Transcript
Neal Dennis: Hey, guys, thanks for having me, Mike. Looking forward to our conversation.
Mike Krass: Absolutely. You're making a statement with this background. So I'm gonna lead into the first question here. Neal, tell our viewers and listeners why you are qualified to talk about security.
Neal Dennis: I've been in this field for plus or minus 22 years in some form or another. I started my journey in the military as a linguist and a SIGINTer working for, pick a three-letter agency, and some other fun stuff. But cybersecurity-wise, you know, it fell in my lap during that, in the early 2000s, as it was becoming a term and an idea. And then, you know, it kind of morphed into contracting work and more government and military-related work. Finally, private sector, setting up intel teams, setting up security response efforts and all sorts of fun stuff over the last, I'd say, eight, nine years now, both as a personal consultant as well as working for various product companies. And then I kind of ended up these last few years actually working as a bridge between clients and a product company called Cyware, where that kind of merges a lot of fun concepts. And then this is my personal bread and butter. And so I like to think that, as an intel analyst, you know, my curiosity as a whole is second to none in the general field of cybersecurity. So.
Mike Krass: Excellent. And curious question, before we dive in, you're also the host or co-host on the podcast, correct?
Neal Dennis: That's right. So thank you for reminding me that I do other things. So, Adopting Zero Trust, with my co-host, Elliot Volkman. And to caveat that, it's his fault that I have a podcast with him. He took advantage of my intel curiosity and sucker-punched me into this. And it's been a wonderful journey. We've been doing this for, we're technically in season two, year two, but we hit our actual one-year anniversary back in June. So we've got, I don't know, 20-some-odd episodes. And so I will caveat, my knowledge on zero trust, which is what we're going into, is buffeted by the fact that I have a really good partner in this that has been able to take me on this wonderful journey. So that's really where that fun expertise, for what little bit I have, kind of comes from. So.
Mike Krass: Excellent. And that's a perfect segue. I'm going to use an Elliot move here and segue into talking about zero trust. In your estimation, there's two or three core tenets, or core competencies, of zero trust. Can you talk to us about the first one?
Neal Dennis: Yeah, I think over the last year or so, what I've learned is really, the primary focal point is nobody knows anything in the grand scheme of things around zero trust, truly. And what that means, though, is that nobody knows anything, because nobody really knows where to start on their own journey. So I think the first thing is to understand that everybody's journey is different, and that their core competencies are going to map out. But every time you get to a new one, it's going to be different for you than it was for your partner two doors down. And so I think keeping that in mind, the journey is different for everyone. That construct is just that: it's a construct, it's a concept of where to go. And it's not outlined, you know, lock, stock and barrel where it needs to be.
Mike Krass: Interesting. So everyone's on their own journey, starting at their own unique starting line. Exactly. Okay, core competency number one. What's the second core tenet of zero trust, in your estimation?
Neal Dennis: So I've learned a lot about identity access management in general, courtesy of this adventure. And I think when you get into this, understanding that at the baseline, zero trust isn't necessarily about obliterating all actual trust between things. It's about caveats, and what that actually means, and controlling what has access to what and when, and how you monitor for that access. So just because, you know, you're an engineer with API access to servers A, B and C doesn't necessarily mean that you and every other tool you attach to should also have those accesses, or that someone sitting in your office that's working on a similar project should also, right? So at a very basic level, understanding that controlling the actual trusting mechanisms and who has access to certain things is kind of a key first step in establishing the rights and privileges around everything. And the more that we can put the right boundaries around it, and the right limitations and exclusions, as well as the monitoring of that identity access piece, that, to me, seems like the starting point for a lot of people, both for the human in the loop as well as the APIs and the programmatic things in the loop as well.
Mike Krass: Got it. Yeah, again, I'm looking at this thing behind you. Have seen protection. So timeout monitoring, obviously, actually would assist with that, whether it's application security, networks, endpoints. The other, in this example, talking about identity access management, who has access to what. Do you have an example that you'd be able to share from your career at some point?
