Adopting Zero Trust
Adopting Zero Trust
How to Operationalize Your Company for Adopting Zero Trust
0:00
-46:17

How to Operationalize Your Company for Adopting Zero Trust

Season 3, Episode 14: ThreatLocker’s Rob Allen kicks off our mini-series that digs into how companies prepare for adopting a new cybersecurity strategy such as Zero Trust.

Catch this episode on YouTubeAppleSpotify, or AmazonYou can read the show notes here.

Despite three seasons of exploring various aspects of cybersecurity, we have yet to discuss how organizations prepare for new cybersecurity strategies from an operational perspective.

In this first part of a three-part series, we partner with ThreatLocker experts to discuss how organizations can prepare and align themselves for a Zero Trust approach. Rob Allen, ThreatLocker's chief product officer, joins us for this conversation, bringing a wealth of experience from both technical and market-side perspectives.

From our Sponsor, ThreatLocker

Do zero-day exploits and supply chain attacks keep you up at night? Worry no more, you can harden your security with ThreatLocker. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high.

ThreatLocker takes a deny-by-default approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation is fully supported by their US-based Cyber Hero support team.

Get a free 30-day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com.

Key Takeaways

  • Rob Allen, Chief Product Officer at ThreatLocker, brings experience from both technical and market positioning perspectives

  • The first of our three-part series explores the preparatory stages of transitioning to Zero Trust

  • Education plays a crucial role in changing the mindset towards proactive security measures

  • Organizational buy-in can be a challenge, but vendors are happy to assist in this department

  • Internally, you’re unlikely to find people using the term Zero Trust in place of actual use cases

  • Zero Trust is presented as a mindset rather than just a technology or product

  • The concept of assume breach is central to the Zero Trust approach

  • Practical demonstrations, like the ducky challenge, are used to illustrate cybersecurity vulnerabilities

Understanding the Operationalization of Zero Trust

To kick things off, we cover the basics: Do you need a new strategy or to enhance your existing one, and where do the pillars associated with Zero Trust fit into the picture? By taking an outcome-driven approach, focusing on processes and gaps, organizations are better prepared to work with key business areas to drive alignment. As we know, without a plan and support, scenarios like shadow IT crop up.

That said, security practitioners constantly adapt to changes impacting users and interactions; hence, understanding the operational aspect is vital.

As for our guest and setting the scene, Rob has a rather diverse background, but to sum it up, his journey moved from helping companies recover from cyberattacks to aiming to prevent them altogether. It lines up well with cybersecurity maturity and shows the common, or aspirational, transition from a reactive to a proactive approach in cybersecurity.

The Importance of Proactive Cybersecurity Measures

Today, many organizations only take security measures seriously after a breach. According to Rob, he sees this as much of a psychological challenge as it is technical, and it's often human nature to feel secure until something goes wrong. He stresses the role of education in changing this mindset, highlighting that some people and organizations need a wake-up call, while others proactively seek to improve their security posture.

Neal weighed in, recalling his experiences in consultancy, where companies often react post-breach instead of investing in preventive measures. But nothing motivates a board and executives to properly invest in their cybersecurity program like a public incident.

The Role of Zero Trust in Modern Cybersecurity

For Rob, he sees Zero Trust as a mindset rather than a technology or product. He summarizes Zero Trust in two words: "assume breach." This perspective encourages organizations to operate as if their systems have already been compromised, limiting access to what's necessary and implementing default-deny policies.

At an event, he challenged attendees with a ducky challenge, using a rubber ducky programmed for data exfiltration. Despite warning participants and offering clear instructions, a bank’s security team mistakenly allowed data exfiltration. And before you think: Of course that would happen, it’s by design - That team didn’t actually take the ducky. Rather, they took the script, did not alter it, and exposed their information multiple times in testing the theory. Oops. Misconfiguration strikes again.

Implementing Zero Trust: Steps and Strategies

Fun stories aside, there are multiple pathways for organizations to shift towards Zero Trust. A good example comes from former Forrester analyst David Holmes who walked us through their approach or even the minimal viable product (MVP) via Canva’s Kane Narraway. Before that begins, teams need to understand what's required for business operations, evaluating existing software, and eliminating unnecessary access points. Rob emphasizes that one of the first steps is visibility—knowing what's running on your network. Many organizations are unaware of the full scope of software and tools in use, which can pose significant risks.

To be strategic (vs. an on the fails approach like following NIST CSF), Neal suggested that teams need to bridge the gap between understanding their threat model and developing a Zero Trust strategy. It's a step-by-step approach: securing what's needed, identifying gaps, and gradually implementing controls. Rob acknowledged that while it might seem daunting, choosing the right tools and adopting a methodical approach can make Zero Trust manageable and effective.

Part Two: Electric something something

Stay tuned for part two of our series with ThreatLocker, where we get even more into the nitty-gritty of operationalizing Zero Trust.

For more detailed insights from our episodes, visit adoptingzerotrust.com and subscribe to our newsletter.

Show Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello, and welcome back to Adopting Zero Trust. I am your producer, Elliot Volkman, alongside our host, Mr. Neal Dennis, and today we're going to be digging into a piece of the Zero Trust story, which somehow we have not arrived at in the three seasons or so that we've done this across God knows how many episodes and how many experts.

