A
You're listening to the Cyberwire Network, powered by N2K. You eat an elephant one bite at a time, right? And most things that are worth having in life, most things that really, truly move the needle, whether that's your professional life, your personal life, your security posture, they all happen in stages, and you gotta start somewhere. Just Zero Trust is the same way. A systematic approach. It's a framework. You just got to get started.
B
Leanne, Brandon, welcome to Threat Vector. I'm really excited to finally have you here. It's been kind of tough to get you onto the show with all the work you've been doing lately.
A
Yeah, thanks, David. We're really looking forward to the conversation today. Like you mentioned, we've been heads down with our clients over the past few months. Things have really picked up on Zero Trust interest. So, you know, we were able to carve out 30 minutes to hang out with you today, and we're really looking forward to it. Yeah.
C
Glad to be here, David.
B
Leanne, what inspired you to focus on Zero Trust transformation and, you know, talk to us about what keeps this area really compelling for you?
A
Yeah, so I was drawn to Zero Trust, really out of a desire to find some sort of systematic approach that would actually move the needle on security for my clients. I kept seeing organizations invest heavily in security, but it was the same problem all the time. It was the same breaches, the same operational disruption, and they were still losing sleep at night. So Zero Trust is fun for security professionals. It's kind of music to our ears because it's a structured, systematic way to reduce risk, and it actually works in practice. It's not just a fancy roadmap on a pretty slide deck. So what keeps me engaged really, is helping teams apply Zero Trust strategies in realistic ways. Realistic ways that actually work.
B
Brandon, you've worked across multiple sectors on Zero Trust implementations. How have you seen the conversation evolve over the last few years?
C
Yeah, David, thanks for the question. And so with Zero Trust, so, I mean, across different industries I've worked with, so, I mean, whether it be commercial, whether it be federal, whether it be the Department of Defense, not too long ago, NIST 800-207 came out and everyone wanted to move to this whole Zero Trust philosophy. And one of the problems everyone is experiencing is with Zero Trust, it's hard to implement. That is what everyone sees, or they think that a vendor is saying it's one product, you have Zero Trust. Rather, most of the customers, when I go into an organization and ask them, do our discovery and try to find out where their gaps are, what we end up seeing is they have a bunch of tools that can integrate together to do Zero Trust, and rather than ripping and replacing, instead they can use what they have in order to do that Zero Trust policy.
B
Leanne, many organizations start with a Zero Trust vision, but then they really struggle to operationalize it. What's the biggest reason implementations stall?
A
Honestly, David, it's usually because most orgs try to treat Zero Trust like a product you buy rather than a way you operate. And it may sound overly simplistic, but the biggest stall factor that I see is actually analysis paralysis caused by complexity. Teams look at their legacy tech debt. Okay, we all have it. Those 20 year old apps that don't speak modern protocols, they just freeze and they think, oh my gosh, I have to boil the ocean. I have to rip everything all out at once in order to be quote unquote compliant with Zero Trust. If you're thinking like this, you're already setting yourself up for failure. You gotta think about Zero Trust as a journey, something that you build into your organizational DNA over several years. You can't just rip and replace, you can't just snap your fingers. It has to. It's a living, breathing framework and you have to treat it as such. And it's critical to remember that you're trying to move the needle on security, right? You're not just changing the branding on your tech stack, you're really trying to change the DNA of security within your organization.
B
You know, as you're describing this, it reminds me of a few years ago. I was massively removed from daily exercise, let's just say I played a little college ball. And I thought, oh, I'm just going to go out and I'll run a 5K. You know, the sort of ignorance or arrogance of the moment. It took me quite a while to, like, chip away at it. It wasn't just a, like, oh, tomorrow I'm going to be athletic, I'm going to be a runner again. And I think what you're talking about is this idea of, like, small goals. Focus on what can you do today, what can you do tomorrow that's going to make an impact, and then knock that out and move along rather than run until you can't walk anymore. And, you know, then you're like, ah, now I'm never going to do this. So it's a good thing to think about this idea of what are the most important things to do first, do those and then move on rather than trying to go after everything all at once. Brandon, when you're looking at these implementations and these rollouts, from the technical standpoint, I know you've talked about how visibility gaps can undermine Zero Trust. What is it about visibility into your assets and your data or your data flows that's still such a challenge?
