Admiral Mike Rogers discusses the current state of cybersecurity and how we can better secure our enterprises from malicious attackers.
Dr. Chase Cunningham, Former Forrester Analyst and Dr. Zero Trust
Creator of the Zero Trust eXtended framework and a cybersecurity expert with decades of operational experience in NSA, US Navy, FBI Cyber, and other government mission groups, Chase is responsible for Ericom’s overall strategy and technology alignment. Chase was previously VP and Principal Analyst at Forrester Research; Director of Threat Intelligence for Armor; Director of Cyber Analytics for Decisive Analytics; and Chief Cryptologic Technician, US Navy. He’s author of the Cynja series and Cyber Warfare: Truth, Tactics, and Strategies.
Zero Trust Reloaded. We’re going to talk about the evolution of Zero Trust. I’m going to give you some simple things to think about. And then we’re also going to get into why this actually makes the most sense for what we’re trying to do and the problem we’re actually trying to fix in cybersecurity.
Look, I love data. I love data so much that it drives my family nuts. Because when they have an argument, I say, “Where’s the data?” And if they can’t show it to me, their argument is inherently invalid. It’s probably why I’m on wife number 3. If you don’t have the data, no. So, I started a survey in July of this year, and I got about 1300 responses from people that are cybersecurity practitioners, leaders, etc. and I asked them some very basic questions. Because I wanted to really see from the ground truth and the people that are doing the work, what do they think about the space? What are the problems that they have to solve? And what are the things that they think are important?
One of the most important questions is, “What is your top reason for considering or implementing Zero Trust? Why would you do this?” 52%, more than half of them say it’s because this is more proactive against sophisticated attacks. So, you want a security strategy that is proactive. We’ve learned the hard way, being reactive does not work. We cannot be reactive and expect to do better. If half of the people doing the work are telling us that the reason they’re enabling this strategy, Zero Trust, is because it helps them be more proactive against sophisticated attacks, if we solve the sophisticated stuff, the simple stuff becomes even easier. Some ground truth, some data some validity to this argument.
Why would you engage in Zero Trust? My company sees Zero Trust as a necessary strategy. And I actually underlined and put that word in there for a very specific reason. Not a nice-to-have, not something I think would be cool, not because I see a lot of ZT swag and I could get like cool ZT stickers at RSA or whatever. But why is it necessary? Necessary? If you don’t do this, what is your other option? Like, we’re in a world where, when you look around, you can see that everyone else is failing. I mean, the world in cybersecurity in some instances is kind of burning. And you’re looking around at all this failure, if everyone else is failing and they’re doing something that you know is going to fail, why would you do that same thing and expect a different outcome?
68% of the folks that said this that looked at the survey, they said absolutely necessary, necessary, not something you think about, not something you consider, not maybe something we get to eventually necessary. You can add in the other 25%, and all of a sudden, this gets up into the 80s. Anytime you can get 8 out of 10 technologists to agree on anything, that’s a win.
When implementing Zero Trust, what’s the first thing you do? There is a maturity curve to this. Right? There is a way to get sort of better as you progress through this. And yes, there are very complex problems to solve, but what’s the first thing that you should do? 42% said, “Identity and Access Management.” Why? Because IAM is the gear around which Zero Trust revolves. You can have the best firewall on the planet, moment an administrator logs into it, that firewall has a screen door with a bunch of holes in it and stuff goes back and forth. It shovels electrons. If you cannot take care of identity and access management at speed and at scale across infrastructure in a globally dispersed environment, you will never achieve a better state of security, period, point blank, end of story. The first thing that you do is solve for IAM. After that, everything else is gravy. And you might have already solved for a lot of this. Great, even better. Solve IAM first.
We have known for a long time that the perimeter-based model of security was going to fail. Does anyone know what this picture is of? That’s Troy. That’s Troy. Right? The Trojans, they lost. They had won. They were doing the right things. They had a big high wall. Like, it’s noted in history that they had kind of done this. They had pushed the bad guys out. They were good to go. And then what happens? A Trojan horse shows up. What do they do? “Oh, that’s cool. Let’s let it pass the wall.” Once it gets past the wall, what happens? Bad guys drop out of the horse. And what do they do? They move laterally and burn the city to the ground, and they win because they let the other people in.
We have known since 1260, 1280 BC that the perimeter-based model of security was going to fail. All that we did was take a failed approach to a problem that we had already defined and we put it in virtual space, and then we said, “Oh, on top of the fact that we know that this doesn’t work, the moment someone gets past the wall, let’s just throw a bunch of electrons into the mix.” So, we have known for thousands plus years that Zero Trust is the right way to do this. We tried to do it with perimeter-based security, and we failed, just like the Trojans. And if you continue to engage in that past failed approach, you are failing, just like the Trojans.
I get really tired of doing workshops with folks and they talk about, “The bad guys only got to be right once.” Right? I was a bad guy, you could say that. I worked for the government. I worked for the military. I actually worked for Admiral Rogers. He was way, way up here, and I was way, way down here. But I did a bunch of work on those systems. The bad guys only got to be right once, but they have to maintain access to continue to win. If you can kick them out, you win. If you talk about the Lockheed Martin Kill Chain, which everyone likes to revolve around this, there’s things that I can control and things that I can’t. Actually, when you look at it, you control more of the lifecycle than the bad guy does. I can’t control reconnaissance. Just like if I’m at home, I can’t stop some weirdo from walking up and down the street looking at my house. I mean, it’s probably creepy and I probably don’t want that to happen, but if somebody is just walking up and looking around and kind of doing this thing, I can’t really stop it. You come onto my property, okay, I got a Doberman, like problem solved. But if you’re just walking down the street, you can recon all day long.
I can’t stop weaponization. There’s always going to be new stuff that’s released. There’s always going to be ways to exploit it. There’s always going to be ways to change binaries, etc., etc. I can’t stop weaponization, just like I can’t stop that weird guy from walking up and down the road and going and getting a weapon. When they start to deliver and they do things like lateral movement, exploitation, installation, command and control, exfiltration, that’s when I can take back the power. Because what do they have to have for all that to work? They have to have access and privileges to make all of that effective. So, there are things that I can’t control, reconnaissance and weaponization. Everything else in the Kill Chain, if I have really good identity and access management, I take care of access privileges, lateral movement, etc., all those things that are key and core to them being victorious, I start to flip the script. That is why this is so important. If they can’t move laterally, if they can’t continue to stay and I can get rid of them, I win. So, yeah, they’ve only got to be right once, but you have to continue to allow them to be right within infrastructure as they move so that they continue to win. You take away any one of those things along that Kill Chain, you take back control. And how do you do that? Something very simple.
Let’s look at the data. Right? I talked about how bad this is in my house. Let’s look at the data. 80% of breaches start with misuse of privileged credentials. “Secrets, secrets everywhere,” says Buzz Lightyear. Why would you solve for something else? If I told you that you can solve a problem where I know it’s gravitating around an 80% definition, wouldn’t you focus on that first? 80% of breaches start with misuse of privileged credentials. I’ve done the math on this, I don’t have it with me, but there are roughly 3 usernames and passwords for every 1 person that uses the internet on planet Earth available right now. Mathematically speaking, it’s pretty easy to get a good username and password and find somewhere to go after a system. If you can stop them from using those accesses, you can stop them from getting into that system, you begin to take back control.
The problem begins at the 80% mark. Everyone talks about 80-20. Solve for this. If I can remove privileged credentials, if I can remove access, I start to win. Zero Trust requires (and this is from that study that I did) identity and access management for humans and machines. Now the problem gets a little bit more complex, a little bit more muddled. Most of the traffic you see with an infrastructure is not human-to-machine, it’s machine-to-machine. Humans get to something and then we usually do what we’re going to do, unless you’re an administrator, you’re actually running a system. But we kind of get to something, do what we need to do, and that’s where we sit. Everything else happens because machines talk to machines. So, you have kind of two 80% problem spaces. Again, this is where the problem is big. This is where you want to fix the issue. Solve for this.
So, take care of human, stolen privileges, accesses, credentials, etc. Take care of the ability for machines to talk to other machines ad nauseam without authentication, without all those things that you should have. If you can do that, you are taking back control from the adversary at a very high percentage rate, 80%. I love solving 80% problems. Those are relatively simplistic. I don’t want to solve 2 or 3% problems. A lot harder to do, lots more stuff involved. Do these simple things, begin to take back control.
But if we only take care of those 2 pieces, there’s something we’re missing. We’re like this poor dude on the boat who’s sitting there going, “Man, this boat sucks. It doesn’t go very fast.” I paid for the upgrade, the trailer is attached. But he hasn’t seen what’s below the water. And a lot of folks are sitting there trying to solve these problems, and they’re like the poor guy in the boat where they’re smashing the gas, thinking, “I’ve got it. I’ve solved for humans, and I’ve solved for machines. But there’s another issue that we have to throw into the mix as well.” All these applications talk to other things, just like humans do and machines do. You have to have that capability. Everything inside of these systems is interconnected. Everything accesses something else. And it accesses it how? With some form of a credential, a token, a password, a username, a certificate, whatever. So, you have to solve for all of these things, and you have to do it at speed and at scale.
Again, you solve 80% of the problem by taking care of people. You solve 80% of the problem on the other side by taking care of machine-to-machine. But if you ignore this, you are leaving that last sort of 20-ish percent available to the adversary. If you want the adversary to back off, we want to take back the initiative, we want to start to win in that Kill Chain model, we have to throw this into the mix as well. Don’t give them an easy route to win. Bad guys love easy stuff. I can tell you, most of us are pretty lazy. You find easy accesses, you find easy stuff to go after, you continue to do the same thing over and over again, and you just push your way through the system. They don’t want to put a lot of time and effort into this. If you can take back that level of control, you remove them from the power position, things start getting better for you.
To put it really, really simple, if you control access, you control compromise. A very, very simple premise of Zero Trust is that everything will be compromised at some point. Microsoft calls it Assume Breach. Google has their term for this with BeyondCorp. In reality, it’s everything is compromised until proven otherwise. And then guess what? Once it’s proven otherwise, it’s compromised again, and then we’ll prove otherwise again. If I control access, I control compromise. I can’t stop things from being infected. Like I said, back to the Lockheed Martin Kill Chain, I can’t stop weaponization, and I can’t stop recon. I can’t stop that one time the bad guy gets to win. But I can control their access, and I can control the ability of them to move laterally, then I can control the compromise. If I control compromise, I’m in the power position, not the adversary. This is where you want to be. By the way, can you tell I like memes by now?
Let’s boil it down and be even more simplistic with it. Right? Because I talked about that this is not supposed to be a very difficult problem. This is supposed to be something you can solve currently right now today. This is where the strategy side of this equation comes in. Let’s talk about making this so simple, it’s 3 steps. Three actionable IAM concept steps to actually wrap up around the reality of what ZT is, what you have to start with.
I need to justify what’s going on. I like to call these the 3 Js, justify. Machines and humans must justify who they are and why they need to get access to something to access a system, a secret, a token. Why? Why is this occurring? Just like if somebody walked up to your house and said, “Hi, I’m Chase,” do you go, “Okay, cool. Come on in. Welcome to my home and do whatever the hell you want in my house,”? No. You go, “Why? Why are you here? What do you need? I don’t know you. Oh, okay, you’re supposed to fix the plumbing. Alright, tell you what, come on in. There’s a reason for you to be here. Fix the plumbing. I won’t unleash the Pomeranian on you. Like fine, do your thing.” This has to happen in systems. So, you’ve got to justify the reason for this to take place.
It’s got to be just in time. It’s not forever. It’s not always. I’m not going to give you access, and then until the sun burns out, you still have that access, and you can do what you need to do. A temporary secret should be created on that request, the justified request, and then you give it to them with the least privilege possible all the time, every time.
Just in time. Do this thing. You need it now if there’s a reason for it to happen. Here, you can get to this thing. And there’s a time horizon. You have it for 10 minutes, 24 hours, a week, a month, whatever, but there is some sort of time horizon. You do this anyway. How many folks in here love changing your passwords every 90 days? It sucks and it’s annoying, but you do it for a reason, because that is a just in time thing where there’s a time horizon around it, where even if a bad guy has access to you and you change your password, eventually because you go from Password to Password1!, you’ve kicked them out and they have to go back and start over again. Just in time makes a heck of a lot of sense. We do this, and just once. That secret should be deleted, it should be obliterated after the use of that access and after that given time. It’s not available. Pass the Hash, Golden creds, Mimikatz, all those things that we talked about in the red team world, that needs to go away.
So, just once. Justify why, just in time, and you only get it just once. And then if you need access again, I’m going to give it to you again, and you can do it again. Right? Just like if someone comes to your house, and they say, “I’m here, I need to do something.”
“Hello, plumber. Sure, there’s a reason for you to be here. Oh, you need to be here for an hour? Okay, do your plumbing thing. Great. And then you leave. Oh, you need to come back in? I’m at the door to greet you again. And you need to do that whole thing one more time.” Justify why, just in time, just once. If you can do those 3 things, very simple things at speed and scale across infrastructure, you are solving 80% of the problem for humans and machines. And now with these capabilities that are starting to show up, that last 20% for that nether region between applications to machines and all that other stuff, you’re starting to whittle away at that as well. Three things. This doesn’t have to be that hard. This is not rocket surgery. This is how it should work.
“Oh, it’s so simple. Like ZT is so complicated.” I get so tired of dealing with people that, “Man, this is… I can’t do this. It’s too hard. I’ll never catch up. It looks like a bridge too far.” Like, no, it’s really, really that simple. Do those 3 things because they make a difference. They take away the power of the adversary. They flip the model to where you are actually in control. Because if I control access, I control compromise, and things become really simple. Are there a lot more complex things you need to do to have a total security posture and stack and all these other moving parts? Absolutely. Get to that when you’re past these other simple problems. It can be this simple. I swear to you, because I do these workshops with organizations all the time, if you take this road, you will get that much better that much quicker. And ultimately, you are winning, because the bad guys are not in command and control of that entire lifecycle.
Justify why, do it just in time, and just once. What does that equal? Zero Standing Privileges. If you get rid of those privileges, the adversary uses those to move through systems that cause compromise to do breach, etc., etc. You take back the initiative. You take back the high ground. You will see more. You will know more. You will have more command and control. And you can whittle away at the ability of someone to stay inside of your infrastructure and win. No one wins in the hacking lifecycle in 6 minutes. This takes hours, days, weeks, months. The longer that they’re there, the worse it gets for you. If you can move to this model and you can get to Zero Standing Privileges where those privileges don’t exist other than in this 3J sort of methodology, you begin to take back that initiative. Not really, really complicated. Even if you don’t like math, we can solve for 3.
IAM in practice, ZT IAM in practice looks like this. Remember, justify, just in time, just once. It’s controlled with a policy engine. The policy engine does all the cool things between systems. The hardest part of Zero Trust is policy management, maintaining, and controlling. If you have a technology that enables you to do that at speed and scale, it’s really not that difficult. You’ve got to do it for things where machines and human IDs are available. And you’ve got to do it for stuff in critical infrastructure. You can’t do this on a spreadsheet. You cannot do this with drawing stuff on a whiteboard. You can’t do this with Ricky, the intern. Right? This has to be done with a technology, with a system that sits in the middle with that type of policy control that can do this at speed and scale across all those things, always applying those 3 very basic principles. You have to do it ad nauseam. Not one and done, it’s got to continually happen. This is a marathon. This is not a sprint. But that’s what it looks like. That’s what sort of your reference architecture, I guess, you could say for this model in place with the policy engine should look like.
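As an added illustration of the 3 Js and the policy engine described above (this is not code from the talk, from Ericom, or from any product), here is a toy Python policy engine: a secret is issued only when a policy rule ties principal, resource and reason together (justify), it carries a TTL (just in time), it is burned the first time it is presented (just once), and the live-grant count is the Zero Standing Privileges check. The class and method names, and the plumber policy in the demo, are constructed for this example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """One justified, time-boxed, single-use access grant."""
    principal: str
    resource: str
    justification: str
    expires_at: float


class PolicyEngine:
    """Toy policy engine for the 3 Js: a secret is issued only against a policy
    rule (justify), carries a TTL (just in time) and is burned on first use (just once)."""

    def __init__(self, rules, ttl_seconds=600, clock=time.time):
        # rules: {(principal, resource): set of justifications the policy accepts}
        self.rules = rules
        self.ttl = ttl_seconds
        self.clock = clock   # injectable so expiry behaviour can be tested deterministically
        self.grants = {}     # secret -> Grant; this dict IS the complete set of live privileges
        self.audit = []      # (event, principal, resource, justification) tuples

    def request(self, principal, resource, justification):
        """Justify: no rule tying principal, resource and reason together means no secret."""
        if justification not in self.rules.get((principal, resource), set()):
            self.audit.append(("DENY", principal, resource, justification))
            return None
        secret = secrets.token_urlsafe(32)   # fresh per request, never reused
        self.grants[secret] = Grant(principal, resource, justification, self.clock() + self.ttl)
        self.audit.append(("GRANT", principal, resource, justification))
        return secret

    def use(self, secret, resource):
        """Just in time + just once: valid only before expiry, only for the granted
        resource, and only the first time it is presented (replays fail)."""
        grant = self.grants.pop(secret, None)   # burned on first presentation, success or not
        if grant is None:
            self.audit.append(("UNKNOWN_OR_REPLAYED", None, resource, None))
            return False
        if self.clock() > grant.expires_at:
            self.audit.append(("EXPIRED", grant.principal, resource, grant.justification))
            return False
        if grant.resource != resource:
            self.audit.append(("WRONG_RESOURCE", grant.principal, resource, grant.justification))
            return False
        self.audit.append(("USE", grant.principal, resource, grant.justification))
        return True

    def standing_privileges(self):
        """Zero Standing Privileges check: sweep out unused-but-expired secrets, then
        report how many are still live. At rest this should be 0."""
        now = self.clock()
        for s in [s for s, g in self.grants.items() if now > g.expires_at]:
            del self.grants[s]
        return len(self.grants)


if __name__ == "__main__":
    # Constructed policy mirroring the talk's plumber analogy: one principal, one
    # resource, one accepted reason; anything else at the door is refused.
    engine = PolicyEngine({("plumber", "kitchen"): {"fix the plumbing"}}, ttl_seconds=3600)
    assert engine.request("plumber", "kitchen", "just looking around") is None
    token = engine.request("plumber", "kitchen", "fix the plumbing")
    print("first use:", engine.use(token, "kitchen"), "replay:", engine.use(token, "kitchen"))
    print("standing privileges now:", engine.standing_privileges())
```

The audit list is the part a detection team would actually watch: a run of DENY, UNKNOWN_OR_REPLAYED or EXPIRED events for one principal is the signal that a stolen or replayed secret is being tried.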
And yeah, there’s other stuff. There’s other things you might add down here at the bottom. Anytime you start talking this type of thing with a group of technologists, there’s somebody who’s going to come and go, “You forgot that.” Sure. There’s more stuff. Broad strokes, this is what it looks like.
Now lastly, I want to wrap up because I want to talk about the business benefits of ZT. And I’m moving quick here so that we can get back on schedule. There are business benefits of Zero Trust. I honestly am not worried about security technology. Security technology continues to evolve. It does very good things. We have really good stuff in place. There are studies out there (again, back to the fact that I love data) that validate that this makes the most sense. This is what practitioners have said in survey responses, “What is the business benefit of ZT?”
“It’s helped us be more agile.” What business does not want to be more agile? What business does not want to do bigger things better and faster and bring more stuff to customers in a lifecycle that moves at the speed of business? You won’t find one, not that’s going to be in business very long.
Zero Trust increases employee productivity and satisfaction. Why? Because you as the employee are not doing all those things that you hate to do to do security. How many folks in here like doing VPN access? How many folks in here like resetting passwords? How many folks in here like jumping through hoops to do security things because you’re protecting the business, when they’ve hired security people that are supposed to be taking care of you in the first place? If you remove that and you boil it away and you put stuff in place that enables security to just be secure, users are happier. I’m a security person. I don’t want to do security. I just want to do my job. Right? That’s the way that it’s got to be.
Zero Trust has reduced organizational security cost. Why? Because you get rid of things that you don’t need. I have yet to do a workshop with an organization when we crawl through their stack and actually look at security strategy and start mapping technology to solve problems, to eliminate the ability of hackers to live that life cycle where we don’t get rid of 2 or 3 or 4 things. Most of the time, you see stuff that does a little bit of this, a little bit of that, maybe this thing over here, this doesn’t talk to that. It’s just this disjointed, Frankenstein monster of cobbled together stuff that’s really, really running really quickly in most instances, but it’s also really expensive. If the strategy is in place and you use very simplistic sort of approaches to the problem that remove the power of the adversary, you get rid of things that you don’t need. And when you do that, that money becomes available to do other stuff. So, find the business that does not want to be more agile, does not want to have more engaged and productive users, and that does not want to reduce costs, and they’re not there. This is how we want to be. This is how we want to operate.
If you do Zero Trust, and you follow along with those 3 simple principles, and you apply it the right way, at the right time, to the right problem space, you begin to win, you take back the power from the adversary. And your organization will become more secure, more productive. Your users will be happier, and you will be more agile. This is what it means. This is where you want to go. This is the real value of ZT as it stands today. Thank you.