CyberWire Daily - Zeroing in on zero trust. [CyberWire-X]
Episode Date: May 16, 2021The Zero Trust security model asserts that organizations should not trust anything within its perimeters and instead must inspect every traffic and verify anything connecting to its systems before gra...nting access. While Zero Trust is generating a lot of buzz in the cyber world, it’s often hard to determine the implications of this security model. In this episode of CyberWire-X, guests will discuss the origins of the model, cut through the hype, and discuss what you really need to know to design, implement, and monitor an effective Zero Trust approach. John Kindervag of ON2IT Cybersecurity, also known as the "Creator of Zero Trust," shares his insights with the CyberWire's Rick Howard, and Tom Clavel of sponsor ExtraHop joins Kapil Raina from their partner CrowdStrike to offer their thoughts to the CyberWire's Dave Bittner. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, a series of specials where we highlight important security topics
affecting organizations worldwide. I'm Dave Bittner. Today's episode is titled Zeroing
In on Zero Trust. The Zero Trust security model asserts that organizations should not
trust anything within its perimeter and instead must inspect all traffic and verify anything
connecting to its systems before granting access.
While Zero Trust is generating a lot of buzz in the cyber world, it's often hard to determine
the implications of this security model. In this program, we're going to do our best to cut through
the hype and discuss what you really need to know to design, implement, and monitor an effective
Zero Trust approach. A program note, each CyberWire X special features two segments.
In the first part of the show, we'll hear from industry experts on the topic at hand,
and in the second part, we'll hear from our show's sponsor for their point of view.
And speaking of sponsors, here's a word from our sponsor, ExtraHop.
ExtraHop. forensics under one platform for faster response. And don't stop there. Gain greater, more reliable threat context, accelerate security operations, and get more out of your SOAR by integrating
ExtraHop Reveal X and Splunk SOAR. Learn how by visiting extrahop.com slash cyberwire.
That's extrahop.com slash cyberwire to learn more.
And we thank ExtraHop for sponsoring our show.
To start things off, my CyberWire colleague Rick Howard speaks with John Kindervog, the creator of Zero Trust from Ontuit Cybersecurity.
with John Kinderwag, the creator of Zero Trust from Ontuit Cybersecurity, and later in the show,
my conversation with Tom Clavel, Director of Product Marketing at our show sponsors ExtraHop and Kapil Raina of CrowdStrike. Here's Rick Howard. I had the chance to sit down at the
CyberWire hash table with an honest-to-goodness Internet celebrity.
His name is John Kinderwag, currently the Senior Vice President of Cybersecurity Strategy and Group Fellow at the Ontuit Group.
He's also an old friend of mine and colleague.
We both worked at Palo Alto Networks together for about five years.
But more importantly, he's the guy that wrote the original white paper on Zero Trust back in 2010 that we all base our Zero Trust deployments on today.
The paper's called No More Chewy Centers, Introducing the Zero Trust Model of Information Security.
And he wrote it when he was working for Forrester, a cybersecurity research and consulting firm.
In that paper, he became the first person to say that we should all just assume that our networks were already compromised by the likes of FIN7, Wicked Panda, and Cozy Bear,
and that we should design them accordingly to reduce the probability of material impact.
To be fair, John didn't originate the zero-trust idea.
After all, the concept started kicking around security circles in the early 2000s.
The Jericho Forum started talking about de-perimeterization as far back as 2004. The problem they were trying to solve was that most
of us install an electronic perimeter, a wall that bars access to our digital assets. But once you
have legitimately logged in, you have access to everything inside the electronic wall. By
de-perimeterization, the Jericho Forum meant that verifying identity and granting access
authorization would happen away from all of our digital assets. In other words, it would happen
outside the electronic wall. Once granted, the user would get access to the asset they needed,
not all the assets within the perimeter. The U.S. military incorporated some of these ideas into
their Black Corps initiative in 2007.
Somewhere between then and 2010, the community started to refer to de-perimeterization as software-defined perimeter, or SDP.
