A
Hey everyone, and welcome to this sponsor interview here in the Risky Bulletin podcast feed. I'm James Wilson and today we're talking with Adam Poynton, the CEO of Knock Knock, about how preventative tools are cool again, thanks to AI. AI is helping attackers outrun traditional detection and response tools and techniques. To fight back, Adam thinks we need to go a bit old school and implement good old controls like deny by default. And Knock Knock is exactly that type of solution. It basically restricts access or makes things invisible to the network to the users until that identity or that person has been through a successful SSO challenge. So you can't even get to the thing until you've successfully authenticated. Here's Adam talking about how attackers are using AI for speed and scale, how the time from vulnerability disclosure to exploits in the wild is now only about eight hours, and why old school preventative controls are really quite cool again and kind of all we've got left. And he starts off by explaining how Knock Knock works, using the example of how their customers use it to restrict access to Citrix. Enjoy.
B
So you've got Citrix, it's sitting on the Internet. Anybody can connect to it from anywhere potentially because, you know, they need remote access. And in front of that Citrix thing there's a firewall, a cluster of firewalls, some sort of control environment. But then essentially the Knock Knock approach is before the big bad Internet can connect to the Citrix service or port, they have to go through this identity, you know, this login process, not on Citrix, not in that same network, could be in a different location. And there's kind of a threat model in the detail, in the weeds of how Knock Knock works, but quite considered, where they have to do the identity process over on one network. And then the firewalls that you have that I mentioned before, they're orchestrated to allow that user to access through an exposed Citrix to that user rather than the entire Internet. So it's kind of this decentralized distributed architecture approach, but the user connects directly from wherever they are through to Citrix or through to whatever that service is, which is where the shift is. You know, rather than the patching team being, you know, on the flight deck ready to just jump and go and put out the fire, they're able to then patch that on Monday or take more of a risk based calculation as to when should we patch this critical 0-day urgent. Should we actually patch it now or should we be a bit more, you know, methodical and practical about it? Let's patch it, you know, 4am on the Saturday morning, because the big bad Internet can't run around and 0-day your Citrix edge, because it's only your trusted users that could be the attack source. Now it's still a risk calculation. We're not saying, oh, you don't need to patch anything, just YOLO, Knock Knock prevents that. It's more a case of having the ability to do things in control rather than being, you know, controlled and motivated by the attack surface that you expose to the entire Internet.
A
All right, so listen, I was asking these questions with my old, you know, enterprise CTO hat on, and I was imagining someone had just come to me and said boss, we absolutely have to get this thing called Knock Knock. And of course being the cranky and frugal CTO that I would have been, I would have said hold on, hold on, what the hell does it do? And you've answered that to the point where I would be intrigued and be like that actually sounds really quite cool. But at the same time we've got a million other things going on. We've already got probably some remediation program underway. The first question, well I guess second question, first question is going to be what are you doing? What is this? And the second question I'm then going to ask someone that comes to me and says we've got to have Knock Knock is why this and why now? And you know, I think I get the sense that there might be an element of the why now that is super important, but help someone navigate that challenge of like okay great, it's cool, but why this and why now?
B
Yeah, so I guess the why now is really back to that Citrix example. You know, a vulnerability or a patch comes out, you've got days, weeks, hours, maybe minutes to address that. You know, I'm thinking of the SharePoint bug that came out on the Friday afternoon. Or you've got motivated attackers, nation states, that are genuinely investing in 0-day research. Or you've got gen AI where like the barrier to entry to like do vuln research, do exploit dev and then en masse apply that and auto-own to the point of patching the system you broke into, you know, form a beachhead, C2, etc. Like that's already here. So we came from the like motivated attacker, prevent that by default way of thinking, and then gen AI and the speed is now insane and is upon us. So the like why now question really is what other preventative projects do you have in the pipeline as an enterprise CTO that's looking at, how do I, you know, I don't want to say that's in Risky Biz because it's kind of forbidden, but like move the dial on actually solving my security nightmares. And it sounds very salesy, but like what other prevention projects do I have on the, if I'm going to have a limited amount of budget to spend, what's actually going to prevent me from getting hosed by the 0-day that comes out, or even egress or east-west, you know, what are the attack surfaces that I have that I want to prevent the exploitation of? You know, we went through these big years of like mapping them, finding them, identifying them, keeping up to date. A vulnerability comes out, let's go scan our environment. Oh yes, we have that. Let's go fix it. Those days are gone. Yeah, it's auto-own. So the only way is to shift to prevention. And one last point, so I'm rambling. The zero day clock thing came out which was 1.6 days average time from vulnerability being published to exploitation and attack widespread. I loaded that up yesterday. It's now eight hours.
A
Oh no,
B
we were talking.
A
Don't hit refresh on it whatever you do.
B
That's right, that's right. I mean, and that's for, I guess the data is brilliant and the minds behind it, you know, some of the best minds. Absolutely. Looking at this research and real, you know, quantitative based data. But that's the average. So when you're looking at a real motivated attacker or these gen AI doing volume discovery.
A
Yep. It's certainly not eight hours. It's much, much faster, and I think months.
B
There's already exploitable bugs out there for a year, 18 months, 100%.
A
The, you know, the security bar that used to be good enough is no longer good enough. That is the net outcome of all of these stats and headlines that we're hearing. So where does Knock Knock fit into that in terms of getting, you know, is Knock Knock a way to reset that good enough line? Do you, you know, like how does that fit into being the solution here?
B
Yeah, well I think, you know, that sort of line of thinking comes down to the economics. Right. Like it was always who's going to burn a 0-day on me, or who's doing the research to find these bugs and then exploit, and am I in that category? And the economics have well and truly changed, where the barrier to entry or exploitation is dropped, collapsed. The time therefore also has. So it was always an ace. It's now an asymmetric problem more than ever. You know, it was always this kind of cat and mouse game, right? Like you'd get good offense and then you'd get good defense, and defense gets ahead for a little while, then offense would come back, and now offense is off the charts and defense, you're scrambling. And I think we all thought the like AI versus AI approach where, you know, like I'm just going to spend better AI on defense than offense and that race is fine, but we sort of don't want to play that race because you end up, you know, costs go up and yeah, it's a race, you're competing in that sense. So, you know, our approach or way of thinking is like just stop everything, block everything, and then only limit exposure to your authenticated, verified users. And we have components in the product where it's not just about, you know, stolen identity or stolen username, password. We've got other things that we can do with separate MFA on top and kind of ratchet up the requirements to get access to certain things. So we're also not just beaten by stolen, you know, username credentials, MFA, and you bypass and get access to the thing. So we've sort of catered to that. But this like economics, gen AI versus AI approach, if you just prevent exposure, the efficacy of that is astronomical. It is a little bit back into that old world of like, oh, the security team said no, you know, I'm going to work my way around it.
But it sort of blocks everything and only specifically allows the things through that should be, or most likely should be, allowed through. Very effective and not that difficult.
A
No. And I like your analogy there of the Gen AI versus AI being a race. And I think we were always in this race. But as you said, the variables keep changing, and the things that we could rely on to say there's a reasonable assumption that we're always going to be ahead in this race, because like you say, it's either too expensive to drop a 0-day on us or whatever it was that made us comfortable with the posture we were in, that has all changed significantly. But, you know, when you're running a race, you're not always ahead in the race. Right. You might finish first, but there's times when your competition's ahead, and in this case that's the attackers. And Knock Knock's kind of a way to say we're not going to even run that race anymore. The race is done. There's nothing exposed that needs to be patched and kept up to date. And like you said, you still got to do that. But this is like a, you know, it's a really good solid wall that just says actually the baseline is now here.
B
Yeah, that's a good way to think of it. You don't want to say it changes the game, but the race is different.
A
We ban that phrase as well.
B
Full of banned phrases today. Yeah, it is a different race because you're not competing on detection, patching, you know, exploit discovery versus, you know, patch application. That's kind of the race. Whereas our approach is like if you remove exposure, and this just comes back to a simple risk calculation, you know, when you model it out, like likelihood, impact, well if the likelihood is significantly reduced because the number of potential entry points or attackers is materially reduced, then your overall risk reduces. So you know, that's the approach, and then combining that with like a thought through threat model, you know, a deployment that makes sense, you end up in this different race. It's no longer the same race, it's a different type of race. Yeah, yeah.
A
And it reminds me also, I wanted to, you know, get back to how and where Knock Knock can be deployed. I think we've maybe even overindexed a little bit on like the external facing boxes on the Internet that need to be on the Internet. But we don't necessarily ever feel comfortable about any form of mitigation like a firewall and VPN and whatever else. But I have worked in some enterprises that have scarily flat networks, and I do mean like terrifyingly flat. And you know, not from bad intent, but like somewhere along the line someone made a decision of actually this network should be flat. That's how we're going to do that. But then paradigms move on, but enterprises don't keep up. I would assume it's not just the external and the Internet facing boxes that are of use here. So what are you seeing in terms of like novel or interesting ways that Knock Knock is being deployed?
B
Yeah, we sort of originally started with that external, and then that problem came to us. A few customers were like, oh, we've solved this external thing before. We go down a network segmentation approach, it's scarily flat. What can we do here? And we're like, well, you can either orchestrate existing internal firewalls if you have them, but you know, and then there were a few awkward what if you don't? What would you do? Then we're like, well, you can run it on Windows and Windows servers can be self-defending, and you can run on Linux and they can be self-defending. And so we had customers that started to then just apply it on their Windows hosts. So RDP, all these jump hosts internally then became just-in-time exposure, which is pretty simple to do. It's not a real re-architecture because it's just the host that's already there. It opens up just in time, and it's quite simple to actually have that impact and the effect internally. And then we had a couple of customers that were like, well, Windows and Linux is great. What if you had other things like HP-UX or Solaris or. Yeah, no one has sort of come with AIX, RX or anything yet, but we're waiting on that. They're coming, they're coming, they're coming, and they're environments where you can't re-architect those systems necessarily. You don't want to put firewalls internally because they're doing important work and they're legacy and changing them. If you're going to spend time and money changing them then like rebuild them as opposed to put layers in. So again, like if you can make those hosts self-defending it's kind of a no-brainer. And that's just the Knock Knock approach of self-defending. When I think about it, it goes back to like 26 years ago, around 2000. I always IP address restricted SSH, and it was the only thing I kind of had on the naked Internet, was SSH running on OpenBSD on SPARC to be obscure, because I was worried about, you know, 0-days and peers in the kind of offensive security.
And that was kind of the only thing. Everything else is IP restricted. Well, that's what Knock Knock does. But like 26 years later it ties it to single sign-on and, you know, it's out of band, et cetera. But that kind of like every single host should be self-defending and default deny on all services is the place you want to get to, but you can do it now. So yeah, that's the internal, and then the other internal use case that came up was like outbound egress. So a lot of customers have these networks that are flat or air gapped or virtual air gapped where somebody raises a ticket, the person walks down, they plug the cable into the switch, network traffic flows because a third party, they usually remember to unplug the cable at the end of the day?
A
Usually.
B
Usually, yeah, usually. Sometimes the next morning, it's fine. Or it's outbound, where they've got these environments that are like running Windows, something that's not modern, and they haven't had updates, they haven't been patched in a while, and they don't really have a handle on those getting to the Internet. So we introduced capability within Knock Knock, where you would log in and say, you know, click a button that says allow the green network to get to the red network for two hours or whatever it was, and then they go in and they do maintenance on those machines. And it's just about managing that cable clip automatically. But it means they can patch safely the egress or, you know, east-west flows, and then automatically it's kind of removed. So that's where you do have segmentation as opposed to controlling outbound on a host level. But yeah, it's another kind of customer environment thing that came up. We were like, well, that's kind of natural. You don't want your machines always talking to the Internet all the time. If they're this like medical device network.
A
Yeah.
B
But yeah, you need to get updates, so you probably need to let them see the light of day once a month.
A
Adam, thank you so much for joining us. Adam Poynton, CEO of Knock Knock. Pleasure talking to you.
B
Thanks, James.
Episode: Sponsored: AI is making old school prevention cool again
Host: James Wilson (Risky Business Media)
Guest: Adam Poynton, CEO of Knock Knock
Release Date: March 29, 2026
This episode explores the resurgence of "old school" preventative cybersecurity controls in the face of advanced AI-driven cyberattacks. Host James Wilson interviews Adam Poynton, CEO of Knock Knock, to discuss how attackers now use generative AI to accelerate exploitation, why traditional detection and response alone are no longer adequate, and how proactive, preventative controls—like default-deny architectures—have become essential. The discussion focuses on how solutions like Knock Knock reduce exposure, enabling organizations to regain control and “reset” the security baseline.
This episode underscores a critical shift in cybersecurity: with AI-augmented attackers rapidly exploiting vulnerabilities, proactive prevention is not just “cool again” but necessary. Knock Knock’s approach—minimizing network exposure to only pre-authenticated users—offers a way to retake the initiative, dial down the attack surface, and rethink what “good enough” security means in the AI era. Practical deployment strategies for both perimeter and internal networks are shared, giving enterprises actionable insights to harden defenses in a fast-moving threat landscape.
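The pattern the interview describes (deny by default, then open one service to one source for a bounded time only after an out-of-band SSO step, with step-up MFA for higher-risk services, and the same mechanism widened to a whole segment for a timed egress window) can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not Knock Knock's code and makes no claim about how the product is implemented. Service names, principals, addresses and the rule text format are constructed for the example, and the `render_rules` output is a generic pseudo-rule syntax, not any vendor's firewall language.

```python
"""Illustrative just-in-time, identity-gated allowlist (added example, not product code).

Every service starts closed. A source only becomes able to reach a service after the
identity behind it completes an authentication step, and only until a grant expires.
A /32 grant models one user's host; a wider network grant models the timed
"green network may reach red network for two hours" egress window.
"""
from dataclasses import dataclass
from typing import List, Optional, Union
import ipaddress
import time

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Grant:
    principal: str        # identity that authenticated (constructed sample names in the demo)
    source: Network       # /32 for one host, wider for a whole segment
    service: str          # constructed service label, e.g. "citrix"
    expires_at: float     # Unix time; every grant is time-bounded


class JitGate:
    """Deny-by-default allowlist that opens a narrow, expiring hole per verified login."""

    def __init__(self, services, step_up_services=(), default_ttl=3600):
        self.services = set(services)
        self.step_up_services = set(step_up_services)  # need a second factor on top of SSO
        self.default_ttl = default_ttl
        self.grants: List[Grant] = []

    def authenticate(self, principal, source, service, sso_ok, mfa_ok=False,
                     ttl=None, now=None) -> Optional[Grant]:
        """Create a grant only if the login meets the policy for `service`; else None."""
        now = time.time() if now is None else now
        if service not in self.services or not sso_ok:
            return None                                 # unknown service or failed SSO: stay closed
        if service in self.step_up_services and not mfa_ok:
            return None                                 # ratcheted-up requirement not met
        net = ipaddress.ip_network(source, strict=False)  # bare address becomes a /32 (or /128)
        grant = Grant(principal, net, service, now + (self.default_ttl if ttl is None else ttl))
        self.grants.append(grant)
        return grant

    def is_allowed(self, src_ip, service, now=None) -> bool:
        """Default deny: True only if an unexpired grant covers this source and service."""
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(src_ip)
        return any(g.service == service and g.expires_at > now and ip in g.source
                   for g in self.grants)

    def expire(self, now=None) -> int:
        """Drop expired grants (the automatic 'unplug the cable'); return how many were removed."""
        now = time.time() if now is None else now
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return before - len(self.grants)

    def render_rules(self, now=None) -> List[str]:
        """Render live grants as generic allow rules (constructed pseudo-syntax, not a vendor format)."""
        now = time.time() if now is None else now
        return [f"allow {g.source} -> {g.service} until {int(g.expires_at)} # {g.principal}"
                for g in self.grants if g.expires_at > now]


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the walkthrough is reproducible
    gate = JitGate(["citrix", "rdp-jump", "patch-egress"], step_up_services=["rdp-jump"], default_ttl=7200)
    print(gate.is_allowed("203.0.113.10", "citrix", now=t0))                   # False: closed by default
    gate.authenticate("alice", "203.0.113.10", "citrix", sso_ok=True, now=t0)
    print(gate.is_allowed("203.0.113.10", "citrix", now=t0))                   # True for alice's host only
    gate.authenticate("ops", "10.20.0.0/24", "patch-egress", sso_ok=True, now=t0)  # timed segment window
    print("\n".join(gate.render_rules(now=t0)))
    print(gate.expire(now=t0 + 7200), "grants expired")
```

The important design choices are that `is_allowed` has no positive branch other than an unexpired grant (there is nothing to "fail open" to), that the grant is scoped to the authenticated source rather than to the whole Internet, and that expiry is a property of the grant itself rather than something an operator has to remember to revoke.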