
Geoffrey F. Cameron, Jr.
- Cloud and Legacy Security|Risk and Vulnerability Management|Cloud First Architecture
- Atlanta, GA
- Member Since Mar 18, 2023

|
Senior Security Consultant Cloud and Legacy Security|Risk and Vulnerability Management|Cloud First Architecture |
SUMMARY
|
Versatile and performance-oriented Senior Security Consultant with more than ten years’ experience in making extraordinary contributions in the fields of risk management, regulatory compliance, security architecture, operational security policies, and infrastructure design. Used the last eighteen years to deliver projected results consistently and successfully facilitated security adoption for clients from both the public and private sectors. As a subject matter expert, with a focus on Information and Cloud Security, I have successfully led clients through security assessments, migrations, or new deployments. Highly regarded for the ability to provide the most appropriate solution, which is always the result of thorough research, efficiently drive, and take away from previous projects. Acquired IT Security experience is extensive and will be of great value to the company that can recognize these attributes and the benefits of a properly designed security program. Most importantly, I’ve completed project for some of the most significant Fortune 1000 companies in the United States of America. |
CORE COMPETENCIES
|
¨ Azure Cloud Architecture ¨ Azure App Service ¨ AWS IaaS, VPC, ELB, EC2 ¨ AWS ESB, Elastic Beanstalk ¨ Web Application Firewall ¨ Enterprise Security Design ¨ Azure Key Vault |
¨ Iaas, PaaS, SaaS ¨ Azure Container Service (AKS) ¨ Cloud Identity Management ¨ Cloud Security Controls ¨ Azure Virtual Machines ¨ PKI Infrastructure ¨ Windows Server 2008/2012/2017 |
¨ Cloud Security Architecture ¨ DevOps and DevSecOps ¨ Next-Generation Security ¨ Azure SQL Database ¨ Network Security Groups ¨ AWS Direct Connect ¨ Azure Express Route |
PROFESSIONAL EXPERIENCE
|
DATA BLUE, LLC, Atlanta, GA |
Nov 2017 – Current |
||||||||
|
PALO ALTO 5050 AND CISCO FIREPOWER 9300 CONSULTANT, Firewall Migration Project Worked with a successful Cisco Partner to migrate Palo Alto 5050 firewalls to Cisco FirePOWER 9300 firewalls with throughput up to 1.2Tbps crushing the current slow Palo Alto 5050s. Responsible for the end to end design of the solution and then the migration of the policies, NAT settings, routing, logging, and VPN configuration. Responsibilities include: - Configure the FirePOWER chassis in clustered and then after HA mode to meet the clients ever changing design requirements - Review the client’s Palo Alto configuration and map it to Cisco FirePOWER 9300 features - Use configuration text files and screen shots with eventual access into the Palo Alto firewall to map objects, firewall rules, and NAT configuration to the Cisco world - Migrate 40 NAT statements from Palo Alto NAT logic to Cisco NAT logic and documentation in spreadsheet including Static and Dynamic NAT with customer MAC addresses on some interfaces - Understand OSPF configuration and authentication settings to migrate routing over to the FirePOWER platform - Integrate FirePOWER with unsupported up and down stream switches so deep understanding of network concepts were required to driver project success - Enabled remote access VPNs with Cisco AnyConnect to allow IT staff to authentication with machine certificates and still permit them to complete cut overs and work remotely increasing moral
|
DDOS MITIGATION ARCHITECT, DDoS Mitigation, Internet Edge Hardening Led the mitigation of on-ongoing DDoS attacks by analyzing server logs then implementing mitigation on premise and off premise. Identified infrastructure components that would become a bottleneck during a DDoS or offered inadequate security then created a 30, 60, and 90-day plan mollifies. Gained trust of IT management and staff buy mitigating an application DDoS attack on my first day and after that followed through on my plan to prevent or mitigate any future DDoS. Responsibilities include: - Spearheaded Q Interactive’s initiatives to stop DDoS attacks on the application and network layers, led all related projects, and successfully stopped active attacks by using experience from two prior enterprise DDoS projects this year coupled with sixteen years of IT Security experience - Compare and contrast modern cloud and on-premise application, DDoS solutions from Cloudflare, AWS CloudFront, AWS Shield, Radware, and Akamai then implemented appropriate solution - Evaluate cloud or off premise network DDoS solutions from Arbor, AWS Shield, Level3, and Radware then implemented appropriate solution - Identified an on-premise data center network based DDoS solution from Arbor or Radware then implemented appropriate solution - Developed and deployed an out of band network VPN solution to increase availability of the management network during DDoS attacks - Enhanced edge router’s security by applying an ACL to mitigate common DDoS attack characteristics such as spoofed packets
SECURITY ARCHITECT, DDoS Mitigation, Internet Edge Redesign, PCI DSS Gap Assessment Annihilated constant DDoS attacks by deploying a combination of application and network DDoS solutions on premise and off site, while configuring all edge devices sent logs to Splunk to help ensure immediate remediation and send logs to law enforcement. Also, I focused my attention on bringing the Cisco FirePOWER solution up to production standards and completed outstanding PCI DSS tasks in preparation for an audit. Responsibilities include: - Formulated the architecture of the new Internet Edge, created hardening templates for the network team to deploy and devised a strategy to move onto Cisco ASR routers and FirePOWER Threat Defense or Check Point firewalls - Configured Nexus 5000 switches to integrate with Cisco ISE features for device control and 802.1x - Took intuitive to travel to the Equinox data center and implemented Chewy’s on-premise DDoS solution rather than waiting for professional services saving the client capital and stopping our problem sooner - Stopped volumetric application and network DDoS attacks from disrupting production traffic through use of on-premises and cloud solutions from Level3, Arbor, and AWS CloudFront - Conserved capital by preventing