Zero Trust, Mapped and Matured
Season Three · Episode 8

Zero Trust pioneers John Kindervag and Dr. Chase Cunningham reunite to reflect on the strategy’s evolution from bold idea to global imperative. They break down why better maps, graphing, and AI are key to stopping attackers — and why Zero Trust is no longer just a security issue, but a leadership one.

Transcript

Raghu N  00:12

Welcome back, everyone, to this very special episode of The Segment. Well, every episode is special, but this one is even doubly so, because we are joined by two luminaries of the Zero Trust world. In the red corner, we have John Kindervag, the Godfather of Zero Trust. In the blue corner, we have Chase Cunningham, the Dr. Zero Trust. And I remember Chase saying to me, “Hey, well, I got to Forrester, and I inherited someone else's baby, and that parent of that baby was John.” And he was like, “What do I do with it? And how do I how do I rear this baby?” Well, I think I hope they both feel that the baby is growing up and sort of probably turning into a troublesome but maturing…  

Chase Cunningham  

Angry, angry teenager.  

Raghu N  

So it gives me great pleasure to have both these wonderful gentlemen…

John Kindervag  00:59

Do we have to share college expenses? Are you going to pick that up?

Chase Cunningham  01:02

No, I think, yeah, we should have started a 529, a while ago.

John Kindervag  01:06

Okay. Well, maybe your GI Bill. We can get your GI Bill.  

Raghu N  01:12

John, Chase, welcome again to The Segment. Our first return guests. How are you both?

Chase Cunningham  01:20

Good, good. I'm in Maryland, so, yeah, it's I'd rather not be here, but Maryland's

John Kindervag  01:26

Maryland, and I'm home in Dallas, and I'd rather be here than very nice.  

Chase Cunningham  01:31

I'd rather be at John's house too. Yeah, yeah.

Raghu N  01:34

All right, all right. So where we you both have everyone knows you both have been essential individuals and actually sort of collaborators in the development and adoption of Zero Trust. So let's start there. Let's talk about where you feel Zero Trust is at today compared to where you maybe hoped it was when you kind of first started working on it. Chase, I'm going to give you first go at this. What do you think?

Chase Cunningham  02:02

Oh, all right, well, so I think, I think ZT is in a really interesting spot. I mean, I do think we've crossed the chasm on the doubters. I mean, the haterade still flows everywhere, but that's just how people are on the internet. I mean, the fact that I'm, you know, able to get invited to go do ZT workshops. I'm going to Mexico City next week. I was in Switzerland. I'm going back to Switzerland. I was in Cartagena, Colombia twice, and see or Taiwan twice this year. So, like, the global nature of this is getting bigger. I think John, you know, John was just over in Europe doing ZT stuff. So it's, it's where it is. The government's cut big checks for it. I think all signs point to positive stuff for ZT, in my opinion.

John Kindervag  02:46

Well, I never thought it would be to this place. So this is amazing to me, right? I mean, I think there were my first speech that I did at one of the Forrester security and risk events were there were 14 people in it. And so it wasn't like it took the world by storm, and I had a whole lot of people tell me I was a complete idiot. It would never go anywhere. Quit doing it. You're a fool. Those, those were the nice comments. So I'm always amazed. But you know, you have to have, you can't do this on your own. You have to have a group of people who have your back and help you out. And I mean, Chase, I've known for a long, long time, and he's been one of the primary guys. And if you want to have a guy have your back, have a guy who's a six-foot-four, ex Special Operations, communications dude who is six-foot-five. Sorry, I apologize.

Chase Cunningham  03:43

Why you're making me short. Man, yeah.

John Kindervag  03:47

And so, you know, you want that kind of person who has a strong opinion, we've got a great ecosystem of people who just keep marching along, and we're all kind of heading towards the same North Star. So, you know, there's a lot of room for different ways of accomplishing a single goal when that single, single goal is to prevent data breaches and stop cyberattacks from being successful. And when you have that, and when you understand what you need to protect, you can, you know, you can cast a wide net and bring lots of people into it, and they can benefit from it, and they can make careers and companies and products. And so I would say overall, overall it has to be rated as success.

Raghu N  04:34

Awesome! So, I mean that that's kind of like, uh, positive scores from both of you. And in fact, I think the first time I saw Chase in person was at a gym at a hotel, and I sort of quickly moved to a different corner of the room, because, because clearly, he and I were lifting weights at different sorts of orders of magnitude. When you’re both at events, and you're at Zero Trust events, and you have vendors presenting on Zero Trust, or partners presenting on Zero Trust, or customers. So what's your reaction? Do you look at that and say, Oh, no, no, no, no, that's all wrong. That's not what I kind of sort of had laid it out to be. Or do you say, actually, this is just continued validation of things I put in place, and I just want to encourage them to do more of this. Like, what's your perspective? John?

John Kindervag  05:19

Well, I mean, you know, they say all publicity is good publicity. So that's one thing also, even bad marketing is a force multiplier for marketing, right? Because people hear about it. So I think, you know, kind of eventually, when people, if there is something that is pretty wonky, eventually that kind of tires out. And people come back to people like me and Chase and George Finney and other people and go, “Hey, that person said this. Could you give me, you know, expand on that?” And so, it's pretty easy then for to get them turned heading the right way.  

Raghu N  05:55

George Finney—we had him on Season One of the segments, so we need to have the three of you here next time. Chase right on continued on the theme of positive reinforcement around Zero Trust. What's been the most impressive Zero Trust deployment that you've been part of or witnessed?

