SBN

Adopting Zero Trust with Chris Reinhold: Pen Testing Zero Trust

 

Catch this episode on YouTube, Apple, Spotify, or Amazon.

This week we chatted with Chris Reinhold, Director of Innovation at Core BTS, a managed service provider (MSP) and IT consulting firm. We dig into the long-awaited answer to our previous call, pen testing Zero Trust systems. Plus, we chat about the idea of Zero Trust as a certification and the always relevant factoid that compliance is not security.

Before joining the MSP, Chris spent much of his time and experience at Microsoft working in their security division. Since then, he’s evolved from a solutions architect to a leading role in helping the MSP drive innovation.

Quick note: We have two more episodes in season one: a special guest just before Thanksgiving + Neal and I will do a debrief episode before we break for the holidays. We have some exciting changes for season two, so stay tuned for our last episode of the season. And, sorry for the one-week delay; I was busy relaunching a brand and website.

Pen Testing Zero Trust

Pen testing is a common way to validate your security posture and infrastructure, especially since it’s also a critical element of compliance. In a previous episode, Neal and I were chatting with a hardware manufacturer interested in seeking out a pen tester who wouldn’t just follow the standard roadmap and go after low-hanging fruit. Instead, they wanted third-party validation and gut checks into their systems related to their Zero Trust strategy. During that episode, we put out a call to find an organization that does this, and that is where we connected with Core BTS.

Fortunately, Chris was kind enough to share some insight into how they prod into the systems of organizations that have started their Zero Trust adoption and implementation.

Chris sets the scene:

“It’s usually a couple weeks, right? It depends on a variety of factors there, but at the end of the day, the goal is to do penetration testing externally, and to look for those common vulnerabilities. Look for the bad configuration of firewalls, and so, and start out highlighting that,” said Reinhold. “We also look at what’s the patching level of your servers. That could be an opportunity for us to identify a vector from that [zero trust] perspective. So all that comes into play.”

For these organizations, they get the standard red team experience, and the outcomes flag risks on a spectrum from high to low. From these risks, the organizations typically can identify what aspects of Zero Trust they are interested in pursuing or prioritizing based on the most significant impact on their business.

“What we’re starting to do too is, is start to kind of take that and say, Okay, how can we help you? And it goes right back to the zero trust. Let’s figure a way out of addressing that and taking a much more holistic way. Maybe it’s not just the network interfaces we need to look at or the network devices we need to look at or the servers. Maybe it’s how we’re authenticating. Or maybe it’s how we protect that data net on that server. What tools can we bring into that equation for that client?

As mentioned countless times before, Zero Trust is not a set of technologies but a philosophy, and it certainly follows an all-encompassing model. So Chris and the team infuse that into their pen testing approach, giving them a unique take on third-party validation of systems.

Zero Trust… Certification?

While Forrester does have a certification that allows professionals to attest they understand the concepts as the analyst firm lays it out, today, there is no organizational certification. Certainly, there could be one in the future where organizations align to elements such as NIST or CISA’s architecture or pillars, but to date, we are still just trying to define what Zero Trust even is. Chris explains his usual take when this comes up with clients:

“So from a Zero trust perspective, we ask what does that mean? I think there’s a lot of information out there, and clients don’t understand what Zero Trust is. Some clients almost get the feeling they’re looking for a certification. What you can get zero trust certified. Well, not really,” said Reinhold. “The way I break it down to clients… we talk about Zero Trust and they really don’t get the idea. And the way I explain to them is to consider I’m taking over your Azure directory environment. I have now locked it down. You’ve gotta tell me what access here you need in your environment. They go like, ‘Wait a minute, how do I get access to it?’ Let’s talk about that.”

It’s a simple question, but access has so many implications and is one of the core pillars of Zero Trust. If a company is used to loose access controls, this is a great entry point for shifting the culture. Chris continues on to ask, “Who that person is? What systems should they be using? So I start that conversation that way. One thing I do start talking about very quickly is expand that out to the Zero Trust pillars. It’s identity, it’s workstations, its networks and so forth. And really trying to bring that together for them.”

Compliance is Not Security

Coming from a compliance automation company, I can safely claim that compliance in and of itself is neither security nor a replacement for it. A jumping-off point for most younger organizations into cybersecurity? Absolutely, but it’s limited, and many of the headlines we see today that involve breaches are from fully compliant organizations. That said, Neal brings up a great point about organizations still intermingling the two, and as Chris navigates a lot of conversations with organizations of all different sizes and maturity levels, he confirms as much.

Neal asked, “you need to be compliant, but there’s more to security than compliance, right? So, Are you still having to fight the battle of moving people beyond just base compliance to actually get them secure as you go through this type of process?”

As expected, Chris confirms this is a typical conversation, and organizations are still behind the compliance curve. “Yeah, I would say in a couple of ways that shows up. Either they don’t have the right policies in place, right? We don’t have good compliance policies. The other one we run into is that the policies they have in place are old.”

Episode Transcript

Elliot: Hello everyone and welcome back to another episode of AZT. I am your producer Elliot. We have co-host Neil, and we have a wonderful guest here who’s going to dig into a much requested item basically flagged from a previous conversation. With that said, Chris, I’m gonna actually hand off the introductions to you so that I don’t ruin anything that might be floating around on your LinkedIn resume.

I wanna make sure we present you in the best way possible. But Chris, why don’t you tell us a little bit about yourself and core bts.

Chris Reinhold: Yeah, I’m Chris Ryan, Hold. I’m a director of innovation at Core bts. And to look at what we I do within the organization, you really have to think about, I work with a lot of our clients and my goal is really. To pull technologies together from both Microsoft and Cisco stacks to address clients specifically, more security related challenges.

So, I get involved with, you know, like I said, from the Cisco networking, talking to our networking team, talking to a Microsoft security team. Even working with our team that does network penetration and also governance risk and compliance. So pulling all those things together and projects work with our clients to understand the requirements and then pulling those into our projects and building a project form is, was really my focus.

