Nov 22, 2022 • 56M

Adopting Zero Trust with Chase Cunningham: The Doctor is in

Open in playerListen on);
Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology. We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.
Episode details

Catch this episode on YouTube, Apple, Spotify, or Amazon.

This week we chat with Chase Cunningham, Doctor Zero Trust himself, about the decade-overnight success of Zero Trust, how he got involved with the concept, and methods for navigating vendors wanting to shape the concept. For those initiated into the world of Zero Trust, you are no doubt familiar with his podcast, regular LinkedIn musings, and history as a Forrester analyst. Beyond the podcast, Chase is the CSO for Ericom Software, has a long history in threat intel, and built a significant track record while at the NSA as a chief cryptologic technician.

Chase's Suggested Reading

We always ask our guests what resources they would point people to if they wanted to learn more about Zero Trust, and Chase suggests the following:

Bonus Reading

And we certainly can't forget Chase's book as well:

A Dash of Zero Trust History

When Chase began working with Forrester, he may not have been thrilled with the idea of taking over Zero Trust after John Kindervag spent years shaping and molding it. However, he did take it in stride and pushed the concept to where it is today.

"They were like, Hey, you're gonna take ZT? And I was like, oh shit. Like something somebody else had and now I gotta polish this, whatever. And then I really started looking at it; I think what's missing here is a framework so that the vendors can understand what they do in the context of this," said Cunningham. 

Zero Trust was officially on its way to moving from a purely philosophical standpoint to what we now see from NIST, CISA, and other organizations who have built architectures and other related resources.

"Because the moment that we published the extended ecosystem framework, the deluge of vendors that just came running into the space, were like, oh, thank God, we've been waiting for this. And I think it formalized, like you said, the philosophy into something people could gravitate towards and go, okay, I understand what my piece of this puzzle is, and then you work your way forward from there."

And now, possibly entirely because of Chase, we see every security vendor under the sun using some form of Zero Trust or Trust in their booth messaging at RSA and other events. Insert I'm the problem; it's me, gif here. That's the safe way to highlight TikTok trends, right? Jokes aside, Chase helped further refine Zero Trust in such a way that ZT became extremely relatable to security vendors.

Cutting Through The Noise

If you've ever been part of analyst relations for a security vendor, you know the role is essentially a lobbying position. From SOAR, XDR, and even security awareness training, most categories are based on technology rather than a strategy or concept-based system. 

For these categories to exist, a vendor will start to lobby that their solution has enough differentiation to warrant a new spinoff (such as moving from SIEM > SOAR > XDR), which feeds into things like hype cycles. However, Zero Trust is not about technology, and much of the initial groundwork was born within Forrester itself by way of John Kindervag.

On the receiving end, before his current role, Chase has heard from dozens of organizations who tout Zero Trust solutions while he was at Forrester, each attempting to shape the concept around their technology.

So how do analyst firms and people like Chase navigate these scenarios?

Neal eloquently broke it down to the technology to relate to Zero Trust, which is an entirely suitable method but doesn't need to bury itself in the buzzword. For example, identity and access management is critical for Zero Trust to function, which is solved by policies, implementation, and related tools. 

Does it make sense to call something an IAM or IdP platform, or should they slap the Zero Trust sticker on it? For anyone who has listened to our previous episodes, it's clear the private sector sees right through buzzword bingo. This leaves the question, how does Doctor Zero Trust define this concept?

In Chase's eyes, he throws the weight of his Texan background into his definition of Zero Trust.

"Don't trust nothing."

Advocating for Zero Trust the Right Way

Although Chase may no longer be at Forrester, his work there is clearly impacting and influencing his desire to continue the conversation around Zero Trust with his podcast. When asked what his most significant takeaway is and the motivation behind it, he summed it up to positive industry impact.

"There is an audience for people that want to find the honest side of things between vendors and marketing, doing the work and the government, and whatever else. And I mean, I spend the majority of my time trying to find the needle in the haystack of what's actually going on in there [Zero Trust industry]," said Chase. "The other thing that's been really good for me is all the positive feedback I get. Because I try and make it a point every week to go find vulnerable stuff [in vendor tools/technology] and like to point it out to people. I get cease and desist letters from the companies. I have a stack of 'em here on my desk that I, maybe someday I'll make like a, uh, I love me wall out of 'em or something."

As a journalist, I can tell you firsthand that you know you're moving the right haystacks if you're getting cease and desist letters, which in situations like this are often misused to intimidate or silence people. Fortunately, there are also positive implications for Chase's work, too.

"I've even had some congressional senate staffers reach out and be like, 'Hey, that's good because someone's listening. So, you know, I think it shows that there's a real concern about some of this stuff."

Tune into the full episode to dig into other topics like the standardization of Zero Trust and related regulations, the need for greater clarity around ZT, the impact on cyber insurance, and more.

Episode Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

[00:00:31] Elliot: Hello everyone and welcome back to another episode of a c t or adopting Zero Trust. Today we have a wonderful guest, one that I'm sure actually anyone who's familiar with any semblance of Zero Trust will probably recognize the name. Today we have Dr. Chase Cunningham, aka Dr. Zero Trust, aka the CSO of Ericom software.

[00:00:50] How far down are LinkedIn lister we're gonna go, oh, also used to work with Forrester and a few other organizations. Just a few things on the name on your list. So will be happy to put a spotlight on you know, all the fantastic titles that you have, but maybe you would like to give a little bit of a better introduction so we don't I guess, overdo it a little bit.

[00:01:07] Chase: Sure. So I'm retired Navy Chief. I was in the Cryptologic services there. Don't hold it against me. I know that we've got, you know, Marines online, but it is what it is. Then I got medically retired after my last deployment. I went to work for three letters after that as a filthy contractor.

[00:01:23] And then I transitioned over to Forrester, which was awesome. And I left Forrester, it'll be two years ago in January to do the strategy stuff at acom. In the meantime, I manage to get a doctorate and publish some books and write patents and things.

[00:01:38] Elliot: Yeah, just a

[00:01:39] few things. Pens, 

[00:01:41] Chase: Man, I mean, my, my biggest thing is I hope I'm raising relatively useful humans that will soon leave my home and go off and do other things, but that's the real bar for success.

[00:01:50] Neal: I think the key point is eventually leave the house. That, that, that's the key piece. You know, efficiencies are not, as long as they don't have to come crawling back, I,

[00:01:58] Chase: Oh yeah. As long as you can go somewhere else. I've got you to this point. Now go.

[00:02:04] Elliot: So going off that I fortunately do not have to deal with children, so I don't know how any of that works. And y'all are already significantly further

[00:02:13] Chase: and

[00:02:13] Elliot: life.

[00:02:13] Chase: Yeah,

[00:02:13] Neal: There's a zero trust policy for anything that knocks at the door looking for female interactions. trust whatsoever. That's

[00:02:21] how that works. That's how you get into zero trust as a dad with no cyber security background. Your first zero trust piece is what's knocking on that door and is it here for my son or for my daughter?

[00:02:31] If it's for my son. Congratulations. If it's for my daughter, we're gonna need to bill a sale. 

[00:02:37] Elliot: I might have to do heavy edits on this episode. I can already see it. Jokes aside we try never to edit, especially with Neil, cuz that's our entertainment value right there. So that all out there , sorry, I'm just making this worse for but that all out there, I gotta mute him. So again I think where I probably want to jump into first is obviously with your podcast, Dr.

