Zero Trust and Cyber Warfare

Dr. Chase Cunningham, a well-renowned expert on Zero Trust, sits down with us this week to talk about zero trust, VPNs, SASE, WAFs, and how the IS and security team can still be the department of "no" and still accommodate the demands of DevOps and contribute to an organization's growth.

Tune in to this episode of Ask A CISO to hear:

  • What is Zero Trust
  • Are VPNs still viable today and are they part of a Zero Trust strategy
  • Can Zero Trust be realistically realized?
  • Cyber warfare, and how even small organizations can be at risk
  • A most shocking war story on a particular vulnerability

About The Guest: Dr. Chase Cunningham

Dr. Chase Cunningham is Chief Strategy Officer at Ericom Software, a company that provides web isolation and remote application access software to businesses.

A retired Navy Chief Cryptologist, he has more than 20 years of experience in cyber forensics and analytic operations gained from “on pos” work doing cyber forensics, analytics, and offensive and defensive operations at operationally-demanding work centers within the NSA, CIA, FBI, and other federal agencies.

Dr. Chase is passionate about sharing his insights, experience, and knowledge with “those that are willing to listen.” To that end, he is active on Twitter and has his own podcast DrZeroTrust and a YouTube channel with 1.46k subscribers.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 



Hello, and welcome to another episode of the Ask A CISO podcast. My name is Jeremy Snyder. I'm the founder and CEO of FireTail and I'll be hosting today's episode. We're delighted today to be joined by Dr. Chase Cunningham, Chief Strategy Officer at Ericom Software, a company that provides web isolation and remote application access software to businesses.

A retired Navy Chief Cryptologist, he has more than 20 years of experience in cyber forensics and analytical operations gained from "on pos" work doing cyber forensics, analytics and offensive and defensive ops at the operationally-demanding work centers within the NSA, CIA, FBI, and other federal agencies.

Dr. Chase Cunningham is passionate about sharing his insights, experience and knowledge with those that are willing to listen. To that end, he's active on Twitter and has his own podcast, "Dr. Zero Trust" and a YouTube channel with about 1,500 subscribers.

Chase, thanks so much for taking the time to join us today.


Thank you for having me. I appreciate being brought on.


Awesome. Awesome. So I know Zero Trust is something that you spend a lot of time talking about and working with customers on. So let's just start with an overall question: What does Zero Trust mean to you?


Well, I think about it in the most, I guess, basic terms you can, which is really just removing trust relationships from systems. You know, John Kindervag, who's a great friend of mine, has talked about it for a long time that trust is a human emotion that we kinda shoved, shoehorned into computer systems, and we made it default and inherent, and if you look at what's going on with the compromised side of things, it's trust relationships that are being exploited.

So that's what I really look at is wherever those things are present, we should remove those, but the other twist on that, in my opinion, is I look at Zero Trust from the perspective of an attacker. I think we spend a lot of our time really focused on the defensive side of things. I kind of abandoned the idea of perfect defense a long time ago. I would rather be focused on removing what the adversary needs to be successful, and that makes me more secure sort of by that change in approach.


And I know one of the pushbacks that often gets thrown out there when we think about Zero Trust, and I think about Zero Trust from my days as a cyber practitioner. I was working at a SaaS company in the late 90s, we were kind of early in the SaaS wave, and I know from my side, my eyes were kind of open to this concept when we did a global implementation of Cisco firewalls and the very first rule on every single firewall device that we rolled out was denial.

You know, it was deny star star, and then on top of that, we started to open up explicit allows, and that's kind of how I think of a lot of things around that. The friction that comes into that, though, is that you must have an explicitly declared allow condition in order to access a system or to access something on a network.

And then there's that kind of tension that might arise, where users who didn't need access to a system before all of a sudden they do, but they don't have access because, let's say, no trust has been provisioned. How do you think about kind of balancing that tension or helping customers when they plan out that Zero Trust journey for themselves?