Neal Dennis: Yeah, I think if we go back to my military side of the house, typically under fun technologies, maybe not so much now, because tech moves fast, but in the early 2000s and before, the government military was using one of the first ones, from a security standards perspective, to really start to roll things up and harden stuff consistently. There's always holes in the loop. But I think for me, one of the key things that I didn't realize at the time, because I don't think the term existed yet, but zero trust when we started rolling out our CACs, our security cards with our PKI loaded onto the card, right? So from a sessions perspective, the only way that my session could really, truly exist in the right setup was if I had my physical piece, I plugged it in, I logged in with both the PIN as well as my username and password. I pull that card out, that kills my session. So I think as a starter package, just controlling the user session experience and controlling how much harder it is to replay those things for the threat actors to get access to all that, that, for me, was probably my first taste of what the conceptualization of a zero trust mentality could be, and providing limited accesses when and where applicable, right, for that identity access control. And then the second thing I've recently learned is more focused on this whole construct of passwordless security. And at the
Mike Krass: Hearing a lot about that lately.
Neal Dennis: Yeah, we literally just did a podcast on this with partner Yubico, YubiKey. If you don't know what YubiKeys are, I have a bunch of them, one before we met them, and now courtesy of them. So it's been great to play around with this stuff again. But passwordless security on the identity access piece is kind of a pipe dream or a misnomer in and of itself, one way or the other. You always gotta have, I think, you know, we think about the three tenets. Multifactor, right: who you are, what you are and what you have, right? Who you are, what you are, and what you know, there we go. Yeah, we'll go with those. But in a passwordless world, we're still relying on those elements to get you to authentication. And at the end of the day, maybe it's some kind of biometric fingerprint, maybe it's some kind of way I type on the keyboard, but it's still a password in a roundabout way in the concept. It's still a key of some sort that identifies you as you. So I think for me, those are two big ones. We can have, you know, the physical devices that let the system know it's us, and we have the PIN for that device. And then we have the passwords and all the other stuff that goes with it. We have things like YubiKeys that are basically the same thing in the grand scheme of things. But for me, I think that's kind of ground truth, 101. And the cool things I've learned is a lot about that identity access piece. And there's so many different ways people are trying to address that problem alone, just to start the zero trust, from the humans to the APIs. So.
Mike Krass: Interesting. Yeah, I think it was actually just last week. We use LastPass for password management, just accessing different things across the organization and with our customers too. And they had just sent out a message to all their client list of, we are moving towards a passwordless future, which, you know, there's an ironic joke waiting to be told there, of, like, a password manager becoming, you know, not full of passwords. I'm just waiting for that joke to tell itself. Right, until it tells itself in time, with LastPass.
Neal Dennis: Yeah, that's funny. I didn't see that one yet. So I'm a LastPass and a 1Password user for various things. I haven't seen that email yet. So it's kind of funny. I need to bring that up with Elliot, because he'll probably want to talk about it.
Mike Krass: Yeah, definitely. We talked about the first core tenet, which is everyone has their own starting line, right? There is no universal "start here." There is just where your organization is, whether you're a public or private MB. You kind of start wherever you need to start, wherever you are at in this journey for zero trust. Second tenet, you just talked about identity access management, and we got into that. What's the third tenet?
Neal Dennis: So I think those are probably the two big ones. The third idea that I'd probably bring to bear would be more around focus, specifically more on AppSec and what that looks like, and thinking about, once again, it's still very fixated on identity access management. But I think a lot of people misinterpret how certain things like APIs and other integration-type things really function from a security perspective. And I think what I saw at RSA this year, from a tech stack perspective, was there was a heavy focus. AppSec has been around for a while. We've seen tools do AppSec, but I think what we saw at RSA, obviously, the API or AI stuff, ChatGPT this, ChatGPT that, but I did see a lot of really interesting tech stack for actual API integration, security and awareness. And I think that dovetails very nicely into the construct of zero trust, where, you know, API as an idea, a RESTful API, the construct of connecting the tools and having that standardized language is very solid. We need that language. The authentication and monitoring of that, however, I think has failed us time and time again. I think being able to give an API key to an engineer and say, have fun, and it's within its own, sometimes they're HTTPS connectivity, sometimes they're in their own ports, right. But we miss out on the actual security of that, because we treat that as a side channel that's secure in and of itself. But we're missing the human factor. We're missing the actual security of how those passwords or the security protocols are managing it outside of the comms itself. So something I saw at RSA was renewed interest in just securing the API and providing a way to effectively monitor, track and assign permissions, and deny permissions when and where applicable, like you and I would in a normal community, like a normal Active Directory-type solution, right. And I think for me, that's a huge aspect.