But we're going to be talking about the operationalization of Zero Trust. So we've defined it, we've ripped it apart, we've heard from organizations as large as can be, as how they've adopted it, but what happens in the before state? How do organizations prepare and align for these kind of things? As our audience would know, as security practitioners, you live day in and out of how you have to adopt to any changes, any shifts that might impact users directly how they interact with things.

It it has Side effects, so to speak. So that is where we're going to be starting today. This is going to be the first of a three part series that we are building in partnerships with the lovely folks over at ThreatLocker, and we're going to just go from there. Maybe we kick it off with our guest, which is Rob Allen, the chief product officer over at ThreatLocker, who has had a pretty diverse background, if I might say.

Started in tech, worked in it, but also dabbled on a little bit of the go to market side. Both sides of the coin, which I will say is not easy to be able to dance between. And now you're leading and directing the product an organization, which I will say that we've heard nothing but very favorable things as far as the zero zero trust technology goes.

So Rob, maybe if you'd like to expand upon that introduction add a little bit of color.

Rob: Yeah, I suppose to put it quite simply, Elliot, I have gone from helping companies recover from cyberattacks to trying to stop them from being cyberattacked. So that's where the both sides of the fence thing very much comes in. I spent a lot of the years prior to joining ThreatLocker cleaning up.

Recovering wondering what we could have done differently and why our antivirus didn't stop it and why it wasn't detected, et cetera. So going from that, I suppose, frustration to helping organizations not get hit has been somewhat eye opening, but it's a it was, it's been a phenomenal I suppose career turn for me because it just, it's, it's.

It's so nice to not be constantly worrying about where the next attack has come from. Who's going to call me on a Monday morning going we can't get into our files. Can you help us out? I mean, you guys, you guys know the drill, but going from that to stopping it from happening or hopefully stopping it from happening is, has been phenomenal.

Elliot: would you say that A lot of in our Zero Trust architectures, the concepts, things from like NIST and CISA, those elements help actually get organizations to a more proactive, preventative state instead of the sort of chaos that we've lived in and still see generally.

Rob: I mean, I suppose there's a couple of ways you can look at it. One, one very simple way to look at it is unfortunately, a lot of organizations only take these things seriously when they are victims or when they've had an incident or something has gone wrong. I think it's just human nature. It's not a criticism.

It's literally just human nature. It's look, everything is fine. I've never been hit by a cyber attack. I've never had a ransomware, never had a breach. So everything I'm doing must be perfect. So therefore, I don't need to do anything differently. So I suppose you could sum it up as saying there's two types of people in the world.

There's those who have been victims and those who will be victims. So it often takes It's something like that happening for people to to, I suppose, come around to the importance of protecting themselves. But at the same time, I suppose part of our jobs is to educate people much as it is yours, is to tell people, look, you can be doing more.

There are other ways you can approach this problem that could be as effective if not more effective than what you're doing currently. And I suppose that's why we're all here today. It's about hopefully educating people or at least getting them thinking in a different way.

Elliot: I love the optimism yet realistic approach to that situation because yes if your organization gets popped, that's when the budget comes in and that's when you get people to actually start listening. The board starts taking it seriously and yeah, we, we know the drill, but I am curious if there is a world where organizations just proactively go, Hey, that happened to organization over there.

Maybe I should lock things down a little bit, but yeah.

Rob: think that happens more often than you might think. The problem is though, I mean, realistically, most cyber attacks are not publicized. Nobody knows that they're happening. I mean, I, I saw a statistic one time based on the number of attacks that an attack happens every 11 seconds. Fact is 99. 999 percent of those attacks Nobody knows about.

It's the organization that are cleaning up. It's not, it's not publicized it's only the really big ones that tend to get out there in the public sphere and that everybody hears about and knows about you might have situations where, one person works in company a, you've got hit somebody else and works in company B that didn't and they may talk, but that's a very small number of cases.

But again, it's just generally from our perspective, it's about educating people about the dangers and also how they can protect themselves.

Elliot: That sounds about right. Again, I, I do appreciate the optimism and that there is a balance in the world,

Rob: I am fundamentally an optimistic person. I'm Irish. That's that. We're, we're, we're, we're an optimistic people. As you may have

Elliot: if anything, I.

Rob: Michigan accent.

Elliot: Neal, I'm going to actually shift this over to you for a moment here, so you've seen both sides. I feel like we've had a few conversations where if you've been the victim of one attack, you're probably going to get hit again, especially if it's ransomware.

Do you want to dial down the optimism? What's what's your take? And then we can look into the operational side of the story

Neal: I, I like to take notes when we're doing these conversations all the time so I can try to remember to come back to things if I think they're important so I can focus. And I literally wrote optimism versus skepticism on my note here two minutes ago.

Elliot: I was just reading your face. That's all.

Neal: I'm going to caveat this for people who know my background, I worked at a consultancy company and my first foray into the commercial world after being on the government side for a while was for a big retail box company that may or may not have a symbol that's circular with a dot in the middle.

And so I was brought on as part of that mitigation team through the consultancy firm that I was with. And mitigation They're an example of we didn't do anything technically right until we had to basically right until someone made us and I think we had that whole era of big retail and other breaches for about almost eight years, seven, eight years of just back to back to back, nonstop LinkedIn O.

