What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
How GTT Rebuilt Global Security For The AI Era
Interested in being a guest? Email us at admin@evankirstel.com
The fastest attackers don't "hack" the way they used to. They drift through systems, blend into normal behavior, and move at machine speed. That reality forces a hard question: if you cannot defend the perimeter anymore, what should a modern security architecture look like?
We sit down with James Karimi, CIO and CISO of GTT Communications, one of the world's largest tier one internet operators, to break down the practical moves behind a containment-first strategy. We talk candidly about the human layer of risk, why awareness training still matters, and why GTT chose a draconian but effective approach: eliminating lateral movement so that a compromise stays small. James also shares what it really takes to "unflatten" applications with firewall contexts, explicit network rules, and the painful discovery work most teams underestimate.
From there, we zoom into the GTT Envision platform and how software-based service chaining at the edge improves resiliency, agility, and managed security. Then we get into AI governance and operations: how GTT built AI factories with Dell and NVIDIA, why documenting data is the make-or-break step for enterprise AI, and how they designed secure AI operators that are isolated by default. We also explore behavior-based detection and response, CVE analysis with mitigation guidance, real-time topology for threat hunting, and where autonomous mitigation fits depending on a customer’s tolerance.
If you care about zero trust, microsegmentation, AI observability, network detection and response, SOC modernization, and measurable AI ROI, this conversation gives you a blueprint you can adapt. Subscribe, share this with a security leader, and leave a review with the one change you think every enterprise should make next.
More at https://linktr.ee/EvanKirstel
SPEAKER_00: Hey everybody, excited to speak with the global networking and security powerhouse that is GTT, and about where GTT is headed in an AI-driven world, with James thinking about his role as a security leader, technologist, and CISO, and how AI is both a risk and an opportunity in this new dynamic. James, how are you?
SPEAKER_01: I'm great. Evan, how are you?
SPEAKER_00: Great. Good to see you. Thanks for being here. Before we dive into the topics at hand, maybe introduce yourself, and how do you describe GTT these days?
SPEAKER_01: Absolutely. I'm James Karimi. I am the CIO and CISO for GTT Communications. GTT is now the third largest tier one internet operator in the world. But we have a plethora of security and managed networking services that we overlay on top of those services, such as internet, that we provide to customers. We have a global reach in over 100 countries, and we can provide secure data access to anywhere in the world, to any customer.
SPEAKER_00: Yeah, it's an amazing proposition. And talk a little bit about your role as both CIO and CISO, wearing two hats, and your journey at GTT.
SPEAKER_01: Yes, I've been here at GTT for well over a decade. I started here from a company called UNSI, which was acquired. GTT was a very, very acquisitive company. We did 44 acquisitions under my tenure, which I had the role of integrating. But originally I led the network and the voice teams and the global network expansion, building out the tier one operation. I always led IT for GTT and in previous companies where I was CTO. So I always had IT under me here, but officially moved into the CIO/CISO role in 2017 when the company really took off in growth with some large acquisitions such as Hibernia Networks and Interoute, which everyone was aware of. And I've been leading IT, systems engineering, DevOps, as well as three security departments and the SOC for the last eight, nine years here.
SPEAKER_00: Wow, what a journey. And the mission is pretty singular: to connect people and agents to data and applications anywhere in the world. It sounds so simple, but there's a lot behind it. Talk about some of the key things that keep you up at night in terms of planning and delivering effective security globally.
SPEAKER_01: Oh, absolutely. I think, look, for most folks in the security role, what keeps us up most nights is our employee base. It doesn't matter how much we build at the edge of our perimeter or how much tooling we put in place, it's always that accidental oops that happened by somebody clicking on something, somebody going to a site that we hadn't blocked, and they somehow got there and introduced some type of malicious activity into our environments. So we're very, very keen on focusing on awareness training and continuing to do so. We like to do probably two a month to keep it fresh in everyone's mind, versus the traditional way of doing one large one every October during cyber week. So that's been very helpful here. But I think the biggest thing: we came to a realization probably about three years ago that there is no way to defend the perimeter anymore. Moving into the AI era, with things moving at machine speed, you need machine speed to detect. But even with that detection, we really moved towards a containment strategy. And what I mean by a containment strategy: we actually went very draconian. We ripped out our wide area networks, we ripped out our local area networks, and we have actually zero lateral movement capabilities within the organization today. So if an infection or a compromise did occur, it would affect a single VPN user or a single office location, giving us that microsegmentation to keep building business resiliency and keep business operations going.
