Watch this video to learn about Zero Standing Privilege (2:08)
December 9, 2020
Hosted by JD Sherry, Chief Strategy Officer, Remediant
Join us for the first in a series of casual cybersecurity talks covering the latest news that the federal government's head of cybersecurity was let go by the White House, the potential repercussions of that departure, Zero Trust architectures, the challenges of implementation and adoption, and really understanding the needs of the organization.
All right. Welcome to Cyber Whiskey, Water, Wine Wednesday with JD Sherry here from Remediant. I am blessed and honored to have a couple of really smart gentlemen chatting with us this evening. So on the line here - and I wish they could have joined me in my virtual bar here that I really feel is just a nice, cozy place to have a whiskey - I've got Chase Cunningham, AKA Dr. Zero Trust, joining us today. Chase and I go back five plus, six years now in the industry.
I had a lot more hair back then, and he probably had a longer beard. It tends to come up and down depending on the moment, but also lucky to have Tim Keeler, Remediant CEO, and co-founder joining us as well. And the intent tonight is just, one, get together. We can't really do happy hours like we used to in the industry, which we all loved the conferences and just going out for various happy hours. So this is an attempt to do that. I'm hoping we can talk a little bit of cyber and get our hands dirty on that, and just have a good time with it.
So guys, thanks a million for joining.
Yeah. Thanks for having me. This will be fun. It's crazy when you think I've known you as long as I have. Where does the time go?
No doubt. Well, let's talk about a couple of things. Obviously, lots of things going on with the latest news with the head of cybersecurity being let go, that's on a lot of different Twitter feeds. And this is not going to be a political show, but that's an interesting thing that I think a lot of people have been shattered about. I think all of us want to see elections handled fairly, and cybersecurity plays a major role in that. I mean, guys, no politics here, but what are some of your thoughts at a high level on some of that latest news?
Well, I mean, if you read through the manifesto for some of these APT organizations, I mean, there is one that everybody knows about that they literally say that chaos is the game. That's the deal is all you want is to sow chaos. You don't have to win, you just have to cause enough insanity that the other group is in a state of turmoil. And I would say in 2020, they've done a heck of a job of winning that. And it's sad that a lot of that turmoil and chaos has come from the inside.
That's a good point. That's a good point. Tim, I don't know what your thoughts are. I haven't had a ton of experience with Mr. Krebs in his background, but obviously he seems very well qualified. I think as all of us would respect and appreciate. But what are some of your thoughts as that news hit, having dealt with a lot of nation state actors in your day, right?
Yeah. Well, I think first and foremost is making sure that everyone is well educated and informed. That gives us the trust and confidence in our election process. Right? And so, when we take our paper ballot, whether you go drop it in the mailbox or you do the physical scan, right? At some point, it goes into this electronic process. And then this is where whenever I have conversations with just citizens that are going through, and it's like, well, how do you know that is safe and secure? And there are a lot of things that go from the physical process of ensuring your ballot is there all the way through to the electronic means. And then you tie into some of these conversations with technologists that are looking at, oh, how does blockchain tie into the future of voting? Is this something that's secure? Is it something that's not secure?
And as we see so much happening in cybersecurity with breaches all across the news, and it's like, okay, how do we actually build and create a system that does ensure the integrity of these types of systems, right? And we've come to love and trust our banking, right? That's an area where it's like, okay, it's not 100% foolproof, but it's something that I know, hey, all my funds are in my bank, all that's managed electronically. And how do I actually have that same level of integrity when it goes to the election systems? And I think, first and foremost, it's that we have transparency there. Right? And so when you tie this back to Krebs, I personally feel, putting politics aside, that all of the information that he has been able to put forth has been credible and that he's doing the most diligent job that he can of making sure that, hey, the process is what it says it is. And the election is a confident and stable system there.
It would be good to see that Twitter picked up Mudge, though. That was some good news.
Yeah. Yeah, no doubt. No doubt. I think, just to put a bow on this one, I think the person in that role has got such a, as we all know, as fighters every day in this fight with not national security directly on the shoulders. I mean, I think that job is tough in of itself. And I think whoever steps into that has now got another hill to climb, right? With regard to the precedent of that job wasn't good enough, or you didn't do a good enough job. And it's like, okay, so where do we go? But yeah, I think that definitely in the last 24 hours has been a big headline. And Tim, you come back to trust and ultimately trusting the process.
