SBN

Adopting Zero Trust with Dom Glavach: Staffing Up

Catch this episode on YouTube, Apple, Spotify, or Amazon.

This week we chat with Dom Glavach, Chief Security Officer (CSO) of CyberSN (Cyber Security Network) and a security consultant, and we dig into Zero Trust as a journey, the delta between buzzwords and tool upgrades, and the hunt for red teams focused on prodding Zero Trust architectures. For those unfamiliar with CyberSN, they connect cybersecurity professionals to in-demand jobs, and have some of the best visibility into hiring trends and how/if Zero Trust is being staffed up.

PS, in the Austin area? On September 22-24, Neal is helping put on the Texas Cyber Summit. Stop by and say hi!

Prior to his current role with CyberSN, Dom entered the infosec world via the government working in a defense of role and later transitioned to the offensive. After 20 years in the government contract world, he connected with CyberSN to find a new role with a faster pace, and during that time was asked to join their team as the CSO. 

While with CyberSN, Dom also began providing cybersecurity-related due diligence work for PE firms that were seeking out mergers and acquisitions. For those less familiar, the amount of research, data analysis, and interviews that go into a deal worth millions of dollars is extensive, and ensuring their security infrastructure and user/privacy policies are in check can make or break a deal.

Trends Pushing Zero Trust Forward

Remote work, BYODs, the shift towards the cloud; there are many factors that push Zero Trust forward, but the most obvious in recent years has been the pandemic. To date, the technology that secures a remote workforce has been around for decades (VPN in particular), but it does a very poor job of securing resources. Encrypted data between two points? Sure. However, it also acts as a bridge across a moat, letting the intended user and a threat actor full access to resources. 

Instead, solutions like ZTNA, SDP, or SASE (which encompasses the former two), or even IdP solutions to an extent, greatly reduce the implicit trust from the equation. Instead of a single or MFA entry point to all resources, users and devices are only allowed to touch specific applications and databases.

“We are not going back to an office. I mean, there’s certainly there’s government and industries that warrant being in the office, but the assets around them are, there’s not data centers, there’s not large data centers. People are migrating away from or have with either COVID or just the cost,” said Dom.

What is Zero Trust?

Each episode of Adopting Zero Trust, we ask the question what Zero Trust means to our guest. For Dom, it started as a principle, but over the past years market saturation created a drastic shift.

“I certainly know. And I hope everyone agrees. It’s not something you can buy. You can’t Google zero trust, and you can’t buy it from, you know, the top three vendors. There’s not a Gartner quadrant for zero trust things,” said Dom. “The question that it’s almost an academic question is ‘what is trust to you?’ I think it’s a model. I think it’s a principle and it’s certainly something that is continuous because I trusted you to join this.”

While it may be a model and even a set of principles, what most organizations find today is that technology vendors have co-opted the term and in a very confusion sense.

“I really do enjoy the concept of always trust and verify, but adding the trust starts at zero and is constantly reevaluated. When I’m doing assessments for companies that have large certifications-SOC 2 Type 2 or they’re ISO-and they they’ve checked every box they have, you know, all the ribbons that you could possibly have and in their technology stack and their cyber stacking in their strategy, they have great buzzwords, but one of my challenges with zero trust is it really has become buzz and not a principle.”

More specifically, during the review of these companies, Dom found that they would say they follow Zero Trust principles, but rely on the likes of a VPN to give users access to resources. If you have a password that grants access to the castle, that is not Zero Trust. In the end, Dom likens Zero Trust to a journey more than anything in that it does not have a specific outcome or finish line, but is something that requires iterations and constant prodding to shape your architecture in a way that removes all implicit trust.

You Don’t Buy Zero Trust; You Apply it to Your Architecture, Devices, and People

Today, there is no one-stop shop for Zero Trust. Any vendor that jumps into your LinkedIn DMs or inbox touting a Zero Trust solution without clearly stating what problem they are trying to solve still has a lot of work to do. In talking to Dom, Neal covers this scenario well:

“You’re not gonna go buy a Zero Trust. You’re gonna buy pieces where somebody says there’s Zero Trust or they work with the zero trust mentality. You’re gonna get whatever that looks like a firewall or network device, a laptop that has a certain client running on it, whatever that may be, whatever those toolings end up growing into, but you’re not just gonna go outta the box. Like you would buy an actual firewall and be like that firewall is zero trust,” said Neal.

While it’s worth noting, SASE or secure access service edge aims to be that solution in the future, to date it has been an enterprise software suite that sits on top of a mature set of tools and processes that already exist. Some elements are rip and replace though like tossing your VPN for SASE, but there are still some use cases where orgs can take advantage of both.

“No, it’s it is a procedural approach. It is something that it’s part of your implementation that may or may not require you to buy actual new tools. It may be as simple as looking at your ACLS and everything else that’s going on. Right. And thinking about it from that procedural perspective. I think that’s the big thing for people to understand there’s money to be made. That’s why we’re having this conversation in a sense to figure out where the money needs to go versus where it already is based on; what your current methodologies and security stack allow. And then hopefully not go out and buy $2 million worth of Zero Trust architecture when you’re buying the same thing, but it just has better access control and, and allow list or block list structure,” said Neal.

