In this educational webinar, led by security experts with deep experience implementing pragmatic security for a global manufacturer, we describe why zero-trust is a big improvement over traditional perimeter security, and why it is effective against both APTs and insider threats.

Webinar Transcript

Julie Garand

Hello everyone, and welcome to today’s webinar, Practical Zero-Trust Strategies for IoT/OT Network Defenders. I want to introduce Phil Neray, VP of IoT and Industrial Cybersecurity at CyberX. He will be doing our introduction as well as moderating today’s panel. So Phil, I’ll turn it over to you.

Phil Neray

Thank you, Julie, and welcome everyone to our session today about zero-trust. We’re thrilled to have Jeff Moore and Christy Peel, experts in security who are going to do most of this presentation, but I’m just going to give a little context beforehand. You may know Rick Howard, who is the Chief Security Officer and Chief Analyst at the CyberWire, former Chief Security Officer at Palo Alto Networks, and before that, he was at iDefense. He’s been doing this excellent podcast series recently in which he said our number one mission as security people is to reduce the probability of material impact to our organization due to a cyber event. In other words, it’s not preventing all intrusions. It’s making sure that when the bad guys get in, we find a way to prevent them from having a material impact. And then on the topic of zero trust, he talks about assuming your network is already compromised and then trying to limit the material damage. So, these are topics that our guests are going to go into a little more detail shortly.

I want to give a couple of examples. Edward Snowden is kind of the archetypal example. He bought a hundred-dollar web crawler, he had admin credentials, and that allowed him to steal over a million documents. Now, he was an insider, but let’s not forget that adversaries that steal credentials also show up as insiders in our network. So that was one example. The other example is in a report that just came out this week, actually about another leak that’s even bigger, called the Vault 7 leak, and the report that was published in the media said that there was a combination of weaknesses—very weak compartmentalization, which we’ll see is an element of zero trust, everyone sharing admin passwords, and then no monitoring, which is, as we’ll see, a compensating control and also a way to strengthen your zero-trust strategy.

Finally, you may be familiar with the Triton cyber-attack on safety controllers in a petrochemical plant that was revealed a few years ago, and I just want to go into a little more detail on that one. So, that was an attack on a petrochemical facility, and what was interesting and new was that it wasn’t about stealing data or even shutting down the plant as we’ve seen with some recent ransomware incidents, but it was meant to basically cause a very serious safety incident. I just want to go through the anatomy of this attack for a second. If you look at the Purdue model arranged horizontally instead of vertically, as you might normally see it, we’re not exactly sure how the attackers got in. That’s never been revealed, but somehow they got in—might’ve been a phishing attack, might’ve been an exposed RDP port, might’ve been an insider with a USB drive, but they established their initial foothold on a system on the corporate IT network, from which they were able to gain credentials and go through the DMZ into the OT network, after which they deployed PC malware—it was actually Python code compiled as a Windows executable that they then installed on an engineering workstation. Now, what was interesting about this malware was it knew exactly how to communicate with the PLC and the safety controller using the native protocol of that device. In this case, it was Schneider Electric’s TriStation protocol, but when we looked at the architecture that they built, it could have really been any OT vendor’s protocol. They knew enough about the memory layout of that device that they were able to deploy their malware onto it and move it into the firmware memory region without disrupting its normal operation. So, they did that using a normal PLC logic download, or upload as people call it. So they used the normal function that’s regularly used to change the PLC control logic, but instead they deployed their malware into that device.