P. M. Later on in the day and you would think optimistically speaking that people would have learned from that as a whole and that most people would have been like, let's not be the next Home Depot or target or whoever. Right. And let's go ahead and apply some, some dollars to, to preventage, preventing, right?

And I think most of them did. I think most of them looked at that post issues. And moving along the power curve here for me, I worked at a few companies and consulted where that was the case. They're like, we don't want to be the next X, whatever. And so they, they did, but they do it within a very finite space.

They go, what's the bare minimums? They look at standards and they, they maybe realize there's four or five standards that they should map out to and they check a box on one and a half of them and they go, we're good. We're good. And they just don't want to apply funding because It becomes that cost benefits analysis of 1, 000, 000 for the next, every year for the next five years, or 10, 000, 000 on an if scenario.

And Rob, like you mentioned, it's not really a matter of if, if you haven't put the walls up, it's just a matter of when. And brand reputation, dollars applied, so on and so forth, which one really costs you more long term? The couple million dollars a year to make sure it does never happen, or hopefully never happens, or you're able to mitigate it faster when it does.

Or the 10 million, a hundred million, and then the brand rep hit at the end of the day. And I think that's the conversation that I'm interested in from getting started. Cause you got to make the argument around why, and you can no longer just say because target didn't it's a little antiquated, but you need to have other stuff.

And then once you make the question or answer the question, why now you got to talk about the what and how, and I think that's the getting started for me is justification and why you're applying justification and the dollars to the C sweet people. What are the strategies and the dollars tied to that strategy that you can also help educate to show the ROI for mitigation and preventative strategy?

So I mean, how much, how much work have you had to do just on the buy in aspects, right? Before we even talk about actual zero trust strategy, how much of your life or how much have you seen people's life spent on just trying to get someone to even come to the daggum table?

To talk about procurement to be able to move forward in that. And then what are your suggestions on how to get people at least to the table on that effort?

Rob: no. Look, that, that, that is, that is our job every single day. It's about getting people to look at the problem in a slightly different way. It's about realizing there is a problem, I suppose, first of all and again, a lot of that comes back to just conversations.

A lot of it comes back to education. I mean, I'm. Going this weekend to an event and well down the road in Tampa, and it's going to be talking to people showing them what can happen and I've been playing here. I have a rubber ducky in my hand at the moment. We we love rubber duckies for demonstration purposes.

But. One of the things that we've been doing quite recently is showing people how you can use tools like ChatGPT to get malicious code. I've had conversations, or I'm currently having conversations with ChatGPT to try and get it to obfuscate some PowerShell, ReverseShell and PowerShell. It's surprisingly obliging.

Depending on how you ask the question. So taking that knowledge experience, showing it to people, say, look, I've got this little thing here that if you plug it in, it's going to allow me to connect your computer. You won't know what's going on. We've another one that we do, which is basically data exfiltration using PowerShell.

Just a one line PowerShell command that'll recursively go through your data and upload it all to our, our blob. People never cease to be amazed at how easy it is. We've I I mean I could I can tell you mind if I tell you a story about this actually cuz I think

Neal: Have at, we're anecdotal people. We like it.

Rob: Excellent.

Okay, and so we have as part of our presentations we do a thing which is called the ducky challenge So the ducky challenge is basically where we have a rubber ducky With data exfiltration programmed into it. So plug it into a computer. It's going to upload your data. We've tested it and run it against pretty much every major radio audits out there.

And in every single case, we've got the people's data. I mean, we've had dozens of people who have volunteered and allow us to plug it in. The joke we make is we say, look, this is a rubber ducky. It's got to exfiltrate your data. If you think your current cybersecurity solution will stop this from stealing your data, come talk to us, we'll plug it into your computer.

If you win, you get to keep the rubber ducky. If we win, we get to keep your data. Now, most people when presented with that proposition will just laugh politely and go, yeah, you're never going to plug that into my computer. But as I said, we've had dozens of people volunteer, including, and this is a really interesting one.

A, I, I did it in Dubai about a year and a half ago. And two very serious looking gentlemen, the CIO and CISO of a large Middle Eastern bank. Approach me. And they said, look, we don't want to plug the rubber ducky in, but if you don't mind, would you please send us a copy of that PowerShell command, the script that you're using to exfiltrate the data.

We want to do some testing. So I said, no problem at all, gentlemen. I sent them a copy of the script with very clear instructions. You are going to want to change this portion of the script. Yeah, yeah, you can see where this is going, obviously. You're going to want to change this portion of the script because that is our Google Blob.

Okay, if you upload data there, it is going to be accessible to the world. So change this bit of the script. Following day, I flew back to Ireland. It's about a nine hour flight from Dubai to Ireland. Decided I was gonna switch off, okay? No internet, I'm gonna, have a bit of a sleep, maybe watch a movie or two.

Just disconnect. About five hours into the flight, I got bored. And got wifi, got online soon as I did, my teams explodes, including a message from one of my colleagues with a picture of a guy, one of our guys at the event, looking really worried on the phone. And the tagline was Harvey on the phone to a Middle Eastern bank who did the ducky challenge and got their data exfiltrated.

They basically ran the PowerShell script on edited, uploaded 338 files to our blob storage and we're understandably panicking. There's I mean, it just goes to show how easy it happens. I mean, they obviously had some belief that something was going to stop this from happening, but as the evidence would suggest that we're slightly mistaken.

