Risky Business - Snake Oilers: ConductorOne, Bloodhound Enterprise and Zero Networks

Episode Date: September 7, 2023

In this edition of Snake Oilers you'll hear product pitches from:

ConductorOne: PAM, account lifecycle management and access auditing for cloud and SaaS accounts
Bloodhound Enterprise: Enumerate attack paths in your environment and shut them down
Zero Networks: Agentless, heavily automated microsegmentation and a VPN product that won't get you insta-owned

Show notes

ConductorOne - Identity security & access control
Home - BloodHound Enterprise
Microsegmentation in a Matter of Minutes | Zero Networks

Transcript
Starting point is 00:00:00 Hey everyone and welcome to another edition of the Snake Oilers podcast series. My name is Patrick Gray and for those of you who are unfamiliar, in these Snake Oilers editions we get sponsors to come along and pitch their stuff, and that means everyone you hear in one of these editions of the show paid to be here. And we're going to hear from three vendors in this edition: ConductorOne, SpecterOps and Zero Networks. So ConductorOne makes a product that, once they explain it, you kind of think, well, everyone needs that. It's a little bit insane that it's not just something everyone has already.
Starting point is 00:00:40 It's basically account lifecycle management, PAM and access auditing for cloud environments. SpecterOps is the company behind Bloodhound and Bloodhound Enterprise, and they make tools that can help you remove the attack paths present in your organization by enumerating all of them out of your Active Directory and Azure AD, and then showing you what you need to do to get rid of those attack paths. And look, hand on heart, in terms of bang for buck, using Bloodhound Enterprise to tidy up your AD, you know, in bang for buck terms, it's very hard to beat. So that's one you should definitely pay close attention to. And finally, today, we're going to hear from Zero Networks, and they make an agentless micro-segmentation product
Starting point is 00:01:25 that can really tighten up your environment, and they also make a VPN product that integrates with your SSO provider. So it integrates your SSO provider with their VPN, and the idea is that until a user is authenticated they won't even be able to connect to the VPN's ports, right? And this is a very good thing when everyone is getting absolutely destroyed by stuff like Fortinet bugs and Pulse Secure bugs and whatnot. And this thing, it's not an identity-aware proxy, right? This is a WireGuard-style VPN,
Starting point is 00:01:57 but with a dynamic firewall on it, instrumented via SSO. So if you're not ready for zero trust web apps everywhere and still need to use a VPN, this is a way to do it without getting Insta-owned, right? And that's a lot of people. So I think a lot of people are going to be interested in that one. But yeah, let's jump into it now with our first snake oiler of the day, and that is ConductorOne. So I got a question for you. How are you currently handling account life cycles and privileged access management for your cloud infrastructure and SaaS accounts? Would you say
Starting point is 00:02:31 that's a smooth process? Because it's probably not. So ConductorOne is an identity security company that does privileged access management for cloud and SaaS accounts, as well as account lifecycle management and access auditing, which is very, very useful in a lot of compliance regimes, right? Now, as you'll hear, you can hook it up into whatever directory you're using, including on-prem AD. So if your processes for doing these sorts of things, like the account lifecycle management and the access auditing, if your processes for doing those sorts of things really suck, you probably want to listen to this one. So here is ConductorOne co-founder Alex Bovee with the pitch. So ConductorOne is an identity security company focused on helping companies secure employee access and permissions.
Starting point is 00:03:17 So you can think about getting visibility into all your identity-centric threats and risks in the organization. So, you know, non-offboarded accounts, orphaned accounts, all the way through to automating the workflows around permission management, escalation, onboarding, offboarding, user access reviews, and, like, non-usage-based revocation. So making sure that people have just the right amount of access that they need, and then removing that access when it's no longer needed. Yeah, so you're kind of blending a few things here, right? Which is all of the automations that are required to kind of run a business and manage all of the identities that are associated with that business. And you're also doing cloud PAM basically, right?
Starting point is 00:03:57 So just-in-time access for things like AWS and all of those cloud good things, right? And you're also doing like real-time permission twiddling and, you know, boosting up those accounts to have the right privilege at the right time. And, you know, so it's all those PAM concepts and identity management concepts, but for cloud. Yeah, that's exactly right. And what we saw is that companies were, first of all, we saw this spectrum of like needing to onboard users and offboard users and the permission lifecycle all being this kind of continuum of permission management and making sure that people have the right levels of access at the right time. I think there's like traditional categories that map into that. One is the privileged access management category that you talked about.