Chase Cunningham  06:15

I mean, the ones that I've valued the most have been the pro bono small business, stuff that I've just been blessed enough to help with, like, I just worked with old folks on where my dad is actually because he's got dementia. Helped them set up a ZT infrastructure for their networks, because old people get phished all the time. But we took the little bit of money that they had and we invested in a ZT build, and I don't have to worry about my dad and all the other old people that are there getting phished which, to me, is great, like, I like enterprises, enterprise, and they got plenty of money, and they'll do their things. I’m not really losing sleep over whether an enterprise is getting breached, because, Lord knows, that's the thing. But for me, if you ask me, like, what you know, what I feel is rewarding is when I am lucky enough, blessed enough, to be able to help those small businesses and the people that can't afford it, and we put ZT in place, and then I don't have to worry about them. They're good, they're up there, they're doing those things. And only other tangent to that I don't think people are giving enough credence to nowadays is it's not typically the mega enterprises they're breaching, you know, kind of breaching themselves. They're getting breached by former vendors, third parties, and SMBs. Continue to go after the whales, but the whales are not necessarily the totality of the problem. It's everybody else that didn't ever get security.

Raghu N  07:30

It's that whole supply chain problem, right? We need to be increasingly focused on it, John, what's the most impressive or well-thought-out Zero Trust implementation you've been part of?

John Kindervag  07:42

Oh, man. I mean, I've had the good fortune to be involved in some really incredible stuff. But I think the things that are most gratifying or impressive when somebody who's outside of it, who's a leader, becomes the champion and drives the process. So I can think of a couple of examples. One was doing a workshop a number of years ago, and everybody was like, “Why is the Chief Legal Officer of this entire Fortune 500 company in this technology workshop?” And at the end of it, he stood up and he said, “You know, I've been trying to figure out how to secure our intellectual property, because we make X 100 millions of dollars on patents, and I'm worried about stealing our IP. And this first time anybody's given me an idea of how we might protect that. So I'm going to be the champion of this project.” And it moved much faster when he was the champion than when, like the manager of IT was the champion, right? And a similar thing happened at a manufacturing plant, manufacturing company, again, a Global Fortune 100 where they had manufacturing machines that were run off of PLCs, programmable logic controllers that ran on Windows XP and could never be upgraded into a different operating system because the PLCs weren't made anymore, and so it would be a billion dollars to change them out, and I showed them how they could put that in a micro perimeter and control it and, you know, have the security that they theoretically would have gotten with an upgrade of an OS, although I think that's kind of dubious, but still, they got enhanced security. And the executive VP of manufacturing became the champion of that. He understood it. And then, most recently, I was talking to a three-star Air Force General, and did a workshop and for him, or more of a briefing. 
But it was still pretty extensive, and he just said, “Thank you for explaining this in a way that I can understand because people have been talking to me about this for a long time, and I could never make heads or tails of it.” And so just being able to communicate to those leaders is very gratifying, because they're the people who have the power to get things done right. They're the grand strategic actors. And so, when the message resonates up to that level. That's gratifying.

Raghu N  10:22

Yeah, and I think what you said there, right? And you and I were at an event recently, and it's like the technical community, the security community, are, by and large, sort of, they acknowledge the benefits, they understand the benefits. And the question now is that, how do I communicate this, and how do I engage the stakeholders, the business application owners, et cetera? Because I realized that I need to bring them on this journey in order for this to be successful in this beyond, I mean, we all know that security is not just a technology problem, but absolutely like the Zero Trust of executing that strategy in any organization is absolutely no longer a Zero Trust problem. Chase, what's kind of your perspective on that.

Chase Cunningham  11:02

I mean, I enjoy it. Now, I used to get a little bit kind of amped up when somebody would send the DM or whatever bashing the ZT strategy. And now I actually enjoy it, because I just go, okay, cool. There's one more slow gazelle that will feed the lions. It's, I mean, we've kind of reached the zombie herd sort of space here, like if you decide that you're going to trip and tie your shoes when the zombies are coming after you, I'll just laugh and run away. I'm not going to sit there and try and drag you up. I don't think the market and the people that actually are engaged in doing stuff that matters have the time to waste trying to convince other people that there's a better way to do this if you doubt it, and if you think that it's a bunch of marketing fluff and whatever else, please continue to engage in the failed practices of the last 30 years, because we need folks to slow down the lions and the zombies and that that's, you know, it's, it's kind of hard to hear, but I, I'm not wasting my time anymore trying to convince people that this is where they need to go. There's an entire globe of people that's engaged and are doing this, you know, drink your hate or eat all you want, but...

John Kindervag  12:06

Well, and there's a whole group of people who are fighting the fight on that perspective, against those people. So, I got a message this weekend from a guy I know, who said somebody had made some derogatory comments about Zero Trust in me. Personally, I never saw him. He told me about him. Thanks, no, but he was like he said, but I think he's really mad at me for my comment back, but I'm going to, you know, I'm not going to stop. And so you have these advocates for you and for the idea who just have seen it work, and go, No, quit. Quit being quit the haterade. I like that. I've never heard that. Is that something you coined, or is that,

Chase Cunningham  12:52

I mean, haterade, it’s a thing I guess, you know.  

John Kindervag  12:55

Well, you're so much hipper than me, so I guess…

Chase Cunningham  12:59

That's a low bar. I'm just saying.  

Raghu N  13:01

I mean, haterade, if I say it in my accent, it doesn't really sound anywhere near as cool as when Chase says it. So

Chase Cunningham  13:07

Sounds more formal when you say it.  