SPEAKER_00: Fantastic. Love the insider perspective here. Given the complexity these days, you know, so many vendors, so many standards, so many requirements, so many threats, you're really focused on simplicity, which is interesting, in helping customers fundamentally simplify the complexity of securing and connecting their business. Again, it sounds so simple and elegant, but what's involved under the hood in doing that?
SPEAKER_01: It's a paradigm shift. The first complexity is really getting an organization to understand not having a wide area network, not having a local area network. We are so used to the last 30 years of being able to move anywhere within our networks to access any type of information. That was fundamentally the biggest challenge for us: really explaining to our employees they must VPN in, even if they're in an office. They must always, you know, be able to connect to VPN to get to anything. There's no way to get to any type of data or source of information within the company if you don't. But then, you know, you always have your challenges. Ripping out the wide area network and local area network had some challenges, but I think the biggest challenge came when we decided to unflatten what we call our applications. We run a lot of premise-based applications still versus cloud, simply because we are regulated as a critical infrastructure company, and we have a lot of regulatory requirements on how we house data and where. So it's a lot easier for us to maintain that solution on-prem. But what we did with our applications, we decided to actually create a firewall context, sort of like a demilitarized zone between applications. In most companies, you have your billing application, you have your NOC application, you have this application, and everything sits in one LAN and can easily communicate with one another. The challenge we brought forward was we said, no, we're gonna put everything behind a firewall and only allow specific rules for the specific types of data sets that need to transpire between these applications. And that was probably the biggest, biggest complicated forklift for us, because we went to our development teams and we said, okay, what TCP or UDP ports does this application need to use for communication to that application? We don't know.
So painful, painful weeks and months in Wireshark discovering all these communications and what was occurring, documenting them so that we could get to that last piece, or what we considered our phase four of a zero trust framework.
SPEAKER_00: Fantastic approach. There's a lot of buzz about the GTT Envision platform. How do you describe it? What is it, and what's unique about it in this industry at the moment?
SPEAKER_01: So Envision. We have Envision Edge, we have Envision Core, but Envision is our end-to-end solution for how we manage different types of what we would consider workloads at the edge for a customer. So we bring in GTT network connectivity, we put in a GTT branded box, which is what we call our Envision Edge box. But the thing about that box is we can run a multitude of vendors or different types of services, all service chained. So if you want an SD-WAN, we can put an image on there for your SD-WAN. We have a routing image, which we wrote ourselves. It's our own proprietary solution. We're no longer buying routers. We can put a firewall solution on there. So basically everything is in software. Some of the value we gain there is we can interchange or interop vendors with ease without having to redeploy hardware. Hardware tends to have a longer life cycle than does software. So when you have software tied to specific customized hardware, you have to replace both. Whereas now we're just replacing images every three or four years if they EOL or EOS, versus having to change out the whole platform. So that really gives us a lot of agility and flexibility, but it also increases resiliency for the customer and less downtime. And they can pick and choose and add services as needed. They don't need everything out of the gate on day one. But it also allows us to enable what we call our AI observability agent. We are no longer in the realm of going out over traditional protocols such as SNMP to collect information. We are now streaming it right from the box back to our core to be fed into our observability AI systems, looked at and analyzed, and the results given to our NOC and operations centers.
SPEAKER_00: Amazing. Well, I could talk speeds and feeds with you all day, but we'd probably lose the audience. But let's touch on the people side of the equation. I mean, even you personally, how has the rise of AI, and this tsunami of change that's hit us over the past couple of years, changed the way you think about your role and your team as the technology and security leader?
