mnemonic security podcast
The mnemonic security podcast is a place where IT Security professionals can go to obtain insight into what their peers are working with and thinking about.
Risk Hunting
In this episode of the mnemonic security podcast, Robby is joined by Tony Fergusson, CISO EMEA at Zscaler. They start with a market update on Zero Trust and discuss the challenges relating to adoption that he has observed (ever heard of the Popcorn Theory?).
Fergusson then introduces the concept of risk hunting – a proactive strategy to identify and mitigate risks before they escalate into breaches – and explains how it relates to threat hunting. He emphasizes the importance of least privilege, continuous evaluation, and what Zero Trust looks like for users and workloads.
From our headquarters in Oslo, Norway, and on behalf of our host, Robby Peralta, welcome to the Mnemonic Security Podcast.
Speaker 2: By now, you've probably heard of the concept of threat hunting. Now, whether you feel that's relevant for your organization or not is one thing, but keeping the concept of threat hunting in memory, replace the word threat with risk. My brain at least led me to think of some GRC resource wearing a Patagonia vest, stressfully reading through all of your policies and procedures and trying to identify gaps, and apparently I wasn't that far off. What I didn't immediately connect with the thought of risk hunting, however, was the concept of zero trust. What does zero trust look like for users and workloads, and what does it mean to hunt for risk relating to them? So stay tuned for that, as I have a very suited guest to guide us through that conversation.
Speaker 2: But before that, I just wanted to take the opportunity to say thank you for tuning in to the Mnemonic Security Podcast this year. After recording this intro, I will be taking a vacation from podcasts until 2025. But don't fret, I have plenty of episodes in the pipeline for next year. So happy holidays everyone, and Merry Chrysler, as someone on the internet once said. Over to you now, Mr Tony Fergusson. Welcome back to the podcast.
Speaker 1: Hey, thanks for having me back. Nice to be here.
Speaker 2: I'm not sure if it's the second time or third time. You've also spoken at a bunch of our events, so either way, however many times it's been, it's always nice to see you again.
Speaker 1: Yeah, likewise.
Speaker 2: So I don't want to introduce you, I'll let you introduce yourself. Who's Tony Fergusson 2024?
Speaker 1: Yeah, so I'm the CISO in residence. It's recorded now. So, yeah, working for Zscaler. And yeah, I spend most of my days talking with other CISOs and other customers and really being that sort of trusted advisor and helping them along their Zero Trust journey.
Speaker 2: I want to say you taught me what zero trust is, but I feel like that'd be really rude to you, because I feel like I don't really understand it yet. You have all these new terms like SASE and SSE, and I'm not sure if those are the same things. There's a lot to unpack in this zero trust journey.
Speaker 1: Yeah, it is, and sometimes when I look at the number of vendors out there and all these acronyms that Gartner love to create, then I'm like, no wonder we're all sometimes a little bit confused. What is zero trust? What is SASE? What is SSE? Yeah, so that's something I'm also spending a lot of time on, trying to educate and make sure people understand what zero trust is. Yeah, perfect.
Speaker 2: Well, you're in the right spot. I would say I'm a little biased there, but hey. So we're gonna get around to zero trust. I want to know what the lay of the land looks like for that space at our point in time. You also, last time we had a chat at the ICS conference in Denmark, it wasn't that long ago, but it feels like it was a long time ago, you actually taught me the history of Zero Trust, which I thought was a fun story which I didn't know about, so I think we should, like, the term Zero Trust. So, if you don't mind repeating that, that'd be awesome. Yeah, and you also touched upon something I've never really heard before. I'm not sure if it's something you made up, but it sounded really smart, and it was the concept of risk hunting.
Speaker 1: Yes.
Speaker 2: So let's start with the history of the term Zero Trust, and then wiggle, figure it out, and we'll end on risk hunting, yeah.
Speaker 1: So, look, if you don't know where the term came from, it actually came from Forrester, from a guy I know, John Kindervag. So he was a researcher at Forrester, and actually I met him in 2010. I was actually at his seminar or his session, and it was actually called No More Chewy Centers. And the reason he called this paper that he wrote around it that was he saw that networks were soft in the middle and hard on the outside, right. We had a perimeter around the organization and he was saying there shouldn't be any, you know, soft inside, right. We need to adopt the zero trust model. So yeah, so I sort of got introduced to this concept, this idea, very early on, right in 2010. But now I've sort of been researching and, you know, getting curious about it more, you find out that actually some of these ideas go further back. So if you go back to 2004, there's actually something called the Jericho Forum, and the Jericho Forum was just like people like myself. A group of CISOs got together and said, hey, the whole perimeter is disappearing and people are more remote and we can't secure the network like we used to. Right, there needs to be a better way, right? So they made these 11 commandments. So I do try to get people to go Google this, look it up, there's 11 commandments and they're fun to read, right? Because when you read them you go, huh, okay, they actually make good sense today, even though this is, wow, yeah, 20 years ago, right, yeah.