[00:03:00] Zero Trust, you are pioneering really where we're jumping on your coattail so to speak. I mean, you're helping really educate people bring light to different conversations. That's kind of where we're jumping into. I know you've had conversations with the technology vendors as well which obviously makes sense with your background working with Forrester.

[00:03:19] That's kind of, you know, dip bread and butter, being able to help facilitate cut through some of that noise. But know this is gonna be a very broad question, but over the period of time that you've you know, Your doctors, your trust podcast together, you know, what have you kind of taken away from that?

[00:03:35] Like what is the focal point? I know some of your past posts in the past, like month or two, you know, everything's been very organic and kind of driven by just kind of the idea of telling stories. For you personally, what have you kind of taken away from that so far?

[00:03:48] Chase: Well, I think the biggest thing for me is that there is an audience for people that want to find kind of the honest side of things between vendors and marketing and doing the work and the government and whatever else. And I mean, I spend the majority of my time trying to find the, you know, the needle in the haystack of what's actually going on in there.

[00:04:10] I mean, the other thing that's been really good for me is all the positive feedback I get. Cause I try and make it a point every week to go find vulnerable stuff and point it out to people. I get cease and desist letters from the companies. I have a stack of 'em here on my desk that I, maybe someday I'll make like a I love me wall out of 'em or something.

[00:04:25] But the other folks that are not the people that are, you know, being notified of that, they're actually thinking that it's pretty good. I've even had some congressional senate staffers reach out and be like, Hey that's good cuz someone's listening. You know, I think it I think it, it shows that there's a real concern about some of this stuff.

[00:04:42] Elliot: Yeah, absolutely. And I mean, I think at the end of the day and again, writing your coattails and we'll gladly admit to that, but a lot of the conversations that we see come out of, you know, your podcast in particular and just in the space is that I think it is very difficult to define what Zero Trust is, but People like you and in your shoes are doing a fantastic job of being able to help disseminate what that looks like.

[00:05:04] But if you are actually able to, yeah. Sorry. I mean, I'm not trying to make this like the you're the

[00:05:11] Chase: No, I appreciate

[00:05:11] Elliot: but that's where it is. Yeah.

[00:05:14] Chase: it's all, I mean, what's the, you know, what's the thing is the great, the greatest gift someone can give you is flattery, right? Which is, you know, it's cool coming from people that are actually doing the work instead of, you know, when you have the.

[00:05:25] Some vendor that's trying to get, you know, into yours, into your shenanigans there. Oh, it's, we really love what you do, and whatever else. And you're like, oh, which ones did you listen to? And they're like, oh, well, I don't know.

[00:05:35] Elliot: Yeah, it's if I slip you like a couple of grand, can you just say really nice things about me on the podcast? Yeah, super. Totally. That'll work great. And I mean, that's exactly why we build this podcast. Eh, we're probably just not gonna have conversations about, we'll chat with MSPs and eventually folks like yourselves to be able to kind of have real conversations.

[00:05:52] Cuz you know, at the end of the day, who has the most money and who has the most voice? If you do one Google search as you trust, you're gonna see every single product company that's out there. And,

[00:06:00] Chase: they're all zt.

[00:06:02] Elliot: Yeah, exactly. And I mean, you know, your, you know, history here comes out pretty well.

[00:06:06] So obviously having a strong voice and an advocate for true definitions, someone that has an analyst relations background and a government relations background, it's it's not I don't know, it's kinda like a unicorn in the space. Obviously

[00:06:19] Chase: I've had people, I've had vendors confront me about it. Get in my face at events about not being included in something or whatever, you know? And I was like, you know, one of the couple of times it happened was like, number one, this is not the way to go about the process. And number two getting in my face is a good way to make sure you just wound up on the list of you know, people to mess with.

[00:06:40] Elliot: right?

[00:06:41] Neal:

[00:06:41] have no personal fear. I'll call out vendors for I behavior. I don't care. I'll call out my own company I work for, if that came down to it. I, you know, if you're being a jerk, you're being a jerk. And people, I have, I don't have a non-disclosure, non-compete agreement publicly speaking, so Oh, yeah.

[00:06:56] Whatever.

[00:06:57] Chase: Yep.

[00:06:57] Neal: Anyway, no,

[00:06:59] Chase: I can walk

[00:07:01] Neal: Yeah. It's one thing, obviously when you're working in a community like in my background right now is with the ISACs and ISOs and if you're in a trusted community, you're not allowed to talk pricing, you're not allowed to talk technically, overtly bad per se, but you can share experience, but you're not allowed to talk pricing and stuff, whatever.

[00:07:16] We don't have those agreements, so please bash away, we'll republish it for you and put a big banner up that says, you know, so and so needs to stay away. This is the name of the game. Free publicity. But no, that's good stuff. I think what I'm also finding out is that Elliot might have asked you before me to be the beard in the other side of the camera, but I'm okay with that.

[00:07:33] And you know, I agree. He, you know, he could fill

[00:07:36] Elliot: he does have a better voice.

[00:07:38] Chase: Yeah, it's it's, I just trimmed it down my wife for for Halloween. She like did a big Viking deal and I spent like hours with glue in my face and all this beard stuff or whatever it was. It was, it looked great, but man, it was a nightmare.

[00:07:54] Neal: now I'm gonna avoid beard bobs. Anyway, moving forward, we're gonna, we're gonna spend way too much time talking about bullshit. That's good. This is a good part. People like you well, we get there, right? That's part of the journey is in the thing. Real quick on that same note though, back on target slightly, we talked very quickly about the vendor piece.

[00:08:13] I love bringing this up because going to big name brand conferences, whether it's RSA or Gartner, earlier this year, instead of Forrester you know, With all the new tech stacks that have been sold, everybody's very hot to trot on what it means to try to define zero trust. And I think where Elliot's getting to is maybe asking you for what you personally consider the definition, at least at a high level.

[00:08:33] When we think about the fact that vendor A, that's working in actual identity access management says they're only zero trust. And then we've got another vendor who's working in Buzzword XDR and they're like, no, we're zero trust, but they wanna look at the next door name and say, no, you're not doing it.

[00:08:49] We are. And so on and so forth. But really they're maybe chunks of the larger picture. But to, I think we're Elliot's going your definition of zero trust and construct of what you kind of think it is at a, you know, 50,000 foot level to dive into.

[00:09:01] Chase: Yeah. So the simplest way that I put zt for people is I just say, don't trust nothing. I mean, as far as my Texas background goes that's as clean as I can make it. And it's meant to be slightly, I guess you'd say obtuse, because I want people to understand, I, I mean, don't trust anything in a system, in an, in infrastructure by default or because there's a perceived reason to allow trust to occur.

[00:09:26] And Kinder Bog to his credit a long time ago, has been saying this, that trust is a human emotion that we took and shoved into digital systems. And then we've tried to whittle away at it for forever, and we continue to get there. So that's really what, in my opinion, is. Take that position of default zt and work your way backwards.

[00:09:44] And I think that, that's a point to make very quickly too, is I get so much heming and hawing from people about, oh, well you'll never get to zt. It's manageable, trust and whatever. Yeah. It's the same thing as if a bodybuilder tries to go for zero body fat, they die. If they ever hit zero body fat, that's the game over.

[00:10:00] But you're trying to get towards the lowest level possible to still have the results that you're looking for and that's achievable. But the market is not sophisticated enough to go off and go do manageable, trust, do blah, blah. It's, you gotta be pretty flat with it. Zero trust. I want you to try and get there.