A
Yeah.
C
And David, I think one of the problems that we see across our engagements and when we work with our customers is they don't really know what's in their environment. So they don't have a clear asset inventory. They don't know where their assets are. So you have right now assets that are in the cloud. You have assets on premise, you have different types of users, whether that be contractors or whether that be employees internally. And just that whole visibility and understanding where those data flows are, where those assets are. You can't really start with Zero Trust if you don't know where your assets are, what type of data is on them and how you need to protect them. So really that's the hardest part, is not knowing what assets you have out there and what enterprise resources are a part of your organization. Because once again, how can you create policy around an enterprise resource if you don't know what the classification and sensitivity of the data on there is and where it's even living?
B
Leanne, when you were talking earlier about jumping in and trying to take on everything at once, I think that that has to be the type of culture that you have, right? Can you share an example of how that outcome-driven approach or mindset delivered an improvement or a measurable outcome that really did ignite the excitement of the business and the IT side and the security side altogether?
A
Oh, man. Yeah, we have a lot of them cropping up recently. A particular one that comes to mind, we recently worked with a large global logistics firm. They were drowning in tool sprawl. Okay, just throw more tools at the problem. They kind of had a classic hybrid headache, right? They had thousands of employees as well as a constant rotation of outside contractors, all needing access to sensitive shipping data, financial portals, right? So they took this massive undertaking and they were like, all right, I'm going to put together this, like, massive goal. And it was a multimillion dollar network overhaul. Well, you go to the board, you ask for that money and the board goes, listen, you got budget restraints and the team's already burnt out, so you might as well be climbing Mount Everest at that point. So instead Brandon and I sat down and we said, all right, look, we're going to make this simple. What's one specific risk that keeps you up at 2am? What are you losing sleep about? Because at the end of the day, I want my clients to sleep soundly. I tell them, hire me, I'll lose some sleep. You go get some sleep. Right. And for this particular client, it was the contractor with a laptop scenario. They had zero visibility into what these outside vendors were doing once they logged in. And frankly, they were terrified that a compromised personal laptop would become a bridge into their crown jewels. So Brandon had a really creative solution here. Instead of that massive overhaul, the whole network refresh, we pivoted to focusing on securing the point of the spear, if you will. The point of work, the browser. And the beauty of that approach is that it's relatively invisible and quite seamless to the end user. Right? Our company didn't have to ship out company laptops or install any invasive software on devices they didn't own. They quite literally were just able to give their contractors a secure managed window into their apps.
So suddenly they had total control. They could see exactly what data was being touched, and they could literally disable things like copy, paste or the download buttons for sensitive files. Right? So circling back to your question, David, things like that, the measurable impact, it was almost immediate. Within a few weeks, they had effectively hidden their most sensitive data, or excuse me, their most sensitive apps from the open Internet. They eliminated the risk of a contractor accidentally spreading a virus. So they were able to cut their onboarding time for new vendors from weeks to, quite literally, minutes. And their security team finally stopped, you know, chasing ghosts on machines that they didn't control. And the real big takeaway there is that we started with the one business problem that actually mattered to them. We solved it, we proved the value, and now we can move to the next thing, right? So Zero Trust really works best when it's a series of strategic, smart, business-led wins. Okay? It's not a technical mountain that you have to climb all at once.
B
Brandon, every week I talk to CISOs and security leaders, and each week they talk to me about how rapidly technology is changing, is evolving, whether it's automation or AI or adaptive access, all of these things are reshaping what's possible. Can you talk to me about how these innovations are changing the Zero Trust playbook?
C
Yeah, I think so. Previously, how everyone looked at security was more so static access. So, for example, you log on to your VPN, it authenticates you, and then you have full range of access to any internal application. But now with Zero Trust and with the evolving security landscape, that's not good enough. So as organizations have different types of employees, right? They're accessing different applications, whether that be SaaS, whether that be IaaS, whether that be on premise applications. You want to make sure that you are dynamically changing your access based off of where you are, what type of user you are, and what type of access you should have. So for example, when an organization typically has, like, different types of employees, so, like, let's say that we have a privileged employee, let's say that we have just a normal employee who wants to access business applications, and let's say that we have contractors. Well, there's different types of user personas and there's also different types of device personas. Maybe, for example, an organization wants you to be on a company laptop, right? While some different applications make you where you need to be, where you can be on an unmanaged device, like, such as your bring your own device or your own personal laptop. And so as people are accessing these different applications from different types of devices, we want to dynamically enforce policy based on those different permutations, whether you're on a managed device, unmanaged device, whether you're a contractor, third party, whether you're an employee or you're a privileged user. A good example is someone who's trying to access Google Drive, right? Maybe if they're on their personal device, they can only go ahead and access Google Drive and only view stuff on there. However, they can't download anything to their personal laptop and they're only restricted to just being able to read on there, like look at your Google documents, look at presentations.
