Is Zero Trust Achievable?

Neal Conlon, Head of Sales & Marketing @ Appguard Inc.

Ascent Conference 2019

[00:00:06] For anyone who doesn’t know who I am, I’m just kind of an infinite researcher who really loves what he does. And the thing I love about my job as an infinite researcher is I get to do a lot of deep diving into technology and products. The thing I like least about what I do is I end up finding a problem to solve in kind of the everyday market. So just to give you a little bit of background about myself. So I’m a New York City native. The first time I was called disruptive, I was eight and it wasn’t a very popular thing at that time. This is so true. I would get kicked out of three or four schools before I would ultimately decide I was going to leave New York and join the United States Marine Corps. I would then spend the next eight years in the Marine Corps, forward deployed most of that time, first tour as a combat engineer, blowing up things, second tour, playing around with Stinger missiles and Predator drones, blowing up things from the air. And then I got into technology and products. I now live in the Hudson Valley, which is upstate New York. For people who live in the city, it’s the city for people who live in upstate New York. I live there with my family, my children. And we have got two cats, two dogs, a horse, fish and the occasional frog running around. And if you follow me on social media, I’ll probably send you vegetables in the mail because I grow vegetables when I’m not building products.

[00:01:33] True story. So every Monday morning for the past eight months, I’ve taken my little orange wheelie. I’ve kissed my kids goodbye and I’ve hopped on an airplane. I’ve traveled all over the world. I’ve the total number now is six hundred and twenty three meetings that I’ve had with CEOs see CEOs and CEOs of major companies talking about cybersecurity. I’ve spoken at Parliament about Brexit and cybersecurity. I’ve spoken to Saudi Arabia, to royal families and been just about everywhere in the world that you can think of.

[00:02:10] I guarantee you, there’s no one else on this planet that has one hundred ninety seven thousand miles on an airplane talking about cybersecurity. And I say that with force, because it’s a very serious challenge that we have in this world and it’s getting smaller and smaller as the world gets more and more digital. I also find it very hard for people to be able to have the perspective and exposure when you’ve spoken to those type of people, both from a technical perspective, from a business perspective, and from an investment perspective as to what’s going on in the world of cybersecurity.

[00:02:42] I boiled it down to one simple thing that all CEOs, investors and CEOs are saying about the world of technology and especially cyber security: what can we trust? We buy a product. We build a product, we invest in the team. We invest in the people. And then six or eight months later, it doesn’t do what it said it was supposed to do. In cybersecurity, it’s very hard to figure out as these companies continue to scale what to actually believe, what products actually work in cybersecurity, what’s going to protect my customers, what’s going to protect my investors, and what’s going to protect people along the way because everybody’s chasing the unicorn. The next big thing. And the reality is, is that what happens is products begin to scale, they start to stray away from the fundamentals of why they start to do what they wanted to do, because they’re chasing some other grandiose plan. So what it boils down to is, is that trust is really not a technical solution, right? Humans are building technology. Humans have bias. Therefore, technology is going to have bias. And therefore, if you don’t have a fundamental in place that you can believe in, your technology solution is going to have a bias tied to it that someone can breach and get through the minute they figure out what your bias is. It’s a fundamental. So it’s actually a human challenge that we need, so we need to solve. So that said, I started to go deeper into really what it means for trust, and I came across in my research Brené Brown. So for anyone in the room who is not familiar with Brené Brown, she’s a clinical researcher who specializes in shame and vulnerability. In technology, we talk a lot about vulnerability. We talk about the vulnerability of technology, whether it’s scalable or not, and what it can actually do. This is a human emotion and a human bias that is built into technology. Brené Brown has this cool little acronym that, as a military person, I really like: BRAVING, right?
We need to establish boundaries, we need to establish reliability, we need to establish accountability, vault, integrity, non-judgment and generosity. But what does that have to do with technology? It’s got everything to do with technology because technology is built by humans with a bias. So as I go deeper into my research, I thought, well, what does trust really mean for cyber? We talk a lot about zero trust and we talk a lot about all these different architectures that come out. But what does that mean? What I figured out is that if you look at compliance frameworks across the infrastructure across all these industries, they’re missing a foundation of trust in the actual compliance framework. So if I take Brené’s, Brené Brown’s, so I talk like I know her, I don’t know her yet. If we take her acronym of BRAVING and apply it to cybersecurity, it’s this idea of the boundaries of your infrastructure are nonexistent any longer. The reliability of your software, your hardware, your team, do they, are they doing what they say they can do and how they know to do it?

