Learn how Zero Trust needs to change and how it can be done better.
Admiral Mike Rogers, Former NSA Director and Operating Partner at Team8
Mike Rogers retired from the U.S. Navy in June 2018 after 37 years of naval service rising to the rank of four-star admiral. He culminated his career with a four-year tour as Commander, U.S. Cyber Command and Director, National Security Agency.
During his service in uniform, Admiral Rogers held positions afloat and ashore around the globe focusing on cyber, intelligence, maritime operations and national security.
So, how is everybody doing today? Excellent. Hey, for those of you that are physically here, thank you very much. For those of you who are joining us remotely, thank you as well for taking the time today. Hey, my job is to kind of be the scene setter. And I’m going to focus broadly on the state of cybersecurity. I really want to make 3 points. I want to talk a little bit about the state of cybersecurity. I want to talk about what I think those implications are. And in fact, that’s why we’re here today. And then thirdly, I want to talk a little bit about, so given all that, what are organizations kind of looking for? And what do we need to be thinking of?
So, first, we are all shaped by our experiences. So, for me, former military guy, former government guy, spent 37 years in the United States Navy, ultimately retiring as a 4-star Admiral, spent the majority of my career focused in cyber and intelligence. In that time period, I was either part of teams or was leading organizations, penetrated networks for a living, defended networks for a living, developed all the encryption from the mathematical algorithms to the actual generation and distribution and control of all the keys for all the classified systems in the Department of Defense. Was part of an organization that shifted to the cloud about a decade ago. We thought that the cloud really was going to be the way to go. And then lastly, was part of organizations that had lots of data, I mean, massive amounts of data. And so, security, maximizing the utilization of data, very important to what we were doing.
So, all of that has shaped my experience. And now I’ve spent the last several years involved in many of the same things, but absolutely no longer penetrate networks for a living, but involved in an industry and trying to address many of the same issues. So, I find myself very fortunate that I’ve been able to look at this problem from a government perspective, from a business or private sector perspective, as well as I’m a user, like all the rest of you. And we’re all trying to figure out how we’re going to do this individually.
So, let’s think for a minute about, so what is the state of cybersecurity, and where are we? Look, I believe that COVID was much more of an accelerant than a disruptor in terms of cybersecurity. I think that it served to accelerate trends that were already there, versus blowing up everything and forcing us to create something totally new. I think it served to be much more of an accelerant. I think you saw trends towards hybrid work models already. I think you saw trends towards companies focusing on digitalization as a primary part of their business model. I think you saw, prior to this, the idea that, hey, we were going to have to work in this model where not everything was going to be built around a heavily defined and centralized perimeter with a central security stack, and we weren’t going to be able to control all the accesses through that security stack. And that’s exactly what COVID has done to us.
So, as a result of COVID, in the last 18 months, we have had to disperse our workforces. And in so doing, we have had to disperse and restructure the IT and OT systems that they used to execute their missions. Because business doesn’t stop. And so, think about what the implications for that are. We no longer live in a world where the perimeter is well defined. We’ve kind of blown that up. We no longer find ourselves in a world from a cybersecurity perspective where we have strong centralized control of all accesses, and all accesses are done through the central security stack. That’s just not the way things are working these days. I mean, many of us find ourselves doing a lot of our work at home or from remote locations, and yet we’re still accessing the cloud directly, remotely from our home workstations now. And yet, several years before, we had built our security around the idea, “Well, nobody’s going to access the cloud enterprise, unless they’re going to do it through this well-established perimeter, through this very centralized security stack. And that’s how we’re going to provide security.”
And that’s just not the case. We have blurred the lines between what is work and what is personal in many ways, not just in our everyday lives. I don’t know about you, but I find one of the challenges in the current world we live in, there seems to be no well-established time or boundary as to what is work and what is personal life. Everything just blurs. It doesn’t matter what the time of day is, seemingly, somebody wants to talk, somebody wants to get involved, somebody expects you to do something. It doesn’t seem to be, in my experience, at least, my remembrance when we all worked in offices was there seemed to be a much cleaner break between what was work and what was home, what was personal.