Well, I think, to what you were saying, a long time ago, 'cause I did the giant firewall deployments too. And I mean, that's a sledgehammer, right? And it's a misery index for everybody involved, and it ... but you're doing the things that are needed for segmentation, and doing that in the old way was really cumbersome.

Now, policy engines today have evolved to the point that this is very doable. It doesn't require that sort of sledgehammer approach. Machine learning has come a long way to, kind of, be able to say that in a perfect world, the flow that we want to see is: I want to see any user or any entity, because everything now has an identity, right? Thermostats, you know, whatever. So let's just call it an entity.

An entity is gonna use a device. Maybe that device is part of the entity, but a NIC or something, then it's gonna run on a network. I don't care what network; I don't own the network probably, and then I want to go to some resource, probably an application, and behind that application is data. And then right in the middle of that thing is where the policy engine controls all that.

And if you're able to broker all that connection with the right telemetry and apply controls along that path, you're enabling ZT.


Okay. And so if we think about something kind of associated with the policy engine there, we think about something that kind of manages either role-based access or maybe attribute-based access or some kind of conditional access that can kind of feed into the policy engine and update policies as to, let's say, new access that might be required.

Is that kind of the direction that you're suggesting?



And I think that the other side of that equation, there's, in the military space, we ... in combat, we have this thing we call contested space, right? Which is an area that I basically accept will always be combative and I never can necessarily control. The contested space is an area where you shouldn't be spending a lot of your time and resources.

Now I know unequivocally, if I change the access paradigm, I remove significant foothold that the bad guy needs to be successful. And on the other side, I know if I do things around isolation, segmentation control and visibility within the infrastructure itself, I remove the adversary's ability to move laterally and do those bad things.

So that's where you focus your efforts. Anything else you get to later, and that is contested space and we'll probably be contested space for as long as electrons are moving.


Yeah. I mean, basically anything outside your immediate network control would fall into that contested space category, right?


Yes, and that's where, when you have contested space, the goal is really to get, say, like, look, I want really good visibility so that I know what's trying to come in from the contested space. Going out is going out. You know, you leave my network, then more power to you. May the Force be with you as you transit the internet. But when you're coming in, I want to know what's going on, and I want to know that I have an ability to apply control around that.


So do you think things like VPNs or SASE, Secure Access Service Edge, are kind of a solution to bringing a Zero Trust model to, let's say, a distributed workforce like we've all been working in for the last couple of years?


Well, I think the, I personally, I hate the term SASE, 'cause I just can't imagine being a CISO and telling the board, "Hey, I'm sassy." This sounds stupid to me.




But anyway, let's just talk Secure Service Edge or the access side of it. But I think the approach there within ZT, and SASE or SSE are not totally opposed to each other, right? One kind of hand shakes the other hand-in-glove, however I wanna call it. Now VPNs, that's an old legacy, archaic technology that pokes a hole in something and ports you directly to something else.

And that's a problem that violates all the tenets of ZT. And that, I mean, I think if I remember correctly, VPNs were basically an enterprise technology back in '93. Who would use 1993 technology today and say that they're doing something new and innovative? You know what I mean?


Right, right. You know, counterargument there would be just because it's not new and innovative doesn't mean it doesn't have its place in the world. And my guess is that VPNs heavily outnumber the number of Secure Service Edge implementations that are out there.


Oh, by far, but I think that the point is to try and migrate people off of those because the VPN at a thousand percent, the VPN is a necessary thing to bridge where you were to where you're going, but these businesses that are talking digital transformation and everything else, and they want to work remote and distributed or whatever, they have to do something different or they wind up continuing to do the same things that have happened for years and expect a different outcome.


Yeah. And so do you think Zero Trust is something that can be done or ... because one of the things I've heard is that, you know, Zero Trust is a journey. It's not a, maybe a strategy. It may, let's say a goal, but it's a goal that you can almost never achieve because your networks keep evolving, because the technology stack keeps changing.

What's your view on that?


I think that's right. And I mean, I think that's the thing that makes sense. If you look at every other facet of business, like let's take sales for example, everybody's pretty familiar with the sales process. I don't stop evolving my sales process because I achieve the goal at the end of the year, right?