Raghu N  13:11

So you talk about slow gazelle, or the ones, or sort of those that we kind of need to leave for the zombies to attack and capture them. Are you concerned? Chase, John, but Chase, go, you. One of the first things to go to is that when we look at the number of organizations that continue to be impacted by cyberattacks, and the significant and what seems to be increasing disruption that those attacks are creating, that, yes, people are adopting, but the adoption isn't fast enough. Isn't pervasive enough that we're that this is still very much the game in which attackers have the overwhelming upper hand. I

Chase Cunningham  13:53

mean, I think, I think the truth of the matter is we're never going to be totally ahead of the threat. And that's a misconception that people need to adopt. That's why, when John was talking about accept breach and those things, to me, it made a lot of sense, because it was like, you're, you know, you're, you're always going to be in a state where you're trying to keep up with the adversaries, because they don't play by the rules. They don't have compliance checklists. They're willing to shotgun stuff out and just kind of see what works. They don't have to do any of the things on the other side of the coin. So I I'm not concerned about it. I always tell people when I do workshops like that, I'm aware of the risk and the threat, but I'm not concerned. You know that I would be concerned if I wasn't prepared for it, and if I wasn't dealing with the state of reality, and if I didn't have a plan of action. And I think that that is, that's where people should focus more. You know, the market likes to push a lot of like fear, uncertainty and doubt, which is a marketing tactic. But, I mean, the truth of the matter is, we are, we are always ice skating uphill, and progress is progress. Is progress. Yeah.

John Kindervag  14:55

I mean, I think, you know, there's a certain where. Awareness versus having your head in the sand right? My pinned tweet is still and I don't use Twitter, or it's called X now, I guess that tells you how far behind I am, but is, you know, most people have hope as their risk mitigation strategy. They hope nothing bad will happen to them. And we have to remember that hackers don't have change control, so they're always so manual. We're always so manual in our processes, and they're highly automated. So when I was with you recently in the UK, I got to give a speech at Bletchley Park, which was pretty amazing. Didn't you think that that was a pretty amazing place? That's amazing. And in Bletchley Park, they have The Bombe, the machine that Alan Turing built to defeat the Nazi Enigma code. And I've always been inspired by that line from the movie The Imitation Game: What if only a machine can defeat another machine? And I finally got to say that line in Bletchley Park, which was cool, but it's such a big idea that we have to understand that we need to build machines to defeat the other machines. You know, people talk about people, process, and technology, and I've come to believe that it's technology, process, and then maybe people, that people are kind of getting in the way of the problem and creating the problem, not much of a solving of it. So the more we can build the machine, use computational power, whether we call that AI, whether we call that graph databases or security graphs, whatever we were talking about here, those computational tools are the things that we need to get the information so that we're prepared and that we can respond in ways that haven't been possible in the past.  

Raghu N  16:43

So John, you kind of talk about security graphs, right? And Chase, you've got a brand-new book out at the moment, Think Like an Attacker: Why Security Graphs Are the Next Frontier of Threat Detection Response. And those of you who are watching this on the video version will see John holding up what I hope is a signed copy of this.

John Kindervag  17:05

No, no, this is an unsigned copy that I bought off Amazon.

Raghu N  17:10

He made you pay for it. That's Chase. Well,

John Kindervag  17:14

you know, I wanted to find him and his wife dinner because they're friends of mine, so I bought a copy of his book so that he could,

Raghu N  17:22

I hope he's pricing. I hope he's pricing

Chase Cunningham  17:24

it, yes, and then we get a Chick-fil-A now.

Raghu N  17:27

So Chase, let's kind of take it down to basics. What's a security graph?

Chase Cunningham  17:33

I mean, the graph side is really where we were doing this, and I wrote about it in the book. And I think this is super applicable, is we were doing graph analytics. I would call it back when I was active duty, and I wrote about it in the book, because what, what the value proposition there is, is being able to see what's going on and understand the relationships and know the connections, and then be able to plot, plan scheme, to employ controls. And just to give you an idea of how valuable that can be in the context of a kind of combat space, which cyberspace is as a combat space, when the invasion first took place in Iraq, and operations were just kind of haphazard, right? You were trying to find adversaries and go do the things that you need to do, and you know, control the space, where they were lucky if they could do five, six, like successful operations a month. Fast forward to when we move towards this graph model with real intelligence analysis and fusion cells, and understanding the totality of the threats, the risk, and the interconnected nature, and all those things, they were doing 300 missions a month. So those types of things make a huge change in your ability to actually enforce controls and understand the contextual problem and networks are, they're very ethereal, right? It's hard for me to sit here right now and just picture in my head what's going on inside of my infrastructure. If I can graph it, and I can see it, and I can figure out what talks what, I can really, literally begin to plan my approach, and that's game-changing. I've been an advocate for this since I came out of the military, and I'm glad to see that some companies are actually making it possible for everybody to do graphing.

Raghu N  19:08

Yeah, and I think that that it's that perspective that you have, and that is much closer to matching what is really happening, versus just a sort of tabular perspective on what is happening in your environment, right? And that's kind of moving the needle forward. Is that, is that sort of a good way to think about it? Chase?