Starting point is 00:04:41 The other is this category of identity governance and administration. But when you kind of just zoom out, what you realize is that the goal and the purpose of those categories and the business problems that those categories are trying to solve for is to really make sure that your users get the access they need when they need it and that people don't have permissions that are excessive and really to try to get to that end goal of preventing identity compromise and data loss from an identity-centric breach. And so we just realized that you really got to approach this problem from an automation perspective with cloud-forward companies. It's really about integrating with all these
Starting point is 00:05:20 different technologies. And if you can do that and you can scale it with a really lovely user experience, you can help companies achieve these privileged access goals and really automate a lot of those processes. Now, it's probably worth mentioning that both you and your co-founder are ex-Okta. And it's funny, right? Because a lot of these good ideas come from people who are sitting in companies like that and they might want to spin it up as a project internally and no one wants to, and then they take it outside. Ironically enough, this is how Auth0 was created, because the founder of Auth0 worked at Microsoft and then pitched it internally, and they weren't interested. So off he went and built his own company. Was it a similar sort of story for you? Yeah, you could say it was a pretty similar
Starting point is 00:06:00 story. And so at the time at Okta, what I was working on is a lot around authentication and MFA in particular and device-aware access, and what you realize is that that SSO problem primarily is focused on kind of like the front gate, if you will, which is kind of authenticating the user, the device, and making sure that it's the person who they say that they are. The challenge is you've got this whole lifecycle post-authentication that most people talk about in terms of authorization and permission management, which is, you know, does the user have access to the right applications first and foremost? Once they're in those applications, do they have the right permissions?
Starting point is 00:06:36 I like to think about kind of the privileged use case around engineers. Like, does your engineering team need access to production infrastructure when they're asleep? The answer is no. So how do you get more of like a just-in-time escalation type use case to escalate permissions and then remove them when they're no longer needed? And that's a really hard problem because it involves at scale, a lot of workflows and a lot of, you know, escalations and a lot of automation to do that really, really, really well. And you have to do it contextually, you have to do it in a way that gives people the right ability to make the right decision. So that was really the problem that we wanted to focus on solving. So how are people currently handling things like account life cycles, you know,
Starting point is 00:07:20 in combination with things like, you know, their cloud gear and their SSO. Like, how is all of that stuff, how has it been glued together over the last sort of, you know, let's say decade? So typically what we found is just a ton of manual processes. I mean, this is part of the reason we started the company too is when we looked out at what- I mean, this is why I asked, because like this is, you know, this is everybody's headache, right?
Starting point is 00:07:41 So that's kind of why I asked, like what have people been doing in the interim? Like when in early customer discovery processes, I would just ask, well, how are you doing this today? And the answer almost all the time was JIRA tickets and spreadsheets. Yeah. And so when you look at that, it's like, well, okay, clearly every single company in the world has to enable self-service for employees to get additional applications or permissions. They need to off-board users, they need visibility into all these different permissions and levels of access, they're running user access
Starting point is 00:08:09 reviews because almost every company has a SOC 2 these days, so at a compliance level they're mandated to do these processes at some level. And so when I look at that and then I look at the status quo, which is effectively JIRA tickets and, you know, manual processes and spreadsheets and hacky Python scripts that reach out to all these applications and try to pull permissions. To me, that just feels like a market that is ripe for a better approach. And frankly, I think with the approach that we're taking, we really focused on the user experience of it as well to really just make it an enjoyable experience with a quick time to value so that employees want to use this product. Even though it's a security product, it's also a
Starting point is 00:08:49 productivity product. They want to use the product because it makes their lives better. Yeah, now you did hit on something just then, which is these audits, right? Like these user access audits. I understand that, you know, this was one of the earlier features of your platform because you understood that people would give you money to take that pain away, right? So this is pretty much a button press thing with you once you're up and running, right? Absolutely. So one of the problems that we decided to focus on early on