But the really interesting thing about this, I suppose the sting in the tail of the story is that not only did that one person upload data, I tend to go into that blob from time to time and just make sure nobody's done anything they shouldn't. And I went back in about two weeks later and found more files uploaded by the same bank.

Two other users, right? So they had three separate self exfiltrators in the security department of a bank. I mean, the mind boggles, but as I said, they had some sort of a belief mistaken as it turns out that something would stop this from happening. Something would protect them from their data getting stolen.

But I just think it's a, it's a really good example of. Look, educating people. They now see how easy it happens. I now tell people like you stories about this so they can see how easy it happens.

Neal: I love it. I love it. So I think lessons, at least some quick takeaways right off the bat. You started off lower barrier to entry. I always loved this. Personally, because I mean, I'm not going to presume to know how old you are, but I've been around for 24 years in this industry, one way or the other.

And when you first got started, everybody thought it was a government thing. Only the government's going to get into the big things. Then you flash forward, early 2000s, and magically the Brazilian script kiddies are getting into everything. Flash forward to 2007, the Russian script kiddies and the Russian business network, so on and so forth.

Escalation, escalation, escalation. But it only escalates because the barrier to entry got lower and lower and lower over time. And to your point, I, I think one of the basic things to highlight is look at all the stats just from the last two plus years, courtesy of the chat GPT revolution, and people put articles out about it.

If, if I want to craft an email and pick a language today, I can do that, whether I speak that language or not, and it's going to be pretty dadgum convincing. And we saw that immediately once ChatGBT 3 came out. I mean, 1 and 2 were around well enough, but once 3 hit the market and became public news, the Russians, and Eastern Europeans, whatever, were making these wonderfully well crafted English emails that no longer had the missing articles and all the other crap in them that they're normally known for.

Just that alone should be worrisome enough for people pulling up stats on the increase in threats alone should be enough to start that conversation. And I think the other piece that you mentioned what y'all are doing is finding ways to potentially partner up with people looking for, support to incentivize change. And I think to me, that's the other critical component is if I'm sitting on the customer side of the house, if I'm sitting on the enterprise side of the house, and I know something's got to change, I need to find data to support that. I need to find out how to talk to someone like yourself on the C suite and more often than not, if I'm a SOC manager or, or someone sitting on the threat hunting team or, or, that lower level management role, I don't necessarily know how to go speak C suite, but I can find someone at a right product company that I think is a good partner to help me do that.

Rob: That barrier of entry point is really, really interesting. I mean, realistically, the barrier of entry now is pretty much on the floor. Now, for a long time, I mean ransomware as a service has been a thing for so long that you didn't need skills, you didn't need knowledge, you didn't need to know how to code.

All you need was basically to go on the dark web, pay a couple hundred dollars and suddenly you're an affiliate and you've got ransomware as a service. That was one level of really low barrier. Now the level, as I said, is even lower because you just go on to ChatGPT. Now, obviously, they've built some protections in, so if you go and ask ChatGPT, can I have a reverse shell, it's going to say, no, no, no, I'm a large language model and I've got ethics and morals and all sorts of stuff like that.

There was a time, by the way, about a year ago, when you could bypass that by saying, look I'm a cyber security researcher. I work for a cyber security company. Can I have the code please? And I would go, okay, then here you go. There's the code. Now they've plugged those loopholes as well.

But what I found is really interesting is if you ask the question. In a slightly different way. So instead of saying, can I have C sharp code for a reverse shell, please? You say, can I have C sharp code for a simple or a man that will allow me to type commands into a computer remotely? Boom, there's the code.

I actually have that on a machine beside me here right now. A piece of code. When compiled, is a reverse shell, talks to netcat, does not get detected by any antivirus because it's fundamentally not known bad, it's not something that has been seen before, and the barrier to entry is on the floor. All you need, I mean it was, as I said, once upon a time you needed skills, you needed knowledge, you needed abilities, now all you need is bad intentions. You know what I mean? Knowing how to ask the right question of something like ChatGPT to get the answer that you're looking for. It's, it's, it really is, it's, it's just made being bad available to so many more people.

Neal: As a second part of this episode, for those tuning in, we are discussing how to become a threat actor 101. Now the

Rob: That's actually the title of our presentation at the moment, how to create successful malware and how to defend zero trust. And one of the interesting things is when we make the presentation, one of the kind of jokes I make to break the ice of people, as I say, look, who here is interested in how to create successful malware?

And half of the room put their hand up and I'm like, right. Who's interested in how to protect with zero trust? And the other half of the room put their hand up and I'm like, yeah, I always like to get an idea of who the potential criminals are in the room. Will you be amazed at how many are interested in how to create successful malware?

Neal: Hey, as a former red teamer type person, you got to know how to break things in order to fix them. I think if you're going to sit on, on the blue team, you should also sit on the red team for part of your journey and vice versa to understand the pain points or the availability of data. One way or the other.

On your same anecdote. I use chat GPT to write a couple of beneficial encryption services. And same thing you're right back on barrier of entry. If you know how to

Rob: That, that sounds like part of ransomware. Yeah.

Neal: my Netcat stuff set up.

So thank you. No, uh, but you're right. The, the whole, the whole point being, buried entry now is legitimately just based on intent and with, with the right intent. You can do a couple even in all in chat GBT for the most part you can even ask it You know, what's the latest threats? All right ransomware.