DDoS attacks over holiday weekend allowing executive IT management and staff to enjoy the needed time off, in effect increasing moral and cementing the effectiveness of the solution - Reconciled enterprise Cisco FirePOWER deployment by updating software on the sensors and the management server, tuning the various policies, and piloting unused features such as Cisco AMP for Networks, URL filtering, and application control - Optimized IPS signatures on the Cisco FirePOWER management center to reduce false positives by disabling unnecessary rules and using the threshold, suppression, and pass rules features - Enhanced the firewall rule request processes, for PCI DSS audit purposes, by suggesting a new input method that would streamline firewall requests between the DevOps and IT Security departments - Spearheaded the initiative of central logging by sending logs from all edge devices, firewalls, A/V software, FirePOWER sensors, and DDoS solution components to rapidly mitigate DDoS attacks - Introduced Cisco Security Manager to serve as the central configuration, monitoring, and software update repository for Cisco ASA firewalls within the data center, at fulfillment centers, and corporate offices which lead to the consolidation of firewall objects and reduction of redundant and shadowed rules
|
|||||
|
|
|
CLOUD TECHNOLOGY PARTNERS, Boston, MA |
April 2016 – June 2016 |
|
CLOUD SECURITY ARCHITECT, Cloud Security Readiness, and Gap Assessment Developed security controls for an Azure and AWS migration with the financial industry. Also, providing lessons learned from prior engagements to help clients achieve a smoother transition to cloud computing and automation. Covered all best practices per Cloud Security Alliance (CSA) guidelines, logged into AWS environment to validate findings and provided a report on gaps afterward. Responsibilities include: - Add advanced security controls by applying experience gained from delivering similar large scope cloud security projects - Created a prioritized strategic architecture roadmap to bring cloud security objectives in line with overall business goals - Used the CSA cloud control matrix as a guide for client interviews and the CSA enterprise architecture as the guide for security controls within a SaaS, PaaS, or IaaS cloud infrastructure - Performed a gap assessment against Cloud Security Alliance (CSA) enterprise architecture standards by interviewing IT staff and verifying statements - Focused on next-generation IDS/IPS and firewall capabilities and malware behavioral solutions to cover network and host based threats - Maintained a high level of communication with external and internal stakeholders, so project deliverables and expectations were aligned |
|
EPOCH UNIVERSAL, Irving, CA |
Feb 2016 – Feb 2016 |
|
CISCO ISE CONSULTANT, Device Identity and AAA, Secure VPN Access Worked with a government client during their pilot of Cisco ISE 2.0 and helped them achieve their AAA goals. All users and devices on the network required authentication, authorization, accounting, and posture which only Cisco ISE could provide. Network administrators also used Cisco ISE with TACACS+, so they were also audited. Finally, remote access VPN users fell into the ISE bucket, so all wired and VPN entry points led to ISE. Responsibilities include: - Deploy ISE virtual appliances because of the reliable VMware infrastructure and to keep costs down vs. purchasing a physical appliance - Requested and imported the appropriate certificates for Cisco ISE EAP authentication and the administrative portal - Apply in-depth knowledge of 802.1x and end point authentication behavior and characteristics to enable strong client authentication successfully for wired devices - Showcase thorough understanding of authentication, authorization, accounting (AAA), posture, and profiler and how to tune each feature based on the client’s endpoint diversity and peak authentication load (authentications per second peak). - Stage and implemented configuration on Cisco switches and ASA firewalls including TACACS+ for the network administrators - Well versed in overcoming the challenges faced when deploying Cisco ISE and used experienced with the different authentication and authorization models within ISE 1.2, 1.3, 1.4, and 2.0 to implement the solution rapidly and meet the clients’ demand |
|
|
CHART INDUSTRIES, INC, Garfield Heights, OH |
Feb 2016 – April 2016 |
|
CISCO ISE CONSULTANT, Global Cisco FirePOWER Deployment Participated in the design and implementation of Cisco FirePOWER on a global scale. Created unique policies per country that considered the diverse global IT Security reequipments based on location. Upgraded 50 Cisco ASA Firewalls with FirePOWER to version 5 including the FirePOWER manager. Tuned IPS signatures, AMP file control, DNS policies (blackholes), and Threat Intelligence to meet the client’s IT Security policy. Responsibilities include: - Review the FirePOWER management server configuration and offer recommendations based on prior experience. - Created individual polices based on hardware requirements and regional locations. - Tuned false positives by using trust or allow rules, the threshold feature, suppression, fast-path rules, and pass rules. - Configured SSL Decryption on data center FirePOWER devices to inspect inbound SSL traffic. - Setup firewall to send syslog messages to Splunk to facilitate an incident response plan. - Tied FirePOWER to Active Directory to enable username and password in firewall logs, to better track down IT Security incidents - Worked with Check Point Smart Domain Manger, Smart Dashboard, SmartView Monitor, SmartView Tracker, and SmartUpdate to manage the environment. |
|
TeleTech, Denver, CO |
Nov 2015 – Feb 2016 |
|
FIREWALL MIGRATION CONSULTANT, Next-Gen Firewall, Next-Gen IPS, and Next-Gen Internet Edge Participated in the design of an Internet edge solution that serves as the base of the design for the next 5 – 10 years including next generation firewalls, next-generation Intrusion Prevision Systems (IPS), and Cloud DDoS mitigation functionality supporting over 30,000 users and 61 lines of business (LOB). Worked with the client’s senior architects to design, review, implement, and document the solution for the Tier 1, 2, and 3 support staff. Finally, le |