While Neal and I typically don’t share a hard stance on Zero Trust and technology, we felt it necessary to highlight that the concept should not come with a price tag nor is only for enterprise organizations. If you search the term today, you’ll see endless tools that may or may not align, and time and time again we must implore those interested to review resources such as NIST and CISA instead.

“Does it replace anything or does it augment things? I think if you had to say, what does it replace? I think it replaces your modeling, your principles, and overall, I don’t think it’s a, what is it? A forklift upgrade? We’re not taking rule based access and tossing out the window. We’re bringing them all together and utilizing them all in a different model,” said Dom.

Are there Pen Testers Focused on Zero Trust?

Of the deals Dom has reviewed, all come with some aspect of analys and required pen testing. To date, he’s not yet seen a pen testing group that focuses on prodding through Zero Trust. While he’s seen organizations with a Zero Trust architecture, in most cases the pen testers still went after their on-prem systems because it’s considerably lower hanging fruit, which of course does make sense in the grand scheme of things.

With that, we have our first call to find pen testers who focus on Zero Trust practices. If you are part of a red team and focus on Zero Trust, we’d love to chat on a future episode. And, if you are looking to network with other cyber security professionals, check out CyberSN.

Coming Up Next

Here’s who we have on tap for the coming weeks:

  1. Bryan Willett Lexmark’s CISO on Sept 8

  2. Maureen Rosado ZT consultant on Sept 22

  3. J.R. Cunningham CSO of Nuspire on Oct 6

  4. Christine Owen Director at Guidehouse on Oct 20

We are also planning a semi-fun Halloween episode, so if you have any infosec horror stories you are open to sharing (please no breaches, we’re talking hiccups and bumps you’ve learned from), please reach out elliot @ elliotvolkman.com. We are also looking for a our final guests for the year, so if you have or are implementing Zero Trust and are not a technology vendor, we’d love to chat.

Adopting Zero Trust with Dom Glavach Transcript

Elliot: All right. Hello everyone. And thank you. And welcome back to adopting zero trust or a C T as we have come to call it. We have another wonderful guest for you here today. And today we are going to branch outside of some of the concepts that we’ve covered before where we go from there.

You know how our usual scope goes it can go anywhere. But that being said, I want to introduce you to Dom. He has a completely varied back. And I’ll just kinda go through a little bullet point list and then I’ll let you handle it and make sure I didn’t miss anything important. So that being said Dom has a wonderful security background.

Currently is the C CSO or even CTO for cyber SN, which is sort of a network that connects cybersecurity professionals to organizations. There’s probably more to. In the past, he has been a security consultant, a CISO and I’d say probably based on some of what I’ve seen in the past. Also a lot of due diligence work and efforts tied to PE firms.

So that is a huge undertaking, which could have huge impacts. And obviously zero trust is gonna have some implications there. But that being said, Don, I’m gonna hand that off to you and make sure we give yourself a proper intro.

Dom Glavach: Thanks Elliot. Thanks now. It’s great to be here. So it came from the government space, spent 20 some years working in the intelligence agencies mainly on the defensive and then transitioned to the offensive side. Had some tremendous opportunities as a research fellow, both applied and theoretical in the space. stayed in government contracting for 20 years and just the pace of government contracting and the burnout and just all the things that accompany traditional cyber professionals as they progress up the chain just started to take its toll on me. And like everyone else I went looking for a position and stumbled onto a company called cybersecurity network, which is cyber SN.

They were helping me find a position in that process. The founder and CEO said, you know what, why Don. Come with us. We’d like to expand our contracting consulting we’re, you know, in the market for a cyber leader. And it’s six years in a blink of an eye. And I assure you too, that the pace between government contracting, the commercial world is a significant Delta, both in pace application.

Facade terminology. Everything is completely different than upside down at times and right side up all at the same time. And one of the great things about cyber SN is there’s many great things. One we’re on the cusp of what cyber professionals and companies are doing trending hiring wise technology tools.

So really an insider look at just the industry as a whole and the consulting and contracting arm. I’ve really had an, a great opportunity to look at large mergers acquisitions in the PE space, in a cyber tech due diligence. And it’s I said to you earlier in the intro, it’s really opened my aperture on just how sometimes for profit and for.

The pur purpose of moving forward. There’s a lot of shortcuts. There’s a lot of good things, a lot of bad things. And a lot of paper tigers out there. When you asked me to talk about zero trust it has been something that just appeared outta nowhere in, in diligence exercises and really accelerated through the, you know, the pandemic and It, I don’t wanna open off on one of just the typical cyber guy and the marketing zero trust really is sometimes a good looking sticker and something products can stick alongside almost akin to when you know, blockchain started to happen.

