Adopting Zero Trust with J. R. Cunningham: The Moat Has Dried Up
Catch this episode on YouTube, Apple, Spotify, or Amazon.

This week we chat with J. R. Cunningham, Chief Security Officer at Nuspire, and we dig into Zero Trust as a journey. Nuspire is a managed security service provider whose services range from managed detection and response (MDR), endpoint detection, and vulnerability management to supporting its customers in adopting Zero Trust. This week we chat about unpacking the idea of Zero Trust when a brand wants to pursue it, the increasing threats targeting the automotive industry, and Nuspire’s ongoing threat reports.

Adopting Zero Trust: Day One

As an MSP, J.R. and his team constantly run into organizations seeking to bolster their security capabilities, whether that means shifting resources to the cloud, managing and monitoring a SIEM, or even the basics, like acting as a vCISO to get younger organizations through compliance requirements. So what happens on day one when a company says it wants to adopt or pursue Zero Trust? J.R. digs in:

“It's one of those terms that's extremely ambiguous. It's like when a customer comes to us and says, ‘Help me with cloud security’, or ‘Help me with data protection.’ So really the first thing that we have to do is unpack what problem is that they're trying to solve. And that helps us get to the heart of what is a solution, what are the technologies and processes that they need to adopt in order to solve that particular problem?”

In short, the answer is: it depends. Our returning listeners and readers know all too well that the term and concept of Zero Trust are ambiguous, so MSPs take a consultative approach to get to the root of what the customer actually means and work backward from the desired outcome.

“What we find is that different organizations, even within the same industry, tend to have different views on what Zero Trust means. It kind of depends upon what the security and IT teams have been reading and absorbing in the past. And so we really have to get to that question: what problem is it they're trying to solve?”

The Network Moat Has Dried Up

If you’ve worked in IT or network security, you’ve heard of the castle-and-moat network model. In past episodes, we’ve discussed the shift from on-prem technology to the cloud and how the perimeter lines of your network have blurred to the point where the analogy is inching towards extinction. Back in the day, securing the perimeter was more straightforward with on-prem technology. That shift has forced security teams to rethink access, app security, personnel, and other aspects that were once inherently trusted.

“They actually are trying to just move their demarcation of trust around. And by that, what I mean is if you think of, to use the moat and castle analogy, you know, when we lived in a world of everything was on-prem, you had the moat around the castle. You had perimeter firewalls, you had really robust perimeter security VPNs, you had all this infrastructure that was designed to essentially demark trust at the network layer and say, ‘If you're not on my network, I don't trust you. You're bad.’ Well, the moat essentially dried up, and the whole castle thing doesn't work for the application world,” said Cunningham.

That model doesn’t work today, when more and more of our applications live in the cloud and teams work remotely or in hybrid environments. Organizations have moved the demarcation line, the moat of trust, away from the network and up the stack.

“Which applications do we trust or not trust? Which platforms do we trust or not trust? Which identities do we trust or not trust? What does the people side of the equation need to look like? And that's really the journey to Zero Trust, is that movement of the moat, if you will, to make it as small of a moat as possible, but still protect the castle, and keep the business safe.”

Unrelated to Zero Trust specifically, but certainly top of mind, is the largest part of Nuspire’s work: securing the automotive industry.

The Most Profound Change in the Automotive Industry

A decade ago, it would have been hard to argue that threat actors had much interest in the entertainment system in your car, though they might certainly try to copy your remote access keys (didn’t they even do this in Gone in 60 Seconds?). Today, however, cars are as much software as they are hardware, and with the shift to electric vehicles they are becoming even more connected.

“We are living in the most profound change in the automotive industry since Henry Ford. We are really seeing some innovation that requires not just tip-of-the-spear type innovation and security but also outside-of-the-box thinking with regard to just IT infrastructure. In general, if you think about all of the parts of a vehicle that requires some sort of cyber security, it's way above and beyond what we traditionally used to think of,” said Cunningham.

Today, the most advanced cars come equipped with everything from lidar and radar systems, built-in cellular connections, and self-driving capabilities to a slew of other items connected to a computer. Outside the car, charging stations are also connected to the internet in some capacity. Each of these items poses potential new risks for automotive brands, and mitigating them will become a significant challenge.

“With securing things, when we talk about the internet of things, this is the ultimate thing. You know, we're talking about the car that people get into every day. So it's a fascinating time to be connected to the automotive industry,” said Cunningham.

Key Takeaways

  • Zero Trust is the shift of trust from the network to multiple points up the stack (applications, platforms, identities, people)

  • Unpacking Zero Trust should align with the business goals for security (risk management)

  • The castle-and-moat network analogy is going extinct

  • The automotive industry is having to re-prioritize cybersecurity with the shift to connectedness

Adopting Zero Trust With J.R. Cunningham Transcript

As always, this is automatically generated, so please blame the robots for typos and other errors.

Elliot: Hello everyone and welcome to another episode of Adopting Zero Trust, or AZT. Today we're gonna be covering an area which I don't believe we've actually covered in any aspect. I think we've talked to someone on the biz dev side that sort of has a similar vein, but MSPs or MSSPs, managed security or managed security services providers, however you want to position it.

They have probably the most visibility of any other organization in our space because they are, frankly, chatting with organizations of all different sizes and many different pain points. So today, fortunately, we have someone who leads up the security efforts for one such organization, J.R.

I'm going to hand that off to you to give a proper introduction and then we'll kind of just jump into it.

JR Cunningham: Well, thanks Elliot. Thanks for having me on. Really appreciate it. Happy to be here. It's such an important topic, and by the way, a confusing topic, so I'm glad that AZT is here to, you know, advocate for some of the principles in being successful at this. As you mentioned, I'm J.R. Cunningham, I'm the Chief Security Officer at Nuspire. We are a managed security services provider. That's all we do. So we don't do a lot of the other IT stuff like keyboards and mice. We focus specifically on security. We serve some of the largest customers, largest industries on earth.