Starting point is 00:09:17 was to your point, user access review automation. And as you know, one of the challenges of that is this just broad set of integrations that you have to enable. So you've got to connect to all the critical SaaS and on-prem and infrastructure environments for a customer to be able to connect that technology in and pull in all the permissions and access and users. Once you can do that, and once you've set up a few of those integrations, then running that process is dead simple. And what customers looked at is like, A, we have to do this from a compliance perspective. B, we want to do this more
Starting point is 00:09:50 frequently and more contextually to achieve a better security outcome around least privilege. But trying to achieve that objective, it was not really possible without a lot of automation in place. And so what we did was take that process that they might be running from a manual perspective. Maybe they take a couple of weeks to pull all the data out of their systems. They would plug it into spreadsheets. They put it in the JIRA tickets. They'd federate things out to managers. We turned that into effectively two clicks in our platform. So people absolutely love that. And because we can do it in real time and so contextually, you can actually get a better security outcome because you don't have to run user access reviews like once a year to just
Starting point is 00:10:29 maintain compliance. You can actually run it much more contextually to make sure that you're reducing privileges for users and systems appropriately. Now, what's the number one directory your customers are using? I'm guessing it's Azure AD? So it's about 50-50. Well, we see a lot of, we see, first of all, all the cloud IDPs, and we have some customers that have just on-prem Active Directory as an IDP. So you're integrating with on-prem AD? We do. We do. And the reason why is because there's so many customers that have complex identity environments. So that was one of the things that we started this company around.
Starting point is 00:11:09 No, I know. I know. You do because you have to, but you shouldn't have to. It shouldn't be this way. But I get it, right? So, you know, it's just really weird when you think about on-prem ID being used as a repository or source of information about who could be trusted to do what in the cloud. But, I mean, this is just how Babi is made, isn't it? You would be amazed.
Starting point is 00:11:29 There's so many companies, though, that are on that digital transformation journey, but they're on step two of step 10. And so what that means is they still have an active directory on-prem. They're using a cloud IDP at some level, but maybe it's to SSO into a handful of cloud applications. Yeah, and there's a synchronization. And there's a synchronization. If you want to modify something, you have to start at the on-prem.
Starting point is 00:11:47 Because to really truly secure identity, you need that full picture. This is one of the things you have to embrace is that identity is inherently complex and messy and customers have multiple directories and they have an HR system and you have to kind of combobulate all that data and that visibility across all those environments. Yeah, yeah. So one thing that's interesting there, though, is that you mentioned the IDPs directories because they have some simpler ones, right? You know, I always wondered if they're actually getting much traction.
Starting point is 00:12:14 Sounds like finally they are. I think cloud IDPs are particular, but I think cloud IDPs have mostly been valuable to enable the adoption of SSO and cloud applications. Well, that's kind of what I mean is when I think of an IDP's directory, I just think of like, you know, a pretty simple one that allows you to buy their main product, which is their SSO. Like, I don't think of them as being like gold standard directory providers or whatever, right?
Starting point is 00:12:40 That's going to be... There are a handful of companies that I think were cloud-first and always, right? And those companies, if you were cloud-first and always, you probably adopted a cloud IDP, and that might actually be your source of truth, whether that's Google Workspace or Okta or JumpCloud or a solution like that, or OneLogin. But there are a lot of companies out there that are Azure AD and on-prem AD, or using some sort of a hybrid environment, or have an LDAP for controlling infrastructure access that they've deployed in their own area.
Starting point is 00:13:10 You know, there's just all these complex models around identity from the HR system to the directory to the authorization systems. And you really have to have that full view of it. Now, I guess also when I think about competition for you, it's going to mostly be coming from some of the established PAM vendors who are trying to push into the cloud space. I'm guessing that's where competition is going to come from for you. We see a little bit of both. It's some of the PAM vendors that are trying to reinvent a cloud-centric solution, recognizing that PAM in the cloud is different than traditional PAM. It's also a lot of the traditional IGA vendors that are trying to innovate and also adopt and deploy IGA-centric solutions for more cloud-forward companies. Because those solutions, I think,
Starting point is 00:13:57 really, I mean, I can get into the existential side of it, but I think at the end of the day, it's like all kind of one solution. That's our view. Yes. Yes. Yeah. I'm guessing anyone listening to this knows by now whether this is a product they want to investigate. So we'll wrap it up there. So Alex Bovee, thank you very much for joining us on Snake Oilers to walk us through ConductorOne. Very interesting stuff. Thank you so much for having me. Appreciate it. That was Alex Bovee there from ConductorOne. Big thanks to him for that. Links, of course, to everyone in the show notes to all of the vendors that are featured on this podcast.