Speaker 1: So it all sort of started with the Jericho Forum, and then, you know, 2010, we had at least the term Zero Trust. And then I think what happened next was, you know, implementation-wise, when I actually remember sitting down with John and saying, hey, John, love this idea, zero trust, least privilege, only allowing people what they need access to, removing the attack surface. So I really liked the idea. But when I went and thought about how do I implement it, that's where I was like, somebody, please help me, how the hell do you do this? Right? And I can tell you now that in 2010, there wasn't a lot of ways of doing this. Luckily, a little earlier, software-defined networking was starting to catch on, and I think that's what's helped us today to be able to deliver this type of technology, but it was actually Google. Have you heard of BeyondCorp? I've heard of it.
Speaker 2: Didn't know what it was. Yeah.
Speaker 1: No, so BeyondCorp was, if you remember, there was a breach with Google very early on, the Aurora breach, I think it was called. But after this breach, Google then started to think about, okay, how do we stop this, how do we design our systems? And they did this Identity Access Proxy, it's called. This was their design. So they actually shortly after, I think it was 2006, released a whole lot of information. You can even go to beyondcorp.com and you can actually see they've actually shared this out. So they started to really lead the market in saying, actually, we're actually starting to do Zero Trust. That was pretty exciting, right. Now, where it really started to, I think for me, when it started to really sink in and when I started to realize the power of this technology and this concept was around 2015. I was one of the first companies in the world to actually beta test in production what we call today zero trust network access. So this is almost 10 years ago now that I was looking at and testing this technology and trying to understand it. It was mind-blowing to think about what we were able to do back then. And then, you know, fast forward all this time.
Speaker 1: Right, I've always been an advocate of zero trust and always saying, hey, you know, we need to adopt zero trust. And Gartner was saying, I remember doing a presentation in 2018, it must have been, and presenting that in 2021, 60% of organizations would have dropped their VPN and they would be using zero trust network access. So I was like, yes, we're gonna be more secure, we're going to have less headlines of breaches and other things for organizations. And then I remember getting to 2021, and I think we were a little over 10%, 15% or something like that, right, nowhere even close, right. And then they had the stats for 2023, and I think that was 70%, and now there's a stat for '25. But again, we seem to always believe that the adoption is going to be a lot higher. But unfortunately, it seems that companies are, yeah, it's hard, change is hard and it's not so easy for companies to adopt this technology, it seems.
Speaker 2: But, Tony, there was something about a firewall, like the word zero trust. What was that? That was like the new part for me.
Speaker 1: Yeah, so yeah, that's a good point. So look, the actual term zero trust. So you might not be aware, but John Kindervag, he was a practitioner like I was, and worked on the very first firewalls, right, the firewall like the Cisco PIX firewall. And these firewalls, the way they were built and designed, they had like a trust model. So, to put it very simply, when you would take this firewall out of the box and you would plug in your RJ45 and plug it into your computer and you would start getting on the console, right, and you configure it, the first thing you really had to configure was, hey, this interface was outside, the internet, so you would give it a name, outside. And you have another interface on the inside, which is your corporate network. You would say, hey, the name is inside.
Speaker 1: And then the next command you would actually do is you would set a trust level, also known as a security level, so a trust level, and what you would do is you would say, hey, the inside interface, that would be 100. Trust it. The outside would be zero. Don't trust anyone on the big bad internet, right. And then if you had other interfaces, those would be somewhere between one and 99. So if you had a DMZ, that might be 50, right? And when you set it up in this way, the trust model on the firewall would say all traffic from 100 to 0 is allowed by default. So all traffic is allowed from the trusted network, inside the network, towards the internet. All traffic from the internet towards the internal network is not allowed. So that's the basic rules you would have as the firewall. And I actually do remember when I started, now this is going back probably around 2008, when I started, I remember looking at the firewall configuration and going, why are we allowing everything outbound?
Speaker 2: from our data center?
Speaker 1: Right, and you know what the funny thing is? I still see even this today. Companies actually say, well, you know, it's just easier for me to have an outbound rule that says allow everything out, because everything in my data center is good. Right, and you probably remember, do you remember the SolarWinds, right, the SolarWinds attack? Right, that was on some infrastructure that was in the data center. For those people that had a zero trust model that said, hey, my SolarWinds server can only access these resources on the internet for updates, sure, you would have got the bad update, but that's it. Right, it wouldn't have then communicated to these other areas. So, yeah, those companies that have really adopted the zero trust mindset of saying the server only needs to communicate to these things on the internet and spent the time doing this, right, they were saved from some of these sorts of attacks. Right, and that was a hard one. Right, that was a very difficult one to stop.
Speaker 2: Okay, but the term zero trust comes from a Cisco PIX firewall from back in the 90s or something like that, basically? Yeah, because what he asked was, shouldn't all the interfaces be zero?
