EP 10 – Conor Callahan of Mantra Bio – SREs and Zero Trust

Speaker 1:
Hello and welcome to Get It Started, Get It Done, the Banyan Security podcast, covering the security industry and beyond. In this episode, our host and Banyan’s chief Security Officer, Den Jones, speaks with Conor Callahan, lead site reliability engineer for Banyan’s customer Mantra Bio. Conor has partnered with Banyan since its early days and offers some great insight into his experience with the company. We hope you enjoyed Den’s discussion with Conor Callahan.

Den Jones:
Get It Started, Get It Done, episode 10, I think, of Banyan’s entry into the podcasting world. Now in this episode, I’m delight to have a customer of ours, Conor Callahan from Mantra Bio. Conor, welcome to the show and thank you for joining. I’d love an introduction. Why don’t you just share with the audience who you are and what Mantra Bio is?

Conor Callahan:
Yeah, so my name’s Conor Callahan, I’m lead site reliability engineer at Mantra Bio. Mantra Bio is a relatively small biotech startup based in south of San Francisco in California. We’re working on a relatively new modality called exosomes. So we’re essentially harnessing some natural vehicles within the body to deliver medication. Mantra’s ultimate goal is to get therapeutics into the clinic and move into clinical trials.

Den Jones:
Wow, that sounds a little futuristic. So in your role as site reliability engineer, you’ve been jumping into this world of Zero Trust or something about remote access, something about users and devices and things. So why don’t you explain what does this journey mean to you, whether you call it Zero Trust or not? Maybe is that a good start?

Conor Callahan:
Yeah, and to add a little bit of context, I’ve worn many, many hats at Mantra. So not just sort of our cloud infrastructure, which is traditional SRE work, but also corporate IT and security so a lot of different hats. As far as Zero Trust goes, what it means to me really is moving away from the legacy idea of everything on the network is trusted. So that means doing continuous verification of users, their devices, what they’re accessing, and really taking in as many factors as we can to get the full picture of what’s going on.

Den Jones:
Awesome. So when you think of the problems you’re trying to solve, so if you move away from the buzzword, right, what’s the top problem you’re trying to solve and how does Banyan help with that problem?

Conor Callahan:
Yeah, so at Mantra is sort of interesting. The problem that we had was really about friction and frustration for end users. So the sort of security benefits we get from moving to a Zero Trust solution was like the cherry on top of the pie really. It’s an additional piece. We have been using a sort of legacy VPN product, OpenVPN, which as the company grew was getting slower, users were noticing it. It’s something you have to log into a lot, there’s many steps involved to it, and it also wasn’t something that immediately made sense to them as being valuable. Majority of our end users are scientists working in the lab and they need to connect to a VPN or now Banyan to enter data, do data analysis, and things like that so they don’t really want to be having a ton of friction in those workflows since they’re incredibly important to the business.

Den Jones:
Yeah, it’s funny because I kind of describe to people like this concept of improving the user experience but also improving security. Very rarely in your career do you get to say, “Well, we improved security but we also improved the user experience.” And it sounds counterintuitive, but less things in the way of a user in order for them to get to their applications and services, it’s goodness for them and then in the background, more security controls for us. So that’s pretty awesome. So first of all, why pick Banyan as a business partner for this endeavor?

Conor Callahan:
Yeah, and the fact that you specifically used the term business partner is super important. I actually was fortunate enough to work with Banyan at the company I worked at prior to Mantra, which was Zoosk, online dating site. Zoosk had been a relatively early adopter of Banyan before the company had pivoted even into Zero Trust. It was more about service to service backend security then. And throughout that process, I really got to know the company and know the co-founders and really understand the technology. And so when it came time at Mantra to start looking at these Zero Trust solutions, Banyan was already one of my top choices because I knew that the core technology was super solid I and had a lot of faith in the company and the people that were at the company.