Chase Cunningham  19:29

I mean, it's, it's the difference between, I would almost say, like trying to plan and implement a strategy with blindfolds on, and then all of a sudden, somebody takes the blindfolds on and turns off the lights and puts it on a big screen in front of you, and you can go, oh, okay, there. And you know, we always talk about this concept too, in military and warfare circles of contested space, and this is something John's talked about as well. Like there are things that I must accept I will never be able to fix or control, but as long as I can keep my eyes on. Contested space and understand what avenues of in and out and east and west actually provide assets to contested space. I have control over it, and this, you know, this is the difference, especially for like an enterprise or government or state and local, those types of things, there's force multiplier capabilities. And it's not a lie for me to say, like, I have personally seen this type of thing be a force multiplier in live environments like that's what people need to take away. That's why I got the opportunity to write a book about I was like, Yeah, let's do this.

Raghu N  20:33

Yeah, awesome, John, put this in the context of Zero Trust, right? And I know you, often speak about the sort of the five steps to Zero Trust. How does a security graph help with that?  

John Kindervag  20:50

Yeah, the security graph is the technology that gives us the maps we use in step two of map the transaction flow, and it also gives us, because that's so tied into step one, define the Protect surface, so that we can understand what's happening. We use the maps there that were created by the graph databases, and defining the edges and the nodes and all that kind of stuff. And then out of that we can go to step three, which is define the architecture, and by having a map, we can have the architecture. Step four is policy, so we can see how the policy is being enforced. And step five, monitor and maintain, we can see what we're doing better, so it gives you visualization. In fact, I just did a LinkedIn Live with a mutual friend of ours, Clint Bruce, who's a well-known Navy SEAL. And Clint, I actually got introduced to him by Chase, and it was called “Zero Trust Terrain and Holding the High Ground: Why Cybersecurity Needs Better Cartographers.” And this comes back to something that Clint always says that he, you know, his favorite weapon in combat was a map, because there's two things you can be: wrong and lost, and he will tell you that he's been both, and he will then make fun of his map reading skills and his navigation skills. But you know, it's better to be lost, or it's it sucks to be both, but if you have a map right, you may be lost, but you can look at the map and you won't be wrong anymore. And so I was talking to him about this, and I said, “Man, it seems like, you know, the map maker is a pretty important person in the military.” And he was saying, “Absolutely.” I said, “Well, you know, here's Zero Trust.” I was telling about the five steps. And I feel like, you know, creating great maps is a really important weapon. And he agreed with that, and he agreed to do this LinkedIn Live. So that was cool to get that from somebody who is so notable. 
And you know, you look at the history of warfare and military cartography and wars and wars, won and lost based upon the quality of the maps, and when you have bad maps, you fight poorly. When you have good maps, you fight well. And you know, it's a fascinating thing that Clint just introduced me to. So I think that's a nice analog of why this is so important. And of course, I have to thank Mr. Cunningham for introducing me to Clint Bruce, who is a pretty intimidating figure. You know, you think Chase is intimidating, then you're Clint Bruce, and the intimidation factor goes up. I'm sorry, Chase, I didn't mean that.  

Chase Cunningham  23:37

He intimidates me, dude.

Raghu N  23:40

Isn’t he like an American footballer as well?  

Chase Cunningham  23:43

He's also an NFL player, a Naval Academy grad, and a CEO, but he's a total underachiever.

Raghu N  23:47

Yeah, absolutely, absolutely makes me feel amazing. So, Chase just, just carrying on from that, from what John said about the importance of maps, like, what makes a what makes a good map or a good graph, versus a less useful graph?

Chase Cunningham  24:06

Well, I think in the digital space, really the most important thing to me is to be able to have the graph build upon itself, and to have the self-realization and self-understanding without requiring a digital cartographer. Because, you know, to John's point, cartography super important. However, when we're dealing with the expanse and the volume and the many moving parts and the ethereal nature of this and etc., being able to do that with, you know, Ricky the intern on a spreadsheet, it's not going to work. Whereas, if we're doing it with a digital system that could build it on its own, and then tell me, you know what goes where, which talks to what like that is absolutely critical. And then the other thing I would, I would suggest in in the digital spaces, I want the map, and I want the really good context, but I want to be able to do something with it. This is why I personally am not a fan of SIEM technology as a standalone, because SIEM is like going to the doctor, and he takes your blood work and comes back and goes, Man, you're really sick. And then he leaves and you're going about what “Wait, can I get a treatment plan?” I want to know I could do something about it when you tell me the problem, and especially if we're talking isolation, segmentation, those things. If you know, going back to my navy days, if I see water leaking into a compartment. I want to shut the water off. I don't want to sit there and go, geez, this could get really bad if I let this continue,

John Kindervag  25:25

right? And also, when you have a map, you know how to fix things, because it's documented, and it's accurate, right? And in it, we never did that, which is why I put step two in, because I had some things go south very early on in the Zero Trust world. And I said, no, I got to figure out how these systems work, because nobody knew how they worked, right? Nobody who built them was even around. Nobody documented them. And this was back when things were pretty static. Still, they didn't move around much, not like today, when you can move Kubernetes clusters around, and you have the cloud and things just move around and but it was still pretty sad and finding that information out was incredibly hard. In fact, it would take sometimes multiple weeks with a big, expensive engagement to get that information, you know, but in the real world you expect that, like I my daughter's dishwasher overran itself and flooded on the day she came home with her baby, my first grandson, first grandchild, and so her husband and I were trying to fix the dishwasher because it was making a mess. Guess what? There was a manual on the internet that gave you all the parts and all the step-by-step, and we got it fixed because somebody documented how it was built. And we don't do that in our world. We just built it, and then we’ll go add it, it'll never go bad. And it does, it starts dripping water all over the floor, right? And you have to fix it so it gives you that. And then the other thing, too, that I don't think people really understand. I think Chase, you touch on it a lot, because in your book, Think Like an Attacker, you know, I remember having many discussions with FBI and Secret Service people who've done breach investigations, and they'll talk about how the attackers have so much more information about the network they're attacking, than the attackers know about their own network, right? 
So, the reconnaissance phase is so important to them, and they'll get all this information so they know exactly how to target the attack. And I don't know, is there evidence that they're using these kinds of graph databases to build maps to attack has anything like that popped up?