They never got to execute this part, because they ran into a bug and shut down the plant one too many times and then were noticed. But we believe their eventual goal was to use this backdoor to disable the PLC and then launch a second cyber-attack that would then cause the pressure or the temperature or some unsafe condition to be reached where the safety controller would normally shut down the plant and would be unable to do so. That would cause the damage the adversaries were looking for. And just quickly, if you look at what kinds of alerts a monitoring system would provide to alert you to these things along the way: remote access connections—it was later found that there were suspicious RDP connections from the IT network to the OT network. It was also later found that Mimikatz was being used on the IT network. The attackers were in the network for a long time—some people say more than a year—during which time they were performing cyber espionage, scanning the network, understanding what devices were there, so they could build their malware to specifically communicate with those devices. They used the PLC program update function as I mentioned before, which is a legitimate function, but it’s a perfect example of a living-off-the-land technique as applied to OT, because if you’re just looking for malware, you wouldn’t notice this as being suspicious. Then they actually tweaked the native protocol of the Schneider Electric device to communicate with their backdoor, using some unused or undefined function code values in that native protocol to tell their backdoor to read or write memory or execute code. So, it was a very sophisticated attack, and you can see how at various stages in this attack, the attackers kept going through the network essentially unnoticed.

So, this is a great example of once you get into a network, if you don’t have the right controls in place, it’s very easy to navigate through the network and compromise additional systems, which is one of the key things we’re trying to prevent with zero trust. This is also an interesting graph showing the various Triton tactics that were used, but mapped to the MITRE ATT&CK for ICS matrix that just came out a few months ago—we have a whitepaper on our website about this. You can see that we’ve mapped the various things they did to specific categories or specific tactics in the MITRE ATT&CK matrix.

Finally, I just want to point out that traditional reliance on static IOCs is no longer very effective. You need to have them, of course, but they won’t detect malware-free attacks or living-off-the-land type attacks. This is a chart that came out two months ago from CrowdStrike showing that more than half of all attacks in 2019 did not use known malware, and if you look specifically at the bottom right, in North America, it was closer to 75% of the attacks that did not use known malware. They have a great quote in here that says it’s not about preventing the initial compromise—that is impossible, which relates back to the Rick Howard quote—but it’s more about detecting and investigating and remediating an attack as quickly as possible, so you can stop the attackers before they blow up or shut down your plants.

Now, I’d like to hand it over to Jeff and Christy who are going to go into a little more detail on these topics.

Christy Peel

Thank you so much. Alright, so to give you a bit of an overview, I’m Christy Peel, professionally known as Emma Peel. I previously worked at a Global 2000 pharmaceutical research company. Before that I worked at British Telecom, global services, professional services. I am currently the CISO for a professional services cybersecurity firm. Other factoids: I have degrees in computer science and mathematics.

Jeff Moore

Hi, I’m Jeff Moore. And currently I am the CISO for Corvus Insurance. I am also providing CSO as a service to a lot of our policy holders, but at the same time, I spent a lot of time trying to figure out what the environments need, what is new in the organization. And in my last position, also at a Global 2000 pharmaceutical research organization, I spent a lot of time trying to understand how we can get zero-day networks.

Christy Peel

Oh really? Okay. All right—zero trust. Essentially it is a paradigm shift in thinking from more of a perimeter-based topology to one where you assume that your network or your organization is hostile.

Jeff Moore

Yeah, and it was back in 2005 that the Jericho Forum actually started talking about a level of zero trust. They have several papers on this, and they moved into the open forum back in 2013 or 2014. They were looking at trying to figure out ways around it: now that the perimeter is gone, how do we protect the organization? And it came to a point that it is all about the identity.

Christy Peel

So, let’s debunk some myths around zero-trust networks. A few things that you should know: they are not software-defined networks. That’s actually something that’s slightly different, that you could have a zero-trust architecture network that could be hardware or software-defined. So, the way or mechanism of how you implement a zero-trust network can be an SDN, right?

Jeff Moore

Yeah, and most SDNs are now being targeted to 5G, so that’s currently what’s seen as the software-defined networks. I use the words zero-day networks, because we’ve been in some serious senior management meetings in our past where this was what they were using to sell to even higher senior management. We’ve also had salespeople drop this statement, and we all know that zero-day has nothing to do with the network.

Christy Peel

This is more vulnerability than anything else. So, there is no such thing as zero-day networks or zero-trust networks, much to the demise of sales. They are not easy to implement if you’re in an existing organization, right?