I don't go, cool, I'm done. I made a million dollars. Life is great. I'll never change.

No! What do you do? You continually reevaluate. You get new tooling, you change your strategy, new people, new approaches, and that's the same thing we're doing in security. It is interesting to me and I'm working on a couple of papers along these lines where people think that this is a really different approach and it's crazy, and it's so weird.

It's the same thing that we do in every other part of business. It's just this is specific to security and cyber.


Yeah. Yeah. And I think it goes back to something that I know you've talked about in the past, which is kind of the strategy mindset. I know in a lot of the conversations I have with people, and I've been focused on cloud security for the last, let's say, six, seven years, I always bring people back to kind of cyber-first principles. And there's really two that, to me, stand out.

One is visibility. I like to tell people, look, if you don't know that it exists, you don't have eyes on it. How can you be, you know, how can you have any level of confidence that it is secure or have any knowledge that it may not be secure? So you've gotta start with visibility on it.

And the second thing I tell people from a cyber perspective is: hygiene is actually super important. One of the things that I think we as organizations and we as kind of users of cloud systems have gotten really, really lazy about is cleaning up after ourselves. And I know that's kind of human nature, but you look at these cloud platforms, and it's so easy to create, and it's so tedious to go clean up after yourself, but you leave all this kind of extraneous attack surface sitting out there.

When you think about this strategy mindset, what is it that you tell people as kind of first guiding principles around, you know, cyber strategy and embracing that strategy mindset?


Well, I think you're speaking to it principally right there where you're talking about, 'cause I still look at stuff from, again, the perspective of I want to be up on the hill and I wanna see the battle space, 'cause that's what cyberspace is: it's a combat space. So I wanna see what's going on. I wanna be the general on the hill, right?

And part of that is being able to vector resources to where I know that there is a likelihood of incursion or bad things, whatever's in the cloud. That likelihood and that landscape is vast. So it does become a bigger problem, but on the other end of it, really those systems are built and architected for being able to do things dynamically at scale if you used them correctly.

But the thing that people get wrapped up around is they try and take old approaches that they used on-prem legacy and try and do it in the cloud, and the cloud's built for a totally different reason so it just doesn't scale.


Yeah, yeah. To that end, I think one of the things that I'd be curious to get your view on. I know you've worked on both kind of offensive and defensive sides. How do you tell people to think about, kind of, modeling the adversary? Cause I think that's something a lot of people don't spend time on.

We spend all our time on defense. We spend all our times on, kind of, system designs and thinking about how secure is my network? How secure are my end points? But we don't really take a second to put ourselves on the other side of the table.

How do you start that conversation with people or get them to start that line of thinking?


So the first thing that I do anytime somebody wants to do a ZT workshop with me is I either walk in with a scenario, that's a breach scenario and I throw it on the desk. And I just say, here you go, this happened this morning. And I just watch and see what happens and that usually wakes people up to, well, we weren't prepared for this, what, you know, and that's a very realistic scenario.

And then the other thing that I tell 'em is if you're not willing to do an unabridged, hardcore red team operation, you're not ready for planning your strategy. And the reason that I say that is just exactly what you're getting at.

If you don't know what it looks like to be engaged in that fight, and you're not willing to look at the dirty underside of the system that you've built and see how an adversary would go after it that is not bounded by the restrictions of a penetration test, you're not ready. And the funny thing is, every organization that I've engaged with in those two lines, it has been an absolute watershed moment in what they thought they were ready for and what they realize is actually taking place.


Yeah. That's something I can identify with completely. I mean, I, you know, in my own history, when we had our first breach, we found out just how unprepared we were. You know, we thought we had good backups. We thought we had good firewall rules. We thought we had good access control lists.

I mean, in my case, it was an FTP server that was breached back in about 2003. We can go into that another time; we don't really have time for it today, but I know that we were just completely caught off guard and we had never thought about, let's say, the level of creativity that the attackers used in compromising a system.