And we serve a wide variety of industries. Our kind of specialty in our background is really the automotive industry and the supply chain around the automotive industry.

So, we got our start about 23 years ago as an MSSP specifically focused on that. Now we do a lot in aerospace, retail, finance sectors, so we do see a lot of different stuff from a lot of different industries. I'm also responsible for consulting and our strategy programs at Nuspire. So, you know, my team does a lot of the legwork on working with customers to figure out what kind of problems are they trying to solve and how can we help and, you know, what are the things that are concerning to them.

So, really happy to share whatever I can and obviously, you know, you have a lot of listeners that are gonna be interested in, you know, the topic at large. So hopefully I can contribute.

Elliot: Oh, I'm certain of that. And I think there's a couple of different things here that I'd love to chat about. So hopefully I don't go too far down the rabbit hole. But with your, I guess, bread and butter being in the auto industry, I'd love just some visibility, and I know this is kind of a sidetrack and then we'll kind of go into the regular AZT kind of questions, but, you know, cars are essentially becoming software today.

How do you see that impacting organizations and their brands from a security perspective? Because obviously they're gonna be more connected. You know, if they're doing autopilot or self-driving, some of these other aspects, security is gonna be absolutely critical compared to computer systems of today. You know, what kind of visibility do you have into, you know, what your customers are looking at?

JR Cunningham: We are living in the most profound change in the automotive industry since Henry Ford. We are really seeing some innovation that requires not just tip-of-the-spear type innovation and security but also outside-of-the-box thinking with regards to just IT infrastructure. In general, if you think about all of the parts of a vehicle that require some sort of cybersecurity, it's way above and beyond what we traditionally used to think of.

As, you know, a car might have a small computer in it as an engine control unit, and, you know, you have the entertainment center, you know, with your radio and maybe a touch. If you look at what's happening today, vehicular autonomy, over-the-air updates, navigation, you know, within vehicle autonomy, even, systems have radar and lidar onboard, you have to have computers to control those systems. And then even stuff outside of the automobile that we have to think about securing. An example would be a charging station.

If you think about it, it has to talk to the car, it has to talk to the electric company. They accept payment. So it's a credit card processing device. It has to understand what the weather is because charge rates are temperature dependent. And so, you know, there's connectivity there to what's happening, you know, with the external environment, sensors on board, all this kind of stuff. So the security ramifications of the innovation that is happening in the automotive industry are amazing.

And by the way, we're not just talking about a website getting defaced or something like that. We're talking about, if we don't do our jobs right, you know, accidents could happen, people could be injured or killed. So it's an entirely different world than what it used to be in that industry. And there's an expectation, by the way, that, you know, the automakers are essentially driving a lot of this innovation, asking the question of what's possible. They're expecting the IT and cybersecurity communities to step up and innovate as well and answer the question, how do we do a better job than we have in the past?

With securing things, when we talk about the internet of things, this is the ultimate thing. You know, we're talking about the car that people get into, you know, every day. So it's a fascinating time to be connected to the automotive industry in any.

Elliot: Yeah. And I think this actually directly ties into a conversation that Neil and I had recently. I honestly can't remember which guest it was around, but Neil had basically referenced that they brought in, I think, a Tesla to DEF CON and just let people go at it to see what they could do to kind of breach in. And his, the response was, I guess, the, it's, I'll call it a device 'cause it's more than a car at that point. They completely bricked it. Totally unusable. They'll have to, you know, re-flash and, you know, put the software back on from, like, a factory reset kinda situation. And I guess for the event that he is coming up for, a Texas cyber event, he's going to rent a Tesla and do a similar exercise.

So good luck to Neil on that. I don't know if I would put

JR Cunningham: Yeah. Have him get the insurance policy, will you? On the rental.

Elliot: Right. Yeah. I don't even know if insurance policies would cover software destruction to that extent. But yeah, I think that's pretty interesting. Obviously, you know, with that in mind, they're gonna have to do more pen testing, start adhering to a lot of these other compliance and regulation elements. So they're also, you know, taking on a lot more risk. So I'm sure they're obviously starting to be a lot more proactive. They have to treat it like a hardware, internet of things, software manufacturer. There's just so much more that these companies are taking on.

So I know even with a push for moving to, like, you know, electric devices in the next two years, five years, that's a lot to take on for a company.

JR Cunningham: You know, it's very interesting. The automotive industry has come a long way, and not just the auto industry, but a lot of industries have come a long way in the cybersecurity community when it comes to managing vulnerabilities and threats to, you know, their devices. I remember Andy Greenberg wrote a fantastic article in Wired Magazine years ago about Charlie Miller and Chris Valasek hacking into a Jeep using the over-the-air 4G connectivity.

And back in those days when they did that, you know, it was a proof of concept for them, but the whole world was generally very much kind of arms folded when cybersecurity practitioners would say, hey, I think I found something. It was very much a, you had to kind of really push on manufacturers, not just of automobiles, but of electronic devices, wireless access points, everything, to get them to pay attention to vulnerabilities. Today, if you look at how industry, be it financial services or automotive or retail, looks at the problem, they welcome the good folks, you know, the cybersecurity practitioners, to attempt to compromise these systems so they can fix 'em. Better us than the bad guys because, you know, we don't have a propensity for stealing money or killing people, right?

And so, you know, they're very interested in having the cybersecurity community contribute to the discovery of vulnerabilities and the mitigation of them.