Every company had blockchain in their name. I’m starting to see more and more cyber products and cyber professionals just throwing. CTA ZT or just zero into something. And I think this conversation in this forum is definitely needed just for the betterment of the community. I mean, we’re all community people give back is a large part of the looking forward to rocking with you guys.

Elliot: Awesome. You hit so many bullet points that I’m about to can of worms on. And I know Neil’s gonna have a lot of this near or dear to his heart because employee growth and retention and being able to embrace people on your organization is very important, especially in our space where there’s a lot of burnout.

The need for bringing people in is just incredibly important. And the comings and goings that you have insight into that probably just not a lot of people have that pulse on. Obviously gives you a lot of insight that we’re hopefully gonna be able to tap into a bit. 

Dom Glavach: no, just trend you. The first thing that came to mind is as it’s interesting being in the staffing and connecting people and having companies ask you for needs. Right before the pandemic really officially hit, there were larger companies that were positioning themselves.

And when you take a look at the data, even you look at it from a defender standpoint, there’s just anomalies across the graph. There’s, you know, there’s a that we always look for and we started to see like a harmonic imbalance of. Companies that don’t traditionally hire full-time remote people starting to prepare for remote cyber.

And it almost the hand of there’s something larger company. So those are the small insights that you have just in one tiny aspect of it. I know that’s way off ZT but it is inside into the

Elliot: par for the course. I think that’s exactly on, on course because the elder element is now they have to have security infrastructure that supports remote teams. You can’t really focus on VPN solutions because that’s not truly zero trust. You need ZTNA or SDP, and you need the people with the professional skills to be able to implement and be able to manage and identity access.

That’s my tangent. I’m gonna throw that over to Neil, cause I know he’s got some opinions on this.

Neal: no I it’s trends analysis 1 0 1, you know? y’all are at the forefront from a hiring perspective, seeing it, like you just mentioned. I think it’s, it is very indicative, like Elliot mentions of what you need to do to prep. You’re not gonna have an entire remote workforce, whether you want it or not.

Without having some adjustment to security processes as a whole you’ve got people who, from the government side we had some spots in the office spaces where you had some, B Y O D attempts in certain lesser echelons of the security world. And then we realized that was one of the dumbest things we’ve ever done, thankfully.

But they tried it, right. Corporations do that today. Right. And then that’s a. Whole new ball of wax that they have to overcome. Now, when it’s not just BYOD it’s your office is your office with your own microcosm of issues, and it’s no longer monitored by the corporation. Right? So this trust layer I think, has to be built somewhere or another to have that that zero trust framework or some new security process flow.

Dom Glavach: Yeah. Almost methodology model principles. You know, you as you were, you struck a memory cord, you know, you kind of think about where we started and where zero trust kind of is today. And some point I’d like to just get Neil’s opinion, you know, is zero. Really zero trust. Is it something that is achievable?

I certainly know. And I hope everyone agrees. It’s not something you can buy. You can’t Google zero trust and you can’t buy it from, you know, the top three vendors. There’s not a Gartner quadrant for zero trust things.

Neal: Not yet.

Dom Glavach: Not, yeah, not yet. Just the evolution of it. I mean, we started our days in ACLS in layer seven rule based access, least privilege.

And now we’re into this mode of trust and. When you talk about zero trust, you’re evaluating zero. Trust. The question that it’s an, almost an academic is what is trust to you? I think it’s a model. I think it’s a principle and it’s certainly something that is continuous because I trusted you to join this.

And you trusted me to join this. As this, you know, progresses over time, almost analog. We’ll continue to trust each other, but we’re constantly evaluating as this conversation goes, which is a key fundamental or key foundational element. I think of what zero trust is. The zero trust architecture, something that’s con starts with nothing is evaluated and continues to evaluate or continues to unwind analog like over.

Neal: Yeah, I think that’s a good point. You know, it to kind of unpack that a little bit at the start talking about that. This isn’t a cots type thing. You’re not gonna go buy a zero trust. And you’re gonna buy, like you mentioned earlier, you’re gonna buy pieces where somebody says there’s zero trust, or they work with the zero trust mentality.

You’re gonna get whatever that looks like a firewall or network device, a laptop that has a certain client running on it, whatever that may be, whatever those toolings end up growing into. But you’re not just gonna go outta the box. Like you would buy an actual firewall and be like that firewall is zero trust.

No, it’s it is a procedural approach. It is something that, you know, it’s part of your implementation that may or may not require you to buy actual new tools. It may be as simple as looking at your ACLS and everything else that’s going on. Right. And thinking about it from that procedural perspective. I think that’s the big thing for people to understand, you know, there’s money to be made.

Then that’s why we’re having this conversation in a sense is to figure out where the money needs to go versus where it already is based off what your current methodologies and security stack allow. And then hopefully not go out and buy $2 million worth of zero trust architecture when you’re buying the same thing, but it just has a better access control and allow, and don’t allow blacklist whitelist structure.