Starting point is 00:14:30 Now we are going to hear from SpecterOps, the company behind Bloodhound Enterprise. So I'm going to stick with the question format for this introduction as well. So here we go. What's the state of your Active Directory? Is it properly configured? Or are there misconfigured group policy objects lurking in it
Starting point is 00:14:48 that any user can modify and use to take over your domain controller? You know, no? Well, how do you know that? Now, Bloodhound is an open source tool made by SpecterOps that first gained popularity with penetration testers as a way to enumerate attack paths in Windows networks that would take you, that would take them, sorry, the pen testers from where they landed, which would usually be a workstation, to where they want to be, right, which is your crown jewels. Now, obviously, defenders have also figured out that enumerating attack paths is quite useful to
Starting point is 00:15:19 them because they can start closing off those attack paths. So SpecterOps developed a more powerful enterprise version of Bloodhound for defenders. And that's what we're talking about in this interview with Justin Kohler, the vice president of products at SpecterOps. And he starts off here by explaining what a typical attack path actually looks like. And here he is. Yeah. So a common attack path might be we get like initial access is gained on some user and then they have rights onto a machine. And that user may have like, let's say, local admin or some other rights on that machine. So we can escalate privilege through that. We can also see where that user has rights elsewhere in the company.
Starting point is 00:16:01 And let's say that that user has rights over a server in a different portion of the environment. So we'll pivot over to that server. That server may have an admin logged in. We could dump their credentials. We could inject into a process. We don't even need the password at that point and just move on. So it's theoretically very easy. Well, not even theoretically, we just prove this all the time to take our initial access and turn it into something much greater because of overprivileged and bad administrator behavior where they don't understand that they're opening a lot of risk because of, kind of, their daily management tasks. This problem is massive, right? You might have millions of attack paths and people can
Starting point is 00:16:39 feel overwhelmed. What we do is help them break that down into bite-sized chunks that they can remove very specifically and see the results of that. How are they reducing their overall risk? We measure that based on the exposure within the domain or how many users have a path to your most critical assets. You can actually see that reduce over time. And that's actually one of the most fun things to do with a customer is, after we talk them off the ledge to a certain extent when we first deploy, is show them how they will be able
Starting point is 00:17:10 to cut that risk down over time with very specific actions. Now, that was going to be my next question. Well, first of all, tell me what, and I'm guessing what you will say is the experience for an attacker landing in an environment which is better managed as a result of these
Starting point is 00:17:25 sorts of exercises is they just won't be able to get those easy wins. Exactly. I mean, one of our favorite things to do, you know, when we originally created this, our first customers were our old penetration testing customers. And so we've deployed Bloodhound Enterprise. And then, you know, they would ask our consulting team to come back in for a penetration exercise, a penetration testing exercise the next year. And gosh, I can't tell you how good those tears taste from our consulting counterparts when they wouldn't be able to reach their objective, right? Because we've removed
Starting point is 00:17:54 those avenues that they could use to take the following year. Pen tester tears seem to be the most coveted substance in the, you know, defensive security landscape these days, because it's something I often hear from vendors, which is, we stopped pen testers and we made them mad. You know, it's just, it's the new hotness. Yeah, I mean, we go back and forth quite a lot and I'm very good friends with my services counterpart in SpecterOps. But I will say, you know, that's a very clear indication if we are successful; it's kind of hard to prove a negative. If you weren't breached this year versus last year, if you do regular penetration tests and you do markedly better because of the actions that you've
Starting point is 00:18:39 taken, that is a very clear example of, you know, how much cleaner we've made the environment. You know, you've spoken about how you can help people remediate, you know, do remediation over time in bite-sized chunks and make it easy. Like what would be a typical, you know, list of, give me, you know, give me three example changes that Bloodhound Enterprise might recommend, you know, when you run it as a, you know, the first time, right? Like, what are three things that it's going to tell an organization to do to start paring back that risk? Just to give people an idea of like, how difficult this is going to be, because I think, you know, some security tooling, it might recommend that you do something very difficult or something quite exotic, you know,
Starting point is 00:19:22 whereas you're saying that the sorts of things this thing is going to ask you to do won't be like some monumental challenge, like, oh, you need to remove local admin from everything. And that's step one. No, no, no, no. Or disable SMB, you know, the SMB V1 from the environment or something like that.