However, that same employee, let's say that they go ahead and they are on their managed device, they're able to access an application and download stuff. So from Google Drive you're able to download a Google Document. Whereas when you were on your personal device, you weren't able to download that. So just those permutations of access, looking at who you are, what device you are on, we want to go ahead and make sure that access is dynamically changed. And I think that's one thing that you're seeing more and more. Just that perimeter isn't the only area where you should be making sure that someone's authenticated. You want to factor in all these different attributes as well.
A
Sam.
B
Leanne, let's shift gears. Mismanagement often slows down Zero Trust progress. How do you help organizations break down the silos and maintain momentum across departments?
A
You have to align on a shared outcome. When teams can agree what good looks like for a specific application or workflow, so things like who should have access under what conditions and why, that becomes the common language that really unites everyone. And communication really plays a huge role in sustaining that momentum. So you have to have regular structured conversations between identity, between network, the security teams to create continuity and really reinforce that trust. And that's what allows Zero Trust decisions to stick over time. When those teams work cross functionally and they stay connected, Zero Trust stops being this one time initiative that we're just going to knock off the roadmap and starts becoming part of how the organization naturally operates. Going back to what I said earlier about having it become part of the organization's DNA as a living, breathing thing.
B
Brandon, you've led Zero Trust architecture assessments across a variety of different industries. What are some of the reoccurring gaps or maturity challenges that you see the most often?
C
Yeah, I think one of the main things we see is visibility into data flow. So you see a lot of organizations where they don't have any visibility into their traffic, whether they're not doing decryption, for example, on their firewalls, so they can't actually see any threats. The other thing that we see is that east-west segmentation or that lateral traffic. A lot of times an organization, they just leave their traffic so it's not segmented, they're not doing that granular segmentation where we're focusing on the identity, the device health and what they're trying to access. So that's just a common pitfall we always see. And if you're looking at the technology, I think the other thing we're seeing, and this is going on to some points that Leanne brought up earlier, is that organizations, so they typically work in silos. So for example, you have your endpoint team, you have your IAM team, you have your cloud team, you have your network team, you have your security operations. However, a lot of times they work in isolation where they're not actually trying to focus on the mission of what they need to protect, what type of access they need to dictate on their different policy enforcement points. It's not being used together, it's not looked at as unified security, it's looked at as isolated. This team just does this for their endpoint solution, this team does this one thing for their network solution. And really when you're looking at Zero Trust, you're looking at how these different attributes, how this telemetry from these different types of security capabilities work together to inform that least privileged access. And so getting them and steering the conversation between these different engineers, these different teams, that's the most important point with Zero Trust because it's, again, it's a strategy for you to go ahead and implement this Zero Trust. And we want all your tools to work together in a unified fashion so that we can better enforce policy access.
B
So I want to talk about the Unit 42 maturity heat map for a second. It's a tool that we have and I want you to talk to me about how that tool helps give organizations clarity on where they need to focus next as they're going through this journey.
C
Yeah. So as part of one of our Unit 42 engagements, what we try to see is what the customer has in terms of maturity. So we break down those different silos or those different security domains such as your identity, your network, your endpoint, your security operations, your cloud. And we try to identify where those gaps are in your architecture as well as we're looking for integrations to create that least privilege policy. And so when we go ahead and we're doing this assessment, we try to look at your quick wins for the organization and then your long-term strategic wins. And so we base that off of security impact. And we also do it on labor of effort. In order to, let's say there's a gap in the organization, let's say they don't have east-west segmentation. Well, they might not have the resources in order to quickly go ahead and segment out their environment. However, maybe something as easy as multi-factor authentication, doing it continuously, they can turn on really easily. We try to look at your quick wins to get you to that Zero Trust architecture, that ideal state. And that's how we try to help our customers. What are your quick wins, what are your strategic long-term wins? And put that onto that roadmap where it resonates to the customer in their business and their mission.