It

Dom Glavach: Correct. Yeah. Yeah. And I really do enjoy the concept of always or trust and verify, but adding the trust starts at zero and is constantly reevaluated and It, when I’m doing assessments in Companies that have large certifications. They’re, you know, SOC two type two they’re ISO, and they’ve checked every box that have, you know, all the ribbons that you could possibly have and in their technology stack and their cyber stacking in their strategy, they have great buzzwords.

And one of my challenges with zero trust is it really has become buzz and not a principle and not a. A VPN does not therefore mean you have zero trust. So when you’re trying to explain this I think one of the best starting points aside from thinking about what the outcome is is what does zero trust replace?

Does it replace anything or does it augment things? I think if you had to say, what does it replace? I think it replaces your modeling, your principles. Overall, I don’t think it’s a, what is it? A forklift upgrade? We’re not taking rule based access and tossing out the window. We’re bringing them all together and utilizing them all in a different model. Some of the technologies that you mentioned that Neil mentioned in the stack are still usable today. NextGen firewalls, even, you know, the EDR that is in place now for on organizations are large part of the zero trust architecture. 

Neal: I think that’s a wonderful point too, though. It’s. You’re not taking something to get rid of something else. You’re not buying something to remove something per se. And you’re not even necessarily getting away from what you’ve been doing as a holistic thing. You wanna still have this layers, this onion approach to your security stack.

I hope. So even if you go through it and do everything zero trust conceptually, that’s still just one idea of security model. Right. And just even if you do it perfect. And you understand what that means to your organization, there’s still other security mechanisms you probably wanna fall back on and have as as additional layers wrapped up in there, you know, at least in my thought flow, Taking zero trust, conceptually looking at your current stack, applying it, but then understanding that the layers that you already built in there from a security perspective, if you’re not oblating them out per just to do the zero trust piece, you might still keep them there as an additional buffer for if this falls apart as well, at least in my thought flow.

Dom Glavach: No I think you’re spot on the defense in depth definitely resonates. It’s harder to see in zero trust until you really go through. Plan it out. And look, we all start our career hands on keyboard, running as fast as we can and implement, you know, as we get time behind, as you start to see the value in the preparation stage, I mean, we’re all great incident responders and all those other phases don’t mean crap, unless you have good prep. And one of the challenges I’ve seen with misaligned zero trust architectures or zero trust models is they said, I wanna do zero trust. I have a VPN, I have two FA I have users. I’m gonna say these are my digital assets, which is, you know, a user and a computer, or, you know, some device they’re gonna connect to the VPN.

And, but there’s no context behind it. It they’ve essentially digitized the castle. Everyone’s connected to a VPN and they’re going to the cloud. They’ve just shifted hardware to a cloud based platform and called it zero trust. Cause there’s no planning. There was no, just no prep and identifying identity network data applications.

What am I missing? What was the fifth data applications? Oh, the network glare. Yeah. Well, if you don’t start with those five pillars and really inventory, understand your flows and just think about for a second, a normal, just pick one person in your enterprise or in your company and say, what is their workflow of the day?

And start with something simple, like email. They need to get access from email. Are they access again from their phone? Are they accessing from the company asset? Are they accessing it from home, from the office in the car? What data do they have access to once they get to the server? Where is it stored?

Who else can see it? There’s this lineage of workflow decisions that you really need to consider as you’re building zero trust and. The other downside I’ve seen to zero trusted architectures is AR arch nemesis, which is complexity. We can overcomplicate things, not by design, but because of interest and, you know, you know, just think about the amount of protection.

Monitoring auditing and automation and threat detection that goes into someone logging into email and over complicating that in a zero trust is easy to do because you can make that continual cycle of am I, who is it Dom that is logging in, is it the right device? Is that the right time? Is he in the right country?

How many times did he do it? You can really make that evaluation, that continu. Trust evaluation, extremely painful and complex. Which is our nemesis. Complexity is hard to D it’s hard to sustain and it’s certainly hard to maintain.

Neal: That’s a good point. I think traditional security stack is more hierarchical approach, right? So we’ve got end user all the way up through gateway and everything outside. But there’s some layers behind it. Default layer and in a zero trust implementation, you start to break down some of those walls, a little.

Not all of them there. There’s still gonna be DMZs firewalls, things like that in a sense. But when you start to put in those layers, you go from more of a hierarchical stair step approach to more of a mesh topology mentality around how you’re doing things. And then like you mentioned that is a layer of complexity that most people are not ready to deal with where, you know, there’s that 5,000 laptops now instead of.

Up down, they’re just going straight across to do something depending on, you know, from the authentication and access controls and all that stuff. I think for me that, that does appear very daunting in my perspective,

Dom Glavach: I love your perspective because when you were saying that there is an aspect of, is zero trust really, right. For this particular workflow. Does zero trust work with IOT devices? I mean, yeah, they are devices and they do authenticate, they access data. They should have a strong surface.