Chase Cunningham  27:44

You know, I don't have any concrete evidence. But I would just guess, because, you know, kind of like, everybody knows, right? We don't own the patent on any of this sort of conceptual side of things. I would guess some of these more well architected, educated business like malicious entities, probably do something along the lines of mapping the networks. And you know, whether or not it's as good and dynamic and useful as some of the stuff we're seeing in the industry. Now, who knows, but I mean, I know when I was doing stuff without getting myself in trouble at different agencies, we spend a lot of time, you know, looking at maybe theoretical, possible, sort of mapping things. So, you know, it's out there

Raghu N  28:31

Well, and I think Chase, to that point, it's, it's the need that drives the attacker to build this picture, because they have a goal in mind. They have an objective. And from their perspective, it's like, what is all the information I need in order to achieve that? Whereas from a defender's perspective, because often to sort of, to paraphrase the title of your book, Think Like an Attacker, we are not doing so…

Chase Cunningham  28:59

That what drives me nuts in the space, honestly, is I we have so many folks talk about defense, defense, perfect defense, blah, blah, blah, whatever else I like to I like to call most of the folks that don't do red teams and don't do, you know, think like an attacker. I call them Dojo black belts. And what I mean by that is, if you've ever been in martial arts, you know that there's those cats that have got their black belts with like, three stripes on it. And you ask them, have you ever been in a, ever been in a street fight? No, but I've got my black belt. Well, then let's go out and get in the street fight and see how that works out for you. Because the first time someone picks up a chair and cracks you over the skull with it, your your, you know, ninja skills are going to come into question.

John Kindervag  29:34

That's illegal. You can't do that.  

Chase Cunningham  29:37

You know exactly, who would do that? Like, I would like, you know, I don't understand it. Why folks want to engage in that line of thinking at least, and go, you know, how are we going to deal with the malevolence of this whole thing? I mean, these are their businesses on the on the adversary side, but ultimately, they're businesses that are built on a very simple principle of, if I can steal your stuff and make money with it, I will. And that's as old as time. There's only two professions that are as old as time, right? One of them is, you know, less something we want to talk about here, and the other one's stealing stuff,

Raghu N  30:09

Yep, yeah, absolutely.

John Kindervag  30:11

There's a song in there, “Tale As Old As Time.” You have two daughters, so I know you had to listen to it.

Raghu N  30:20

Oh yeah, know that one! So, John, red teaming, right? Red teaming, like the concept of red teaming in cyber, it's, it's absolutely nothing new. It predates, sort of, Zero Trust, etc. So I kind of see two, two things sort of fusing here, right? The first piece is that organizations are not investing heavily enough in adversarial activities like red teaming, right? I see the adoption of Zero Trust. While it's sort of, it's definitely increasing. It's not as aggressive necessarily, as we need it to be. How do we move the needle there on both of those items? Because I kind of see those as kind of complementary to each other. Like, how do we move the needle?

John Kindervag  31:05

Well, I mean, I think there has to be some changes in the theories behind some of these things, because, see, I'm so old that I still call red teaming penetration testing. I was a pentester. We weren't yet cool enough to be red teamers, yet we didn't have colors, you know, in jerseys and stuff and all that, you know, red, blue, and purple. But the thing about that, which was difficult, is that there wasn't anything people could do with the information we gave them, right? And I got out of that business because nobody ever did anything with that information, because it was too inform, too much of information, and a lot of it was pretty spurious, because you can always get into the network and grab a banner we got in and I'm now more the belief that when you're pentesting something in Zero Trust, you want to, can I get into that Protect surface without a credential, for example. And then even if I do get a credential, do I move around? Or is the policy set up so that, so that even a domain credential of an unknown actor doesn't have policy attached to it? So there's ways to do that. But if you're in the 20th century mode and you're doing it the way I used to do it, then you're probably, you know, you're going to get a lot of data, but you're not going to be able to do anything with it, because it's going to be too much. And it doesn't point to something that's important. What do I got I have to protect? Is the important question here. I mean, that's the only question. We're in cybersecurity. Well, what's the cyber why should we secure it? I mean, at least when we were in information security. Hey, we should probably secure some information. So in order to sound cool, we actually lost our purpose in a lot of ways, and that's always been a frustration of mine, because the people who advocated for renaming our businesses cybersecurity actually hadn't ever done anything in real life, right? They were Dojo black belts, so to speak, and they'd never been in a street fight,

Raghu N  33:11

Right. And I think, to pun again on Chase's book title, Think Like an Attacker, that's exactly what we're often failing to do, right? An attacker has a very clear, or often has a very clear, picture of what their objective is and what they're trying to attack or what data they're trying to steal, right, and is focused on achieving that. Whereas, from a defense perspective, sorry, Chase, if you don't like that term, right, we kind of don't have that focus, and we are spread too wide and too thin to affect anything real.

