Blake, Michael: Once they got inside the network, the microsegmentation that they had done really didn't. They put things on different IP addresses and they put them on different VLANs, but they didn't restrict the traffic between anything. So as soon as they got access to the network, they had access to everything.

Ford, Carolyn: If you listened to our recent episode on why Zero Trust isn't a product you can buy off the shelf, this one is the sequel, because once you accept that Zero Trust isn't magic salt that you sprinkle on your network, the obvious next question is: okay, then what? In this episode, I sit down again with Michael Blake, Technical Fellow at Owl Cyber Defense, where he helps secure some of the most sensitive U.S. and global government and defense systems. He specializes in zero trust, cross domain solutions, and network segmentation, and building architectures that hold up in the real world. We walk through five concrete steps to actually implementing zero trust, starting with inventorying what's really on your network, including the hardware in closets that nobody budgeted for. We talk about microsegmentation, shrinking the blast radius, managing privilege creep, and why "zero trust in a box" can still leave you wide open once an attacker gets inside, because here's the uncomfortable truth: VLANs without enforcement are just very polite suggestions. This episode is about budgeting, talent, AI risk, and why zero trust is less a product and more an operational discipline.

You said the first step, step one to zero trust, is knowing what you actually have on your network, and I shared with you, I don't even know what's in my cupboards. So it sounds really obvious, and it all... I mean, I realize the reality of how hard it is, especially when you start thinking about shadow IT. So can you share a real world example where you helped do this discovery,
or, you know, of an organization that did this discovery? And if you discovered something really good, I want to know about that too.

Blake, Michael: Yeah. So my experience is in the Department of War, so it's from that lens that I've seen this happen. So one of the COCOMs, they did an inventory of what was on the network. And so there are many acquisition cycles, decades of hardware there. And they did have money for modernization, to replace the old equipment, but it was spread out across the different organizations. One branch in the military ran the switch. Another branch of the military ran the unified communications infrastructure, the phones and things like that. And so they got so much money for their piece. But then when they went out and started inventorying things, they found in closets, behind walls, legacy equipment, and it wasn't on anybody's inventory list. It needed to be replaced, but it wasn't budgeted for. So there was a lot of finger pointing and, I would say, passionate discussions about who's gonna pay to replace that equipment, which budget it was gonna come out of. I've seen that inside Owl as we've taken on some of our initiatives to be FedRAMP approved and RTP compliant. Does it come out of the IT budget? Does it come out of the engineering budget? Who's gonna pay for what piece of that infrastructure? So there is definitely that inventory piece, with the unclaimed equipment, unassigned equipment that you identify. You know, if it is shadow IT, it definitely hasn't been patched because nobody knew it was there, and it's probably and most likely performing an important function. So that is kind of the gotcha there: accepting that you're going to do that inventory, find stuff that you didn't know about, and then you're going to need a budget to modernize everything that you think you need to modernize to get it capable of being a zero trust endpoint.

Ford, Carolyn: What's the most efficient way you've seen these discoveries happen? 'Cause you're mentioning different groups own different things, so do you, like, use a tiger team? And then do you use, you know, discovery tools?

Blake, Michael: Yeah. I mean, you're gonna need...

Ford, Carolyn: Just good old fashioned manual discovery? Like, how do you go about it logistically?

Blake, Michael: There are tools out there that will scan your networks and find as much information as they can about what's on there. Those often will trip a lot of the security software that you have on the network, 'cause they're gonna be scanning across the network. So there's definitely gotta be some coordination across the different organizations. And a lot of times you'll get some falsely identified things. They'll scan an IP address and it'll show up that it's a Linux box, and it's actually a really old Windows box. And so there's not only the kind of scans that happen, but there's the physical inventory and inspection that goes along with it to verify that those tools did accurately identify some of that old equipment.

Ford, Carolyn: So you do the automated scanning with a tool. Who in an organization have you seen take on this lead, where it's just been a beautiful thing to see and it's worked really well?

Blake, Michael: Yeah, it's usually driven from... In the corporate world, it's reactive. Shareholders want people to have dividends and they wanna see their stock prices go up. They don't wanna see large investments in infrastructure that don't increase the bottom line. So there's definitely, you know, a reactive posturing in industry. If you look at what happened with a lot of the breaches, they knew they had old stuff out there. They just weren't funded to make those updates.

Ford, Carolyn: Right.

