Zero Trust and 80 Proof Bourbon with Adam Kohler
Adam Kohler · November 20, 2023 · 56:11
All right, Adam, how you doing today?
Wait, wait, wait, which one?
Well, that's it. We have an extra special episode today. We have not one, but two Adams from Staten Island. I mean, I'm feeling like the minority here. This is very, this is very awkward and uncomfortable for me.
Well, Adams make up everything.
They do, Adam squared. Power of two. Yeah. So we have Adam Kohler joining us. Adam. Adam Kay. Welcome to the show. Glad to have you on.
Thank you. Thank you. Happy to be here. Appreciate the invite.
Glad you could make it. Always, always glad to have another son or daughter from Staten Island on the show. It seems we can never have enough. But why don't you tell us a little bit about yourself and what you do. You're a security guy like us, which is cool.
I am, I am. You know, I was what I call a practitioner, kind of doing the thing on the front lines for an organization, and, you know, that was about fifteen plus years ago. And then about ten years ago I decided to go to the vendor side, which is where I met the other Adam, you know, and kind of started working with vendors specifically, and that's where I've been for the last ten years, working for a couple of vendors, specifically leading systems engineering teams, which team up with salespeople and kind of help our customers and our prospects better leverage the product and, you know, ultimately solve some business pains that they're experiencing.
Great. Yeah, that may not be something that everyone who listens knows about: how we go about buying security stuff and how it's sold, and I guess it's IT things too. You know, we have the people who buy stuff, whatever, but then we have the vendor side, like Adam's talking about. You have a salesperson who is a salesperson, but then they have the system engineer or whatever, who's the technical guy who actually knows how the thing works, who can talk to the people who kind of tell them what's going on and work with you to make sure that you can get it working at all. It'd be interesting if you bought a car like that, I suppose, but it doesn't quite work.
Or your marriage. Or your marriage, that's right.
I'm going to stay away from that one. I know. So day one when I met Adam, let me preface this. The first day I started at the organization where Joe, you and I worked, the first day I was already emailing Adam K. First day.
I remember. We were in the basement. We were in the basement of a building where IT usually is, talking about how we were going to leverage the company I worked for, their product set, to solve some challenges that the company you worked for was having, right? And that's where you kind of get into the nuts and the bolts and the use cases and the features. But ultimately, all that is trying to achieve, you know, a business outcome, right? And solve a pain for the business. And so, yeah, that's kind of what I like doing. I love what I'm doing now. You know, now I'm on the vendor side, getting to work with a lot of different people over the years, create relationships. And ultimately, we want those relationships to last, right? Because I want my champions to get promoted. I want them to do well. I want the organization to do well. I want the executives that invest in the solution to do well. And then here we are, I don't know, it must be at least 10 years later, sitting on a podcast.
Wow, you sound like such a polished manager, director, vice, whatever you are.
You are so good at this. Yeah, wow. Business outcomes and relationships, wow.
I think, should we talk about alcohol instead?
You know, like, wait, wait, wait, wait, wait. I think this is great. I might have to change my job and go work for you again. Not work for you again, but interview for the company to work for you and deal with you again.
Well, it's quite the interview process, my friend, not for everyone.
Yeah, well, Joe didn't want me working for him. It's good.
Well, he inherited you. I've listened to a couple episodes in preparation for today. And what I learned is that he kind of just, you were the stepchild he just kind of got stuck with.
Wow, you're the one that's increasing us by one for the viewers.
So, well, I guess part of the sales cycle also is alcohol. There generally is a bit of drinking and entertaining involved. Of course, as a sidelight. So what do we have for today?
As the guest, I got to pick the booze and I went with a bourbon and specifically Widow Jane, a little 10-year. Nice kind of booze. Liking it so far and just trying it for the first time, I decided to try something new for our podcast. What about you guys?
Well, me, I've got a, I didn't bring the bottle here, I don't have it ready, but I've got a Bootlegger bourbon, which is pretty good. And you know, I realized where I got it from when I saw the bottle, it has some etching on it. It actually came from a vendor, you know. Back in the COVID times when we couldn't go out for a while, I don't know if other people experienced this, but definitely in IT, all the happy hours and all the dinners were canceled. So people would have their little virtual meeting afterwards and just ship bottles of liquor and wine and everything to your house. I mean, my house was like, oh yeah, my bar was just full. It looked like a total bunch of drugs, you know. It was just crazy at one point. I still got some left over.
Yeah, previous employer for me at least. When we had COVID, my house started looking like either an airline that was giving out the alcohol bottles or a hotel refrigerator. I had like 20 different small bottles, but to be quite honest with you, I wasn't gonna lie and tell you I was drinking bourbon or something. I'm drinking an iced coffee Nespresso. This is the second podcast that we did today. You know, I'm giving up a little bit of stuff I probably shouldn't say. And so I'm trying to be good.
Well, I expect your second one to be followed up now that you've re-energized with something proper.
I'll make you a deal. If you head over to my side of the island, we'll have some drinks.
Oh, okay. All right. That sounds like it might be fun. We'll definitely talk about that. Come out to your side, the Jersey side, as we refer to it.