Jeff Moore

Yeah. Looking at our past organization, if we actually rolled it out, we’d probably cut ourselves off from the rest of the organization. The benefit of doing this is it’s not easy and it’s not one size fits all—you have to understand your organization, and we’ll go into that a little bit later.

Christy Peel

This is also not data loss prevention, so you can buy DLP products, but there are definitely some foundational strategies that do overlap on how you implement DLP and how you implement a zero-trust network. They rely on some fundamental maturity within an organization, but other than that, you’re still going to have to address data loss prevention, regardless of what type of network topology that you have.

Jeff Moore

Yeah, and while it’s out there, a lot of networkers need to change their mindset of how these things work. I’m not a big fan of having the word zero-trust network, because it’s a little bit different from that with the way you set some of this stuff up—it’s a lot more than just a network, so that’s important.

Christy Peel

So, because I have a math background—network is an overloaded term. If you’re talking discrete mathematics, network is a synonym for graphs, right? So, graphs are nothing more than a collection of vertices and edges. And again, you’re going to look at this and go, what is this? This is actually the formal mathematical definition. You can have different types of graphs. You can have directional, non-directional—a multigraph is essentially what you’re going to care about when you’re actually planning a zero-trust network. You can have multiple edges going into a single vertex, and they have direction because you have data flow, right? So, if you want to get right down to it, stop thinking network hardware topology, start thinking discrete math graph theory. If you find yourself kind of twinging a bit, that is the paradigm shift that you need to start having when you’re starting to plan out your strategy for a zero-trust network.

Jeff Moore

Yeah. I’m glad she explained it, because I’m not a math major. So, everybody out there has been talking about either four or five principles of a zero-trust architecture and networks, and it is actually very much this is the mindset and how people are going about it, and it’s working for a lot of people out there. If you start at the beginning of the principles, in a way, the way you have to start your plan for the network and how you’re going to go through it is to understand what the resources are that you’re going to be wanting to access. Understand where they are, what they’re available for, and how you are going to access them in a secure manner. There’s a lot of technology out there. The one thing you need to understand is zero-trust is not one technology. There are a lot of different technologies that you’re going to require as you go through this and a lot of different areas.

Christy Peel

So assuming that your network or graph—I’m going to keep using graph for the rest of the presentation—your graph of your organization sits on a larger graph. That is the internet. So, how you’re going to protect your piece of that, the subgraph, in the larger internet realm—that is now how you need to start thinking. That perimeter and the DMZ and the firewalls—that is done. Also, you have to take into consideration that you can no longer trust, because insider threats will be on par with external bad actors within your organization. You treat them as equal.

Jeff Moore

Yeah, and that slides you right into the least privilege or literally just enough access, segregation of duties, and the idea here is to actually understand what people need and give them access to it. But the important part here is also monitoring. After that you go to #3, which is verify. All of this needs you to make sure you know what’s going on. And continuously monitor that traffic, look at the movement in the environment up, down, left, right. And last but not least remember, there is no perimeter. People get hung up on, they can’t get out. We have to know that, hey, they’re out and they’re in. So your design methodology is from the inside out.

Christy Peel

So, I guess the best acronym is you have a castle with the castle walls around it. That was great back in the days where it was a lot of foot traffic battles, but nowadays with technologies being advanced, I can send a drone up and over your walls, like it’s done.

Jeff Moore

Yeah, and if you think back to the old days, the castles had a moat, but when villages started to come around the moat, they actually took those villages as a slowdown of the other people trying to attack them. It didn’t need a moat. The people couldn’t get through the village that’s built up around it fast enough. So, they would see this coming down. They integrated that into their strategy to protect. So, segmentation styles—no matter what, there’s always going to be a form of metal somewhere in the world. And don’t get me wrong, Azure offers a zero-trust network solution, as do a few other companies and some great vendors out there that offer this, but there’s always an underlying piece of metal somewhere, right? As we go through a lot of this, you get to understand that a brand new company, start with going forward towards zero-trust network. The smaller your footprint is, the easier for you to bring it on in, and a lot of the new next gen firewalls out there have a lot of the benefits to be able to start a zero-trust journey right away.

