Zero Trust Means Attackers Shouldn't Trust You
On this episode of the Cybersecurity Hot Takes podcast we are joined by CISO, Sam Curry from Zscaler.
Transcription
Reece
Hello. Welcome to another episode of "Cybersecurity Hot Takes." It's me, your host, Reece Guida, and we have a very exciting episode today. We have Zscaler's CISO, Sam Curry, joining us. Say hello, Sam.
Sam
Hello. How's it going?
Reece
It's going well. And I feel like it's going well because your lunch buddy, Kurt Johnson, our chief strategy officer, is here today for an enlightening conversation with you. Say hello, Kurt.
Kurt
Hello, everybody.
Reece
And then, oh, yeah, there's H.B., too.
Sam
Say hi, H.B.
HB
Hey, everyone.
Reece
So, we had a very fun time last week with Sam, who was the featured speaker at our Zero Trust roadshows in Boston and New York City, and the whole idea of this roadshow is to talk about best strategies and practices for implementing a zero trust architecture. We also had Dr. Chase Cunningham, shout out to Dr. Zero Trust, who provided his catchy and funny insights into this as well.
But when you were talking, Sam, especially at the New York roadshow, something you said stood out to me. We were talking about zero trust a bunch, but you introduced this term "negative trust" to me, and I'd never heard somebody think about security in that way before. I think the audience is going to find it interesting. But before we even get into negative trust, weren't you a skeptic of zero trust to begin with?
So, why are you speaking in our roadshow in the first place?
Sam
Yeah, I think I can't stay a skeptic, because otherwise, I think Dr. Chase Cunningham will cease to exist, and that's just not fair, you know, Dr. Zero Trust.
Reece
We need him.
Sam
I'm kidding. He's awesome, by the way. I was a skeptic because there's always trust in the system, and so just semantically, for something to really be zero trust, you would expect there to be none. And so, you have to trust somebody at some point, so if you have none, no a priori entitlement, absolutely zero, then you'd have to create a provisioning system, and that in itself would have to have trust, and then it would become a new topography, a new attack surface by itself.
So, I was a skeptic. And as I started to think about the challenges of doing it, I said, "Oh, okay, that's the challenge." And I started a program, because I was a CISO formerly, I was at my fifth time, and I said, okay, so now I'm going to start a progressively less trust program, and I realized ratcheting it down and getting trust out of the system is itself inherently worthwhile.
Yes, we have least privilege, and there's a bunch of principles that we follow, but less and less trust, approaching zero, is a good thing. And at some point, you have to discontinuously make big changes in your environment around identity, around data, around network, but zero trust, you can get there incrementally. Kurt, I think you once were a big fan of delayed perfection is the enemy of the good, right?
Kurt
That's right.
Sam
I'm sure I'm butchering it there, but the point is that at some point, you also make big jumps, and as you go, there's a chance to innovate. And so, now I'm a believer in zero trust because I think it's not just a collective goal, now we have defined it much better. And I think the journey for those who come next is not only going to be a better journey, but there's new areas to innovate and to try stuff.
And then you get to negative trust. I can dive into that, but I don't want to do all the talking here. I'm sure others have some things to add already.
Kurt
I think what's always interesting when we talk about zero trust is that we just like, in this industry, to attach human emotions and things to our cyber worlds, and you know, the whole notion of trust is kind of this binary, either you trust something or don't. But in the real world, we do that through recognition. Like, I know Sam.
I've known Sam for many years, so when I see Sam, I don't have a lot of doubt that that's who it is. But you meet somebody that maybe you've only met once or twice, right, and then you use this whole notion of information to raise that level. Like, oh, yeah, I remember, we met at RSA 2022, at the event, and that's enough to kind of give you that hint.
But we've been, in a sense, teaching our kids since early ages about stranger danger, and not to trust, and what are these aspects of trust, and somebody offering candy is not a good level of trust. And so let's turn and apply that, and remember the movie "Catch Me If You Can," Frank Abagnale infamously, like, ended up in the cockpit of a Pan Am or TWA flight just by having a uniform, and making up an ID badge?
