Hello. Welcome everyone. I'm John Tolbert, Lead Analyst here at KuppingerCole, and today's webinar topic is A Zero Trust Approach to Cyber Resilience. I'm joined today by Trevor Ding, who is Director of Critical Infrastructure. Hi Trevor.
Hi John. Good to see you.
Yep, likewise. Thank you.
So, a little bit about our logistics before we begin. Everyone is muted. There's no need to mute or unmute yourself. We handle all of that. We'll take questions and answers at the end of the webinar period.
Today, you'll see there's a Q&A blank in the GoToWebinar control panel, and you can type in questions there at any time. We're also gonna do a couple of poll questions during my part of the presentation, and we'll take a look at the results of those right before we launch into Q&A. And we are recording the webinar, and both the recording and the slides should be available in the next day or so.
So again, I'm John Tolbert from KuppingerCole.
I'm gonna start off talking about the motivation for Zero Trust, what's driving it, and then look in a little more detail at what Zero Trust is and how it applies to cyber resilience. Then I'll turn it over to Trevor and he can go into more detail on cyber resilience against things such as ransomware. So from the top, why are people so strongly interested these days in Zero Trust architecture?
You know, I think there are several reasons why people in the security world are very concerned about different kinds of attacks, and why zero trust can actually help reduce the risks of those. Number one being ransomware; it's in the news, we'll dive into that in a minute. But then there are things like industrial espionage and intellectual property theft, taking trade secrets that are unique to an enterprise and making them available, which, you know, causes companies to lose their competitive advantage.
Then there's also data breaches that involve PII, and we'll also talk about regulations, regulatory compliance, and how those things in themselves are not only a loss, but a potential for big fines.
So ransomware, you know, it's been around really for, you know, probably the better part of 10 years.
But, you know, it got a lot of attention around the 2016-2017 timeframe with WannaCry and NotPetya; it really came to the fore as a cybersecurity topic that sort of got out into the mainstream news. And now we see targets including, well, pretty much anything and everything, you know, hospitals, clinics, schools, state and local governments, you know, big companies, little companies, nonprofit, charitable organizations.
I still hear occasionally from people working in small to mid-sized businesses that don't think that they're at risk, but more and more they find out that they indeed are at risk from ransomware. You know, a few statistics here: I saw relatively recently that attacks against hospitals in the US were up around 94% over 2021, you know, and of course that's a terrible thing, and you wonder why this may be happening.
Well, you know, medical organizations can't really afford to be without their data. So unfortunately, they in many cases have paid ransom. We've also seen a change in the tactics.
You know, ransomware used to be a bit opportunistic, but now we see access brokers selling access to RDP accounts to get into organizations to, you know, steal the data, leak the data, sometimes without even encrypting it.
And we also see other kinds of actors that take, you know, APT, advanced persistent threat kinds of techniques, doing the same thing, or, you know, we have, you know, cases too of simply destructive malware that masqueraded as ransomware, and all this variety in attack types disrupts businesses, supply chains and even economies. If you think back to last year, the attack on the pipeline company hit the IT side rather than the operational technology side.
But, you know, out of an abundance of caution, they shut down production. And that had follow-on effects to many, many businesses outside the one that was initially hit.
So on the cyber crime side, again, you know, who are the targets?
Well, any organization that deals with money or something that could be converted into currency, and you see the list here at the top, it's very broad as to the kinds of organizations that can be hit with cyber crime. You know, we've seen, in the last few years, data breaches that have affected social media companies leaking PII of more than a billion users, and many individual data breaches have totaled, you know, more than a hundred million user records per incident. And according to Cybersecurity Ventures, cyber crime costs in total will top 10.5 trillion by 2025.
I mean, that's almost an unfathomable number.
So, you know, in the last couple of years we see organizations asking us about Zero Trust for how to enable their business.
You know, with the pandemic, the work-from-home, work-from-anywhere paradigm has become not only more prevalent, but it's just the way of doing business. We have employees everywhere. We have employees traveling, we have contractors, and this is the way it will be going forward. So you have employees who need to get access to enterprise resources from all sorts of locations. It's also spurred on cloud adoption, and more organizations have sort of started their journey to the cloud.