Think about the infrastructure now we are using to work out, I don’t know about you, but not everything I do these days is on a device using either hardware or software that’s been provided to me by the company I’m working with. I’m using the same infrastructure that my children are using to game. I’m using the same infrastructure that my children were using to go to school remotely when they had to get pushed out of school, and we couldn’t do it physically. I’m using the same infrastructure my wife uses to work on with her business. And I’m using the same infrastructure I use personally, trying to make sure my family and my friends are doing okay in the midst of this challenging world we find ourselves in. And in the midst of all that, I’m using the same hardware and the same software to do work.
So, companies’ knowledge at times about, “So, what is the IT network and hardware, both hardware and software configuration of the user community?” isn’t like it used to be. And much of the home systems that we’re using were not necessarily designed with security as a primary design feature. The majority, I often have this conversation with some of my friends, and they just look at me and I’ll go, “Have you reset the default passwords on your home router system?” and they just look at me like, “What?” Trust me, guys, the manufacturer has set a standard password and protocol system that’s in place unless you change it. And trust me, there’s people out there who are interested, potentially, in accessing that home router system if it gives them access to what you’re doing, either professionally or personally.
And so, we find ourselves in an environment where the challenges of cybersecurity are only growing. And as we’ve blown up the perimeter, we have created this massive new amount of endpoints, for example. And as a person who used to penetrate networks for a living, the analogy I like to use with people is, look, the house used to have about 3 doors in it. Well, the house today has about 100 doors. And every one of those doors now becomes a potential access point for an unintended or unauthorized individual. And I don’t see this as a short-term phenomenon. I wish I could tell you that, “Well, don’t worry, we’re going to redefine the perimeter. We’re going to move back to the way things were. We’re going to cut back on the proliferation of endpoint devices. We’re going to restrict remote access. And we’ll work everything through a very centralized and well-established security structure.” I just don’t see that happening. I don’t see that changing.
So, given that, what are the implications for us? And that’s really what brings us here today. Because one area I want to particularly hone in on that I think is a big implication for where we are in cybersecurity is the idea of identity and the concept of identity. And what does that mean in the world we live in now?
Before we get into identity though, I do want to say a couple other things about cybersecurity. Think about what this has done for those actors out there, whether they be a nation state, criminal group, individual. In the last 18 months, you have seen nation states ever more aggressive, their risk tolerance much higher. Look at SolarWinds. Look at the Microsoft Exchange hack. I mean, nation states out there are willing to be really aggressive right now. And they are working really hard to undermine security and to do it on a significant global scale. We’re not talking about events focused on just a single entity or a single target. We’re looking at nation state strategies that are designed to enable unauthorized access and intrusion at scale on a global basis across multiple sectors, multiple segments, and not just government or not just the private sector. So, we have to account for that.
Think about how things have changed from a criminal perspective. It’s not that criminal gangs haven’t been there before. Hey, if there’s a way to make money, there’s a human endeavor, both legal and illegal to attempt to do so. And criminals represent the illegal attempts to generate revenue, and the use of cyber as a tool. So, we’ve seen the emergence of significant numbers of criminal actors, gangs, if you will, that have, again, much like the nation state, said to themselves, “There is opportunity here. And there’s opportunity that we can use at scale, and we can do on a global basis.”
Criminals are all about return on investment. It is about maximizing return, minimizing effort, and minimizing risk. And think about what risk is to them. Risk is about, “Am I going to be arrested? And am I going to be indicted? Am I going to be extradited? Am I going to wind up in jail?” As an individual, I sat and ran in an organization that’s involved in the penetration of networks outside my own nation for national security purposes, I never worried that I was going to wind up in jail somewhere. I never worried that I was going to be extradited. I was acting within well-established legal norms, and a well-established history of espionage as an authorized activity associated with nation states.
On the other hand, criminals, very different for them. So, criminals are all about, you want to hit as many targets as you can, as quickly as you can, as simply as you can, and you want to minimize your risk. So, you tend not to dwell on targets for an extensive period of time. For a nation state, if there is something that you believe to be of value, in my previous life, it was not unusual for us, we would sometimes spend months and years focused on particular targets, because we felt the value was very high. And it merited the effort, the focus, the prioritization, and the allocation of time and resources, money, people, expertise against the target.
Criminals generally don’t think that way. Why? The longer you’re on a target, the higher your risk that ultimately, you’re going to get detected, you’re going to get caught. But even criminals are changing their behavior. And until Kaseya’s event earlier this year, I had never seen a criminal entity use a supply chain attack. Why? Supply chain attacks generally take longer. They require you to focus on the supply chain element, because they require you to gain deep knowledge. And the only way to gain deep knowledge is you got to dwell on a target, you got to focus on a target, and you got to monitor it for a long time. You got to get inside and you got to watch how it works. You got to understand it. Then once you understand it, you co-opt it to become the host, if you will, and the method of transmission for the malware that you want to inject. But all of that takes time.
