John Kindervag is the creator of zero trust and the current senior vice president of cybersecurity strategy for ON2IT, a Dutch software company that offers 24/7 cybersecurity as a service in a zero trust context. Kindervag joined ON2IT from Palo Alto Networks where he served as their field CTO for four years. Prior to that, he was at Forrester Research, where he served for eight years as their VP and principal analyst for the security and risk management group.
The human concept of trust continues to be improperly infused in the way we approach security, which is what Kindervag has set out to change. When asked about the increasing number of attacks and the expanding attack surface, John responded:
“We’ve seen this increase in of attacks, how are we going to deal with the number of attacks, but what we haven’t seen is an increasing amount of protection.”
In this episode, Kindervag discusses:
- How to practically implement zero trust;
- Shifting focus from worrying about the attack surface to securing the “protect surface”;
- The future threat of quantum and the fear of falling behind;
- And the difference between digital and kinetic warfare.
CLICK HERE for a full transcript of the conversation.
Steve King 00:13
Good day everyone, I’m Steve King, the managing director at cyber theory. Today’s episode will try to figure out where we are amid this increasing storm of cyber attacks, and what we can do, if anything about it. Joining me today is john kyndra. bag. The guy who invented the term zero trust and is now the senior vice president of cybersecurity strategy for onto it, a Dutch software company that offers 24 by seven cybersecurity as a service in a zero trust context. JOHN joined onto it from Palo Alto Networks where he served as their field CTO for four years and before that, from Forrester Research, where he served for eight years and change as their VP and principal analyst for the security and risk management group. Prior to Forrester, john put in another 15 years in the cybersecurity trenches and earned a BA in communications from the University of Iowa, unfortunately, Iowa lost to Oregon Monday in the second round of the NCAA finals, but oh, well, thanks. Thanks for bringing that up. You’re absolutely right. JOHN is one of those legends in the cybersecurity business about whom, folks Warren, if you can’t handle the truth, don’t ask the question. And then that regard, we’re certainly brothers from another mother. So welcome, john. And thanks for taking the time to chat. Hey, thanks
John Kindervag 01:42
for having me on. Steve, always a pleasure to talk to you.
Steve King 01:46
Appreciate that. Certainly, thank you. So let’s get right into it. We’ve seen an uptick in every possible attack type over the last few months ransomware, as you know, exploding with new products and services and demands and attack vectors. We just saw an unprecedented set of what I think are brutal supply chain attacks on solar wind sucks selling on Microsoft, and, you know, 100 other technology companies, as we’re discovering as weeks go by, our federal networks are infested with adversarial actors. So where are we in this crazy nightmare, john? And how did we get here?
John Kindervag 02:24
Well, you know, you said something that I find interesting. We’ve seen this increase in of attacks, how are we going to deal with the number of attacks, but what we haven’t seen is an increasing amount of protection. See, the attacks are going to happen. And I don’t even follow the attacks anymore. I used to, you know, back when I was in a tadpole in the primordial soup of information security, which became cybersecurity, which is one of the problems, what’s the cyber? Why should we secure it, right? Think about how we use language in this business. So we’re securing cybers. Okay, what is that? We’re worried about attacks, great, but we can’t control any of the attacks, we need to control what we can protect. And we need to understand that we protect things that have value to us and to the attackers, right? So I like to say there’s only two types of data in the world, Steve, there’s the data that people want to steal, and then there’s everything else. And so if you protect the data that people want to steal, like the source code is solar winds, then the solar winds attack can happen, but it won’t be a successful attack. Right? attacks will happen, will they be successful. And by successful, let’s define that success is typically that somebody is able to do something to insular winds change the way the software works. And I mean, applause to whoever did that. That was an amazing attack, we need to understand how good these people are, right? I mean, they should win. Turing Award prizes for some of these things, maybe who knows. They’re just amazing. But at the same time, for the for the most part, a successful attack is when data that is regulated or sensitive has been exfiltrated. From your control into the hands of a malicious actor. That’s what happened it at mandiant. The attack happens. The attackers are in there for x period of time. That’s called dwell time. They’re dwelling in there. They’re apparently staging stuff, they get everything on a staging server, and then they x fill it. And that’s when the breach happens when they’ve x filled those tools. So if you know in zero trust, I’ve created a concept called a protect surface. Instead of focusing on the attack surface, which grows exponentially just like the universe does, right? It’s constantly expanding. Let’s focus on the protect surface. What can we protect because we can shrink the attack surface down orders of magnitude to something that is very small and easily? No, I usually use in presentations, the example of protecting the president in the United States, the Secret Service, right? The Secret Service knows three things about the president that we don’t know about the data assets were protected. First, they know who the President is, trying to figure out what you need to protect in an organization talk to people and they’ll go Yeah. You know, the kind of hem and haw around because they’ve been worried about infrastructure, not the data or the resources they need to protect. The second thing that the the Secret Service know about. The President is where the President is at all times. They never lose track of the President, right? If you really want to wrap a secret service agent around an axle, talk to him about how you love that movie, Dave? with Kevin Kline playing the fake president. Have you seen that movie?