SPEAKER_01: So three years ago, I would say we were very skeptical of what was to come with AI, but we knew we needed to get on that bandwagon, simply because of the amount of data we see in our network. Our telemetry data alone is somewhere in the realm of 16 gigabits per second, all the time. That's a significant amount of information, and it's humanly impossible to go through. And in a world where we're trying to improve the security posture of our clients and improve the intelligence behind the products we offer them, we knew we had to get on that bandwagon. So we were an early adopter. We built three AI factories about 18 months ago with NVIDIA. We did that in New York, London, and Prague. We chose those locations because we have corporate facilities there that we operate, but also we knew that AI sovereignty would eventually become a thing, just as data sovereignty did. So we wanted to be in a position to run workloads where a client chose, if necessary. But the way we looked at it, we took a very different approach to AI. We heard all the stories, we heard stories of large companies failing, trying to do 800 projects or use cases. And working with NVIDIA, we came up with a model where we said, okay, the first thing we need to do is we need governance. If we have no governance, then how do we know what to ingest from our user base? Everybody's gonna come out of the woodwork with every type of use case, and we don't really know what the benefits are. Second, without a proper governance model, how do we get the proper requirements and a subject matter expert who understands the workflow and the procedures for the department requesting this use case? Without that SME and those perfect requirements, you know, you're just not able to turn these things around. It's not, you know, it's not like people think, where you go build a RAG, a knowledge realm, and this thing just learns. There's a lot more to it when you get under the hood.
So we structured a governance model where intake is our PMO, and the subject matter expert comes from the department requesting it. We have security and IT in that workflow to approve the data sets that are gonna be utilized and make sure we have no regulatory requirements around that data set. And then it goes to FP&A, because if we're gonna do a use case, there's cost. My teams have a cost of their man hours. So FP&A will put together a model on this business case of what is the benefit versus the cost. And those benefits have to be more than efficiencies for GTT. Efficiency is great, but you can get efficiencies out of the box with simple things like Gemini and Copilot. We're looking to really replace manual efforts with a lot of what we did. Once we had that stood up, we paused for six months. And for six months, we did nothing but document and study our data. We went to every system, every platform. Is it structured data? Is it unstructured data? How do we access that data? Is it an API? Is it a database call? Is it an RPA screen scrape? And we built this large matrix so that when it came time to build out our AI, we really had a fundamental understanding of our data, because we found that most organizations that failed did not have a good handle on their data. And the reality is, without data, there's no AI. You have to feed massive amounts of data to train, teach, and have our AI operators do the things we want them to do. So we really spent a lot of time, and I'm happy to say we've been very successful. We've now delivered over a dozen enterprise use cases, as well as, as I said before, we built out an observability AI agent. We've also built out a product that we will be releasing soon. It's a network real-time detection and response system, looking at any type of anomaly or behavioral change in any system, user, or device that can send a log, NetFlow, or a packet capture. So a lot of focus there.
But some of the successes that I would talk about: we always had a real fear of what the security risk with AI was. So we spent a lot of time around security and that risk. We got to a point where we took a lot of case studies away from NVIDIA. So one of the first things we did was we made a decision that no operator can ever know about any other operator in GTT. Why? Well, we found that operators love to talk, they love to tell each other what they do and how they do it. And what they do is they start training each other, so that you now have an operator that was intended to do one thing and now it's over-permissive, knowing how to do many, many other things that we never intended it to do. So we kind of took that DMZ zero trust philosophy and we built that in at our operator level. Now we do have an overall operator at the top that we secure with role-based access, like you would in a traditional Active Directory. But what we did, because that operator does need information or pieces of data from many, many different operators, is we built a complete secure orchestration layer that operates between what we would consider our chatbot operator and all of the operators that do work or interface with knowledge realms and MCP servers to our different systems and platforms. So we really took a heavy hand to security with our AI. We've run it by NVIDIA as well as others that we work with in the partner ecosystem we have. And by far, they feel that we have built one of the most secure models of modeling out an AI factory in the fashion we did. So to answer your question, yes, we were very concerned about the risk, but we took a very heavy-handed approach, almost draconian, to make sure that we weren't going to repeat the mistakes or the errors that some of our peers made.
SPEAKER_00: Amazing. Wow, congratulations on that. And you mentioned this AI factory, which, you know, sounds a little bit like marketing hype, but it's actually, I think, enabling you to enhance threat detection and response. Maybe talk about the AI factory you created, the blueprint, the architecture behind it.