[00:05:43] Accountability and ownership of controls is becoming an ever pressing issue in cybersecurity, vault, integrity, non-judgment and again, generosity. If you’re following these things and align them within your compliance frameworks that you’re just doing the check a box, this creates a very interesting layer of security, both from a human and from a technological perspective. Well, so much so that in two thousand nine, a gentleman by the name of Kindervag wrote an article about Zero Trust. The first time we came up with this idea that we can’t trust anything in technology was two thousand nine. And today in twenty nineteen, it’s becoming an actual architecture that’s being deployed across infrastructures. So trust is the root cause of all data breaches. Fundamentally, it’s not because the technology wasn’t supposed to do what it’s supposed to do. I say it like that on purpose. Trust was given for the wrong reason to something. We thought it was this. We thought it was an insider. We thought it was an employee. And once you can brace for that bias, you can obviously breach through just about anything.

[00:06:49] Well, the other parts of my research fundamentalism I’ve come up with, right, this is what CISOs from around the world, cyber leaders, analysts all over the globe. I’ve compiled this into kind of these three things.

[00:07:03] The reality is, is that they don’t trust their perimeter. There is no more wall, right. With the age of cloud and the age of applications coming from places we don’t know. There is no more perimeter, too. There is no more wall. Right. The other piece of it is, is that fundamentally, until you can scale it, there’s no way to patch the basics. There’s no way when you’re dependent across Microsoft or Apple or anyone else out there which have known vulnerabilities, how can a small business, an entrepreneur, a startup founder, really understand that there’s not vulnerabilities that they’re dealing with every single day?

[00:07:39] So every Tuesday, Microsoft pushes out a patch, and between that Tuesday and the following Tuesday, six million new malware are created. There’s no way that the math adds up, that’s the actual number, there’s no way that the math can actually add up that a human being, an A.I. or a behavioral thing, especially when it’s got a bias tied to it, can actually implement or take care of that six million malware. The likelihood of another WannaCry or BlueKeep or EternalBlue is more likely than not.

[00:08:11] The other piece of it is, is that when you get into the world of banking and you get into the world of big infrastructures, the bad guy or the state actor or the malware is probably already living in your infrastructure.

[00:08:24] So.

[00:08:26] If we peel security back for a second and think about the three vulnerable places for people, it’s your end point, your keyboard. Humans are going to click on things. Absolutely. Humans are going to click on things. We’re supposed to click on things. That’s why we have jobs, right? The applications are built with vulnerabilities, right, ultimately, there are people who are building code who have a bias tied to them for the type of coding you do, how they did it, speed, et cetera, et cetera. It’s not a secure it’s not a secure application.

[00:09:00] Now, if we stop thinking about cyber security right now, how many parents do I have in the room? Raise your hands for a second if you have children. OK. Any time that you think about this, let’s put technology aside for a second. Could you fundamentally believe if there was ever a place where there’s a flaw in something and a mistake happens, where those two things meet, the likelihood of some bad shit happening is going to happen? I’m not going to put my kid in a situation where there’s a flaw in something and there’s a mistake because that’s going to be lots of booboos, bandaids and lots of ice cream and lots of other things. Right. But that’s what we do every single day because where the end point meets, which is at your keyboard or your mobile device and where an application that has known vulnerabilities in it, like your Excel, your Adobe and your Word every day, just as an example, bad shit is going to happen. And it gets very confusing to me in my research when people sit there and think they go, well, I’m surprised that that actually is allowed to happen. It’s because it’s a place where flaws and mistakes collide.

[00:10:11] So the other piece of research that’s come out of this from cybersecurity leaders is that the cybersecurity tools of today are not nearly as effective as they need to be. This has created an environment where zero trust architecture, this idea that came out in 2009, has now become an actual framework. And so I’m an active contributor to the zero trust architecture for the next framework. So if anybody would like to get a draft of that, which has not been released yet, after this, come find me and I’ll make sure to get your card from you. I’ll give you a copy of it in advance so you can bring it back to work and be like, hey, look, I got this cool thing. Nobody else does because no one else has it.