Elliot: Yeah, absolutely. And I'm sure you're familiar with Auto-ISAC and some of the other ISACs out there who are helping to create that collective defense. So fortunately there are organizations that are helping connect people, even if the brands are technically competitors. When it comes to cybersecurity, that's kind of out the window; any threat intelligence that one can share to the others. Yeah,

JR Cunningham: That's right. The bad guys are the real competition in cyber.

Elliot: Yeah, without a doubt. There's no reason to ever, you know, sling that kind of competition when it comes to protecting one another. So, I love that aspect of our space. There's no necessary competition in that regard.

So that being said, I'd love to kinda redirect us back towards some of our basic AZT related activity. I have a pretty good assumption that most people that listen to our podcast are very well acquainted with what managed security services providers do. But in the event that they don't, maybe you can just give, like, an elevator pitch on where you come in and how you support organizations.

JR Cunningham: Sure. If you think about what an organization needs to do from a security perspective, the world of the possible is, let's call it 200 things you could do in security, right? You know, everything from authentication to vulnerability management to policies and governance and identity and disaster recovery, all of those things. And very few organizations have the capability to do all of those things. And so, you know, the natural question is, okay, where do I need to go to, you know, get some of that capability? And then also, you know, there's the 24/7 nature of security now. The days of the security and IT teams walking out the door on Friday, turning the lights off and coming back on Monday to see what happened are over. So the expectation is that organizations have, you know, 24/7, 365 security capability. That's where managed security services firms like Nuspire come into play, where, you know, we take care of things like endpoint detection and response, managed detection and response, monitoring a SIEM for the environment, you know, in a 24 by 7, 365, always-on kinda capacity. Managed vulnerability services, helping clients with the scanning and identification of vulnerabilities in their environment. Things like managing critical infrastructure, like firewalls and wireless devices, you know, things of this nature.

So a managed security services provider really is designed to be the security team for an organization that either doesn't have one, doesn't have one that operates 24/7/365, or has one but has additional capabilities that they need that they've gotta go outside and ask someone else to do for them. Most commonly you'll see managed security services firms handling some of the really complex technology that an organization might not wanna build the internal capability around. SIEM is a great example. You know, the monitoring technologies, creating rules, event correlation, matching those with threats. And then of course the threat intelligence piece that goes along with that is something that most organizations have to really make an informed decision on: am I gonna build that capability internally or is that something that I'm gonna, you know, ask someone else to do?

And that's where we really come to bear.

Elliot: Yeah, and I don't wanna give a sales pitch in your direction by any means, but a life, or what feels like a lifetime, ago, I essentially worked for an MSP. We focused on social engineering. So, you know, every organization, brand, the bigger you get, the more phishing lures they get and all that. Just the sheer amount of volume that you get for the internal SOC would be impossible for most organizations to handle.

So, I totally get the need and the auxiliary support for an organization like that. And then mid-market organizations in particular. You know, do they have thousands and thousands of dollars to support next-gen XDR, or SIEM, however you wanna pronounce it? The technology that you all probably have, and you all have staff to specifically support it, is not really easy or cost effective necessarily for most organizations.

JR Cunningham: Yeah, you know, Elliot, kind of what you're speaking to here also relates to the talent shortage. Organizations have to fight really hard to attract and retain the talent to manage, you know, systems that are very complex and stay on top of the cybersecurity landscape. And that's a whole lot more of an expensive proposition than it once was.

And so, that's another element where an MSP or an MSSP, this is true in IT as well, have become much more important to an organization in, you know, bringing modern capability to bear for an organization. It's hard to hire people, especially if they're the only person who's gonna do that role in a company. You know, that's not a particularly attractive thing for a cybersecurity practitioner to go do. So, you know, the talent shortage plays a role in all of this as well.

Elliot: I wanna say some of our biggest clients, back in the day, they had so many phishing lures that a security practitioner would just, you know, their mind would melt. Most of them were obviously benign. They're reported by internal staff, but, you know, the folks that, you know, have the experience, they want to threat hunt. They want to, you know, pen test and be able to do all the things that actually help keep companies secure in a proactive state versus more of a reactive state, constantly looking at really bad spam with spelling errors and stuff like that. So yeah, more power to y'all for basically being able to take the brunt of it.

And I think that transitions to, you know, the core of what we're out here to talk about, which is adopting Zero Trust. So, obviously it's not necessarily a new term. And in past episodes, how we've essentially come at it is every single episode there's, like, a new keyword that we focus on. So there's the culture of it and how it impacts the organization, or Zero Trust is a philosophy.

But I think even from, you know, the support side, y'all are the champions, the coaches. Even if Zero Trust is bullshit, which I'm not saying it is, we're not here to pass that. We're just here to have those conversations. I can't imagine how many organizations come to you and say, I want Zero Trust, a Zero Trust solution.

We know that it's not technology in itself, but what does that look like? You know, from day one when a company says the magic keywords, Zero Trust, you know, what does that conversation look like?

JR Cunningham: Elliot, it's one of those terms that's extremely ambiguous. It's like when a customer comes to us and says, help me with cloud security, or help me with data protection. So really the first thing that we have to do is unpack what problem is it they're trying to solve. And that helps us get to the heart of what is a solution, what are the technologies and processes that they need to adopt in order to solve that particular problem?

To some organizations, they're trying to solve a problem of maybe secure remote work. You know, we saw that a lot during COVID where organizations had built this massive infrastructure to protect their employees on. And then they sent everybody home and were asking, okay, how do we protect these, you know, these folks?

And the obvious answer was, hey, let's adopt Zero Trust. And so often folks would come to us with the term and, you know, the idea would be, okay, what is it we're actually trying to solve for? And then unpacking that. What we find is that different organizations, even within the same industry, tend to have different views on what Zero Trust means. It kind of depends upon what the security and IT teams have been reading and absorbing in the past.