B
I hear some of the ideas and strategies of some of our customers coming through when you're talking about this. Recently we had a CISO on, and what he said on identity was, I don't try to roll it out for the entire organization all at once. It would be chaos. But I find those areas in the business where there's either a willingness to adopt the control or there's a risk that is so pervasive that that group is desperate for help and they're saying we want to go first, we absolutely want this control first, we want that protection, and to start those wins there and then use those to build stories of success with the rest of the organization and to find out where there's a little bit of friction. And it seems like that kind of pragmatic approach combined with this heat map allows you to figure out where your biggest bang for your buck really is going to be. And I like the idea that there's a way of looking at this through those various lenses to figure out where you're going to get that long-term strategic value. But where are you going to get your early wins? Speaking of early wins, a lot of organizations are looking for those, Leanne. Where should they focus first if they want to be able to show that tangible progress on a Zero Trust program?
A
For sure. So Brandon alluded to this earlier: early wins come from getting crystal clear on the who and the what, identity and device posture. If you can't confidently verify who a user is and whether the device they're using is in a healthy state before it touches data, everything else is built on shaky ground. Right? So for example, a common mistake is treating MFA as a box to check or relying on things like location or office Wi-Fi as a trusted signal. But in the Zero Trust world, those signals don't really mean as much anymore. What really matters is telemetry. Right. The whole picture: is this the right user, are they on a managed device, and is that device patched and protected? If not, access should stop regardless of where they're sitting. And if you think about it, that's a really favorable starting point if you're using that framework because it directly addresses how most modern breaches actually happen, stolen credentials and compromised endpoints.
B
Brandon, as you look ahead, how do you see Zero Trust evolving over the next few years, especially with the growing importance of things like identity, data security and the introduction of automation essentially everywhere in the security stack?
C
Yeah, I think one of the biggest things and this is already happening today, so we're moving from that perimeter approach like where you just rely on whether you're outside the network or you're in the network and you're moving more towards a data centric approach. So we're looking at what type of data is on a device, what type of access do we have based on my user, based off of their role. And I think this is turning where it's more dynamic instead of having static policies, they need to be more dynamic and flexible and adjust to where you are. I mean look at organizations today. I mean they're all over the place, whether it's applications within SaaS, whether it's on premise, whether it's in a third party site, all that type of data and all that different context should drive these dynamic policies and that dynamic access. And I think another evolving threat too is AI. What we're seeing. So nowadays it's not where we can keep up with different types of malware, what's out in the wild, different type of threats. We need to have a more dynamic approach. And I think too with this telemetry that we're ingesting as part of our policy enforcement points or our different tools, we need to be able to leverage that and use that AI, use that ML in order to dictate policy. And I think you're just going to be seeing a lot more dynamic policy and I think you're also going to be seeing AI in the mix to help make those different access decisions rather than relying on static policies or on human intervention.
B
Leanne, what's going to separate organizations that achieve a sustainable Zero Trust implementation from those that fall short?
A
Honestly, those that stop waiting for the perfect time or the perfect architecture. Zero Trust is not a destination, it's really, it's a journey. And I always say that and I always feel silly because I feel like it sounds so corny, but the truth is it's an evolving commitment to eliminating implicit trust wherever it lives. And the hype, and you know, a lot of companies say that it's a product you buy and then you never think of it again, but the reality is that it's a disciplined, conscientious evolution. If you can make one more access decision today based on real-time data and telemetry instead of an old assumption, you're already going to be 10 times better than your peers.
B
Leanne and Brandon, thank you for the conversation today. I appreciate you sharing your insights on how to make Zero Trust real and digging into both the business implications and outcomes that Zero Trust unlocks, but also looking at the technical side a bit more and then giving good advice to our customers of not trying to think about this as a product or a one and done, you know, take on everything type of strategy, but more of this constant journey, constant action, being dynamic in the way that you think about your approach. It's certainly refreshing to get a clear-eyed view of what Zero Trust is and isn't.
A
Yeah, David, thanks for having us, it was a great time, and if anyone would like to continue the conversation, you can find Brandon and myself on LinkedIn. We're always around. Or give us a shout through the Unit 42 investig distro if you're interested in a Zero Trust assessment.