Chase Cunningham  33:42

You're willing. I mean, back to that whole thing about contested space, like there's stuff that I can't fix for a variety of reasons, for technical, for personal, for budget, for whatever else, there's stuff that I can't fix. And if you accept that, then you also can look at stuff in general. To Hill, who's one of my mentors, just like, you know, John's my mentor, a great guy. He says, if everything's a priority, nothing is. And I don't think people give that enough credence, too. So when I do conversations or workshops with people, that's probably the first thing that we spend the most time on: what are we actually, you know, calling a priority here? Because if you can't tell me what is a priority, then nothing is a priority, because we can't do everything. I mean, I would love to ride in on the white horse in the shiny armor and say we're going to fix all this, and it's never going to have any level of suck to it. But that's not possible.

John Kindervag  34:35

We call him General Zero Trust. So, I think the key thing here, you know, in this book, Think Like an Attacker, what's the first rule of warfare from Sun Tzu? I'm asking you, Chase.

Chase Cunningham  34:49

Gosh, I was actually banging on Sun Tzu recently, man. Know thyself, something like that.

John Kindervag  34:56

Know thy enemy. Yeah, we've got to know our enemy, right? So, build some, do one, yeah, well, that's okay. You weren't prepared. I didn't, I just threw that out. But you've got to know your enemy, and if you don't know your enemy, then how are you going to defend yourself against an enemy you don't know? And so when I was doing pentesting, I'm kind of best known for helping a little bit on the margins to create a thing called VoIP Hopper, which is a tool to toast UC networks now, but Voice over IP. We were doing a lot of Voice over IP research, and we figured out how we could automate VLAN hopping in Voice over IP networks, and we were sent to pentest a casino, and they said, you know, just rent a room, don't tell us you're there, and tell us where you can go if you plug into the back of the phone. We went everywhere, right? Because there were no controls in place to stop us. And we ended up in the financial system, and we could have Ocean's Eleven'd that casino. But instead, we said, "You know, here's all the flaws we found. Here's what you need to do to change it." And then they wouldn't change it. They wouldn't do anything about it. Because, well, you know, adds, moves, and changes were more important than security. We want to be able to move those phones around and plug them in and not have to do anything. I'm like, "Oh, really? We could have stolen all of the money from this casino, and you're worried about adds, moves, and changes of Voice over IP phones?" And we did, a friend of mine, Jason Ostrom, shout out to him, he's a SANS instructor, he's the one who really put it all together, and I just kind of helped on the margins. But we did a ShmooCon and a ToorCon, live demos, and we got standing ovations because, you know, live, we were breaking this stuff, even stuff that the vendor had put in the week before to stop us, because there was this adversarial thing going on between us and the vendor. And okay, they just put in new code.
Let's TFTP it in and see whether we can break it. And we did. And everybody stood up and clapped, because, you know, we're thinking like the attacker: how am I going to get to this important stuff? What's the weak point in the terrain? You know? And the weak point in that terrain, that back door, or that path at Thermopylae that was shown by the traitor, is the Voice over IP system, and they didn't see that as a problem. You know, that is only for good. It can't be used for bad. And of course, when you're an attacker, you're looking for all the good things and asking, how can I use this to do bad things?

Raghu N  37:35

So from there, let's interject some AI into this conversation.

John Kindervag  37:42

Because we can't do anything without injecting AI, right?  

Raghu N  37:46

Exactly, exactly. Now, I could see Chase reaching for the red nose that he wears every now and then on some of his LinkedIn videos. So, Chase, you can take this. You could do your clown version, or you could do the serious sort of Chase, Dr. Zero Trust version. How does AI fit into all of this talk around thinking like an attacker, security graphs, etc.?

Chase Cunningham  38:13

Well, first of all, none of this is AI. I tell people every time you say AI, somewhere a kitten dies; they usually stop saying AI so much. But I mean, the truth of the matter is, this is a large language model. This is machine learning. This is applied mathematics and algorithmic approaches and context and compute, which is great, and I understand the industry's accepted AI, so fine, like I'll die on that sword. Let's just accept that that's what it's called. But this fits really well into what AI can help you do, these types of approaches, the need for the dynamic nature of mapping within these systems, the interconnected nature. Again, Ricky the intern can never keep up, but these AI, LLM systems can do this at scope and scale. And I think that one thing that I've been talking with people a lot about in the realm of AI is, like, in all of my history on planet Earth, 46 years, I never felt like it was kind of okay to cheat. Now, when I look at these systems, I'm like, you know what? Cheat away. If you're able to use an AI or an LLM to help you do stuff quicker, better, faster, and make better decisions than the competition or the adversary, by all means, use it and leverage it, because it's going to benefit you. And remember, again, we don't have the patent on the usage of these systems. I think I saw a stat recently that said phishing was up 4,000% since ChatGPT came online. So, you should be using these things everywhere you possibly can, because the benefit to the defender can be exceptional.

Raghu N  39:42

John, AI in the context of Zero Trust. Go…

John Kindervag  39:47

Yeah. I mean, it is the fuel of the machine built to defeat the machine, right? So, the best definition I've ever had came from a mathematician who told me, AI is statistics plus "if" statements. It gives us the ability to computationally analyze all this traffic, put it in the right little boxes so we understand its context, and then we can visualize what we need to do to protect something. And we can see an attack before it becomes a data breach, and then we can respond to it automatically, because we can give a command to an AI system. And I wrote about this at Forrester. I called it rules of engagement. We need to know when we can be allowed to respond automatically, without human involvement, and the less human involvement is involved with these things, the better off we're going to be, because humans take too long, right? I used to do a speech called, What if you did change management the same way, or, What if you deployed an airbag the same way you do change management, right? And the answer is, you die. And so, you know, there are things that have to be highly automated, and actually, response to activity on a network is super important. And I think this thing that's underserved in the AI thing, that I've had an epiphany with, because we just announced a partnership with NVIDIA, and the guy that we're doing it with is an old, old friend of mine, uber hacker from back in the day, but he was explaining to me the value of running Illumio on an NVIDIA chipset, and how the DPU capability really enhances the essence, or the feeling that it's AI, because AI is that I can get a response really, really fast, as fast as I could get from a human being, whereas in the past, there's a lot of number crunching, and you don't get a fast response. So, it's as much a hardware problem as a software problem.
So, I've written about this, why I'm not losing sleep over AI. I think it gives us an advantage over the attackers.