I come from a, I guess a long background. Security started in a. Worked in presidential communications, which is pretty darn secure in those days. So you had to really think about, you know, who was accessing data, how they were accessing course. Back in that day, we didn’t really have the internet.

But then I joined Microsoft, spent 17 years at Microsoft, and most of my time Microsoft was in various areas of security, whether it’s consulting with Microsoft clients or actually working with Microsoft security technologies and helping clients understand how those technologies apply to them.

Joining Core BTS about almost 10 years ago, And again, just been really focused around the security area.

Elliot: Very cool. So I think one of the questions I’m just gonna throw out there, and it’s kind of like a, the root of some of the issues that we usually focus on for the show is the buzz. Definition of zero trust. So, we’ll dig into what you feel. Zero trust means a little bit later on, I’m sure.

But I think because you are working between the private and public sectors I’d love just some general insight and maybe this does breach down to the definition, but you know, where do you feel like the term, So in previous conversations that Neil and I have had with folks government side super clear that with mandates and.

Some of the items coming down in the next couple of years. Zero trusts, top of mind. Totally fair game to use that term. Private enterprise organizations, maybe not too much, but I love just insight from your side as far as terminology goes, and what seems to work best as far as that.

Chris Reinhold: So from a Zero trust perspective, you know, we ask what does that mean? I think there’s a lot of information out there, and clients don’t understand what Zero Trust is. You know, some clients almost get the feeling they’re looking for a certification. What you can get zero trust certified. Well, not really.

Right? And so way I kind of break it down to clients and it’s not often un or often that I go into a client and we talk about zero trust and they really don’t get the idea right. And way I kinda explained to ’em is consider I’m taking over your Azure directory environment. I have now walked it.

You’ve gotta tell me what access here you need in your environment. They go Wait a minute, how do I get access to, Let’s talk about that. Right? And I kind of start leaving that. So, okay, first thing you probably need is a global administrator, right? How are you gonna let the global administrator, how do you know that person?

Who that person is? What systems who should be using? So I start that conversation that way. One thing I do start talking about very quickly is expand that out to. Areas of the zero trust pillars. I call ’em the pillars, right? It’s identity, it’s workstations, his networks and so forth. And really trying to bring that together for ’em.

Cuz what I find with clients today is they’ll focus on one area. They don’t really think about, well, there’s identity, then there’s works stations. How do I bring those together? And I think that’s the key with Zero Trust, is that you’re taking an approach. I’m gonna, you know, basically assume my environment’s compromised, how do I start minimizing impact?

And you gotta really bring those different pillars together to really put that solution to in place for the client. So that’s been one of the challenges, is really getting the client think about that. Right? And that’s why I kind of go into that first conversation with a client and say, You have no access to your environment.

What do you. And then taking ’em from there, but then also bringing those other pillars, which a lot of times you’ll get a client that’s gets focused on maybe just the workstation side or just the identity side. They don’t think about their networks or what apps are accessing, or more importantly is what data is out there and how should what the rules around accessing that data.

So a lot of clients don’t kind of get into that until you start expanding that concept out to ’em do, to really get what Zero Trust is.

Elliot: Excellent. Yeah, I think that makes a great deal of sense. And I’ll say, I think one of the core pieces. Around zero trust is something that you’ve reflect. And I don’t think we’ve actually come across this on conversations with previous episodes, just kind of weird. But you had mentioned that you should go into the notion that your network is, or maybe com compromised.

How do you kind of navigate that as a conversation? Because obviously that could, you know, scare some people and they’re like, No, I’m totally secure. I’ve got this locked down. But like how do you navigate it around a conversation about that when you know that is a critical talking point. The, you know, you should run under the notion that you are com.

Chris Reinhold: Yeah. I think that’s an area you gotta pro carefully, right? You don’t wanna upset someone and saying you’re compromising and say, How do you know that? it is with a concept that most organizations today, and it is changing though, really think about security from their internal network. They were able to put firewalls up in place, block the traffic.

They had the key cards at the front door. Now they’re participating in this you cloud centric environment. They really gotta think beyond that, and that’s where you start asking questions. How do you know where this person is logging into? Do you know what workstation they’re logging in? . And if they come back and say, Well, we really don’t know, we don’t have good way of defining that that’s where you say, Well, how do I trust that workstation?

Right. That could be a compromised workstation. You search conversation that way. I don’t necessarily go in and say, Your environment’s compromised and we’re from there. It usually kind of, I would say, kind of stops the conversation pretty quickly. , cause

Neal: But yeah, the moment you start throwing up flack about how bad they really are without, you know, without proof just yet, even though you know it’s likelihood, then people do get a little overly defensive. I kinda actually wanna take maybe a step backwards if that’s okay. Real quick on a question.

So, I try to keep copious notes. Now I’m learning my lessons on how to be a good orator here and write stuff down so I can come back to it and actually pay attention during the meantime. That being said you kick this off really straightforward with people. Look for certs or people look for something to rubber stamp and say, I am this.

Right. So I want to just quick anecdote and then the question. I was at Space ISAC conference last week, their Value Space Summit and DHS was presenting and that question. Literally do you think, or someone asked, is there a cert for zero trust? And if not, then will you think that will happen? So throw that question back out to you a little bit.

I know what my personal response is, but outta curiosity, given where things are going, do you think there will not necessarily rubber stamp to say, Congratulations, you’re done because I don’t think you’re ever done, but necessarily a. Third party entity that meets government standards to help you provide and understand what that actually is as a standardization. Do you think that’s a plausible outcome? Sometimes,

Chris Reinhold: I think at some point in time there might be a good audit. Right. Are you falling good practices around? Zero trust and the way I kind, the reason I don’t think there’ll be, I go in your environment, I check to make sure you have the right switches in place. Is that each of that, each of those switches might be different for different clients based on scenarios.