Cool. All right What's ransomware's number one way of doing whatever it does and you get educated and all this stuff And then you spend the next couple of days on reddit or somewhere else Finding all these wonderful prompts that people have used for security investigations and then you find yourself in the dark web asking for ransomware as a service while you're trying to build your own tool,

Rob: It's a slippery slope,

Neal: It is yes, and

Rob: but the other, the other thing I would say that's interesting, I mean, obviously we're talking about malicious code. We're talking about bad programs. One of the things that I've slowly not even slowly. One of the things I'm increasingly aware of is the fact you don't actually need malicious software to do malicious things.

We've seen instances where tools like WinWare are used for data exfiltration and encryption. I mean, that's, that's basically most of ransomware right there. And it's done with an otherwise legitimate program. I mean, any, any desk is the remote access tool of choice of ransomware gangs.

It, but they use the thing.

And again, something we've seen a lot more often is a tool called now, this is going to cause an issue with my accent. Okay. And I apologize for this in advance, but every time I say this, everybody looks at me like a dog with a, I don't know, or clone. Okay. So the number of the letter or clone. I don't know how you pronounce Orclone, but that's how I pronounce Orclone.

Orclone is the data exfiltration tool of choice. Right now. Okay, I mean, anybody who's listening, go look around your network. If you can see Orclone there, there's a fairly good possibility or probability that it has been used by a threat actor to exfiltrate data for your environment. Again, what do Anidesk and Orclone have in common?

Neither of them are ransomware. Neither of them are malware. Neither of them are bad. Neither of them, something that EDR is going to stop. Can they be misused? Absolutely.

Neal: yeah, which gets

Rob: they misuse? Yes, very much so that, that's why detecting known bad things is not the answer. It's not the solution. It's not going to protect you.

Neal: and that is a great transition into what will, and into the Zero Trust start. Talking about, generating some kind of cognizance around buy in, the barrier to entry, all that fun stuff. If you get people to the table, now you got to obviously present them with an idea or a strategy, whatever that may be.

And highlight stuff exactly like this, the things that are in your environment for day to day use are the things that threat actors are going to try to take advantage of first and foremost. And that is, as sad as this is, people don't realize that that has been the modus operandi for threat actors since the 90s, heck, since the 70s with ARPANET.

The moment you could get on there and find something that would do the job for you that's not blocked, within reason, you're going to use it. Why am I going to go and install Mimikatz or something else if I can just remote from something that's native? The last anecdote I have of that, I had you remember putty?

I don't know if people still use it that often, but I, I do. Not on this box, anybody paying attention, don't try to do it on this box. But, back when I used to wear the other side of the hat it, it blew my mind how many people just had something like putty just there, with everything loaded in, not password protected, with all the various shells and everything else just ready to go.

So you get onto the box and just go, boop, and the whole world opened up right in front of me. I didn't have to install anything. I just had to get in to the initial exploit point. And there it was on that box. It was beautiful. So it brings us back to the other point though, the zero trust strategy, right?

So we talk about using the commonplace tools. We talk about the fact that it's more often than not, that's likely what's going to happen and will happen period. So bringing it back to a strategy perspective, we get buy in. We at least get people to the table. What's the next thoughts around post highlighting threats?

Thanks. And now we've got the initial talk to discuss what that strategy might look like. Where's a good way to start thinking about the strategic level for the zero trust strategy. Where would people want to get started for that to actually present the next steps for resolution or, or attacking the problem?

I should say,

Rob: I mean, first of all, it's about attacking the problem from a different angle. It's about accepting that your traditional approaches are not going to work. Sorry, your traditional approaches will probably work most of the time. They're not going to work all of the time. If they did work all of the time, there would be no such thing as breaches.

There wouldn't be no such thing as ransomware. So except that, I suppose, I mean, the other thing is, it's like one of, I suppose, one of the challenges is one of the things that we try to, to, to talk about. And again, I, I'm, I'm going to show myself as not a constant and always listening to listener to your podcast now by saying, obviously you guys talk about zero trust.

Yeah.

How would you define Zero Trust? In fact, let me, let me put it even differently. How would you define Zero Trust in two words or less?

Neal: policy strategy.

Rob: Okay. Elliot?

Elliot: I'm a word guy. I can't do two words or less.

Rob: Okay, you can have five words.

Elliot: I mean, it's more like a baseline of zero trust.

Rob: Okay one of the ways that I like to define it, and there's a much longer definition, but I mean, least privilege is one way of looking at it. Probably my favorite one is assume breach. So work in the back, work in the perspective that they're already in. They're on your network right now. They've got full domain access, full or full administrator access to your network.

What, what can they do? Assume breach is another way. And to be honest, our perspective on it is denied by default. So basically there's a few aspects of that and we can, okay. Default denied.

Neal: No, you're good. You're

Rob: mic drop, etc. Yeah, so default denied. But as I said, assume breach is a really good one. I mean, it was part of the the executive order mandating zero trust for the federal government.

I think it was two years ago, but one of the parts of the definition of zero trust was assume a breach is inevitable or has already likely occurred. So constantly limit access to only what's needed. Now, as I said, assume breach, basically. Look, they're in, they have full access to everything. They're on my computer right now, what can they do?