Then you have to look inside your network, at the way it’s set up, to how do you logically want to set up a lot of this? And of course we’ve had in the past, we talk about VLANs and all that stuff—yes, that’s part of the concept. Then within those logical environments that you build, it’s all a matter of trying to understand what needs what how, but also to make it a lot more manageable. If you need only people in this area, then you’ve got it in control. And then within those logical areas, you’re going to drop into microsegmentation. Microsegmentation can be as small as having just a segmentation, just for an application or even for data group or several applications in an area so they can talk to each other, not cross boundaries. In some cases, each segment is going to be based on a type of data—also maybe which country could actually access that data—and as you work through this, you’re going to get more granular control on resources, how you’re going to allocate it. Also in a lot of cases, you’re going to actually optimize performance for some of these and start building quality of service within that environment, so it’s quite interesting.

Christy Peel

Let’s talk about a practical journey. Now, we cannot tell you within your organization how to build your specific zero-trust network, but we can give you the roadmap of what you typically need to do to start down this path. The first part, going back to graph theory, you need to map your nodes or vertices. These are everything—you need to have an IT asset inventory. You need to do data discovery of what business-critical information you have. You need to have information classification around sensitivity, or there is a compliance aspect where data cannot move between countries. You need to be able to map your crown jewels. You need your users as well and the roles that they have within the organization. All of these are going to give you, in graph theory, a collection of nodes that have different characteristics but are the logical representation of your company or organization within the grander scheme of the internet. Then you start doing this for your edges, and by edges I mean the connections between nodes, APIs, interfaces, data packet trafficking, right? You can do this two ways. You can do this manually, digging through tons of documents and logs. You can do it more passively, turning on options in your next-generation firewall, bringing in some tools as well to help you build those edges out.

Jeff Moore

But as you go through this journey, it’s very important to understand this is not just your network team’s job. You’re going to have to get in touch with the identity and access management group, the data group, the data owners, application developers. It’s a bigger picture, and the important thing about this bigger picture is you need senior management stakeholders. So then as you drop down into nets, you go into the discovery phase—who should see what? That definitely means you’re going to be working with the identity and access management team, but also the data teams and the application teams who need a lot of this stuff. Where is this stuff? Right?

Christy Peel

And it’s not who does see what—it’s who shouldn’t see.

Jeff Moore

And it comes down to realistically, where is something? Who actually needs to see it? And who does?

Christy Peel

And doing this in discrete mathematics, this is called pathfinding because essentially you’re marking the path via edges between nodes on your information graph, or your mathematics graph of acceptable use or acceptable behaviors.

Jeff Moore

And then you get to your fun part. One of the interesting things, I hate the word network, because it’s definitely overloaded, and it gives a really false understanding of what exactly we’re trying to say here. Right? So one of the things about this is you go into the architecture phase here, and your architecture phase is where you design the direction. It’s not your typical network design, which is actually a lot simpler. This actually goes around the idea of understanding the physical, the logical, the legal, and how you want to put a lot of these in areas. As you go through, you need to understand the organizations. You need to understand the data, the assets, the applications, the services, what’s the impact to the company if people can’t get to them, right? Where do you build quality of service in it? And very clear is what regulations actually impact you. Each country has a different regulation set. Are you going to go for the highest? Which makes sense? Then you build your segmentation. Your microsegmentation is your logical environment. And then you move to the next one.

Christy Peel

So, at that point you have your zero-trust network in the organization. You’ve done so much heavy lifting around the discovery phases of this. You think you’re done, but no, you need to actually start analyzing this, right? So, you have your graph. You need to start actually seeing how it’s being used, because an organization from when you design this to moments after you’ve gone live is evolving. That graph changes—new systems come up, new connections go between new nodes. It’s going to evolve over time, and this is not what you classically think as network monitoring. This is data analytics. This is graph theory. This is larger than just topologies.