Den Jones:
Awesome. It’s funny, yeah, because my team at Adobe, we sort of talked to Banyan as well around about that time when it was service to service and our thing was, “Well, that’s not the problem we’re trying to solve here. We’re trying to improve 40,000 people’s experience,” and that was definitely a great pivot for us, benefited our team at that time for sure. And actually like you, I got to know the founders and the engineers and the team and that was a huge part of my decision to actually join Banyan, which was I knew what I was getting myself into, which was kind of cool. So the podcast is called Get It Started, Get It Done, so I’d love to learn a little bit about how did you start in Mantra to first of all get the approval to move forward with this kind of change and then how did you get started?

Conor Callahan:
Yeah, so throughout my career I think I’ve really been lucky to work under a lot of great leadership who put a lot of faith in everyone reporting to them to take the best of their subject areas and bring them solutions. So with that kind of in mind, at Mantra, when I first started I sort of developed a longer term security plan and around the middle of that, was moving to a Zero Trust solution. So we got closer to that. I’ve brought up some proposals with my boss who was our CTO at the time and she was very receptive to it. I think she very much understood the pain our users were facing and saw the benefits by moving to a solution like Banyan. So it was relatively easy to move forward with that approval.
And once she was on board with that, we did an initial proof of concept with Banyan and that’s really where the Get It Started, Get It Done, comes into play because it’s one of those things where you get set up quickly, you get your team, which in my case is our data team, so it’s data scientists and some software engineers, got that team running on it and myself, of course, got things tested and we eventually were using it every day quite quickly. And then at that point, we were able to start working on rolling it out to the rest of the organization.

Den Jones:
Awesome, awesome. So from a business benefit perspective, do you think that your CTO at the end of it feels like she got business benefit, business value from the investment?

Conor Callahan:
100%. I mean in her own everyday work she saw the benefit herself but she also saw the benefit that our users were seeing. This is one of the rare examples where, whether it’s infrastructure or corporate IT, security, in that world that we do something that’s usually impacting and we actually receive a ton of applause and thank yous and things like that in public for this type of project.

Den Jones:
I was lucky because 2018, we deployed Round Adobe for a thousand people and I remember walking in the cafe during my lunch break and bumping into one of my best friends and he was having lunch with his friends and when he introduced me to his friends, he’s like, “Oh yeah, this is Den. It’s his team that changed the need for you to not do your password change every 90 days, no more using your username and passwords, and no more VPN,” and everyone was like, “Holy shit, we should be buying you lunch.” And you get that level of appreciation, which I don’t think in 20 years of my career I had had people really that enthusiastic about any of the shit we’ve ever done. Normally in IT and security, you’re doing stuff which is either in the background and everybody already thinks it’s super slow anyway or cumbersome or they’re pissed off because you’re throwing more things in front of them in the name of security.
That is the exact opposite of what the outcome of this kind of activity is. So it’s really cool. So one of the things, as I was doing some Googling, I guess… When I have a guest on the show, I always try and learn a little bit about them. And maybe this is really huge in your SRE space, but I notice you’re very much a big contributor in GitHub with that community there. So what do you find in the value of just communities in general as you’re trying to apply it to your career and move forward?

Conor Callahan:
Yeah, GitHub is definitely super important I think in all of our lives these days, whether it’s IT, security, SRE, whatever domain you want to say. We rely on a ton of open software. So I inevitably end up running into some issue and end up Googling it and searching for GitHub Issues and find other people with the same problem. Sometimes we’re able to fix the issue and be able to fix back upstream to that project, which is always super rewarding to be able to fix something yourself and also have it accepted into the community.
So these communities, I think, to me they’re sort of more powerful than… Maybe a little bit controversial, but in a lot of enterprise organizations we rely on enterprise support and being able to submit a ticket and get one person assigned to that case, et cetera, et cetera. Sometimes I find the open source community is even more valuable because of just the amount of people involved and how open they are and how everyone wants to help each other. So you end up finding some project that you’re using and 600 different companies use it. Ultimately, you’re all going to run into the same issues eventually.

Den Jones:
Yeah, yeah. That’s awesome. Awesome. And do you also do things like meetups and stuff like that? Because pre-Covid that kind of community involvement for me was a great place for me to go and learn from others and share what me or my team have been working on, but also learn a lot. So do you find yourself getting involved there?

Conor Callahan:
I haven’t since pre-Covid. I did go to a number of illegal conferences including CubeCon and DockerCon and have been to a couple meetups in the Bay Area when I used to live in San Francisco.