SPEAKER_01: Yeah, so the AI factories, it's complete Dell and NVIDIA, which are the two partners we've partnered with. We're running, you know, all H100 and H200 GPUs still. We'd like to get with some larger ones, but we're waiting for our data centers to catch up with water cooling. They're not all retrofitted just yet. But yeah, we built that out on their standard platforms. We're running somewhere in the realm of 32 going to 64 GPUs, if I remember correctly. So yeah, these factories, in addition to, you know, all the GPUs and processing and memory that go into these big large servers, there's an enormous amount of cabling that goes behind this. InfiniBand, all these interconnects, because the GPUs need direct network access to different parts of the system and the server. So they're pretty massive build-outs. The first one we did with a partner so we could learn how to do it right. And then subsequently, we did the second two ourselves. But what we've done with the network detection, we originally started out, as I said, wanting to monetize our data and look at how to improve security posture across all our products for our customers. But what this evolved into was not what we expected. A couple of things that we enabled there: we decided to really focus on behavior. And when I say behavior, we created ingestion models to ingest any type of log, any type of NetFlow, and any type of packet capture. Then we created operators that actually review, giving AI analysis on any event that's notable that comes in. And then it looks: is it a system, network, or security event? And it prioritizes that. If it's a security event, it matches it against the MITRE framework and categorizes it. Is it authentication? Is it authorization? Is it a brute force attack? And if it is a security event, we have an additional operator that runs an algorithm that scores it from zero to 10.
What we also did, because we wanted to use machine learning, we did something we like to call dynamic scaling. As each new unique host is learned or sends a new log, we dynamically spin up a small language model dedicated to that host. And every subsequent 100 events learned from that host, the model retunes and retrains. So if you have 10,000 hosts in your environment, you'll have 10,000 SLM models running within our platform. But the uniqueness that this gave us: we are detecting everything that can occur or change. I'll give you an example. On routers or even Linux servers, we're seeing if a new service or daemon gets spun up that wasn't noticed before, wasn't running before. Why is that so important? Well, we had zero visibility in the telecom world three years ago to Salt Typhoon. And everyone saw in the news what they did. Had we had the capability to monitor new daemons spinning up, they would have been caught right away. So, watching these behaviors, another example is every engineer. We're more focused on engineers who have write privileges to make changes within systems and platforms. We're able to see everything they log into, what commands they run. If they log into a system at a different time than they ever did, it's an anomaly. If they run a command they never ran, it would show up as an anomaly. So we are detecting way more than just security events. Our accuracy: we've probably cut out about 32% of noise at the last check we made. So we're really up in the high 90s right now on accuracy for actionable events that are occurring within the environments. The thing we also didn't really intend was the potential to replace monitoring systems, because monitoring these behaviors, we're seeing when the database disconnects from the web front end. You're seeing everything now. So we're actually taking our monitoring data and feeding it into another system just like this and seeing what the results would be.
But it's been a game changer for us. We built two other fundamental, very unique features in there that we didn't have before. One is what we call our CVE analyzer. And what that does, it basically goes into our inventory systems twice a day, pulls all our customer inventory, our inventory, as well as our network core inventory and corporate inventory. We track the firmwares. NetBox goes and dynamically detects the firmware running on all of our systems every day. And twice a day, we have it run against the CVE database to see if there's any known CVE. And then we have AI analysis on everything in here, giving us the analytics, the analysis, and what to do. The importance there is, generally when a CVE comes out, you don't have a patch. It takes days, sometimes a week. So the AI insights are giving us mitigations for how to address this without a patch, so that we can have some form of safety for the next couple of days while the vendor works on getting the appropriate patch out for that platform or that specific bug. What we also did was we built a stateful topological view of what we call the system galaxy, which is basically a huge galaxy. As you drill in, it shows a dot for every single host within our environment. It shows the network communications between them. And if something showed up red, anomalous, we could click on it and in seconds see a line to every other device that has communicated with it. Click on that device, see. So what took us two weeks in threat hunting is now done in real time, in seconds. So it's been a real game changer. Now we're very comfortable here at GTT with AI. So we're also using what we call Command, where we are deploying virtual SOC operators. We are doing real-time autonomous mitigation for ourselves, but we do understand every customer is gonna have a different tolerance level. So we're prepared: if you want this to go to your SOC, fine. You want it to open a ticket in ServiceNow over API, fine.