So the way I kind of have that conversation with clients is really I start backing that conversation up. Above the technical, really above the technical infrastructure and say, Okay, what policies, what regulations are you under? As, as an indivi, as a company? That could be your, you know, HIPAA regulations, it could be gdpr, it could be CMC type of reg, you know, guidance or regulations you’re under as organization.

So my next step with the client says, Okay, where’s your organizational governance? How are you taking those regulations you’re supposed to follow and taking those and operationalizing with the organization. So do you have a policy out there that says, as an example, here’s my MFA policy. , Here’s where it applies.

Here’s where it doesn’t apply, right? Do your end users know about it? Are they trained about, Do they understand it? Does your IT team understand it? Right? So that way when I look at organizations and say, Okay, here’s your policy, Great, I’ve got that. Now I know what we need to do with from a zero trust perspective.

I know what pieces I need to bring in to accomplish that policy. I think that’s where we’re gonna see the certification kind of, or approval or where, what do I call it? Kind of start focusing on, right, what are you under? Cause each organization’s different, right? You might be a government organization, but you’re dealing with healthcare information.

You might be dealing with. Drawings for the next weapon system, and maybe in the government perspective, you’re dealing with D O D, right? It’s all about how you take those policies, transform them into the organizational policies, and then as technical individuals, we’ll come in and say, Okay, how do we transform those for organizational policies into a framework that applies those to a technical side of it.

There might be also, at some point in time we’re actually investigating. Within our organization is do we do some sort of network and physical assessment with that client. Right Now that we got it in, how do we know we got everything fitting in place? Right? Did we miss anything as part of it? Or, you know, a lot of organizations we go into as a consulting organization we’re kind of dropped the middle.

We really don’t know the infrastructure, right? So how do you validate that? So we actually have a penetration testing. That is able to do both physical and network related. So that’s kind of the validation. So I would think at some point in time we’re gonna get to that point where we can actually, you know, just like clients today wanna do HIPAA certifications or have HIPAA audits, right?

They’re doing that today. Right. How do you actually take those policies, operational organizations, and then how do you probably the controls to those policies?

Neal: That makes sense. Yeah. I think that might be a better approach than one overarching, Here you go. Rubber stamp thing.

Chris Reinhold: You know, I kind of look at what would happen with nist, right? I have clients that go out and they’ll go look at the NIST requirement, say, Look at, here’s a configuration. They’ll throw it out and say, Okay now we’re this compliant. But they’ve created themselves a bunch of problems. In fact, a client that did that, and that’s why I don’t see that for Zero Trust, they did that in Active directory, right?

They hit in this for active directory, create the group policy object. Well, it was only an organization, about 200. There were executives out of 200 people, they had 280 group policies cuz they had all these exceptions. Right. And I said at that point in time, you don’t have group policies anymore. You got individual policies, users.

And I think that’s where, that’s, it’s important right? To make those decisions and make sure the organization’s aligned with those policies. Right. To me, and there’s been times I’ve gone into or organizations and said, Yeah, you know, based on Microsoft recommendations, Approach in this particular industry, here’s what I recommend from policy perspective and a active director or Azure directory, you put it in place, then all of a sudden you get these complaints back and the complaint is, why do I have to do this?

Well, cuz of it’s, you know, recommended practices. And the next question comes in where of policy that supports this? Well, there isn’t one. And now you gotta kind of step back and figure out the policy. So we talk about, we would much rather have the policy drive the configuration of zero trust versus the configuration of zero trust drive the policies.

Neal: That makes a lot of sense. Now. It’s a good take. For sure. So on that same note, thinking a little bit further down, and I know Elliot and I both wanna get back to the PIN test stuff a little bit on how you approach it, that direction. But. Moving through it. Thinking about when we talk about compliance versus policy

Are you still seeing a lot of people who are overly fixated on compliance versus actual security?

When you go into this are you like seeing people who that I mean, you gotta check the buttons. You definitely gotta check the little cogs off for sure. You’d need to be compliant, but there’s more to security than compliance, right? So, Are you still having to fight kind of the battle of moving people beyond just base compliance to actually get them secure as you go through this type of process?

Chris Reinhold: Yeah, I would say in a couple ways that shows up. Either they don’t have the right policies in place, right? We don’t have the good compliance policies. You can make the decisions. The other one we run into is their policies they have in place are old and they don’t support the new technologies within the Microsoft, I’ll just use the Microsoft framework, right?

We can use different tools today, but if their policies don’t allow us to use those, we’re kind of stuck. We often will do a review their policies and make sure that your policies will allow us to leverage those new technologies to support the zero trust framework. So that’s, yeah, that’s one thing I do see today is is that type of situation.

So for a good example, right, we’ve been getting a lot of calls here recently around cyber security insurance. And as part of that they’re saying we need multifactor authentication. And I go and talk to client, Well, does that mean well we need multi. and it really what they’re asking for is strong authentication.

Can I use other methods that may not need a traditional multifactor, I don’t have to put a pen code in or respond to a Multifactor verification request. Maybe I can use 5 0 2. Maybe I can use biometrics. The problem is The policies that are given or guidance are given by that cyber security insurance company don’t allow that.

It’s where I have to have some conversations. We need to go back and say, these are actually better authentication methods. So that’s a great example. We’ll see some of the, That’s where I kind of bring up the policies are lagging the technology I can bring to bear to sell these situations.

Neal: I love that and I think that’s a great example. You go out and someone’s No, you will have an app on your phone and you will do some kind of two fa, not even MFA in the true sense, but just basic two FA tokenized oath. And then I always like to bring up distributed ledger and other weird things along the blockchain.

I’m like you realize if we were to go this route, the insurance company probably never have to pay you because this is actually secure. Or at least for the time being Now that, that’s a really good point. Awesome. So when you come into stuff like that and we think about. We think about the MFA piece, we think about the policy pieces, and someone’s got all that in place.

What is your kind of first step then to like you getting into the actual assessment and basically obliterating them and showing them that they really haven’t done what they think they’ve done. in a nice, polite manner. So I mean, you we talked about policy, procedure, having those discussions, I think those are important, but when you start to actually get into the network and things like that, what is it that you’re really like in the system?