[00:10:21] You never will. But that's the.

[00:10:22] Neal: Yeah, I think there's a lot to be said for hype words, right? That gets people's attention. And at the end of the day, it's up to us to actually define what that hype word means, and hopefully push, if you're on my side of the fence as a vendor, hopefully push the marketing team beyond the hype board and actually start showcasing true value prop around the hype instead of just trying to sell the term.

[00:10:41] And obviously your experience at Forrester, I know you never saw any hype words, just specific for pushing product, right? That doesn't happen.

[00:10:47] Chase: Yeah. They have entire budgets for that stuff.

[00:10:50] Neal: No kidding. Yeah. I mean, if you can't market where you're trying to sell and drive attention to it, you know, that's goal one. Goal two is for us to come in and fix it after the hype is there and actually define what it really means, which is, I think, what we're doing now. This is part of the fun, the terms there.

[00:11:06] People recognize it as a concept for ill or for better, one way or the other. And now we get to work within the confines of that and kind of come up with the procedures behind it, which is.

[00:11:13] Chase: It's strategy. I mean, and that's I'm actually working on a paper that I'm gonna put out pretty soon. That's I kind of took the position of, cuz I got so sick of arguing with people about zero trust, whatever else. My position in this paper is, you know what, if you think you can do it better with what you're doing right now, go ahead cuz it just makes my life easier cuz you are the target.

[00:11:32] Like we're running around the Serengeti and if you want to ignore the lions and all the other stuff, by all means go right ahead. This is not a rising tide lifts all ships as long as Chase survives. It sucks for you. And I'm okay with that.

[00:11:46] Neal: Yeah. It's no joke. Yeah. I mean, you, there's only so many lessons learned to pass around and you're right. You know, if your infrastructure survives, whatever apocalyptic scenario comes down after log four, well, whatever happens this Christmas, cuz we know something's gonna happen. Then congrats to you for whatever you did to get there.

[00:12:02] And, you know, maybe you get to write a wonderful blog about it in January about how, you know,

[00:12:06] Chase: You'll be at RSA doing lessons learned in April.

[00:12:09] Neal: Yeah. No, yes. That's no joke. . 

[00:12:12] Elliot: Cool. So I'd love to kinda poke a little bit into your your backlog working over at Forester. I think just having your experience as, you know, with analyst relations and working in the behind the scenes. So obviously organizations like that help breed and create these kind of concepts, buzzwords, or not.

[00:12:31] The structures behind it obviously have rippling effects, so not all of them stick. Some are very much focused on the product concepts around it, and obviously there's basically like lobbying from organizations that maybe Neil and I might be affiliated with. But, you know, what does that look like for a concept that is more philosophical like this to move forward?

[00:12:51] You know, just hopefully like a little bit of cracking the door open and giving us a little bit of behind the scenes, you know, how does that function? How is something I guess still 10 years in the making how long does that really take until it kind of bubbles up into the world?

[00:13:04] Chase: A, a decade long overnight success, right? Yeah. I think what's interesting there is if you look at kinder's early work on zt, John was preaching the gospel and he hitched his horse to that wagon. He was gonna ride it to the wheels, fall off credit to him. But when I came in and John had left, they kind of said, I was actually pissed about it, to be perfectly frank.

[00:13:23] They were like, Hey, you're gonna take zt? And I was like, oh shit. Something somebody else had and now I gotta polish this, whatever. And but then what I really started looking at it, I was like, you know, I think what's missing here is a framework so that the vendors can understand what they do in the context of this.

[00:13:41] Cuz the moment that we publish the extended ecosystem framework, the deluge of vendors that just came running into the space, were like, oh, thank God we've been waiting for this. And it, I think it formalized, like you said, the philosophy into something people could gravitate towards and go, okay, I understand what my piece of this puzzle is, and then you work your way forward from there.

[00:14:04] So it, you know it. The thing about analyst firms that I really love is there's really smart super people doing really good work. But you're paid to kind of run on the knife's edge and some of the stuff that you suggest might just die on the vine. Some of it might take off. It's roll the dice.

[00:14:22] Elliot: Yeah, so I think what I took away from that is it is your fault that everyone at RSA and Gartner

[00:14:28] Chase: Oh, I totally 

[00:14:29] hose 

[00:14:29] Elliot: the That is a hundred percent you're doing. So thank you for that.

[00:14:34] Chase: me. I've ruined everyone's rsa.

[00:14:37] Elliot: Oh, love it. Yeah, I mean, I think that's a really good segue into just kind of the overuse of Zero Trust in general. So I think I think Neil might agree with me on this is it is very safe to say the term zero trust for government space. They have mandates that they're moving towards. So terms there, it's acknowledged they have missed and cisa and other concepts that they're kind of building around.

[00:15:00] For the private sector where obviously we're seeing most of the marketing dollars kind of push towards enterprise organizations or whatnot where's like the diffusion there? Like, How would you, if you had I don't know, an elevator pitch that said what is safe for you to actually say zero trust is as a company not your definition, but like obviously what level is bullshit and what actually is meaningful to a company like an enterprise company?

[00:15:26] Chase: I mean, in my opinion, I'd tell them in the commercial space, it's zero trust, not zero. You don't, you can have faith in your people. You can have faith in your plan. You can have faith in your the work you've already put into your systems to make them, you know, generate revenue and all those things.

[00:15:40] But the reality of it is that if you look at it and you step back, you've got decades of proof of where failure lies. It's a pretty binary choice. You either choose to do something different and the results will be different. Or you try and take the same thing and put some new flavoring on it and it still winds up tasting like a turd cuz it's still a turd.

[00:16:01] You know what I mean? And that's what it boils down to. And it, I think too that to tell a lot of the commercial organizations I speak with the first thing I have 'em do is I have 'em do a red team op. And if they won't do a red team op, I just tell 'em, when you're ready, let me know cuz you're not, I can't fix what I don't know is broken.

[00:16:17] And if you're not willing to actually address the reality, like the adversary would, You're not ready for the adversary.

[00:16:24] Elliot: Yeah, that's that's a really great point. In fact, Neil and I fortunately just had a conversation with an MSSP that was kind of looking at pen testing against zero trust concepts. But that was like our call to action a few episodes ago. We have not really seen organizations who really kind of tore into it.

[00:16:41] From that, obviously they'll go for the low hanging fruit. But from your perspective, you know, are you seeing these organizations who are offering zero trust products, actually, you know, tearing into their own systems? Or are they, like you said, kind of bypassing that? Okay, the face tells me a story.

[00:16:56] Chase: yeah, I mean, there's a lot of them that are doing it and I don't want to knock anybody cuz progress is progress. But I do, you know, you, you do wind up drinking from the same poison well that you're putting your own water into, you know what I mean? So if they're an identity company, obviously they're gonna solve for identity first, and then you kind of look at it and you go.

[00:17:16] I would think being an identity company, you probably should have solved with this when you launched a product. But, you know, it's kind of tangential, but progress is progress. I I think that it's good that they're engaged in it, but it does, you know, if you went and really matter of fact, I'll tell you a little story.

[00:17:32] I went and did a consulting engagement with a vendor, I won't say who. And when they were running through the whole thing, they were talking about their ZT offering or whatever else in my line. I said, hang on a second. There was a bunch of execs and whatever board members room. I said, how many people in this room are using the solution that we're offering right now to do ZT for yourself?