Well, that's true. And it's funny because Joe was here yesterday on the Jersey side. And I was trying to give him like special directions. This is how you go here. This is how you go there. He's like, Adam, it was really easy. I don't know why you have such a problem.
I know, the GPS took me right there. He's telling me, I got to watch out for this. There's this road. There's that. It's this thing. I'm like, Adam, I got here, no problem. It's like, you know, it's Staten Island. I mean, I know it seems like a very exotic place to you, but, you know, there's turkeys everywhere.
There's deer that came from Jersey, mind you. I had one of those in my backyard for the first time in the last year, never thought I'd see one. But yeah, no, it's funny you say that though, when you guys were kind of talking about how vendors had to get creative, sending booze, creating online events, right, cooking classes, engaging with, you know, people's families, because those events are now taking place at home and all that fun stuff. You know, I think that that kind of COVID and that push to working from anywhere, if you will, kind of led a bit into the topic we're going to cover today. So, you know, it was quite the adaptation.
Yeah, let's get into it then. We are going to talk today about zero trust. And, you know, for those who don't know what zero trust is, it's kind of a term of art, so to speak, in security that gets a lot of buzz. But it's a funny one, because it means a lot of different things to a lot of people, and people argue about it and wonder just what the hell it does mean. It's a really weird situation. Everyone says they have zero trust, and it seems like a lot of them mean something different. But of course, Adam and his company are the right answer. You know, we know that much.
And I want to add, before he jumps into that, zero trust is more, in my opinion, a philosophy than it really is a tool or an actual one-thing-fits-all. You know, you talk about zero trust, you talk about, hey, don't allow your people to go to anything on the internet unless it has already been whitelisted, and everything else is blacklisted. Or, you know, I mean, that sounds like a weird thing to say, but only whitelist the sites you want to go to, or only allow the applications that you want, or only allow, you know, emails that come in from a certain source. So, zero trust is almost like DLP. It's a philosophy, and to implement it requires multiple facets and multiple vendors, I think, in my opinion. So, take it away, Adam.
The other Adam. I agree with you. I agree with you. I think that no one approach or one vendor gets you there. I don't think of it as a silver bullet solution. I think of it as a technical strategy, right? But even larger than that, I think it's a strategy that we as individuals that live in this technology-encompassed world should implement, right? Across, you know, outside of cybersecurity professionals like the three of us, it's something you should use well beyond that and just in everyday life. And I think that a lot of vendors, you know, if you go to RSA, you can kind of play buzzword bingo, right? Zero trust has definitely been the buzzword of the year at times. But to your point, Adam, I think that, you know, zero trust also kind of sounds negative, but I look at it as a lack of implicit trust, right? So we know that good gets compromised. And so when good gets compromised, we want to limit the lateral movement, the lateral damage, the blast radius. So again, I think it's, you know, it's been something we've been talking about as cybersecurity professionals for over 20 years, whether it was called deperimeterization back in the late 90s and early 2000s, right? Into now, when it's been coined as zero trust, and lots of different vendor approaches. But, you know, I had the fortunate ability to work for two vendors that both talk about it in very different ways. And I agree that, you know, if you would have bought either one of those vendors alone, I don't think you'd be getting zero trust.
So I wanted to just put this. So yeah, you were talking about it sounds bad. Let me kind of give you the line here. You don't want your wife saying, you know, I have zero trust in you. It's a very different type of zero trust.
It's not so much. I would say, you know, zero trust does sound a little bit pejorative. I would almost put it down in terms of: don't make assumptions. Because the truth is, going back, like, you know, 15 years or so ago, when it came to security we basically used to make a lot of assumptions, especially when it came to trust. It's like, oh, someone is logged on to this machine that we controlled, so we know who they are, we can trust them. Or this machine is on our network, we can trust it, and because it's on our network we can give it this access. And what's happened over the past, you know, more than a few years is, you know, as people break into stuff, we've realized you just can't make those assumptions; they're a very bad thing to do.
And if you look at it from an intuitive standpoint, let's talk about it in physical security. If you work for an organization, a corporation, and you get an access card, you need to go only to the rooms that you're supposed to. They don't trust you to go into those other rooms because they don't give you access. They only give you access to the room that you're supposed to have access to. So if you look at it from a physical security standpoint, it makes sense, right? We're not going to let you go into the count room where all the cash is. We're not going to let you go into the hospital where the controlled substances are. You have no reason to be there. We're only going to trust you or allow you to go into the rooms that you're supposed to be in.
Yeah. I mean, I think that, you know, we as an industry 20 plus years ago got phenomenal at the castle and moat model, right? Putting up these firewalls and all, you know, without getting too deep into the weeds, but we protected our perimeter really, really well, right? And so obviously with the cat and mouse game, the threat actors said what they haven't protected well is their weakest link, which is realistically the user, right?
And also once you get inside, that's when that broke down. We started letting so many people inside. Not only so many people, but also it's like, okay, so someone figures out how to get inside and they're a bad guy. What do you do then? So that's what broke down that model.