And that's one of the things that I want to bring up and chat a little bit about with Chase and obviously Zero Trust architecture, his background. And I remember working with another fellow, a Nebraska Cornhusker, John Kindervag. Obviously Chase and John go way, way back in their days. And Chase has got a really interesting project he's got going on that I wanted to give him a forum to talk a little bit about with Dr. Zero Trust. So Chase, do you want to clue in our listeners a little bit about what you're doing there and your MO behind that?
Yeah. So basically, it's just an open call to any vendor in the industry to say, look, if you've got a product that you think does what we talk about in the context of Zero Trust, give me access to it. I'm going to go in there and play with it. I don't want training. I don't want you just sit there and game the system or whatever. I just want to use it for the purposes of which it's intended. And then I'm going to put a video together and just run people through look, here's the use case, here's me doing the clicks and this is what you should expect from it. And the reason I did that, was because I've had so many folks that to your point about, John Kindervag and all that have said, we get the theory, we get the concept, the biblical prophecy, we are a good man.
We see that there's value here, but there's what? 300 vendors that talk about ZT. So show me what that ZT thing does. And I just had an opportunity to go, you know what? I can do that. I have some bandwidth and, oh, by the way, I can happen to throw that into the public forum and just make it available for anybody. And so far, it's been very, very well received. And I plan on continuing to do those. As long as, vendors willing to let me use the system and demo it without trying to game it, then I'll bring it on and try it out. I mean, if nothing else, it should be good for a laugh for people seeing me screw it up.
Okay.
Yeah. That's awesome. No, I think that's important. And with everybody at home now, we're all looking for ways to expand our mind share in areas where I've heard you talk many times. People have been doing this concept for a long time. Right? And we just haven't been calling it that. Now, are there ways that we can evolve and adapt? Absolutely. Look at all the different technologies that we saw at RSA before all this stuff shut down.
It's possibly happened that I've said some things. Yeah.
That's always good for me to follow that, but so I think everybody's looking for a way to get on and learn more about it. And from what I'm seeing in my role, and when I'm talking with customers, this is a concept they are really trying to wrap their arms around, including where are we with our maturity in this. And also in the different spheres or the different parts of their security program, Zero Trust means different things. And they might have different maturity levels within that. So, I mean, what are your thoughts? What are some of the common mistakes you see people making when they're like, hey, I'm going to do this Zero Trust thing, and they think they're going to go do it. Where do they fall short on certain things?
Well, usually it's that they go too big, too fast. And I mean, I've worked with organizations that have got a hundred plus thousand employees globally and whatever else. And usually once we started to get into the plot plan, scheme side of this, they say, let's go do this for 5,000 users and whatever else. And it's like, that is whoa, man. That's way too big. Let's start really small. And I said, okay, well, we'll do it for 2,500. Let me tell you, we're going to do this for 50. Let's start with a really small number where we know when we get it right, we've made a change that matters, and then let's evolve that process going forward.
And I think usually where you see things go sideways there is either they don't realize that this is going to take them time, which is fair. Right? You've been digging this rut for God knows how long. You can't just easy button your way out of it. And I mean, this is a big deal about having leadership that will actually say, I believe in this, this is the strategy that deals with the physics of the problem. Follow me to victory and really run forward with it. Because, I mean, like you said, JD, we have the technology to solve this. It's there. It's all about how you use it and how you leverage it to actually do the work.
Yeah, no doubt. Tim, I mean, based on your experience as a practitioner, I mean, obviously you've created a platform that at the time you probably didn't think had elements of Zero Trust in it. You just saw it as a better way to solve a big, big problem. How have you seen the Zero Trust evolution?
I wholeheartedly agree with everything Chase just said. And in fact, my former life of incident response, this was always a topic that came on hand, especially when you're dealing with a breach and you're trying to build and set up new security architecture. And I would often just have folks come up to me and say, hey, we really like this whole Zero Trust model. What do we start doing in order to really embrace this? And just taking this and the small iterative approach in chunks is absolutely the most common sense. That's the most common sense advice that I hear, and I give out every single time. And really, take the easy stuff.