They need maintained. Are they in an environment that zero trust will be more comp, more complex, more costly than traditional, just micro segmenting and layer three NA. So there, there is a, you know, a cost trade off and I think zero trust is a model and principle and tossing the perimeter away and stop focusing on the perimeter is where the industry’s heading.

We are, we’re not going back to an office. I mean, there’s there’s certainly there’s government and industries that warrant being in the office. But the assets around them are, there’s not data centers. There’s not large data centers. People are migrating away from or have with either COVID or just the cost.

It, it will still remain for the near term three to, you know, three to five it’s that’s such a hard crystal ball. Zero trust is a journey. It’s not a It’s not microwaveable popcorn. There’s not instructions that you can put in and set time and eat it when you’re done. It’s.

Neal: a website quote right there. I think we’re gonna get a t-shirt zero. Trust is in microwave popcorn. I think that if we do any public presentations panels at conferences and stuff, that’s the shirt Elliot. I want zero trust is not microwave popcorn. That’s what on a shirt.

Elliot: I’ll get us bumper stickers to go with it.

Neal: yeah. And then, or we could just have, you know, the sticker like this does not equal popcorn. Fuck it like that. Next

Elliot: there go.

Neal: I like that. 

Elliot: Who needs the marketing guy? We got it right here.

Neal: No, that, that being said though, I mean, that, that is obviously a very fair statement. You know, everybody always is looking for an easy button. Everybody’s looking for a single pan of glass. They’re looking for EDR that does everything they’re looking for next generation. So next generation this right.

And zero trust terms. And for the part of the vendor side of the house vendors do a really good job if they’re paying attention playing up those marketing terms to do that and present it that way because that’s expectations. But in reality, you know, you’re right.

It’s not microwave popcorn, you know, just throw it in there, hit start and walk away for five minutes. There’s a lot of things to consider. And so my question back to you on that you mentioned in a roundabout way kind of cost benefit analysis, right? From your perspective today, thinking about the market and where it’s going with zero trust or just security in general do you see a potential for a subcategory in this market to be that consultant who comes in and says, here’s your current stack?

Here’s what zero trust would mean in your stack. And here’s the cost differential and the ROI potential ver vice versa. And yes, you should move. No, you shouldn’t move that thought.

Dom Glavach: I don’t think that is there today. I think that it’s something that is on the horizon. Companies are still quite frankly, struggling with cloud adoption. I mean, I say that with a bit of grim there’s there’s many factors why and. the shortage of cyber talent. The pace that it, it needs to the pace that it takes to complete the planning.

Let me re let me reset that companies are struggling with securing the cloud today. Not being successful in the cloud. They understand that they have assets and data when breach or compromise occurs, they’re still lost in the cloud. Minutia. Companies are very effective at using the cloud. The trust model, the shared security model people have forgotten about that.

They, there is still a large percentage of the world that fills once I put it in Amazon, once I put it in Azure, all is. They we’ve forgotten the shared responsibility. So it is on the horizon because of the way that the workforce is evolving. Regardless of your craft people, aren’t going back to the office.

Digitization is happening. I mean, I IOT’s been here forever. I mean, go to showdown and just see just what the world looks like. We have more data being transferred from non-carbon based things than we ever have in the past. complexity of access data and loss is, has tremendously changed from a year ago. And companies are now stabilizing. We’re all in this, in this decision tree now. What should my Perus architecture look like? I have people that are coming back and I have people saying never coming back. So this hi building this hybrid, this is a long answer to your question. It’s on the horizon.

We’re still struggling with IAM like that. First part of zero trust is identity access. Pick a company, run ping castle against active directory. That small foundation. I mean, active directory is not IAM. I mean, it’s if you’re gonna start in zero trust and that’s all you have, it’s a great starting point.

And I urge you to make sure that it’s tight. When I mean tight, I mean, it’s resilient to attack. Are you willing to put your active director structure on the other side of your current castle and moat model? If you are you’re ready for zero trust, if you’re not you’re you’re still in the planning stage or you should migrate to some other identity provider, you know, commercial IAM.

So there, there is space for that. Now. The cost benefit analysis is still in. The eyes of the people that hold the budget. You’re cyber leaders and podcasts like this, that educate on zero trust that are beyond a Google search. And I mean, everyone goes to talks. I’m the, our industry is well educated but we’re under pressure to make decisions that enable the business and drive the next innovation, the next revenue target all while we’re protecting, responding. Gathering intelligence, analyzing data and helping each other, caring for our people, you know, retaining the people that we have. So there’s not a ton of time afforded to a cyber leader to make great decisions on a large architecture. And there’s now pressure in certain industries. To adopt zero trust MIS has a, was SP 800 something, 2, 2 70 or something like that.

MIS release guidance. The OMB released guidance that everyone needs to work towards a zero trust. NSA has their own documentation and it’s easy when you’re in the commercial side and say that stuff doesn’t it doesn’t apply to me. It does in. you know, as the supply chain evolves and the government agency successfully adopt this, it’s, you know, it starts to work its way.