Mike Krass: Let me jump in here. Did you see that at RSA? I was not there this year. Did you see that as just part of what AppSec vendors are starting to build? Or is this almost its own? Were you seeing it represented as its own, almost like a subcategory of AppSec, of, like, yeah, there's application security, but there's also API, what did you call it, API monitoring or?
Neal Dennis: API integrity, API solutioning services? I forget what the official Gartner term is going to be. But I answer the question, what has Gartner been paid to say? In a good way. Yeah. But no, I saw a little bit of both. I did see some unique companies that were very specific on API security as a primary. And then I did see some of the larger companies that have been AppSec-focused kind of bring that into their solutioning. But yeah, so you definitely see an industry category specific, coming out of API sec, and needing to monitor, track, manage all these other things for net new business ideas. So I think it's kind of neat to see that focal point, and I think with zero trust, along with the original AppSec mentality, combined with this API piece, I think that kind of gets us into a new generation of what it means to be secure in that machine-to-machine workflow. And I keep alluding to human and API involvement. But the world works on integrations. Without integrations, without apps connecting to apps connecting to tools to whatever, none of us have anything, right. I mean, this Zoom meeting is a great example. The VoIP part of the house, along with the video part of the house, along with the actual servers that are being used, all those are independent technologies that make Zoom work, but they're all driven likely by some either native API integration that they developed, or some kind of interconnectivity. But once it's set, everybody just assumes it's set. And they don't really do an effective job at making sure that the actual passcodes and the security layers and the people who have access to all that are truly who they should be, consistently, persistently. So one part, I think that the next generation of exploits is going to be very API-fixated, like we've done with RDP and everything else. But in the same vein, I think that's why we also have these net new companies, because that's already been identified as an issue. And people are trying to make sure that we do the right permissions and things like that around it. So.
Mike Krass: Yeah, I appreciate your answer there. And especially seeing the answer, it's really an and/or, or both, answer. Some people are just API sec. And there's some AppSec vendors in the product vendor space who are just kind of rolling this as part of their platform. I could see, you know, as that API's, API sec, hard to say when you roll them together, I can see those two being attractive, and how, like, bolt-ons to businesses in the AppSec space who are thinking, like, do we kind of build this as part of our platform? Or do we bring in someone who's already built a really clever solution that we can integrate into our integration, so that we can integrate into our overall offering? Definitely, when you start to get those really sub-micro niches like that, it raises those questions of, like, build this ourselves? Do we have the time and energy and resources to do it ourselves? Do we want to spend that time, energy and resources? Or frankly, is it okay to just, you know, look at this as part of our M&A strategy and start, you know, rolling those different micro categories into our overall offering?
Neal Dennis: Yeah, I think that brings to mind another point, that zero trust as an idea has really kind of caught steam over the last maybe four or five years, at least nomenclature-wise. And that's in part because of a lot of people like Dr. Chase Cunningham and a few others that have really fostered this through various channels. But, you know, right before RSA, or right before COVID kicked off at RSA, you could walk that floor and you would see zero trust, zero trust, zero trust. I think 2019, 2020 was the year of zero trust kind of coming out and making its first foray into popular terminology. But then we had COVID. And so the terms and some of the basic ideas were there, but now everybody was forced to immediately jump into trying to figure it out without really having actual guidance established yet, right. So I think it's kind of funny, we went from the term being defined and finally being adopted to, congratulations, trial by fire with all your remote workers. And so we spent two years of everybody trying to figure out how to fix all that stuff. And zero trust is now being reinvigorated over the last year or so because everybody's trying to clean up all this stuff. Everybody's trying to figure out how to take my laptop that they gave me for what was supposed to only be six months, that's now been three years, right, at home, and make it more secure. And then the last piece, you know, there are a lot of startups out there that blatantly are zero trust-focused. And, you know, they're securing everything from the human to the app, or trying to get into the app stuff and API stuff. But more importantly, they're taking it a notch down and securing documents and repos and things like that. So you and I can be secure, we can have the API side secure and the integration secure, and actually have those being adopted in some kind of checkout-type system for security and interaction. That if you share a PDF with me that's sensitive, what's the zero trust policy on that? Right. So I think the last piece for me, I think that's kind of the fun nugget, is seeing people who are trying to go beyond just securing the human and securing the device, and they're actually securing the collateral. They're securing the PII and actually putting wrappers around that for zero trust. So I find that pretty fascinating to watch. And, you know, on the government side, once again, we were doing that for decades now in some manner or another, where if I sent you a document and you didn't have the clearance for it, you didn't get it, you couldn't open it. But that's big government with big servers and big money that have developed that. Seeing that on this side of the fence now, it's kind of cool to see.