So you have, you know, a number of different cloud resource providers that most organizations have access to; it can even be difficult to get a handle on which software-as-a-service and infrastructure-as-a-service providers you may be using. There's regulatory compliance. Various regulations require things like MFA, multifactor authentication, you know, specific data-level controls. Then we also see network and security convergence.
The SASE market, that's a report I'm working on right now, Secure Access Service Edge: it packages networking with security, including a number of different security tools that we've been talking about for years. You know, it's packaging to make it easier for organizations to consume and deploy, and it really needs to be founded on zero trust principles for access.
Lastly, digital transformation is still ongoing and has been accelerated in many cases, again, due to the pandemic, and zero trust access is something that certainly helps protect organizations that are in the midst of digital transformation. So let's look at the background a little bit. What are the building blocks? So it starts with identity. We believe it's digital identity, the types of credentials.
It can also encompass, and should encompass, device identity, where the device that the user is using to make a given access request should be considered, along with the network, network identity, the systems, the underlying systems that users may be trying to reach, the applications that are hosted on those systems, the data objects that they're trying to access, and lastly the software that makes up this entire ecosystem.
So, you know, again, looking at the left, we see identity as kind of a core component, and it sort of builds through this process to a need to understand all the attributes. And I'll try to dive into that a bit later too. So zero trust covers it all. Zero trust architecture requires continuous risk evaluation of all these different factors.
I wanted to mention the NIST Special Publication 800-207. I like this document a lot.
I think it has, you know, boiled down a lot of the basics, the tenets of zero trust. Number one here: all data sources and computing services are considered resources, and that requires, you know, resource-level authentication and authorization for each object. All communications should be secured regardless of where they originate or where the data is stored. We need to get away from the idea of the inside versus the outside. Access to individual enterprise resources must be granted on a per-session basis.
Access to the resources should be determined by dynamic policies that include, you know, the end user's identity, the application or service that's hosting the data object, the device attributes, and then various environmental or behavioral factors. You know, this takes me back to the XACML reference architecture, which sort of encompasses those things as well.
You know, making policy-based decisions based on attributes that cover user, source, resource, network, you know, a multitude of attributes for the most fine-grained access control.
Then, you know, another great point that NIST makes is the need for continuous diagnostics and monitoring. So the enterprise monitors and measures the integrity and security posture of all the assets; all resource authentication and authorization happen dynamically and must be strictly enforced.
And then again, the enterprise should collect as much information as possible about the current state of the assets, network infrastructure, communications, and constantly be looking at their overall security posture. So I mentioned regulatory compliance.
I think, you know, top of mind for many has been privacy for several years. I mean, GDPR has been around, you know, four and a half going on five years. But we've also seen regulations arise in other places, and other privacy regulations have been around for years too.
You know, so we've got California; many individual US states now have privacy regulations. Other countries, you know, Canada, Singapore, Australia, there are many, and you know, they're not necessarily the same as GDPR, even though it's received a lot of attention over the last few years.
The way individual jurisdictions decide to create their own privacy regulations can differ significantly. Then we have finance, you know, finance regulations like PSD2 in the European Union, which requires strong customer authentication, which is again, you know, very closely aligned with a zero trust model.
Other regulations or standards like 3DS2, the New York CRR 500, and there are other examples too of financial regulations that can be well served by a zero trust approach.
Same with healthcare; healthcare regulations, including privacy regulations, can have some governance there, but we have HIPAA, HL7.
You know, we don't often talk about export control laws, but these are regulations enacted by various countries that can pertain to specific kinds of information that should or should not be shared with organizations or individuals outside particular countries. And that can be somewhat similar to national security, which, you know, is classification-to-clearance mappings. Intellectual property: there are regulations that govern that. Like in the US there's the Uniform Trade Secrets Act.
There are other intellectual property control schemes as well, and each individual company or organization probably has its own security policies that need to be complied with. And there are industry trade associations, lastly, and they many times offer specific frameworks and standards for collaboration. And many of them have elements of zero trust architecture sort of built in there as well.
So at the network layer, zero trust means, first of all, don't trust the network, you know, and this means the entire enterprise network.
We used to think in sort of a fortress mentality of the inside versus the outside. We had firewalls and we, you know, believed that that would always take care of most of the problems that we might encounter. But today there's much access from, you know, contractors, business partners. So the firewall is necessary, but not sufficient in many cases. Then there's the cloud, increasing use of the cloud. How do you secure that? We've mentioned work from home, work from anywhere. All this needs to be considered untrusted. Why?