John Kindervag 05:55
Yeah, yeah. So talk about how you know about the secret tunnel in the white house so that the President can go out and get away from his secret service agents, they just love that part of that movie, let me tell you. And then the third thing they know is who should have access to the President, at any given time, access is specifically controlled on a need to know basis. You could be you know, somebody who generally has access to the President, but right now you’re not getting access to the President. There was a time I worked on it on a thing with Vice President Gore, I was around the Secret Service, learning how it worked. And there was a moment, okay, it’s time for you to come in and meet the Vice President, and get your picture taken with him. And part of me wanted to say I really wasn’t, you know, that wasn’t kind of one of my goals. But it wasn’t a choice. You know, a man with who I knew was carrying a machine gun said, here, now you’re going you’re going in to meet the president, or the Vice President, and we shook hands had the photograph taken, and I walked out. And for that short moment I was around him I was, you know, I can see him. But for that short moment, I had access to him, because I had a need to have access because they needed the picture to be taken. Because that’s what happens in politics, I guess. So you know, those three things. And so the president and his family, whoever is there, that’s the protect surface is something that is easily known. And now we can have controls around that. And define a policy about who’s going to access that in that policy. I call them a micro perimeter. And then you can constantly monitor, update and change that so we can actually protect things that matter. The President matters to the Secret Service in your environment. What matters is what I call data elements. It’s an acronym I created to help people easily remember what they need to protect, you protect important or sensitive data. So that’s what the D stands for data, right? I say there’s four P’s of data security, there’s PCI credit card data, Ph II, health data, there’s PII personally identifiable information, IP, intellectual property. Those four P’s are generally cover all the data that you need to protect, that is sensitive that could get you in trouble. And so if we think about that, right, now, I know what I need to protect. So as data then there might be applications I use that use sensitive data, CRM, HR DRP, those kinds of applications, there might be an asset that I need to protect it ot IoT, IoT IO, IoT, look, they’re all exactly the same. They all run on TCP IP. And we’ve created much more complexity in the system saying, Oh, you need this system for it. And this system, bro T, and this is some for IoT and this system for IoT, which is the Internet of medical things. No, it’s all the same thing. And then there are services, you need to protect stave DNS DHCP, Active Directory, Network Time Protocol, things that are easily broken, they’re fragile, but your business doesn’t run a rat run without them. So put those things in, in an individual protect surface, one to as element equals one, protect surface and build out your zero trust environment, one protect surface at a time. And now the attack surface doesn’t matter. You know, it doesn’t matter what new attack comes out, because I have a very limited number of flows that have access to the resources inside the protect surface. So it just changes the game. I you know, zero trust is inverting the way we do cyber security.
Steve King 09:34
Well, I’m certainly glad you simplified it. It’s now now it seems very easy to do the right thing here in terms of protected
John Kindervag 09:44
is but so many people make it so complicated. And I’m not smart enough to make things complicated. You know, I need things to be simple.