Starting point is 00:19:39 Like you should, or NTLM, right? Not stuff like that. So what we're talking about is, let's say you have a group policy object that applies through the inheritance structure of Active Directory and randomly applies to a server. And that server is part of tier zero. It's not a domain controller, but it's part of your tier zero. So an example of this could be your Azure Sync server. that's contained in a random OU within AD and you have a GPO that is controlled by users that they could affect that server and that could be extremely detrimental
Starting point is 00:20:14 I mean you can you can DC sync against the directory and basically do whatever you want that's that's the whole network right there right that's the entire yeah you can do whatever you want right so you want to protect that asset well a lot of people don't understand how their group policy applies and so we have we find all the time like uh we did this a couple weeks ago where authenticated users had um generic all over that a group policy that did exactly that so that is a very clear misconfiguration first of all authenticated users should never have any right like that anywhere in Active Directory. That is basically everyone in the forest that authenticates to it. Anybody, anywhere where they have that kind of access, like again,
Starting point is 00:20:54 just to be very clear, somebody in some random subsidiary could make a change to that group policy object and take over that asset. So that is very, very, like we make those changes in customer environments in like in a discussion. Like when we first deploy, they will fix that in 30 minutes. It's not monumental. It is remove that, right? That is a very clear example of,
Starting point is 00:21:17 oh, wow, that was really bad. And it's instant. It's not re-architecting. I mean, how else are people finding issues like that? Because I'm guessing that sort of stuff, it's just so buried that unless you've got tooling to dig it up, I mean, people just aren't finding it.
Starting point is 00:21:34 They don't. I mean, that's... So we've deployed in so many environments and I can't tell you how clear it is when we deploy and we just show people exactly. It's eye-opening. Some people can articulate this. You know, I would say to your listeners, maybe you know that this problem exists or you feel that this problem exists.
Starting point is 00:21:55 But you can't articulate where it's coming from. Like you can't articulate what risk Active Directory is posing in your environment or Azure is posing in your environment. You know that people are overprivileged. We can give you that visibility instantly and show you how you can fix it with very specific remediations. So like, again, I mentioned it, we kind of talk people off the ledge.
Starting point is 00:22:16 When we first deploy, it is like a Christmas tree of like 20 years of misconfiguration debt. Now that doesn't mean that it's gonna take 20 years to fix it. Again, we can chop off so much risk instantly just by those like very, very small changes that have massive impact. But like you said, they're so buried that unless you're doing what we're doing, you're never going to find them. You simply can't find them with ADUC or the built-in, like, visibility tools that Microsoft or whatever directory
Starting point is 00:22:46 systems have. So who is buying this in an organization? Who is the buyer? Because, you know, I'm guessing it's got to be some sort of team who's responsible for the AD, or is it the security teams? Like, who is actually doing this? So the security teams are, like, some, you know, if you're one of the few companies that has an internal red team, they understand the need, right? They've either been on the receiving end of a penetration test. They've done that internally for themselves. They understand where the problem is coming from and they're struggling to articulate how bad that is. But our ultimate buyer is like a security, like a director or risk manager. They understand that they have to manage risk across the business. Now who fixes it? It's
Starting point is 00:23:33 at the active directory team or the Azure administrators. And sometimes it's the workstation admins, right? You could have the domain users group added into the local admins group of a random computer. That's a workstation administrative fix. That's not the Active Directory team. So to answer your direct question, it's somebody who's charged with risk in the company, but the fixes might be farmed out across multiple teams. Now, look, we don't normally talk about pricing in these segments because, you know, it's typically when you ask a vendor about pricing, it's kind of like, how long is a piece of string? I mean, to a degree, it's kind of the same with Bloodhound Enterprise. But I figure it's perhaps worth talking a bit about the pricing,
Starting point is 00:24:16 because, you know, bang for buck, it seems pretty good. What can you tell people about how this is priced and what it will cost for a typical enterprise? So a typical enterprise, we start out around twenty thousand dollars per year, so we're not very, like, for the hundreds of customers, or like companies with hundreds of people, yet. We do have plans in solving that. I'd say the average, like, large enterprise customer with 50 to 100,000 is somewhere in between 100 and $300,000 per year. But that's like, I mean, you're... I mean, that's a mega enterprise, right? And that is loose change for a security budget for a company of that size. Yeah, I would say it's the best bang for your buck in terms of lateral movement.