I had not thought to myself that we would see criminals doing this, because I always thought to myself, “This takes a lot of time and there’s increased risk.” And look at what happened in this particular event. 1700 approximately, if my memory is right, 1700 different systems penetrated. And the criminal group itself is overwhelmed, “I can’t do 1700 simultaneous ransom negotiations. I’m not scaled to do that.” So, what do they do? They go back to Kaseya and say, “You’re going to act as the gatekeeper. We’re going to negotiate with you. You’re going to be responsible for unlocking 1700 entities, not us.” So, criminals, just like nation states, continue to evolve.
So, another element of the current state of cybersecurity is it is not static. It continues to change and evolve. And the solutions, whether it be a nation state, whether it be a private entity, whether it be an individual, the solutions that we’re using to address those challenges, they have to change as well.
And now let me focus really on identity. Because I think, given all those things that I’ve talked about already, identity becomes a really challenging concept. In this highly dispersed world, in this proliferation of massive amounts of endpoints and devices, in this destruction, if you will, of what had been a very centralized, well-defined perimeter with a very centralized security stack, if you will, with the loss of that, the ability to ensure positive identity becomes really important. And we need to think about the identity more than just people. Identity, to me, is about identity of individuals, identity of devices, and identity of not just hardware, but also making sure the software that we’re dealing with that we think is X is really X and not something else.
And so, we find ourselves in this world where identity becomes really challenging. Look, it’s the whole foundation behind the Zero Trust idea. Zero Trust is built on the fundamental premise, we can no longer assume identity is accurate based on a single verification. We must continually reassess identification and the accuracy of identity. And we must build an architecture that is built around this idea, “You can’t trust unless you verify,” so to speak. And so, we find ourselves in a world now where Zero Trust is kind of becoming the building block.
So, as we think about the importance of identity, think about the tools that we use to verify and ensure the accuracy of identity. Credentials, passwords (excuse me), encryption, keys, certificates, those are the digital devices we use to actually ensure the accuracy of identity. And all of those things, again, having penetrated networks for a living, trust me, to an adversary, all of those things become incredibly attractive as targets to go after. Because if I can co-opt your password structure, if I can co-opt your encryption keys, if I can co-opt your certificates, I literally can control and own identity. And if I can control and own identity, I get really strong lateral movement and I can escalate my privileges, because now I am somebody that you don’t think I am. And that gives me great… as an attacker, that gives me great flexibility, and that maximizes my options. I get great movement and great accesses. And as an attacker, that’s exactly what you want. You want to optimize your ability to move, and you want to optimize your ability to access.
And so, the protection, if you will, of the mechanisms of identity becomes incredibly important. Those are key targets that adversaries are out there going after. And think about the challenges of trying to do this. We need to be able to do this at scale. As we have proliferated these devices that we’ve created endpoints, I wish I could tell you that, “Well, the job’s getting easier, because the number of passwords, the number of keys, the number of certificates is getting smaller.” I would argue it’s going in the opposite direction. The proliferation of passwords, certificates, encryption keys, etc., is only growing. So, the problem is getting bigger, it’s not getting smaller. And as it’s getting bigger, it’s getting more and more challenging.
And think about the implications, I’ll only give you my experience, so take it for what it’s worth. In my experience, most organizations do not have a true sense of just how many of those secrets, if you will, they truly have. They don’t… almost every time I was a part of a team that responded to a penetration and attempted to drive the adversary out, invariably, the network owner did not have a true appreciation for just how many elements of identity, if you will, those certificates, those keys, those credentials, those passwords, they didn’t have a good sense for just how many they had.
They also didn’t have a good management system for, “Well, how do you revoke them? How do you secure them? How do you purge them?” I always thought to myself, “So, it seems to be, once we issue a certification, so to speak, or a password, it just seems to never go away in a lot of organizations.” That becomes really attractive for an attacker.
And so, companies are trying to grapple with this, “Okay, so I understand intellectually, that you’re telling me that identity is becoming incredibly important. I understand that you’re telling me that the key elements that you build identity around, passwords, credentials, certificates, I understand that they’re important. But you have to help me understand, so what do I do about it? I understand the need case, the theory, now help me understand what I’m supposed to do about it. And how does this relate to my ability to ensure cybersecurity?”