Steve King 09:53
Yeah. Hard to sell a new product if you keep it that simple. Yeah,
John Kindervag 09:58
but that’s the thing, man. I mean, product will sell itself. People want simplicity. That’s, that’s a myth that you need complexity to sell a product. I hear that all the time from the people who actually buy products. What does this do? I don’t understand it. Why can’t anybody explain it to me right
Steve King 10:15
now? We aren’t as big as being facetious. I hope you understand that.
John Kindervag 10:20
Okay, okay. Yeah. And so, since you it’s hard, you
Steve King 10:24
know, President and and the Secret Service, our former president had a habit of sort of commingling things, in a way to help his negotiating style, at least from his point of view. And we kind of commingle security issues and economic issues, which kind of isolated us, I think, a little bit from the global community, that might be an understatement. Now that we’ve got a new administration in office, what are your expectations for the, for the various roles in international cyber defense that, you know, may or may not play out over the next couple of years?
John Kindervag 11:01
Well, zero trust is just about network packets. So it has no political bias. You know, I keep politics out of cybersecurity, everybody needs to be protected. And I’ve been to so many countries around the world, helping them understand zero trust and designing it is a global movement. So, you know, people, people who need to protect stuff need to do it, need to do zero trust, because it’s the only cybersecurity strategy in the world. Right, it has a strategic resonance to the highest levels of any organization. Right. So the CEO, the CEO, the Board of Directors, you know, I’ve spoken to congressmen about it. I’ve spoken to generals and admirals around the world. They all understand it conceptually. Right. So that’s the value is it has strategic resonance, but it can be tactically implemented using whatever the commercially available controls that exist at any given time. And then, of course, as the controls get better and stronger, it gets easier and easier to do. So, you know, I think this is certainly abstracted away from geopolitics, it’s, but we do have to realize that we are all fighting the same cyber war, everybody in the world fights the same cyber war because the earth is flat. The earth is flat, because TCPIP made it flat, right? You know, we all live in the same bad neighborhood, there are no suburbs on the internet, Steve. So you can’t you know, in the old days, like, I grew up on a farm in Nebraska, there was not very many threats up there. Because, well, no one wanted to go up there. And but now it’s directly connected to malicious actors in all of these foreign countries. So they’re fighting the same nation state attacks. And so cyber security is an adversarial business. Right? The company that you might work for has competitors. But you in the cybersecurity side of it have adversaries, and adversaries only exist in cybersecurity, in policing, and in the military. And so if you’re at company, Acme, trying to stop the coyote from destroying your whatever, you’re you’re fighting the same cyber war, that the US government is you’re fighting the same nation state attackers. And what’s different is, like in kinetic warfare, there’s no way a foreign government would send a missile to hit solar winds or, or fireeye. Right. I mean, that would just be an act of aggression, that that nobody can stand, but they will fire a digital missile. mean, think of those attacks as digital missiles against private sector corporations. That is an amazing change in the dynamics of warfare. So digital warfare is different than kinetic warfare, because it’s much easier to do and much harder to fight.
Steve King 14:00
Right. And China and Russia are clearly adversaries, their real threats and cyber. What do you see us doing in quantum research, for example? And what are the odds that will ever catch up? I think we’re way behind certainly China in that regard.
John Kindervag 14:15
You know, that’s not an area of expertise that I have. So I hear a lot about it. But when I talk to people who do it now was the encryption guy at Forrester. It was, you know, is one person well known said, Yeah, I’m not worried about that. Too much. I’ll be dead before it ever happens. He said, it’s a bit like you’re driving you’re here’s the example. He gave me a lot quite worrying about quantum. He said it’s a bit like you’re driving your car on a sunny day. And you know, you’re not wearing your seatbelt, you’ve disabled your, your airbag. You’re listening to the radio, you’re singing, texting all at the same time, but your major worry is will I get struck by lightning Yeah, no, that’s not the thing that’s gonna kill you, you know, it’s gonna be the texting, it’s going to be the not not having an airbag or or seatbelt on or you know, your tires are bald, or all these other things, those are the things that are going to kill you worrying about the lightning strike on a bright sunny day when there’s not a cloud in the sky. That’s just his, his paranoia. So I hear a lot about that, I think we have to see a lot more stuff happening in that area. And whenever it happens, we’ll come through and find a way to stop it. I mean, no, I, I talked to wit defeat the guy who created the diffie Hellman algorithm about that. And it was amazing. He just kind of like, waved it off. He said, Look, encryption is solved. Let’s focus on key management, let’s focus on using it. It’s the usability, not the algorithms that are the problem in encryption. And so even if somebody could come up with some great quantum cryptography breaking things, you know, from the movies, it’d be pretty darn unusable because we have this existing stuff that’s really hard to use. And I can’t imagine that the new stuff is going to be easier to use. So let’s worry about the problems of today that affect real human beings stealing credit cards, stealing credit reports. And then you know, buying things and causing credit problems or or creating a false identity, or shutting down a system. let’s worry about the things that are actually happening today. We can do research on the future. That’s cool. But focus on protecting this stuff that actually affects the real world at this moment.