Starting point is 00:25:02 Like this is the easiest thing that people abuse today in terms of, like, taking over your environment. I mean, it is like, there's so many paths, and addressing this is going to make all of your other security investments much more effective. Otherwise you're just gonna be getting alerts kind of from everywhere. So, well, and speaking of that, is like the sort of force multiplier thing, right? Like, I hate that I'm unironically using those two words together, but I would imagine that this would make user event-based detection actually more effective, because you are going to be cutting out a lot of noise, right? And things that, you know, the dodgy things are going to be clearly
Starting point is 00:25:40 more dodgy. Yeah, yes, very much so. So like, Active Directory, from our perspective, Active Directory is like a... there's not even a door, there's not even a hinge for a door to go on. Like it is that open, right? You're trying to monitor events, but, like, there is no door to walk through. It's just completely open right now. So why would you even try to triage alerts? Like there's millions of different paths. You have to make that be a sane problem to answer. That's why we allow you to, like, cut those down, and people put monitoring on the paths that, you know, they haven't gotten to yet, or the remnants of paths that they may, like, there's accepted amounts of risk, right? Like let's
Starting point is 00:26:23 give you, I mean, you cannot have a risk-free Active Directory. Well, I will say that we've gotten people down to 0%. Like that is an achievable bar. Zero people in your environment that have an attack path to any tier zero or domain controller or domain admins or global admins or the tenant object itself in Azure. There are zero paths.
Starting point is 00:26:45 That is a bar that our customers clear, which is pretty cool. All right, well, Justin Kohler, thank you so much for joining us and ending that pitch on the mic drop moment. Pleasure to chat to you and all the best with it. Thank you. That was Justin Kohler of SpecterOps there.
Starting point is 00:27:00 The product is Bloodhound Enterprise and yes, solid endorse on that one. It is time for our third and final snake oiler for today and that is Zero Networks. In essence, Zero Networks is a micro-segmentation play but it has a couple of differences. So firstly, you can deploy Zero Networks without an agent which will be wonderful news to a bunch of you out there. It does micro-segmentation magic with the existing firewalls your computers already have. So the idea is if a workstation on your network wants to connect to a funny port, well, it can't unless that user passes an authentication challenge
Starting point is 00:27:34 via your SSO provider. They've worked pretty hard on making this easy to spin up. Some of the other micro-segmentation tools out there wind up being shelfware because it can just be tricky to use. And I'm sure some of you listening to this would be nodding along to that. So I'm going to talk about that with Zero Networks founder Benny Lakunishok in just a moment. And we're also going to talk about their other product that they call a Zero Trust Network Access solution, but really it's a VPN, right? And what makes it zero trust-ish, though, is that it's a VPN at your network edge that doesn't have any open ports on it. When users sign on via Okta or whatever, Zero Networks will then add a temporary firewall rule to that VPN device that will allow the user to connect to it from wherever they are, right?
Starting point is 00:28:20 Whether they work from home or on the road or whatever. So this means you can have a VPN at your network edge that only authenticated users can connect to. Now, obviously, this is extremely useful considering how many enterprises are getting owned by exploits in VPN concentrators, let alone brute force attacks and whatnot. But yeah, here is Zero Networks founder,
Starting point is 00:28:40 Benny Lakunishok, to tell us all about Zero Networks. Enjoy. So we can essentially remotely control the host-based firewall of every machine, as well as various OT devices, and automate what needs to remain open, and then automatically close everything else in a very unique and deterministic and accurate way, so as not to break stuff while segmenting literally 99% of the things that are otherwise open. We do this agentlessly, so we don't need any agents, and yet we still can manage to take almost 100% of assets an organization owns, clients, servers, on-prem, cloud, OT devices, and segment them. And on top of that, we also, and one of our coolest features is to MFA-enable stuff.