[00:17:50] And I had one hand up and I was like, that, there we go. You know what I mean? It's like you're selling something to someone based on a strategy and you're not even using your own thing to do that. Not.

[00:18:02] Neal: Yeah, I'm sure a forester, you found that a lot too, where that's a. Unfortunate trend around product providers is it's oddly fewer and far between who actually use their own product for what it is they're claiming. And, you know, yeah. SaaS providers are predominantly in the cloud and they leverage AWS or Google or some other managed solutions for their own whatever it is they're doing.

[00:18:24] But at the same vein, if you own a if you own an EDR solution or whatever it may be, and you have a network that it should be on, and you're really just meh, I've got a Juniper firewall, I'm good, kind of thing, what's the point of selling the product? And to that point, you're right, there's a lot of zero trust companies out there that I've personally talked with as well.

[00:18:44] But especially on identity access management type stuff, ID p I amp, whatever that. That aren't doing what they're doing, they set up protocols and procedures and then you ask them the question, can I see your own self-audit of your own stuff? And they're like, yeah what is that? We offer an audit, we can help you.

[00:18:58] I'm like, yeah. So you've done it for yourself? No. We're using this other company to do this. I'm like, oh, thank you for telling me. I'll see you all later. It's, it is kind of a good thing to think of, you know, if you're getting down to those third party solutions, I think it's a good question to ask, are you using your own thing?

[00:19:13] Not too many people do that enough. Truthfully,

[00:19:15] Chase: Yeah, if you ever wanted to be in an uncomfortable boardroom meeting, do that.

[00:19:19] Neal: Yeah. Yeah. Been there. But yeah, no, it is a weird world to live in where people aren't eating their own dog food in the right manner for the products they're offering. 

[00:19:29] Elliot: Cool. So I hope you don't mind me. Talking about your day job a little bit since I'm, no maybe your PR guys probably happy that we'll bring this up, but, you know, on that concept of eating your own dog food, which I guess for my day job, they like to say drinking your own champagne, which I feel like has a little bit better flavor to it.

[00:19:47] Obviously you all work in that zero trust spectrum. You have products and solutions and services, how as an organization are you tackling zero trust? And are, is it like a model that you kind of exude when you're chatting with your clients and customers?

[00:20:02] Chase: Yeah. So the thing that, that we've put together really is to take what I think is pretty critical to, I would call it initial zt and say, here's the ZT and a connectivity side. Piping the resource you need, policy engine powers that. And then the other piece is, I want the control plane to extend to the user or the asset on the.

[00:20:21] And what I mean by that is making it aware, you know, how are you interfacing with stuff right now? We're running through the browser through an application. I wanna put controls in front of the user there. So that's been the way that we've put that together. And then the last bit of it is to say not everybody needs everything all the time.

[00:20:39] And the beauty of software means you can kind of have modules that you might use. So one business might need lots of zt and a, another business might need more remote browser isolation. And then a third business might need just really crazy, powerful policy controls on all their stuff that's already up and running.

[00:20:56] So that's been the approach that we've taken as far as making that work. The biggest, I would say difference sort of crazy IP thing is I wrote the patent for we can actually run virtual meetings inside of a container in the cloud. So if someone's trying to drop a malicious link to you in a teams call or like on this thing or something, we can actually put a policy control in front of that.

[00:21:18] And if you can imagine, lots of government clients are freaked out about teams and Zooms and whatever else. So being able to say, how would you like to run it in a container and then put controls and then at the end of it, oh by the way, you just nuke the container and the call never happened.

[00:21:31] Elliot: Wow, that is pretty intense. I'm not gonna lie, I've not heard of a concept like that. Obviously wherever you can remove verticalization for, you know, breaches like that's, 

[00:21:41] Chase: Yeah, cuz I mean the, if you think about the Zoom call, like if I go back to my red team for days I'd love to drop somebody a Phish link and a Zoom call. Cause no one ever thinks about it. You know, so it'd be really easy. So that was when we kind of said, well, what if we just solve that problem?

[00:21:56] And all of a sudden a lot of our government clients were like, okay, interest.

[00:22:00] Elliot: Yeah, that's actually, I mean, I know it was probably two years or early in the pandemic where Zoom was definitely getting some of that heat for people popping into like classrooms and all that. I mean, I still

[00:22:13] Chase: Zoom bombing or whatever they called it. Yeah.

[00:22:15] Elliot: Yeah, exactly. I mean, I could only imagine how concerning that would be for someone with a, you know, not just the corporate side, but the government side.

[00:22:22] And if you're able to kind of contain your eyes around that's highly logical. That makes sense. That's very cool.

[00:22:27] Chase: Yeah. It was a fun patent to write cuz then, you know, you also gotta get the patent people understand it and it's you know, have to draw with crayons.

[00:22:34] Neal: So out of a quick curiosity question, how many how many patents would you say that you have then relative to the construct of zero trust or something that applies in that general modality?

[00:22:43] Chase: Me personally or,

[00:22:44] Neal: Yeah, for you. I'm not trying to get street, obviously you have that. I'm just more mildly curious and I kind of wanna maybe ask

[00:22:50] some questions about those

[00:22:51] Chase: I think directly applicable to zte, probably six, something like

[00:22:56] Neal: So we talked about containerized logic and stuff of that. What's another good one in that bucket?

[00:23:01] Chase: So I was really lucky to work with some guys when I was at Armor that we put together a patent on how to do real time difference measurements on cloud resources. And so basically the idea was you're taking a super quick, super minimal snapshot on a cloud resource. Somebody comes along and changes something.

[00:23:20] If that Delta meets this thing, then it must be a change you should investigate. And then that bubble it's way, and it's part of a product line at Armor now. So that was pretty cool. And you know, patents are, you write one patent, it turns into four. So it wasn't like I wrote four separate patents. It was one thing that we got four awards on.

[00:23:37] Neal: Nice. So on that thought flow that sounds kind of a stepping stone or kind of constructively getting towards the construct of distributed ledger mentality

[00:23:47] in 

[00:23:47] Chase: I run a node within the Indio network. Yeah,

[00:23:50] Neal: Nice. So I was at a conference three weeks ago out in Colorado Springs for space related stuff. And it's kind of interesting looking across the industry verticals as a whole.

[00:24:02] When we think about, in, in my mind, when I think about Zero Trust and a necessity to do things, the distributed ledger mentality, the blockchain structure is not to me so much as a nicety, but should be a requirement in the approach of how you do this. What are your thoughts on that approach then at that point?

[00:24:22] Chase: Yeah, I mean, I'm a fan of the distributed ledger side of things. Like I said, I run a note on, in dco and in DCO is running into some actually doing some collaboration work with them on your digital sort of identity, the self sovereign side of it. And that, that I think is, if I pontificate a bit, I think three to five years in the future, we're gonna see the distributed ledger stuff powering identity for individuals globally.

[00:24:48] And they're already starting to show that the covid certificates kind of proved that was a way to do it. Now there's some major airlines that are starting to do like passport and biometrics and whatever else, and all that's running on a node system in the rear. Or back end in, I don't know why I said that, but back end.

[00:25:03] But that's where I think we're seeing it go. Because as we become more digital, it's it fits so well into that practice. And then ultimately, where that fits into ZT is if we get to that we can run where we actually have a verifiable way of making sure that either a an entity is who they say they are, or B, a transaction is supposed to occur because there's a validation that's occurred.

[00:25:26] Oh, and by the way, we have the ledger record to say that it, you know, took place.