Speaker 1: Shouldn't we just configure the firewall with zero, zero, zero? That means no traffic is allowed in any direction, and then you would specifically have to put in policy, least privilege policy, to say this resource has access to this resource. So that was really the idea and that's where the zero came from, zero on the PIX firewall. So probably not many people know that, but it gives you a little bit of an idea, a little bit of the history and where it actually came from.
Speaker 2: I always learn more when there's a story involved. That's why you're here, Tony. Okay, but you said in 2016, you were at MAN, right? Huge, I don't even know what to call them, a bus company, they just make big machines company. Exactly. Yeah, manufacturer. Yeah, that's the word for it. You said ZTNA. What does that stand for again? Zero Trust Network Access. Yes. Was that your first
Speaker 1: encounter with zero trust as an idea? So, look, as I said, like about five years prior to that, I had been introduced to the idea by John Kindervag, so I sort of knew of the concept and knew of the idea, and I thought it was a great idea and I was trying to, at least in places where I could, for example, the data center. I could apply zero-trust principles on my outbound traffic from my data center.
Speaker 1: And I managed to do that, right, and that's probably one of the first sort of things that I did, but it wasn't until 2015, where then I had some technology that was able to do very granular policies, not just for workloads but for users. Right, I could apply it to my users, I could apply it to contractors, I could apply it to my OT environments. And then when I started to go down this, then I think that's where it really, that's where it sort of set in my head, okay, now I'm getting an understanding of how this can impact the security and the posture of the company. If I just stop real quick, like, why do you want to?
Speaker 2: I'm thinking of the use cases for why you want to block traffic from inside your walls to outside. I'm thinking like callback to Cobalt Strike. Or I'm thinking of stopping data leakage. How many other use cases are there? I know it's a dumb question. I should probably know the answer to this.
Speaker 1: You know, it's sort of interesting, right, because I actually always thought I had a plan. I drew up a plan, like a 10-year roadmap, of implementing zero trust, and I actually remember having zero trust completed, like it's done, but I just laugh at myself now that I thought it would ever be done. Right, because the actual concept itself says you, as a user, you should have access to maybe this application, but you can even take it further: you should have access to this application, but only this data set. So how far do you want to go with that sort of least privilege? Right? And of course, the idea is, like, if you only have access to some systems and some data, then if you're breached, then of course that reduces the risk of what I could leak from your company.
Speaker 1: And one of the biggest problems we have today, and we still see it with many companies, is obviously VPN. Right, because what a VPN does is it just gives you complete network access. That means I have access to the entire network. I may not use all the applications in the network, but I still have access, and I suppose that was the fundamental change in 2015, where we switched these around the other way. So think about it: a VPN gives you access.
Speaker 1: Then I would connect to the application and it would say, who are you? Authenticate, who are you, and you would say who you were. But now we flipped the model and said, no, no, no, we are going to find out who you are first. We're going to say, who are you, what device are you on? I'm going to check all the things I need to check first, and then, and only then, will I connect you to where you need to go. And that was a complete, fundamental change from where we had been, giving network-level access, to then actually giving access to an application based on context, based on who you are, what device you're on.
Speaker 2: And I'm just thinking, is that why people are never done with the zero trust journey? Because all of a sudden I move to London and I work there and I have access to different stuff, and so then I have to keep that process going? Or is there more than just the fact that people move around in a company that makes it so that the journey is never done?
Speaker 1: Yeah, I mean, that is still a problem today, right, and there's a lot of technology out there trying to solve some of those problems. That, yeah, you and your role, you get access based on your role. But, yeah, often what happens in companies, you move and we don't revoke those accesses for the role you used to have, right, and probably you just get more and more access. But I suppose that's why, you know, NIST did a pretty good paper, 800-207, if you want to look it up, it's called the NIST Zero Trust Architecture, and actually in that paper there's some really good references of what you need to do architecturally to be able to build a zero trust environment. And they talk about continuous evaluation. So it's not okay just saying, hey, Robbie, you have access to this application and it's all good, and then leave it like that, right, we need to continuously evaluate.
Speaker 1: Has your security posture changed? Has something changed that I may need to revoke your access? Yeah, and if you think about the very first implementations of zero trust in the network, it was network access control. I mean, this came many, many years ago and there's still companies that are still trying to go this way. But network access control is fundamentally: I do some checks, you are then allowed onto the network and away you go. We don't continually validate who you are and validate your device and validate everything every time you connect to an application. No, no, we just inherently trust you always until you come in, maybe the next day. Right, yeah, so that is not, yeah. So that's why we are always continuing to improve and try to get more granular, get more context, because context matters. If you don't have good context, how do I know what policy to enforce?
Speaker 2: I'll say it like this. So if network access is getting into the, I don't want to use the castle, because we're going away from the castle. There's no more castle and moat with zero trust. I know that, but just as an analogy. Listeners can think of something else themselves, but like getting in the castle, getting to that front door, is like network access, and then getting into the room you want to go to, the further you go in, the more controls you want to have, and that's kind of the journey that you want to do. Right, but where is that? Is it just always? That's it.
