SBN

Adopting Zero Trust With Ismael Valenzuela

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google.

This week we chat with Ismael Valenzuela, VP of Threat Intel at BlackBerry and a 13-year SANS instructor, who has balanced his time between educator and practitioner for decades. Before peppering Ismael with our usual questions and falling down the rabbit hole, we dug a bit deeper into his background and what drives him to split his time between educating peers and working for some of the biggest names in tech.

For most (maybe just Elliot), you’d imagine it was the mission: the idea of helping people better understand how to protect their data, finances, and privacy, or actively doing it for them. Though that is partially accurate, Ismael is driven by a sense of curiosity, a common attribute shared by some of the most intelligent practitioners, who constantly hunger to learn more about our space.

This week we talk about Zero Trust as a philosophy, why Less Trust is a more applicable term, and the need for a threat model to narrow down your protect surface. As a side note, Ismael also just published a new post highlighting findings from BlackBerry’s new global threat intel report. The team will also discuss these findings today (Jan 26) on LinkedIn live.

Editor’s Notes

Before we dig in, Neal and I want to thank those of you who tuned in for season one, and even more so the amazing guests that helped make it happen. Next week we will showcase our new format, where we bring our first technology vendor into the mix; to balance things out, we are also bringing back a crowd-favorite guest, Andrew Abel. Check back in two weeks for that episode to drop. Lastly, I was having some audio issues halfway through, so it’s not you.

Now, onto the recap.

Key Takeaways

  • Zero Trust is about reducing, not removing, implicit trust [Ref]

  • A key Zero Trust goal should be reducing implicit trust over time

  • Defense in depth is a tactic that can be deployed alongside Zero Trust

  • You can’t defend everything; you need a threat model to decide what to protect first [Ref]

Reduction is Reality, Elimination is a Pipe Dream

Throughout this episode, one thing was made clear: Zero Trust is a strategy for reducing risk, not eliminating it. Prevention is part of the picture, but so is detecting and responding quickly to whatever prevention misses. To stay grounded in reality, there should never be an assumption of full elimination, full prevention, or a finish line.

This is to say that Zero Trust isn’t the best terminology; Less Trust is closer to reality. Unfortunately, that’s not quite as buzzy, and it would make a terrible podcast name.

According to Valenzuela, the philosophy behind Zero Trust is based on constant verification. In practice, this comes in the form of:

  1. Continuous monitoring of how data is accessed

  2. Which users (and which accounts) are accessing the data

  3. The context around that access: device, location, time, and whether the access fits the user’s normal behavior

  4. Based on the above, detecting anomalies and responding quickly enough to limit the impact

So, where does an organization start? Identify the areas with the most implicit trust and start reducing it there. Valenzuela points to the metaphorical crown jewels (the data most important to the organization), to accounts with more privilege than they need (his example is a SQL service running as domain admin), and to assets that are considered protected simply because they sit behind the firewall.
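As an added illustration of the verification loop above (this is example code written for this recap, not code from the episode or from BlackBerry), the following toy policy decision point evaluates every request against who is asking, what they are asking for, and the context of the request. Being on the corporate network grants nothing by itself; context and a per-user baseline can only make a decision stricter. A second function lists granted privileges that were never exercised, which is one concrete way to find standing privilege to reduce over time. All resources, roles, users, baselines and requests are constructed sample data.

```python
"""Added example (not from the original post): a toy Zero Trust policy
decision point plus a standing-privilege audit over constructed sample data."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    device_managed: bool   # endpoint is enrolled and reporting healthy posture
    mfa: bool              # session carries a recent strong authentication
    src_network: str       # "corp", "vpn" or "internet"
    hour: int              # local hour of day, 0-23


# Constructed sample data: resource classification and role-based grants.
RESOURCE_SENSITIVITY = {"wiki": "low", "crm": "medium", "payroll-db": "high"}
ROLE_PERMS = {
    "analyst": {"wiki": {"read"}, "crm": {"read"}},
    "dba": {"wiki": {"read"}, "crm": {"read", "write"},
            "payroll-db": {"read", "write"}},
}
USER_ROLES = {"alice": "analyst", "bob": "dba"}
# Constructed per-user baseline: networks and working hours seen in the past.
BASELINE = {
    "alice": {"networks": {"corp", "vpn"}, "hours": (7, 19)},
    "bob": {"networks": {"corp"}, "hours": (8, 18)},
}


def decide(req, baseline=BASELINE):
    """Return (decision, reasons); decision is "allow", "step_up" or "deny".

    Authorization is role-based. Context and baseline signals never loosen
    the result; "behind the firewall" is not a reason to allow anything.
    """
    role = USER_ROLES.get(req.user)
    if role is None:
        return "deny", ["unknown user"]
    if req.action not in ROLE_PERMS.get(role, {}).get(req.resource, set()):
        return "deny", [f"role {role} has no {req.action} on {req.resource}"]

    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, "high")  # unknown = high
    if sensitivity == "high" and not req.device_managed:
        return "deny", ["high-sensitivity resource from unmanaged device"]

    signals = []
    if sensitivity != "low" and not req.mfa:
        signals.append("no recent MFA")
    b = baseline.get(req.user, {})
    if req.src_network not in b.get("networks", set()):
        signals.append(f"unusual network {req.src_network}")
    lo, hi = b.get("hours", (0, 23))
    if not lo <= req.hour <= hi:
        signals.append(f"unusual hour {req.hour:02d}:00")

    if not signals:
        return "allow", []
    # Anomalous access to the crown jewels is refused and left for a human;
    # elsewhere the user is challenged (step-up auth) rather than blocked.
    return ("deny" if sensitivity == "high" else "step_up"), signals


def unused_privileges(requests, baseline=BASELINE):
    """Granted (user, resource, action) tuples never exercised in the observed
    requests: candidates for reducing standing privilege over time."""
    used = {(r.user, r.resource, r.action) for r in requests
            if decide(r, baseline)[0] == "allow"}
    granted = {(u, res, act) for u, role in USER_ROLES.items()
               for res, acts in ROLE_PERMS[role].items() for act in acts}
    return sorted(granted - used)


# Constructed sample traffic.
SAMPLE = [
    AccessRequest("alice", "wiki", "read", True, False, "corp", 10),
    AccessRequest("alice", "crm", "read", True, True, "vpn", 9),
    AccessRequest("alice", "payroll-db", "read", True, True, "corp", 9),    # not her role
    AccessRequest("bob", "payroll-db", "read", True, True, "corp", 11),
    AccessRequest("bob", "payroll-db", "write", True, True, "internet", 3),  # off-baseline
    AccessRequest("bob", "payroll-db", "read", False, True, "corp", 11),    # unmanaged device
    AccessRequest("bob", "crm", "write", True, False, "corp", 12),          # no MFA
]

if __name__ == "__main__":
    tally = Counter()
    for r in SAMPLE:
        decision, why = decide(r)
        tally[decision] += 1
        print(f"{decision:8} {r.user:6} {r.action:5} {r.resource:11} {'; '.join(why)}")
    print("decisions:", dict(tally))
    print("unused standing privileges:", unused_privileges(SAMPLE))
```

Running the script denies the off-hours write to the payroll database from the internet even though the user is authorized for it, steps up the CRM write that lacks MFA, and reports that bob’s write grant on payroll-db was never used in the sample, which is exactly the kind of implicit trust the episode suggests trimming first.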

Weekly Zero Trust Headlines and News

Most of the content written about Zero Trust is opinion-based, but here are some impactful news items from the past couple of weeks.

Dishonorable Headline of the Week

We won’t link to the press release or call them out directly, but the headline below encapsulates a lot of what drives negative perceptions around Zero Trust. The resulting press coverage at least toned it down.

[COMPANY] Just Solved Zero Trust with One Line of Code

Episode Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello everyone and welcome to, actually, season two of Adopting Zero Trust, or AZT as we have come to know it. This season, or actually this year, we’re going to change things up a little bit. So last season we made it pretty clear that Zero Trust is by no means a technological solution, even though cybersecurity very much loves to relate it to that.

This year we’re going to hone in on a few different things, since we’ve kind of nailed that and stuck it in the ground. We’re going to talk to educators, practitioners, different organizations, and basically tie in those practitioners and vendors that were missing from the equation in our previous season.

So to kick things off, we have, as per usual, a wonderful guest, someone that actually checks all of these boxes for us. So I’m gonna just kind of go right into this: Ismael Valenzuela. He is the VP of threat intel for BlackBerry. He has been a SANS instructor for more than a decade. And beyond that, he has been a practitioner and an instructor, and covered anything from what was once information security into the world of cybersecurity.

And I guess now we’ve bridged into the world of zero trust. So that’s my rambling aside. I’m going to actually do a quick handoff to Neal to reintroduce himself, and then we’re gonna actually give the keys to the castle to our wonderful guest.

Neal: Awesome. First off, Ismael, welcome to this podcast. Thank you for taking time out to come join us. Looking forward to the next 45 minutes, to an hour, to four hours, whatever we end up going down with your rabbit hole availability. But that being said, Neal Dennis once again, threat intel analyst by trade, practitioner for a while, both military and post-military stuff.

Been doing this stuff for, I think this is the start of year 23-ish for me, 22, 23 in some way or another. Linguist and some other weird stuff all mixed in there, ELINT, all sorts of weirdness in my background that makes for fun conversation pieces over lots of beers out of the SCIF, obviously.

But once again, thank you again and looking forward to this conversation and kicking off the year here with you in particular and seeing how we go. So thank you.

Ismael Valenzuela: Thank you guys for having me. Yeah.

Elliot: Excellent. You know, I gave a quick rundown of your LinkedIn profile, which is a pretty good touchpoint of what you’re doing today, but can you give us a little bit of background on what led you to be both a practitioner and an educator, and why you feel, you know, I mean, that alone, being a practitioner, is obviously a bit time consuming.

But why are you also, you know, sharing and splitting your time between that and educating others?

Ismael Valenzuela: That’s a good question. And sometimes I wonder that myself, especially before I start a class, you know, on a Monday morning, early Monday morning, or even like Sunday, usually Sunday night, heading out somewhere as well, like really far away, you know, from home and the family and your cozy place, and then going somewhere where

you know, you have to just present in front of a lot of people for quite some time. But I think the reason for me to do that is what happens not at the beginning of the training session, but at the end of that session. And I’m pretty sure that you have felt that before as well, right?

When you’re presenting or teaching something and somebody walks up to you at the end of, in this case, a six-day class, because it’s a lot of time, and somebody walks up to you or writes in an evaluation: Wow, this really changed, you know, what I’ve been doing. This changed my career.

I’m going to be able to do my job much better now. Or you talk to people that, after you’ve taught a class for some time, they come back to you and they say, look, this helped me to, you know, get a promotion. It helped me to, you know, achieve things that I hadn’t achieved before.

And that gives you a feeling of reward, right? So it’s not that much about the technical pieces, as you were saying before. It’s about how you can influence others to do a better job or to defend their organizations better.

Elliot: Interesting. So if you don’t mind, I’d like to make an assumption here, and maybe it aligns with the reason why I’m still in the cybersecurity world too. But it sounds like the mission around supporting and helping others is pretty integrated. Is that possibly related to why you are in it, why you went from information security into threat intelligence, and, I guess, your state as a practitioner today?

Ismael Valenzuela: Obviously the mission is very important, right? But the truth is that, you know, you can help people in many other ways, even on a daily basis with simple things that don’t necessarily have to be like cybersecurity, right? But I think that, in general, what got me started in cybersecurity was curiosity, and I think that is something that is probably common to everybody that started in this field, at least back in the day.

Right. When, Neal, you were saying 23 years ago, I was thinking, wow, that was about the same time I started, you know, doing this. And I think it’s about curiosity. We didn’t know what it was. We just started to play with technology and found things that worked in a way that they were not supposed to work.

Like, why is this happening? Oh, you know, like somebody could take advantage of this. And one thing led to the other. Another thing, specifically with cyber threat intelligence: I feel that throughout my career I’ve been going back and forth between one aspect of, or one field within, cybersecurity to another one.

It’s all related, like, you know, zero trust, threat intelligence, incident response, even the, you know, the world of forensics, attack and defense. All of this is related. So if you spend quite some time in security and you’re curious as I am, inevitably you end up, you know, going into different fields at different times in your career.

Neal: I will be very upfront and honest. My step into this world was not out of curiosity. It was out of a desire to not be stuck at a desk at NSA for longer than I had to between deployments. It then became a curiosity path, to be fair. So I think that’s a very fair statement. I think the people who stick around the longest and/or are more productive in the early years in particular are those who are willing to ask the questions why and how and all the other fun stuff, right?

And chase the rabbits down the holes, you know, respectfully, in what they’re trying to get answered. And then, you know, giving back, whether it’s a podcast or whether it’s education through something larger like SANS, or whether it’s, you know, just answering the right email. Those are the steps that people who have been here long enough understand we need to take to help get the next people who are gonna be here for 20, 30 years up to snuff, so we don’t have to be here for another 20 years.

Hopefully

Ismael Valenzuela: Exactly. Yeah. Mentoring, you know, that’s something I enjoy with the little time that we have. But, you know, every now and then mentoring somebody. I’m doing that right now with somebody that’s not affiliated with any of the companies that I work with or the organizations that I work with, and

just like somebody reaching out right through LinkedIn: Hey, can you help me? I don’t know what to do, right? I know where I wanna get to, but I don’t know how to get there. And obviously, you know, we cannot do this with everybody. But every now and then helping somebody to at least, you know, give them some direction, that’s also a positive experience.

Elliot: That’s amazing. So I don’t want to pull us too far away from this. In fact, I’d like us to further dig into it, but to properly set us off, I feel like we should maybe talk a little bit about the elephant in the room, which is always zero trust. To put things into context, I’d love to just ask the basic question that we’ve gotta ask everyone: what do you feel, or how do you feel, that Zero Trust is defined?

Ismael Valenzuela: I think, let’s start by saying what it is not, right? I think Zero Trust is not a product, despite what many intend to convey, right? It’s not a product, it’s not a one-point-in-time solution. Unfortunately, it’s becoming a buzzword, but I think little by little we’re starting to define more clearly what it is.

And with the help of NIST, you know, recently, in the last few days, there’s been a new set of documents, very well detailed documents on how to implement zero trust architectures, with some particular examples that help to convey the idea that Zero Trust is a strategy. It’s a way of thinking, right?

And it’s not too far away from other things that we have discussed in the past. You know, defense in depth, least privilege, all of these, you know, things that people that have been in the industry for quite a long time have heard, and we’ve, you know, preached about this, and it’s essentially the same idea, but obviously

technology changes, the needs change, the way we’re accessing, you know, data and applications is changing as well. So we need to continuously refine these concepts. But it’s a concept. It’s a strategy.

Elliot: I love it. That is music to my ears.

Neal: Yeah, I think that’s nail on the head with pretty much the consensus from what we talked about at, you know, last year’s round. I think most people that are paying attention agree that the term is just a term. The concepts at the core have really been around for a while. It’s just putting a larger wrapper around them to more conceptualize this as the next phase of what it means to be secure.

Elliot: Absolutely. So obviously removal of implicit trust is one of those core elements. But I actually want to pose a kind of confusing question, perhaps, mostly for my own selfish nature. I’ve been working on a research report that digs into the whole concept of trust. Though when you go to a conference, RSA, Gartner, zero trust is absolutely everywhere.

Some organizations have trust everywhere. If you are removing implicit trust, and for the purpose and context of everyone that is listening, obviously zero trust does not mean no trust. It just means you have a baseline of zero and you build trust. But in your mind, how does an organization who is trying to pursue zero trust concepts and remove implicit trust actually find ways and pathways to building it?

Ismael Valenzuela: You know, that’s a very good question. I’m glad we have four hours ahead of us to answer that. So let me just start by saying that you’re right: it’s reducing implicit trust. I’m not saying removing implicit trust, but reducing implicit trust, because that’s essentially what we can do, right?

I’m gonna get philosophical here. You know, big warning. I always say that security is not digital. It’s not zero or one, a hundred or zero, right? Going back to the digital analogy, I always say that security is more like, any of you guys play an instrument, or a guitar?

Elliot: Poorly, but yes.

Ismael Valenzuela: Then we’re all on the same page. And, you know, I have here in my basement a bunch of amps with a lot of, you know, knobs. I feel that security is more like that. You’re always adjusting a bunch of knobs. You’re never gonna be at the perfect, you know, peak, the perfect sound. Everything, you know, things are changing constantly.

You always have to tune and to adjust. And in the same way that we’re never gonna say that something is a hundred percent protected, because we have already assumed, you know, that we do risk management, there’s no such thing as no risk or a hundred percent protected. Therefore, just the term zero trust in itself

seems like [inaudible] to me, right? Because there’s no such thing as zero trust. We can have less implicit trust. And I think that’s actually the objective of the whole, you know, philosophy or strategy of zero trust: reducing implicit trust over time. And that is a journey, right? So, to your question, how can a company start implementing this?

Easier said than done, right? It’s easier to say this than to actually implement it. But the idea is to start looking at places where we may have too much implicit trust and start reducing it. You can start looking at, what’s your most valuable data? Where is it? And, you know, we usually say the crown jewels.

Some people just hate this term. But essentially, the data that matters the most to your business. Where do you have users that maybe have too much privilege? And we can start looking at privileged users in your Active Directory, you know, across your cloud, and start reducing the amount of implicit trust that you already have in them just because they’re your employees, for example.

Oh, I know them, right? But you don’t know who’s actually abusing those credentials to access the data. Therefore, can we implement less trust, right? Or just based on the location of a specific asset. Oh, that’s behind the firewall, right? Don’t worry, it’s protected. How many times have we heard that? Oh, but it’s running as domain admin.

This SQL service, you know, running as domain admin, and ah, don’t worry, it’s behind the firewall. Those are places where we have too much implicit trust based on wrong assumptions, and where we could look at, you know, implementing less trust.

Neal: So from a layered approach, obviously, like we’ve talked about, you mentioned earlier, you know, defense in depth kind of strategies, right? So I think from a zero trust perspective, to that point, defense in depth still has to be taken into account. And there are always exceptions to every policy, no matter how good the policy may be. Everybody’s got something where they’re like, eh, this really can’t do that, for whatever their rationale may be.

But to your point, you know, reviewing architecture, looking at some of those things where we really didn’t even take the first step of defense in depth the right way, let alone a Zero Trust model, and maybe starting to apply that construct a little more wholeheartedly as a first step, perhaps, right?

Like look at defense in depth and then look at the zero trust mentality and what that brings to bear as my thought, as kind of a stepped approach if you haven’t already done so.

Ismael Valenzuela: That’s a good approach. And if you look at the documents, you know, again, coming from the US government, they start to acknowledge this: that zero trust is not about, like, okay, throw away everything you have and then start from scratch. Obviously, if you have a greenfield project, let’s say, you know, some sort of cloud infrastructure, a new application, it sounds great.

You know, you want to start with that foundation. But in most cases, if you have a hybrid architecture, you have on-prem architecture, you will have to start with what you have. And so how do you incorporate, you know, the next-gen firewalls that you have in your environment into this zero trust architecture, or

things like intrusion detection systems, intrusion prevention systems, controls that we already have on the endpoint, EPP, EDR? How do you incorporate all of this to achieve these security outcomes? That’s actually what my class is focused on, not so much on, you know, new fancy products, but more on how do you leverage what you have, what you’ve already paid for, to implement this.

Call it a journey, right? This journey towards zero trust, a journey that will never end, by the way, right? We will never achieve a state where we say, you know what? I achieved zero trust. Just give me my cert, my certification. Which, by the way, I see it coming. Somebody’s gonna come up with something like that, right?

But that’s another story.

Neal: No, it’s worth it. Keep the crying. It’s a good punctuation to the statements made. And that being said, though, in the true sense, early on in that topic there you mentioned something around, you know, these hybrid workforce, or not workforce, apologies, hybrid infrastructure, right?

So cloud versus on-prem versus whatever the heck’s going on in someone’s closet, right? Regardless, there is a larger push towards, quote unquote, cloud-based infrastructure for traditional enterprises who normally did a lot of stuff on-prem. And coming from a company now who does both cloud services as well as on-prem solutions for our product offering, it’s one of those things where the bulk of this is being pushed towards a cloud-based solution in general.

And then, I think, to elaborate a little bit more, that brings with it a whole wonderfully more complicated approach to what Zero Trust means, as well as the rest of the defense in depth strategies and things like that, right? Because now you as a service provider have more onus on the zero trust structure, and that goes in because you’re no longer just responsible for the vulnerabilities in your product.

You’re now responsible for the entire potential exploit path from the AWS server, even though they’re ultimately responsible for their own. But it’s your stuff on an AWS server, all the way down to the bill of materials, down to what you’re using, right? So I don’t know what your kind of thought flow is

on zero trust onus and how people can kind of think about it from, you know, where they should be asking certain questions of their vendors versus where they should be looking to take more blatant ownership of that process flow. And then the last nugget of that: you also mentioned certificates and stuff like that.

I would love to harp on the fact about my opinion that it’s coming, but it’s a bad idea. 

Ismael Valenzuela: Yeah. Two big questions there. Let’s start with the whole cloud and ownership and responsibility. I mean, definitely one of the things you cannot transfer the responsibility of is, you know, the responsibility you have towards your stakeholders, your customers, your users as a business, right?

I mean, yes, you may have an agreement with AWS, with Microsoft Azure, whatever. But at the end of the day, you are responsible, you know, liable, to your users and to your customers. And one of the things that, I think people realize more about that now, but at the beginning, especially when we said, oh, let’s move to the cloud, right?

Yes, it’s cheaper, right? Yes. Maybe not now. Maybe it’s not as cheap as we thought it was. Second, oh, somebody’s gonna manage everything for me. That’s great, right? But then we went back to the level of visibility that we had back in the eighties, where we didn’t have much visibility. And it’s funny because, for example, going back to the government, the US government has been trying to implement continuous diagnostics and mitigation, right?

CDM, for so long, which is based on continuous monitoring, visibility, logging, analytics. And what I get from talking to some people when we talk about zero trust is that, oh, it’s prevention, right? We’re going to prevent all bad things from happening. And no. If you actually look at the philosophy behind Zero Trust, we’re trying to essentially monitor everything. We’re gonna be, yes, implementing less trust.

By doing that, we may prevent certain bad things from happening in the first place, but what we’re essentially doing is we’re gonna continuously monitor how users are accessing data, what’s the context around that access, and then we’re going to detect anomalies and respond to that fast enough so we can prevent a bigger impact, right?

A bigger impact at the end of the day. So let’s go back to what we have been discussing for many years. That’s just shortening detection and reaction time. So what we’re saying is, yes, we’re gonna protect certain things, but then we’re gonna invest a lot in behavioral analytics, in monitoring, maybe the next gen of intrusion detection systems, if you want.

So detection is super important. And what type of, I mean, detection is built on visibility. If we don’t have visibility, we cannot have good detection. So just by saying, oh, we’re gonna do everything cloud-based, it doesn’t necessarily enable that. It actually opens up other questions, like, who’s gonna be doing that monitoring for you?

A lot of people are quickly realizing that enabling logging in the cloud is expensive, and if you enable those logs, what are you gonna do with those logs? Oh, I wanna bring them to my SIEM. Yes. So more money, right? Good luck with getting all those logs into on-prem. No, you’re gonna, you know, keep those logs in the cloud, because that’s what makes sense.

And, you know, cloud providers have, at the end of the day, set up everything so you end up relying on their services for that monitoring. So that, again, adds an additional cost. In general, these capabilities that we have in the cloud make implementing zero trust easier, but also add additional, you know, costs related to this.

And it also depends on whether you have infrastructure as a service or, you know, SaaS, software as a service. It makes a huge difference in what you will be able to monitor and what you’ll be able to do.

Neal: Yeah, those are definitely fair points on that front. So I think this thankfully bridges into the second part of the question here, which is, when we think about ownership and onus and all this other stuff and where things are going currently, most of the vendor space product offerings are software as a service, things of that nature.

Nobody out there is really saying, hey, look at us, we’ve adopted Zero Trust, right? I know there’s a few service companies that have, but by and large, the only ones really speaking to Zero Trust are the ones that are trying to get you to be zero trust and pay them to do it. So you have the service companies, you know, professional services, and the product offerings in and of themselves that are zero trust solutions, right?

So moving that forward, this year in particular, and maybe out to, you know, 2024 included, in the next two years, how important do you think it is for one, something to certify a vendor or SaaS or some other company, that they can have some kind of approved standard outside of just NIST, that they can say, look, we’ve gone through the rigorous road, this is where we’re at and this is where we’re improving constantly, like SOC 2 Type 2 kind of compliance and efforts like that.

And then do you think within the next year to two years it would be a very important thing for SaaS companies and others that aren’t producing the product but are needing to become compliant with the mentality to jump on board with some kind of standardized solution and compliance?

Ismael Valenzuela: I think it’s gonna be hard for anyone to say, oh, this is zero trust approved. Because, as we said before, it’s such a large concept that anything can go in there. Going back to something Elliot mentioned before, I remember going to RSA this year and there was a vendor talking about zero trust passwords. It’s like, wow, my head is exploding, right? What does that mean? So when a vendor says this is zero trust, what do you mean? What do you do? Explain to me more. And unless I can see that in some sort of an architectural diagram, I can see, you know, the flows, the capabilities and how that integrates with other things,

it’s gonna be hard to say, oh, okay, yeah, this fits within a zero trust architecture. So I think that the closest thing to that is what I’ve seen lately, again, in the latest documents from NIST, where they’re saying, look, none of these products that we’re featuring here are the zero trust,

but this is an example of a zero trust solution. And I think that’s a lot more than what we have seen for the last few years, where, you know, zero trust was something super abstract. And as long as we see more of that, and I think I agree with you, Neal, that should come especially from MITRE, from NIST, from Des,

from, you know, ENISA in Europe, and other countries, you know, same thing as Australia with the Australian directorate. Examples of vendor-agnostic implementations where we can see how identity management fits with, you know, traditional perimeter devices, with the use of, you know, intrusion detection or intrusion prevention systems, with endpoint security, EPP, EDR, how all of this comes together. And with the exception of maybe a few, a handful of vendors that may own most of the Zero Trust spectrum, and, you know, there’s very few vendors that actually have everything from identity management to all these policy enforcement points across network, endpoint, applications, with the exception of a few of these, the rest of the vendors out there only own a little piece of the puzzle. So it’s gonna be a lot about integration, and we may go back to a discussion of things that we have, you know, discussed in the past. How are these solutions going to change to exchange data between them to enable these types of security outcomes, to shorten, you know, detection and response?

There’s gonna be a lot of, you know, normalization, a lot of correlation to be able to enable these types of detections, to be able to orchestrate a response, right?

Neal: So it’s almost like the industry needs an open source data standard to rely upon, maybe, to kind of help move forward.

Ismael Valenzuela: And again, that’s where, you know, MITRE, of course, we have, talking about threat intelligence, we have STIX, TAXII, you know, these types of protocols and languages. All of these things help, and we may see more of this normalization and standardization in the coming years to facilitate this.

And in the past there have been a lot of, you know, initiatives from big companies. I worked for, you know, one of them for a long time. But usually it’s like three, four vendors. They get together and they say, okay, we’re gonna build this ecosystem. We’re gonna exchange information in this particular way using this platform,

Neal: Yep.

Ismael Valenzuela: but only those companies will adopt it.

Not everybody else out there.

Neal: Yeah, no. So that’s a slight tangent. Good point. You’ve got the Cloud Security Alliance, you’ve got the, what’s the other one? Open Cloud, OC

Elliot: Is it Open OASIS or something?

Neal: OASIS.

Elliot: Yeah, OASIS. Sorry.

Neal: The thing for STIX, TAXII, now moved away from MITRE. But yeah, to that point though, you know, we have, I think this is the big problem though, is we do have a lot of bigger companies that just kind of come together because, we’re the big four in cloud, so why don’t we do our own thing?

And then, unfortunately, nothing really trickles down to the smaller entities that would benefit greatly from that collective defense mentality that they bring to bear. But that being said, industry standards, data standards for sharing. I’m glad you mentioned STIX, because that was where I was unintentionally teeing off as a data standard.

But yeah, I do foresee, to your point, that it is a little difficult getting people together to say what that looks like. And so hopefully, you know, to that, being able to share the right input at the right pace, and having this interconnectivity across multiple tooling offerings, multiple asset types from different vendor spaces, is a very key thing.

And at the very least, having a tool intermediary that understands how to do that dialogue just, you know, by proxy. So like orchestration, automation tools, decoupled from the SOAR side of the fence, as they should be, in my opinion. Because they can do a lot more than just incident response flow. They can do a lot of things to help bridge that gap, I think.

I don’t know if you have any particular flavor insights on that take, on the business side and where, you know, leveraging the automation outside of just the heuristic nature of identifying a threat, but leveraging automation to help with the identity and access management and all the other things. I think that brings back implied trust to at least one particular aspect of the tooling, but helps remove it from a lot of other things, potentially.

Ismael Valenzuela: yeah, I’m a big fan of orchestration automation tools. But, you know, u usually something I’ve a, again, this is not something new, right? I’ve worked in a stock for a long time and I’ve been using, you know, automation orchestration tools, but I usually set this. . Just because you do something faster, you’re not gonna do it better.

In other words, if your process is bad, you know it’s crappy, and you do it just faster, guess what’s gonna happen? It’s not gonna get worse. If anything, it’s gonna, it’s not gonna get better, right? It’s gonna be, sorry, it’s gonna get worse, if I can speak today. Just because you do it faster. So same thing. Nobody can tell for you what is important to your business. What are the logs that you really need to look at? What are the assets where you need to have more visibility? There’s still a need for doing all those things, that kind of, you know, assessment, that kind of threat model. To be able to enable those logs, enable the visibility on the high value assets, on activity for high value users, and to be able to focus on detecting anomalies for those. And that’s where, you know, automation tools can help, analytics. And the orchestration is gonna be very important to create that agnostic layer where you now go and enforce policies as close to the data as possible. Could be endpoints, right? Could be network segments, could be applications. Even implementing new policies when you are in the middle of an incident, right? Maybe increasing the level of logging while you’re investigating an incident.

And you think that the attacker’s on the network, right? Or it’s, you know, accessing some valuable data, and then going back to a normal state of logging. Orchestration is gonna be super important for all of that.

Neal: So I just realized that we’re already like 10 minutes away from close time. But I want to ask one more question before I let Elliot.

Ismael Valenzuela: these four hours went really fast.

Neal: I know. I will say real quick, I don’t personally have a firm stop at 4:30, so, depending on where y’all are at, I’m for once in my life actually good to keep going, if we wanted to. That being said though, I did have kind of a follow up question then on all of this. So we’ve talked about, you know, the technology stack a little bit. We talked about cloud and hybrid dynamic for deployment, infrastructure and all that fun stuff. A little bit about the orchestration automation to some extent, and my, I guess my personal wham bam question to you is, if you have any thoughts on what do you think’s going to be,

or what really should be, in theory, the most complicated, outside of the human aspect, of getting towards a more zero trust mentality. Like where do you feel like, when we think about, it’s an always improving process, but there’s always gonna be something in this loop that we have to consider that has an implied trust mechanic behind it, outside of you and me.

Where do you think that might end up lying? Or where do you think the more difficult aspect of that’s gonna be to get towards this?

Ismael Valenzuela: It’s a very good question. I think I’m gonna go back to critical security control number one. Know your assets, right? Know what you have. If you look at all of these recommendations coming from D and how to implement zero trust, first thing is identify your data, right? Who’s accessing the data, how the data flows across your environment. That’s big. You know, you need to identify also users, who’s accessing what, and then create correlations, detections, analytics around who is accessing the data from what type of device. What’s the context around that? You need to have at least an asset inventory. You need to know what you have

and what it is. And even though that seems simple, I think all of us, we know that in large environments, sometimes even in smaller environments, it’s a challenge. That’s why there’s been some companies that have also been coming up in the last few years that are going back to the asset management solution to try to help companies figure out where the valuables are.

I think that’s gonna remain one of the biggest challenges.

Neal: I completely agree. And I feel like this entire conversation has just been you reading off of the notes for the answers I was hoping to get. So thank you for being in sync here.

Ismael Valenzuela: We didn’t prepare this, I can tell you. Like I jumped in here, you know, knowing what you were going to ask. So

Neal: You’re good. This is good stuff. I think it’s the intel analyst mentality. We’ve been there, done that a little bit more than some others, and avenues of approach. That being mentioned though, I spot on agree. I think identifying assets isn’t always, to me, will always be the biggest crux of anything in the security world.

You know, whether it’s some kind of IoT or control systems environment, especially with the new, you know, internet of things in general construct. But whether it’s ICS/SCADA, whether it’s traditional IT versus OT networks, there’s always someone somewhere that decides it’s a great idea to leave a random port open on a physical device that they

thought would make their job less complicated, or enable wifi on, pick something that’s out in the field, because they didn’t wanna get out of their truck or whatever that may be. Those are all the little pieces that are always going to be persistent and consistent across, I think, any enterprise network, any solution that you have out there deployed.

And I do feel there are some tools that, you know, we went through this device management access, or rather this device discovery phase, for the general IT environment about maybe 10, 15 years ago, where that was the big thing: hey, let me help you find everything on your network. And those companies are still around and refining, but now we’ve got the same thing for the OT and control system side of the house as a whole, whether it’s medical devices, whether it’s,

you know, energy devices, things like that, that have now kind of been around for about four or five years as a hardcore construct. But they’re there for a reason, because it’s an ever-present, omnipresent issue. So yeah, spot on. I think that’s a good take. You know, you’re never gonna probably find everything, as much as you hope you do; the moment you do, there’s more crap that just came online.

Ismael Valenzuela: And I’ll give you just some examples. During the last year, we’ve seen incidents with, you know, ransomware that came up from somebody connecting a VMware Horizon machine to the internet just temporarily, because I need to get updates, right? And this machine was not connected to the internet, but I’m just gonna expose it there just for a few seconds, right?

Until we get all these updates. Guess what? Everybody’s scanning the internet. Guys, like, don’t do this at home, right? Everybody’s scanning everything, and all you need is just that little window of opportunity for that asset to get compromised, you know. From there, they installed the payload and they moved laterally.

And, you know, they started to ransom everything. And of course the attackers love to ransom VMware servers because with one single server you get, you know, to create a lot of havoc. But yeah. And the other thing is related to that. You know, I know this, I can open another can of worms, but supply chain attacks: if you don’t know what you have, how are you gonna mitigate that?

Neal: Yeah. I think that’s probably slightly the one good thing that came out of the pipeline deal, right? Was that kind of congressional executive order mandate for bill of materials. Bill of sale materials, right. I am slightly against and slightly for, I guess, in some aspects of that requirement from critical infrastructure in particular.

If it stays in critical infrastructure, cool. If it migrates down to other things as a requirement, then I get a little testy here on what that looks like, personally. But, you know, being able to, as a SaaS company of any sort, or whatever you’re providing back as a service, being able to understand just your own bill of materials at any point in time, and then have that down to the granularity of even the firmware that’s running on each of those particular aspects of the data, right?

That goes back to asset discovery, in my opinion, and how we need to drive down. You’re never probably ever gonna get it completely. But at least having understanding when, pick a CPE, gets listed and then the CVE may or may not come up afterwards. And being able to track that down, right down to the, you know, the DLL even at some layer, right?

And being able to pivot through that, through your infrastructure, is very key in my mind.

Ismael Valenzuela: And I think that’s the goal. We just said there we’re never gonna be perfect at this. Like, for how long have we been talking about patching? I mean, it’s probably the most boring subject ever, you know, but it’s part of basic security, and good security is boring. It is what it is.

And no company, you know, out there can ever say, oh, we got patching down to a hundred percent all the time and I’m doing this perfectly. So same thing with everything. Asset discovery. Therefore, we’re never gonna be able to say, oh, we have, you know, full zero trust implementation. Let’s move on.

Now I can go and play golf, right? All day long. I don’t have to worry about my infrastructure. Sure, yeah, that’s cool in an ad, but we know it’s not real life.

Neal: That’s a fair point. I think one of the things, real quick, that I’m getting excited about now in the market space, when we talk about asset discovery, there’s these companies that have done really good jobs, especially on the control system side, at helping you do that without knocking the network.

And then on the IT side, like I mentioned before, you know, we’ve kind of been attempting to do that now as a service for at least 15 plus years as a standardized service offering. But the other piece I’m excited about now is firmware: research, discovery of vulnerabilities and service offerings at that more granular level. That’s kind of been a new up and coming fun topic for both control systems and the IT side of the house as well, where, you know, we’ve had a lot of people who understand standardized packages of things.

You know, if it’s an AMD chipset, what does that look like? If it’s Intel, blah, blah, blah, you know, the typical things we see in a laptop or a desktop get a lot of love, especially at the firmware level. When we start talking out of bounds of those things, you know, what is Juniper putting in their product, whether it’s cloud-based or still a physical device?

All those things are still grossly missing on that firmware discovery aspect, right. So once again, asset discovery, but at the firmware level, and being able to tie that into a larger picture of, you know, your architecture. Because just because, on the physical device, you’ve locked it down to some kind of authenticated path to one other device and that’s it,

you know, the vulnerabilities might still be there at the firmware that still allow someone to come in and do other things, and people don’t pay enough attention at that microcosm level. So there’s some new up and coming companies that I think, especially on the OT side, are striving to do exactly that,

and give you that bill of materials once again for even the firmware layer, and allow you to pivot through those discoveries to see where that DLL or whatever it may be lives in the rest of your architecture. So anyway, something I’m excited for. I like seeing that stuff.

Ismael Valenzuela: You know, as you’re speaking, I’m thinking about analogies, right? I just think that way, and I’m thinking like, how, you know, people are now more conscious about what you put in your body, right? What you eat, like you want to eat, like, you know, clean foods, organic stuff. But are we conscious about what we put on our network, right?

Physical devices, products, software that we install, you know, what are the components? What’s the attack surface, right? How can that change your risk posture? Is that making me more vulnerable to supply chain attacks? So I think there’s gonna be a lot more attention into that space.

You know, product security testing, being able to know your dependencies and know what you have, right? Which is much more than just scanning your network, or scanning assets, or listing users, or...

Neal: So I think, back on the full throttle zero trust thought flow here around supply chain risk. If we think back to everybody’s favorite supply chain issue, SolarWinds, you know, what had happened with that and the way the updates made it into the product right there. Some funky things with permissions and access controls, right?

So if we think about it from a service provider perspective, I think some kind of layer around at least the identity access management piece for zero trust in that solution probably would’ve stopped that threat in its tracks, or at least identified it a lot sooner, at the very least in my mind. I know there was a lot more going on than just simple access controls, but, you know, anyway. So I think, to your point, supply chain risk, you,

you gotta start somewhere. And knowing that your third party assets at least have some construct. To kind of wrap this back around to my SaaS certification question: knowing that your service providers are at least finally taking ownership of the zero trust mentality, standardizing a little bit, and then also supporting some kind of zero trust discussion flow between what they’re providing and what you’re trying to do to further secure assets, or update even.

Ismael Valenzuela: Absolutely. And as we said before, it’s not just about the prevention, right? We’re never going to be, you know, preventing all of these things from happening. So even if something like that happened, which could have been mitigated in various ways, including not having, you know, systems like that connected to the internet. Why should we go into, back to the reducing implicit trust:

Why should these key servers have continuous access to the internet for outbound connections? Right. That’s one thing. The other thing is, even if there’s a malicious activity on that system, now being able to reduce the possibility of lateral movement through segmentation at various layers, the ability to identify an abnormal, you know, connection, or somebody knocking on a closed door, being able to react to that fast enough.

So I go back to one of my favorite topics, which is time-based security and, you know, shortening detection and reaction time. Which is effective. It’s an effective way of doing cyber defense.

Elliot: Excellent. So I do not want to open up the biggest part of the can of worms, which is pretty easy for us to go to. I’ll definitely be asking you to join for this topic. But with that caveat in mind, I want to tie two pieces together, from your educator background and your threat intel background. I think one thing that I’ve not really heard too much, and we certainly haven’t asked on our shows, is that Zero Trust is more aligned with maybe like prevention or proactive measures. But as a threat intel practitioner, emerging threats are obviously a huge concern. Maybe not as big of a concern as what some organizations would like to overblow.

That’s just how, you know, we sell more products. Sure. Whatnot. But in regards to zero trust and emerging threats, more specifically threat intelligence. Where do you feel threat intelligence plays a critical role in maybe alignment with zero trust? And I know it’s kind of like a rambling abstract question, but I feel like there, yeah.

To sum it up, essentially, you know, where does threat intel really play a critical role in reduction of, like, emerging threats?

Neal: We gotta give Elliot at least one good one.

Ismael Valenzuela: That’s a very good question, and I’m gonna say the same thing I said to Neal before, it’s like, it feels like you’re reading, you know, my mind, my answers ahead of time. And again, we didn’t synchronize on questions before, so this is totally, you know, unexpected. So it’s funny you mentioned that, because the way I start my zero trust, well, it’s a cyber defense, defensive security architecture class, and you know, it’s a journey towards zero trust. So how you implement zero trust in this way, as a journey. And the first exercise we do is actually threat modeling with MITRE ATT&CK. So if you think about it, threat modeling helps you to focus on the threats that are more likely to cause an impact in your organization.

If you look at, for example, all the threat actors out there, what’s the likelihood that you will see any of them in your environment? Now, of course we have, you know, APTs, the nation states. We have all these groups. Yeah, the fancy stuff, which most people will not see on their network. But we also have cyber criminals.

And now we also have, you know, the combination of both, and you know, all these initial access brokers that are going to be just accessing the network first and then giving the keys to somebody else for them to access your environment. But as I always say, you cannot defend everything, right?

You cannot defend all your assets. You have to have a threat model. So if you’re in healthcare, what are the threat actors that are most likely to cause an impact in your organization? And you may say it doesn’t really make a difference to me because it’s a hospital. I don’t really care whether it’s Iran or China or Russia, or a group of cyber criminals called, you know, Monti.

All I care about is the impact. True? But if you know who is already targeting the healthcare industry today, and you know the weapons they’re using, you know how they’re behaving, you will have a bigger chance of focusing on detecting these behaviors and reacting to that, because you cannot defend everything, right?

And you cannot defend against every single threat out there. Going back to analogies, we do this on a daily basis, right? You’re gonna jump in the car and you look at the temperature. I don’t know where you’re living, but I live in the Northeast, right? It could be rain, it could be sleet, it could be snow, it could be a lot of different things.

And based on that, I may change my behavior, right? I may not go out, or I may just, you know, drive the car that has the winter tires, or like, you know, things like that. We need to change our threat, our behavior, based on the threat model. And that’s what intelligence gives you, right? It’s not about knowing whether it’s Russia or China, it’s about what is most likely to affect my organization,

so you can focus, as a defender, my efforts on those behaviors and those weapons.

Elliot: Excellent. Yeah, so realistically, I mean, that does align very well with that proactive state which Zero Trust as a philosophy pushes people towards, so that makes sense to me.

Neal: Yeah, I’m slow clapping as you were talking about, you know, why should we care about threat actors and who was doing what and... I mean, that is the statement of the day for me: we should, simply because it helps us prioritize more. But back to MITRE ATT&CK in general, you know, it’s a twofold framework, right?

It initialized against figuring out where your gaps are on what you’re seeing in your environment from a threat perspective, and then leveraged to produce fingerprints on what threat actors are doing as a secondary impact of what that framework brought to bear. And both exceedingly well played and placed in the right places nowadays moving forward.

But yeah, I mean, threat actor awareness, and not just saying this cuz we’re intel analysts by trade, but saying this because we’re guys who’ve had to go out and figure out how to rack and stack priorities. And at the end of the day, understanding your threat landscape and what’s attempting to get into your fence is an exceedingly important aspect of being able to whittle away at the layers of what’s important versus what’s not.

And you can’t, in my opinion, can’t do that without understanding who the threat actors are, at least the constructs of what they’re trying to do against you. You don’t need to go and name it, you know, George in Puerto Rico and Ivy in Germany. You just need to know that there’s a consistent, persistent group of some sort that leverages X, Y, and Z toolings every time they do this.

Right? And I think that’s probably where people miss out: they think they’ve gotta put a face to the impact. No, you need to understand the tooling of the faces that are using it, and understand that it is a concerted effort targeting you with a predefined set of tooling, and then that helps you rack and stack what comes next from where you need to impact your security stack.

Sorry,

Ismael Valenzuela: So

Neal: Whole nother conversation. Tangent. Sorry. No.

Ismael Valenzuela: Yeah, no. I was gonna say that, to finalize the thought of the process, right? So we start with the profiling. Okay, these are the threat actors, this is how they behave. We map it to the MITRE ATT&CK matrix, we use Navigator. And then you start saying, okay, out of the, I don’t know, 200 or 300 TTPs that are in the ATT&CK matrix, let’s focus on the ones that are most common to all of these threat actors that are targeting the healthcare industry.

So we go from 300 possible, you know, behaviors or techniques to something like a top 20. All right, let’s start with this. Yes, you may also worry about the other ones, but let’s start with this, because you know these are being used against you. Now you can translate that into active countermeasures, right?

Or passive countermeasures. For example, in order to detect this type of behavior, what’s the logging, what’s the visibility you need to enable? I need to have these PowerShell logs, right? Or I need to have NetFlow data, or I need to have these, or I need to have... Now you can start building your defensive playbook based on, you know, what’s required to have visibility and to have detection for these techniques.

And that maps to the zero trust model. Cause again, it’s about shortening detection and reaction time. If you’re able to detect that somebody is going to do lateral, trying to do lateral movement. Okay. What’s the reaction? Now you’re going to take that, you’re going to orchestrate based on the policy enforcement points that you have, so it all ties back to your threat model.

Elliot: I think we just got our first panel idea for the season. We need to focus on emerging threats and how it applies to zero trust.

Neal: Yeah, I think it’d be a fun one.

Ismael Valenzuela: look,

Elliot: Excellent. 

Neal: One of the firmware analysis companies into that, to take their perspective on that granular level too. That’d be kind of fun, and how they identify things before. Preemptive identification of vulnerabilities that don’t make it into the CVEs or even the CPE level, because most of these companies are microcosm providers of services to larger companies.

And this goes back to asset awareness, right? And you’ve got all these tiny companies that build like a single chip or a single transistor or a single program into a larger subset of data, and they’re all like, we’re not vulnerable because AMD’s using it. So if they’re the ones that are vulnerable, but then you run it and you realize it is your DLL that’s actually exploitable, and not something that the other people put in.

Anyway, wonderfully different discussion topic, but I think that’d be fun to have as well. 

Elliot: With that said, really appreciate you joining us. We are top of the hour, so we won’t bug you too much with our interrogation skills. But thank you so much for providing some insight. Having both a practitioner and an educator come in and be able to share some of that, I guess, zero trust journey with us is just

something that we’ve been missing. But to Neal’s point, yeah, we are absolutely going to have to bug you again and bring together a panel focused on some emerging threats and whatnot. I feel like that is definitely a piece of the puzzle that we haven’t really covered in the past. But otherwise, thank you so much.

We really appreciate you joining us.

Ismael Valenzuela: Thank you so much to both of you. I really had a lot of fun, you know, talking to you today. So it didn’t feel like an interrogation at all. It felt like a really nice conversation with friends.

Neal: I gotta work on my technique here a little bit more. No, thank you once again. I appreciate it.

Ismael Valenzuela: Thank you.

*** This is a Security Bloggers Network syndicated blog from Adopting Zero Trust authored by Elliot Volkman. Read the original post at: https://www.adoptingzerotrust.com/p/adopting-zero-trust-with-ismael-valenzuela