[00:25:29] Neal: Yeah. So I, on that same vein then I just started reading up a little bit more on the concept of that WC three put out for decentralized identifiers.

[00:25:38] And, you know, from a historical perspective, the, I guess the basic construct for that was more to help support like you and I being able to collateralize our who we are, right?

[00:25:48] So like an athlete I am me, pay me money for you using me. And, you know, in a roundabout way, everything always comes back to some kind of ledger mentality. And in this case, you know, coming back to You know, irrefutable evidence of who you are and what you are both physical and digital. And so that, that decentralized identifier construct with WC three to me is kind of an intriguing idea around both you as an entity as well as what that's gonna mean for the digital aspect.

[00:26:13] And then tying all that back into the distributed ledger and hopefully, you know, having that piece. So I guess I see a world where I'm getting at, I guess I see a world where you know, everything we have IDs for everything digitally, right? Everything has a Mac, everything has now maybe an I P V six address.

[00:26:28] The whole point of that was to give everything an actual address, right? Stuff like that. But, you know, Actual proof of who you are, proof of work, proof of concept, proof of identity, all those fun things that go into all this stuff. You know, I guess that's why I like distributed ledger mentality because not only do you get your IP or your Mac or your actual physical hardware identifier and your decentralized identifier, whatever that may be, but now you have that ledger to call back to from a, there's still obviously some layer of trust implied because that's just how it's always gonna be.

[00:26:56] Like you mentioned, it's not about going full scale, it's about, you know, getting there enough. So yeah, I guess that's where my brain is at for the last couple weeks is around that. I've been very caught up with trying to figure out ways to implement a distributed ledger, both from a doc repo perspective, cuz there's companies who provide that layer both from me as a persona and some other constructs that are coming around within this whole mentality.

[00:27:16] Chase: Yeah it's a fast developing space and there's some really cool things going on in there that I think are, as adoption becomes more of a, you know, blockchain was oh, we'll do blockchain for, I don't know, those A and fts, or whatever the hell that was. But really now people are starting to go, okay, distributed ledger, these ecosystems can power.

[00:27:35] Systems where you have to have verifiable things take place and that's gonna happen just because of the nature of the market. I think,

[00:27:41] Neal: Yeah hope so as well. . I like to

[00:27:44] Chase: I don't like having to carry my, i my phone and my IDs and all that stuff. Like for me, I should just be like, look, here's my biometrics. It's all there, you know, and go on about my way. And I mean, yes, if someone happens to have my thumb thumbprint on, okay, sure, but that's a risk I'm willing to.

[00:27:59] Neal: Yeah. But that gets us into, you know, multilayer, right? You know, there that I think it's where distributed ledger as a security structure and the way it can be applied comes into fund space Here is, you know, you can just set up your policies and like we, everything's always gonna come back to some kind of policy.

[00:28:13] But if we look at the basic fundamental model of sharing a document and I create a a T O P red PowerPoint presentation or PDF to share with the next, Select a group of people inside of a larger community. You know, distributed ledger allows me to maybe portion mark that out and have a tear line, right?

[00:28:33] So here's tlp, red, here's t o p, Amber, amber, strict green, so on and so forth, all the way down, whatever this presentation model is. And then if some person shares it, wittingly or unwittingly to someone who's not cleared for that access, you know, then it calls back to me and says, Hey, by the way, here's Joe Schmo accessing your dock or wants access grant access or not.

[00:28:53] So that's stage one, right? So yes, and only grant access to piece A, B, and D instead of A, B, C, D. And then the flip side of that is in a policy perspective, the idea of being able to say geofencing is something as simplistic as that. You know, if this document is opened inside of bad country, X I'm not gonna call anything out specifically like China, you get the point.

[00:29:12] Don't allow anything to happen with that document. Completely scramble it, delete it, erase it, explode it, do whatever you have to do to make sure that someone doesn't maintain an offline copy that can eventually be accessible, right? So I think that the policy piece of what you can apply with the right distributed letter methodology is really intriguing.

[00:29:29] And then same thing with you, like you mentioned biometrics, right? So if I'm still inside the United States, going through the airport right now, I use clear has three different methodologies for identifying you eyes, left hand, right hand. Any one of those is considered an applicable value. And then the other piece of that is the physical check, right?

[00:29:45] They see you, they know you, they compare the picture. But let's say if you're out. Ireland and there's a server issue and the image doesn't come up well, what's the next step? Obviously, probably an actual ID on top of what you did. Fingerprint coupled with who knows what else, right? So you can put means and bounds in play to escalate or deescalate based off of thresholds and what you are comfortable with.

[00:30:07] And I think that to me is an exceedingly intriguing piece. We do that already, but we don't do that at that micro level that we could do.

[00:30:14] Chase: Which I hope we're getting towards.

[00:30:16] Neal: Yeah. And I'm with you as much as I pour digital fingerprints for me. It is the way everything's going to go and Being able to further understand that, take advantage of it and then yeah, carry around like you mentioned with the vaccines, carry around your phone and be like, Hey, you know, this is who I am.

[00:30:34] What do you want me to type in my passcode? That authenticates to your ledger of record, whatever for this. Cool. Let me do that real quick and then boo and then you're on. I think it's clever and I think we'll be there the moment they start putting the microchip in my arm, like demolition man style, I'm gonna be looking for Wesley Snipes to chop my arm off and we're,

[00:30:49] that's 

[00:30:49] Chase: Get your three C shells. Yeah.

[00:30:51] Neal: I know he doesn't understand the seashells. 

[00:30:53] Elliot: At least you get good Taco Bell,

[00:30:55] Neal: So we talk about I was very curious about your patents only because, you know, one, it's obviously a good talking point and two I'm just a very curious guy. I like to meet people who've done stuff like that. I find when I can have a conversation about what you've created and actually got it legalized to say is is kind of fun and should be motivation for other people with ideas to realize that it takes some work.

[00:31:15] But at the same vein, you know, it's fun work hopefully. And it's a good thing to check off on your to-do list. I think personally I don't have any, so that's just me saying I'm jealous, but

[00:31:25] Chase: I got other stuff. I just, I don't have the energy to patent it, so

[00:31:28] Neal: I'm gonna try to patent something for beer making, but I gotta figure out something cool and innovative there. I dunno, . So moving back over onto the zero trust side of the house, Elliot, I'm gonna throw it back to you.

[00:31:39] Elliot: Yeah, totally. So I think we can get back to some of the core elements. So obviously you you know, the bread and butter and the resources firsthand. Usually we'll ask this basic question and there's one of four different things unless we man what is his name? Oh, Nick. He's the only one that probably went across the edge cuz he has his own series called In The Nick of Time or something like that.

[00:32:01] But if you had to Yeah. Our friend from space Force. If you had to point someone towards one resource that let's say you were at my level, not necessarily your levels to understand what Zero Trust is like, where would you point them? Like where is something that like a layman's person like myself could go and actually start to understand Zero.

[00:32:20] Chase: I think George Finney at SMU just published a book called Project Zero Trust, and it's a narrative rundown on kind of a whole scenario, like a book on an organization putting ZT in place. I think that's a really good number one, George is a great writer, but number two, it it's a good sort of way for someone that's not super geeky into it to understand here's kind of the business drivers and the other pieces and the politics that become part of this.