Starting point is 00:29:34 And that's patented. So we take your MFA of choice, and we make that now at the network layer, by default only to privileged ports or protocols, like RDP, SSH, WinRM, stuff like that that attackers love and only IT likes, and make that MFA. So that port is always closed, let's say the RDP port. It is open temporarily only after you MFA. So MFA enablement as well. By default it's for the privileged stuff. You can in a click also enhance that to any port you want: port 1234 with application X now is MFA-enabled. The application is not aware of it, you don't need agents, and you just get MFA. Right, segmentation essentially, so essentially this
Starting point is 00:30:19 is micro-segmentation, but you're using the firewalls that people already have, because everything already has a firewall in it these days. I mean, that's basically the pitch, right? And you've built like a control plane for all of these zillions of little firewalls that organizations have already. 100%. Yeah.
Starting point is 00:30:36 So who do you compete with? Because, you know, we think of others who offer micro-segmentation products. Like how are you different from what's out there in the market already? We're very much different than the other vendors in that space because the number one is that
Starting point is 00:30:51 you require a lot of people and time to segment with them. Humans own the segmentation process. You need to see what's going on. So you need to own the process of the rule creation, own it, flip a switch, pray you don't break something, rinse and repeat for the amount of machines you own. That's not a scalable process. Second, you need an agent with them. And third, it's static. There is no dynamic based on MFA, based on
Starting point is 00:31:19 temporarily giving someone access it's either open or closed. So RDP will just be open to a bunch of people instead of being all closed. So those are the three differences. We fully automate, we are agentless because we use what's there, and we have MFA enablement. So those are three big things that are very different. Okay, now you've got another product line, which is around SaaS zero trust network access. Tell us about that. So we want to be, again, the network one-stop shop for network security. There are two big pillars to do that, segmentation, and there's also connectivity. So we've created two products.
Starting point is 00:32:00 By the way, they are both in one UI, one platform. So it's really, really cool for the people managing them. It's much easier than traditional stuff. But essentially, the second product, so the first product is Segment. And now we have Connect, a connectivity solution. It's essentially a VPN, ZTNA, SASE hybrid, where there are bad things about ZTNA and good things. ZTNA, for those who don't know, is the Zero Trust Network Access. It's the VPN replacement.
Starting point is 00:32:27 It's essentially tunneling through someone's cloud without having a VPN port open on the internet. That's one of the biggest bad things about the VPN. Well, people can hack it. I think a month ago, there was a 40, you know, mobility. Our listeners are well familiar with the trials and tribulations of running Fortinet at the edge and Pulse Secure and all of the others, right? Yeah.
Starting point is 00:32:51 I mean, all of them, all of them, all VPN servers, because it's like on average two, three million lines of code, they will have a bug once a year, statistically, each vendor, and it will have a vulnerability. And if you don't patch immediately, someone can get in. So that's the biggest problem. So the zero trust model is essentially, no, zero trust, by the way, by definition, which is a word I hate, although it's right here on the logo, Zero. It's port not open. It won't be open, maybe later, maybe, you know, temporarily, whatever, right? So the ZTNA model for the external connections says no ports open.
Starting point is 00:33:26 You tunnel through someone's cloud. Now, that's the good aspect of the security. But the bad is that, first of all, it's more expensive because that vendor who is paying for that cloud, guess what? You're paying, not them. So it's more expensive and cloud networking is expensive. Second, the performance usually sucks
Starting point is 00:33:44 because you're tunneling and then getting back potentially, or there are different scenarios there. So the experience is bad, the bandwidth is lower. And lastly, it's a NATed device. And usually that means, you know, 1,000 users connecting, they all appear to come from one IP address inside. So all of your internal detection solutions
Starting point is 00:34:06 and EDRs and whatnot, they are now blinded and creating either false positive or just missing stuff because it's all coming from one IP. So what we've created is made a hybrid of that. We have the direct connectivity, but the port, like Segment,
Starting point is 00:34:22 is always closed. No one on the internet sees that, only... So your stuff sort of acts as a port-opening broker, right? So you authenticate, port pops open, bang, you're authenticated, you connect to it, off you go. And then you could use what, like a normal VPN through that port? It's our VPN wrapper around WireGuard, which is the fastest, most secure open source peer-to-peer technology out there today. So we didn't have to develop the tunnel itself. That's all code based on WireGuard. But we wrap around it. And as you said, after MFA, device attestation, and yada, yada, yada, we open the port only for you to connect. And then you have the benefits of direct connectivity,
Starting point is 00:35:02 lower cost, much better performance, and the benefit of the zero trust where the port is never open to anyone, only to those that have the MFA and prove other things as well. Well, how do you do that? How do you do that? And we're going to get sidetracked for a moment here, but I'm just curious, right?