Raghu N  42:09

So, Chase. If I were to sort of pin you down, of course, I couldn't actually physically do that, but just intellectually pin you down and say, Chase, I want you to tell me the best use of AI that you have seen in cyber, not theoretical, actual use? What would it be?

Chase Cunningham  42:28

I think the one that I've seen is the folks that are doing the things that are mapping networks, that are taking infrastructure and tying it together, and I've seen some really good policy engines that are being created, bringing that information in, using the telemetry and building what the correct defensive posture and policy looks like. That is exceptionally valuable, in my experience, just because you're able to do things the way that you want to operate, which is at machine speed, right, speed of light, electrons and those types of things. And, you know, to John's point, I love the whole thing about you can do change management like airbags, because everybody would be through the windshield. The speed, the value, and I think that if you're doing it correctly with these types of approaches, you are taking back the high ground. You are shifting the power more towards your favor. Because I'll, you know, I have no problem saying you're never going to be perfect, but at the end of the, you know, engagement, I want you to be a hard enough target that the adversaries go, you know what? It's not worth it. We'll find someone else. And that's a win. You know, if we live on the same street and I've got Dobermans and ADT signs and, you know, people think, oh, that crazy redneck will kill you if you get on this property, and they go rob you, then Chase wins. You know, I'm good with that, I think.

Raghu N  43:41

Yeah, what you just said there, I was just having this conversation with a colleague today. It's not necessarily about having to stop it, it's just having to slow it down enough that the attacker says, that's not worth my hat. That's not worth my effort. I want to move on, right? If you've done that, they have a business model, too.

Chase Cunningham  43:59

That's what people, I mean, when you're talking about, like, this just general, you know, hacker living in his mom's basement with no life, like the people that are doing this stuff for nation states and for monetary purposes, they have a business model, they have bosses, they have requirements. If it's not worth their time, I mean, just think about what you do when you try and, I don't know, chase a lead and you know they're never going to call you back. What do you do? You pop smoke and find someone else.

Raghu N  44:23

Absolutely. John, I know you've kind of been traveling the world, quite literally, right? Sort of preaching Zero Trust. And actually, you've had the opportunity to do that at some really interesting places. We saw you at Bletchley Park. During RSA, you and Chase were by the side of a US military ship, and other places. So for you, what's been sort of the most iconic place at which to talk about Zero Trust, and why?

John Kindervag  44:53

Well, I mean iconic, probably in terms of historic, is Bletchley Park, for sure. I mean, just to tour that and see what was going on. I know you got to walk around there too, and the historic nature, and it's just so tied into the history of not only cryptography, but computers. And, you know, does our business even exist if World War Two didn't happen? And if Alan Turing and that team at Bletchley didn't do what they did? I mean, that's a big question, because they also created the Colossus, which was a next generation computer, and, you know, a lot of really important stuff started there. So that's pretty cool. I mean, I've had a lot of fun places to have those conversations. Sitting in the Pentagon is a cool experience, kind of nerve-wracking, because it's a little bit unique. And then sitting in a congressman's office, having that, or, you know, you were there in the House of Lords, talking about it. So, the kinds of people who want to talk about this are now grand strategic actors, right? They're not just technologists, and they're certainly not Ricky the intern, who doesn't want to talk about it because he thinks he's going to have to do more work. But if he did talk about it, he could be an intern and he'd get a full-time job.

Raghu N  46:18

So, Chase, I mean, John's mentioned Bletchley Park. He's mentioned the House of Lords. He's mentioned the Pentagon. Go on, trump that!

Chase Cunningham  46:25

Trump Kindervag? I guess, I mean, I can't. You know, I'm just glad if I get to go to, like, a place where people will actually give me the time of day and listen. So, you know, John gets to, John's going to Bletchley Park, and whatever, you know. So, I mean, I've enjoyed it really a lot when I've been able to go talk to folks that I can see are going, okay, we're going to do this, and we're going to, you know, bring some value to it. I'm all about the SMBs and the small folks and the nonprofits and those people. I'll take 10 conversations and 10 dinner meetings at a Chick-fil-A with those folks any day of the week.

Raghu N  47:03

I love that. So just a bit of fun before we wrap, right? So, Chase, I'll give you the first go. Anything that John has said or done around Zero Trust that you've looked at and thought, "Oh, man, I wish you hadn't done that, or I don't agree with that"?

Chase Cunningham  47:24

God, we're amongst friends here. No. I mean, the only thing for me was, like, when I got to Forrester and John, you know, was dragging me by the nose to get in there, and then they said, "You're going to take Zero Trust." I was like, "Oh, God," like, this is his thing. And now they're going to take his, you know, stuff and make me run with it. And I was just sitting there going, great, I get to play, you know, second, third fiddle to the guy that, you know, was fiddling when no one else was listening. And now it's a thing. So that for me was, like, when I first got there, I was just sitting there going, like, I really, really don't want to cover this, and I don't want to do, you know, the second iteration of John stuff. And it just was, you know, fortuitous that it turned out as a good thing. But yeah, as far as, like, disagreeing with him, like, I mean, no, the guy's on point. So, you know, maybe we'd say he keeps his stuff in one sock.