Take the things that are most straightforward, and start applying those principles to this, right? Because when you take a look at the Zero Trust model, it really is this high level philosophy. And then you really have to drill down into the technology aspects to adopt that. And one of the things that I often heard was, okay, where does privilege fit into Zero Trust? And how do we address some of these bigger problems? And that was actually a really big inspiration, because I was a huge fan of Zero Trust from day one. But I often heard from companies, hey, we're not Google and we don't have this unlimited money and unlimited tech resources to build all of this ourselves.
We're dealing with legacy systems on prem systems. We're trying to go into the cloud. And how does this whole privilege fit into all of this? And how do we get this under control? Because these are the things that we're dealing with from a [inaudible 00:12:36] perspective. And so when I would start building that platform, it was always just ingrained into my DNA is, the best security approaches means simplicity. It's a guiding hand. This doesn't have to start off and being this big major undertaking and do the things that are the most impactful and the easiest things to do, and then start building on top of that. So I definitely agree with everything that Chase just said.
Yeah, no doubt. The thing that I find a little bit fascinating, as probably the last four years I've been with Tim on this journey in the identity world, coming from the cloud world, it was, the perimeter is dead. Right? And Chase, I know you dove in pretty significantly into the new NIST 800-207 spec. The federal government is finally coming away from the perimeter as the panacea. We have a firm philosophy here, and you're starting to see that through IDSA, we're a part of that group, the Identity Defined Security Alliance, where it's an identity-centric security approach. And I think the thing that I see personally, and I'd love to get your take, Chase, where people are struggling with Zero Trust is at the identity level.
What we see in nearly every organization that we have as a customer, or that we look at as a prospect, they have this concept of it's complete trust, with regard to privileged access. And one of the folks that we've been talking to coined a phrase, I just absolutely love it. It's their, just in case access, that access is going to be there just in case you need it, versus where Tim has really pioneered the technology of true Just-In-Time. And we believe Just-In-Time when you need it to the resources you've laid out many times, it's now Zero Trust to the resource, really is where companies are struggling is because they just have access to everyone. And what are your thoughts from an identity perspective as it applies to Zero Trust?
Well, I mean, identity is you can look at it in reality, right? Identity is the mechanism around which cyber sort of evolves. I mean, if you think about it, and everyone says this, the most secure system in the world is one a human never touches, but humans touch systems. I mean, it's how this whole thing works. So if that's the case, where do humans interface with machines, it's through the identity. And identity is if you look at ransomware, if you look at compromises and exploitation, whatever else. And I mean, I wrote a book on this stuff. You can see that's where things begin, they become a problem. And that's where they proliferate, it's with that excessive privileges, excessive access and all. And it's got to be vectored in and dialed in on.
And most of the time, like you're saying, I mean, doing my own red team in the past, you would see that people had access to stuff that you don't need. And it's weird when people will say, I like that you're thinking about just in case access. Because if you boil it away and said, if we were in a physical place and you had a building with 100 doors on it, would you leave 100 doors unlocked with your stuff behind it and just go, well, someone might need to enter that door. No, you would put a lock on it. So why is that so hard to do or conceptually agree that it's important in the context of a digital space?
Yeah. I love the door analogy. Sometimes I float analogies and they don't work. Sometimes they do, right? That's the nature of the game. Our whole concept is the door shouldn't be there in the first place. Take the door off, remove the portal. And I love hackers ingenuity sometimes, but most of the times they're just lazy. And if they walk the neighborhood and that door is not on the house, well, they're probably not going to try to go into the front door.
Yeah. It doesn't have to be post-quantum encryption and blah, blah, blah. If you look up and you go... You remember the old ADT commercials where they had the folks where they didn't have an ADT sign and whatever else, but then they had the houses where there was a dog and prickly bushes and an ADT sign? People were like, well, I'm not going to rob them. I mean, that's the same thing.
That's exactly it. And you take a look at, and this is just the commonality and the reality that we're living in with companies when you have large sets of IT users, whether it's your support staff or server admins, or application developers or DevOps teams, they generally have this admin-level access to so many systems. And in a lot of the cases, and I definitely saw this from dealing with post-breach remediation, is that most of these folks have 24/7 access to every single system out there. They're either domain admins or they just run these highly privileged groups, whether it's intended or unintended, and people just didn't even know how much admin rights was out there.