Really starting to try to probably look at.

Chris Reinhold: It’s a couple different things, right? We kind of break it down Within our team, we’ll have team of experts that take a look at certain parts, so to make sure that those systems are in place and we’re following those policies. So far at any perspective, we’ll sit down with them and understand how you’re managing the, in any, That’s the area I get quite involved with with our clients is understanding how secure is that at any, how you maintain that in.

You know, a lot of people think that, Hey, I just put multifactor on an identity and Azure to directory. I’m fine. We step it back even further than that, we’ll go look and say, How’s the active directory set up? How do you maintain that? Because that’s a source of identity for Azure Directory. And we even go back on that and say, Okay, how do you know that person was hired yesterday?

How do you know that her title has. So it’s really evaluating kind of the end to end, to make sure we’ve got good processes in place. We do the same thing workstations. How do you build those workstations? How do you validate that image or validate that initial build? How do you maintain that image as you move forward?

Because you, as part, as zero trust, you’re making decisions on, is this device or identity compliant? Can I trust this identity if I can’t go back to the source? Let’s put it that way. And validate from the source up that, yep, that everything is compliant, it fits the model it fits the process and the requirements of the organization who really can’t say we’ve got zero trust.

So we do tend to step back with our experts. You know, from, you know, where does that, where do we start establishing trust? Where does that really need to come from and make sure that’s in place?

Neal: No, it makes a lot of sense. It sounds like from. A consultancy perspective. Y’all, y’all take a little bit more hands on holistic approach than probably the one or two people who get tasked, obviously at a company like, congratulations. Go make zero trust a reality. And I, you know, so I worked as a consultant for a little bit off and on.

I was with Booz Allen and a few others back in the day. Mostly government had one commercial client. Government versus commercial. In the commercial world, they bring us in for a couple months to fix a problem. Government keeps you there to fill a seat, right? But that being said, y’all coming in and actually addressing a problem coming in and being that third party.

External source of information. I kind of maybe for me personally, love to hit on that, just a little bit around the intent and impact of that. So we get in the wine industry, we get what we call a cellar blind, where you’re only drinking your stuff and you think it’s the greatest thing because you haven’t tried anything else out in the whole world, right?

So 10 years later it tastes like gasoline, but you still think it tastes like some dough from 1980 from France. So, I mean, from that perspective, you know, maybe hit on like why it might actually be important to have a company like yourself come in and provide those third party interests, those third party assessments.

I, I think that’s a key thing.

Chris Reinhold: I think that’s good for an organization to bring an outside organization, You know, from our perspective is that we’ve got experience, Let’s say you’re a healthcare organization. We do a lot of healthcare industry type of work. We’re working with other healthcare organizations, so we’re bringing our experiences and lessons learned and also called bumps and bruises, right around some of these deployments, into that conversation with that client.

So you’re getting that broad perspective, looking across multiple clients. In that field to say, you know, here’s what we see from that part of the, you know, here’s what we see the industry going. Here’s the challenges we see. You know, if you do this in a healthcare organization, this is a challenge you could run into.

We would consider you move this direction. So we can provide a lot of that guidance in. So that’s, you know, organizations, you know, as you said, You know, get focused on their technology. We’re thinking we’re doing a great job, but you know, we can bring that broader industry experience in and kind of give ’em that broader perspective.

Give ’em some other things to think about. It did A lot of clients, you know, we do assessments, right? Clients will ask us, come and do an assessment. We don’t know where we are. We don’t know where. Our weak points are, help us identify that. So, in our organization, we’re kind of unique in that we can go from, like I said, oh, we’ve got a couple team members that can look at the organizational policies and say, do we have the right policies in place?

Are you educating users? A as part of that. Okay. But that’s good to know. We can do the technical part of it and say, Is the environment configured up? We’re looking at those policies and lying that to how you’re managing your environment. We can do that. And the other thing we’re starting to look at is how do we take our penetration testing team and say, Okay, let’s take the, let’s take an outside view, right?

Let’s assume we don’t know what’s configured in there. Let’s try to use the common techniques that people that are wishing to, you know, harm you as an organization would use to come into the organization. So our team will do that. They’ll do, they’ll sit down and it’s kind of interesting. You could talk to ’em.

They’ll do research and organization. They’ll understand how they’re put together, what services they have out. If we’re doing physical they actually try to figure out what the physical of the organization looks like. Good example is that for one of the clients, they were able to figure out a floor plan and knew where the various offices were.

And so they’ll try to do that because if you look at zero trust, we don’t talk about, you know, the building, but if I can’t trust the building that I got my people in, yeah, that’s a bit of a challenge. So I think that’s where we’re providing a lot of value to our clients, is that we can take different views of that compliance of what it means to make.

Everything is starting to line up with our organization. We’re taking also that outside kind of, I don’t know what’s in there, but I’m gonna try to figure out how to get into it. Right. That type perspective.

Neal: I’m gonna unpack this one. I love this. I, one of the very first things I did after getting off of active duty, I went very part-time, worked for a tiger team back in the early, like 2000 6, 7, 8 timeframe. So we did full throttle, like you’re talking about physical and digital stuff. I think it’s very important to highlight.

The aspects of what a physical assessment goes into play with the digital assessment. So I think from, you’ve, you touched on this a little bit, Finding building specs, figuring out where the server farm is, or figuring out where the security desk is from the physical aspects of Zero Trust. What are some of those things that y’all have kind of helped highlight whether it’s, you know, back to policy and batch policy door policies? Whatever that I, sincere curiosity around what that starts to look like outside of what I’m used to in the government world, where it’s one giant door with a guy with a gun, you badge in, and once you’re in, everything’s pretty much done. Right? So yeah, I, I’d love to hear from that perspective what y’all end up

Chris Reinhold: It’s, yeah, it is certain to highlights, you know, definitely weaknesses we see with, you know, various parts of building. So how do people discriminate? Who should be in that building versus not be in that building? You know, how easy is to get a key card from someone and actually scan it, Right? And that’s.