And that's something that realistically, you know, 20 plus years later, if you're an MGM customer, perhaps you've heard about it, right? It's still a problem today. Even with all the billions that we spend on cybersecurity, even with all of the user education that we do and the fake phishing attacks that infosec organizations do, you know, at the end of the day, a multi-billion dollar organization was defeated, you know, via a LinkedIn profile and a call to the help desk. So it's still very much a problem. And you better believe that organization has invested a lot in hiring top cybersecurity talent and products. Well, I have it now, I'm sure.
As I keep on using this analogy of the physical security, you know, you can have a bank, and the bank is completely fortified physically. The front door has everything, it has gates, it has this, it has that. But meanwhile, you go to the deli next door, you break into the deli, and you're able to go through the wall of that deli into the bank because the whole wall wasn't fortified at all, assuming that the other organization fortified it. So now you're moving, you have lateral movement, you're traversing, so you have to be very careful what you allow and what you don't allow.
Yeah, and I think that, you know, that's part of the challenge, is that it's not trusting anyone, but it's to say, what is the least amount of privilege that I can give this entity to perform its function, right? And, you know, when COVID came, we want to enable our users to work from anywhere, right? Just to work from our home offices. Well, they connect to the VPN, then we drop them on the network and they can go anywhere, but do they really need to go anywhere? Right. Or should we start to limit and say, HR users can go here, sales users can go there, accounting can go there. And it doesn't stop you from getting compromised. Right. And it's that concept of we all get compromised. It's just detecting the compromise or meeting the compromise, killing the attack chain in a timely manner, right?
I was going to say, well, one of the big things that we do now, and that zero trust plays into, like I said, it used to be you get in and you're in, or you get access and you have access to a lot of stuff. We always knew that that violated what's called the principle of least privilege, which is you only give people the access that they need. But it's become even more important now when the hackers have gotten very good, through various means, but you know, they've become very good at becoming someone legitimate. And then when they become someone legitimate, you know, are we gonna say, okay, do we just give them everything now that they're trusted? And it's like, no, you know, we want to at least make it harder for those people. So, you know, they can't move around and exploit stuff. And, you know, as Adam was saying, then hopefully as they do it, as they try to work their way through this, it makes them easier to catch, basically.
So to throw a grenade in here, you know, it's okay to allow people to have access, but then there become issues of technology. And one of the things that Joe, you and I saw, and I know you saw, Adam, okay, is that, okay, you're working from home, maybe you have split tunnel, maybe you don't, but even with split tunneling, you allow maybe all your traffic to go to a certain port, 80, 443, because you don't want to really use the bandwidth of the organization, because then you have to get bigger bandwidth. Everyone's working from home. So you allow the traversal of your web traffic to go through your home. But wait. Wait, wait, wait, wait, wait, wait. What happens if I want to use a printer and the printer's at home? How do I make the printer work from home? Do I set a separate subnet? Do I send somebody to their house? We saw a lot of these complications of how to allow certain technology. How do we trust the person in their home not to exfiltrate the data by printing to a PDF? Oh, but they need to do the function of printing to their paper so they can send things out. And that was another complication. Just because you allow privilege or don't allow privilege does not allow you sometimes to fine-tune the technology that has to be allowed or prevented.
Well, I think what a lot of, unfortunately, IT organizations do is they layer on a control without realizing what that's realistically going to force the user to do, right? And then will there be additional controls that stop those additional activities? So I worked for a company once upon a time that blocked printing locally, which is great, because then I just emailed the document using my personal email and my work email, pulled up my phone and AirPrinted it.
A classic.
So like, all you did was actually make me do it in a less secure manner. Because at the end of the day, the business needs to be enabled, because without the business being enabled, without operations staying up, it doesn't matter how secure you are if you don't have a business to protect. Right. And so I think that that's where I think a lot of times we fall short, to your point, Adam, in that, okay, great. You implemented zero trust. You did split tunneling. You're putting your internal traffic to your corporate networks. For those who are watching that don't know what that means, it means you take all the traffic coming out of your computer and you say, this stuff is meant to go to my corporate network and this stuff goes to the internet, right? I'm not going to inspect anything that goes to the internet. And that's a problem, because that's where the risky stuff is. And once that endpoint gets compromised, well, now guess what? That threat actor can use the internet into that compromised communication path to go to the corporate goods, right? But we put a lot of controls in place without thinking about, have we, you know, impacted operations and productivity, and then, you know, which ultimately people will find a way around.
Yeah, well, that's always one of the big challenges in security. We've talked about this in prior episodes. People will always figure out how to do their job and figure out how to do it the easiest way that they can and the most effective way for them. Even if it breaks, even if it goes around security mechanisms, even if it goes around security and policy. And one of the big challenges about being in security is that, I guess it's like crowdsourcing. You got a security team of maybe a dozen people, but the couple thousand people in the organization are much more creative, and you're basically crowdsourcing their way around it. It's very, very difficult. But although, Adam, you're right, what you really want to give them is a solution that's going to give them what they need to do from the business standpoint, but that also is controllable and that's reasonably safe.