Den Jones:
Yeah. Living in San Francisco, but you have moved, right? You’re Denver based now, is it?

Conor Callahan:
Yeah, I was in Denver until a couple days ago. In Denver for about two and a half years. I just moved to Buena Vista, Colorado, which is a lot more remote. We’re out through the center of the state, near the collegiate peak so Mount Princeton, Mount Harvard, that sort of thing.

Den Jones:
Awesome. So now being out there in the wilderness, does that mean that you have an interest in skiing or boarding or any of that kind of stuff?

Conor Callahan:
Yeah, I definitely love skiing. It’s a big part of why my husband and I moved to Colorado in the first place is to be a bit closer to skiing, not have to deal with the three hour commute to Tahoe because I’ve been really fortunate to do a ton of skiing in the two seasons since I’ve moved here and I’m looking forward to really good ski season this year or this winter.

Den Jones:
Awesome, awesome. Yeah, a great choice of a place to move, especially for all the outdoor activities and stuff, right? So now talking about this in the other side of life, if you’re at a dinner party, how do you describe your job to people that don’t work in tech?

Conor Callahan:
Yeah, I’ve had a lot of iterations of this. I think my favorite one that worked really well when I was working at CSO, security kind of the role was, “Me and my team work on the railroad, the tracks and sometimes the cars for the application teams to be running their trains on.” So they’re responsible for, maybe it’s the cargo, could be the whole train. Stretching the metaphor a little bit, but it’s a lot of really the base pieces that other people are relying on.

Den Jones:
Awesome. Years ago, I used to try and tell people I didn’t even work in tech, especially when I lived in Scotland because everybody wanted me to fix their computer and it’s like I’m not a bloody workstation technician any longer. So I then adjusted it when I moved to California and decided to tell people I was an igloo repair person. Mainly because in California there’s not a lot of igloos to be fair. So people would laugh at me and realize I’m a bit of a clown anyway to begin with. I’ve got a joking sense of humor.
So I deviate over the years and almost now in this kind of CSO role, I almost feel like sometimes our job is to keep companies out of the news. I mean reducing risk is how you do it, but really the ultimate goal is you don’t want your company’s name up in the headlights. So in the end, I’ve got this kind of twisted version I guess of how I’d explain that to people. So as you’re growing your career, how do you keep up with technology, where do you go to learn the most about how the world is always changing?

Conor Callahan:
The place I spend the most time learning about this and I’ve gotten the best information tends to actually be Twitter. Once you follow one person in security or in container world, whatever it is, you find a hundred other ones. That’s the way I found out about all of the newest vulnerabilities, attacks, things like that. I took my phone and ended up finding it on Twitter. Of course, with what’s happening right now in the world, with the Twitter acquisition, we’ll see maybe I’ll move more to the Fediverse or Mastodon and that type of thing but haven’t really gotten too into that quite yet.

Den Jones:
Yeah, it’s funny, right, because over the last couple of weeks with Elon taking over, lots of layoffs, and last I read, I think that there’s their CSO, their chief of legal, privacy, I mean almost all of the executives are gone, which from an FTC perspective I’m sure will be a bit of a kind of dodgy area for Twitter right now. And I’m not even sure they’ve got enough people to keep the lights on. So I guess we’ll find out in the coming months what happens.

Conor Callahan:
Even from I think a lot of the European regulators as well, things like not having a data privacy officer, it’s a lot of the things that, like you were saying before, keeping the business out of the news. You don’t really think of necessarily as being the most important people in the business but it can also have a lot of negative impact.

Den Jones:
Well, maybe Elon likes them being in the news because from a PR perspective, even bad PR can be great PR, right?

Conor Callahan:
Yep.

Den Jones:
So maybe he is a controversial guy so maybe that’s part of the plan. For me, on the whole Twitter stuff, it’s just going to be interesting to see who’s got the guts or who’s greedy enough I guess to want to step into those roles right now, because I can’t imagine… In the executive community, there’s a lot of really smart people that might be interested to jump into that fire, but they’re going to have to fill some positions. So yeah, we’ll see. We’ll see how that plays out. Now in your career, what’s one of the best pieces of advice you’ve ever received and what’s one of the best pieces of advice you’ve ever thought you’ve given?