Speaker 1: So if you want to think of an analogy of like, how does, you know, because you talked about the castle, right? So the castle is the old way, right? You just open the door, you live in the castle, and, you know, even better, VPN, what is that? But if you want to think about it, it's just like underground tunnels from everyone's houses, right? I mean, you know, everyone is allowed in the castle, right? And if that user is compromised and they're at home, guess what? They have access to everything in the castle, right? So that's a great analogy. But if you think about zero trust in this way, think about it, when you come to the office and you're going to visit somebody. So let's say I come to your office and I come to the reception, then I'm just not going to walk in and walk around your building. I'm going to come to the reception and she's going to say, hey, who are you here to meet? Robbie. Okay, who are you? Can you show some ID? I'm Tony, right, so I'd show my ID and she would go, okay, yeah, yeah, check.
Speaker 1: Yes, the policy says, yes, you're allowed to go and meet you. So, rather than just letting me go and walk around your building and pop in all the different rooms, she would escort me to your room and I would have a meeting with you, and then you would call her, or him, to come back, and then I would be escorted back out again. So what did I get access to? I only got access to your room and you. You can think about your room and you being the application, right, but I wasn't able to roam around the whole building. I couldn't go into every room and see what's there or steal anything. Right, I didn't. Nothing was stolen, yeah. So I think that's a good analogy. If you think of zero trust, it's really just allowing people what they need access to.
Speaker 2: Yeah, so, and that's like a constant thing, since everything's changing all the time and, you know, new things get added. Where is it, like? I've never seen on LinkedIn that somebody has, like, a... Well, I have seen people call themselves zero trust soldiers, but I didn't know that was like a job role. So who, I mean, what is, like, a typical... What does it look like today to operationalize zero trust from a people perspective? The best ones that you meet, I'll rephrase it, so keep everything inside. That's a question, but also just like the ones that have, the ones that you're most impressed by, the clients you meet today that just have their shit together when it comes to zero trust, and I've just, they get an A plus from you. What does that even look like?
Speaker 1: Yeah. So, you know, I get to see so many companies, in so many different ways, doing this, right, and the biggest problem I see is that because zero trust is not something that sits in your network department, it doesn't sit in your security department, it doesn't sit in your identity, right, it sits across all of us, right? So if you think about all the teams that need to be involved in a strategy of driving a zero trust architecture and concept, you need lots of people in your organization, across from your identity teams, your network, your security teams, and they need to all work together. And often we've built companies in the past being very siloed, right. So we have the network department. That's doing one thing. We have the security department trying to secure everything. The network department, they have a goal to make sure, you know, packets are moving as fast and reliably as possible, yeah, and then the security are trying to secure them, yeah, and they're quite different goals, and so what we often see is that there's a misalignment with these two and that can really, really slow you down. So that's one thing we see out there.
Speaker 1: The other thing, and I've talked a little bit about this before, but zero trust is a journey and I think that complexity is also the enemy. I think complexity is the enemy of security. We ended up now, many companies have, I think, on average, like 50 security products, so you have a lot of complexity and that also slows you down. It doesn't mean they're secure. I can tell you that now, I look at the many companies that have lots of products, it doesn't mean they're secure.
Speaker 1: It means that they've invested a lot into a lot of products, but are they configured well? Do they have good policy? Often not. Legacy, that's also really hard in organizations. You've got an old system or something and you need this in the corner and no one knows how it works, and that's holding us back. And then, probably the last part is the mindset. People don't like change. I actually call it the popcorn theory. Have you made popcorn before? Like the way in the pot, in the old pot? Have you done that?
Speaker 2: before. Yeah. Oh, wow, yeah. You put some butter in the pot, throw the little, whatever those bead things are, in there and they pop eventually.
Speaker 1: Yeah, yeah, and you notice that when you do this, right, there's always a few of the popcorn that pop first, and a few that don't pop. Yeah, ah, there's also, yes, I'll get to that, but there's a few that pop, right. People like me, right, I pop early and boop.
Speaker 1: I'm on this journey, I like change and I think, you know, 20% of the people in your organization love change and they will lead and they're change agents. They want to, you know, be the person to stand up and go, we're going this direction, come along with me. And then you have the 60%. They're all the other popcorns that pop along during that time and they will come along with you. But the disappointing part is there's always people resistant to change, and there's those corns left in the bottom, the ones that don't pop, and I always say, don't underestimate how they can hold you back, especially if they're in certain positions, because they will try to say, no, we've always done it this way, we need to continue to do it this way. And there we just really need to make sure we, you know, the majority wins, right, you want the 80%. Make sure you get them and empower them, right. Empower the 20% that want to do change and empower them to drive change.
Speaker 2: We talked about it earlier. The word is inertia, right? So I guess the ones, you're never done with it because it's an ongoing thing, but most, a lot, just don't get started because they're "don't fix it if it's not broken", they think in their minds, and they don't want to change whatever they have going on.