In 2010, John Kinnervog, working for Forrester, published his essential Zero Trust white paper that solidified the concept and expanded upon it.
zero-trust white paper that solidified the concept and expanded upon it. That same year,
because Google got hit by a massive Chinese cyber espionage attack coined Operation Aurora,
their site reliability engineers rolled out an internal version of SDP as part of a network redesign. A few years later, about the same time that the Cloud Security Alliance adopted SDP as
a best practice, Google launched a commercial
offering of their internal SDP architecture called BeyondCore. But let me be clear, SDP is not a
complete zero-trust solution, as John Kinderbog would likely point out. There are many things you
can do to improve your zero-trust posture, but if you deployed an SDP architecture, you would be a
long way down
the road on your zero trust journey. John would disagree with that. He really is annoyed with
vendors who claim that their SDP solution is a zero trust solution. And he would be right.
At best, they give you a framework to hang your zero trust policy on. At worst, they are a
collection of new and shiny tools that security practitioners would have to deploy and maintain.
of new and shiny tools that security practitioners would have to deploy and maintain, and we already have too many of those we are responsible for. I personally like the frame idea, but that's just me.
Regardless, since I had John at the hash table, I asked him what drove him to write the original
paper in the first place. I had been a security engineer and architect prior to coming to Forrester in 2008. And I had always been frustrated with
this idea of trust in digital systems, because when you installed old school firewalls, which
is still true today, but even worse back then, you had to assign an arbitrary trust level to
various interfaces in order to get traffic to flow because that was what policy was
based upon. And in fact, if you were going from an internal interface that had the highest trust
level 100 to an external interface that had the lowest trust level zero, you wouldn't have to have
an outbound rule on it at all, which I found to be just scary. Why don't we put outbound rules on
this? Well, because we just don't. We don't have
to because we're going from trust to untrusted. I thought that was silliness. And then I started
to investigate trust. I met some people who thought about it a lot and started explaining
the differences between, say, direct trust. I know you for a long time, so I trust you. And then you have a friend who you tell me about and you say he's a good guy.
That's transitive trust.
And I understood it at a human level, but I realized those concepts didn't translate well into the digital world.
The poster children for why we all need a robustly deployed zero trust posture are Edward
Snowden and Chelsea Manning, because according to John, these two government whistleblowers
prove that identity is not sufficient to prevent data leaks. Well, Snowden and Manning are still
the two most famous because they're like the Beyonce and Madonna of cybersecurity. They were
trusted users on trusted devices. They had
the right patch level, the right antivirus, but nobody looked at their packets post-authentication.
They're still the two best use cases because it automatically shuts down this idea that zero
trust equals identity. I've proven to you with two words, Snowden, Manning, that zero trust does not
equal identity because the identity of those packets,
what user they were tied to, was not in question on those networks. Just no one looked at them.
No one cared. They had way open access. Remember, John wrote the original paper over a decade ago.
He also wrote a bunch of follow-up papers after, but the Forrester leadership team decided to hide
all of that behind a paywall. As such, most of us have never read them, including me, and I'm one of John's
friends. The result is that there has been a void in pushing the idea forward. Other authors and
researchers have jumped in to fill the vacuum and put their own spin on the idea. Evan Gilman and
Doug Barth published their own book on the subject called Zero Trust Networks, Building Secure Systems in Untrusted Networks.
And security vendors have begun claiming that all of their products provide a zero trust solution, which, as you might imagine, has caused some confusion amongst us practitioners.
And that annoys John to no end, and rightfully so.
Trust is a human emotion that's been injected into digital systems for absolutely no reason.
All data breaches are caused by trust because it's a vulnerability,
and it's exploited by malicious actors who just get on your network.
So the whole goal of Zero Trust was to eliminate this silly word trust from our vocabulary when we think about systems.
Because once you have a word like that, it causes you to
do a lot of bad things. Open up your network because we trust somebody. It has huge ramifications.
Language has value. Oh, it's a misunderstanding of the word trust. You don't need trust.
There's no trust flag in TCP. Trust, again, is a human emotion. You don't need to have any trust.
Trust, again, is a human emotion.
You don't need to have any trust.
You might have to have a high degree of validity on the assertions being made by the packet.
But at the binary level, trust is of no value.
And people get that, right?
When I say trust is a vulnerability,
that is how you must think about it.