[00:32:46] So I would say that's, And then I think on the other piece is really, there's a book that Jason Garbus and Jerry Chapman published called Zero Trust Security. I think that's it's biblical tone in my opinion for people that are looking to understand zt. And then there's an O'Reilly book from Evan Gillman on ZT that I think is worth reading as well.

[00:33:05] So that would be kind of my progression would be George's book then Jason and Jerry's, and then Evan Gill.

[00:33:12] Elliot: Excellent. Cool. That is probably the first time what we've actually had people fly specific books towards Zero Trust. I know there's quite a few resources out there. Product companies are creating their own eBooks and all that stuff. Not quite the same, but yeah, usually I think our typical cup of tea is oh yeah, like the cisa or pillars and frameworks and, you know, folks like myself are probably gonna look at that and just glaze over I have no idea what the hell I'm reading here.

[00:33:37] Something about an architecture, but it's missing a lot of the business implications. And I think there's probably more business implications when you're looking at a concept like zero Trust versus just adopting a piece of technology. Yeah, so I, I think that is probably the biggest piece that is always missing out of those initial conversations for Zero Trust, which is why I appreciate organizations like Elle who are able to kind of position people in a little bit better way.

[00:34:02] So obviously there's products and strategy involved, but, you know, being able to dial it in from basically the CISO perspective of, you know, cybersecurity and where Zero Trust comes in,

[00:34:12] Chase: I mean, it's all about business. That's why we do what we do. Nobody's starting up and just going, I'm gonna be secure for the sake of being secure. You're doing it for some purpose. So business is gonna be that purpose, whether that business is taking care of patients or, you know, managing billions of dollars or whatever it is.

[00:34:29] But I mean, that's why we're in the game is ultimately to secure something. At least I hope you know, you, you can be super secure and just sit in a cave in the middle of nowhere if you want.

[00:34:38] Neal: Well, that doesn't work out for everyone does

[00:34:41] Chase: It's good for that person. , I guess.

[00:34:43] Neal: depends on who decides to come hunting you down. But so actually I kinda have a slight back step question if Elliot will let me go this way real quick. I've asked this question a couple of times. Not everybody, but just a couple here around legality and standardization.

[00:34:56] So we brought up nist. I agree with both of you all that. That's, it's a good reference point. You gotta start somewhere. You might as well look at that. But when we get down into the weed, there's definitely some material to really drive home. But you also mentioned this at the very beginning. Oh, it ask this loosely from a policy perspective, standardization, you know, 10 days and forever kind of, or 10 years and forever response, right?

[00:35:15] So when we think about this, when we think about what Zero Trust could be, is would be or was when we look at the government side of the house we looked at, they have technically in a roundabout way, defined what that mentality is. Obviously very recent. They've officially stated that they're moving towards this mentality publicly.

[00:35:33] And then, so my question for you is, do you see a, do you see the potential for us to have a publicly consumable. Document that says Do A, B, and C. And yes, knowing it's always gonna be shifting, there's never none of these standards that we ever create. Security are always here, right? They're all compliance driven to get you started and then you gotta build into what the actual security will has been.

[00:35:57] But do you see a compliance standard being ratified in the public space outside of the government side, or rather the private space slash commercial sign rather than the public government side of the house. Gotta remember my term switch around here when I start talking about them.

[00:36:09] Chase: Yeah, so I would say that there's already some machinations in place with a variety of organizations to do some of that. I on the fence as far as the value proposition from going too deep into that. And the reason that I'm hesitant about it is a real strategy is not something where it is gonna be from on high.

[00:36:32] And then everything kind of funnels around that. And I think we've, if we look at the market for cyber, We've created so much of the self licking, ice cream cone of misery around compliance standards and requirements and all this, that it's almost impossible. It's good for auditors, it's good for, you know, those folks, but it's really super difficult to say, I'm gonna take this thing and go subscribe to that standard and it's gonna yield me an outcome.

[00:36:58] Because along the way, other things creep into that. I'm hesitant to say how much I personally wanna throw into that mix, but I do think that there's value in people understanding the big strategic initiatives that we're trying to put in place, and then kind of adopt what you need on your own.

[00:37:14] If you are, if you know, if you are better defended today than you were yesterday, I think you're progressing along the lines of zt. You know, it I think we need some I think we need some clarity. I'm hesitant on standards.

[00:37:26] Neal: Fair enough. Do you think this will impact like the whole cyber insurance? Hell, 

[00:37:33] Chase: sure hope so.

[00:37:34] Neal: Yeah.

[00:37:37] Chase: Cause cyber insurance makes my skin crawl for a whole lot of reasons. Yeah. I'll never get an invite to an insurance company's event, but

[00:37:45] Neal: that's probably for better. No. Thank you. So once again asking the question, cuz your perspective is a little different than the previous perspectives, obviously. Not just cuz you're doing zt, but because your actual position at the company you're at as well. So it's that's a solid take.

[00:37:59] I, I am personally concerned that we will get some kind of official compliance model. But that it would be like some of the ones in the past where it's not like an i e, it's a company A that paid Gartner enough money, forester enough money to get it out there in the limelight, and everybody starts, you know, well, I guess we gotta jump on that bandwagon.

[00:38:15] And then it becomes, I mean, we've seen that with other stuff, but

[00:38:17] Chase: Yeah, Sarbanes Oxley, pci, HIPPA High Trust. I mean, you know, the alphabet soup there so

[00:38:23] Neal: most of them were not independent. Most of them were. Someone got smart and

[00:38:28] Chase: Well, and there's no teeth to them. I mean, they say, you know, the GDPR and whatever GDPR was supposed to be, the second coming of, you know, data security or whatever else. Find me a business that's gone out because of a GDPR violation, even though that there's still, I mean it's Marriott's last breach.

[00:38:44] I actually, I published it, I did the logistics sort of analysis on how much Marriott pays for toilet paper per year and how much they paid for their breach. Fine. They pay more to wipe your ass than they did for the breach. Fine. So

[00:38:57] Neal: Yeah.

[00:38:58] Chase: What

[00:38:58] Elliot: our preview for the

[00:38:59] Chase: How is that punitive? You know what I mean?

[00:39:01] It's until, and I guess the, cause I do a bunch of work on Capitol Hill. The question I keep having is, okay, Congressman, Senator, if you're telling me that cyber is critical to life, health and happiness in the United States, and they all say yes, then by definition, if I am doing things that are negligent, that could endanger said outcome.

[00:39:22] Shouldn't I be treated the same way as if I'm building an aircraft and I knowingly decide I'm not gonna bolt the engines on, right? But I still let people get on and fly and they all say yes. But the moment you start saying, well, what's the impact of this and how are we going to legislate it?

[00:39:40] They kind of back up I'm, I don't know. And it's, you know,

[00:39:43] Neal: well, the, what was it? Our wonderful colonial pipeline prompted a, an update to an already established construct of critical infrastructure, information sharing, right? It was just a regurgitation and stuff. It did the only plausible, decent thing, I guess, legally was the whole bill of sales mentality.

[00:40:00] But even that, you know, yeah, I don't think that's getting enforced, nor will it at the moment, but, Yeah I'm, I agree. It's, they can pass what they want, but who's actively enforcing it. At the end of the day, it comes back down to the trust communities that are within those particular verticals to, they're not gonna find each other, but they're gonna help try to keep each other semi accountable and maybe help write standard specific to their industry and whether it's with their partner liaison agency back to the federal government or eu, wherever they're based outta, or their ISAC or ISO or other community that they're involved in at any point in time.