If you can, if you think about the government as the center of, you know, cyber explosions, you know, does build so zero trust is on the horizon, whether we enjoy it or not.

Neal: I Don I think that you literally just stole the words outta my mouth. And the cyber industry well and most tech industry as a whole here in the us in particular and overseas to some limited extent as well. Our I’ll give our government props on one thing. I think from that security implementation perspective, they’re always, you know, four or five, six years ahead, depending on the tech.

But they’re always. Which has been really kind of neat to see cybersecurity just in general monitoring threat actors and fingerprinting threat actors, instead of just blocking an IP address and calling it a day. Things like that. The government’s always been steps in front of that idea. And I think you make a good point that if the government’s taking the time to prioritize, adopt and stipulate what this means to.

Chances are adoption rates out here on this side of the fence are gonna start happening in the next couple years as well, or at least be more of a requirement from a conceptual perspective of what that means. So we look at threat Intel, you know, five, six years ago, threat Intel was really just getting adopted concertedly on this side of the fence.

Right. But now if you’re on a, if you’ve got a sock with four people and that or even if you’re just an MSSP, there’s somebody in there who thinks they do threat. Whether they do, or don’t, that’s a different debate, but their title threat intelligence, something or another right. Or an Intel analyst, blah, blah, blah.

So that’s awesome. think that’s a great point to see to highlight, you know, governments codified it. They’ve actually built it in some instantiations. We had a guest on prior to this who helped with with a federal deployment of this. And and so, yeah, it’s there. It’s not going.

The idea is there to stay. And now it’s time for us on the private side of the house to realize what that can or can’t do for us on some

Dom Glavach: Yeah. And the luxury of being in non di space is it can be at your own pace. And the downside to that is you’re at your own risk.

Neal: true.

Dom Glavach: yeah, which brings another talking point the risk portion of it as we’re adopting zero trust and we’re it’s again, it’s not microwave popcorn. It just doesn’t happen.

We’re gonna be in some migration because it’s a journey over time. I have yet. And if Neil, if you’ve spoken to someone, please enlighten me. I’ve not spoken to a pen tester or a red teamer that has evaluated a zero trust architecture. And that was their point of compromise, or that was their exploitation or their proof of concept because there’s still easier targets to, to there’s lower hanging fruit.

I’ve seen very well implemented zero trust that still have an on-prem legacy. That the pen test was the target of I’ve seen large mergers acquisitions that do pen testing at a, you know, every 45 day interval from major pen testing firms where the zero trust. Architecture’s not even a target of evaluation.

It’s forgotten about. One of the things that I’m dying to know is do we have pen testers that with that have zero trust craft.

Neal: Yeah, for our part, we haven’t found someone yet. But now it’s kind of my mission personally, to see who I can find. But I mean, I think that’s also a fun highlight too. We look at. Like any war, you know, you bring a pencil, someone brings a big stick, you bring a big stick. Someone brings a knife, right?

Everything is just layers and layers until ultimately we either all destroy ourselves or we get to a layer where it’s just so overly complicated that everybody just gives up that won’t actually obviously happen, but long and short, you know, what was it? Everybody as we’re moving to the cloud and we saw this uptick in ransomware, even before ransomware back in what was it?

20. 2012 ish was the day of the exploit kits like angler and those right. That was their heyday. That I think set the community off on the whole MFA or at least, you know, tofa mentality at least a little bit. So all of a sudden, all these websites started offering up MFA and two FFA type components some kind of T O compliancy and then duo security and Okta just skyrocketed, but we got there to that layer.

And then the next thing. And oh, now we can kind of defeat in certain circumstances, certain types of T O T P, but not consistently, but people still don’t focus on it because it’s an echelon above where they really have to go. And I think from an adoption and hierarchal steps up the mentality of zero trust is that layer that’s been missing behind where we started with MFA and trying to remove.

That singular point of contact from security protocols and procedures. And do you mentioned, make it so complicated right now where when the bad guys do try to get in, they’re having to look for that legacy stuff at the moment because the trade craft isn’t there yet, hopefully. And then that’s where you get to find your missing links and, you know, move things into that next layer.

But zero trust will. Exploited in some way or another, I’m sure the concept will be there. And some way we find a way in and then we’ll come up with something new, but for the time being you’re right, there’s zero trust. And then there’s all the other stuff we haven’t fixed yet, even when we’ve adopted and people get to focus on this for the moment.

So,

Dom Glavach: take a little bit of common in what you’re saying, because as you described how that stack has evolved, it’s all. Access. I mean, you can rewind the tape and say, pick a breach. I know there’s RCE. I know there’s zero day. And you, and I know the frequency in when they’re used, it’s low I’m not gonna give my best when I don’t have to.

Adversaries are people just like we are, if they there’s a lot of lease resistance, that’s what they’re gonna do. But it’s all about access. Zero trust does evaluate access along the way and the things you were mentioning. The, and one other thing that I do enjoy about zero the zero trust model is context around access.