Jeff Moore

As you’re analyzing all this data, this is where you build your policy, right? This is where the policy that will reign for a period of time—and I say a period of time, because like she said, things change, data changes. You may open a new office in another country. You have to change the way and who accesses it. They may only be able to access a certain portion of that data. So, a lot of the time this is what your policy will be created for in your environment. Then once you’ve done all these steps and you’ve got it turned on and everything, you go down to document, modify, monitor, constant monitoring with different tooling, right? You’re going to be looking at everything from access logs to login logs to data-change logs, all these things—you know, who was in a group that accessed something that shouldn’t have accessed something? Also a big part is so many people need to be in this, right? This zero-trust environment requires constant visibility, constant view of what’s going on, enforcement, and control that honestly is delivered from multiple products—even from the cloud. It can be on-prem, in the cloud, or hybrid, really well done. It comes down to: here is everything. Now what? You go back to the beginning again.

Christy Peel

Yeah, and you continually monitor it. Now, I will say this is probably more of a complicated space within the IT world. Within OT or ICS, you are dealing with more machine-to-machine communications, so you will have the possibility of having a less complicated graph. But as soon as you have a single IT system connecting to your OT environment, you must now take your IT environment and start doing the exact same steps over there. That’s why, if you’re a small company, you have a larger grasp on your footprint. It is easier to start there. You’ll spend less time in discovery, but because of the evolving nature, you will be re-evaluating things on a more regular cadence.

Jeff Moore

And then the example of how compliance works. One of the companies that everybody on this call has used, which is Netflix, right. They’re probably one of the few organizations that have from the beginning built zero-trust networks, and you can tell because if you go to Europe, you may not be able to watch certain shows because they’ve already balanced it out. Of course you can use VPN. They know you’re going to get around it, but sooner or later, they’re going to block that down. But because of legal and regulations and who has licensing of shows, when I log in and I’m in Germany, I can’t watch such. You’ll be able to watch all the Netflix shows that they’ve actually made themselves, because they’ve got them right to the complete platform. But you may not get Friends. You can’t get Friends anymore, but let’s just say you could still, you may not get Friends because now Friends actually is licensed over here, but not in Germany. In fact, a good example is also the new Max show out now that you can’t get from your favorite studio in Europe; it’s only licensed in the States.

Christy Peel

So, recommendations—get senior management. This is not going to be cheap if you’re an existing organization.

Jeff Moore

It’s very much because this is a strategic direction. This is not just flip the coin, I’m going to do this. It’s a strategic direction and a culture change, right? So you need their support, and it’s across the organization.

Christy Peel

You can have a beautiful zero-trust network implemented across your organization, and your application developers will still assume that the bottom layers of the OSI model that are in the perimeter are safe, right? This is a paradigm change for them and how they develop applications, because they also need to think about hostile networks as well. There is now more responsibility on them with regards to how they architect their secure applications.

Jeff Moore

If a lot of your technology is onsite, start updating the firewalls. It can start you on this journey, help you on this journey. It’s always good.

Christy Peel

Asset inventory I think will be like the next-gen firewall startup. Get an asset inventory and data classification. Those will probably be the two largest needle-in-a-haystack exercises.

Jeff Moore

A lot of my peers have actually started by establishing what they call protective enclaves to control user access to these applications, with the idea and mindset of moving towards a zero-trust network, so these are really cool. They’re figuring it out and then doing it. And to be honest with you, with what’s happened in the universe today, zero-trust networking was a huge buzzword, but I think a lot of companies, if they had thought about this, would not have been as massively impacted in some of the ways. Then of course, since you’re considering your network is compromised all the time, make sure you have a very good incident management plan and system in place. Make sure that you can get all the logs, you have access. If you’re using anything in the cloud, make sure that your cloud provider, if there’s something behind that you may need, you have a deal with them.