[00:40:32] It all comes back to just being tied to some kind of lobbying firm to help them avoid getting in trouble when something like that

[00:40:38] Chase: Well, yeah everything's up on the up and up until lawyers get involved, so 

[00:40:41] Neal: Yeah. That's no joke. A lot of information sharing groups I'm a part of get ruined when one lawyer starts sniffing around too much. Yeah. Even the communities that are. Lawyers. Funny enough that was a fun one, but no, that, those are a good points. I think on that final thing for that piece, you know, when we think about regulatory compliance, when we think about industry verticals I will say that the cyber side in general, the way that I see that we've approached as a government, we've left cyber as not defined as critical infrastructure.

[00:41:16] Structurally speaking, we define the pieces that put into it whether that's telecoms, whether that's financial services, even retail or health industry. And then we leave it up to those bodies and regulatory communities to define where the cyber compliance and modalities are within them.

[00:41:30] But to your point, nobody's really defined the space, which is now an AOR by definition has been since 2010 officially militaristic speaking. But you're right, nobody's really clearly said that this is a focal point. Individually, we just left it up to everybody else to move forward 

[00:41:44] Elliot: So I think my 2 cents, and I'm only speaking cuz I have excessive exposure and my colleague Mr. Troy fine, would probably mean me to death if I did not state. Like once again, that compliance should be like the outcome of good cybersecurity and security posture. So I think if they tried to put together some rails and compliance around zero trust specifically, probably doing a disservice if it.

[00:42:10] As philosophical in nature as it is today they would probably have to neuter it in some capacity where it was like a, you know, control based concept or something to that extent, and it probably just wouldn't have the same functionality. Now my guess is like maybe they'll adopt some concepts, zero trust in to things like Cmmc or some of these other elements that are already you know, out there that make sense to do that.

[00:42:34] But until, like you had said with HIPAA or pci some particular industry wants to fully adopt it and kind of do it on their own. Yeah, hopefully we won't ever see anything like that. Otherwise I think the philosophical nature of it'll just kind of degradate.

[00:42:48] Chase: Yeah strategy. I mean it, you know, you look at the the realities of any space and you figure out what you gotta have to be successful, and you work your incrementally towards that's strategy. And then you adapt because of the requirements that come in front of you. And that's strategy too.

[00:43:04] So the you know, what's the Star Wars thing, only a sif deals in absolutes. I mean, there's no absolute here. This is your organization, your strategy, however you should base it in the realities of the space in which you operate and then build, you know, things around that. There's no real need for Kentucky Windage and cyber you know, One of the only spaces where the bad guy, the adversary, will tell you what they're gonna do.

[00:43:27] It's up to you to do something about it.

[00:43:29] Neal: I mean, those proof of concepts are legit.

[00:43:31] Chase: I mean, if somebody walks up and they're like, I'm gonna punch you in the face. Take it at gospel, they're gonna punch you in the face.

[00:43:39] Neal: thinking forward then on this do you think Zero Trust is a. Do you think zero trust modeling and construct is going to stay from a nomenclature perspective, or do you think we'll finally reach a threshold where it finally becomes an ingrained principle and we're no longer just saying, well, let's go do zero trust.

[00:44:00] We're saying, Hey, we're just at security level, right? We're at what's perceived security. Do you think we see a future where that concept is more holistically applied instead of just being a fad word in the mix

[00:44:12] Chase: Yeah, I think it has already achieved critical ish mass as far as the industry being aware of it. I think the fact that government's writing EOS on it is helping to kind of push that down. I think ultimately what we're gonna kind of see evolutionary here is a lot of organizations are gonna subscribe to their version of this, and they're gonna put those controls in place and they're gonna become harder target.

[00:44:34] And then you're gonna have all the, you know, naysayers and the slow gazelles that are gonna be trying to catch up. They're gonna get tired of getting neat and alive, and they're gonna start subscribing to the approach. So over time, I think that will, they'll work its way across the broader ecosystem, and you'll have almost some semblance of a zero trust internet, if you will.

[00:44:54] But it's gonna be based on, you know, a whole bunch of different things coming into to make it more, more operational now. And the final piece of that will be as cloud and other technologies and APIs and these things continue making interoperability more doable the masses will move into that space as well.

[00:45:12] And the reason that I have a lot of hope in that is when I talk to the younger generation you know, kids around my kids' age and slightly older, they're starting to, without being beat to death by the nerds, understand things like two-factor authentication. , you know what I mean? So that they get this stuff and it's because it has a very realistic use case for them, which is usually protecting their V bucks or whatever the hell, but they're starting to get that, and security, the digital way of life is becoming a thing.

[00:45:40] Like you, you won't see a lot of kids when you walk by and you try and grab their phone. They don't leave them unprotected. There's a pen code or something like that. So I think in a perfect storm, we kind of evolve into that space over the course of the next decade. Plus,

[00:45:57] Neal: Oh, well, there you go. That answers my next question. 5, 10, 15, 30 years out kind of thing.

[00:46:03] Chase: I think a decade or two kind of is how it's gonna work. I think also kind of what you and I were talking about before is that these ledger based things become more, and you have a lot more auditability and track traceability of particular transactions. I think that will play its way.

[00:46:17] Enforcement of these types of things, you know, that'll be that'll be part of the whole sort of mo of the space. Then again, it all, I'm crashing down day after tomorrow, and it's back to beating each other with rocks and whatever. So

[00:46:31] Neal: Yeah, that, well, that's a whole nother conversation about the criticality of space and how it's not defined as a critical infrastructure. Officially it's defined as supporting to critical infrastructure, but it like cyber in a sense, right? But yeah, knock out a couple satellites. We'll see how critical it gets, won't

[00:46:46] Chase: you should you should read the book that general Two Hill and I published called Riptide, where we basically put that scenario into play and it it, you know, he was the big muckety muck with the government side, and I was the bread team, bad guy side. And we wrote each piece and it came together.

[00:46:59] And the whole thing without ruining the narrative is what if you injected malicious randomly generated numbers into the GPS system for satellite? That would be a really bad thing. So I'll let you think

[00:47:10] Neal: here's the fun fact. You don't even have to do that right now. 5G itself operates in the same bandwidth space, so you've screw up a 5G implementation at an airport like happened three weeks ago. And planes at DFW can't land on a fricking runway 

[00:47:24] Chase: heard about that. 

[00:47:25] Neal: yeah. And yeah, once again, whole nother fun conversation there.

[00:47:28] But thinking about zero trust and the mentality on that side there, there's a signal. Fidelity, not just, it wasn't, they haven't released notes on what actually really happened, but the implication is that it was a 5G overlay issue. But even then, unless you're blatantly pushing out a bandwidth specific to the thing coming in and just flat out signal loss In that signal noise, the signals are still making it through.

[00:47:49] The signals are still available. It's just you know, you don't know which one to actually respond to and from. And I that, that's a 5G GPS issue. So if you could do some kind of legit overlay with inside the raw signal to say A versus B outside of just an identifier, there's a lot to be overcome with that, even within the GPS realm.

[00:48:10] But going back, I keep hitting my mic here. Going back a few seconds. When you mentioned the phases of how things go, you've got the primaries, you've got the middle guys, and then you got the tertiary stragglers who eventually come along. I think this is a good opportunity to think about lessons learned from past security issues past trends and analysis pieces, thinking strategically around how things tend to go and the evolution around things.