Steve King 16:41
Well, I feel so much better now. Thank you, the circling back to the solar winds attacks. What is your advice to the 1000s of companies who have questionable networks in the near term, I think that sees as advice to the Fed networks was to rip and replace and the judicial branch just reverted to a dead tree strategy.
John Kindervag 17:06
So what is a dead tree strategy? By the way?
Steve King 17:09
dead tree strategy is we’re not going to do anything with computers anymore. You need to hand present paper files to the court.
John Kindervag 17:16
Paper. Oh, yeah, that’ll work. Yeah, okay. Entry strategy. I never heard that before.
Steve King 17:21
If you’re, if you’re a lawyer to Law Group in California, you simply need to fly to Washington DC with those papers and present them in person?
John Kindervag 17:30
Yeah, no, none of that stuff is going to work. I mean, that’s what zero press does, I can take a legacy network and I can put the right controls in using the method, the correct methodology to protect anything, whether it’s legacy or new, don’t rip and replace it. This is all about the correct policy to the protect surface. So the answer is start with the thing you want to protect. I’m on these calls all the time, you know, and trying to help people out. And some is like with a government, one not too long ago, and everybody was trying to position their own product, put my widget here, put my widget there. This is how you architect zero trust. And I finally said, Hey, guys, what are you trying to protect? And it just was like, you know, the proverbial you could hear a pin drop?
Yeah, right. Right. Oh,
John Kindervag 18:16
we haven’t thought about that. Well, Intel, you think about that one fundamental question. This will never work. I mean, if you were the Secret Service, say you’re Steve, the head of secrets, the Secret Service, would you walk around, say, Ottumwa, Iowa, asking people if they were the president? I was supposed to protect the president, but I don’t know who he is. So he or she is right. I don’t know who the President is. So can you are you that I have to go and I have to talk to every single person in the country to find out if the president Well, that’s not a very efficient way to do it, is it? So you start with the things you’re trying to protect your data element and, and then design from the inside out, we always design from the edge in, that is exactly the wrong way to do it. Because the stuff that we need to protect is not on the edge, typically, right? It shouldn’t be. And so start with the thing you need to protect, design the system from the inside out, instead of the outside in, and then it will show you where you need the proper controls. So that you can apply the policy and you can protect all this stuff. And it’s just we’re trying to apply legacy 20th century thinking last century thinking to a 21st century problem. I love being able to say that and cybersecurity and networking are the only things that we do in technology the same way we did in the 20th century, right. As somebody who’s in the DevOps business, you know, how many, how many Fortran programmers or COBOL programmers do you have on staff? The answer is probably zero. Right? Because Hey, that We’ve gone beyond that we’ve got new ways to do it much more efficient and agile ways to do it. Well, that’s what zero trust does. It brings those same ideas to designing and building various it environments, whether they’re on premise or in public clouds, private clouds, endpoints, or SAS environments, which are the only places where data can be stored, and ultimately stolen from. So I talked about the grand strategic of objective is to stop data breaches and a breach is not when people get in, that’s an intrusion of breaches when stuff goes out. That’s what legal and regulatory entities like GDPR and ccpa set. So don’t worry about the intrusions. I mean, yeah, you kind of secondarily worry about it, but worry about what’s going out. The reason ransomware works is because you’ve allowed a command and control session to go outbound of your network to some random address on the internet and set up a symmetric key exchange, you allow bad traffic to go out, right? That’s because of the broken trust model. So that’s why I’m trying to get rid of trust, zero trust is, is looking at trust and realizing that is a human emotion that’s been injected into digital systems for absolutely no reason. And it is the fundamental root cause of every single data breach that has ever happened, that broken trust model that we have trusted and untrusted systems. So we’re not trying to make systems trusted, we are trying to eliminate the concept of trust. And then we will validate every packet, both the asserted identity and the movement of the packet in policy throughout the lifecycle of the packet. Very simple stuff.