That the trick our team will use will act like there’re a security and say they need to check your card and it’ll actually be able to scan it and duplicate it. So it gets in various areas of the, in infrastructure and understanding what you, how do I get in that building? What was interesting in some of these examples is getting into the building may not always been going to that server room.

And the cases that we put in place in some of the organizations will create a fishing campaign, will take a, you know, little poster stick up in the office you know, bunch room or break room or by the printer and say, Hey, there’s a free offer here. You sign up. Well, it’s inside a bill. You must be okay.

Right . And we’ll use that as a fishing attempt. So, we’ll also go in and, you know, tap in behind, let’s say use tools to tap into various parts of the network to start gathering data. Understand who’s logging in and do the, are they using good security methods? And also it’s an opportunity for us to actually, with, again, not being in that server room, but also can I do.

Start attacking the domain controllers. Can I get those, access those domain controllers and start compromising an environment? So that really highlights the need for that physical component of that conversation. When you do zero trust, is that I can’t trust the building I’m in and letting buy you in.

You know, there’s could be a lot of interesting things going on there.

Neal: Yeah, I know we like to say a lot. Physical access trumps anything else at the end of the day. No, that’s good. I love the poster idea that’s honestly not what I’ve thought of. I’ve done some other weird stuff, but I’ve never thought about as simple as putting a poster up with the website.

Chris Reinhold: It was a, It was surprising how effective that was. And within a very short period of time, they had some credentials they could do some work with, Let’s put it that way. It didn’t take much.

Neal: I’m gonna do that one next time if I ever get back into that that, Yeah, no, thank you. That’s good stuff. So, I mean, it, it all makes sense. So I think for the sake of what Ellie and I have done on the show before, we’ve never really talked about the physical aspect. We never really talked about blatant assessments post.

Implementation or figuring out where you needed to go during an implementation. So that’s why this is a fun chat. The you know, we’ve talked about people who have built things, but they’ve never necessarily had to really worry about someone like yourself coming in and ripping them a sender post implementation even.

So that’s cool. So thank you for that. The physical aspects are very near and dear to my heart cuz I was the guy that used to have to go into the building and get thrown out by security when

Chris Reinhold: usually the guy that had to defend against you guys. So, , military face,

Neal: Yeah. Yeah. I, You might have, well, I mean, I know you were in, in the nineties and I was doing this in the mid two thousands, but someone like you probably probably handcuffed me, put me back into a SP car at one point in time a few times, but,

Chris Reinhold: Pat we we would do that. We’ve you probably familiar, we would’ve people penetrate, try to penetrate the base on purpose. We would try to figure out where they are and take care of it, you know, so,

Neal: Yeah, good response times at some places, you know, Air Force could be a little slower at bigger bases, but, you know, never had to worry about the Navy guys, man. They seemed to only just do nothing but walk the fence line all day. But on that note, so thinking about this a little bit more I don’t know why they were always a little quicker to respond.

They had bigger facilities to protect, but there’s usually like half of the manning at the Air Force facility. Maybe it’s cuz the Air Force had better lunches and they were usually in the ca you know, the

Chris Reinhold: It’ll be a nicer base is definitely, Yeah. We won’t get into that

Neal: no that being said, so coming back to the penez light of the house, So you do physical, you mix the fun stuff with the digital you do the fishing aspects, both, you know, once again paper and online.

I love that. That’s good stuff. And then, when you come back into this moving from the physical to digital aspects, again, you’re doing these assessments out of my curiosity, you know, I know engagements can vary. It’s all based off of what they’re paying you for and what kind of engagement they want.

But let’s say if you’re doing just a pure digital engagement and they want just a straight up pen test. No, no external consultation, pre pen test. Other than that, we’re hiring you do this basic assessment, pen test, actual pen test, and then come back in. At run on average, what does y’all’s engagements tend to look like for something like that?

I mean, is it a couple of weeks, a couple of months? I know it’s client dependent at the end of the day, really. But you know, as an average rule of thumb, what can someone expect if they hire you to do a PIN test, to do that zero trust argument? What would that could

Chris Reinhold: It’s usually a couple weeks, right? It takes us to do a pen testing. Again, it depends on a variety of of factors there. But at the end of the day, you know, the goal is to do those the penetration testing externally, is to look for those common vulnerabilities. Look for the bad configuration of firewalls, and so, and start out highlighting that.

We also look at, you know, what’s the patching level of your servers? That could be an opportunity for us to identify a vector from that perspective. So all that comes into play. And we do say you have tip of pen testing. You run your set of tools against that environment. Also use some tricks up your sleeve to kind of exploit it a little additionally, right?

To find some other areas. But at the end of the day, the client gets, you know, the list of, here’s what we found here’s the high, low, medium type of risk we see in environment. . What we’re starting to do too is start to kind of take that and say, Okay, how can we help you? And it goes right back to the zero trust especially of our client that does, you know, simply is looking from outside in, Okay, well we found some open holes there.

Let’s figure a way out of addressing that. And you know, much more holistic way. Maybe it’s not just the network interfaces we need to look at or the network devices we need to look at or the servers. Maybe it’s how we’re authenticating. Or maybe it’s how we protect that data net on that server.

What tools can we bring into that equation for that client? Cuz as you think about, you know, you always assume a potential compromise is what if I lose that data? How can it maintain control that data? And there’s ways we can do that with an organization that is, it leaves, inmate inadvertently leaves the organization.

How can we maintain control of that data, prevent it’s being.

Neal: that makes a lot of sense. So I think on that next steps coming back in consultative, once again we talked a little bit about, you know, third party impact and why it’s important to get that type of assessment. And then kind of thinking about the driving force and next steps on that.

So on the, on that note when we think about, well, I guess slight different question. Do y’all ever get hired just to come in and do policy procedural reviews? Or is, or do y’all tend to do kind of a more holistic package? Let’s do the reviews, let’s do the assessments, let’s do or do y’all even take it back a step instead of a full throttle pin test kind of perspective?