Jeff Moore

Then deploy EDR within your environment to make sure that you can do a lot of additional monitoring. It’s always good to have better visibility. Also, when it’s out of your network on some of your clients, you have better visibility, choose your tool of choice. There’s good, bad, and ugly ones, even down to the container level. The other thing is once you go towards this zero-trust and you mature, there’s a lot of companies out there that are mature, that they actually allow the third parties to connect in with no problem, right? They don’t worry what they’ve got, because they’ve already set up their trusts. They understand what this person needs to access and he will get access to this. And the great thing about a zero-trust network is that it makes it a lot easier to work with third parties who need access, because they’re only going to get access to this one thing. It’s no longer necessary for them to VPN in to get to something or create a VPN tunnel between their organization and your organization.

Christy Peel

So with that, we’d like to thank Phil for having us on today. I will definitely give control back over to Phil for any follow-up questions, but we loved having the opportunity to chat with you guys on this.

Phil Neray

Thank you, Jeff and Christy. That was awesome. We have a couple of questions. I’ll start with one that everyone is curious about—how come you guys are in the same room?

Christy Peel

So, when you’re defining zero-trust, and again, it goes back to, I know where he’s been. He knows where I’ve been. Therefore our risk postures are the same. The short version is, ironically, we’re neighbors.

Phil Neray

Okay, and you don’t want to talk about the cats?

Christy Peel

Also, if you want me to talk about it, I have a cat who is 18 years old that requires subcutaneous fluid, and that is more than a one-person job. So a couple of times a week, I’ve had friends come by to help me put an IV in my cat.

Jeff Moore

Twice a week, actually.

Phil Neray

That’s great, thank you. So, it’s interesting, you mentioned EDR, and we had a question from one of the attendees about XDR and I wanted to point out that you can think of what CyberX provides as NDR (network detection and response). So tell us, what are your thoughts on XDR, and what are your thoughts about XDR in the cloud specifically for security?

Jeff Moore

So the funny thing is, when you mention XDR, I think of XDR Radiology, right?

Christy Peel

My brain mainly goes, what do you define as XDR? Next generation EDR, essentially.

Jeff Moore

So, the thing with XDR is the extended detection and response, and like everything, it correlates data from your email and sort of thinks almost a bit like ATA from Microsoft. To me, detection is one of the key things. You cannot stop things, but you need to know what’s happening. When you have great detection products—and honestly, Phil and CyberX have been a great product that we’ve used in the past and we’ll use in the future—but the great thing about having detection is you need to know what happens. If you can’t catch it, you need to know what’s happening so you can stop it, and using things like XDR and NDR, you’re trying to remediate data loss. So, yes, I think it’s a great idea and I always recommend people should get the best detection they can.

Phil Neray

With respect to XDR—so this is now people talking about if you can put this huge data lake in the cloud and gather telemetry from endpoints, networks, firewall logs, Office 365, Active Directory, everything you have, and stick it in the cloud, that will enable you to correlate and identify things much quicker. But what about putting the security data in the cloud? How do you feel about that?

Christy Peel

So again, security data in the cloud really comes back to the risk tolerance of your actual organization, and it really depends on the compliance and the regulatory bodies that you fall under. If I worked in a medical device company, I would never put a crown jewel or my risk register within the cloud because of the sensitivity of it. So, those are questions where, as you’re doing your discovery of your data assets and nodes and doing information classification, you’ll know and you should have standards in place within your company on how to treat this information now with regards to logs.

Jeff Moore

Well, the thing is, when you throw everything together, it all comes down to context, right? If you don’t have the right tools to give you the right answers to the questions, you may not know. It becomes a problem. What you don’t know, you don’t know, but if I’ve suddenly got 10 million things in there that say I’ve got a breach, and I do get breached, I actually could become more legally liable because I have all the information that should have told me, but I just didn’t know what to do.

Christy Peel

I will caution anyone that thinks that by throwing all this information into a data lake and not having done the discovery and edge mapping, like I outlined, you essentially have a data swamp, right? A data lake has a whole bunch of information, but it’s settled down to the bottom, the sediment, and you use the information the most that is pertinent to the purpose of your data lake at the top. So, just pulling in inputs from all across an organization without actually tuning it to what you need, you are taking on more liability because you have the information. I can prove it in court.