Because, you know, many organizations, whether they know it or not, have BYOD, bring your own device. People are using their own devices; they may not be controlled by the enterprise.
You need to be able to enforce security on those devices in some way or another. So it's best to start by not trusting them. And that expands beyond just the device: files, code, applications.
You know, we saw, like with Log4j, that a lot of code that gets commonly included in other applications can have problems as well. So those kinds of resources too cannot be inherently trusted. Other infrastructure, you know, if it's not owned by the enterprise, the remote workers' machines and sites. And then lastly, communications, both in storage and in transit, should be encrypted and secured.
So I like this.
Again, this comes from the Special Publication 800-207. I like how we see a clear distinction between the control plane and the data plane. In the data plane layer, again, kind of thinking back to the XACML reference architecture, you have a policy enforcement point, which should be in front of and protecting all the different enterprise resources that are out there, so that you can make per-session relevant decisions about access to specific resources. That's what lives within the data plane.
Outside of that, in the control plane, we have things like the policy decision point. That's where the decisions themselves should be made. There should be a policy administration point outside as well, taking in information from, you know, IAM systems, LDAP, wherever policy is stored and wherever, you know, user behavioral analysis or other policy information might be utilized. So time for a quick poll question. Where is your organization on the zero trust architecture path? Would you say you are A, interested but it's not yet planned or budgeted?
B, in the early stages; C, it's already underway; or D, zero trust is already in place. We'll give you a few seconds to answer that question.
Okay, thank you. And again, we'll look at the results at the end of the session here. So let's talk for a couple of minutes about zero trust for cyber resilience. So I've built a list, kind of a long list here, of capabilities. I'll try to quickly go through these. Comply to connect.
This is, you know, enforcing patching, both at the operating system and application level, and hardening as a requirement for network-level access. PAM, privileged access management, you know, enforcing the principle of least privilege. Then macro-segmentation at the VLAN level. Micro-segmentation, you know, SDN, using network access control. Having hierarchical PDPs, again, getting the PDP into the data plane in front of the resources, but having that, you know, be logically a hierarchy that can draw from enterprise policy.
Having those application-specific PDPs for the most granular and distributed access control, again, covering data objects, you know, if it's not an application, if it's just content management or file repositories, again, having data-object-level access.
And then many organizations today use portals, reverse proxies. These should be plumbed in with zero trust network access, IAM systems as well, so that, you know, if you are offering a portal, you can apply zero trust attribute-based access control kinds of policies for those types of access situations.
Then, you know, secure by design; many use agile delivery methodologies. Building security in is very important, as is encryption, access control at the data level, data classification and tagging, you know, this is often implemented as doing discovery, classifying the documents and placing metadata on the documents for the access control system to read. SOAR is a type of tool that we see more and more in enterprises today; if you're going to have access from outside, I think it's great to have the ability to have automated responses and investigative and forensic capabilities.
Endpoint protection, also important. User behavioral analysis, knowing whether the request that the user is making now is similar to ones that have been made in the past, and taking input from various other security subsystems as well. A risk engine to, you know, make the policy decisions. And then lastly here, DLP, data leakage prevention, again, is another way of enforcing data-level access control, at the endpoint particularly.
So kinda putting it all together here, how do these zero trust capabilities help build in cyber resilience?
Number one, I think these are measures that you need to put in place to protect and prevent access from untrusted devices, which, as we've talked about, zero trust kind of means all devices are not to be trusted at the beginning phase; enforce the principle of least privilege; and be able to contain the rare successful attacks. We acknowledge that, you know, best efforts can sometimes be overcome. So being able to contain and limit the damage that can occur is important. Prevent credential discovery and misuse.
And we talked about access brokers selling, you know, internal access to companies' resources; prevent the attacker from being able to get in and do recon. You know, in the case of ransomware, again, they take APT-style tactics and exploit those today. So recon, lateral movement, data exfiltration, everything that applied to APT prevention, discovery and remediation really applies to ransomware types of events these days.
And then decrease the risk of data loss through encryption, theft, destruction; have a backup plan, backup and restore testing; and facilitate incident response and mitigation.