And so we really have to get to that question: what problem is it they're trying to solve? And what we often see is they don't actually have aspirations of the mythical state of Zero Trust. They actually are trying to just move their demarcation of trust around. And by that what I mean is, if you think of, to use the moat and castle analogy, you know, when we lived in a world where everything was on-prem, you had the moat around the castle. You had perimeter firewalls, you had, you know, really robust perimeter security, VPNs. You had all this infrastructure that was designed to essentially demark trust at the network layer and say, if you're not on my network, I don't trust you. You're bad.

Well, the moat essentially dried up, you know, and we have, you know, the whole castle thing doesn't work for, you know, the application world. It doesn't work for cloud, it doesn't work for curbside pickup, it doesn't work for, you know, modern business. And so essentially what we've done is we've moved the demarcation line, the moat of trust, away from the network and kind of up the stack, if you will, to where now we need to start thinking about: which applications do we trust or not trust? Which, you know, which platforms do we trust or not trust? Which identities do we trust or not trust? You know, what does the people side of the equation need to look like? And that's really the journey to Zero Trust, is that movement of the moat, if you will, to make it as small of a moat as possible, but still protect the castle, keep the business safe.

So, we spend a lot of time with our clients trying to trust.

Elliot: Yeah, I love that. That is the sole purpose really of this podcast, is to have these conversations, because I have a marketing background. I fully admit to the pain that can be put out into the world. Fortunately, an organization that I, you know, spend most of my time with, we make sure that it's not using buzzwords like that.

So, it's just so prevalent that when they pitch CSOs and executives and security folks in the buyer committee, I think they're unnecessarily creating a lot of confusion. And I think it's okay to kind of maybe hook them a little bit with some shiny object and say, yeah, we're gonna help you do this, but, you know, there is no such thing as a Zero Trust solution.

And I love that you're able to capture that and help kind of coach them through that. And I think that's one of the most critical areas organizations like you all support, is being really like a trusted partner. And, you know, there's just not a lot of that in the security space, especially the security technology space where it's very transactional in nature.

JR Cunningham: Oh, you're so right, Elliot. This particular area is one where the product companies really haven't been particularly helpful, because so many of the product companies have said we're the Zero Trust company. And, you know, you have to really unpack that. As an MSSP or consulting organization, you know, you really have to help a customer that's trying to solve a very specific problem or group of problems.

You know, unpack some of that and ask the question, okay, does this product really work for you or. I know the vendor said it does, because they say they're the Zero Trust company and that's everywhere. You know, not picking on a particular product at all. It's just pervasive in the industry when a new trend emerges.

It kind of reminds me back of, like, in, you know, 2008, 2009, 2010, secure mobility was all the rage and everyone was a secure mobility company, you know? The other question was, well, what does that mean? What does secure mobility actually entail? And so, yeah, you're right, there's a lot of noise in the industry with this particular topic and others like cloud security.

Elliot: I know for our repeat listeners, you probably hear me, Neil and myself, say that absolutely every time. But I think that's justifiable 'cause that's what you'll see when you Google search Zero Trust. You're gonna be like, oh, technology, technology instead. And this, our, my next question to you is, you know, if you are interested in actually trying to understand what Zero Trust is, you know, do you have a particular resource that you point people towards?

Obviously we've got, like, N and CSUN and a few other things, but, you know, those are very dry and hard to understand. So where does your organization sort of grasp what that is and help disseminate, you know, what the true problems are related to it?

JR Cunningham: Yeah, it's a great question, Elliot, and I think it all begins with what does the business do, and what are the threats that are relevant to that business, and what are the capabilities that we have to deal with those threats? Really simple risk equation, right? You know, who are the bad guys? Why are they trying to, how are they trying to get at us? And what do we have in place to stop that from happening? And then you kind of start to back into some of the other terms, like Zero Trust. You know, it becomes a function of what is it I need to do. The frameworks are great, you know, some of them that you mentioned.

We have a lot of customers who run their entire security programs off of, like, the S 18 or maybe they have a regulatory requirement like PCI. And they, you know, they put a lot of work into, you know, the PCI part of the equation. So, you know, those are areas where we certainly leverage those control frameworks, but at the end of the day, it really comes down to, you know, how does this business operate?

And by the way, you'd be surprised at how many security people aren't really in tune with some of the fundamentals of what is really important from a cyber perspective about a business. And, you know, to use the manufacturing example, 'cause we talked about it earlier, in the cybersecurity profession, we tend to be wired around protecting confidentiality. You know, we talk a lot about encryption. We talk a lot about authentication and authorization. You know, a lot of ink gets spilled in our industry around that. But in the manufacturing space, really availability is far more important for most manufacturers than confidentiality. If your conveyor belt isn't running or your widget maker isn't stamping out widgets, your business is in real trouble.

And so, you know, we often have to help cybersecurity practitioners unpack what's important to the business from a cyber perspective. Then we, you know, we unpack the threat space and start to look at, okay, you know, not just who are the bad guys, but how are they attempting to hurt that thing that we just identified is really important to you?

And in the case of, to extend the manufacturing example, you know, we have to think about things like ransomware. We have to think about things like industrial control systems and IoT security that are extremely relevant to that particular business. Then we start to get into, okay, what does it mean to be Zero Trust in this environment? What technology controls do we have to have in place, you know, that make it really hard for this attack to be successful? Where does that fit in the regulatory and governance frameworks like NIST or ISO or, you know, any of the regulations that an organization has to follow? And so that's really the, you know, it's not so much a singular resource, if you will, to go look at, okay, this is what I need to do to get smart in this area. It's more about just unpacking the elephant a little bit and determining, okay, you know, what are the little things that I need to understand in order to see the big picture of, you know, how to protect this organization.