B
That's it for today. If you like what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help me understand what you want to hear about. If you want to contact me directly about the show, email me at threatvectoraltonetworks.com I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Betacourt and Virginia Tran. Original music and mix by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
Date: March 5, 2026
Guests: Leanne (A), Brandon (C)
Host: David (B)
This episode dives deep into what Zero Trust really means in cybersecurity—stripping away the industry hype and focusing on the practical realities and evolving best practices. Leanne and Brandon, experienced Zero Trust practitioners, share candid insights on common challenges, real-world implementation stories, measurable outcomes, and how organizations can move from stalling initiatives to true security transformation. The conversation emphasizes Zero Trust as an ongoing journey, not a product or a box to check.
Timestamps: [00:02], [03:32], [23:57]
"You gotta think about zero trust as a journey, something that you build into your organizational DNA over several years. You can't just rip and replace, you can't just snap your fingers."
—Leanne [03:32]
"Zero Trust is not a destination, it's really, it's a journey."
—Leanne [23:57]
Timestamps: [02:30], [03:19], [06:08], [16:00], [20:46]
"Most orgs try to treat zero trust like a product you buy rather than a way you operate. And it may sound overly simplistic, but the biggest stall factor that I see is actually analysis paralysis caused by complexity."
—Leanne [03:32]
"They don't really know what's in their environment. So they don't have a clear asset inventory... that's the hardest part."
—Brandon [06:08]
Timestamps: [07:34], [19:29], [20:46]
"What's one specific risk that keeps you up at 2am?... And for this client, it was the contractor with a laptop scenario... Instead of that massive overhaul... we pivoted to focusing on securing the point of the spear, if you will. The point of work, the browser."
—Leanne [07:34]
"We solved it, we proved the value, and now we can move to the next thing, right? So Zero Trust really works best when it's a series of strategic, smart, business-led wins."
—Leanne [10:52]
Timestamps: [06:08], [11:18], [16:00], [18:10], [22:15]
"You want to make sure that you are dynamically changing your access based off of where you are, what type of user you are, and what type of access you should have."
—Brandon [11:18]
Timestamps: [14:41], [16:00], [18:10]
"When teams can agree what good looks like for a specific application or workflow... that becomes the common language that really unites everyone."
—Leanne [14:41]
Timestamps: [17:55], [18:10]
"We try to look at your quick wins for the organization and then your long-term strategic wins. And so we base that off of security impact, and we also do it on labor of effort."
—Brandon [18:10]
Timestamps: [10:55], [22:15]
"We need to be able to leverage [AI/ML] and use that... in order to dictate policy. And I think you're just going to be seeing a lot more dynamic policy and... AI in the mix to help make those different access decisions rather than relying on static policies or on human intervention."
—Brandon [22:15]
Timestamps: [20:46], [23:57]
"If you can make one more access decision today based on real-time data and telemetry instead of an old assumption, you're already going to be 10 times better than your peers."
—Leanne [23:57]
Eating the Elephant One Bite at a Time
"You eat an elephant one bite at a time, right? ... Zero Trust is the same way. A systematic approach. It's a framework. You just got to get started."
—Leanne [00:02]
Approach Overhaul: From ‘Rip and Replace’ to Strategic Focus
"You might as well be climbing Mount Everest... So instead Brandon and I sat down and we said, all right, look... What's one specific risk that keeps you up at 2am what are you losing sleep about?"
—Leanne [07:34]
Dynamic, Not Static Security
"Just that perimeter isn't, isn't the only area where you should be making sure that someone's authenticated. You want to factor in all these different attributes as well."
—Brandon [13:15]
Zero Trust Is a Way You Operate, Not a Product
"If you're thinking like this, you're already setting yourself up for failure.... you're not just changing the branding on your tech stack, you're really trying to change the DNA of security within your organization."
—Leanne [03:32]
This episode offers a refreshingly pragmatic, experience-based look at Zero Trust—demystifying the framework and providing actionable recommendations. Listeners gain a better understanding of how Zero Trust can drive both business and technical wins when organizations:
Connect with Leanne and Brandon on LinkedIn or through Palo Alto Networks’ Unit 42 for follow-up Zero Trust conversations or assessments.