So here we'll take our second poll question, and we're interested in knowing: has your organization conducted ransomware incident response training and testing? And here we have A, yes we have; B, no; and C, not yet, but planned. I'll give you a few more seconds here on this one.
Okay, well thank you. And again, we'll take a look at the results here in a couple of minutes. Right now I encourage you, if you have any questions for us, please feel free to enter them into that GoToWebinar control panel and we'll take them at the end. And with that, I'd like to turn it over to Trevor.
So one of the, I think one of the key things with this, and John mentioned it at the start, is around cyber resilience. And one of the key aspects of the stat that he raised, it's written down about the attacks on hospitals up 94%.
And one of the key things that we see is that some of the cyber gangs are actually threatening to do things like prevent the operation of intensive care, or maybe, you know, target some particular patients, or stop the operating rooms operating, unless they actually pay money. So the ransom has gone beyond just releasing data and things like that to actually denial of the service that they're delivering. So it becomes important that organizations become what I saw written down as being attack tolerant.
So making sure that, fundamentally, if there is an attack, it doesn't prevent the delivery of those services. And really cyber resilience is now a priority for business leaders and not just cyber security people. And this was raised at the World Economic Forum earlier in the year, and they defined a whole series of activities around how to improve cyber resilience.
But with some of the attacks that John referenced earlier, that ability, and especially Colonial Pipeline and things like this, we saw Maersk a couple of years ago, that whole ability to maintain the business while under attack becomes absolutely key. And this needs to be a focus of security teams everywhere.
And some of this comes on the back of a lot of changes that we see in business.
So, you know, within a lot of areas we see the move to what's called Industry 4.0, which is really the hyper-connectivity of different services within a business that historically wouldn't be connected. So the increase in automation, the integration of those automated processes into ERP platforms, you know, a wide variety of things.
And a lot of this actually comes on the back of the pandemic, because many organizations have actually accelerated their digital transformation because of the impact of the pandemic, because of the lack of maybe staff, because of the cost cutting, because of the need to work remotely and deliver services to customers on a remote basis. So what we've done here is to actually map two things. So we've mapped the pace of digital transformation across the bottom and what is effectively the cybersecurity resilience, or digital or security transformation, up the side.
And it allows us to effectively segment business types and how they're operating. Because in the bottom left-hand corner we see the digital conservatives or digital laggards. So organizations that haven't necessarily pushed down that route as quickly as others. This could be cost, it could be the industry they're in. And also the challenges, because they haven't necessarily increased their security resilience. Now in the bottom right-hand corner, we have what we call the cyber sprinters.
So these are organizations that have gone, you know, full on into digital transformation, but they potentially haven't taken security people with them. So I talk to a lot of organizations and talk to security people where they say, you know, the business people are moving far too fast, they're creating risk, they're creating challenges that will come in the future. But then on the flip side of that, we have the security blockers.
And this could be because of regulation; it could be because they are in an environment that is complex, that is difficult to transform. And then, I guess, where everyone wants to be, which is fundamentally cyber leaders. And this is where the business and security teams have really worked together to be able to reach that position.
It's, you know, I guess where we all want to be. So it's a case of making or getting the business transformation people not to transform as quickly as they'd like to do, but to potentially then transform the security to map into that environment. Now the good news with this is that we have zero trust.
So whereas before we would tend to focus on solving the security problem that was in front of us by potentially buying the next technology, which is not necessarily the wrong thing to do, it was just how things were done in the past, because we spent a lot of time trying to detect, find the bad things and keep them out.
Whereas the good thing with zero trust is that it allows us to identify the good things and let them in.
But the challenge is that no one really owns zero trust. It's, you know, defined by the industry, it's defined by different vendors, it changes to a certain extent with who you talk to.
So it can appear to be very complex and it can appear to be a very difficult journey. But the good news, as John mentioned, is that certain things are very well defined. So there are two main zero trust principles that were defined right at the start of Zero Trust by John Kindervag. And this was, you know, assume breach and plan for it. Now the reality here is that if you assume that either you have been breached or you're likely to be breached soon, then your security team become a lot more proactive.
You go hunting for those attacks, that ransomware, rather than just reacting to what's going on. And then, as we said, the key thing is to only allow least privilege access, that is, restrict access where possible. The other piece of good news, as John mentioned, is that NIST have created their special publication for Zero Trust. And this is on the back of the fact that, you know, President Biden basically declared that all government agencies need to implement zero trust, but because it wasn't actually defined, it needed definition.