Again, by taking the approach of default deny, can they run things? No. Whether they be good, bad, malware, ransomware, antidesk, or clone, doesn't matter. If it's not allowed to run, it's not going to be allowed to run. But Expanding on that. And I know we're going to get into a little bit more detail that you mentioned ring fencing earlier, but expanding on just the what can run and what can't run, what things can do.

And that's, what's going to protect you against this rubber ducky stealing your data. It's saying, look, PowerShell doesn't need access to my files. So why would I allow PowerShell access to my files? It doesn't need to access the entire internet. So why would I allow it to access the entire internet? So by putting limits and restrictions on what things can do, again, But the principle behind it being default deny, you're going to be in a much better position to protect yourselves against all of these threats.

Neal: Yeah, I agree. I agree. From standards perspective, we would talk about implementation. You bring up the government, U. S. government piece, which two ish years ago, give or take. I think that came out season one of us. We were only a handful of episodes in when that, I think, got announced. And then we shifted gears for a few to talk to some people who had worked on that policy.

Elliot likes lawyers. I like them. They're fun to chat with no, it's, it's perspective, right? It's, it's unique ideas around how they approach it versus how we apply it. But that being said, so we talk about that. We talk about default deny. I think that's a good slogan for today. I'm going to catchphrase default deny.

When we think about actually implementing that and from our perspective, at least mine, it's, it's more about. Your approach and your policy decisions around doing this. So as much as it is about having the right technology stack, which most of us tend to already have chunks of it, if not already various layers.

Cause I know ThreatLocker didn't start off as zero trust, it's not what y'all were building, if I'm not mistaken, as a, as a terminology concept. It's just where the market takes terms first off, but building into what we already have and then looking at the holes we're missing to be able to apply the right tech stack to fill in those gaps.

And I think that strategy comes into play with once again, understanding zero trust isn't a product, it's a mentality, the products themselves exist to help fulfill the mentality of making yourself secure and making you get to that default deny policy. Right.

Rob: Yeah, no, absolutely. I, I was asked probably about a year ago now by our marketing guys to do a one minute on Zero Trust. Now that one minute on Zero Trust, I think it's knocking around on YouTube somewhere, but that one minute on Zero Trust literally took me about an hour to record because I kept on making a mess of it.

But it was the, what I came back to was basically what you said, which is, it's a way of looking at things. It's a perspective. It's not a technology. It's not a product. It's a way of approaching things. So it is quite interesting that you describe it in pretty much the same way.

Neal: Yeah, it's definitely browbeat me a lot. When we first got started, it's no, you can't go hire a technology to solve the problem. That's what everybody wants to do. No.

Elliot: I mean, there is some argument against that now ish. I mean, we've had I think it was with Kane, who works over at Canva, he's you can buy what you generally need now, but like, when we started this, not even close.

Neal: Yeah. We were, we were sitting in our houses trying to figure out ways to get away from COVID and here we go. And I think apparently so is everybody else, but the but that's, that's a fair statement, three years ago, even two years ago, trying to find blatant, just zero trust in a, out of a box kind of piece, know, I, I still, I think that's a fairy appropriate for most people.

I think most people have a, have a desire to avoid massive technology acquisitions right now, unfortunately, for some of us who work in the product space, but anyway, that being said. So growing that, moving into policy, We get them, we're talked about ROI and how to generate that response based on ROI and applicability.

Next step policy procedure, default, deny. And then Elliot already mentioned some things around the standards and flow around, various ISO, pick a flavor and stuff like that. So moving it forward. If you had a, like a day one kind of piece, like you, you've got to buy in whether you're buying something or you're trying to look at what you currently already have, you What does a day one rollout or day one start, even not even raw, but day one look like for you once you've gotten the dollars behind you to move forward, are you looking to hire you looking to buy you looking to do a lot of network awareness type things that already don't exist and trying to do all that artifact control and awareness or where you at?

Or, sky's the limit. Let's go try to do everything.

Rob: No, look, it's it's obviously going to be a step by step approach. From our perspective, the first step or the first thing that you need to do is figure out what, what is required. Thank you. . So what do I need to run on my network? What my, what do my users need to be able to do their jobs? Again?

That that is pretty much a fundamental tenant of zero trust, which is to allow people to the bare minimum, to allow them to function, to allow em to do their jobs. Do they need to run Angry Birds on their machine? No, absolutely not. Did they need Minecraft on the machine? Did they need, Cooper, the coupon clipper. To do their job. Oh, they don't but the first step is to figure out what they actually need. What do they have as well is going to be the second step. So look, we need this. We have all of this stuff. Okay. Do we need all of this stuff to be able to perform our business functions? No, absolutely not. Those five of the six remote access tools that are running on our computers right now are probably not needed.

We're gonna block those five of six remote access tools from running to close down those holes in our, in our infrastructure. Again, step one and two is going to be figuring out what's there right now, figuring out what's actually needed, and basically, not filling those gaps, but, Getting from where you are now to where you need to be.

And look, it's not difficult. It sounds daunting, but genuinely it's not difficult. But you can't know where the holes are if you don't know what's there. So I suppose that, that, that sort of evaluation, reconnaissance you might call it, that, that period where you basically evaluate everything you've got.