Elliot: Interesting. Yeah. To me it kind of sounds like the basics of, you know, just doing a risk assessment, even identifying where your biggest gaps are, prioritizing them, and then seeing if there's, I guess on paper, a Zero Trust principle or concept that you can kind of wrap around that, not necessarily just attacking it with a piece of technology, 'cause obviously you need processes and to inventory everything first.

But yeah, it honestly sounds like something as basic as a risk assessment, a risk management program, and prioritizing from there.

JR Cunningham: It's very common for us, and I'm sure, Elliot, you've heard this throughout the years as well. It's common for us to be approached with, hey, I have this technology I want to implement. And when you start to unpack a little bit about, okay, why do you wanna implement that technology? What problem are you trying to solve?

Usually a singular piece of technology won't solve a complex problem. Sometimes it does, but very rarely. Usually solving a problem, and this is especially true in the world of the Zero Trust journey, is a little bit of governance and, you know, risk management and acceptance of certain things that maybe we can't do anything about. It's a little bit of process and standards in order to make sure that we're consistently doing the right thing. It's the technology, of course, and then it's the, you know, the metrics side of it, making sure that we're measuring and understanding: is this technology that I deployed, along with those processes and the governance that I've put in place, are they doing the right things to protect the organization and keep me safe, you know, from the threat that I was really concerned about? So yeah, you're right. And essentially that risk assessment component of it is a little bit of a flip of the script.

I'm an old school cybersecurity person. We started off with everything could be solved with technology. You know, if it has a light that blinks, it'll fix the problem. Don't worry about it. I've got antivirus, I've got firewalls. We're good. And wow, has the world changed. You know, that's just not the case anymore.

Elliot: And I think that's the other aspect of this, and I know we're sort of preaching to the choir because our general audience are security folks who live and breathe this every day. But I guess we do also have the vendors that like to fall into our inbox and say, "Hey, we'll give you money for shoutouts," and stuff like that.

But for the rest of those folks that are listening, I think that's a critical aspect for how they bring these conversations to organizations. So larger organizations already understand that; they have, you know, profound and mature management programs, and they grasp that. For those mid-market organizations who are getting approached by technology vendors and sort of being coached towards their product, I think it's always important to just reiterate the need for processes and making sure you have the people to support that technology, and whether they can actually support it.

JR Cunningham: We tell our customers all the time: you should define the problem that you're trying to solve and then expect us to answer how we'll solve for it, as opposed to us defining the problem for you and then, you know, obviously presenting a solution that perfectly fits the problem. Imagine that, right?

You know, so it definitely works best when an organization has some sort of an idea. And by the way, sometimes the answer is, "I don't know." That's okay. You know, we can help. Any, you know, good cybersecurity consulting organization, you know, can help an organization answer that question: what problem am I really trying to solve here? But we always get a little nervous when the problem is defined by, you know, it's the whole "don't ask the barber if you need a haircut" kind of a saying.

Elliot: Yeah. Yeah, that's a great example. Especially, that's why I like to wear my hat, so I dunno how to deal with that conversation.

JR Cunningham: Yeah. But yeah, I don't have to have that conversation with the barber. I'm good.

Elliot: Yeah, I'm heading in that direction too. I feel that. So I know a few weeks ago that you all had put out, I don't know if it's quarterly that you do it, but you put out, like, your threat reports.

I'm curious. I know this is totally a redirection of the conversation, but I'm curious what elements y'all have seen as an increase in threats, especially with, you know, obviously the past few years moving to remote. Has there been any impact on that? And obviously we can kind of tie that back to Zero Trust as well.

JR Cunningham: Yeah, it's really fascinating to have the vantage point. This is actually one of my favorite parts about working with an MSSP: the vantage point of seeing how the bad guys are operating across a wide variety of industries and who those threat actors are. It's very interesting. We tend to think of the hacker space as, you know, the kid in the basement, you know, that you slide a pizza to, you know, once a week, and you know, that kind of thing, right? And that's not it at all. Right? These are very sophisticated nation state actors, criminal organizations that are extremely well funded, often by their own governments or, at arm's length, funded by their own governments, and they usually have very specific motivations and desires.

You know, we kind of know, you know, that the Russians and the Eastern Europeans are really after, you know, money and the financial services organizations, and the Chinese are after intellectual property and, you know, secrets and defense information, things like that. And where it gets interesting is when organizations, and there are a great number of them, meet the crux of the interest of all of those different bad guys. You know, it's not uncommon for a supplier to have a connection to the aerospace industry and a connection to the retail industry and a connection to the financial services industry. We see that a lot with, you know, the manufacturers that make electronics or any kind of widget that would be interesting to those various industries. And so, you know, the threat actors do tend to, you know, be very motivated by a common purpose, if you will. You know, some of the examples I just threw out there, so it's interesting to watch how they all operate, and by the way, they might be operating together and not realize it, to put a company at risk.

Right. And so we see a lot of that. The other thing that we see is, and this kind of pops up in the threat report, there certainly is an emergence of the bad guys using older vulnerabilities. You know, it used to be the bad guys were all focused on zero day vulnerabilities and the brand new stuff that there weren't around.

I think, you know, the bad guys, especially that second tier of bad guys, maybe the ones who aren't funded by a government but are a sophisticated criminal enterprise that has, you know, tools and the resources to pull off an attack, they've realized that it's a lot cheaper, instead of developing your own zero day vulnerability or zero day attack, to go after some of the more well known vulnerabilities that are likely to have not been patched.