Mike Krass: Yeah, and, you know, encouraging from a security standpoint. Talk about even repos having some sort of security clearance tagged on to them, with the amount of, not that I'm against open source in any way, but with the amount of open source code that makes its way into other products and services. I think the last stat I saw was something like 40 or 50% of, you know, coding that's happening. We have an AppSec client, by the way. And so they had given us this stat, which is, you know, 40 to 50% of coding that's going into different products and services is being brought over from open source, right, which effectively means, like, I don't know the exact origins of this. Sure, I can track it to some degree, but I don't know the exact origin all the way down to the first time that the fingertip hit the keys, right. Yeah. Also, talking about securing a repository like that, I also don't know how often it's being changed. Like, I'm not going and checking this, right, as, you know, an application developer. I'm not going to check in on all this open source material that I snagged to build this, that or the other thing on a daily basis. I don't have time to do that. And even if I did, I probably wouldn't, because I'd be building product, right. So I think that's a really interesting concept. I'm glad that you brought that up.
Neal Dennis: On the open source note, there's a company called Open ZD. I mean, give me two shakes, because I want to make sure I'm saying them right. So I want to get them. Yeah. All right. Yeah, called Open ZD. They are an open source zero trust construct to provide zero trust layers and ideas around your tech stacks. I think for anyone looking at AppSec and things like that, a few other things, they're a good one to go look at from an open source perspective. They're not the only open source project, but they are the largest, and they're the only one I've really had a chance to really talk to of late. But yeah, I mean, it's a weird construct when we really think about it. Most of us have been practicing the ideology around zero trust in some echelons here and there for a long time. We've just finally put a wrapper on this so people can really start having formal documentation around what this actually means. You know, the government just put out their zero trust policy earlier this year. NIST just updated and created standards for zero trust this year as well, or in the last year. And so, you know, we have government organizations that are finally bought into the concept and terminology of this, which then helps breed that market space, and I think also helps push the standard and make it more formal for the rest of us. And then the other piece of that, it's never going to be, once again, a package deal. It's always going to be DIY, start your own journey, you know, Choose Your Own Adventure book thing. But at least there's now, as of the last year or so, some brackets that you can apply to this to look into it. And I think that's been really impactful. When we started this a year and a half ago, none of that existed. It was just all people talking about it. And when he told me zero trust, I said I don't know what the heck that is. I had no clue either. But then when I started learning about the principles, oh, yeah, I've done that piece before, I've done that part before. So tell me if I can sandwich them together. I'm now zero trust, at least, you know, echelon 1, 2, 3. And, uh, yeah. All right. Cool. Sounds great.
Mike Krass: Yeah, that's awesome. Well, Neal, thank you so much for joining us. To our listeners and our viewers, that is a wrap for this episode of What's the Problem. We hope you found our conversation with Neal Dennis to be insightful, to be informative. He dropped that one nugget and takeaway right there, and he thought we're gonna close out, and he gave you an extra nugget. Also, I just wanted to give a quick shout-out to our hosts, MKG Marketing. MKG is focused on helping cybersecurity businesses get found, drive qualified leads and close deals. So if your cyber business is struggling to do any of those things, let us help you. To learn more, you can visit our website at mkgmarketinginc, C like Charlie, dot com. Thanks for listening. And don't forget to mash that subscribe button and leave a rating for the podcast. Neal prefers seven out of five stars. So don't let Neal down here. It's not about us. It's about Neal here. Appreciate your support. Until next time. Neal, wave and say hello to everybody who tuned in today.
Neal Dennis: Appreciate you guys. Thank y'all again.
Neal Dennis, Cyber Threat Intelligence Consultant at CyWare & Co-Host of the "Adopting Zero Trust" Podcast