Raghu N  48:12

Nice! John, I mean, kind of like playing on what we were joking about at the top, right, about this, your baby. Chase nurtured it through sort of a toddler into a child, right? And now it's a teenager. Did he bring up the baby pretty well?

John Kindervag  48:28

Yeah. I mean, although my regret would be that he didn't take the job the first time it was offered, and we could have worked together on this instead of me having to leave and then talk them into you, Chase, one more time, and then talk Chase into going there. I still remember we were at the club at, you know, the lounge at the Marriott Marquis at RSA. "I don't know if I should go there. There's this cool networking company that's going to pay me a little bit more." And I think it turned out well for you.

Chase Cunningham  49:06

Yeah, so yeah, the moral of the story is I should listen to John more often.

Raghu N  49:11

All right. All right. So, you're both sage-like, and that is not a comment on either of your ages. It's really about the beard and your wisdom.

Chase Cunningham  49:19

Sage smells weird.  

Raghu N  49:23

So, well, Chase, right? You're too far away from me at the moment to comment on the smell. So, like, let's leave our listeners with sort of your musings on the present and future of cyber. Chase, you're the guest. John's a Chief Evangelist, so he can go last. You go first.

Chase Cunningham  49:46

Yeah, of course. No, I mean, I think in cyber, we spend a lot of time in the negative space. In cyber, we were always people that think of the bad stuff, which is great, because we should. But I mean, the truth of the matter is, progress is progress, is progress. I have seen progress. The strategy is becoming a conversation people are having more and more. Small and mid-size, and regular, everyday users are starting to ask some really good questions about how businesses actually take care of and secure their environments. And I think that there's been some policy and some guidance from on high that's been drafted that's actually useful. So, you know, folks would typically say that we're just sitting around griping about how bad things are, but I do believe that there's genuine progress, and I think that it's a great business market. It's a great market for people's careers. And I, you know, I encourage folks to engage in cyber every chance they get.

Raghu N  50:38

Before I go to John, you said it's "a great business." I know you have this Buy the Breach kind of thing, right? Part in jest, part actually making a bit of money. Any sort of stock picks that you'd recommend us to go and buy?

Chase Cunningham  50:53

Well, it's hilarious that you said that, because I actually have. It happens so often that I created, with a friend of mine, a Discord channel that streams us breach information. So, one just came across the bow. Yeah. So, Nucor was one that just came out, and then there was one that showed up while we were on this call from United Natural Foods. So, you know, go read my Buy the Breach book, and you'll understand the methodology, and then you can go make some money on it.

Raghu N  51:17

That's what you're distracted by, your E*TRADE account.

Chase Cunningham  51:24

I was doing a little bit of breach.  

John Kindervag  51:27

And that's important, yeah. One thing about that, because people used to say to me, "Well, you know, the breaches don't matter, because the stock price always goes up." Like, that's the only metric. Of course the stock prices go up, because they went down, and people buy when things go down. You buy low, and then you sell high. And so yeah, but that doesn't mean it's good for the company. So, I just wanted to point that out. It's good for Chase and his new hedge fund. So exactly, you're going to pick me up in your jet when you come to Texas next, right?

Chase Cunningham  52:05

Yep, eventually, yeah, the Dr. Zero Trust hedge fund. There we go. Yeah.

John Kindervag  52:10

But no, what was the question?

Raghu N  52:17

Indeed, do not edit that. Do not edit that line from John. What is the question? The question, John, was to leave us with your musings, your sage-like musings, for the present and future of cyber.

John Kindervag  52:26

You know, cyber is a great business to be in because it's never going to go away. And as much as everybody's talking about AI is going to eliminate all human beings, it's going to eliminate some human decision making, but not human beings. And, my goodness, if it eliminates human beings, we're all dead anyway. So, I've never understood that one, but you want to be able to respond more quickly. You want to be able to use the information more usefully. And a lot of this technology that we're talking about, you know, we have a strategy now, Zero Trust, and then we have technologies that get better and better. So, I never defined what the technologies had to be. I defined a strategy, right? So it was designed to be strategically resonant at the highest levels of any organization, but tactically implementable, using commercially available, off-the-shelf technologies at whatever level those were going to be, because I knew those would always get better and better. And everybody else wants to define the technologies; they want a list of "what goes here." You know, in almost every compliance mandate: use a firewall here, use an IPS here, do this, do this, do that. And then, over time, those things become irrelevant, but the guidance or the requirement doesn't go away, so you end up using old technologies to fight a new battle. And so you need to have a lot of choices and a lot of options in terms of how you're going to tactically implement a Zero Trust environment based upon what new things are coming out, like these large language models or like graph databases. And the more you can use new stuff that is designed to achieve specific goals, the better off you're going to be.

Raghu N  54:10

Thanks. So I think, just to wrap up, it's kind of similar to attackers. Attacker tactics often don't alter much over the generations. The techniques and procedures may very well do, to essentially keep up with technology. In the same way, right, security strategy, Zero Trust as that grand strategy, doesn't need to change, but the techniques and procedures through which it is implemented obviously need to change to keep up with the times, etc. Well, John, Chase, I mean, it's always a pleasure. It's always an honor to speak to you both. I learn a lot. We have a lot of fun. You guys come up with new anecdotes, etc., every single time I speak to you. So, appreciate the time and appreciate everything that you're doing to essentially make organizations safer. Thank you.