Conor Callahan:
So this is really a bit of both and this thing I think has been passed on to me from many people I’ve worked with, ultimately actually probably starting with my grandparents even, but really is to stay curious and always be learning. It’s really easy in technology to kind of tune out for a while and we all have to do that, we all need breaks, but being able to come back and say, “What’s new? What are we doing?” Maybe you start a new company, “Why were these decisions made?” Don’t go out guns blazing, trying to change things. Ultimately, I think that helps in every aspect of our careers, both on the tech side but also the organizational and leadership side as well.

Den Jones:
Awesome, awesome. Yeah, as a leader for me, I’m trying to hire people who are smarter than me, which actually I’ve done many times in my career to the point where even our Zero Trust journey started off with one of the architects in my team who convinced me that this is the path we should go down. And he spent a lot of time convincing me on it because maybe I wasn’t smart enough, I didn’t see the light. But interestingly enough, I mean I’d say it has pivoted my career to the point where I’ve landed in Banyan doing my CSO job. So I think sometimes you’ve got to look to those around you. And I tell my kids this all the time, which is you can learn anything from anyone if you keep an open mind and even unfortunate homeless people that are on the side of the street, if you have a conversation with some of those people, you’re going to find stories and journeys of their lives that you should learn something from it when you have that conversation.
So I kind of try and think of that continually as I go through. And the organizations, some of the junior early in career people that I’ve had conversations with over the years, I’ve been blown away by just how smart they are or how well they think or how well they want to grow themselves. So I keep that in my mind as I continue and grow in this journey for sure. Yeah, so any questions for me? I mean I try and focus all on the guests and stuff, but sometimes if there’s any questions for me, I’d love you to throw a curve ball my way and try and trip me up somehow.

Conor Callahan:
Yeah, I’m curious as a customer of Banyan, I know a lot about what the product is good at and what we’re currently doing with it, but where do you see the next frontier in, maybe not being specifically, but the next big opportunity in the security world, kind of building on Zero Trust, moving us to the next big thing?

Den Jones:
Awesome, awesome. So internally we talk a lot about SSE and SASE and things of that nature. So we’re definitely going down this path. I mean if you think of it like most, not most, but many of the companies out there, they want to centralize and funnel traffic through, they want to inspect packets. We’ve got a client that sits on your devices, on your endpoints, and our belief is that client should be leveraged in a way that enables the endpoint to go directly to the application or service. Now in the journey of protecting people, we see that as one of our core responsibilities, we’re trying to make sure that you can get to an app or service that’s in your data center. So that’s the remote access piece of it. But then the posture checking, the device registration, using certificates instead of passwords, that side of it is all geared towards protecting and ensuring that the device meets a minimum bar.
The backend integrations that we’ve got with people like CrowdStrike is so that if you do get malware on your device, then CrowdStrike will catch it, we’ll cut your session. So that is kind of where we are. But to play on that even further, things like URL filtering or blocking threat feeds. So the reality is if I get an email and I click that link by mistake, how about we use our technology at the backend to block and prevent you going to something which we know is a bad site? So if we can do things of that nature, that’d be brilliant. The other thing is DLP Lite. I hate talking about DLP because DLP is a really hard game, but what I do care about is mass X fill of data. So if you could imagine either a disgruntled employee or a gang that’s taking over that device somehow and they’re trying to download all the stuff from one of your data repositories and they want to move that somewhere else, well, we’re still a client on the device, we still have an ability to do something.
So ideally the journey is that we take advantage more of the client and that if you look at SSE and a tenant of what SSE encompasses for us right now, it’s doing things like the URL, DNS, things of that nature. That’s a really good start. So I know from a roadmap perspective, and this isn’t a roadmap committal here, but I know we are working on that right now and it’s right around the corner. So design partners are welcome to give us a call and get involved and stuff. So all of our customers will be able to benefit from that kind of advancement and we’re very close. So looking forward to that.

Conor Callahan:
Yeah, those are super interesting, especially from the sort of defense and depth perspective. A lot of us are using say Google Workspace, which tries its best to combat phishing and malware and all that kind of stuff, but having another layer on top of that is just another beneficial thing, especially given how dangerous phishing has been lately.