Do y’all ever do just actual. Affordability assessments instead.

Chris Reinhold: We’ll pretty much do all those, right. The team actually we work with at Core bts. We were actually, I was part of another company that was acquired and we started integrating with core bts. Actually the governments and risking appliance team, penetration testing team was pretty much set off on its own.

We didn’t really integrate a whole lot with the organization. That’s one of the big changes we’ve made over the last year or so is really integrate that as part of our processes. But that team has definitely set up to, to do the policy and procedure reviews. And in fact, we’ve got clients that. Yearly basis will have us come in and do a review, and do an assessment.

And I help understand where they are with the policies and procedures. If necessary, we’ll come in and actually have set, help them with it, you know, here, let’s provide some base policies for you. Let’s help you go through this process to make sure those policies are in place. So what we’ve done over probably the last year and a half is really start integrating these various components into the overall flow of a project we have.

Core bts. So, you know, years past, you know, four or five years ago, our team would go in, do the technical work and, you know, the problems I would typically run in are the ones I kinda described early. Well, why we’re doing this, right? Or we go ask clients. So what is your B Y O D policy? Well, we don’t have one.

Okay, well, we kind of need one so we can figure out what we need to do here. So now that we’ve got this team integrated within core bts, we actually now are able to do from. policy procedures, let’s see what you have. I mean, we can just do those type engagements or we can just do the you know, the typical we’re, you know, migrating a client to Microsoft 365 or doing some sort of work with them.

Let’s make sure we include security or after the work we can, you know, do that too. So we now have brought all those components together for our clients to really provide that comprehensive end-to-end type of solution. And, you know, our organization, What’s interesting about it is from a technology perspective, you know, is that we get involved from, as I’ve talked about, network infrastructure.

We’ll get involved with the data, how the data’s being managed. We even do application development within core bts. So even our team with, when we do application development, we’re helping that team. How do you integrate some of those core core zero trusts principles into your development technology?

Or when we deploy that technology within a like cloud environment, like Azure or other services similar to that, how do you make sure that infrastructure is ready to support that environment? A lot of it’s based on zero trust principles.

Neal: Yeah. Yeah, definitely. So thinking some more on this a little bit and then maybe I’ll let Elliot finally say some things here. . I know he still got some questions to go through that, that I’d love to hear. Kind of thinking about the totality of this then the would you agree that when you go down any security rabbit hole, not just your trust as a whole, but in general that it is very important to set up a recurring thematic within the company to assess and reevaluate those policies and procedures you put into play?

Yeah. I.

Chris Reinhold: And there’s so many things it changes, right? The policies could change. The, you know, we see constant updates to the regulations are out there like HIPAA or gdpr, so you need to evaluate that. But one of the things that, you know, from just technology perspective in I deal lot the Microsoft technology there’s been a number of times I’ve looked back at projects I’ve done in the past and say, Well, gee, there’s this new capability from Microsoft.

If I had that capabil, , I’ve been able to enable new scenarios or improve that scenario for the end user. Cuz ultimately what we try to do is make sure that at the end of the day, you with zero trust, there’s definitely a security side of it, but you also, you have to consider, you gotta enable the business.

That’s the real purpose of it, is to enable the business to take on new opportunities, be competitive. So you always look, how can I make this situation better for the end user? Make it. More friendlier for em, right? So they’re not saying all, you’ve seen all these barriers and trying to work around them, we’re actually working with those end users and help them understand, here’s the technology, here’s how we can improve your environment, make it easier for you.

So that’s actually a critical part of a lot of our interactions with our clients is is that constant conversation around, you know, how’s this affecting end users? How do we educate the end users so they’re part of the equation, not just something. They have to deal with, you know, a lot of it people, you know, tend to wanna put the technology and not really think about the end users, unfortunately.

Neal: That’s funny. Yeah I worked in the OT side of the world a little bit too, and it. It’s interesting to come across the IT people like you mentioned, who don’t really understand what they’re actually supposed to be providing which is access you know, availability versus other stuff. Anyway Elliot, I’m gonna throw back over to you.

Elliot: Yeah. So let’s get into some of those most critical questions about zero trust in general. So I know we had sort of jumped into this a little bit in the past, but you know, just as the rawest form, how would you actually define Zero Trust today? If someone came up to you and said, I want to adopt it?

Usually it’d probably come in the form of they think it’s a product, or maybe they think it’s checkbox. But you know, in your mind, how would you.

Chris Reinhold: I kind of describe it, right, And you’re right. Your people think it’s, you know, a set of technologies where, hey, I pull this toolkit and I click these buttons. And album zero Trust I kind of really described to, to clients I work with. It’s a way of. , right? It’s a way of thinking about your environment, and it’s really saying, what scenarios am I willing to support for people access services that I’m providing with the organization?

How do I verify that is the scenario that I’m gonna allow, and how do I make sure that, you know, if there’s something that changes as part of that scenario, I can immediately identify that and remediate that issue. So I really think about it as, how do I think about Zero Trust, right? It’s all about, as I kind of mentioned that first is, Understanding what you’re trying to do with the service you’re providing, Identifying the scenarios and make sure those scenarios are secure.

And that’s why a lot of clients, you know, it’s kind of interesting. Clients have come Oh, we’re not ready for zero trust, we’re not ready for the certification. Don’t worry about it. It’s a way you think about it, right? And it’s how we think as our team goes out and works our clients. It’s not something we kind of do a tagline and say, you know, we’re gonna implement zero trust.

It’s just the way our team thinks of that when we work with our clients, how we approach.

Elliot: Yeah, I think that’s a wonderful way to approach it. I think there’s just a lot of ingrained notions that come along with our space where. You know, obviously cloud, that’s very much a product driven concept. If you’re looking at SOAR or automation a lot of these kind of buzzy terms are relevant to some sort of piece of technology.