And going back to the whole MGM thing, right? At the end of the day, the issue is always that layer eight. For those who don't know what layer eight is, we kind of joke around: there's only seven layers of networking. Layer eight is the hand, it's the keyboard, it's the politics.
It's the person.
It's the person. Yeah, okay, I was getting there, Joe. Let me get a little bit more screen time. A little bit more screen time. I'm hamming it up.
Yeah, so oh that island just came out.
Yeah. Yeah. Yeah. Oh, the hands of this, that, yeah. I see a turkey in your window behind you. Yeah, so the reason why I'm bringing this up is that, you know, I remember one time vividly, you know, I'm explaining to somebody about DLP, and it was one of our internal clients or customers, and they're like, Adam, why doesn't the product already know that every time I send an email to my wife or to my home email, that it's okay? I'm like, wait, wait. So, and I'm trying to be very careful, I won't even tell you the type of client we're talking about. So you're telling me if you send it three or four times, you normalize it, that means it's okay? It's the opposite. And it's the same thing with zero trust, whether it's a proxy or anything else. It doesn't make it right if you think it's okay; it's actually the opposite. And this is why we have these, this is why we also go into another issue of, and this is more for us networking people, we get into this whole issue of having too many agents on your machine, or agent overload. I have an agent for DLP, or data loss prevention. I have an agent for going out to the internet, or proxy, whatever you want to call it. I have an agent for my EDR, or endpoint detection and response, a fancy way of saying antivirus. So you can have all these controls in place, but you have to make it work, and you can't make it slow.
Yeah, and just so everyone knows, the agent Adam is talking about is a little piece of software that, like, you know, shows up in your little system tray in the lower right in Windows that you think is slowing your machine down. Which it is, probably. Which it probably is.
But it only slows it down when you have so many.
Except for Adam's company, that doesn't slow anything down.
You bring a great point, right, which is, you know, you talked about the layers. Layer 8 is obviously a big problem, but then at the end of the day, the way that I look at the world now is that layer 4, the transport layer, the network layer, is just a thing to transport, right? And that's it. And that is what has happened to us as a society, right? And as a prior network engineer, and God forbid a future network engineer I engage with hears this, the network is a way to move packets from point A to point B as quickly as possible with the highest resiliency possible. And that's it. And that's where it should end, right? And the security, the authentication, all of that, it's all happening at the application layer and above, right? Outside of obviously encryption. So I think that, you know, you kind of look at it and you say to yourself, okay, like, the network to me, again, castle and moat, but what happens when everyone is just outside the castle now?
And that's where we live. Right. We used to think we could control the network. So, you know, you can control who talks to who and control the traffic based on where people are. We can't do that anymore. And it's getting even harder, like you talk about the application layer, you know, control what applications talk to each other and everything. You know, that's even tougher, because, like, you know, I mean, Adam number two, number two, sorry, was saying earlier, you know, someone sending something to their, you know, to their wife. It's like, you know, I've had the case where someone's sending a spreadsheet full of financial data and he goes, but it's to my stockbroker, that's safe. It's very, very difficult for computer systems still, and maybe AI will help this, but one of the big challenges is: is that something that's supposed to be going to someone who's there, or is that a bad guy who's taken over an account, sending financial data out to his buddy? That's a huge, huge challenge now.
Or the HR person says, I need to work on the salaries or something, and the bonuses. I'm sending it to my personal email because I can't get to it if I don't have my work machine. It's OK. And I'm like, no, it's not OK. You know, you don't want to send people PII, or personally identifiable information, whatever.
You know, AI is a double-edged sword, right? You know, I mean, we talk a lot about generative AI specifically, you know, in the industry now. And I think that what I will say is phishing emails have proper grammar now, right? Yeah, hey, there we go. So, you know, that's a plus for the bad guy. But also, what are people copying and pasting into these AI engines? But, you know, how do we enable our security teams using AI, now that we've kind of shifted topics? I was meeting with a CISO of a large stock exchange recently. And, you know, above and beyond their, they formed committees around AI, but above and beyond that, their number one initiative was, we are going to enable through AI. How do I take my security team, my SOC, and get rid of the low-level stuff that causes them to be looking for a needle in a haystack, and leverage AI for that? Those are the types of things that they're trying to do. Joe smirks and he laughs because it's really tough to do. It's really tough. You know, and that's their pie-in-the-sky goal, right?
Well, it's really tough to do, and the funny thing is that we've actually been using AI to do that for years, not the generative AI that's coming out of the ChatGPT, but more things like machine learning and other things that essentially look for patterns, you know. But whether it's generative or the other stuff, patterns can be deceptive, and it can be very, very difficult to distinguish what's good and what's bad. And that's something the bad guys very much exploit. They try to make the stuff that they're doing look legitimate. So that even sometimes if you have, you know, not the AI, but the analysts looking at it, they're like, I don't know if this is right or not. You know, that's really, really tough.