It is a vulnerability that you must mitigate
in your organization because it is always bad.
But the other thing I would say, Rick, is that there aren't multiple definitions of zero trust. There's a single definition of
zero trust. I wrote it down in 2010 in a report called No More Chewy Centers. But what we've had
here with people who've always said, well, there's all these different interpretations.
No, there's not. Yeah, there's different meanings. No, there's not. You are just
intellectually dishonest because you haven't gone back to the primary source and taken into account
prior art, which is what any good researcher would do. Researchers go back to prior art,
go back to the original source, and learn about what it actually means from that instead of making
it up on the playground with their friends playing a game of telephone. Over the years, John has traveled around the
world explaining his zero-trust philosophy, and he uses a literary homage to help people
understand the basic concepts. This is called the Kipling Method. Rudyard Kipling gave us the idea
of who, what, when, where, why, and how in a poem in 1902. He's talking about Kipling's
poem called I Keep Six Honest Serving Men about his young daughter's endless curiosity and how,
as we all get older, we tend to lose that sense of wonder. Here's Jonathan Jones reciting this
short but lovely poem. I keep six honest serving men. They taught me all I knew. Their names are what and why and when and how and where and who.
I send them over land and sea.
I send them east and west.
But after they have worked for me, I give them all a rest.
I let them rest from nine till five, for I am busy then,
as well as breakfast, lunch and tea, for they are hungry men.
But different folk have different views.
I know a person small.
She keeps 10 million serving men who get no rest at all.
She sends them abroad on her own affairs from the second she opens her eyes.
One million hows, two million wheres, and 7 million whys.
And so this is my personal homage to him because who, what, when, where, why, and how,
I'm trying to determine who should be allowed to access a resource.
Here's a way to write the policy because ultimately zero trust is a layer seven policy statement
when it's implemented.
Who should be accessing a resource?
That's the asserted user identity that's been validated by something like multi-factor
authentication or some other authenticator.
So it's highly validated.
Where a statement is, where is it located?
When statement is, when does this rule need to be turned on?
There's a lot of rules that should be turned off
at various times because no one typically uses them.
We need a lot more time-delimited rules.
The why statement is because this is mission-critical data.
It's highly classified, top secret.
That's where we can tie classification levels
into the policy.
We have a how statement.
What kind of processes are we
going to put to the packet? At Palo Alto Networks, you'll remember, we delivered all of our high
level services as cloud delivered service. So instead of having a separate product,
you would just turn on that content ID, you turn on IPS or sandboxing or SSL decryption or DLP for each individual rule.
Made this very granular, easy to understand, easy to create, and easy to audit policy statement
where we can instantiate zero trust in an easy, simple way without touching on concepts
like trust.
What application should they have access to that protect surface?
The protect surface, of course, is the shrinking down of the attack surface orders to magnitude
to something that is small and knowable.
We put a data type or a single application or a single asset or a single service inside
of a protect surface, break it down into a very small chunk so that we can solve that
one problem and move on to another.
The what statement is the application typically that you're accessing.
The what from Kipling's poem and from John's homage
is probably the most important piece to the zero trust puzzle.
The people who had this attack happen to them
and then they had the bad stuff happen,
you got to wonder what they were protecting.
They were protecting probably their endpoints and their users, but it doesn't appear they were protecting
the keys to the kingdom. I had a CEO, when I was doing some work for him, he said,
we accidentally caught malicious actors trying to exfil our source code. And I asked the IT and security people, how could this
even happen? Oh, well, we don't put controls around that. Well, why not? Well, we just care about
users and endpoints. And he said, but you realize that 100% of our revenue comes from this software
product. And they were like, oh, no, wait, no, that's not how you do security. You do security
on endpoints. That's where security goes. And he was like, no, that, wait, no, that's not how you do security. You do security on endpoints. That's
where security goes. And he was like, no, that doesn't make any sense. If you even understand
what you need to protect, which most organizations don't, you're way ahead of the game versus your
peers. Because everybody else is thinking about old concepts like defense in depth, which my
friend Rick Holland, when he was at Forrester, coined the term expense in depth. You spend money you don't have on things you don't need because you
don't know what you're supposed to protect in the first place. That's like half the battle.