That really is the challenge that brings us all here together today. So, how do we address these challenges associated with identity? How do we ensure that these mechanisms that we use to actually certify and create identity or secrets, how do we ensure that we manage them, we truly understand what we have, we truly…? Also, another element, I also found interesting, a lot of times, people didn’t know where their identity elements were. “I not only don’t know how many certificates I have out there, I couldn’t tell you exactly where they all are.”
And I always thought to myself, “The first thing you always start with in cyber defense, in cybersecurity is, if you don’t have an accurate knowledge of just what ground truth is, you got a really low probability of a successful security strategy. Because if you build your strategy around a foundational analysis that is grossly distorted from the reality that your network lives every day, you get a really low probability of success.” Now, quite frankly, as an attacker, we used to love that. It made our lives a whole lot easier. But I will also tell you, as a defender, I hated it because it made my life a whole lot more difficult, more challenging to achieve the objectives.
So, as we’re thinking to ourselves how we’re going to move ahead in this, I think some of the things we need to keep in mind, we’ve got to come up with solutions that are scalable. We’ve got to come up with solutions that have some measure of speed and agility. This is not a slow static problem set. It tends to be a very dynamic element that requires a lot of agility. We’ve got to keep in mind that whatever system we use, we’ve got to meet international security standards, and we’ve got to meet our own ability to create forensics, documents and logs over time. There’s got to be a digital record of what we’re doing. You can’t run control systems like this, with the idea that you’re never going to have to recreate what you’ve done. That’s just not the way this is going to work.
And so, we’re all trying to grapple with how we’re going to work our way through this. But it all starts with a fundamental recognition and acknowledgement of just what the problem is. And one of my concerns is, quite frankly, we still, at times, seem to take identity almost as a given, that it’s just something that happens and we have high confidence in it. And one of my concerns is, in the world we’re living in now, I’m not so sure that that is a solid assumption. And hope is never a good… one thing my life in the military taught me, hope is a terrible strategy. It’s got a really low probability of generating the outcomes you want. And it brings high risk with it. And yet, too many times, I just looked at the situation and I think, in essence, you’re bowing down to hope as your approach here. It’s just not going to work.
And that’s really what the key lessons today are all about. How do we create a capability or a set of capabilities that enable us to work this? And think about who’s involved in the identity challenge. I wish I could tell you, “Well, it’s just one small element. It’s just the IT world.” Well, it’s not. It’s the info security team. It’s your cloud enterprise team. It’s your DevOps team. If you think that one element or an organization is going to deal with this all by themselves, I don’t think that’s got a high probability of success.
So, as we’re working through solutions, as we’re trying to work through what we’re going to do, we’ve got to remember, it’s got to work across multiple teams and multiple elements in an organization. And it’s got to be able to scale. And it’s got to be able to show flexibility. Because the problem is growing. It’s not getting smaller. There’s only more certificates. There’s only more passwords. There’s only more keys. I just don’t see this as a problem set that, fundamentally, the elements within it are going to get smaller, better defined. I think they’re going to proliferate. I think they’re going to spread.
So, gaining knowledge and insight and having capabilities that help us understand, “So, just what are my mechanisms for identity? Where are they located? How do I ensure that they are enforced in accordance with my security policies? How do I make sure I got a mechanism that I can actually revoke or remove access? How do I make sure that I’ve got a record of everything I’ve done? How do I make sure what I’m doing is in accordance with international security standards? How do I make sure that I can recreate what I’ve done?” Because, again, having had to respond to multiple penetrations, among the first things we always wanted to do is, “Let’s see the logs. And let’s go back and see if we can recreate and look at the activity levels.” Because somewhere in this activity are the indicators of a problem. And we want to go back and look at the breadcrumbs. So, this is not a problem as well that’s going to go away anytime soon, as I said. I think it’s the nature of what we’re really looking at.
And with that, I’m mindful, I want to keep us on time. We started a little late, so I want to give us a little time back. But I thank you all for taking the time today. I thank you for your willingness to be here, whether you’re physically here or you’re virtual. But it’s going to take all of us working together to address the challenges associated with identity. Because the current state of cybersecurity has made identity even more important. And with that, I say thank you all very much. Everybody, have a great day. Thanks.