Starting point is 00:35:16 So once I've authenticated to your port-opening broking thing, right? Like it pops open that port. How does it pop open that port just for me? Does it create like a rule that that port's only open for my originating IP? Is that how it works? That's exactly what we do. We use iptables. Again, we don't want to reinvent the wheel. We use what's there. There is iptables there. It's a Linux, very small, thin virtual appliance by Linux. So there's iptables blocking everything. And it's only open to a specific IP set.
Starting point is 00:35:42 And we add your public IP set so that now you can do that, right? Yeah, I mean, I gotta say, Benny, like this is something that people need right now, right? Which is a replace... And so it's... And then once that auth process is done, the user is authenticated, they just have the typical experience of a normal VPN usage. They don't know, for them, to speak for their experience, they just connect. All of this is orchestrated in a second, essentially. And then they just connect directly. They don't even know what's going on, but that's behind the scenes.
Starting point is 00:36:11 Yeah, yeah, yeah. I mean, that certainly solves the Fortinet problem. And that's interesting because that's one we've been talking about a lot on the show, about how that's a very difficult problem to solve. So well done. And I will find it very, very funny if this becomes your most successful business line.
Starting point is 00:36:25 Because it's probably the least impressive thing that you do. But that's life, you know? That's life, exactly. Look, just going back to the micro-segmentation stuff, you know, I'm guessing the primary use case for something like that is to make lateral movement through, you know, the post-compromise phase in an enterprise network to make that a lot harder. Now, I know there's multiple use cases for this sort of thing, but I'm guessing that is the primary use case. Is that accurate?
Starting point is 00:36:51 That's very accurate. It's that, stopping ransomware, stopping a pentester. We stop pentesters left and right. That's the most fun part of my week. Usually it's every week now. I get an email from a customer or a potential in the POC, hey, I could not pen test this EDR versus this EDR to see the differences because the pen test couldn't do anything.
Starting point is 00:37:13 I had to turn you guys off so that I can actually pen test, right? So passing pen tests, which is essentially stopping an attack, right? There's another one. There's a lot of zero trust initiatives. And zero trust usually means micro-segmentation and a ZTNA project, both combined, give you true zero trust,
Starting point is 00:37:32 both internally and externally. So those initiatives for zero trust is also getting fulfilled with both solutions. Some start more with the ZTNA because it's just easier. And then others start with micro-segmentation. So where does your software live?
Starting point is 00:37:49 Is this offered as a cloud service and you have some sort of connector that you have to deploy locally? Like what's the actual deployment model for zero networks? Yeah, so it's a SaaS solution. Most of the brains is in the cloud. There's a virtual appliance that you deploy on-prem. It can be multiple for scale and high availability. And essentially, they are the ones remotely managing host-based firewalls of clients and servers. So your cloud tells the on-prem thing what to connect to and what to do.
Starting point is 00:38:17 Yes, there is also an agent version for some use cases. So you can have a hybrid, let's say, agentless with the virtual appliance for some, and then agent for others, maybe some laptops for specific scenarios. You can have virtual appliance for everything agentless, like it's a mix potentially. All right, Benny Lakunishok, thank you so much for joining me to talk through Zero Networks again, because we've done this once before, not recorded. Very interesting stuff. I wish you all the best with it. I'm sure there's a bunch of listeners who found that very interesting. Cheers. Thank you. That was Benny Lakunishok there from Zero Networks. Big thanks to him for that. And that is it for this edition of Snake Oilers. I do hope you enjoyed it. We'll be running part
Starting point is 00:38:59 two of this round of Oilers in a couple of weeks. And I will, of course, be back next week with more risky business news and analysis. But until then, I've been Patrick Gray. Thanks for listening.