And so, you know, there certainly is that. I will say this, in looking at the threat landscape and looking at TTPs, you know, the techniques, tactics, procedures that the bad guys use, it's really interesting how many of those go all the way back to basics, fundamentals: vulnerability and patch management, multifactor authentication, strong passwords, you know, the stuff that is not particularly glamorous.

And by the way, when it comes to, you know, adopting Zero Trust, often the stuff that's just assumed, you know, that isn't really considered, how critical that stuff is to keeping the bad guys from being successful.

Elliot: The way that we keep talking about adopting Zero Trust in general, it's more of a repackaging of everything that has been building up to this point. So 10 years ago, I think it was a little more abstract. Today, obviously it's very fractured. But the way that, you know, again, I've lived in that world as well, so I had some visibility and had fun analyzing data.

You know, a lot of what we saw were threat actors taking advantage of low hanging fruit, you know, people not patching things, people reusing passwords. The account gets popped and, you know, they get hit again. Elements like that. So, you know, it doesn't even need Zero Trust, which is removing implicit trust.

It's like the most basic core elements, even beyond, you know, multifactor. Will that help secure them? Absolutely. Not reusing a password, that's not even 101. I don't know how to explain that.

JR Cunningham: Right.

Elliot: I totally get that.

JR Cunningham: We see this conversation often with encryption, where organizations wanna adopt, you know, better and better encryption. And when we start asking about their authentication scheme, they're using passwords. They're not using MFA, they don't have privileged access management. You know, they have privileged users that have the same account as their daily driver account.

And, you know, we have to kind of, you know, pull the cable and stop the train a little bit and say, "Hey, you know, you can't have good encryption without great authentication. It's not possible." And the same is true in anything regarding Zero Trust. We can't move that demarcation of trust around if, you know, we haven't shored up the fundamentals.

Endpoint detection and response is another great example. You know, I can't really move very far down that Zero Trust journey if, you know, I'm not doing the right things on the endpoint. And so, you know, there's a lot of that part of the conversation that happens too. And again, a lot of this is just, you know, back to fundamentals and doing the, you know, the basic right things for hygiene that enables the freedom to go do some of the other more out-there things. And, you know, more freedom and liberty, digitally if you will, comes from, you know, having some of those fundamentals shored up.

Elliot: I totally agree with that. And I think the other element is, you know, beyond the basics and obviously implementing multifactor, it's probably not this year. I feel like I've seen the hype die down. There's been a few less headlines around ransomware attacks. I think it's more like just straight up breaches, which probably come through phishing and other social engineering.

But I'm curious, you know, in your mind, have you seen, and it doesn't have to be a technological element, but have you seen a Zero Trust related solution towards ransomware, which, again, I realize hopefully the hype is down, hopefully the threat actor is there, you know, navigating towards other techniques.

But I'm just kinda curious based on that, cuz I know that's still always a flagged item, especially in the report you all put out.

JR Cunningham: Yeah, for sure. Ransomware, DDoS, continue to be the number one and number two things that our clients ask us about as far as concerns that they have for their business. So, you know, that's not going away anytime soon. I think the trend with regards to ransomware, which is very appropriate in a Zero Trust conversation, is the idea of stopping ransomware as early in the kill chain as possible.

You know, when ransomware first really became a thing, we were really focused, you know, on detection and response, and I think part of that, if you think about it, was a pendulum swing, because a decade or so ago, maybe even a little bit longer than that, we focused all our energy on prevention, right? We had antivirus that had lists of known viruses floating around on the computer.

And every once in a while a new vulnerability would emerge, a new threat would emerge that the antivirus didn't have in the list, and something bad would happen and we'd say, "Hey, the prevention failed, and we've gotta focus on detection and response." And so the industry pendulum swung toward, you know, detection, quick detection, quick response.

And I think what's happening now is the pendulum is starting to swing back the other way. If I can stop that ransomware very early on in the kill chain, either at the delivery of the phishing link or the attempted detonation of the payload or stopping lateral movement, the earlier I can stop that threat from occurring in the life cycle of the threat, the cheaper it is to mitigate, the less likelihood of there being serious damage, you know, and the more effective I'm likely to be at containing something that could threaten the entire enterprise. And that, you know, that really goes hand in hand with this idea of Zero Trust, in that I'm not gonna let the creepy crawly get in and infect my whole network before I try and stop it or do anything about it.

I'm gonna try and zap it as early as I can in its life cycle. So that's certainly a trend that we see. You know, I have to give kudos to a lot of the EDR companies who have really embraced the idea of, we've gotta look for not just things that we know about, but we've gotta look for anomalous behavior, or things that are happening on a machine that, you know, give us pause, or changes in executables and things that are running on the device, and go, "Hey, something's not right here."

And maybe it's okay to err sometimes on the side of, "I'm gonna stop this thing from happening and maybe I'm gonna interrupt the operation of that device," as opposed to, you know, the old school way of thinking, which was, we don't want to get in the way of anybody doing their job. We don't wanna interrupt anybody's email or web surfing, and then bad stuff happens.

Right? So, you know, that's been a positive change in our industry, I think.

Elliot: Very interesting. And I know, considering that you have a vast collection of customers and clients, you all probably have greater visibility into any of that kind of anomalous situation that might flag. Because as a single entity, single brand, or even with subsidiaries, you have a narrow view.

You see what you see unless you have a threat intelligence platform, even with feeds. You just don't get that kind of accessibility and viewpoint. So obviously removing implicit trust and lateral movement, that makes sense to me. I'm curious, do you all use, I guess, information internally, client to client, to help prevent that and kind of gain visibility into that footprint?

JR Cunningham: Oh, it's an expectation of our business and our industry that we'll do that. For instance, if we see an attack emerging in the healthcare space, and we figure out, okay, here's a way to work that attack, we need to immediately propagate that to our other healthcare customers and say, "Hey, we just saw something and there was an attempt against, you know, client, you know, patient zero, if you will.