And then when you're trying to scale that back and break that down, and I would just spend time talking to these IT admins, well, what systems are you really logging into? And it was amazing, right? They would have access to everything in the environment. And they would just be logging into a small number of systems at any given time. And in going from that, it was like, oh, but don't take away my admin rights, because if something breaks, I need to be able to log in. It's that just in case access, and that just got into so much trouble for organizations, because that's exactly what attackers are exploiting.
And actually that statement alone was just the whole progression of, oh, here's where we really just need to bring this Just-In-Time concept forward. So we're not stripping away everyone's admin rights, but we're adding another, this ties back to the always verify, adding another layer of authentication. And just giving them access to the direct system for as long as they need access to it. And when you break it down there, I hear so many times, they're like, well, why wasn't it just designed that way? Right? But here we are, we're dealing with that.
Yeah. Reinvent the wheel that the [crosstalk 00:18:45] already left the station. But I mean, I think that's a point that's a valid point too, right? Is a lot of times why people will balk at this, is because they go, oh God, that's going to be really difficult to do. And if you're able to go at it and say, and I think that that's becoming more commonplace with all these systems that I keep getting my hands on demoing and using is, they don't have to be hard. And honestly, if they are, then that's probably indicative of a problem with the vendor's solution, right?
If I need to have a PhD in the system to actually fix the problem, that's not going to help. And I've gotten a lot of people will send me some of the hate mail when I've said, I fundamentally, and I'll die on the hill. I don't believe we have a lack of human capital in the cybersecurity space. I believe we have a lack of effective use of technology to solve the problem. And then we have the people that do it. We're trying to dig the Suez Canal right now with a spoon. We're never going to get there. We need lots and lots of spoons to do that. I would rather use an earth mover.
Well said. Well, guys this is good. Any other thoughts you want to tap into?
I mean, I just think that folks should [crosstalk 00:19:58] really understand that there's a progression to this. And if you're going to get into it, like we talked about earlier, and you're going to align on a long-term plan, solve relatively simple problems first that also happen to be very impactful. And identity is a relatively simple problem to solve if done correctly, that has a massive opportunity for fixing problems within infrastructure. There's to my knowledge, and maybe I'm wrong. I'm not sure, but there's never been an exploit that didn't require some sort of identity and access to actually make it do something.
Yeah. Yeah. I mean, no better way to think about what's top of mind. I know people are sick of hearing it, but ransomware needs that too. Ransomware needs access to take off, right? So you're spot on with that. I think before we wrap up and this has been great guys, I appreciate you being the first to come through the cyber wine, whiskey, water, whatever your drink choice is, Wednesday. We'll try to keep this thing going. So cheers to you guys. I appreciate your effort in the mission. [crosstalk 00:21:09] And we all know this is not an easy endeavor. And actually we have a tremendous amount of empathy for all of our fellow fighters in this, that are working in different companies, working in public sector, public private, you name it.
This is not an easy task. And I think we've got to find ways to work together versus create friction. So I appreciate you guys coming on. Chase, we're going to probably try to take you up on your Dr. Zero Trust challenge. If you're willing to take it, we'll take the Chase Pepsi challenge on that one. And hopefully down the road, you can see if we stack up to that, because we would love to get your perspective on simplicity, because this doesn't have to be a hard problem. I think a lot of times when people look at it, they want to go full ostrich and stick their head in the sand, and hope their cyber insurance will cover them.
I mean, Lord knows. That's the other thing I've been hearing too. I mean, I only want to unpack that. I hear some people are relying on cyber insurance as the crutch to handle some of the things around proactive information security that they may not get to, because maybe they're a short timer. I don't know. This is just bonkers to me. And they're using the crutch of cyber insurance to go, well, if we have a breach, that'll cover us. I mean, we can't think that way. I don't want any practitioners to think that way. It doesn't have to be that way. Let's work together to figure out how to solve those. Right? So guys, appreciate it. Any other parting thoughts before we wrap up for the evening?
No, man. Thanks for having me on. This was a blast.
Yeah. This has been absolutely great. Love chatting with you all.
Thanks guys. Appreciate it. We'll talk again. Chase, maybe we'll have you on next time down the road, and then we'll go from there guys. Be safe, have a Happy Thanksgiving and we'll talk to you soon.