Because the thing you are protecting will tell you how it needs to be protected based upon a
whole lot of attributes. But you'll find a threshold where you say that information,
that data, that asset isn't sensitive enough to
be protected that way. Wherever it is right now is fine. We don't care if somebody gets it because
we're trying to get them to download this document. So we don't care, right? And so you have to
determine that too. Zero trust focuses on what you need to protect. And most people don't know
the answer to that. I'm always amazed when I ask that question, what do you need to protect?
And they go, oh, hmm.
Zero trust is one strategy that practitioners can use to accomplish a cybersecurity first principle goal.
John and I disagree slightly about exactly what that first principle goal should be.
He thinks that it should be to stop all data breaches.
goal should be. He thinks that it should be to stop all data breaches. I prefer a much more forgiving goal of reducing the probability of material impact due to a cyber attack. Regardless,
understanding the what we are trying to protect is essential to both goals. Well, they can think
about it as a strategy because it focuses on a grand strategic goal, which is stopping data breaches.
Zero Trust is designed to stop data breaches because it focuses on what needs to be protected,
not all the things that are trying to get into your system.
It starts at the protect surface.
What do we need to protect?
That's the fundamental question.
Everybody else is working on the edge of all this stuff and saying, here, my widget goes here, my widget goes there.
And I've been on a lot of calls.
I was on one for government not too long ago.
And all these vendors were trying to position their product as a zero trust product. And you need to use it here, here, here.
And finally, I just said, so what are you guys trying to protect?
And the whole call just ground to a halt because no one had ever thought about that.
So zero trust is about protecting things that matter.
I've always defined zero trust
within our grand strategy tactics and operations framework.
And I define the grand strategy of cybersecurity
is to stop data breaches
because data breaches are the only thing
that can get a CEO fired.
John is one of the cybersecurity community's great thinkers. His original white paper on
Zero Trust and his continued evangelism about the idea has propelled the industry forward to
a much more robust security posture. You can keep track of what John will be doing next on Twitter.
His handle is at KinderVog. And we thank John for being on the show.
Next up is my conversation with Tom Clavel, Director of Product
Marketing at our show sponsors ExtraHop
and Kapil Raina of
CrowdStrike.
Why don't I start with you, Kapil? How do you define zero trust? If you're explaining it to someone who really doesn't know much about it, what do you say? Yeah, that's a great question.
From a layman's perspective, we think of a zero trust simply like this. You have a person or an
application that wants access to another resource. And all Zero Trust says is,
at any moment in time, when that person or human wants to get access to a resource, you always,
in continuous fashion, real-time, monitor and say, should they have access to that resource
at this very moment in time? So you look at risk, you look at other factors, and then make a decision, yes or no. And so the tricky part about, of course, zero trust is you
have to do that in real time. And you cannot assume that because you were trusted at one point,
you'll be trusted again, hence the term zero trust. Tom, anything to add there?
Yeah, absolutely. And I completely agree with what Kapiel was saying about zero trust. I would add that zero trust is an evolution in security framework.
Zero trust really is a response to the fact that enterprise networks tend to,
I mean, now have more and more remote users,
and they're bringing their own devices.
There are a lot of cloud-based assets that are not located
within the enterprise-owned network boundaries.
So zero trust really comes from the fact that we no longer control
the perimeter of the network.
So having a perimeter approach to security, it doesn't make sense anymore.
And that's the reason why we have to have comprehensive inspections,
comprehensive visibility into the packets,
into what's going on on the network,
because we can't control what's getting connected
and where the network is extending.
Can you give us some insights?
What is the transition like when an organization decides
to adopt a zero trust approach?
How does that work? How do they get started?
Yeah, so from the CrossRace perspective, that's a great question.
What we found was, in fact, there was a Forrester survey done at the end of last year.
They found about 82% of all enterprises said they absolutely need zero trust, but less than half have actually started an initiative. So this idea of transforming security to match what we're seeing in the digital
transformation. And so the challenge has been when we think about zero trust, what are the
components you need? And we follow the NIST 800-207 standards at CrowdStrike, right? So industry
standard, and that way it's easier for customers to go best of breed. And so based on that, we found when we talked to customers,
there are basically three phases. And Tom alluded to one of them here. So visualize, right? You want
to understand the entire context of what are you trying to protect and what is the information you
need. Mitigate, you eventually want to take that real-time action, both in terms of understanding
security and deploying policy. And sort of the third maturity phase is really optimization.