Yeah, I think, and, you know, it's that user behavioral analytics, where deviation in patterns... And that goes back to what Adam 1.0, the 2.0 version, the improved version, was mentioning earlier, which is that ultimately, that pattern shouldn't be recognized, shouldn't be trusted solely based on the fact that it's a pattern. Because threat actors use those patterns to exploit. What I think is interesting about the generative AI model is, how can I use that to be in an interactive thing with my SOC analyst, right? Who, a lot of them, let's face it, are pretty junior, right? Especially when you look at the whole view of the world, and they're used to being stuck in a SIEM interface, right? How do we use generative AI to ask questions and to ultimately get some answers and reduce the workload to make them more efficient?
Well, you know, I suppose that can be kind of useful, because, you know, it is interesting when you talk about the, you know, the SOC analyst, the junior security person looking at these things. It's usually someone, you know, young, someone not super experienced, but even the experienced ones, they're not, you know, business people. And maybe if they're looking at something, they don't know what it is. And I suppose maybe a generative AI could help, for them to just say, what is this? Is this a financial statement? Is this something that is sensitive? Because sometimes, you know, I know from my experience, we've had to do it the hard way and go to someone who's more knowledgeable. I guess an AI could help.
And how many systems do you have to pull that data set from to kind of get, you know, into a point where you could learn it? I mean, where you can understand you know, does this make sense to my incident response?
Well, the generative, if we talk about it, you have to have a trusted source that's feeding that, but that source also has to be something that is not open. And the reason why I say it's not open is because you really want to sample live data. And you don't want other people to have access to that live data in the same boat to become generative AI. If I'm understanding the issue correctly, does that sound right?
Absolutely. No, I mean, listen, AI models are trained, they learn, right? But I think for a long time, especially in financial services, right? And then more mature industries, they've been creating data lakes for a long time, right? Where they're taking data from their systems and putting it into a lake. And those systems ideally are trusted. There's obviously flaws that we could go down the rabbit hole on there. But then using generative AI on top of their data lake to help an incident responder, I think, is a pretty cool way to look at it. Again, novelty at this point, right? But what I've seen is that there's obviously this open embrace of generative AI and just AI in general, right? And so how do we do that? What are the implementations, especially from a zero trust model, where you're not supposed to trust anything, let alone an AI model?
Well, that's what kills me about AI. And we've talked about it before. And it's one of my favorite AI topics, the whole thing about hallucinations or whatever, which I think is just a euphemism for, you have to say, hey, it's great. It tells you all this stuff. But it might be wrong. That makes it tough.
And then from a data lake standpoint, when you use it for AI, you want to make sure that that's, you know, and I know we kind of touched on that, you don't want that source to be compromised, because then it becomes a supply chain type of attack, similar to what we've seen where upstream, people are compromising stuff. And I can only imagine if you compromise a data lake to normalize stuff that shouldn't be normalized, then that traffic doesn't get identified. And then it looks like it's benign.
It's a topic, man. It's a topic that we could probably spend many, many, many hours on, you know, when it comes to generative AI. I'm sure.
OK, so getting back to the zero trust a little bit, Adam 2.0. What would you consider, like, a good zero trust implementation? I mean, what do you think is a solid example of, you know, using it, using that approach well, especially in the modern context, you know, something kind of current.
Right. So I think I have two different answers if I'm speaking to a cybersecurity professional in the industry or an everyday person. Let's go with the everyday. Everyday person. All right. I think that the way that I would look at it is that you should always think, question and think to yourself, what is the least amount of privileged information that I need to give this entity? Entity being a user, a device, a person, an organization, a corporation, a healthcare. How much information I have to give them to do the task I need them to do for me, right? And so what I mean by that is, you know, kind of when I look at a doctor's office, you know, and I've actually tested this out many, many moons ago. Do they really need my social security number? I would argue they need my name, my address, my date of birth, and my medical information, you know, XYZ, UnitedHealthcare, member ID and group ID. I would argue they never need my social security. That is more than enough PII to understand who I am, right? So question that. I did, back in the past, I tried to... No, I'm not giving you that. Well, you have to, to see the doctor. Okay. You know, 8675309. Got it. Here you go, right? Still got treated, still got billed, all that fun stuff happened, and I didn't put additional PII out there in the trust of someone else.
Can I just jump in there? It's funny. We've had this conversation, Joe and I, and without respect for country, a lot of these offshore recruiters, you need to give me the last four digits of your social security number. Get the hell out of here.
First of all, I don't know you.
And then the ones that are really scamming, just so you know, we can validate you from a security standpoint, what's your mother's maiden name or something like that? I'm like, come on, stop. You got to stop. And everyday people need to question, is the person calling me the true source? Don't answer questions like that. Say, what number are you calling from? And then you don't call that number. You just want to see whether or not they're lying. And then you say, I'm going to call the number on the back of my credit card. I'm going to call the number on the back of my bill. Don't ever trust the person calling is truly that person.