Get full visibility over what's on your machines because the amount of organizations that just don't know what's running on their machines is terrifying. It really is. I mean, I did an exercise for a relatively small organization in the UK at one stage and found six individual different remote access tools running on their machines. You know what I mean? They had LogMeIn, they had BombGuard, they had TeamViewer on, and this is not an exaggeration, 20 percent of their computers were running TeamViewer. That organization did not use TeamViewer. Okay, there was no good reason for TeamViewer to be running on 20 percent of their machines.

But look, we all know how it happens, which is at some point in the distant past, some third party said, Hey, I need to get into your computer. Will you install this, please? They installed it. It sits there forever on their machine as a potential way into that network. I mean, on a similar note, one of my, and I, I shouldn't use the word favorite to describe cyber attacks, but one of my favorite cyber attacks in the last few years was one on a water treatment facility.

I think it was actually here in Florida. Yeah. Where basically somebody got into a machine and they started changing the levels in, of chemicals to basically dangerous levels. Now it was described as being an advanced cyber attack. It was TeamViewer.

Neal: Heh heh

Rob: That's not an advanced cyber attack. You know what I mean?

That's some dude who installed TeamViewer in his computer at some stage because, again, some third party needed to get in. You open up TeamViewer and it says do you want to log in? And they go, Oh God, I better log in. So I'm going to create a username and password. And they probably use their personal email address and the same password that they use on 50 other websites.

One of those 50 other websites gets breached. All of a sudden their password is out there. Hang on a second. I can get into TeamViewer. Oh look, what's this machine? And it's the water treatment facility. I mean, it's not difficult to figure out how that happened. But again, does something like TeamViewer need to be able to run on all your computers?

Absolutely not. So why would you let something like TeamViewer run on all of your computers? Deny by default.

Neal: heh. Deny by default.

Rob: Sorry, default deny.

Neal: default deny.

Rob: Two words, not three.

Neal: Default deny. The I lost my train of thought earlier cause I was, I started laughing about the team viewer piece cause I was paying attention to that from a different lens. Uh, default deny. Back on that, what's actually required. I think that's a fun thing.

Oh, I know where I wanted to go I have a very small tangential question around how far down the rabbit hole you really go with what is being used So the whole flavor last year and courtesy of Congress with s bomb and and the things like that, right? So I I'm I know this is a it depends question But I'm just curious your take on when we identify the things that were required to have How, how would we want to rack and stack them?

And should we spend time on key things or critical things, understanding what actually makes those things tick? I, as my SAS provider using SolarWinds or Kubernetes or other things, or as the tool I've got on prem, same thing, right? Same question. Should I spend a lot of time prioritizing aspects like that?

Or should I just stick with what I blatantly know and worry about those answers later on down the rabbit hole?

Rob: So I suppose there's two sides of that. There's the supply chain aspect. And there's the vulnerability aspect. So organizations need to worry about supply chain. I mean, you're using software from probably 10 different vendors. I mean, I've probably got 10 vendors worth of software on my computer right now.

So supply chain is obviously a concern. Vulnerabilities is a huge thing. It's a massive concern. I mean, I think that we're on track as with most years for over 20, 000 CVEs this year alone. I mean, you guys know how many. How many criticals are fixed on an average patch Tuesday? I think last one was four or five, zero days actively being exploited.

I've, there was an Adobe one yesterday. You, I mean, look, what was 160, 000 organizations were affected by the exchange vulnerability a couple of years ago. So both supply chain and vulnerabilities are Similar, but different, but equally concerning, but the way I like to look at it, and it comes back to this idea of assume breach is assume the software that you're using is full of holes.

Assuming, assume the vendor that you're working with could be hacked and something could be used to, something could be pushed down to your machines without your knowledge. I mean, it's happened so many times. I mean, the SolarWinds is an example you mentioned. It's a great example. I mean, they, that, that was a.

Fairly complex attack, it wasn't just we get into SolarWinds, we're gonna push down Ransomware. I mean it was a lot more involved than that, but I mean fundamentally what happened, what the SolarWinds agent that was installed on all of these machines started reaching out to a C2 server.

A C2 server sitting in, and nothing against people from New Jersey, but sitting in New Jersey. Now, again, attacker's perspective made perfect sense because if I, I like, if I start reaching out to Russia, then this alarm bell is going to go off all over the shop. But now I've got a AWS server or a server in AWS in New Jersey, nobody's going to notice that.

But again, restricting what things can do. I mean, again, vulnerable software is on your machines right now. Assume the software that you use every single day has bugs and vulnerabilities and issues with it that can be exploited. But what's the next thing that happens if vulnerable software is exploited?

Something tries to run,

Neal: mm

Rob: or something like PowerShell or Run DLL tries to reach out to the internet. So if you can stop things from running by default and stop PowerShell from accessing the internet, you're going to stop most of these attacks pretty much in their, in their tracks. But similarly with, supply chain, sorry, the exchange vulnerability, again, it's a, it's a brilliant example.

I mean, we had a customer contact us about when the exchange thing was going down, customer contacted us to ask us about a batch file that they saw blocked on one of the servers. We saw the process that created it was IIS. We saw it was an exchange server, got the batch file, brought it back into our labs here, ran it in some machines.

And then within two hours, the entire network was encrypted. Now that was all through a vulnerability in Microsoft Exchange. And again, there's so many different examples of this. yeah. Another great example. And I've actually seen this in action. I've seen this in operation was a print nightmare vulnerability a couple of years ago using the print spooler.