And so because of that, it took us days to dig out from that. Is that something that you encounter a lot, is that you just don't have that kind of, let's say creative mindset around trying a bunch of things cuz that's been one of my observations around hackers is they're actually remarkably creative.


Yeah. Like when you take the OSCP certification, which is an awesome cert, by the way. When you take that, the mantra that they tell you is try harder. So, you know, you're going to take OSCP to practice going after networks. They keep telling you, cuz you keep getting irritated that you can't find a way into a network or whatever, try harder.

And if you go onto the Discord servers and Slack and whatever else and ask, the folks running it will just say, keep trying and I mean, think of different ways, do whatever you can, and that's the mindset that the folks on the red team, adversary side of this equation have. It's a business for them just like it's a business for the people defending the networks, but they're not bounded by rules, and that's what people seem to forget is that it's not.




You know, I like to talk to people about, have you ever been to a dojo with someone and you've gone on the mat? And they go, okay, grab my wrist this way. And you're like, well, I wouldn't do that in real life. And they're like, well, grab it that way anyway, 'cause I can defend that. Like what? Like, in a fight, I'm not gonna walk up and, you know, recalibrate my wrist grab to how you want me to grab you. I'm gonna smash you in the face.


Yeah. Yeah. It's that famous Mike Tyson saying everybody has a plan until they get punched in the mouth, right?


Yeah. Yeah. And I mean, if your goal is to defend a network realistically, then you must be willing to accept a realistic onslaught. Otherwise you're not ready.


Yeah. Yeah. Such a great point.

I wanna go back to something that we were talking about just a minute ago, along the lines of VPNs, but not specifically around VPNs.

You raised a point that kind of sparked a thought in my head, which is, you know, why would you think that a legacy technology from 20-plus years ago would be apt for the modern world? There's two other pieces of technology that I kind of think about a lot, even though I don't really use either one of them.

One is endpoint protection and the other one is WAFs. What do you think are kind of their roles in the modern landscape if they have any?


Well, I think the endpoint now is so transitional and so broad in scope that it's really hard to get a boundary around. I consider that to be pretty much contested space. I do think there's things you should do on the endpoint. I think application white-listing, those types of things make a lot of sense. I'm not a fan of antivirus, to be perfectly frank, cuz antivirus doesn't seem to stop anything.

So I think that's part of it. And then the WAF side of it, I've yet to run across a customer that has had a correctly-configured WAF and has it actually in defense mode. It's always in just monitor.

So yeah. Why are we using something that's just doing that?


Yeah. I'm a hundred percent with you on that point in particular, I would say the same. I've never seen a customer with WAF in block mode in production, you know, not once.

And this is a not ...

Yeah, yeah. Every customer that I talk to about, Hey, what's your WAF implementation look like? It's always like, oh, well we have it, you know, in blocking mode, in non-production and then in monitoring mode in production, and everybody's terrified of breaking production. I kind of worry about that mindset, because to me, it says you're willing to put stuff out in production, but you're not willing to provide the protections that you yourself think you should be providing to that production environment because you know that it's frail or you say business comes before security fundamentally.

I mean, you must have run into similar mindsets quite often, I imagine.


Yeah. And I think that's more of a reflection on ourselves in the security industry than it is on the people that are in the application business side of this. And not, we, and I include myself in the mix, like we have done a disservice to our position in the business realm by trying to push in front of 'em like you have to do these things security first, security always, whatever else. At the end of the day, dollars and cents is what's gonna make things happen.

If you're a doctor, the hospital is gonna be saving patients' lives. So it's really that we have to make sure that we can work within their bounds and their practices. And we do the best that we can.

Now, there is also that need to have that conversation of, you know, business leader. I'm putting these things in place. You are ultimately the one restricting or accepting 'em, you're the one accepting the risk, but I'm willing to support you in this endeavor. So I think that it's a balance that's gotta occur and we need to get better at doing it.


Yeah, I think you're spot on there.

I mean, I know so many companies that I've gone into over the last couple of years, you talk to them about their cloud security and you find this tension between, let's say, the cloud teams or the DevOps teams that are really trying to leverage cloud technologies to their utmost, really make the most use of them, deploy quickly, be flexible, etc.