Or maybe it could be like a process thing. But yeah it absolutely is just ingrained in our industry where if we are using a new term it is either some sort of process or technology based thing and there’s not a whole lot in between. So I think for Neil and I in particular, that’s why we’ve kind of dug into this and why there’s so many different flavors for every single you know, group or person that we chat with.

It just, you know, it’s gonna change and I think that actually is fine. I don’t think that we need like a proper, unified definition of what this looks like. As long as we know people start to navigate a way that this is not about technology. It’s about, you know, building a baseline from zero or something to that.

Neal: I think Chris made a good mention at the beginning of this when we asked, when I talking about certifications versus not right, and data standards. You know, Chris, you mentioned in, in a roundabout way that at the end of the day should be incumbent upon the industry vertical that you’re trying to be compliant with and secure within to kind of help define and shape what it means to be.

Zero trust within like the healthcare industry or the financial services. Cause what thresholds that a customer is willing to put up with in, in a banking environment is not the same as what one might be willing to put up with when they go get their medical records to take to a doctor. Right.

Different thresholds of experience and expectation. So kind of thinking about the roundabout way of you go to a conference right now and to Elliot’s point, there’s zero trust over everything. Right. . So I think it’s incumbent upon us to help people understand that, you know, just because blank company says zero trust, they’re that what they really mean is they’re doing the same thing with new names.

Yes. It is technically still zero trust by what definitions we currently have. But don’t just go out and buy it because it says zero trust on the package, on the printing.

Chris Reinhold: I think that the good thing about Zero Trust, what’s help highlight, right, and is. , you can’t focus on one thing. Right. And as we go back to, I mean, legacy infrastructure, legacy it days, right? Was the network. That was everything. I had a firewall that was my protection. Barry.

Everybody focused on the firewall and assumed everything was okay on side because the mock firewall’s good. I think today was zero. It’s trust, but it’s really, Brought about is this, it’s actually different parts of it, right? I can’t solve all my problems with just one of those areas. I can’t just be identity, It can’t just be workstations.

I’ve gotta include all these conversations together. So it’s really what I’m seeing is organizations having to really say, Okay, now I got, I really gotta talk to the workstation guys. Make sure we understand what we’re doing right? If they say that’s compliant, I need to understand it’s compliance. So, When I build my zero trust policy or build my Azure directory conditional access policy, I can say, Yep, I know it’s a compliant device cuz this is why, this is, why this device, or you know, what data am I going against?

Right? Is this sensitive data? So let’s define the data, right? No one ever talks about is this public data, It doesn’t matter what everybody can access it. Or is this highly confidential data that this release could cause financial harm to the organization? There’s different policies there and different tools you bring to play.

And I think that’s where I’ve seen zero trust. Aid us in that conversation is, you know, all these e even though you go and everybody’s got kind of different variation, what’s kind of common is they’re talking about different areas. You know, bringing those areas together to bring that cohesive solution together versus the it, the workstation guys do their own thing and they go apply the N principles and so forth where we’re done.

You know, we don’t have to talk to the identity guys. Well, that’s only part of the equation,

Elliot: Absolutely agree with that one. So I think if we’re looking at bridging from definitions, Kind of splitting our different flavors. I’m curious on your side of the house, so no one just kinda understands Zero trust, obviously there’s a lot of critical resources out there cist. But you know, how do you wrap your head around that?

Because obviously you are being, you know, brought into the equation for how do we bring this to an organization multiple times? But yeah, how do you wrap your head around what Zero Trust is and then how do you convey that back out to.

Can be as simple as just resources that you kind of get started with.

Chris Reinhold: yeah. That’s where, I guess that’s where our governments come risk and fine team comes in. Very helpful, right? They help us understand what’s important, what needs to be in place. Because it, you know, part of their function is also looking at the security methodologies they’re implementing. Are they implementing nist?

Are they implementing other frameworks? And how do we bring that together in part of that conversation, you know, our team members are very familiar with various those frameworks so they understand what’s in those frameworks and definitely have conversations around that. But that really helps us align the organization why we’re doing this and applying the right principles in the right places.

So that’s, you know, I would say that goes back to reason why we’re starting to bring in the GRC team in more often is to really help us define and make sure. We’re focusing the right thing. Cause those policies, those regulations, those frameworks change all the time. So it’s, you know, I don’t sit there unfortunately, read ’em all day long and, you know, it’s my favorite thing to do on a nice Saturday night, sit down by the fire and arena, a compliance policy.

But this team is involved with it. Plus they’re seeing, again, from their perspective, they’re seeing across industry too. So if a hospital organization’s implementing certain policies, they know that, hey, we need to look at this at other organizations. Make sure we see alignment. Through all those

Elliot: Yeah. I’ll be honest, I don’t think that many people that we’ve had conversations with have really aligned around the compliance aspects of this. So I work in that world right now, so I totally understand that is just like baseline materials for organizations. So it’s kinda interesting that it’s just not like a repetitive concept that

Chris Reinhold: No, and I think a lot of clients do too, right? And the word I hate to hear, right? When I go into the client, well just do what’s best practices. And I said, First of all, let’s get the first, let’s established. There is no best practices. I have recommendations, and it’s based on your organization, how you’ve, how you need to apply those policies in your organization and how you manage a, you know, the requirements around those regulations and policies you’re supposed to follow, that is what I’m gonna be helping you with, right?

It’s not, I’ve got my toolkit, here’s my power shell script and I come in and you know, two seconds, I’ve got you zero trust cuz that’s what’s best for you. There is no best practice. And that’s something we’ve, even internally with core bts, we’ve started removing that term. We don’t do best practice, we do what’s recommended for you in your industry,

Neal: Amen to that. I ain’t got much else to add to that statement. That’s awesome.

Elliot: No, I, I. I mean, I think that’s what everyone’s hoping eventually will be tied to the next, you know, cyber security related buzz. Where it is, it’ll be that silver bullet. But I mean, anyone that’s ever spent, you know, five minutes in this space, there’s no such thing as that silver bullet. There’s no magical solution that you can just follow the rails and it’ll solve all of your issues.