Jeff Moore

The other thing is, I don’t like the word data lake. I like data islands. You have a lake of stuff, but I actually like the idea where you build up something, you know what’s there. As I see people throwing stuff together—I had a call yesterday about data lakes—a couple of companies were like, hey, we’ve thrown everything in here. What’s your opinion? I said, well, my opinion is, what are you doing with it? And they said, well, we’ve got some tools that are doing some scripts running against it. And I asked, what have you got out of it? And they said, nothing. I said, well, first off, why aren’t you running simple things to look at X, Y, Z—and you start building on it? It’s a building block game.

Christy Peel

It’s that pathfinding exercise that we outlined, right? Figuring out information flows. Yes, your data lake could be the platform on which you are mapping the topology of your graph, but you have to spin the cycles, and this is data science at this point—tuning it to be effective for your company.

Jeff Moore

And I will be honest with you, if you’re going down the line of zero-trust networks and whatever you put in that trust, try and get a lot of interesting consultation from people like data scientists. If you can bring them in, or if your company can ask to borrow them for a couple of weeks to look at this data for you, they can come up with some really interesting things. In the past, we’ve built data lakes and used these data scientists to actually give us some volume.

Christy Peel

This is the paradigm shift. It’s mathematics at this point—it’s represented in computer science and cybersecurity, but these are math problems now.

Jeff Moore

I mean, there’s no real AI that’s going to help you, but machine learning will.

Christy Peel

Over time, assuming it’s based on inputs, and if it’s an evolutionary algorithm.

Phil Neray

Okay, so machine learning will help address this problem, but it’s not. Got it. Well, let’s see what else we have here in our chat window. Here’s an interesting question. It’s about automation to manage authentication for your devices and applications. How do you do that?

Christy Peel

Assuming that you have a good matrix of who can see what, assuming you know your assets, assuming you know the acceptable use, this is a deterministic problem.

Jeff Moore

And then, let’s go down the line and make sure you have multifactor authentication. In fact, I keep talking to some people who are thinking of three forms of authentication—in some cases, your computer, your name, and then another device that’s registered. It’s very important that you know and what you know. I think that in the future, it’s going to get even further down the line where actually your multifactor authentication is on here, but it’s not actually taking real data and saying, this phone has this IMEI number, this phone number, this SIM card. I accept that because that’s what was registered on day one.

Christy Peel

I would personally caution against biometrics, because there’s regulation depending on what country you’re in. You’re dealing with PII, so you can quickly find yourself in a situation where you’re in a country and you’re like, well, why are you storing the biometrics of a human? So, do your due diligence around that.

Jeff Moore

But honestly, you do not even go down the journey of a ZTN without starting with multifactor. You’ve got to have a second factor because…

Christy Peel

You can’t trust the device, and you can’t trust the network flow.

Phil Neray

Yeah, and also what I heard you say is it’s not so much about the automation or the technology. The biggest problem is going to be the policies and the process.

Jeff Moore

Yup.

Christy Peel

You’re generating a huge state diagram, for lack of a better term. How you navigate that depends on all your vertices and your edges, and once you have that and you’re doing the same thing over and over again—that’s ripe for automation.

Jeff Moore

And just to give you a quick highlight, talking to some of my colleagues in the entertainment business who work for streaming companies, they’re now looking at what TVs are actually connecting to them from your account. So, they’re going to be saying, I see 30 TVs with your account—no. We’ll just start with the main one and turn the rest off.

Phil Neray

The family sharing example, yes. Okay.

Jeff Moore

You want to laugh? I read an article the other day about a family in which the brother had let it out to his other brother. His brother let it out to his girlfriend, and his girlfriend renamed her account to Settings. And as it came up, it’s in Settings, and they never thought once about it for three months, until he clicked on Settings to change something and it was another account, and they suddenly realized it was his ex-girlfriend’s account.

Phil Neray

Okay, great guys. You’ve been amazing. I really appreciate it.

Jeff Moore

By the way, to the one question that just came out—is a strong IM strategy a byproduct of ZTN? No, they go together.

Phil Neray

Also, someone’s asking about how do you identify IoT devices so you can build the right policy?