Speaker 1: Yeah, exactly, and, you know, like you just said, don't fix what's not broken. And actually I think, and I've been in this position, we are sometimes scared to make change because, you know, if you make change there's always risk. You've got to break something. You know, technology is complicated. You can have the best plan and you can go into migration, and we see it all the time, and, oh, things don't go the way planned and they take a lot of effort. So, you know, sometimes we're not wanting to do change because we're scared of breaking something. But then the problem is, yeah, the company gets broken in another way, right, yeah, right, by an adversary, by a ransomware attack, yeah.
Speaker 1: So, it's, like, you know, being able to balance that risk of change against the risk of the unknown. I think that's been difficult for many companies, and I think there's two types of companies, right: the ones that are almost breached and then maybe accelerate their change, or the others that are just too far behind and end up in the wrong place.
Speaker 2: I feel like everything you just said kind of sums up to the companies that are doing zero trust correctly. They're like the most aligned, like they've understood that, yeah, identity, network, they have their goals, I have to understand their goals, and we have to come together to make this work and operationalize it for one common good, basically, and we have to understand that this is actually, what we're doing today is not ideal. So we have to go towards this new path, even though it's going to be hard and we have to figure out a lot of things. We have to do it. Those are the ones that have come the farthest in your mind. Okay, interesting.
Speaker 1: Yeah, no, we, I mean, change is good, especially in, you know, where, if you think about technology and the acceleration of technology, think of AI and ML and everything now, and adversaries leveraging that, you know, we also need to leverage it as well. Right, so we have to adapt. And you talked about inertia. Right, the adversary, they don't have a lot of this. They don't have much inertia, but we do. Many, especially like organizations, have a lot of inertia and that's difficult.
Speaker 2: Elephants can't dance. I was thinking, zero trust, right, let's say you said when you started using ZTNA, I never remember, the Zero Trust Network Access. When you start there, what does the evolution of products look like from a, because I assume that is a product. I think that's what Zscaler calls ZTNA, right? But what about all the other acronyms that you guys have as part of your product? Where do those fall along that journey? And are all those, SASE, SSE, something that is never-ending?
Speaker 1: It is more of a concept and a change, a mindset change, and you have to get started, right? I quite often have companies and they go, hey, we're just not ready. I'm like, ready for what? Like, oh, but we don't have our identity. You know, we don't have our identity. We need to do a lot of work on that before we can do the zero trust. I'm like, okay, one thing is clear, that there's never, ever a good time to start. There's never a good time to start, and the longer you wait, the further behind you're going to be.
Speaker 1: And I always sort of try to look at this from a risk point of view. So, for most organizations, what is your biggest risk? And find out what that is. Now you could go to the business and try to work out what do we do and what processes and technologies are there. But you could also look at it from the other point of view and go, okay, what brings the most risk to my organization? And if you look at it, you will say, my users do. It's the people. So it's the user that gets the phishing email, that clicks on it, that downloads the malware, and then that device ends up being the risk, because the adversary has now got command and control and they're going to now laterally move into my crown jewels.
Speaker 1: So if you just take that as one example and go, okay, let's forget about OT, IoT, workloads and all that, let's just focus on doing zero trust for the people in the corporation, the users, and just start at that point and just go, yeah, let's deploy. And, you know, you don't even have to do a big bang, you can slowly deploy, you know, thousands at a time or hundreds at a time. Right, you don't have to do a big bang. You can slowly move them away from VPN. You can slowly move them towards zero trust. So it doesn't have to be a big bang, it can be over time. And then, once you've done that, then you can think about, oh okay, now what about my workloads? Oh okay, what about OT? What about IoT and manufacturing? If you're a manufacturer, what about my factories, my warehouses? But you need to start somewhere. Yeah, and picking where that is, yeah, you just need to start somewhere.
Speaker 1: You just need to find an area and say, okay, yes, this is end of life, like for me. When I started this, actually I had a firewall that was a third-party access firewall, right? So actually the very first people to actually get this stuff were consultants and third parties, because I had a problem, I had something that was end of life and I was like, well, let's just, yeah, that would be a great place. I want to reduce third-party risk. So I think, yeah, just finding that area and then just putting a plan in place and, you know, biting, you talked about the elephant, right, don't eat the whole elephant. Just, you know, take small pieces, right, and then you'll get there in the end.
Speaker 2:But, by the way, I really liked your analogy there, like, okay, if users, they you know, they're the I have a device. It's that device that becomes a risk, that starts, you know, doing lateral, allows for lateral movement, blah, blah, blah. What does zero trust look like? So that was zero trust for, like, a user. What does zero trust look like for the? You said workloads, you said IoT, you said OT. Just give me a quick example for those other ones, because I really liked the one that you gave for users, so I want people to remember what you're going to say now for the other ones, yeah.