The time the location, the frequency, and as your model matures, you can start to use other context frequency. Flow size. The potential is not endless because it’s, it is compute power and it is complexity. We don’t wanna bump up against that complexity, jagged edge, where we, you know, defeat ourselves in it.

The thing that is kind of overlooked in the zero trust is all the context that you can put all the method, all the protection. Sometime forensic, just the whole protection and the defense continuum. That’s zero trust, really addresses access.

Neal: so a few moments back thinking about this from the access control perspectives, which once again, it is what it is. You talked about the world IOT or embedded systems in general whether that’s a SC O or PLC or some other kind of logic or control systems, but OT side of the house versus the it side of the house in a roundabout.

And for me, when I think about this securing the human aspect is always going to be difficult no matter what you do, right? I think especially like you keep coming back to the remote world, you know, you can do everything you wanna do to my work laptop, but the moment I pick up my personal laptop, To do what I should be doing on my work laptop.

Completely done. Right. You don’t know what’s on that laptop or the other part of the network. But what you can do is look at all your other embedded systems, all your IOT type stuff. And I think for me having worked on the OT side before I, I find that as. Potentially the low hanging fruit of zero trust implementation.

You mentioned doesn’t make sense to do it because of the scale or should we keep it within those echelons that we’ve already built from data diodes and all the other fun stuff that we’re already doing. And I think once that cost benefit analysis plays out a lot of the OT networks will be, I hope ground zero for like full zero trust evaluation at.

Dom Glavach: there’s a very nice dovetail with them because you can consider them untrusted already. And it’s kind of been the model. Unknown to us. We just didn’t. When these first came on the scene, you probably much like me, someone came in and said, we have all this OT equipment. I have a digital directed joint manufacturing monster device that has, you know, seven network connections.

What do I do with it? So we kind of said, they’re just untrusted, you know, in the ACL role based access, we just kind of quarantined them off and said, you’re untrusted. And then they needed to connect everything else. So there’s a super foundation for that OT network to build the workflows and understand the data flow.

Because that they’ll have a harmony, you’re an intelligence guy, you know what harmony looks like, you know what expected, you know what anomalous is and you see a. When you see Aran it’s outside of your trust. So it, there, there is a nice dovetail a starting point because there’s not necessarily humans involved.

Neal: Yeah, exactly. Yeah. Yeah. With that thought flow in mind, two things passwordless security as part of this construct. And then gonna come back to that and then Well, no, let’s go ahead and start. I literally just forgot where I was gonna go with the second one. Cause so hyperfocus on the password list security, cuz it’s one of those weird ones for me.

And you mentioned, you know, the fingerprinting construct, which is basically what that password list security ultimately is it’s taking the fingerprint of who’s behind a keyboard or a device. And then being able to say, this is the persistent fingerprint when it doesn’t meet these parameters, right.

Then flag something. So do you think just that, that basic concept. Important or at least the technology mentality behind it to do that. Algorithmic fingerprinting, even if you’re still using an actual password, but the concept of that heuristic approach how much do you think that needs to happen to be able to really have the right security protocols in play for when something does go sideways or at least to monitor in case something goes side.

Dom Glavach: I think it has. A place in environments that require that type of authentication the entire world’s not ready for that. Just the people the maintenance of that in the convenience of it are tremendous. Is that met for every small business? Is it met for every enterprise?

It is a great cyber UOP. It really is because it has predictability. It has resiliency and there is some fault tolerance built into it. Adoption is what I struggle with. Practical adoption. So think it is a advanced stage of zero trust models. I think that if. is your first bite of the pie on identification.

I, you know, authorization identification, you’ll spend a lot of time where you could have traveled many more miles with multifactor of some aspect that has some geofencing behind it. Some other context I’m a major fan of password list authentication because of those three things. But I do understand its place. My travel agent, who books, my travel, which is intelligence information. Part of my supply chain. I don’t expect to have password a, I mention that zero trust has to consider our chain and. If your supply chain, isn’t using identification as at least as strong as what you are. So if you’re setting your bar at passwordless authentication, you’re raising the bar, you’re raising the tide of your entire trust architecture, your zero trust architecture again, because it’s zero trust.

We can constantly evaluate and put more context behind it. As much as I enjoy it I turn the squelch back to at least two FA MFA.

Elliot: So I’ll jump in a little bit on that one. Only because I literally in the ZTNA space with doing all the competitive intelligence. Companies that can yield that kind of output. And that’s definitely still future stakes. I don’t know how much I can say without getting in trouble, but device context is definitely a huge ask for organizations because if they can do it through automated intelligence where they can do that fingerprinting, basically knowing what device you’re on, where you’re at, who you are should this person be accessing various different element.

There are very few pieces of technology that allow people to access certain things today that even breaches that level of context. I know that a lot of organizations are trying to but on the technology side, it’s still a little bit weighs out.