Right. And, you know, here's the mitigation to that." So absolutely, and that's one of the benefits, you know, of being an MSSP, is that we're able to peer across industries and then, within each industry, peer across customers and answer some questions around, you know, what is a threat actually trying to do?

And is it something that, you know, we need to be worried about for a particular type of customer? A great example of this would be in the healthcare space: attacks against providers and attacks against payers tend to be wildly different types of attacks. Both of those organizations are regulated by HIPAA, so they have the same fundamental compliance requirements.

They're putting the same checks in the boxes for their security programs, but providers are really worried about medical devices and ransomware shutting down parts of their, you know, their operation. Whereas on the payer side of the equation, they're more like a financial services, you know, entity.

And so that's an example of, as an MSSP, we might have the vantage point of being able to see, okay, even within peering within a particular industry, what sub-verticals in that industry are the bad guys really going after? And it's a critical part of what an organization should expect out of an MSSP, the ability to.

Elliot: Awesome. All right, so it looks like Neal slipped in here.

Neal: Would it be a little too preemptive to talk about just the general transition of the impact of MSPs versus homegrown, spun-up security relative to getting things done? Maybe that's

JR Cunningham: Yeah, Neal, it's a really hot topic.

Matter of fact, we just did a study and we did a webinar on the study, and we're actually continuing to do some work around the study on what parts of a security program an organization is most likely to outsource, what problems folks are trying to solve.

And what we're finding is really multifold. One, organizations have, you know, we obviously know about the talent shortage and all of the issues that come with that. So organizations are viewing the security practitioners that they have internally as a much more precious entity than they once did.

So on one hand, they're looking to outsource a lot of the commoditized stuff. That's more, if you think about it, kind of the grunt work of security: vulnerability scanning and patch management, endpoint detection and response, you know, managing the EDR platform, managing SIEM, and the whole detection and response side of the equation.

And then on the other hand of the equation, we have all this new stuff coming out that organizations aren't equipped to deal with. You know, cloud configuration management, cloud security posture monitoring, managing a remote workforce in a unique way, business transformation where, you know, apps are going more mobile and digital, you know, than they have before.

And so there are application security requirements an organization might not be comfortable with. So what we see is both ends of the spectrum being prime candidates for outsourcing: the commoditized stuff, that's the grunt work, the stuff you have to do, and then the really far out there stuff that it's really hard to grow internal talent for and find folks that can do that for you.

Where we see organizations recognizing they need to continue to have internal capability, number one, is around security governance and knowing the business. No MSSP is gonna understand your business the way that you do, and having the governance and the risk side of the equation internal is a great thing, as well as a lot of the security architecture and that connectivity between security and IT. It is really important to not outsource, you know, what's trying to move the business in a fast way. Business is moving faster than it ever has. And so, you know, having a security function internally that's really connected with the business and also connects as that liaison to a third party, like an MSSP, to say, "Hey, here's a new problem that's emerging for me.

Here's what I'm looking to solve for. Can you help me?" That's a capability that an organization almost always wants to have internally in order to be successful.

Neal: Definitely. Yeah, I think that's kind of a fun thing to think about. I personally see a couple different aspects, like what you mentioned. New tech: sometimes it's nice just to bring in that consultative or even that contractor status to help with the new tech. Third, or second, you mentioned, like, the labor issues and stuff like that.

My own personal opinions on how to go down that rabbit hole, whether it exists or not, but regardless, it does exist for some reason or another, right?

So supplemental staff. So what I've seen in the past, I've seen a lot of people take and just do basic supplemental, post office hours stuff, right?

So they're not a full 24/7 service provider, but they get them the after hours piece. So that way, you know, the mundane things are still getting taken care of, or they leverage them exclusively for a tier one response effort, right? And then let the team focus on those tier two, three, more research and depth type things.

And then the last, third part of that, like you mentioned, the tech piece as a whole, where, you know, you wanna make sure that the core competency of what goes on in your tech stack is still you and not necessarily that contracted labor force. Right? So I think in the format of Zero Trust, you know, we've talked about this on previous discussions.

You know, there's a whole new world out there of technology that's Zero Trust, right? There's a lot of people wanting to sell you something that is or isn't that, repackaged. May not be repackaged, may be net new, may not be net new, but the concept is there. And so I think I have yet personally to see a service provider, an MSSP, promote Zero Trust in the sense, I imagine they're there. I don't know if y'all have seen one, but have you seen that from a service approach, to say, "Hey, look at us. We're Zero Trust. We're not just gonna come and help you build it, but we are an MSSP that focuses on monitoring a Zero Trust stack as a whole," kind of thing?

JR Cunningham: Yeah, Elliot and I kind of talked about this earlier, where really it's about unpacking the problem for the customer. What problem is it you're trying to solve? And often they'll come to us and say, "I need help with Zero Trust." And we don't necessarily know where they got that term from. Did it come from a technology provider who's trying to say, "We're the Zero Trust company"?

Or, you know, did it come from, you know, some sort of reading somewhere about a concept in general? So we really start with what problem is it we're trying to solve, and how do we go with you on the journey towards Zero Trust? You know, what do things look like for you today? What are your capabilities?

And, you know, how does the business operate? What are the threats that are relevant? And so, you know, I think we tend to try to not define the problem for our customers and say, "We're the Zero Trust managed security services provider." What we do is work with the client to understand, okay, what problems, what are the acute problems you're trying to solve for your business?

And then, you know, what technologies and processes and governance and operations capability do we need to deploy in order to make sure that we get you there to solve that problem? And by the way, when you get to the end, it kinda looks like Zero Trust, right? You know, it's just the natural evolution of all this.