Speaker 1:So you know workloads, that's a. I suppose that's an easy one in the sense that we've always been trying to do this. Your public attacks are on your data center, whether that's cloud or on-prem, right. Your attack surface is always a target, right, I mean you know it's, you're public on the internet. Any vulnerability, whether that's in your VPN or an application, that's going to be found pretty fast. So that is, of course, when you think of data center, that's your first area of biggest risk.
Speaker 1:Yeah, attack surface yeah, and of course, in the zero trust model, you should really reduce that to what actually John Kindervag calls the protect surface, so only the things you need to expose, right, and you have a protect surface. And then the rest of it you can maybe hide, you know, behind the technology. And then, of course, in workloads, you of course want to stop that: if one workload gets compromised, they're able to move laterally to other workloads. So then that's all about segmenting, segmenting workloads, and that's part of the direction of the principle of least privilege within workloads.
Speaker 1:This workload should only talk to these workloads, same as these users can only talk to these applications. So that's, of course, a great area to improve on and there's lots of products and other things out there to do this. And then I suppose the OT and you know we met at the conference and this area is still evolving. I feel there's not enough talk about zero trust and OT. I feel, and look, it's a difficult area. We know that OT is a lot of legacy, it's critical infrastructure, it's a lot of areas that are difficult to maintain, difficult to even change anything in these environments, right?
Speaker 2:You think IT had inertia.
Speaker 1:Yeah, yeah, yeah exactly, the OT inertia is like massive, right, and yeah, so that one. We need to be obviously careful going into that and, you know, we need to make small steps again. But again we've seen now new innovative technologies like AirGap and, you know, putting everything in a network of one. That's fascinating, right. So there are technologies out there to start to segment out the OT network. So I'm hoping, I'm hoping that we will get there and OT will come along with the journey. But as always, always, I think some of that is always lagging the corporate technologies.
Speaker 2:Yeah, just really quick. I know it's a product pitch for you, but I thought it was interesting. You said that you bought a company. Zscaler bought a company that just put like a 30 slash 32 and made it its own network or whatever. Can you just explain that really quick? Just because I thought that was uh.
Speaker 1:Yeah, look, it's really interesting because I'm sure many listening may be on their mobile phones. But the telcos have done this for years, right? They always put you in your own network. So if you look at the IP on your mobile, you'll see that it's an IP address over slash 32. So it's in its own network, in its own subnet. So that was segmented. That means my telephone can't talk with your telephone, even though we're on the same mobile network. And that's good. That's good for security, right? My phone shouldn't be able to directly talk with your phone.
Speaker 2:Unless I call you right Now. I'm confused.
Speaker 1:Yes, that's different, right, because when you call me, you will call Apple or whoever, or your telco, and then the call comes back. Right, so there's actually an exchange, right, that you connect to, you connect to the exchange and the exchange will call you back. So call the other person. Authentication, yes, exactly, as you will, like our Zero Trust Exchange. Right, like a switchboard. We especially call it like that because we are like a switchboard, connecting the right user to the right app.
Speaker 1:But, yeah, if you think about this idea of just putting everything in the network of one, then you prevent lateral movement. But the advantages are that you haven't reinvented the whole network, you haven't restructured the network. Right, you still have the same IPs, you still have the same VLANs, you still have the same infrastructure. So you haven't changed a lot, you've only changed the subnet, yeah, and then, of course, if we can become the default gateway and that's one obviously migration point you need to do then we can now see all the east-west traffic and now we can use machine learning to tag it and make policy, a zero trust policy. So a very simple approach. But I think we need simple approaches because we're not going to make it if we just say we're going to have to rebuild all our networks and upgrade all our switches and redesign everything while you're in the middle of manufacturing.
Speaker 2:I'm aware of a company that has done that and they realize that whatever they spent two years, it's not going to work. Maybe I should tell you to give them a call. We could take that offline. Anyway, I love the conversation we're having so far. What does it have to do with risk hunting?
Speaker 1:Yeah, risk hunting, so, oh yeah. So this one's a bit of a team effort actually, and a lot of my colleagues and us. We obviously get to talk to lots of customers and we also get to talk internally with each other, and one of the things we've always sort of talked about is, man, you know, like, oh, I went to this big customer and we do this thing called a policy review, where we actually look for areas that are maybe not configured properly or areas of our platform they're not leveraging right. So basically what I'm doing is trying to get our customers to leverage our platform as good as possible right, so that corporation is protected as much as possible with what they've got. And when I go in sometimes I see like, oh my God, like you know the firewall rule, the last you know they've got firewall rules, but the last one is allow any any.
Speaker 2:One rule to rule them all. The last rule.
Speaker 1:Yeah, yeah, yeah, exactly. I'm like. So what are all these rules for, when the default is, you know, allow, and you know I take it back? And I just think, oh, like, why is this? Why are? You know? These are big companies that have a lot of resources, a lot of people, a lot smarter than me. I'm like.