Blake, Michael: In the DoD, it's a bit more draconian, right? The Pentagon can send a policy out, set some deadlines, and then
create some consequences for missing those deadlines. Whereas in industry, the government can't really do that kind of draconian stuff to industry, at least in most commercial markets. Regulated markets, the medical market, you know, the medical industry, nuclear industry, things like that, definitely they have some teeth, but in most, like, critical infrastructure and things like that, there's not a lot of teeth out there.

Ford, Carolyn: All right, so it really has to be a cultural buy-in effort, team effort. OK. All right, step 2. Once you know what's on your network, you said it's time to segment. So you said you do this to shrink the blast radius. Can you walk us through what a smart segmentation plan looks like, and maybe a time where you saw segmentation either stop a breach or totally fail because it wasn't in place?

Blake, Michael: Yeah. So the idea is that it used to be, once you were inside the network, you had access to everything.

Ford, Carolyn: Right.

Blake, Michael: So every machine could talk to every other machine on the inside of the network, once it was inside the LAN. So anytime malware came in, it had free rein to traverse the network. A disgruntled employee could take whatever information they wanted and corrupt it or steal it. So the idea of microsegmentation is to limit what people have access to, based on the only things that they need access to, and the same with servers and applications, to partition them off so that if there was some type of breach, whether it was an internal act or an external, it would be contained to just that small segment. And then eventually, when all your tools are in place, you can isolate that area off and either do a data recovery or send them off to a honeypot. It just depends on what the organization wants to do once that breach has happened.

Ford, Carolyn: OK, I might be asking too much with this question, but is it possible for you to give me
an example network of a typical organization, and give me some ideas of, when you say you're gonna segment, so you're gonna segment, like, everything that finance touches? You will segment that?

Blake, Michael: Yeah, it's like the accounting system, right? You have the ability to commit fraud. So if the person that writes the checks balances the books, you definitely don't want that to be the same person. You want to have the accounts payable department be separate from the accounting and things like that. So you would make sure that not only the people that work for you that have gotten promotions don't have privileges... You know, a lot of times you move across groups. So you verify the privileges of the people, that they haven't carried some privileges forward from a previous position, and you verify that you've got that clean separation of roles and authorities so that you don't create an opportunity for fraud. Same kind of idea with the software that prints checks: if there's people that are balancing the books in the accounting department, you don't want them to have access to the check writer, right? And so if the check writer is off to the side in an open area, you don't want that either. So you put it behind a locked door. But you also gotta make sure that, from the network standpoint, nobody can get to it, and only the people who have the authority to issue checks actually have access to that machine, physically and on the network. So that would be an example of segmentation.

Ford, Carolyn: And do you perform the segmentation hardware based, like a diode, so it can only go one way?

Blake, Michael: If the communication is such that... like, if you're doing backups and things like that, you might want to push your backups into an area where the information only goes one way. If you have IoT devices like thermostats, humidity sensors in an industrial setting, a lot of times those are very inexpensive. Nobody really thinks about
updating the firmware in those to address vulnerabilities, so they're pretty, I would say, high risk devices. You still want the humidity readings. You still want the temperature readings, so you might have a diode between that IoT network that just pushes all that sensor data into your enterprise for monitoring, but then you don't allow anything from the enterprise to go back out to those things.

Ford, Carolyn: Is hardware separation the only way to do it? Is it necessary? Or can you do some segmentation with software?

Blake, Michael: Diodes are good for really high risk kinds of things, and a one way transfer: you know that the data's only gonna go one way. In zero trust for DoD, when you do the segmentation at that boundary between the segments, they actually say there should be a next generation firewall. If you're in a virtualized environment, separating the VLANs inside your hypervisor and then out on the network, if you're going between physical devices, they want an actual physical firewall, a next generation firewall, sitting there. And what they mean by next generation firewall is that it's got a SIEM, security information and event monitoring, some type of tool that's on there monitoring things as it happens, and it can send some alerts if it sees suspect activity.

Ford, Carolyn: OK. All right, so you already talked about step three a little bit with the segmentation, but our next step is access management and role control. So when we talked before, you talked about privilege creep, where, you know, people move from job to job, department to department, and they're accumulating access over time, like digital pack rats. So how should orgs regularly validate who accesses what, and what happens if they don't?