And so the NIST Special Publication 800-207 for zero trust allows us to do that. And it's not the fact that it's a global standard or anything, but it gives us a framework to start with. It gives a framework that a lot of local, other frameworks can be based on.
So what we've done is really to take that whole piece and sort of looked at the cybersecurity framework and the new framework for operational technology and really boiled it down into three simple steps for cyber resilience.
But I do recommend that you read all of the NIST documentation, because it actually is very useful. So step one is really about identifying areas of highest risk. So if you can identify where the potential threats come from, then you can react to that. The second one is to develop an incident response plan, which is, you know, fundamentally what happens if you're attacked. So there's the poll question about whether you have tested your reaction to ransomware. So this is all part of that process.
And then the third one is really to develop a long-term recovery strategy, or a long-term strategy on how to protect yourself in the future.
So if we look at the first one, identify areas of highest risk, there are a lot of models out there for mapping risk, like this one; you know, you're free to choose your own. And what this does is really it maps the likelihood of a threat event initiating or occurring in various departments or various parts of your infrastructure.
So going back to healthcare and hospitals, as we spoke about a while ago, the likelihood of an attack on the coffee shop could be very low, but the likelihood of an attack on intensive care could be very high. And then across the top we're looking at basically, what is the result of that attack, what is the impact?
So again, if it's the coffee shop, it could be very low. If it is intensive care, it could be very high. So what you can do with this model is fundamentally to plot all of the different functions within your business, either by function or by application or by any sort of process. And then it gives you the chance to start applying the rules and the various things that you need to do with it.
Part of that, and this is defined within pretty much every NIST document, is the ability to map all communications to understand what the risk is.
So, you know, being able to take things like medical imaging and medical records, and be able to see what communication is happening within that environment. And then to sort of throw in things like remote physicians, which we're seeing a lot more of now, medical equipment: so this could be scanners, this could be pumps, this could be whatever it happens to be.
And then we add in environments for the cloud, because more and more data is being held in the cloud, even in the medical environment, and we want to be able to see the communication between different elements within the cloud and various other systems. We wanna be able to see what's happening in the network, but equally we want to be able to map in things like vulnerabilities.
So being able to see the risk of individual devices, and not only that, being able to see what those devices are connected to.
So, you know, we may use a vulnerability scanner and determine that something is of high risk, but it may only be connected to one thing, whereas something of medium risk that is connected to 20 other systems actually has a much higher exposure. And so we need to be able to deal with that. And then also we need to be able to pull in threat information.
So being able to visualize in, you know, a single view the risk within your organization becomes very useful, because you can then use that to decide where to apply certain policies to be able to remediate those threats. So it looks a bit like this.
So you are mapping between workloads, applications to devices, systems to external domains, applications to cloud services, and IT to OT. And by working with some of the specialist OT scanning companies, we're able to actually pull that information in to be able to get a lot more detail on exactly what's going on.
So step two, which is basically develop an incident response plan. The thing with things like ransomware is they get into an organization and they learn, use lateral movement to try and get everywhere, because the more places that they get, the more chances they're gonna get high-value assets. And the challenge with that is obviously, once they're in, then they start to move around, they start to infect more, and ultimately they can take control of the entire system.
And we've seen this time and time again with many, many attacks over the years: because this ransomware is able to get everywhere, it causes real problems.
Now the thing is, we know that ransomware can only use existing communication protocols like RDP or SMB or Telnet or SSH or one of these sorts of things.
So basically, if we then understand what those potential risks are from those highly connected ports, those, you know, peer-to-peer ports, the well-known ports that they use, what we can then do is put in a barrier to protect those systems by blocking those particular ports. And that stops the ransomware moving around. So even if you get infected, you're only gonna get infected at the entry point of that attack, and it's not gonna spread throughout the organization. But obviously what we want to then do is to punch some holes in that for that least privileged access.
So by doing this, what we are doing is protecting those high-value assets, even if there is then an attack.
And the other thing we may want to do is to sort of put some automatic response in there. So John talked about SOAR systems earlier; he talked about detection. So if we are running some monitoring detection, which could be EDR, NDR, one of these sorts of things, and a workload becomes infected, what we can do is to quickly and automatically isolate that workload to prevent any communication happening.