So we tend to back into Zero Trust with our clients more than kind of starting with Zero Trust as a conversation up front and working backwards from there. And you're right, Neal, you know, very few service providers want to get out there and talk about Zero Trust as a pure concept.

And I think in part, Elliot and I talked about this a little bit earlier, in part that's driven by the product companies, over the course of the last half a decade, having really kind of tried to define what Zero Trust means. And so what we find is we have to undo a lot of that, right? We've gotta unpack, you know, no, there's no single box you can plug in that makes you, you know, a Zero Trust organization. And so I think that's why a lot of us have been really shy about, you know, going to the market with the term as service providers.

Neal: Yeah. I think that's kind of a wonderful thematic that we've gotten out of this so far: everybody we've had agrees that Zero Trust is not just a plug and play, one stop shop from anyone. Now, we haven't really talked to any of the legit vendor providers, right, the technology stack, right.

We've talked to people who actually are doing something here. So when we get there, it'd be fun to see, from the perspective of a vendor that promotes Zero Trust as their tool stack, what they consider it to be. But that being said, it's nice to see, thematically, the consistency of everyone who's actually doing it says, "No, you're not gonna get it from just me.

You're not gonna get it from just them. You may already have some of it, may already not have some of it. This is a multitier effort, a multi technology effort, and we just gotta find the right ways to make all these other things come together." So that's good to see once again, thematically, that it's still there.

So thinking on this a little bit more, the one thing that I think that you mentioned that is a little slightly different than some of the other approaches, you know, you talk about backing them into the Zero Trust piece, which I think is a great approach. I think, you know, if we think of Zero Trust as a security goal, a mark, you know, where we wanna be, instead of just leveraging it as a term to promote engagement, I think it's a good approach. There's a lot of people who would come in and just say, "Hey, I've defined Zero Trust. Here's the standards of Zero Trust, and now we're gonna go from that term down the stream." And I think, you know, there's pros and cons to either side of that. I think, you know, if you start with the definition and you work your way backwards through that definition, yeah, you're probably still gonna get to the same piece, but I think you get a little more fixated on kind of that marketing fluff that goes with it. But in your perspective, you know, you have your own ground of principles of what it means to do these security elements that just happen to coincide with the concept of getting to Zero Trust. And I think maybe from your perspective, probably you go from that side towards the Zero Trust mentality with what you know works well, and then you can use the concept of Zero Trust to back in to make sure that you've checked the right bells and whistles, you know, down the line probably. Does that sound kind of accurate from a deployment

JR Cunningham: Absolutely right. It's a journey. It really is. It's like answering the question, "When will I be..."

You know, and, you know, it really is a journey that we have to go, you know, down the path together. And the fascinating thing, and one of the things I think that makes our profession such a unique and wonderful profession and vocation, is that it's ever changing.

And so the journey is not linear, and the idea of getting there, you know, it's a recipe for disappointment to say, "I'll be really happy with my work performance when I get there." Right. "When the company's secure, I'm gonna feel great about the job that I did." It is a journey. And, you know, Zero Trust is a journey.

Even the, you know, thing, there are a lot of ambiguous concepts like cloud security, or what about security training and awareness? These are all journeys. You know, you determine where you're at at a particular point in time. You try and get better over time and more effective over time.

And by the way, behind you in the journey, the bad guys are chasing you. Right. So, you know, you have an incentive to keep going. It's a meandering slow walk? In our profession, it's definitely a high speed journey, but nonetheless,

Neal: Yeah, we're never done, are we? No matter what we do, we're gonna get through Zero Trust and in five more years there's gonna be something, I don't know, biometric only trust, or I don't know. I'm trying to think of what the next trend's gonna be as a whole. But yeah, always a constant battle no matter what.

For sure. So J.R., once again, appreciate you coming on board. So one final question that we like to ask, in general, you know, if you had to point someone to one or two key resources to get started, what would you like to throw out to people that kind of poke and prod for the whole Zero Trust journey?

JR Cunningham: Yeah. Here's kind of an odd one, but I would say start with, as a security practitioner, start with the leaders of your business, and understand what is the single most important thing to that business that you as a cybersecurity practitioner need to protect. And it's amazing to me how many cyber practitioners have never really walked into a, you know, a product owner or a VP level or a C level individual and said, "I'm here from security.

Would you just spend five minutes with me and talk about what it is that I need to protect in this business?" And I think that opens itself up to so many subsequent learnings and conversations around, you know, where in the journey towards Zero Trust do I go? Where do I start? What things do I need to be thinking about?

And so I think that the number one resource is often that office down in the corner that we, you know, we tend to stay away from, and it can be a wealth of information that guides some of the things that we go into further. And then of course, there's all the learnings about, you know, okay, how do I get smart on a particular attack and whatnot?

And there are innumerable resources out there for that. But it all kind of begins and ends with, as a practitioner, what is it I'm trying to protect? I think that's really the first place to start.

Neal: Oh my God. I wish I would've been here sooner to have more fun with that. I'm an intel analyst, so you just hit the nail on the head for me. Start with business risk requirements, in a roundabout way. Figure out what those are and go backwards from there. Yeah. Awesome. Thank you.

Elliot: Well, J.R., it's been absolutely a pleasure to chat with you. Love the insights that you were able to provide. I'll give a little bit of a shout out. So if folks go over to J.R.'s LinkedIn profile, you'll dig back a little bit and see that threat report that they put out. I don't know if y'all put it out quarterly, but I think it's pretty interesting as a resource.

That said, again, thank you so much for joining us. We love chatting with folks like yourselves who have just an immense amount of visibility into our...

JR Cunningham: Well, thank you both and please keep up the great work, fantastic podcast. We really appreciate you having it.