Blake, Michael: I think it's not just the people, it's also the network. You're gonna create these microsegments. There's gonna be problems. There's gonna be a temporary solution to bridge gaps between these microsegments,
and then they'll become permanent temporary solutions. And so I think there is definitely a need to go through and verify that the understanding of the security posture that's out there, that the work that was put into that, is being maintained, and inevitably it's gonna be broken down over time. Like I said, for troubleshooting purposes, there just needs to be, like, an audit at least yearly to come through and make sure that, you know, that isolation is still what everybody thinks it should be.

Ford, Carolyn: So it's machines and people that you're auditing at least yearly.

Blake, Michael: Correct.

Ford, Carolyn: Is that audit manual, or can it be automated too?

Blake, Michael: Some of it. I mean, there is obviously some automation that can happen, but the automation is not context aware. So yeah, it will take some institutional knowledge to properly set it up so that the actual security risks are being identified and the false positives aren't creating a bunch of work for people.

Ford, Carolyn: Right. All right. We're at step 4. You already hit on this when we talked about step one, and that's budgeting. Implementing a zero trust architecture isn't cheap, so what's your advice for leaders trying to scope and budget zero trust without overcommitting and underdelivering?

Blake, Michael: I think if I was the CTO of a company that was profitable... The malware companies are really good at doing market surveys and figuring out what their next targets are. So if I'm at a profitable company, you're ripe for picking, right, by one of these companies. They're gonna figure out how to get into your network, and they're gonna do ransomware or something like that. And then, you know, your job as CTO is probably over. So if I was gonna be a person in that role at a company, I think it is really important to assess the risk to the enterprise. So there's nothing wrong with inventorying everything, identifying the cost, potentially modernizing stuff,
the human capital investment it's gonna take to implement some of that security. If you don't have anybody that knows how to configure firewalls and things like that, you're gonna need someone to do that. Someone to map all your data flows out, set up all your privileges correctly and things like that, some security engineering. So there's that human factor side of things. And then, when you look at actually the different maturity models and what your target is: is it basic? Is it intermediate? Is it advanced? What kind of timeline are you on? And then budget, at least for a milestone. At least you can come in and say, you know, I've assessed the risk, I think this is what it is, and this is what it's gonna take to remediate it. You've bound the problem a bit, and it might be that there's more money for you to do things than you thought, or there's less, and you're gonna have to change your strategy.

Ford, Carolyn: So it sounds like when you're budgeting, you take these first steps, you identify the crown jewels, you identify the highest risk targets, and you secure them first and set your milestones to secure them first. And that can even be part of the segmentation, like you segment that first, because you might not be able to do the whole network at once. Is that...?

Blake, Michael: Yeah. I mean, if you have a lot of legacy equipment out there, you know, on a factory floor, if you have a lot of legacy devices, or bring your own devices. A lot of companies are virtual, and they're really virtual: people, you know, are given their own budget to go out and buy their own computer, and there isn't the concept of a company issued device that's really locked down. So that is kind of the highest risk, is what's considered an unmanaged device. I know it's connecting to my network from a person's home, but I don't know what kind of environment at their home they have from a cyber hygiene standpoint.
So it's probably best just to assume that the threat is pretty prevalent outside of the area that you're gonna try and protect, and just work from that concept that, you know, I'm not preparing for an attack from a 16 year old in their basement with a hoodie on. It's a very well funded A-Team of malware hackers that are organized like a Fortune 500 company, sitting over in Eastern Europe somewhere.

Ford, Carolyn: Right. It feels a lot more manageable to do what you just said, to identify your high risk targets and start to apply the zero trust principles there. It feels like it's doable.

Blake, Michael: Correct. Yeah. And you have to really look there. There are some self-assessment things out there. There's kind of like a score. Just because you implement certain aspects of zero trust doesn't mean you've actually built something secure. So there was a pilot for an IoT, a water plant over in Europe. The Department of Defense, or Department of War, kind of took a zero trust approach and said, OK, we're gonna try and bring some things in, zero trust. We'll get to a certain point, we'll do this assessment, and then we'll bring in a penetration team and see if we can get in. And so the technical boundary that they set on the outside, the pen testing team could not get in from the outside, but a majority of the cyberattacks don't come from a technical breach. It's usually a person that gets compromised.

Ford, Carolyn: Right. Insider threat, either unintentional or malicious insider threat.

Blake, Michael: Right. So they get what's called a white card, which is: assume that there was a social engineering type of attack and they got privileged access to the network.