I would take it a step further and say that's proper zero trust. This person I don't know. But now let's take it with someone I do trust. My doctor that's been treating me for 20 years. Or this device that I carry around. My phone. Good gets compromised. So yes, the rando on LinkedIn trying to get me a job that wants my Social Security, fine. Apparently, more American companies should have done that based on the FBI articles that came out recently about North Korea funding their ballistic missile program through outsourced IT people. For us, maybe not that bad of an idea, right? Okay. But like, no, let's take those things we trust and under – like my doctor, like I said, he's been – I trust more than anything, right? He doesn't need my social, okay? My phone, for example, everyone puts a webcam cover on their laptop.
They'll put it on their phone.
When have you ever seen one on a phone, ever?
I got one better than that. When have you ever covered or stopped your audio microphone on your laptop or your Google device or your whatever device? Audio is probably, I'm willing to say, even worse than your camera.
I have a smart home. I have tons of zones from AC perspective heat. I literally made sure that I bought smart thermostats that don't have Alexa and microphones built in. I bought the old model, the cheap model. Because I don't need to talk to it and say, set the temperature, Alexa, to 72. I can walk up and that's one less microphone in my life.
You just raised the temperature in my house. Why did you do that?
But no, to me, that's the zero trust. Just think about what is the minimum that this entity needs to do the function that I wanted to provide, how I provided that, and not provide carte blanche.
Well, the problem we get into that, though, and this gets into another topic we've covered in the past, is the whole thing about surveillance and data collection, where the answer is, with a lot of these things, they don't need it at all to provide the function that they're giving you, or they can do it without it. But they want it, because that's valuable information. And unfortunately, it not only subjects you to the surveillance, but what about when they lose it? What about when it gets compromised?
So it's risk versus reward. We had this conversation with Jen, which is a former ACLU and EFF Frontier Foundation attorney. She came on our show and she's like all about privacy, how bad all these data collection companies are, but yet she still loves her voice controlled stuff. She goes, I know it's bad. I know how bad it is, but I still use it.
You have to, again, it's, you know, whether it's enabling the individual or enabling the business, is the risk first, you know, worth the reward, right? That's why we have GRC, you know, governance risk commission committees and, and all that fun stuff, um, you know, in the business world and you as an individual, you need to think to yourself, is, is saving myself five feet of walking up to the thermostat worth an additional microphone?
I'd argue no. But you might be able to do that with your thermostat, but you can't necessarily do that with your phone. Your phone is always collecting data. Your phone is always listening to you.
Which is why you have to think about where it is, right? Listen, my phone is on me a lot, but if you want to have a private conversation, throw it in the microwave, don't turn it on, put it in the Faraday cage, right? But if you want a conversation to be truly... What I've accepted post 9-11, as a New Yorker and as someone who lived through that, is that any time I put something on a medium outside, is that there's a chance it's being listened to by someone else. So the only true private conversation is a conversation that's happening in person, but then you've got to worry about what's around you. So if you want to have that real conversation, again, kill the communication ability of said device, but at the same time, why are you going to trust that and think you're having a private conversation? Or you get out of the shower and you're wearing your birthday suit, right? And you're sitting there on your phone like this, you know, reading a news article on email. That's a camera pointed at you. That, to me, is the definition of zero trust. You don't need to be doing that in that moment, right? It could be in your drawer, where it can't see you, can't hear you. And so I think that's what I would love to kind of put out there. This vendor or that vendor or this or that. It's a lifestyle.
Yeah, it's a lifestyle. It's very hard these days to adjust to. We all want to do it. We all want to get there. Same reason why I would argue with you, Adam. Adam 2.0, the better Adam. I would argue with you is if you are a major corporation with deep pockets and you want to do zero trust from a proxy, from a DOP, from anything, it's chasing your tail constantly to update the sites to go to, the applications to use, the machines. You've got a whitelist. There's a whitelist app because some of them are not easily identified by their behavior, their patterns, whatever it is. So, let's just talk about zero trust. You only want to go to 10 websites on the whole entire internet. Because some argue there's maybe a thousand the most you're ever going to go to. Let's just say a thousand. And you would know better than I would, but let's make that number up to a thousand. And then all of a sudden, because we don't want people creating a new site, it looks like, you know, instead of adamroth.com, it's adamroph.com, and you don't want people going into that by mistake because they didn't realize, or the wrong character from another language looks like a regular A. So then you have to have somebody constantly updating it, constantly allowing when they require access to it. So the point I'm making is, it's great. I love it. I'm not saying not to do it, but there's a lot of maintenance involved.
You're starting at the end, bud. That's what I'd say to that.
And you're probably right.
You're starting at nirvana, right?
Yeah.
I used to love when people would come up to me at the first meeting and they said, I want to do micro-segmentation. Yeah. And I'd sit there and I'd wonder what article they read yesterday that decided they were going to do micro-segmentation while they have flat networks. Like, how about that?
Wait, wait, wait. Flat network. Tell them what flat networks are.
Well, just to use an analogy, it's like when someone says, I want a turbocharger and a supercharger and all this fancy stuff. And, you know, and it's like a Yugo they're driving. You know, it's like they're way beyond. They're nowhere near that.
They found it at the end. And I believe you should set that as your goal, you know. Set that as your goal. It's a journey.
I agree with you. It's a journey.