Speaker 1:So why are we sort of stuck with companies that have great technology but the actual adoption and the way they've operationalized it and implemented it is not right? So then we started talking about what do we actually? What are we doing when we're talking to customers? And we came up with this term risk hunting, because what we're actually doing is we're looking for risk. So I'm going to a customer and saying, hey, where is their risk? Oh, look, here I found a policy that is way over permissive. It's not agreeing to the policy, it's allowing everyone to the internet. Yeah, one I really like to often talk a little bit about is you know, many customers are connecting to Microsoft and that's becoming a threat. You need to see what traffic's within Microsoft. Threat actors are now leveraging Microsoft, Google, AWS platforms to do their attacks, just abusing their trust.
Speaker 2:It's Microsoft. You have to trust it right.
Speaker 1:Exactly, and the zero-trust principle is look sure, there's companies you can trust, but you can't trust all the consumers that are on those platforms. I can go and buy a credit card and buy my Microsoft tenant, yeah, so that is that and that is a problem. So if we just say, hey, I just allow a big rule that says allow everything to Microsoft, yeah, but that's not. That's not how we should think. We should be thinking okay, my tenant, that's okay, cause it's my tenant, my data allow that, but for other tenants my users are connecting to, yeah, then we should think do browser isolation or or at least inspect the traffic or do something else to make sure that nothing bad comes down to the user and none of your data leaves.
Speaker 2:Interesting concept, because obviously my mind went to threat hunting. I think the question I asked you at the conference I think we were drinking a beer at this point maybe but I think I said yeah, you're a mature client, you're doing threat hunting at that point because you have your other basics of security monitoring in place and you're doing threat hunting. Is risk hunting kind of like a mature function for GRC, or where should I put that in my head?
Speaker 1:So my other colleague, Sam Curry, he would say GRC is big G, little r, right, yeah, and it's the r, the risk part, that we need to work on right, because we often do a lot of the other two. Right, we're trying to be compliant, and yeah, and we're trying to do all that. But then if we look at the risk part and say how well are we actually evaluating risk and doing this part, then if you think of, I would say, like threat hunting is good if you're trying to find a threat actor that's already compromised a device or your systems, for example, a nation state. They will come in, they want to stay undercover, they want to sneak around, collect intellectual property. So for those threat hunting makes perfect sense. But for a ransomware attack, these happen fast. I mean, CrowdStrike gave some good figures around this. I think what?
Speaker 2:was it Two minutes or something?
Speaker 1:now yeah, two minutes between the breakout time they call it, from when you compromise to when the threat actor then actually moves. So that amount of time is coming down, down, down. I think it was like nine hours about five years ago, right, and we've got down to literally minutes, so that's coming down. Then, to prevent a ransomware attack, I can't react, I can't have my security operations center save the day. So then we need to look for risk and that's a proactive measure. It's being proactive in the way we look for risk and find risk. And if I find risk then of course I have to mitigate it right, mitigate the risk before it happens. So I sort of look at threat hunting being more of a reactive type of way of doing security and I look at risk hunting being a lot more proactive and I really feel we can do a huge amount out there on this. We can do a lot more and let's hope that AI and ML will also play a part in helping us find risk, right?
Speaker 2:Yeah, I just had an episode on. Have you heard of the term CNAPP? Yes, yeah, CNAPP. So I just what I learned about the CNAPP thing because I was asking the guest, like can you do this as a human without having the tool? And he's like, yeah, well, you can. You can read those API calls and try to map it all out in your head, but good fucking luck, you're going to be sitting there forever, right? So like it's not, like it's impossible, but it's just machine learning and AI, if I can call it that, that will just understand and be able to point out hey, this isn't good, this is good, this is good. So you kind of need AI or ML to help you with risk hunting too, because you just don't have manpower or you won't have an employee very long if you make them do that with their own eyes, right, yeah, yeah, if you think of it, it's like when you talk about attack surface management, but it's also attack path management, right?
Speaker 1:So if I compromise this, then what does that lead to? And that's also around CNAPP, that's very much involved. But, yeah, understanding, if I compromise this server, what business process is that going to affect? I mean, going down to that level right and mapping all of that out is going to be really important. A breach attack simulation could we even use MITRE, which has a great framework? Could we use that to simulate attacks and make sure we find out where is the risk for my organization and my vertical? Where can I close the gaps? I think that's going to be an area that we need to do a lot better at.
Speaker 2:That's interesting. I think the way you just described that right now you would help sell a lot more breach and attack simulation than anybody else has ever sold, because nobody. I feel like that's like in my mind. I thought that was like advanced pen testing, like you have to be really have your shit in order to do that, but it's almost something you should be like starting with, because it's proactive, right, like hey, let's, we won't be able to. Yeah, I don't know. I think that is a different way of looking at it. It's interesting. I haven't heard it before.
Speaker 1:Yeah, yeah, I think we're starting to see some of this, right, we're starting to see breach attack simulation picking up and look, it's not easy, right, to do that type of simulations, but I sort of feel that's where we need to move. We need to move in that direction, right, because technology is complex and attack paths are infinite to some extent. Right, and, as you said, we're not going to, humans are not going to be able to look at the systems and go, oh yeah, yeah, look look there is the problem right yeah.