And you talk to them about, Hey, working with their security team and what you hear consistently is, oh, they're the "No" people, they're the guys who say no who block us from doing things.

So to your point, I mean, how do we change that conversation?


Well, I think we can still be the department of "no", but I think it needs to be new opportunity, not no, right? So, okay, that being the case, I tell people that are in my organization, you can't tell me no without having an alternate suggestion or a way to fix the problem. Like if your answer is no, go back and figure out what the actual solution is.

And I think that that's something that we need to wrap our heads around as we do a great job and we're pretty good at figuring out what won't work, but that's not going to fly. I need you to tell me, even if it is an end around, tell me how to make this work in the long term, cuz that's a winning conversation. Being the department of no, it is not going to continue to make your presence in the business any better than it was before.

And ultimately if we're removing ourselves from the conversation because we're constantly saying no, we're not helping anyway.


Yeah. Yeah, we had that conversation with a customer a couple years ago, and the analogy that was brought in front was kind of like, okay, if you are going to say no, ultimately you're like that kind of proverbial rock that gets thrown into a creek to dam it up. It'll work for a while. It'll stop the water.

Exactly right. But the water finds its way around the edges and sure enough, before you know it, some developer pulls out a credit card, says enough of this. I'm gonna start a new AWS account and we're, you know, we're gonna be off to the races and then we lead to shadow IT situations. We lead to completely unknown attack surface. We break those visibility principles and we open up the organization to much greater risk than if, for instance, the security team had given that alternative solution or given that kind of, you know, even if it is an end around or kind of hacky or whatever, right?




So I'm curious... sorry, go ahead.


I was just gonna say I've never run into a space yet where there hasn't been technology available to solve a problem. Maybe it's not always perfect, but there's always been technology.

It's been a leadership issue and that's something that we have to be a little bit more honest with ourselves about, I think.


Yeah, I would agree with that. I think, you know, leadership, human issue, however you wanna frame it, but always there's a communication way forward to find a solution to the problem.

So I want to come back to the current state of the market. There's a lot going on in cyber warfare right now, where at least a lot of talk about cyber warfare. I've heard the saying that, Hey, this Ukraine conflict is kind of the first modern cyber conflict or it's the first kind of hybrid war. I guess, first of all, what's your view on it?

And second of all, what do you think we should be thinking about if we think about our own organizations being engaged in cyber warfare?


Well, I think the most interesting thing is this is the first time in human history where the battlefield knows no bounds. Typically when you think of battlefields, they're there and you can stay away from it and hopefully not be engaged in that conflict, whereas now with the digital space, you're engaged in conflict, kind of, whether you like it or not.

Now, the level of your engagement may vary, but you're on it. If you're online, you're part of that battlefield, so be real about that.

But the thing about cyber warfare is that it's become the bridge between espionage operations and kinetic operations. And that's where all of us fit: we might be part of that bridge if we're not careful. So, you know, being online and being businesses that are digital, the days of being able to say, well, no one would care about me, my little business is not important to a Russian APT. It might be, because you have connections to other things, or you're a jump box for an attack, that type of stuff.

So, yeah, I mean the ability to sit back and go, nah, it's not me. I'm good. Don't worry about me. That just doesn't fly anymore.


Yeah. I mean, to some extent, I hadn't even thought about the angle of being kind of a jump box into, let's say, getting into other organizations. You know, almost every business is part of some supply chain or you have intellectual property, or you have data. Data about customers, data about users, data about something that can be valuable, maybe not particularly on its own, but when taken as a sum with a bunch of other things that this threat actor may be gathering, that becomes valuable in the wrong hands.

So it's really interesting.

So if you think about kind of, Hey, we're all part of this conflict, how do we get people to wake up to that fact? Because I think a lot of organizations really are, like you say, they say, Hey, I am a doctor, I'm a dentist, why would anybody care about me? How do we get them to think about it, that it is important for you to take good care of the data and be a good custodian of it and do the things that you can do to protect yourself?