[00:48:33] So I, you mentioned this and I got to thinking about Angler Exploit Kit and all the other fun crap with Adobe Flash, right? Back in 2000, what was that, 2012? 20 13, 14. I don't remember. Eight to 10 years ago. Whenever that was. We think about this and people, when Angler first came out and was writing these net new zero days for Adobe, all the smart companies like fine, we're gonna go to what was then new HTML five or transition to some other type of Presentation file within the browser, or just completely cut it out and say, oh, well, whatever. We ain't got a replacement, but at least we're secure. I don't care if you can see the little pretty pictures and a flashy giy thing on the side. Stuff like that. But to that point, we had that happen. Flashed didn't go away for almost another, had another six years roughly before Adobe finally killed it.

[00:49:22] And then they tried to replace it with their own iterations of other stuff between shock wave flash and other variations. But long and short stragglers, we had the primary people say, this sucks. We're done. We had the middle row. People realize it sucks a few years later say it's done. And finally, you know, roughly six to eight years down the road, everybody's oh yeah, we got it.

[00:49:39] We're done. And then Adobe finally sunset it. So I think from that perspective, do you think you mentioned 10 years as a mark? I think that's I think that's a. Generic, hopeful, wishful mark. But do you think when we start getting this true adoption, like we're starting to get now, do you hope or think that people might actually increase that, that curve a little faster and that s curve launch could be a little a little more than, you know, three to five years to start getting the middle road in four to five more years to get the tertiary people at the bottom?

[00:50:07] Do you really? Yeah,

[00:50:08] Chase: I think it really, I think it really more, in my opinion is around the commoditization of security technology and how it works its way down market. Where, you know, we see that average everyday person, if they wanted to, they could set up a pretty secure Azure oh 365 or G Cloud instance and do business that way.

[00:50:28] And then you can do things like on your personal phone, set up, biometrics and whatever. So I think is the nerd factor for security configuration moves down market and people can do things more on their own and it becomes part of that. It's the opposite of the trickle down. It's the kind of push bubble up, I guess you'd call.

[00:50:46] Security solution set. And then that begins to expedite stuff because you don't have to go off and number one, educate people, but number two, the B Y O D and these other things, it's gonna be more okay to say, you wanna run your own stuff? Fine, great. Go, whatever. I'll just do z t and A for your work and whatever else.

[00:51:04] You keep your little machine and go look at whatever you look at on the internet. I think that kind of is where the groundswell will happen. And you know, again, back to that other point is this is this is herd mentality where when people see, you know, the leaders at the herd doing better, they'll kind of go, well, what's, what do you got going on there?

[00:51:21] Neal: Yeah. Yeah. I think that ties into your previous statement about, hey, kids today, what a security for them versus us when we first got our phones.

[00:51:29] Chase: They've never been a day in their life without wireless. Like they it's a foreign concept to them that wireless, you know, is not like my kids. If wifi goes out, it's army. You know,

[00:51:40] Neal: that's a no joke. Well, it's a good thing that we have other ways to look into what our kids are doing on the network even if their phones are locked away from us. But,

[00:51:47] Chase: oh I tell my kids I, you live in a surveillance state in my house, I see everything

[00:51:52] Neal: yeah, ditto. Anyway. Once again, that's another podcast. Dads, how to Take care of the Kids Networks in your house. Brought to you in part by dads with guns but moving a little bit more on this.

[00:52:04] Elliot: I think that's how you end up with kids that end up in cybersecurity.

[00:52:09] Neal: That's true. 

[00:52:10] Chase: trying to get around It is how they get there. Yeah.

[00:52:12] Neal: you buy 'em their first cono computer and the next thing you know, they're yeah, they, you don't have to worry about their phone. You have to worry about the computer. They hidden a spider hole outside by the tree that they're using to covertly talk to their friends. Four doors down via some weird off the wall.

[00:52:25] 8 0 2 11 standard that just came out. Pipe Dreams. If Mike Kits could do that, I will be happily accessing,

[00:52:30] Chase: I would hire them. I would, you know.

[00:52:33] Neal: but congrats kids. You got around. You have a job tomorrow? Anyway, but thinking about the rest of this idea and adoption and growth, I think these are big things for people to understand is culturally indicative pieces here is that you know, once again, 10, 15 years ago, or I mean, how, right now, even to some extent, when you tell someone of a certain age bracket or a certain cultural upbringing relative to their exposure to cybersecurity, cultural exposure to that you tell them, Hey, enable Google Authenticator as a basic right.

[00:53:01] Most people today, unfortunately still go whatever, but the younger crowd, to your point that grew up with this you're right. They're like, yeah, why didn't we do that yesterday? So I think culturally, I think that's probably a big boon for us is that we're at this little tip of the spear now where you know, as leaders we get to push the idea, but culturally it shouldn't be as difficult as it was 15 years ago to get that type of security mentality down to not just the security staff, with the actual employee base consuming.

[00:53:27] The processes, right? Or at least I hope we're always gonna have some guy who's whatever stuck in his mom's basement and doesn't care. But that's a whole different thing too. Outliers not the norm, thankfully. Well, maybe we should get the good doctor back on with our PIN testing friend from a week and a half ago, two weeks ago, whenever that was. And then I honestly think this would be a wonderful conversation to have with you. Our wonderful PIN test crew and then maybe a. Heck, maybe even err Elliot.

[00:53:55] I'd love to get some perspective from a community driven idea and how they're helping drive policy from perspectives like the Good Doc here and the actual vendors providing the assessments. I think that'd be a wonderful cool roll up to have actually if you're on board with that. So stay tuned people.

[00:54:10] We're gonna have a panel at some point in time, probably season two, so look forward to that one. And yeah, I think that'd be amazing.

[00:54:16] Chase: Oh, that'd be fun. That'd be fun. I could talk about that. That'd be a long session, I think.

[00:54:20] Neal: Yeah, we, well, you know, nothing to say if we can't find the time that it's not a two hour block and then we chunk it up into 30 minute episodes. Focal point question abc. Anyway, we can talk about that later. Elliot I'll throw back to you for wrap ups here.

[00:54:31] Elliot: Yeah, so that's actually a prelude for our next episode, which is gonna wrap up season two, where we're gonna chat about hopefully whatever we're gonna do for the next season. Thank you Chase for joining us to help us kind of like really close this out on a high note, someone with your level of experience and expertise is honestly not super always accessible to people and I appreciate that you are not just hosting, you know, podcast, but, you know, putting out content that's incredibly useful for people.

[00:54:58] But yeah, so for a deal and I hopefully we'll have additional voices kind of coming into each episode so that it's not just in interrogating people yourself going forward as much as we appreciate the conversations. Yeah we'll add a little bit of extra spice going.

[00:55:12] Chase: You guys are awesome. Thank you so much for having me, and if I can ever be of assistance to y'all or anyone else, just please reach out. Love what you're doing and thank you for your.

[00:55:20] Elliot: All right, Neil, you wanna close this out, man?

[00:55:23] Neal: Ah, dude, doc, it's been great. Like I said, this has been phenomenal like Elliot mentioned, I think you're gonna be the feather in our cat for the end of the season. And man I really do hope we can get you back on a larger discussion path. And thank you for, you know, obviously you do this more than we have.

[00:55:39] So thanks for letting us come in and pick your brain and get some fun stuff outta you today. So if anybody learns even one thing from this, I hope it's that everybody's still learning and there's still a lot of things to consume and go through. So thank you very much.

[00:55:54] Chase: awesome.