Jeff Moore

I think Phil’s the guy to talk to, because they have this product that does IoT and, I’m not going to lie, I’m plugging it because we did a lot of work on it for them and we love the tool. So, yes, it identifies devices, and you can then work around building that policy knowing what’s out there. It also gives a level of the vulnerabilities around it. I can highly recommend it. Omer, who is their CEO, hates me for it because I give him crap at times when I see things that don’t work. But yeah, talk to them about it.

Phil Neray

I do have a few wrap-up slides. Thank you, Jeff, for the kind words. What Jeff is talking about is that our platform is passive and agentless; network traffic analysis would be another way to describe the technology, so it’s very easy to deploy and gives you visibility into the full traffic. You then have visibility into what devices you have and how they are communicating, and you can take that information, through API-level integrations with all of the major next-generation firewall vendors, into those firewall engines and use them to build your policies. So, you don’t have to look at your network logs or your switch logs, or run around with a spreadsheet that someone built 5 years ago or 20 years ago. You can actually see what devices you have and how they’re communicating, and use that as a way to build zero-trust policies without impacting your business-critical processes.

Then, once you’ve identified your crown jewel assets, which, as Jeff and Christy pointed out, is one of the key parts of this process: you can’t patch everything, so how do you prioritize patching to minimize the number of paths that an attacker could use to reach your crown jewels? Your crown jewels would be a PLC that controls the production line that generates a million dollars a day in revenue, or the system that, if it were to be compromised, would cause a major safety incident. So, those are your crown jewels. What our platform helps you do is prioritize how to mitigate the attack paths to those crown jewels. We do that using something called automated threat modeling. Then finally, we talked about threat monitoring and response using threat intelligence: basically, it’s exactly what’s going on in your network.

There are also some operational benefits, which will help build support for deploying this technology with your OT teams. We often hear that OT teams are resistant. They’re afraid the technology is going to bring down production, and they don’t see value for themselves except for preventing security incidents and safety incidents, which is definitely something everyone shares as a common goal. But one of the byproducts of this continuous monitoring is you can quickly identify, for example, a misconfigured workstation that’s spewing out scanning traffic and bringing down your network, which would be impossible to identify otherwise. Finally, integrating all of this with what you already have in your stack, whether it’s Splunk, QRadar, Sentinel, etc., is key, because you’re not going to monitor and manage security for your OT environment in a separate SOC or in a separate SIEM. It just doesn’t make sense, especially with attacks that frequently go from one network to the other. As a result, we spent a lot of time early on building native apps and API-level integrations with all of the most popular security products you may already have. I mentioned the SIEMs, I mentioned the firewalls; also ServiceNow, for example, where we integrate with their CMDB and with their ticketing system. We also announced a few months ago, at RSA, an integration with Azure IoT.

So, I’m going to wrap it up here, and I do appreciate your time. I’ll take a quick look at the questions in a second, but there are all kinds of great resources on our website: the white paper on the MITRE ATT&CK matrix that I mentioned; NIST Recommendations for IoT and ICS Security—they’ve defined 16 scenarios that you should be able to detect, including one of the ones I mentioned earlier, which is updates to PLC logic, and then they took our platform, put it in their lab, and showed how it would respond to those scenarios. You’ll also see various other reports in here, including How to Present OT Risk to the Board, and if you’re new to ICS security, the intro chapters of Hacking ICS Exposed, which are a great introduction to what’s the same and what’s different about OT security. I also want to invite you to these upcoming events: CS4CA World, that’s Cyber Security for Critical Assets, on June 30th, and then the ICS Lockdown Security Summit, which is produced by the same folks that do the cybersecurity conference in Atlanta every year.

Again, thanks to Christy and Jeff for the thought and the work and their amazing personalities also.

Christy Peel

Happy to help. Also, any time anyone has any questions, just hit us up on LinkedIn or wherever. We’re around.

Jeff Moore

Yeah, we’re always looking to help.

Phil Neray

Thank you everyone. Have a great rest of your day and a great weekend. Take care.