Speaker 2:Yeah, so you actually can't use humans for exactly that risk? I mean the way that you and your colleagues are doing it. By the way, I wish every vendor would actually look at what their customer has bought and like, hey, by the way, you guys should be doing this, this, this, uh, but so? But in your in the Zscaler context, you were literally looking like, hey, here's their portfolio, what they have from us, at least we think they would get value, or this is a risk for them, for a client. The risk hunting approach is that. Have I understood it correctly that it's kind of like a combination of breach and attack simulation with crown jewel protection, or what do you want people to walk away with? Risk hunting as the yeah.
Speaker 1:So, look, I think what our idea around risk hunting is is that, you know, I wrote an article a while ago, a fool with a tool is still a fool, right, and that was my frustration, right, my frustration of, hey, sometimes we have great technology and we often do, but often we fail to operationalize it and actually have people that understand least privilege, understand how to write policies in the right way, and that's always going to be. You know, we lack a lot of resource in that area. That's always going to be a problem. And I think risk hunting, I would hope, would be a, you know, a service or an idea of you know making sure it's, you know, call it SecOps or you know AIOps, whatever you want, but to help the humans do a better job, right, in combination.
Speaker 1:If we think of AI and us creating policies together, you know, and getting some feedback. Oh, maybe this policy could be done in this way. Yeah, it's a pretty bright future when I think of that. On our side of the fence, we can start to leverage some of these technologies to make sure we're actually, you know, we're going to take the fight with the adversaries and we're going to keep up with them, right.
Speaker 2:And one more last thing on this topic of risk hunting. How does that relate to zero trust? Just to bring it full circle.
Speaker 1:So zero trust is least privilege and we often see that is best practice. I share least privilege policies but often risk is there. We need to find the risk and do some risk hunting to find out where are my policies? Do I have misconfigurations? Do I have risk? How do I get that zero trust concept to be that really least privileged access, very granular, and I don't have gaps in my policies, because that's always hard, right. It's really hard to get to that place where you say, look, I've finished, I've got every user and every application, I've got every policy in place and it's perfect. Right, there is no perfect. So we want to just be able to get as close as possible and I think risk hunting can help us at least get closer towards the zero trust concept.
Speaker 2:And I want to let you go on that, but I can't. Is there a product for this today somewhere? Or is it just an idea that you have to put different strategies, slash products together to accomplish that goal?
Speaker 1:Look, I always think we never lack products and innovation and other things, and especially here at Zscaler, we're always innovating and trying to think up new ideas. So, look, I think there is some. You know, there's certainly products out there and certainly we have some of them right, and we don't have all of them right. We're not a believer in, you know. Don't come to us and say, hey, Zscaler, can I please buy Zero Trust?
Speaker 1:I hope everyone's takeaway today is that Zero Trust is a mindset and it's a concept that involves many products and many moving parts. And don't go away and also think that you can just do zero trust with one vendor. Don't think you can go away and do it with 50 either, because that probably won't work either, because you end up not having the integration. But then pick an identity provider that you want. Pick somebody that's going to be your policy enforcement point, like Zscaler. Pick somebody that's going to be on your endpoint to do another layer of protection, like CrowdStrike or whatever, and then together make sure they work together to give you that zero trust concept.
Speaker 2:It's the best vendor neutral answer I've ever received from a vendor, Tony. I try, I try 10 out of 10, A plus. So do you have any closing thoughts, anything that you're going to use your brain on moving forward?
Speaker 1:No, no, no. I'm just look, I get up in the morning and I talk with lots of customers and it's also great to be on your show and, you know, get to be heard a little bit and make sure that I can, you know, add some value out there, right, to make the world a more secure place, right? So, you know, I'm trying to help my customers be secure. But if I can just help even somebody that's listening out there say, oh, actually, maybe we should start there, maybe we should just get rid of our VPN, right, and that could prevent that ransomware or that me reading in the headlines, then I think okay. So so, yeah, my job is done. It's never done, but at least I'm making a slight impact. So I appreciate the time.
Speaker 2:I really appreciate the time I was thinking about. The other day I've had like I don't know, we've had 130 episodes or something like that and somebody's like you know, it's just kind of like your blog, you're just learning with other people listening, and I was like, oh my God, that's not good. And I thought, well, you know, it's kind of sometimes nice when that one guy in the crowd asks a dumb question or you know he thought it was a dumb question but a lot of the room actually like appreciated it. It was like that was definitely something new for me, yeah yeah, no, no.
Speaker 1:It's a great field to be in. We're always learning right and that'll never stop.
Speaker 2:I'm looking forward to having you on here next time, Tony. Take care in the meantime. Very quick Thanks, Cheers. Well, that's all for today, folks. Thank you for tuning in to the Mnemonic Security Podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast at mnemonicnh. Thank you for listening and we'll see you next time.