Welcome to the live blog from SecurIT: the Zero Trust Summit for CIOs and CISOs.
SecurIT is an all-day industry event at Terra Gallery in San Francisco. This blog will be a frequently-updated chronology of highlights from the day, including notable quotes, photos, and other interesting details that we hope a remote audience will find useful in their Zero Trust journeys.
If you're new to Zero Trust, it might be helpful to visit https://www.centrify.com/zero-trust-security/ to learn more about this concept, which is enabling a complete rethink of security. The old adage of 'trust, but verify' doesn't work in today's world, where network perimeters have dissolved, cloud computing is the new norm, and workers are increasingly mobile. The new mantra is 'never trust, always verify.'
The agenda for today's event is available at https://www.eiseverywhere.com/ehome/securit-centrify2018/711155/
Now is also a good time to remind everyone that we are live-streaming the event as well. You can either view that at the top of this page, or go to https://info.centrify.com/ztsummit-livestream.html to sign up and follow in a separate browser window.
Finally, we're also documenting the event on social media, and encourage you to do so as well and provide your thoughts throughout the day using the hashtags #SecurITIDG and #ZeroTrust.
First up will be Bob Bragdon, publisher of CSO, to provide opening remarks around 9:15am PT.
9:15am PT: Bob Bragdon, Publisher of CSO
Welcome and Opening Remarks
9:22am PT: John Kindervag, Palo Alto Networks
John, a former Forrester analyst and Zero Trust Founder, is presenting A Strategic Overview of Zero Trust.
"December of 2013 marks the beginning of our industry. Everything before that was BT: Before Target."
"Trust is a vulnerability because it has no value to your organization, it's just something that can be exploited by hackers. If someone says they're going to use Zero Trust to get your organization to a better state of trust, they don't understand it."
"Trust is a four-letter word."
Zero Trust Design Concepts:
- Focus on the business outcomes
- Design from the Inside > Out
- Determine who or what needs access
- Inspect and log all traffic
John is equating Zero Trust to Secret Service Security for the President. They know who he is, where he is, and can limit the access to him - that creates the perimeter, not fences or other physical boundaries.
"We have to automate the response. We can't move fast enough to beat a machine. We can never respond fast enough. We need to have ways where we automate to stop breaches."
"Zero Trust is strategic because it can resonate all the way up to Congress, to your CEO."
9:43am PT: Dr. Chase Cunningham, Principal Analyst at Forrester
Chase is speaking about What is Zero Trust, and Why Does it Matter?
Chase is creating an analogy about fear of mosquitos vs. Great White Sharks. No one goes running inside when they hear a mosquito, but they'll stay out of the water for fear of sharks. Yet mosquitos kill 725,000 people per year, while Great Whites kill 15. You have to fear the small things just as much as the big things.
"Breaches are bad, but it's a F.U.D.D (Fear, Uncertainty, Doubt and Drama) problem. They should be thinking about how to solve the problem."
"Compliance is not security. People do compliance because they're chasing the compliance rabbit. But they don't have a security strategy."
"The industry has a strategy problem about how to leverage technology to solve the issue."
"The common threat in ransomware, phishing, and social engineering is people. We need to figure out how to secure people."
"Pick a pillar, start applying Zero Trust to it, and solve the issues. Then go back and apply it to another pillar."
Chase is now talking about Next-Gen Access as part of a Zero Trust strategy.
Chase is summarizing with a slide about What does Zero Trust mean for us?
"People are chasing security and compliance, rather than a strategy that actually solves the problem. If you adopt Zero Trust, and follow the framework, you won't fail."
10:47am PT: Tom Kemp, co-founder and CEO of Centrify
Tom is speaking about Changing the Game with Zero Trust Security
"We're spending more money on security each year, but we're actually becoming less secure. Zero Trust provides a better framework to look at cybersecurity, and rethink the way we're doing security."
"80% of breaches involve privileged credential misuse. The bad guys are going after the 'keys to the kingdom.'"
Core Principles of Zero Trust:
- What do we know about the user?
- What do we know about their device?
- All access to services must be authorized.
"The old model was, 'Oh, you're in the network, we're going to trust you.' The new model says, 'Never trust, always verify.'"
Next-Gen Access: Pillars of Zero Trust Security
- Verify the User: Single Sign-On, Multi-Factor Authentication (MFA) everywhere, User Behavior Analysis and Risk Scoring for Access.
- Validate the Device: Device & App Management, Device Context, Conditional Access Based on Security Posture (ex. updated OS version), Endpoint Privilege Management
- Limit Access & Privilege: Granular Role-Based Access, Limit Lateral Movement, Access Requests for App/Endpoint/Infrastructure, Audit Everything.
- Learn & Adapt: Machine Learning to know more about the user and apply conditional access, etc.
"We surveyed organizations about their Zero Trust progress. People who were further down the path of Zero Trust had 50% fewer breaches."
Rethink Security with Zero Trust
- Challenge a Perimeter-Based Approach
- Adopt a Zero Trust Security Approach
- Leverage the Power of Next-Gen Access
11:16am PT: PANEL - How to Approach the Zero Trust Network
GRAHAM: "I think we're in the early innings here. We're very focused on user access: hackers no longer hack in, they go after the weakest link - users. There are lots of devices and interactions (ex. IoT) that won't be driven by the same access."
NGUYEN-DUY: "Cybersecurity and risk management are larger than network management. It's anomaly detection, and the other issue is mitigation at speed and scale. There's a lot of manual segmentation today. It didn't work on the Titanic, it's not going to secure your enterprise either."
"The perimeter is almost an archaic construct. Today it's about visibility, detection and control."
GERO: "At our buildings, it's 100% guest Wi-Fi. Then you can segment by applications themselves. For human-based access, treat insiders and outsiders the same. The perimeter for machines still exists in that model."
"Machine Learning is great for finding patterns. If I know an AppleTV only goes to three places on the internet, and it starts to act differently, that's a great sign of compromise."
NGUYEN-DUY: "There is such a thing as a risk-management framework. There is no such thing as a mis-management framework."
GERO: "The basics like MFA and getting visibility of your network are far more important pillars of Zero Trust. AI brings sophistication to that setup once you've got the basics done."
NGUYEN-DUY: "Zero Trust isn't a chicken cooker where you plug it in, set it, and it works out of the box. It doesn't work like that. You have to educate leadership. 78% of all federal security programs are at high risk."
GERO: "This is a journey. Visibility is going to help you create a strategy for how to do this."
GRAHAM: "Engage your users. Explain to them the journey that you're going on, and have a dialogue with your users about why certain roadblocks are being put up. People need to know why that's occurring. Make them aware of the journey."
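The device-baseline idea raised in this panel (a single-purpose device that only ever talks to a handful of destinations, and a new destination being a sign of compromise) can be demonstrated with a small egress-baseline detector. This is example code written for this post, not anything shown at the summit; the log format, the host name "appletv-lobby", and the destination addresses (taken from the reserved documentation ranges) are constructed.

```python
"""Per-device egress baseline and new-destination alerting.
Example code for this post; log lines and addresses are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed connection log: "<timestamp> <device> <dest_ip:port>".
# The learning window shows the device talking to exactly three places.
LEARNING_LOG = [
    "2018-06-12T09:00:01 appletv-lobby 192.0.2.10:443",
    "2018-06-12T09:05:12 appletv-lobby 192.0.2.11:443",
    "2018-06-12T09:07:44 appletv-lobby 198.51.100.5:443",
    "2018-06-12T09:30:02 appletv-lobby 192.0.2.10:443",
    "2018-06-12T09:31:55 printer-3f 192.0.2.20:631",
]

# Constructed live traffic: two known destinations and one never seen.
LIVE_LOG = [
    "2018-06-12T14:00:03 appletv-lobby 192.0.2.11:443",
    "2018-06-12T14:02:19 appletv-lobby 203.0.113.77:4444",
    "2018-06-12T14:03:00 appletv-lobby 198.51.100.5:443",
    "2018-06-12T14:05:41 printer-3f 192.0.2.20:631",
]

Event = Tuple[str, str, str]  # (timestamp, device, destination ip)


def parse(line: str) -> Event:
    """Split one log line into (timestamp, device, destination ip)."""
    ts, device, dest = line.split()
    ip = dest.rsplit(":", 1)[0]  # drop the port; baseline on the host
    return ts, device, ip


def build_baseline(lines: List[str]) -> Dict[str, Set[str]]:
    """Learn the set of destinations each device contacted."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        _, device, ip = parse(line)
        baseline[device].add(ip)
    return dict(baseline)


def detect(lines: List[str], baseline: Dict[str, Set[str]]) -> List[Event]:
    """Return events whose destination is outside the device's baseline.

    A device that was never seen during learning has an empty baseline,
    so every one of its connections is reported; that is deliberate,
    since an unknown device talking out is itself worth a look.
    """
    alerts: List[Event] = []
    for line in lines:
        event = parse(line)
        _, device, ip = event
        if ip not in baseline.get(device, set()):
            alerts.append(event)
    return alerts


def run_demo() -> List[Event]:
    """Learn from the constructed window, then check the live traffic."""
    return detect(LIVE_LOG, build_baseline(LEARNING_LOG))


if __name__ == "__main__":
    for ts, device, ip in run_demo():
        print(f"{ts} {device} contacted new destination {ip}")
```

A set of destinations is the crudest possible baseline; in practice the learning window needs to be long enough to cover legitimate periodic traffic (update checks, certificate revocation lookups), and hostnames or destination ASNs usually make a more stable key than raw addresses. The shape of the check stays the same either way.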
11:58am PT: PANEL - Where to Start When Adopting Zero Trust: Next-Gen Access
GRAJEK: "Access is the right place to start because we have the tools. What do we have well developed? Access management tools. We've identified the access points and put agents on there to control access. And we've gotten really good at contextual authentication."
BHARGAV-SPANTZEL: "Strong authentication that looks at what is out there that can help raise assurance on this user's identity, their devices, and do it continuously including long-term sessions. Having all that information available when making access decisions is very important."
MANN: "If you look at this market 10 years ago, MFA was a pain. People would cringe about recommendations for access management. People are still stuck in that world. Today there are modern solutions delivered from the cloud which are really easy to implement. Most times security is a pain in the neck, but I can tell you, and not just from Centrify customers, that end users are loving these solutions. They don't have to remember passwords. It's completely invisible."
"There are preventative controls and reactive controls. Access and identity management are all about preventative controls, and we need to re-learn that in the industry."
BHARGAV-SPANTZEL: "IT governance and policies are very important, but must be comprehended across applications. We also have to take into account legacy systems and support them."
"We need to look at ways to strongly authenticate the user, but also to make it frictionless."
MANN: "If you can implement least access on the most privileged users in your organization, you have a good start on prioritizing risk. But people want zero risk, and it's a complete fallacy. We try to solve the most complicated problem with the most complicated technology. Sometimes we just need to focus on what is simple."
BHARGAV-SPANTZEL: "With GDPR, we need the ability to first identify assets and data and then implement strong authentication, and figure out who downloaded what and make sure audit logs are approved. Then the controls are in place to go back and do analysis. Zero Trust is very relevant and makes a lot of sense across the board."
GRAJEK: "GDPR is going to be very interesting, especially in data collection. We've been really sloppy about data collection. We can't be sloppy about this. We know we have to do contextual and continuous authentication."
MANN: "GDPR is one more catalyst for Zero Trust. Put the compliance part aside, we know we've been sloppy with data, one of the ways to control it is with Zero Trust. At the moment in most organizations privileged users have access to too much data because we've also been sloppy in controls and identity."
"GDPR has been a wakeup call for how we've been treating data, even if we've been protecting it. Have we been moving it, sharing it? If company B wants access to user data, I'm only going to provide a certain level of access versus giving them all the data. Those concepts are part of Zero Trust."
BHARGAV-SPANTZEL: "My piece of advice is to know that you have options beyond what you may have thought were there. Let's engage and understand what they are."
MANN: "The biggest thing we can do as an industry is get the mindset of the higher ups in the organization right, or they're going to keep buying the wrong stuff."
1:36pm PT: PANEL - Who's on the Path to Zero Trust Security?
HOPKINS: "Sometimes in security we can be considered in a black box for doing our own thing. This is a culture shift where we have to get in the same car together and work on the same thing."
BRAGDON: Understanding risk tolerance for the business, what do you need to have in place to begin the journey?
GILMAN: "A lot of what Zero Trust is, is strategy. As we start the Zero Trust journey, the realization of the prerequisites will come. It is a way of thinking, a philosophy, and people have to understand that this is the mentality now."
HOWITT: "There will always be down the road, but what we've discovered from talking to everyone is that everyone has different needs. Businesses small or large will want to know how long it's going to take."
HOPKINS: "I think it's a phased approach. You have to level-set expectations -- we're going to a model of Zero Trust. It allows people who are naturally reluctant to change, and sets expectations."
BRAGDON: What made you start to adopt Zero Trust?
HOPKINS: "We were a heavily regulated company, we process $2 million worth of transactions. As we're growing we're seeing more attacks and more sophistication of attacks."
HOWITT: "It was more holistic for us. That framework sells itself."
GILMAN: "At a previous employer I rolled out a lot of systems that were Zero Trust-like. It wasn't until later that we turned around and looked at what we built and we thought, there is something bigger here. This was the driving factor. So what drove me in there was 'how can we apply novel engineering design to solve business needs?'"
HOPKINS: "Communication and education are key to everything - this is what we’re doing and why we’re doing it. What’s the user experience like? You can keep the folks in the village happy. You can have a sustainable impact for good. Be very collaborative - that’s my mantra for security in general.”
“When you go down a journey you discover stuff you wouldn’t in a conference room.”
HOWITT: “We use training as much as possible so people have expectations of what’s going down the pipe. People were saying ‘we want this now.’ The speed bumps along the way ended up working with the business units and stakeholders. We had to use a level of customization.”
“I think it’s different from a number of companies I’ve talked to. I guarantee that in more than one meeting people are saying ‘I don’t know anything about security, but I don’t want to.’”
BRAGDON: Have we reached a tipping point where people in security are thinking differently?
HOWITT: "It's in the headlines. You don't want to be the next 'insert-name-here,' be the next headline."
BRAGDON: Is the fear of being the next Equifax realistic?
HOWITT: “It exists, and it is a driver. Whether or not they’re looking at the bottom line, there is also reputation.”
BRAGDON: Talk about the technical challenges versus political challenges
HOWITT: “We didn’t know different business units would want to be a part of it. In terms of a political standpoint, it sells itself. On a technical aspect, we need to delve deeper from a security standpoint with the individual business units on how they operate.”
BRAGDON: Are you ever competing with other IT projects?
HOPKINS: "Successful people are the hardest people to persuade. We don't want to be the next Equifax, but that's an old play. Now it's trying to hit the business goals."
"A quick win is to just have the discussion about Zero Trust. The other I'd say is Single Sign-On. Users love SSO, so just the user experience right there has been quite remarkable for the amount of time it took to get there."
2:18pm PT: PANEL - Building the Business Case for Zero Trust
SMITH: "Part of Zero Trust is about describing behaviors of the systems, even as they're being defined. Typically security is something done after the fact. To accomplish Zero Trust, you have to capture those requirements and translate them into policy, and then codify that policy and incorporate the security into the process as you're doing it."
BARTH: “I think a well applied Zero Trust system would say a reactionary approach is doomed to failure and you need a proactive approach.”
SMITH: “Shifting resources from investing in resources themselves instead into solutions that are more aligned with the workflow, which is what Zero Trust is meant to do. It is a shift of resources from infrastructure up to being more aligned.”
BRAGDON: Talk about maturity required to take on Zero Trust
MARQUEZ: “Anyone who has classified their data, checked all the government requirement boxes... you are mature enough to tackle this.”
BARTH: “There are a whole lot of simple things that I think not the most sophisticated companies can gain from Zero Trust. Investing in Yubikey would be a great quick win.”
BRAGDON: When we look at things you’re investing in like policy technology, does it displace this?
BARTH: “I think a well applied Zero Trust system would say a reactionary approach is doomed to failure and you need a proactive approach.”
BRAGDON: “So, shifting from a more tactical approach for people to a more strategic approach for people?”
MARQUEZ: “In large companies they have insurance against breaches, and they like to hear what kinds of security you’re investing in.”
BARTH: “I like to think of it in the inverse. ‘What does it cost to NOT do this?’”
BRAGDON: "What speed bumps have you seen in implementations that other people can avoid?"
MARQUEZ: "We try to plan for them all, whether it be timing, or other initiatives going on to be aware of. Communication. We have a backlog of teams that want to join, and we keep them updated."
SMITH: "Starting in the most dynamic parts of your organization is often a pitfall. So you jump headlong into your most dynamic part of your infrastructure because you can never keep up, but the problem keeps changing. Start with the data, the systems that support it are generally relatively static."
MARQUEZ: “Be multi-faceted in your approach to Zero Trust. Speak to business leaders in their language. Provide a place for them to go for education.”
SMITH: "We're enamored by the term Zero Trust, but the people who need to buy in don't know what it is. 'It's not a stretch to ask someone who should have access to this system?' The answer is, the people who need access. And that leads to Zero Trust."
3:00pm PT: Briggs Gladius, Former Navy SEAL
We're skipping the afternoon break and going right into our final speaker, Briggs Gladius, who will address Zero Trust from a much different perspective: as a former Navy SEAL. He's talking about Tackling Overwhelming Obstacles by Embracing Change.
"I'm going to talk about lessons learned not just from success, but from failure. Everyone's goal in business is not just to scrape by, but to excel."
"No matter how skilled you are at something, you will never be the best at everything. So you always need a team around you."
"Remember the goal, and ration the bad. Where are you trying to get to? What's your ultimate goal? SEALs are good at breaking things down into small pieces, and accomplishing small things. For everyone who quit, if we'd told them, 'If you can make it through today, you'll make it.' The worse things are, the more you have to break them apart."
"Always keep training, and never stop learning. It doesn't matter how long you've been in, you always train three times as long as you fight. Tech moves very fast, never think you've just gotten to where you know it all. That's where you have the fatal fall."
"Take what you do very seriously, but don't take yourself too seriously. Your character will carry over into your work life. On our second-to-last mission in Afghanistan we went to this little compound, and the team relieving us is coming in and we're doing a turnover op. I pass the leader of the other platoon and a massive explosion happens. He stepped on an IED. The whole place was a minefield. Very little of the bomb went off, he loses both his legs, and in all his pain and suffering he cracks a joke, and it was not funny. It's amazing how much a sense of humor can drive you forward."
"If you think a lack of purpose doesn't affect your professional life, you're wrong. You have to have a sense of purpose. Zero Trust has a purpose. Wealth and fame are great, but not without a purpose. And that purpose usually aligns with our passions and our gifts."
BRAGDON: "Zero Trust has been around for a while, but it's really hitting a rhythm right now. I hope you found today's program helpful and insightful, and know that there are many people and companies out there ready to help you chart the Zero Trust trajectory for your business."
That's the end of our program today. Thanks to all who joined us at the event, here on the blog, on the live stream, or on social media.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.