Steve King 21:43
Yeah. And it’s spot on from my view. Ironically, I think the protect and defend model has gotten us kind of to this place where we’re more concerned, as you say about infrastructure protection than we are about the actual crown jewels, assets, asset values that we’re shouldn’t be worried about. I think that in my mind, that also goes to the need to look at things from a more risk centric point of view, than from a protect and defend point of view. But we probably don’t have time to go through all of that today. But you know, you one of the things you’ve done, which I have enjoyed is you’ve quite eloquently boiled the human equation down to two simple factors, incentives and aspirations understanding why we do what we do, and and how we want to be perceived, which as you say, maybe maybe all the you know, we need to know, can you expand a little bit on that in the five minutes or so that we have left?
John Kindervag 22:39
Yeah, sure. I mean, when you look at a malicious actor, what are they incentivize to do? They might be incentivized to make money, right? They might be incentivized to be cool and and show and demonstrate their skills. Or they might be incentivized that this is their job in a nation state. You can have a job as what we would consider a cyber criminal, but they consider, you know, a military thing. And we have that in our own company, that country. Those are we call them red teamers, right, when they’re on your side. They’re red teamers. When they’re on the other side, they’re cyber criminals. Right? Right. You know, so when when you think about that, if you start to understand that incentives, are they trying to make money they tried to steal intellectual property were they trying to do and then on the affirmations, this is something that somebody in, in one of the agencies that fight cybercrime talked to me about, I’ve seen videos of these hacker communities and their get togethers, and they’re all celebrating how good they are. You know, I’m awesome. And so a lot of that has been, you know, look how good I am at You can’t stop me. That’s one thing that affirmation the other. The other affirmation is also money. So we’re getting into, you know, just how criminology works and stuff. But I didn’t come up with that an FBI agent, friend of mine came up with that. So that’s how he looked at the entire world, whether it was cybercrime or physical crime, if he could understand those two things, he could understand how to fight a particular criminal actor. I think, understanding why these people do it. Some of them, they do it, to prove that they can do it. But mostly it’s about making money, right? Understand what you have that makes somebody money. And we often protect the wrong things. You know, my last analogy here is, back in the day when we had physical photographs, you would always say, oh, if my house burns down, but one thing I want to get out is, you know, besides the family, the kids, the dog, whatever, is the pictures of my kids. Right? Cool. That’s important to me. But nobody is going to break into your house, Steve, to steal the pictures of you kids, I’m sure if if you have kids, and you know, I don’t even know that. But if you have kids, I’m sure they’re adorable. I bet they have wonderful baby pictures, but nobody is going to come in to steal the pictures of your kids, right? They’re going to come in and steal your big screen TV. They’re gonna come in and steal your computer, they’re gonna come in and steal, you know, jewelry or cash or anything they can turn you they may make money from. But when they see the pictures of the kids, they’re gonna walk right past that. So the things that we want to protect, that are highly valued to us aren’t valuable to attackers. And this is one of the significant problems in risk management. We don’t properly value assets based upon what should be ascribed, based upon who wants to steal it.
Steve King 25:30
Yeah, that makes a lot of sense. For sure. This has been fun. We’re out of time. I hope we can have a deeper discussion in the future here. I’d love to have you back soon to do that. And I want to thank you, john kennebec, again, for taking time out of your schedule to share your opinions and explain a bit about these high profile attacks and what the future might hold. And thank you to our listeners for joining us once again and another episode of our continuing exploration into the complex world of cyber security and beyond. Until next time, I’m your host, Steve King, signing out.