But yeah, I think every single episode, I don’t care if we have to hammer this into people as head you know, it’s just, there’s I fully agree. There’s no such thing as really best practices. Every organization’s different. They all have different technology and being able to map things even.

The compliance framework level makes sense where, you know, you align it and you customize it towards your, to your needs, and we just need to continue to communicate that.

Chris Reinhold: I think the other thing, the organizations don’t take in consideration the best practices. The other thing I always have to kind of dive into is exceptions, right? There’s always gonna be exceptions. So plan for it the way we go, for example, the conditional access policies and Azure directory, we are assuming it in exception.

So let’s build it in. So as long as you get a process to request an exception, manage that exception, then assistants should be able to respond to that. What you don’t wanna have is exception becomes the norm. And that’s where we try to work to get to that point. But I think that’s what also challenges people when it comes to zero trust, is it’s gotta be zero trust.

I can’t do anything and it’s gotta be this hard cover, right? I put around, there’s no way to, well, I need to do this for business purposes. So what’s the exception process?

Neal: Yeah, I think that’s the hard part, right? You’re trying to build these policies and procedures these workflows to be zero trust. But in all fairness, at the end of the day, there’s always, more than likely, at least on a current tech stack, going to be at least a few things that are gonna have exceptions to that capability.

And they’re gonna require that other additional layer of monitoring within the team to make sure that everything’s good to. You can’t go and tell the CEO that you know, he’s gotta use eight different ways to log in now, and that he can only log in from this laptop between the hours of eight and five.

And God forbid the man gets on a plane to go to Singapore for a conference and then you tell him, Nope, sorry, you’re completely geo bound. Good luck.

Chris Reinhold: That’s right.

Neal: Yeah. Always exceptions, unfortunately, to every security implementation, no matter what you do. There are definitely ways to minimize that impact.

Elliot: with zero trust and obviously there is a technology component especially cuz we’re seeing a lot of startups rally around concepts. So, be it zero trust, network access or something to that degree.

What are your thoughts on the necessity that comes along with integrations into existing tools and whatnot? I feel like that is an area that seems to hang out on the side where we’re seeing a lot of really cool concepts come out of startups and a lot of VC dollars are fueling it.

But, you know, where is your head as far as the necessary integrations and how important an organization should I guess look at tools that have those kind of integr.

Chris Reinhold: As far as integration. So you’re looking at integration with whether tool sets, right? As we’re kind of gathering here or,

Elliot: Yeah, exactly. So making any, be any of the primary stuff that you use now. So Cisco, Microsoft.

Chris Reinhold: It’s important to have that integration in place and that’s why I kind of talked about, you know, a lot of times organizations, they took a look at that tool and you know, they’re taking only look a part of their environment. That’s why I kind of talk about, you know, we still have to deal with on-premises.

A lot of people think about Zero Trust. They’re thinking about the cloud. . That’s why in our organization we take a look at what are you doing on-premises, right? How do we start integrating those tools with on-premises? Can we provide additional information that helps us make decisions? So we do look for solutions that help us to kind of address all those frameworks or all those areas, I should say, Oh, a solution.

And make sure that we’re not leading something that’s. Not being monitored is the best way to describe it, but not being part of that zero trust equation. You know, as an example of today, you know, when we go and do active directory work, you know, active directory is kind. Where everything starts. You know, we work with clients to deploy the Microsoft tools that are able to identify potential threats in that active directory.

Cuz you know it, you see a lot of things in Azure. You see a lot of events, you see a lot of technology there. But if I’m not understanding what’s going on with my active directory, that can be a open area that allows a person that’s malicious in nature or maybe even accidental, create a lot of damage within the organization.

So when I look at tool sets there, I try to look at is it addressing all those area. Are we missing in areas? And what are tools actually? What are tools maybe we need to bring into that conversation with a client to make sure that we do have a good coverage of all those areas so we understand what can we trust Is really what you get down to.

Zero trust. I gotta trust it. Right? So you start with this idea too. I don’t trust anything. So how do I start establishing trust? And it’s okay, do I trust my HR team to hire a person correctly? Well, hopefully, yes. Can I trust the data outta the HR system that goes my active directory? And then you kind of go down the road there.

Sure. Establishing that. You know, that kind of chain of trust.

Elliot: Wow. I wish I asked that earlier because I guess. Aspects of third party vendor management and security reviews is always a fun can of worms crack open. But with that said, I think we’ll save that for another episode. But that’s quite alright, . So with that being said, yeah, exactly. Yeah.

So with that being said Chris, absolutely thrilled that you were able to join and share some of your expertise here. So I think we’re gonna getting to wrap up this episode. So thank you so much for bringing some visibility into what you all are doing at Core PTs and just kind of, some of these other aspects that Neil and I have been kinda wonder about.

Everything from on-prem aspects of zero trust to pen testing. So you have finally checked some of those boxes for us.

Chris Reinhold: Well, thank you and thank you for having me.

Neal: Appreciate your time. Like I said, this great conversation, so thank you and hopefully Ellie can find time to have you back again. I mean, we all know Ellie, it’s the brain’s mind in the operation, so let’s get straight to that one. But yeah, hopefully we can get you back again.

Or maybe, Ellie, this might be a good preface for us to finally do like a legit panel of some sort, like an extended like hour and a half. Chat like this format, but, you know,

Elliot: Yeah.

Neal: That’d be fun. I’d love to have Chris back on that if we get to there. So,

Elliot: Yeah, I think we can set up a format that’s a little less interrogation style.

Chris Reinhold: can compare and contrast approaches

Elliot: Yeah. Perfect.

Neal: Awesome

Elliot: well, thank you so much.

Chris Reinhold: Thank you.

*** This is a Security Bloggers Network syndicated blog from Adopting Zero Trust authored by Elliot Volkman. Read the original post at: https://www.adoptingzerotrust.com/p/adopting-zero-trust-with-chris-reinhold