Well, that's akin to a password, right? I mean, it's about having a uniform on is good enough to get you in. And now, a whole industry around education of the end users has popped up, with great companies like KnowBe4 trying to educate people to not take candy. But at the same time, it's like, what do we need to do to raise that level of trust? And as the adversaries got better and more, you know, directed at this, we had to raise our own defenses.
So, the whole notion of zero trust was kind of like almost going from, you know, going right into hyper mode out of the gate to say, okay, don't trust anything until we get that higher level of assurance. And the trick today is how do we gather enough signals to make that level of assurance? So, you know, it went from trust but verify, to now never trust and always verify, and it's really becoming a challenging task as we apply this in our digital world.
Sam
And as soon as you get into the continuously verify game, you can start to do some really interesting things with that signal, and where we're coming at it from Zscaler is about the authorization. I mean, think you were coming at it in Beyond Identity from authentication, and the two go hand-in-hand very, very well. But that gets us to the negative trust game.
So if we're trying to remove trust, and get closer and closer to zero trust in our IT infrastructure, negative trust touches on what Kurt just said, which is we want the opponent to not be able to trust the infrastructure they think they've compromised. Because to date, we've had the attacker only having to get it right once to get in, and then it's a field day as they spread.
And defenders have to get it right all the time. I want to reverse that. So, let's give them false credentials when they go credential harvesting with LaZagne or with Mimikatz or something like that, let's have identities that when provisioned, are only ever used by attackers. Let's have false pathways, and false apps, and false files, and as they appear, they become super signals in the environment that says, this is really an attacker, and you get it further to the left than you would otherwise get a signal.
And so, every time they're faced with an option, or a door, or a set of doors, they don't know which one they can trust, right? So if you're headed towards zero, I pictured a number line in my head, and then you hit zero, where do you go? Well, you try to make it a negative trust environment for the opponent. And you can do this in a way that the legitimate users would never encounter these things.
That's why it's a super signal. So, that's where that came from too, Reece.
Reece
I love how oppositionally-oriented it is. Because usually, we think about how do we protect ourselves? It's no, how do we litter the environment, and confuse the adversary? Because like you said, they only have to be right once, so let's make it really, really difficult for them to be right.
Sam
Yeah, it's...
Reece
And easy for us to see.
Sam
That's right. It's an asymmetric race. In fact, the idea of cyber insurance came up when we were talking at some of these roadshows, and we talked about how everywhere else you have complex systems, and the threats are... we called it first order of chaos. They are complex, they are chaotic systems, but they're not intelligently adaptive. So you have hurricanes in a meteorological system, or COVID-19 in a biological system, but COVID-19 doesn't say, hey, my host is going through an airport, lower the body temperature.
The hurricane doesn't say, "Oh, they're taking shelter this way, you know, blow the building down differently." But that's exactly what hackers do. And in a business, there's only three places where you have that type of opposition. It's not the rest of IT, by the way. It's information security, or cyber, it's legal, and it's sales, because that's where we have opponents that are intelligently adapting to our strategies and what we do in defense.
So, it's time to start spiking the wheels on the opponent's, you know, car.
Reece
As a salesperson, I agree with that. And also, as a Floridian, your intelligent hurricane analogy absolutely rocked me to my core.
Sam
Oh, dear.
Reece
So, I'm going to have to grapple with that when I go to bed tonight.
Sam
I didn't mean to startle you with that one. Yeah, so that's negative trust. That was the principle behind it. And I don't know if it'll catch on, and certainly some marketing person out there is going, "Ooh, that's good," and another one's going, "Oh, I can't do that." But, yeah.
Reece
Is that an idea that you came up with while pondering security in the wee hours of the night, or is that something you've talked about with your peers?
Sam
Yeah, that was one of those.
Reece
Yeah.
Sam
That was one of those. I talk to Kurt quite a bit, and I think that may have come up in the conversation we had. And I also talk to my brother about cyber things every day, so poor guy has to put up with that. It probably came up in one of those intellectual contamination conversations that we have, so, yeah.
Kurt
I can only imagine what dinner around the Curry table is like.
Sam
Well, my dad's in cyber too, actually.
Kurt
Your father's in this, your brother's in this, so...
Sam
Yeah, my dad is, too, yeah, so...yeah, you'll have to come over sometime.