You want a Teams chat or an email, fine. If you really want to be up to par in this day and age, and what Mythos has shown us all in a few weeks, you need machine speed mitigation. It's gonna be humanly impossible. What is the point of machine speed detection if you're not gonna mitigate at that same speed? My personal view.
SPEAKER_00: Wow, what a blockbuster approach. Your clients must be really excited with this technology.
SPEAKER_01: We've had a lot of great feedback from both analysts and our clients. We're getting a lot of positive feedback, but also some good feedback on things, you know, to improve, which is always good.
SPEAKER_00: Amazing. So you mentioned the SOC. What other parts of the operation do you think have the potential to be transformed by AI, with opex savings and all the other benefits around that?
SPEAKER_01: Sure. So two big ones we did. The other one is not a CVE analyzer, it's a CV analyzer, for resumes. We generally have a department that does recruiting, and 12 people spent 60% of their year reviewing resumes.
Unknown: Wow.
SPEAKER_01: We built a CV analyzer in record time that basically looks at the job description, the education requirements, and it matches it with the actual resume and then gives it a score to give us the top 15 candidates. It does this in minutes versus days or weeks. The long pole in the tent there was going through all the works councils in Europe to make sure it's not looking at age, it's not looking at gender. How to make sure that you're obfuscating all that stuff so that it's meeting the laws, the employee movement laws in different countries. Once we got those approvals, we not only gave 60% of time back to recruiters; that 60% of time became interview time. We are onboarding, and this is a real metric. You know, I'm not a finance guy, but finance has a metric that says that by onboarding 10 to 14 weeks quicker, there's a metric that shows how much more revenue that salesperson will generate within that calendar year. So there's some hard metrics here. One, we gave a ton of time back to people to do what they really need to do, which is interview and hire, but we've also been able to onboard at a quicker pace, giving us some demonstrable metrics there, revenue-wise. Another big one we did was our cash app, where you've got all these invoices coming in. They have to be OCR'd, put into a system by a person, then they get matched to our billing system, matched to our general ledger system, and then somebody's got to go and match in the bank account and make sure that payment went out. Well, we now have an app that does all of that. It's all done with AI operators, and it's taken a two-week job down to minutes.
SPEAKER_00: Amazing. Well, you're quite the Renaissance CIO, looking at all 360 degrees of the business and the security side. Well done. Just a final question. I mean, you've shared this journey with partners and customers publicly. For other organizations looking to transform their operations with AI, what's the best way to proceed? Any tips, tricks, best practices you think you can share briefly?
SPEAKER_01: Absolutely. As I said, for us, and we think we got it right because we've been successful. NVIDIA said we're one in few on the enterprise side, non-hyperscalers, that are doing this successfully. Governance. Governance, governance, governance. You can't boil the ocean, you can't take on everything. And if you're not going to demonstrate cost savings or reductions or driving revenue, then what's the point of focusing all that effort on doing it? So a strong governance model with a strong business case capability is key. I think the second is really spend the time, even if it takes months, and if you don't have the resources in-house, look for a partner. Understand your data. Document and understand your data, your data sets, how to access that data, how to access that information. And last is build your AI solutions securely. You know, I mentioned before we don't let operators see other operators. The other thing we really did and took to heart here is we dedicate an MCP server and a knowledge realm per platform. There's no shared realms, no shared operators across platforms. So have that siloed mentality, at least for the next couple of years, until other improvements come out in the greater AI working area.
SPEAKER_00: Brilliant. Well, thanks for the update. Congratulations on all the success. You know, we like to throw around things like game changing, game changers in our industry. Yeah. But for once, I feel that you are changing the game in networking and security as a service. Really well done, and best of luck.
SPEAKER_01: Thank you very much. And thank you for having me, Evan. You take care now.
SPEAKER_00: Yeah. Thank you, and thanks everyone for listening and watching. Also check out our TV show, techimpact.tv, on Bloomberg Television and Fox Business. Thanks, everyone. Thanks, James.
SPEAKER_01: Thank you.