-factor authentication tokens, thereby assisting the company in their goal of gaining competitive advantage through an integrated security product offering. During this tenure I also worked with engineers in the Utah office to write 133 rules which were packaged for release with our Intruder Alert malicious code analysis and intrusion alert software.
I followed on the integrations projects with testing of these enterprise security applications in military and industrial live tests at US Space Command (SPACECOM), SAIC, Hughes Space and Aircraft, Thiokol, MCI and Sprint.
I also developed a methodology (SecureCheck) for conducting vulnerability tests as a service offering of AXENT's consulting practice. When AXENT acquired Secure Network Consulting, Inc., I was assigned to re-train SNCi in the SecureCheck methodology and to lead penetration testing teams in the field, with penetration testing assignments at PG&E Energy Trading, Houston, and EPA, Las Vegas, NV, among others. Worked closely with Sales Executives from first call through invoicing of projects.
As a result of the success of both the integration project and the vulnerability test service offering, I became the first consultant to win the AXENT President's Award for Outstanding Contribution.
Clients included Fortune 500 companies, banks, other fiduciary entities, government and military command organizations, as well as manufacturers of electronics, software, space and aeronautics technology, oil, gas, brokerage, transportation, communications, and international technology management corporations.
Technology Expertise Areas:
Enterprise Audit Team Leader
Firewalls: CheckPoint, Raptor.
Intrusion Detection Team Leader: Axent (now Symantec) Intruder Alert, ISS.
Single-Sign On Technologies (SSO) – Axent Enterprise Resource Manager
Partial Axent Technologies Consulting Client List:
· US Space Command (SPACECOM) / Cheyenne Mountain - Colorado Springs, CO
· MCI Network and Sprint
· VISA International
· National Energy Board of Canada
· PG&E Energy Trading, Houston
· US Federal Reserve
· Wells Fargo (Fiduciary entity with extensive, particular requirements.)
· Environmental Protection Agency
· Kimberly-Clark
· SAIC (Science Applications International Corporation)
· Thiokol
· Hughes Space & Communications
· Chevron
· Oracle
· TDS Metrocom
· Salt River Water; Mesa, Arizona
· City of Palo Alto, California
Systems Engineer
Barclays Global Investors
1995 to 1997
BGI's Fremont Street office housed its global investment trading floor, which grew to place one-half trillion dollars under management during my tenure. As a Senior Engineer I afforded services in person to the trading floor, wire-transfer accountants, and via the phone and dial-up support to Barclays' global offices, and trading partner firms.
Security duties I administered included account controls on wire transfers of up to $24 million, trading floor phone transaction tapes, critical machine backup and restore operations, Enigma authentication, and firewall troubleshooting. I was also assigned responsibility for security configurations of corporate Mac, Windows, Sun, VAX, and Novell NetWare accounts and resources.
· Tier 2 serving global user-base and world's fifth-largest trading floor. Global network integration analysis, including Tivoli, Enigma, Bridge, OpenSystems, Cabletron and other third-party software packages in a broadly-inclusive cross-platform environment.
· Identified firewall vulnerabilities and scripted UNIX bastion host countermeasures (C2 architecture).
Network Administrator
RIDES for Bay Area Commuters
1992 to 1995
· Managed and was responsible for the availability and security of a 9-county rideshare WAN, 60+ employer client sites, a database of 100,000 California car- and vanpoolers, architecture, purchase decisions, and IT project development.
· Contributed as a liaison to the Association of Bay Area Governments (ABAG), CalTrans, Pacific Bell, and local government cities regarding emerging technologies, telecommuting, and the Internet.
· Responsible for writing and researching departmental quarterly reports, RFPs, and grant proposals.
· Public-private partnership projects leader: SmartVehicle project, RideShare public kiosk project, SONY GIS/ETAK/RIDES geocoding project, Vanpool/cellular connectivity project, etc.
Education
Curricula:
· Michigan State University - Communications: Multidisciplinary BA/BS Program. Work Study: Intern, Computer Sciences Department, Mainframe Input-Output
· University of California at Santa Clara - Network Administration Certification Program
· Computer Forensics & Expert Witness Certification – New Technologies, Inc.
· University of California at Berkeley - Computer Security Coursework
· City College of San Francisco - Online Design Coursework
· American International University – Criminal Justice BA Program (In progress)
· Bay Area Video Coalition – Digital Film AVID Off-Line Editing, Video Production
Accomplishments
Speaking Engagements
· Lecturer: InfoWarCon 2003: Defending the Gold: Managing Security for the 2002 Salt Lake City Winter Olympics
· Speaker: DefCon IX: After Napster Seminar
· Presenter: Compaq/AXENT SecurePack Seminars: Network Interoperability Security and Gap Analysis
· Lecturer: Stanford Research Institute: Geocoding: Issues in GIS and Information Security
Special Interest Group Founder
· Co-Founder: Bay Area Internet Users Group
· Founder: City College of San Francisco
Technology Steering Committee Member
· eWeek - Vulnerability Summit Subject Matter Expert
· Association of Bay Area Governments Citizen Online Access Project, Standards Committee Member
· TravInfo / CalTrans Project Policy Development Committee Member
· PacBell Telecommuter Project Telecommunications and Internet Standards Committee
Media and Publishing
· Director of Public Affairs / Interview Host; WIBM/WHFI
· Alumni Graduate: Clarion Professional Science Fiction Writers’ Workshop
· Interview – Boston Globe: Subject-Matter Expert, DDoS Attacks
· Editor/Publisher; Spectra Quarterly - A Journal of Speculative Fiction
· Production: Grass Roots Network, Aspen, CO
· Alumna: Aspen Leaves Foundation
· Manager: Golden Sound Studios, Hollywood, CA
· Founder/Webmaster: iForensics.org, Forums for Justice.org