Reece
Yeah, I'd be glad to go to one of those dinner parties. So, I'm thinking back to the time we shared last week at this roadshow, and another thing you said that stuck out into my mind was in the context of giving security leaders advice. Because, you know, I read the news, and I see that there's a lot of articles out there trending about how CISOs are having problems relating to the board and...
Sam
Oh, yeah.
Reece
...talking about security in a context that's not risk, risk, risk, risk, risk, risk, risk, risk. And you gave a great little story, where the punchline was a CIFO saying to you, "You security people just want toys." Tell us the story behind that, and how that can perhaps translate into practical advice for security leaders who are struggling to relate to the board.
Sam
Yeah, so I think the question we had from the audience was who are the biggest allies at the C-level? And I said the general counsel and the CFO. And I think the real reason for that is that the biggest problem in cyber I don't think is a technical one, for all that our job is technically difficult, we had a lot of challenges. The biggest problem is the gap between cyber and the business, that we don't generally speak the language of business, and when we do speak risk, we don't use the same words, and we don't quantify risk the same way as finance, legal, operations, other forms of risk.
And I actually asked my former CFO, who's brilliant, his name's Russ Stein, he was a CFO at Cybereason when I was the CSO there, and you know, I said, so "Hey, what do you think each department wants when they come asking for something?" Because you know, he's sitting there with the money, and everybody wants the money.
And he said, "Hey, you know, sales wants a salesperson, engineering wants a developer, that's always the thing they ask for, and marketing wants more program dollars." And I said, "Well, what does cyber want?" And he said, "More toys." That's what every CFO knows about us. So, you've got to have a strategy for what you're going to do with those toys. And most of the things that we buy, they're old.
They don't...they aren't up to date, they aren't doing the latest things. Most of it is what we call statutory spend, in other words, spend you have no control over, things that are already mandated for you. It's not discretionary spend. So, you've got to find a way to have a financial strategy to do that, and I have never seen a cyber strategy and plan that didn't benefit by better alignment with the business. I mean, we think we know risk, risk, risk, risk, risk, risk, risk, but we can actually do our jobs better when we understand the business better.
What's more is we need to demonstrate we're business people, so we should be using those other words. We should be using "revenue" and "margin," "customer satisfaction" and "employee efficiency," and the strategy things, right, the "user experience." Those are things that should come out of our mouth when we're justifying something like zero trust as a program, and not just "risk" all the time. Because that's what they expect us to say.
But if you're not going to talk about the other things the business cares about, how is the CFO and the CEO going to decide another salesperson, more program spend, or another toy, where's the next dollar go?
Kurt
Interesting point, Sam. And I think our industry has moved forward in that regard, and backwards all at the same time, and I think it even relates back to the whole concept of zero trust. And I think back to I've been around this industry long enough to remember the fun of Y2K and talking to CIOs who threw every wish list of a toy in their bucket, calling it Y2K. I mean, they were upgrading routers and firewalls, I'm like, that has nothing to do with Y2K, but who else knew?
And I was talking to a CISO recently who was just so negative on the term "zero trust." "It's a buzzword. It's what you vendors are doing." And he said, "But I will say it's how I can justify a lot of spend." Like, you know, all of a sudden our CFO and CEO are reading about zero trust, and asking me what I'm doing, so I could put it around my budget. Now, the current economic climate has maybe put a little bit more scrutiny on that, but we haven't really changed, and anything that can catch that kind of attention, and create a little bit of a scare is a great way to buy a new toy.
So, how do we...?
Sam
By the way, I think NAC came about because of Y2K.
Kurt
Yeah.
Sam
And the reason I think that, I was at RSA conference on a panel in 2002, and somebody from a hospital stood up and said, "I'm doing NAC. We have 30,000," you know, "computers in our environment, where should I start?" I said, "Well, why are you doing NAC?" and the person... I didn't mean to be, you know, a terrible person, but they had no answer for that. And I think it's because everybody had just bought all this new Cisco gear right around Y2K, and NAC came out as a program to cause a hardware refresh, and the marketing behind it was incredible.