Dom Glavach: Yeah, boy, I’d love to say to you. Well, there is, MTLS the TLS where there’s a client that authenticates to something. That’s hard. I mean, PKIs PKI is not an easy pill to swallow And, you know, implementing certificates on devices that don’t have people. I can’t agree with you more. It’s a challenge

Neal: Yeah. I remember the glory days of my tax and running around trying to

Dom Glavach: and

Neal: sure you, yeah. Oh my gosh. That may or may not also be one of the reasons why I decided to not be in the government space anymore. Every two days, Hey, you got a new, you got a new PKI. You gotta go to the help desk and show ’em your ID and all your birth records and your shots and everything else.

And by the way, we’re gonna make up some pin for you. But you gotta remember it to get back, cuz we can’t write it down. So then when you walk two miles back to your desk and you forget the pen, then you get locked out. Yeah, it’s a wonderful world. 

Dom Glavach: Right. And again that’s the beginning early in person, days of zero trust. They wouldn’t trust you until they verified your identity and you had to provide other context. And they did it often.

Neal: Yes. Yeah. And so I’m wrapping that back around context is key. Zero trust has been around conceptually for a while. We just haven’t provided nomenclature to it. I think I, and I think that’s the fun part about this discussion is I’m hoping personally I’m hoping people realize that. The things that you need to do to reach this concept.

Once again are not things that require heavy purchases necessarily. And it’s also technically not really anything overtly new from a technology stack. It’s just how you apply the things that have already been made available. And then maybe go out and buy one or two nifty little bells and whistles to help roll it all together.

And I think, especially from our conversation, I feel like you kind of agree with that mentality at least a little bit from where it should start and finish.

Dom Glavach: Certainly and I think when you’re looking at zero trust, having some craft in multi, in micro segmentation, software defined networks really understanding what strong identification and authorization is are keys to success.

Elliot: So considering where you’re at right now, I was just curious if you have any insight into seeing if there are. An increase in request for people with background in zero trust explicitly, or if basically where we were chatting earlier, where remote elements, remote teams supporting those use cases, which roll up into zero trust and concept obviously that’s on the table, but are you seeing any increase in, in explicit request for people with any kind of zero trust, background framework?

Concept? Yeah.

Dom Glavach: Mainly in IAM. Everyone’s still in that foundational stage. I am. And cloud security engineers that are software defined network wizards. So, the I in the IAM space and cloud security engineers are really the, on the cusp of it. CTA and just ZT are just starting to appear in people’s career lineage.

I wouldn’t put CTA on, you know, my career profile yet. Because it’s still, it’s conceptual. I’d be willing to speak to it. I would be more prone to do software defined networks and microsegmentation from, you know, an overall standpoint. So I am and cloud security engineers are driving the asterisk is DevSecOps is a whole nother zero trust discussion, just data containers and that world. In some ways ahead in some ways chasing it.

Neal: So I just have one final question from a getting started perspective. And you touched on skin on this early on as well. If you had a resource or a concept, or just like a 32nd thing for them to go look up just to get their fingers wrapped around where they should start where would you point people to dictionary Google type things or actual resources that you’re aware of?

What should they Google, whatever it may be, what would you be? Your one?

Dom Glavach: while you’re putting me on the spot, it, I think it’s zero trust.gov is the repo that lists the OMB, the NSA docs and the N standard that although they’re heavy The N defines it very well. There’s seven bullet points that say, this is what zero trust is. And if you have two things to look at the N definition and look at the O OB OMB maturity model, cuz it says there’s a, you know, preparatory phase.

Baseline midline and advance. So baseline, intermediate advance, and they list some bullets on whether you’re ready for that stage or not. Those are two resources that really are, you know, technology, product agnostic that are at the model level.

Neal: That works. I appreciate it. I’m asking more. So I know where to go. Look is really what this question’s for, but,

Dom Glavach: That’s where I put people. It’s been great guys. I wish I had a little more time. 

Elliot: thank you so much, Don, for joining us today. And I think before we wrap up, there’s two things that we wanna highlight.

So if there are any patent testers that are out there that have tried to break into zero trust driven organizations, Definitely reach out to Neil myself. We would love to chat with you. I think that would be a great follow up for this, but why don’t we just do a quick little chat about exactly what you do today.

Maybe point people towards the resources that you’re providing.

Dom Glavach: Yeah I think visiting cybersn.com and creating a profile and joining our network will help you connect with other like cyber professionals. We’re all about the community. So cybersn.com and just build a profile.

Elliot: Perfect. Well, thank you so much. We really appreciate you

Dom Glavach: my CEO I’ll be so happy.

Neal: thank you. Do, man. I appreciate it. Thanks for the good conversation.

*** This is a Security Bloggers Network syndicated blog from Adopting Zero Trust authored by Elliot Volkman. Read the original post at: https://www.adoptingzerotrust.com/p/adopting-zero-trust-with-dom-glavach