Now it could be an individual workload, it could be a system, it could be, you know, whatever it happens to be. But the ability to almost instantly do this then allows things like EDR to do what they do better and quicker, because they're operating in a much smaller space. And then the final piece is basically, you know, build a long-term strategy. And this really comes down to implementing zero trust.
And one of the, I think one of the challenges that people have with Zero Trust is that everyone claims various bits of it, and it can be, you know, quite daunting.
But if we actually look at what the Zero Trust taxonomy is, and what we're dealing with here is: so we have what John mentioned, which is zero trust network access, which is sort of like the next-generation perimeter. It pulls a lot of technologies together and improves the way that users get access and verified access into the network. There's zero trust segmentation, which I'll talk a bit more about in a moment. And then obviously there's zero trust data security, which is, you know, all about secure restoration of data.
So, you know, it's making sure that the data that you are using to restore is actually secure.
Now zero trust segmentation is about controlling the communication between those verified systems and assets.
So, you know, what you fundamentally end up with is this concept of being able to ring-fence various functions. So again, we look at a hospital here; we can put a secure ring around things like the image management system, the bedside care or the electronic medical record system. And what that means is that any attack in any of those areas doesn't reach or doesn't spread into the other areas. And that sort of keeps that whole piece safe.
But obviously, again, we want to be able to allow that least privilege access for only the systems that need to communicate with each other to be able to actually do that. So what we end up doing is this sort of thing. So by putting segmentation in place, we are making sure that a hospital, or it could be a factory or it could be energy or it could be anything like that, is still able to operate regardless of whether or not there is an attack.
So that allows organizations to build their cyber resilience to protect themselves in the event that there is, you know, a potential cyber attack.
So with that, I'd like to thank you and really hand back to John again.
Great, thanks Trevor. So, you know, before we look at the poll questions, I thought, you know, you make a really good point about, or maybe I kind of extrapolated away from that, but you know, who owns Zero Trust in an organization? You know, since it does sort of cross disciplines and responsibilities, where do you think that rolls up to?
I mean, I guess the natural answer would be the CISO, but you know, it can encompass so many different parts of security and identity. You know, maybe this is something that makes it difficult for organizations to really roll it out as widespread as it needs to be. I think that was a really good point you made.
Yeah, I tend to agree, and it's quite interesting that when I've run Zero Trust workshops, there's a lot of discussion about trying to get management and executives on board with the process. Also some challenges with works councils, because there are obviously some identity privacy issues that come along with that. There's the name Zero Trust; people get a little jumpy, like, don't you trust us? The reality is, yes, it has to be the most senior security person, but the board, the executives, have to really be in the process.
So, you know, Zero Trust is all about maintaining the functionality of the business. So it has to operate at the highest level. It can't be just like one person in the security team saying it's a good idea and trying to do it.
It's got to be the whole company, right down to individual users, you know; everyone has to really buy into that whole process.
Yeah, I think, you know, exposure through the news about so many different incidents over the last few years, whether they be, you know, PII data breaches or ransomware or whatnot.
I mean, I think the average level of awareness has just been increased because of the, the prevalence of these attacks. I think it is easier to get users on board with these kinds of changes, you know, because of the exposure through the news.
I think you're right, and I think, weirdly, TV drama is now really, they all get very excited about cyber. So the number of TV dramas that we're seeing where there's, you know, some sort of attack or some such thing going on, all of this does raise the profile, because, you know, many years ago I'd go to parties and say I work in cybersecurity and no one would have a clue what I did. Everyone's an expert now, so, you know.
Yeah. Well, let's take a look at our poll results. So the first one: where's your org on the Zero Trust architecture path?
Okay, this is interesting. Let's see. Interested but not planned or budgeted: a little more than one in five. At the early stages: more than 50%. And then either well underway or feel like Zero Trust is already in place: about a quarter.
That's pretty good. I'm surprised by the responses, but on the whole this is a good indication that the messages are getting out there. Any thoughts on that, Trevor?
Yeah, I think it pretty much lines up with conversations. If we did this two years ago, the number of not budgeted, not planned would be much higher. So I think a lot of people are on the journey. It doesn't surprise me that the "we've done it already" is actually quite a low number, and I'd be really interested to know what those respondents have actually done.