We're really thinking about extending protection to things like SaaS apps, legacy apps, and really
thinking about the user experience as well to make it at least disruptive as possible.
So when we think about zero trust, we think of these three stages. And depending on
where an organization is, they may be at the visualize stage, mitigate, or optimize stage.
And so then based on that, they can then tailor sort of implementation of a framework.
Tom, when you're talking to folks, are there any particular things that make them hold back,
that are sort of roadblocks to keeping them from either perceived or reality,
that keep them from moving forward?
Absolutely. There are some roadblocks or perceived roadblocks.
I don't think they're entirely real, but they are still in the perception.
And one of them is the fact that zero trust is often seen as something very complex to implement.
Inspecting all the packets, inspecting all the traffic
is very often perceived as a complex process.
And really it's not.
Another roadblock is mandates and the fact that some industries
are lacking the mandates to move to zero trust
and therefore they don't see an urgency to doing it.
What we answer to that is, first of all,
we provide complete visibility of your Zero Trust architecture
and that is a very simple solution to get.
You get extra help and you get that visibility.
Second thing that we provide that is very simple
and easy to implement Zero Trust is real-time detection of
disruptive threats to Zero Trust safeguards.
So we can detect those things. And the third element that is very important
to Zero Trust, which we also provide, is intelligent response.
With extra help, you can respond in real time
to events happening, and we can also integrate
with other environments, such as CrowdStrike,
to provide more comprehensive response to these events.
So in a word, Zero Trust is actually a very simple thing
to implement when you rely on
the key vendors such as CrowdStrike and Extra Help.
One of the reasons zero trust is complex, right?
So there's a perception of all or nothing, right?
I have to implement components.
So to give you an idea, and you can pick your favorite vendor, some large vendors, there's
anywhere from 15 to 30 different components these vendors typically require in the reference
architecture to play zero trust. So this is between hardware, software, hybrid environments,
things like that. So that's a lot of pieces just to provide additional security, or at least in
this model. And to Tom's point, right, so we at CrowdStrike think of this idea, you know, the
reason we're having this conversation is because digital transformation, things are moving to a cloud environment.
So if you have a cloud native environment to begin with, like we do at CrowdStrike, right, you basically need two components.
You need a component potentially at the endpoint or the identity of the workload there, et cetera.
And then you have what we have is a security cloud that does a lot of the processing analysis and enforcements.
is a security cloud that does a lot of the processing analysis and enforcements and so by simplifying that down to a few components it does alleviate the issue of complexity that we find in
zero trust implementation so far and in you know in in terms of mandates you know what we've seen
is you know for example you might have seen the only a few months ago the nsa and the
cisa put put out a notice saying that you know
because of all the recent supply chain and other breaches that agencies must use your trust and
they went through their own sort of journey mapping and explanation there and again it goes
back to okay if you're going to do it and even if you have a mandate the complexity if you're going to do it, and even if you have a mandate, the complexity, if you don't have sort of a cloud-native solution,
still remains.
While we're focusing on the elements that are preventing people
from moving to zero trust, what we do see in the market today
is an acceleration towards zero trust.
And we see really five factors, five very important factors
that are driving that acceleration.
And those factors are very dependent on the current context, but we think they are going
to last over time, even after that current context is over.
We mentioned the mandates, and there are more and more mandates on IT departments for modernization
efforts.
We see also a lot of growing remote and distributed workforce.
I think it's very obvious right now, but it's going to continue over time.
And we see also institutional interdependencies and data sharing
between enterprises, vendors, third parties, and so on.
And so networks are becoming much more complex
with more people interacting on that network.
Fourth, we see an increasing reliance on contractors and partners.
And the fifth factor that we see accelerating the adoption of Zero Trust is the accelerated adoption of Internet of Things and automation.
What is it like when folks are on the other side after they made the transition and they have an effective zero trust program up and running?
What sort of feedback do you hear from them?