How about this? How about we start with the crown jewels, right? If you ask any business owner, any organization, what are the five crown jewels in your organization, right? They should know that off the top of their head. Start there.
Crown Jewels being the most important asset, whether it's a server, whether it's a user, a VIP.
The things that own the PII, the things that host that. You know, I was at Toronto for a conference, a healthcare specific conference a while back. And, you know, an executive from SickKids got up, and she talked about their experience with a ransomware attack that they experienced, and what I loved the most about that talk, it was incredibly impactful to me, was that the things that she brought out that I didn't realize, right? So she said, let me ask you guys, we're suffering a hospital healthcare-wide outage due to ransomware. What do you think was the number one application that we needed to bring up, right? The audience says, your EMR, right, your electronic medical records, Epic, whatever the case may be. Your email, your website. No. Payroll.
Making people get paid, right?
Right. You know what the second most important thing to her was? Food. Food to feed the workers that were now working 24-7 in the environment, right? to keep it up and running, to combat this ransomware attack that they were experiencing. And so, a lot of times the things that we concentrate on are not the important things. My favorite talk that I ever saw at a security conference was the 2600 conference, back in the day, low-tech hacking. The wire with a wet towel, underneath the door that opens the door from the inside and you just defeated the system.
Everyone, this is like stuff from the 80s, hacking phones. Right.
But again, you know, to your point, Adam, like, I got to worry about this URL and that URL and this thing. but you haven't accomplished protecting your crown jewels.
Yeah, it's a journey. I was at the end of the journey, buddy. I'm sorry, because that's what people normally want to... They all want to talk about the end journey. It is, bud. And I tell people, even for micro-segmentation, you know, we were implementing micro-segmentation, and I'm like, what are you going to open? I say, you know what? Let's do a capture. Let's see everything that's going on, and let's start blocking things from a standpoint like only allow 8443 from the source to the destination. But the point I'm making is you don't have to know every single port and every single source. You can start by doing a little bit, and then closing in more, and then closing in more, and then closing in more, to a point where you tighten it. But it doesn't have to happen on day one.
Here's also what's challenging. I mean, you know, being a practitioner, being a manager, all this stuff, you need all this stuff. You say, okay, we're gonna start with this, and you start, and you go out, and you do all this stuff. But, you know, the state of things is so difficult and so challenging that you have a situation where it's like, all right, we put all this stuff in, we protected the crown jewels, we got this, we got that, we got all this different stuff. And then you find out someone, you know, was able to log into the VPN again into the network because they tricked someone on the help desk or because of a phishing email. And you know what? You blocked 199 million phishing emails this month, but one of the five that got through got to someone. And they got it. And I can tell you from experience, that's part of where that mentality comes from. It's like, yeah, we can do all this stuff. We can do the essentials. We can protect it. But you know, it's like the bad guys have gotten so good at exploiting that tiny little pinhole, that little thing that just gets them in. They work it from there and then they'll find out something else small and then find something else and they go in. And that's when the depression and despair comes in when you hear about some of these hacks. And you say, like, you know, especially when you say... That's what keeps you up at night. Exactly.
What keeps you up at night? Your favorite question as a InfoSec executive.
And this is not terribly complicated, but it's like, I've seen some of these pen testers do some crazy things. And when I say crazy, I'm not talking about high technology. They're like, oh, let's go look at Adam... 3.0. Let's look at their LinkedIn or their Facebook or something. Oh, Adam's into baseball cards. What we're gonna do is we're gonna put up a fake site. But we know he's into this one card and we're gonna put this card up for a ridiculously low price, but a reasonable price, and then we're gonna send an email saying, hey, I heard that you into a working, I heard you were interested in this card. I got your information from a list. And then they turn around and that person clicks that site and they get compromised. Because sometimes it doesn't have to be an overly complicated technology. It's got to prey on your emotion. So now you're at work like, oh, I got to see it, I got to see it. And then boom, you got it.
Which is why I think that that onion approach, that layered approach is what matters, right? Because again, we know good gets compromised. So if it does, what happens? They looked up a guy on LinkedIn, guy, girl, whoever, and they used their credentials in the help desk, and they logged in, and they were able to... Yeah, MGM, and they were able to own the entire environment. Because there wasn't segmentation or layers of controls involved, right? So I think you have to ideally end up in a world where, you know, if you do get compromised at the subset of the environment, that gets compromised, and then also on top of that, can you detect the lateral movement? Do you have deception in place? Oh, I love deceptions. I know you love deceptions, that's why I put it out there, Adam 1.0. I know you love deception technology.
You had me at deception. Because we also have a friend that worked at a deception company.
And I think that, do you have those types of things in place to understand, you know, if good gets compromised, now what? Right, because we still have to come back from that.
And by the way, I thought you were deviating for a second. When you said onion, I thought you were going to Tor sites.