Den Jones:
And we keep trying to train our employees out of this, but the reality is you want to do training, you want to raise their awareness and stuff, but at the same time these attacks are becoming more complex and they’re becoming increasingly sophisticated and not all employees are brilliant. Actually, I’m writing a blog post right now that will be published in the next couple of weeks and one of the things I’ve always thought of it is it’s like playing Russian roulette. But we’ve got like 40,000 or 100,000 or 20,000 employees. As the CSO, you’re gambling on the fact that you trained them all well enough and they’re not going to click a link. But the reality is it’s like playing Russian roulette. At some point, that link’s going to get clicked and at some point, that person’s going to end up on that website and they’re going to get phished.
So from our perspective, let’s try and add another layer, like you say from the defense and depth, add that other layer to try and prevent that website, you landing on it. So we’re playing around in that space. It’s a fun place to be in. When I joined Banyan, about a year ago now, it was one of the earlier conversations that I had at dinner with Jayanth and Tarun, two of the co-founders, which is, “Hey, where does the company go next? What’s the evolution?” And it’s really fun to be in a company that can be nimble, where we can talk about this and then execute really fast. So I do love that side of the gig for sure. Now as we start to wrap up, Conor, couple of things. If you were going to give an aspiring young technologist one piece of advice for their career to get to where you’ve got, what would that be?

Conor Callahan:
That’s a good question. I’m trying not to just say stay curious and keep learning because I said that earlier. Probably what got me the furthest in my career, and I’m saying this as sort of a lifelong Linux nerd, was breaking my own systems, fixing them myself, figuring out how to find answers on the internet, and that was in the forums and before the IRC days. It’s gotten a lot easier now and a lot has changed in the Linux world since the 2.0 Kernel and stuff like that. But working on your own, working on labs, and there’s so many ways to do that nowadays, I think that’s some of the best stuff you can do.

Den Jones:
Awesome. Yeah, it’s funny. So curious, breaking stuff, stretching yourself is always great. And then for me, it was building my network, trying to grow your network. Quite often that means you’re helping others and hopefully when you need help, they’re going to repay the favor. Now I want to wrap up with one personal question. It seems as if what I discovered was your into amateur radio and that world. Is that a true statement?

Conor Callahan:
That is true.

Den Jones:
So what things do you think have you’ve learned during that adventure that translates over to your work and how has that helped?

Conor Callahan:
So there’s sort of a saying sometimes in the amateur world where people say, “Just spin the dial.” This comes into play when you’re tuning across the bands and you find somebody transmitting and spewing garbage or something like that because it’s regulated, but it relies a lot on volunteers to regulate it and it’s kind of self-regulated. So you’ll find people just spewing random stuff and the idea is you can just tune past it, move on. You don’t need to waste your time or spend your effort combating that necessarily. Certainly can.
The way that I translate that into my professional life is really pick your battles and no matter what sort of domain of IT, security, whatever it is you are, there’re going to be a million different things you can do, a million different things you can suggest to your team to do, but not all of them matter, and certain things you can just let go. I think it’s especially relevant in security where you can be the boy who cried wolf and tell people that things are on fire every single day and that’s really not the case and then when something is on fire, nobody listens to you. So it’s sort of a way to stay sane at work, but also make sure you are making a meaningful impact.

Den Jones:
Yeah, actually that’s a brilliant point to end on because picking your battles is so vital in our business because there’s just so many that you could jump on top of, and in the end, maybe there’s too many that are distracting so parking them or waiting until situations change and focus on the ones where you’re going to be more successful or more likely to find willing participants and partners as you’re trying to still make progress because the reality is, if every day we can just make a little bit of progress and continually do that on a daily basis, on a weekly basis, then we’re going to improve the security for the company and the experience for the employees. Conor, it’s been a pleasure having you on the show. Thank you very much for joining. Really appreciate your time and love to catch up again in the future. So thank you very much.

Conor Callahan:
Thank you too. This is a lot of fun.

Speaker 1:
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk, and all their music at urbanpunks.com.

Close Transcript