How do we get them to really wake up to that?


Well, I mean I really think it's gotta be something that we've tried for too long, to push at the, you know, global be part of the better stuff and whatever else it's gotta be specific to kind of the, you know, what drives the individual or the organization.

So I think just being able to continually remind people that you're doing something online. You're digital, you're serving customers, clients, patients, whatever. If you want to continue to do that and be uninterrupted you should change your approach to the problem because that's the reality of what this is.

If you're ... I think actually Costa Rica is a great example, right? Costa Rica wrote a big cybersecurity strategy. They talked about doing a bunch of stuff. They didn't do it. They got hit by Conti. They're down hardcore. Their GDP suffered by almost 5% in the first year.




Right? So, I mean, can your business take a 5% loss at its gross?


Yeah. Yeah. And your point about Costa Rica is, in my mind, particularly apt cuz you know, I went on vacation there a couple years ago, and I remember hearing they were one of the very first countries in the world to demilitarize.

They had this popular vote back in the early 1900s or something where they voted to defund the military because they said, Hey, who cares about us? We know our neighbors, we're friends with our neighbors. We've got a border control, sure. But that's really all we need, you know, some local police and some border controls. We don't really need a military. And then you think about this kind of ostensibly very peaceful, beautiful nature-rich country, and they get hit as well.

So I think that's a really great example to point people to.


They're a long way from Russia, last time I checked.


They really are. They're a long way from China as well. So, awesome. Well, I really appreciate your perspective on that.

I know you're working on a new book. What can you share with the audience about what you're working on? What might be some of the themes they should look out for?


So, I've got two of them that are finishing up now. One book was with a group of other authors. That's gonna be a continuation of a book, sort of for general knowledge on cyber. So that one should be coming out pretty soon.

And then I'm working on a second version of the cyber warfare novel that I wrote called gAbrIel and that should be coming before Thanksgiving.


Awesome. Awesome. What was the first book in that series?


It was Gabriel.

Well, the first book was just gAbrIel. This one, of course, because it's computer sort of related will be gAbrIel 2.0 cuz it's the new version.


Yeah. Awesome. Awesome.

Well, I will have to look out for those. I've read a lot of cyber warfare novels and I actually think they're pretty useful even from a day-to-day work perspective because they can open up your mind to different lines of thinking that you might not have been thinking about.

I guess I wanna close out today's conversation with: are there any fun kind of war stories that you can share from, let's say, cyber incidents or cyber operations that might be interesting for the audience to hear?


Yeah, I would. I mean, the one that gets to me is folks talk about users saying they need access to stuff and they, you know, shut it off. And then they complain about the longest I've ever been involved with someone that had access to a production system that had a really large vulnerability on it was 13 years.

Someone had unfettered access to this. Never used it. Never touched it. Didn't even remember they had it, but they had valid creds on a system that was touching the internet for 13 years straight. So, you know, these, the argument that people will make about, oh, I need access to that. I might use it someday. There's better ways to do that. Don't just leave it out there for 13 years at a stretch.


I mean, that's an awful long time for that user to be compromised or their credentials to be compromised or a vulnerability to be unpatched. I mean, man, that is crazy! 13 years, wow! That's ...


Admin-level creds, user never touched them, set up 13 years ago, still valid that day.


Yeah, well, that's a little bit of a sobering thought to end the conversation on, but I do appreciate your time. We have hit time on today's recording, so, Dr. Chase Cunningham, it's been an absolute pleasure having you.

Thank you so much for taking the time to join us today on the Ask A CISO podcast.


Hey, this was a blast. Thanks for your time.

Jeremy Snyder

Jeremy serves on the Horangi advisory board. Jeremy Snyder has over 20 years of experience in IT and cybersecurity, with deep industry exposure in the M&A space. Some of his previous employers include Amazon Web Services, DivvyCloud and Rapid7. Jeremy has lived in 5 countries and speaks several languages. He is currently the Founder and CEO of FireTail.io, a leader in API security.