[00:10:55] They have multiple, multiple tools across their infrastructure, and the other piece of it is, if you’re a startup founder, you can’t afford to have these tools and protect things. So therefore, you just kind of ignore them.

[00:11:06] And then the other piece is that every tool, of course, claims to be the best, but it’s still in the news saying that Equifax was breached, Marriott was breached, Weight Watchers was breached, et cetera, et cetera.

[00:11:22] Talking about trust, the reality is, is that you need to find, as technologists, we need to find a fundamental that we can believe in and here’s a fundamental that we believe in and that we can trust in. The fundamental is, is that you can prevent breaches at the endpoint by blocking applications from doing inappropriate things and harmless processes. Prevention is a fundamental that you can align with, not being proactive, not finding things, not remediating things. It’s a fact, if you go to the doctor on a regular basis and you monitor your nutrition and you exercise, your likelihood of you being overweight and getting sick will not happen. That’s a fundamental, right? So if you can prevent something from happening, you should try and prevent it from happening. Well, how do you do that in technology?

[00:12:13] So there’s three areas that you can do this fundamental in the actual technology above the hardware. There’s a place called user space and system space at the kernel level. What happens is, is that when a bad guy or a malware is trying to do something to your computer or to your infrastructure, they are only trying to do three things. They are trying to harvest credentials so they can use them against you. They are trying to encrypt your machine so they can ransomware you and your infrastructure or they are trying to exfiltrate data or complete a payment sequence.

[00:12:49] Those are the three things that happen. In order for them to do that, they have to come in through some application and cross over the space between user space and system space to fundamental. You can ask anyone on the planet who does technology, it’s a fundamental. Right, you can believe that as long as you can protect the space between user space and system space, and protect the application from doing a bad thing to the kernel driver, these three things cannot happen.

[00:13:21] Then along that, if you can isolate this behavior and make sure that it cannot continue to go on, whether it’s something being downloaded from the Internet, something coming across from reading an Adobe PDF, any of those features, as long as you can isolate this behavior and make sure it’s not allowed to action itself, you can protect your machine, your servers and your infrastructure from having these things happen at all.

[00:13:46] And then as long as that can be inherited throughout what they call a kill chain, so what I mean by that is in my slides, a little bit wonky, a little bit geeky here. But the idea being is if I open up an email, and there’s a bad thing attached to it, then I click on it, because I’m a human, I’m supposed to click on things at work. And then I download that thing to my machine and I’m supposed to open it up because I’ve got work to do. And then I’m supposed to forward it over to someone else in the company, because they’re my manager, they’re the next thing I have to do because that’s what they’re supposed to do. Well, if I can protect that file the entire time and not let it execute, not only have I protected myself and my machine and my reputation in the workplace, I’ve also protected the company, my brand, et cetera, et cetera, et cetera.

[00:14:38] And not to go too far deep into this, but one of the biggest challenges in technology is really this idea that there are compliance frameworks that are built. And by the time that the compliance framework is built, launched out to the world, the whole world is trained on it and it’s implemented in the world of cybersecurity. It’s not like accounting or legal. There are countermeasures and bad people that are out there that are trying to find holes in these systems right away just so they can exploit them for their own needs. So this framework is pretty simple. It says, hey, we’re going to identify a bad guy or a bad thing. We should protect against it when we can. We’re going to detect it. We’re going to respond, and then we’re going to recover from that bad thing when it happens. But this doesn’t work when it comes to zero day attacks and other malicious activities. It’s not scalable and it’s very costly to understand the ROI on spending in these various infrastructures. So the AppGuard technology fills this gap in a very meaningful way with a fundamental of trust that is hard to beat for sure.

[00:15:46] The interesting thing about that is that.

[00:15:49] If you don’t have to rely on an index list of bad things going on, there are some key benefits and key fundamentals that happen.

[00:16:00] So you’ll, what you’ll experience is, is no latency within your computer, no overhead. You don’t even need to be connected to the Internet in order to protect your machine from bad things happening. Right. This is, this is a use, this is from a use case where AppGuard is deployed, I’ll just call it in a sandy place in a faraway land where operators are using this on a regular basis. And there’s some folks that really believe in our technology, so we’ve got a whole slew of awards from government DoDs to startups to all kinds of cool fun stuff, and we’ve got some cool, interesting products.

[00:16:38] And if anyone would like to talk about it afterwards or I can share knowledge, I’m more than happy to do so. Thank you for having me today.