Ford, Carolyn: Right.

Blake, Michael: Once they got inside the network, the microsegmentation that they had done really didn't. They put things on different IP addresses and they put them on different VLANs, but they didn't restrict the traffic between anything.
So as soon as they got access to the network, they had access to everything. So there's been other instances of that, where, you know, some of the big primes have been reported out, you know, in the last year, that they had prepared the zero trust in a box kind of approach, but then it was assessed, and there were really no restrictions on access once it was inside. So you can definitely put all this technology together, but if you don't implement it correctly, you're gonna get a false sense of security from having all that in place.

Ford, Carolyn: Right. Well, let's talk about that. That's step 5. So the talent and sustainment. What's it gonna cost? Or how many people are we talking? Like, you've shared with me that the zero trust in a box concept that the government has has 35 different tools, which I think means 35 different vendors. So, like, do we need 35 different new people?

Blake, Michael: Well, yeah, it's definitely a complex stack of applications that perform different security roles, all potentially isolated in different areas of the network under microsegmentation. So when you do have a problem, that does make it pretty challenging to get an overall picture of what's happening. So yeah, there's definitely kind of the big challenge of implementation, but when there's a problem, you really have to anticipate: OK, when there is a problem, how big of an outage am I gonna be able to absorb, and have I given the people that are maintaining the system the tools to actually go out and figure out what is wrong and fix it? And if you don't have a way to aggregate logs securely or, you know, analyze the different faults that might be out there in the network, then it's gonna be really challenging. I think the outages are gonna become bigger. As these kinds of sustainment teams, it's a place to cut costs, right? Hey, we didn't have any incidents last year. We had 10 people. Now I think we just need 5.
And then you actually have a problem and realize that you need 10 people to fix it, yeah.

Ford, Carolyn: Right. Is outsourcing feasible for this? Like, are there companies that do this?

Blake, Michael: And that was my point about the funding. It might be that, you know, you could do it in house to meet your goal, but maybe there's funding to accelerate it or even outsource it. And so those are definitely viable options. You wanna, you know, use a trusted partner to do those kinds of things. There are some companies, but it's definitely an option. You know, there's even, like, part-time CTOs, part-time CIO options out there. So if there isn't the subject matter expertise inside the company to do that, you might even outsource

Ford, Carolyn: Right.

Blake, Michael: a higher level position in the C-suite to help make that happen.

Ford, Carolyn: I think the vogue term these days is fractional. Fractional CTO, fractional CISO. Is there a repository of assets that people can go to, like a checklist or a plan for zero trust, that you would direct people to?

Blake, Michael: I think that, you know, the most regulated environment is our Defense Department, or Department of War. So they're the most mature, I think, because they've been thinking about it the longest and have real strategy groups looking at it. I would think of that not necessarily as something written in stone, but more of a thing to consider that they've thought about, because they tend to overthink things. That makes things really complex, but it's a good starting point. They've got, like, a set of security controls that you can look at and see, do these apply to my organization, just like NIST does. They've got a checklist and a self-assessment to see, can I give myself a score? And then they've got guidelines for penetration testing, that if you don't get a high enough score, they're not even gonna bother coming and pen testing you, because they know you're gonna be compromised.
And so you've kind of got to get to that point of maturity where, at least at a top level, you think you would limit the ability for a malicious actor to move across your network.

Ford, Carolyn: OK. Before we wrap, anything else you want to leave our listeners with?

Blake, Michael: It's a journey. Like I said, the Department of War has a lot of documentation out there, and they talk about the journey to zero trust. And it is definitely a journey. The threats are gonna keep changing. The countermeasures are gonna change. The technology's gonna change. We've got quantum computing on the horizon, AI. We've got, you know, considerations... Zero trust started over a decade ago for our military and ICS, so a lot has happened in the last 10 years, and it's happening faster and faster, I think. So there's definitely gonna be more changes out there. So look at some of MITRE's papers out there on their perceived threats from giving an AI access to your entire network, just like giving a person access to your entire network. Probably not a good idea. If you're trying to limit the access of a person to different pieces of your network, you want to look at AI the same way, because it can aggregate that information and present it, potentially, to people that shouldn't see it.

Ford, Carolyn: OK. I know you have a white paper on Owl's website. I will dig that up and drop that in the show notes too, as a place to start. OK. Thanks, Michael.