So have they done ZTNA, or have they done ZTNA and segmentation and backup and all the other pieces? Because, you know, sometimes I talk to people and they say we've got Zero Trust, and they've put in remote access. So there is that sort of perception of, when is it finished? So it's difficult to know.
Yeah, good point. Let's take a look at the second one. So has your organization conducted ransomware incident response training and testing?
Yes, 53%. Excellent.
No, 35%. Not yet, but planned, 12%. So almost two thirds either have done it or have it planned. That's great.
Yeah.
Thoughts on this one?
I'm really pleased.
Yeah, I'm really pleased by that response, because a lot of the time, to do that testing requires support from the business to almost be able to turn things off, you know, to sort of play war games with it. So if that's happening, that's a really good sign, because too many organizations, and I don't know whether it's easier in a bigger or smaller organization, but too many people have no idea what would happen.
And sometimes the result of what actually happens is different to what the plan is. So, you know, I think that's a really positive sign.
True. So let's take some questions.
Again, if you have a question, feel free to put it in the GoToWebinar control panel, in the question blank, and we will take that. So let's see, the first one we have: if I have EDR, then why should I also buy Zero Trust segmentation?
You know, one of the things we often like to say is that Zero Trust is an architecture, it's a guiding principle; it's not really a product. So EDR, endpoint detection and response, has a role to play in an overall Zero Trust architecture, but it's certainly not everything that one would need. And that again kind of makes it a bit more difficult to get to a full Zero Trust architecture, because it does require sort of revamping the architecture where you find it to be insufficient.
So it is bigger than EDR, in my view. EDR does have specific functions that can contribute to it, but segmentation, which is part of the question, again, that's for containment. Thoughts on that, Trevor?
Yeah, I think absolutely EDR is fundamental to all protection against this sort of thing. I think there are two things that are really interesting that we've seen happening, and one is that the ransomware gangs have really put a lot of effort into evading EDR, so, not super successfully.
So it may be that where things were 99% successful in stopping an attack, it may be that they're now 98%. But it's always the case that the way EDR works, the way that it comes up with a conclusion, the way that it then enforces that, can sometimes take some time. It may not necessarily be reliable all the time.
So by putting in segmentation, you're containing that attack, and that actually makes EDR more efficient because you're fishing in a much smaller pond. And there's been some research done that shows that if you can segment the network, it makes EDR about four times quicker to be able to find and remediate against those attacks.
So I think one of the key pieces that John mentioned there is, you know, zero trust isn't a product, it's a, it's a whole series of things that need to be put in place to be able to, to be able to deliver that level of protection.
Agreed.
Let's see, the next one. You both mentioned this several times, but what if I have OT, where does that fit? Well, first of all, where do you start defining OT, operational technology?
I mean, to me that means, you know, broadly either (a) critical infrastructure, you know, power generation and distribution, water treatment plants, or (b) industrial control systems, you know, manufacturing, warehouse, fleet logistics. They're very different kinds of use cases with widely different kinds of devices and operating systems and identity management schemes that back them up.
And then many of those industries have regulations that may either explicitly state or hint at elements of Zero Trust themselves. It's a big topic and a great topic, and I think it's one we should definitely discuss more, but in the interest of time, I'll see what you have to say on that, Trevor.
Yeah, I think it's interesting. Again, you know, there's legislation around the world, in various countries across the EU, to do with critical infrastructure and protecting OT.
And again, in the US they've sort of issued some legislation saying you need to be more protective, which basically, you know, almost is defined as "do security better". But the good news is NIST is coming to the rescue again; they're working on a draft cybersecurity framework for OT, and it's very similar to the way that we do things.
I think one of the challenges that everyone faces is that traditionally we would use something called the Purdue model to basically build layers of protection for ICS and various other devices. To a certain extent that's breaking down because of Industry 4.0 and the integration of some of the higher levels into ERP systems. So we need to sort of modify that slightly. And I think that's the challenge that everyone faces.
So, you know, for instance, at the moment I'm at a trade show in Dubai, and the one thing that is noticeable on everyone's trade show stand is that somewhere it's there; it's a big subject. It'll be a bigger subject in the
The next question. This is a good one too. How do I segment in the cloud?