Kurt
It's interesting. I mean, I know you do a lot of mentoring of cybersecurity professionals. I mean, kind of at all levels, what are you trying to educate these folks on, on kind of the importance of building...you know, being a business person, and not just a cybersecurity person?
And I know you have a story on how you learned that the hard way as well.
Sam
There is one. My worst job, I won't... If you look at my resume on LinkedIn, you'll see exactly where it was, but I lasted less than eight months because I didn't treat myself as a business person first in the eyes of my peers. I'll try and protect the innocent here. So, I was asked by a CIO to mentor a CISO who was an interim CISO. I said, "Well, okay, you want me to mentor him. What do you want me to accomplish?"
And he said, he needs gravitas. And I thought, how do I deal with that? He said, "Just talk with him." So I talked with him, and the guy was super smart. He showed me his plan, it was great, and I had this insight, I said, "When's your next meeting with the CIO?" He said, "It's Monday." I said, "Okay, I don't want you to show him this plan. Like, don't show him this plan. You haven't shown it to him, have you?"
He said, "No." I said, "I want you to turn up, and I want you to ask questions, listen carefully, I want you to find out from him, like, what are the top objectives from the board. Then I want you to go away, and even if you don't change your plan, I want you to come back, and I want you to recast it in the words he used. But whatever you do, don't show your plan." And so he didn't turn up at the next mentorship meeting, at the next one, he was really mad. He was interviewing his replacement.
And I said, "What happened?" He said, "Well, I turned up, and I presented my plan." Like, he missed the whole point, and that's, like, the biggest mistake, he effectively turned up with the answers. He didn't have a dialogue, he didn't work it out with the other person, that was the missing gravitas.
He wasn't a business person, he was turning up with the answers, and trying to be the smartest person in the room. And I made the same mistake with my shortest gig.
Reece
Yeah, security doesn't happen in a vacuum. And I think it's so important to think of it beyond the context of risk, because if you went up to a random person on the street, and asked someone, "Hey, what's zero trust?" and they weren't in cyber, they'd say it's an oxymoron.
Sam
That's right.
Reece
So, we really need to contextualize things.
Sam
And you have to build, ironically, you have to build a lot of human trust to get a program like zero trust through.
Reece
And that's what Kurt was saying at the beginning. Because we think about it in terms of machines, how can we trust machines instead of people? And this is something, when I'm consulting people on sales calls, that really resonates, because they're frustrated with the shortcomings of, you know, end users being able to decipher phishing messages. At the end of the day, the human element is inevitable. So, we have to figure out when and how to leverage it.
Sam
Well, zero trust is one of the big programs, if you do it properly, whether you do it incrementally or in big jumps, the InfoSec department or cyber can't do it by itself, period. It's not going to happen with, oh, that's a thing they're doing in that silo, which means you're going to have to do it with HR, you have to do it with CIO, with legal, you're going to have to finance behind it with CTO.
This is a big deal, so you're going to have to have trust among the people, and bridge that gap.
Reece
Well said. And I love it when a podcast episode comes full circle like that, so I won't mess with what fate has laid out before me. But I will say we have another hot take ready, Sam, for when you want to come back.
Sam
Oh, wow.
Reece
I love the "NAC came about because of Y2K" hot take.
Sam
I'm going to get in trouble with that with someone, I know it. Like... But I blame Kurt for putting me on that.
Kurt
Yeah, I was going to say...
Reece
Yeah, geez, Kurt, don't get Sam in trouble.
Kurt
Some people call their zero trust strategy network access control all over again.
Sam
Yeah.
Reece
Ooh.
Sam
Is that 3.0, or 4.0?
HB
Network access control was probably the terminal point for castle-and moat architectures. It was like the last gasp of castle-and-moat architectures before...
Sam
Yeah, it was.
Reece
The last gasp.
Sam
For a while it was NAC/NAP, and then they made peace. So, there's more there. Mmm, there's a teaser for you. Yeah.
Reece
Ooh, stay tuned. Well, Sam, we're so grateful for your partnership. The integration with Beyond Identity and Zscaler has the market very excited for zero trust authentication capabilities, and we look forward to the next conversation. Thank you.
Sam
Thanks for having me on. I appreciate it.
Kurt
Thank you.
%20(2).png)