I, it was so cool. I mean, there was proof of concepts out there and literally all you, again, one of the things that we offer is complete visibility over what's running on machines. But when the print nightmare vulnerability was exploited, basically the print spooler was used to drop a DLL, malicious DLL on the machine, which then executed.

Now, again, if you block things by default from executing, then the fact that the Prince Builder was vulnerable and could be exploited didn't matter because nothing was able to run.

Neal: Yeah, I think that's where it all boils down to, right? Is at the base level, the construct is simplistic in, in, in what you want to try to do. Implementing it is where everybody decides to take their little chunk of flesh and make it more complicated.

Rob: I don't like complicated. The easier the better. Okay,

Neal: I'll bite my tongue about past experiences for that one. But yeah, later maybe in Florida in February. So

Rob: can we agree then? I think I may know where you're going with it. Can we agree that some tools make it easier than others?

Neal: yes, a hundred percent, a

Rob: so I, I, I, and again, I'm, I'm conscious of who I'm speaking to and who they work for. I am aware of a very large organization in the UK who have been trying to implement an allow listing with a tool that they have readily available to them.

So by, are they the largest software company in the world? Are you the largest software company in the world? Anyway, with a tool that is available to them. They've spent four years. Four years on a project to try and implement the LListing and have yet to turn it on. Okay. So it doesn't have to be that hard.

It doesn't have to be that difficult. So the choice of tool that you use to implement these controls or the use to implement Zero Trust is really important. And if you do, if you try and do something with a tool that is not suited, Or that is too difficult to use. It is going to take four years and it's going to end up getting thrown in the bin because everybody's going to just throw their hands up in the air and say, this doesn't work.

It can work. It does work. We have 40, 000 businesses who are using our solution, who will attest to the fact that it can be done, but it is, as we said, a step by step approach. So first things first, okay, control what's running. Okay. Now we're going to move, move on to what things can do. Okay. Excellent.

We've got that all sorted. Okay. Now we're going to move on to what things have access to what data in my environment? Can I reduce the potential for damage if something bad gets in or can I reduce the potential for data exfiltration by restricting what programs can access where? Can I take away local admin rights?

Lots of users have permissions that they don't need. So can I take them away without impacting people's workflow? Yeah, I can do that as well. Okay. Fantastic. Now we're going to get onto the network layer. Okay, so can we block anything that shouldn't be allowed to connect to my servers from connecting my servers?

Yay! So there's more to it. It is a multi stage process, but there is a lot of controls that can be put into place that makes environment, that will make environments so much more secure.

Neal: Awesome. I love it. I love it. It's a good start, Elliot. I think it's a good start to the series.

Elliot: It is. Yeah.

Rob: I look forward to part two and we can get very much into ring fencing.

Elliot: Oh, yeah, we certainly can. I, I do have 1 final question, which I won't give you a word count or character count, but I suspect it would be a short answer. So we, we already bridge that gap, the conversation about you have buy in or to an extent relevant to buy in you're going to your board or executives, you're saying, hey, it's cybersecurity strategy.

This said, we're going to reduce risk. Blah, blah, blah. Are you going to throw out the words zero trust in that equation, or is there going to be normal human language as part of that?

Rob: For the most part, I mean, in most of our presentations, I tend to avoid the term zero trust. And it's not because it's a bad term. It's not because it's frowned upon. It's because everything and everyone nowadays seems to like to call themselves zero trust. So to some extent it's present company excluded, excluded, I'm not sure which.

But no, I tend to keep it to concept. Descriptions, explanations, rather than going, we're going down zero trust route. And everybody goes what's zero trust? Let me tell you, it's a way of looking at things. Yeah. So I tend to not use the term. And as I said, even when we're speaking to people in public presentations, I tend to not use the term that often.

DPD,

Neal: called Deny by Default. And it's going to be a, a tri letter company for me to,

Rob: DPD, that could work actually.

Neal: yeah, see, there we

Rob: Have we trademarked it? We've probably, I'm not going to lie. We've probably trademarked it. If we have them, we're gonna run out and get them to do it right now. Yeah,

Neal: got our next startup for the room here, denied by default. So I think once again, Rob, I'm going to close out my spot here and let Elliot do his thing for the last couple of minutes, but I appreciate the conversation and I'm looking forward, like I said, to the next two, Elliot, back over to you, sir.

Rob: Thanks,

Elliot: Yeah. All right. So that wraps up part one of our three part series into how we operationalize Zero Trust. So we will progress, get a little bit more technical, a little bit deeper. Obviously as all things are with Neal, we, we get a little technical anyway. So hopefully you don't gloss over. I think probably by episode three, you'll be like me and I've just. I cannot absorb any of that information, but that's why we have Neal. And then we have fortunately wonderful folks like Rob Allen, who is able to come in and share their perspective and really guide us through that. So anyways, thank you to ThreatLocker for allowing us to have this conversation, kick this series off, and we will continue this with our next episode, where we get a little bit deeper into the equation.

Stay tuned and check out Adapting to Zero Trust for more!

Announcer: Thank you for joining a Z T an independent series. Your hosts have been Elliot Volkman and Neil Dennis to learn more about zero. Go to adopting zero trust.com. Subscribe to our newsletter or join our slack community viewpoint express during the show did not reflect the brands, employers,

Discussion about this podcast

Adopting Zero Trust
Adopting Zero Trust
Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology.
We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.