You know, I think that can be quite complex. And I guess it depends on whether you mean infrastructure as a service, you know, full virtual machines, or data objects stored in, you know, collaboration platforms or email. So the width of that question demands a pretty wide answer as well.
I think it all has to be based on the identity of the individual making the request, the source of that request, information about the context of the request, all those things. You know, we're talking about fine-grained access control, the different kinds of attributes that can be evaluated in policy. Typically we've done that internally, but these same kinds of concepts apply to the cloud. But in the cloud, you may be using a popular identity-as-a-service provider too.
Fortunately, both the major infrastructure and software-as-a-service providers understand things like OIDC and SAML. So you can get basic and extended identity information from identity-as-a-service providers as well as, you know, your internal identity management systems too. I'd say use that, build policies that support the level of granularity needed to be able to do segmentation in the cloud. What are your thoughts, Trevor?
Yeah, I think you're absolutely right. It's quite challenging.
So if you are just taking a Linux or Windows workload and moving it to the cloud, that's easy. You just segment it in the same way as you would do anything else. I think when you come onto some of the services, obviously the way that you would put rules in using security groups and things like that, you are then limited by the functionality of the cloud service provider that you are using. And it's quite easy to sort of overwhelm that.
So understanding risk, understanding what is exactly happening, what you need to do, how you solve those problems in other ways, is quite important. But again, one of the key things that is mentioned in almost every framework is the ability to, I guess, treat data and resources the same in the cloud as you would wherever they happen to be. And that becomes an important thing. And so again, choosing the right cloud provider becomes an important aspect there.
Definitely.
So let's see: this looks good for a small company, but how do I employ this on a large scale? I think the principles themselves are pretty much the same between a small and a large organization. The main difference would be complexity and numbers, and different types of systems and applications and data sources and repositories, and even, you know, the types of users and the identity providers for the different kinds of users that you may have.
All those things simply get more numerous and more complex with a large organization, but I think the principles themselves are the same between small and large.
Yeah, I think Zero Trust is as much culture as it is a technology. And so as long as you can push that culture through an organization, that will help a lot.
And again, there is the challenge that when you're deploying technology, it does need to be able to scale, and some do and some don't. So it's about making sure that you're able to plan at scale, as well as to be able to deploy and manage at that sort of scale as well.
Agreed. So we have time for one more. Let's see. If I work in a highly regulated industry, why should I look at Zero Trust when I already have many frameworks?
Well, you know, that's a good question too. There are a number of different frameworks for cybersecurity. You've mentioned the Cybersecurity Framework from NIST. There are others. Then there are also various regulations that need to be complied with depending on where you're operating, from the geographical perspective as well.
I think, you know, this has to be part of an overall risk management plan.
And thinking back to the risk analysis graphic that you had, you know, likelihood versus impact, I think an overall assessment of what are the regulations, what are the frameworks that you have to comply with, and figuring out how to integrate and adjudicate between policies where necessary, if there are discrepancies between what a framework and a regulation might call for; that too is sort of an ongoing process that needs to happen, because the regulations tend to change as well. Thoughts on that, Trevor?
Yeah, I think one of the interesting things that you find, you know, we talk about highly regulated environments, and actually Zero Trust, or the concept of Zero Trust, sort of appears different in different areas. So whenever I go to a healthcare conference, the topic of Zero Trust is, you know, everyone's on it.
And it's a big thing that people are doing in hospitals around the world. When you get into even more regulation, and maybe things like energy, where there is, you know, a whole series of things going on, a lot of the people say, well, you know, we've got all this stuff, we're not going to do Zero Trust, we're going to do this, and they list the things that they're going to do, and fundamentally it is Zero Trust.
So people are doing Zero Trust, but just by a different name. And I think there is a danger that people get hung up on the name of Zero Trust, but you can do it, and it does map pretty closely into some of these highly regulated environments.
So I think as long as people are following the principles, it doesn't matter what you call it. So, you know, I think that's one of those key things.
Agreed.
It's, it's found its way into some of those regulations and other frameworks.
Yep. Yeah.
It's there. You know, a lot of these frameworks almost look like Zero Trust, even if they're just called by a different name.
Well, that brings us up to the top of the hour. Again, thanks to everyone who has attended today, and to those who will watch later. And thanks to Trevor Ding for joining me here today. Thanks Trevor. Thanks everyone. Thank you.
Bye-bye. Bye.