Yeah, from CrossFit's perspective, when we talk to customers and we've actually done sort of analysis around this,
for them, they just have a basic understanding of what across their environment, hybrid environments,
you know, what are sort of the attack paths and the blind spots,
right, that visibility.
An example is, you might not think about it,
but with this idea of digital transformation,
you have all these applications running, right?
So service accounts, which are used to access
other applications on behalf of these apps, right?
How many service accounts do you have?
Who owns it?
And typically, it's the business owner, not IT that kind of manages that, et cetera.
So that becomes a big blind spot.
And as we've seen, again, in the recent attacks, that's been a big issue.
As you kind of move into the maturity along those lines, what we found was that there
is an actual material return on investment.
And that return on investment is what we at CrossFit call frictionless, right?
So, yes, for the users, it's definitely return on investment, right, because they're not calling the help desk as often because you're trying to do a password reset or some other issue.
And we've found that organizations have saved quite a number of hours per user, especially when they're contractors or
field workers, et cetera. Other areas we've found benefits in is for frictionless for both IT and
security. So think about when you have, you know, in a typical system, almost everyone uses machine
learning today, you sort of have a sort of a, you don't have a yes, you don't have a no, it's kind
of in the middle. So what do you do today? You have to send it to a SOC analyst and they have to look at it, etc.
Or you stop productivity altogether. With a proper zero trust implementation,
you can then decide when the risk level is sort of in that middle, you can go back and challenge
that user and only interrupt them then, perhaps with an MFA, and then basically take out the
false positive. So it doesn't even have to go to the SOC operator.
So we have actually seen return on investment benefits,
and even if they're in an early stage or later stage, around that.
Tom, how about you?
I agree with everything that Kapil said.
Better integration, I would say.
And I would add to that the simplicity of Zero Trust.
While Zero Trust might be perceived as something complex,
it actually leads to a very simple architecture,
a simple architecture to monitor and to secure.
We see streamlined operations from one integrated workflow
for cyber network operations, cloud, and DevSecOps teams.
We are able now to detect the activity
that is happening on the network anywhere on the network.
So easy ease of visibility, I would say,
and pervasive visibility into the network.
And so that simplicity leads to more security
because once things are simple to manage, simple to secure, you increase the level of security of your network.
Is there any question in either of your minds that this is the future, that this is the direction that not only things are going, but it really has to go this way?
Well, Dave, if all the marketing is any indication, then everyone's talking about zero trust, so it must be the right thing in the right direction, right?
So I think for us, really,
the tipping point really was these last six months,
the supply chain breach and the attacks on Active Directory
and even Microsoft saying that, you know,
don't maintain AD on-prem, go to the cloud,
because Microsoft themselves say we can secure it
better. And that really became a fundamental shift because they went from saying zero trust is this
framework, which, you know, by all accounts has been around for quite a number of years, to, oh,
this has to happen. And that acceleration, I think, was a tipping point. So even though the workforce
has been shifting for the last year plus for COVID, it is this tipping point where everyone
realized, look, we have to do zero trust. It's no longer just an option. And the real question
to Tom's point is how do you simplify it so that people can really implement it? So yeah,
I think it's here now and it's definitely going to keep growing. And you're starting to see a lot
of interesting ideas and innovations building upon the basic frame of zero trust in the market today.
I would add that there's no turning back. I think the
time that we were securing the network on a perimeter-based
model or on a point-based model is
over. And we now have the perception and
the reality is that there's no way we can build walls
on the network, even in specific and located areas. We know that threats are coming from
everywhere and anywhere. And so zero trust is really right now the way to secure that network,
but also to simplify, to make it easy to manage that security. Without the zero trust model, things become much more complex and very quickly.
I don't think the industry is coming back from that zero trust model.
I would see the next model to be building upon that zero trust model, but not the other way.
On behalf of my colleague, Rick Howard,
our thanks to John Kindervag for sharing his expertise and to Tom Clavel and Kapil Raina for joining us.
CyberWire X is a production of the CyberWire
and is proudly produced in Maryland at the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity startups and technologies.
Our senior producer is Jennifer Iben. Our executive editor is Peter Kilby. I'm Dave Bittner. Thanks for listening.