No, well, you're right. It's, it's, I mean, I mean, I suppose, I mean, you're right. There are... how do I put it? You don't want to make it, you want to make it as difficult for the bad guys as possible. And we've talked about this before. It's like, you know, there are going to be, you're not going to be perfect. There are going to be at best pinholes. But, you know, you want to make sure that someone gets through a pinhole, that they're not all of a sudden wide open, that, you know, that they don't have something very easy to work with. And you're right. And that is what zero trust is about. And also, the monitoring is so important because people will get in. I had an interesting conversation with someone recently where I said, you know, ransomware isn't like, you know, someone gets in and they drop the ransomware and then all of a sudden every screen in the computer is blue and says, it's not like that, you know. It's like, there are signs, there are things you can tell. You have to expect that people are going to get in and, you know, there's a protection of things like with a zero trust model, but it not only makes it hard to get through, but makes it easier to detect. And you got to have that detection, super important.
I mean, I've had customers that have dealt with low level ransomware infections for years, depending on their environment and their ability to remediate, right? Where it's just whack-a-mole, whack-a-mole. You know, I've also had customers who have actively chosen to leave a machine malware infected because they do something like process manufacturing, for example, where if they shut it down, it would cost the organization tens of millions, hundreds of millions of dollars to do it. So we're just going to leave this machine infected with malware because I don't want to ruin this batch of XYZ chemical that I'm creating. And so there's a lot of variance on that continuum of operations and security and where we fall in between. But I would, you know, what I say is that, you know, and me and everyone else, right? Anywhere that you can interrupt that attack chain, you kill that attack. And they're coming with 10 more, 20 more, 100 more, right? But you killed it for now.
With, you know, AI, with the amount of tools that are out there, the skip, the kits, because I can't even speak English, the kit, the script kitties. Script kitties. Yeah, thank you. Oh my God, English is hard work for me. The script kiddies are out there. They know what to do. And now it's more of like a business, right? If you can get us X amount of clients, we'll give you 20% as being a part of our affiliate program and getting ransomware.
So ransomware is a service.
Yeah. We went from Sub7.
Right? If you guys remember Sub7 and NetBIOS, right?
Yeah.
So now ransomware is a service. Yes. I mean, you know, insane.
We were just talking about that the other day too, like, uh, like threats as a service, like people that, you know, you can hire somebody to go maybe throw a Molotov cocktail through their window. You know, you can go to a site, pick it and get local affiliate people to do it for you. It's insane.
Yes. Okay, well, unfortunately, this very cheery topic here, point that we've come to, brings us to last call where, to tell you the truth, I'm ready to start all over again. Need at least two more rounds, but I think it gets back to this defending his stuff. This is not easy stuff, and there's a lot to it. So Adam 2.0, your thoughts, your final take on this, at least for now.
Final take for now. I mean, I think that, you know, I think zero trust is an important topic. There's a reason why we've been talking about it for decades and, you know, no individual gets it perfect per se. But at the same time, again, just incorporate it into your world and just wonder, like, in order for me to do this thing that I'm trying to do, do I need to give it this much access or do I need to open myself up this much? Because I think that it's not about not trusting anyone, which zero trust kind of implicitly says, right? But again, it's not giving them implicit access. It's limiting this entity from doing, you know, only what it needs access wise in order to achieve the goal that I'm trying to have it achieve for me. And I think that we all can do our part to kind of help make sure that our information is not out there.
So, I'm going to add to that, Joe. Please do. From a zero trust, let's talk about situational awareness. You don't want to give any information you don't have to. What does that mean? When you walk out of your building, if you're required to wear an ID card, take your ID card and either put it into your shirt or put it in your pocket. No one needs to know where you work and what your name is. They don't need to get pieces of information from you. If you're mailing a letter, you don't leave it with the letter signed up in your car, so now they know your address and everything else about you. When you do things, you have to be careful of what you show and what you do. If you're on the phone, on a bus, and you're talking about, you know, your medical procedures and who you're dating and what their email address is and their phone number to call them, you don't want to give that information out. I see that all the time. So zero trust means exactly what Adam 2.0, the better Adam, is saying. Don't give out information you don't need to give out. Always assume someone's listening to you, or something's listening to you, and be careful. Now that being said, I'm not perfect. I do have stuff in my house. I do have my kids using Alexa and everything else, and I try to be very careful what I do, but that's the point. Be conscientious about what you do and what you say when you can. It's not a perfect world, and it's not a perfect situation.
Okay, well, Adam, next time I'm in your house, I'm gonna yell for Alexa and order like, I don't know, 500 pizzas delivered or something.
That's fine with me, because I don't have Alexa. My children do.
Okay, well, thanks. Both Adams. Thank you very much for joining.
Thank you. Thank you 2.0.
No, this has been a great discussion. This is a topic you can talk days about.
Yeah, we can build conferences around this. Oh, totally.
What we're looking to do, actually, before we hang up here, we're looking to do maybe a security cocktail hour con. So we might do that. Oh, that's right. You're local. All right. Yeah, maybe we'll do that in a bar or something. We'll be in a bar.
I'm there, boys. I'm there, boys. Let's do it. Yes, sir. All right, awesome.
OK, well, Adam, thanks for joining. Seriously, this has been a great one. Cheers. Thanks a lot.
