The New Frontier of Zero Trust: Microsegmentation

Apr 5, 2022 3:00 pm4:00 PM EST

Request The Full Recording

Key Discussion Takeaways

With new data risks and requirements on the workload level, microsegmentation has become essential for company security. However, many businesses are still struggling with the challenges of implementing a zero trust segmentation strategy for their overall framework. So, how can you start to develop this approach to protect your network quickly and effectively?

The first step to building a microsegmentation strategy is to identify what data matters most in your network — your “crown jewels.” While you want to have centralized security policies, your workloads should be segmented in a way that increases your control over the flow of data. This way, you can prevent and reduce the spread of suspicious activity and attacks, especially around your most important assets. 

In this virtual event, Greg Irwin chats with John Duronio, the Director of Strategy at TrueFort, about how to overcome the obstacles of implementing a microsegmentation strategy. John shares examples of companies that have successfully deployed zero trust segmentation policies, the process of implementing this strategy in hybrid environments, and how TrueFort helps clients protect their workloads from harmful attacks.

 

Here’s a glimpse of what you’ll learn:

  • John Duronio explains how TrueFort helps clients deploy microsegmentation and protect their cloud environments
  • One company that overcame the challenges of implementing a successful microsegmentation strategy
  • The criteria to start with when building your microsegmentation project
  • How long does the design and discovery phase typically take for large organizations?
  • The day-to-day requirements of running and optimizing a microsegmentation product after it’s been deployed
  • John discusses how microsegmentation solutions differ in various complex environments
  • New security risks and requirements, and how zero trust segmentation helps
Request The Full Recording

Event Partners

Guest Speakers

John Duronio

Director of Strategy at TrueFort

John Duronio is the Director of Strategy at TrueFort, a platform that helps companies secure their data center and cloud environments. John has over 20 years of experience in cybersecurity, previously serving as a Senior Sales Engineer and Security Architect at McAfee. He has worked with both startups and large enterprises, holding roles such as CIO, CTO, and Deputy CISO. Currently, John is a frequent speaker and strategist on wide-ranging security topics, specializing in industrial control systems and critical infrastructure.

Greg Irwin

COO at BWG Strategy LLC

BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.

Event Moderator

John Duronio

Director of Strategy at TrueFort

John Duronio is the Director of Strategy at TrueFort, a platform that helps companies secure their data center and cloud environments. John has over 20 years of experience in cybersecurity, previously serving as a Senior Sales Engineer and Security Architect at McAfee. He has worked with both startups and large enterprises, holding roles such as CIO, CTO, and Deputy CISO. Currently, John is a frequent speaker and strategist on wide-ranging security topics, specializing in industrial control systems and critical infrastructure.

Greg Irwin

COO at BWG Strategy LLC

BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.

Request the Full Recording

Please enter your information to request a copy of the post-event written summary or recording!

Discussion Transcription

Greg Irwin  0:18  

My name is Greg Irwin. I'm one of the partners at BWG, and I've been moderating our technology and cyber discussion groups for the later part of nine years. These are interactive forums. Many of you I've spoken to over the year. So I'm meeting for the first time, thank you all for joining. We're co hosting today with TrueFort, and we're talking about zero trust. And in particular, we're going to zero in on micro seg. And talk about different use cases, how it fits into an architecture and try and get into the weeds as much as we can, without getting too far that we're all within, you know, just just dealing with like a tech talk, I want to talk about how micro seg is really going to fit into the overall framework and kind of bringing out some real world stories. If you're in a spot where you can turn on your camera, please do it'll make the conversation a little bit better, a little bit richer. If you've got kids or dogs or cats running around and, and you can't turn on your camera. That's the way the world we understand no harm, no foul. Also, we're gonna make this a little fun today. So one of my favorite things in these is to run is to spin the wheel. We're going to do that today. So at the end of our call, participants will spin the wheel and somebody will win a $250 gift card as a thank you and just, you know, appreciation for your time and participation. And I mean that in terms of participation, I'm going to spend some time with John Duronio of TrueFort talking about his perspective. But I promise it's much more fun when we can go around the group and people people can talk about maybe the some of the successes, some of the challenges, some of their roadmap, and we can kind of learn and hear from other organizations. So I am going to ask to go around the group. And the chat window is incredibly helpful in doing so. So before I get too far down the path here, let me bring John in to the discussion. John, thanks so much for Cohosting with me today. Do me a favor, give out a personal intro and give a little intro on TrueFort.

 

John Duronio  2:35  

Yeah, thanks for the opportunity, Greg. So we're excited to have so many people attending today. And my background is I was a I'll call myself a recovering CISO, but I was actually the deputy CIO. So in my joke was always my boss was too busy being in meetings all the time to get the actual work done. So that's what my team did. So, no, but I did that for about seven years, and industrial controls kind of area. And in that space. When I first started out in my career, you know, 25 plus years ago, it was very much flat networks, and things are moving towards virtualized and so on. And now all software defined, but it's really interesting, you know, kind of seeing that evolution happened. And I joined TrueFort last year, about seven months ago. Verily, you know, really excited about the kind of unique way that they approach that micro segmentation space. So thanks for joining everyone.

 

Greg Irwin  3:28  

John, I'm gonna ask for a little bit more, you know, I don't I don't like we don't do the full presentation or sales pitch. But you should tell us TrueFort. It is. All knows who you are. Okay, yeah, tell us some of the the marketing highlights here for who you guys are.

 

John Duronio  3:46  

You know, it's interesting, because a friend of mine recently posted on LinkedIn, he was hearing a vendor's pitch. And he said, after 10 minutes, he still didn't know what they did. To your point, it's very important to really clearly explain what we're doing is micro segmentation at the workload level, so for the applications that companies run, specifically saying, you know, if you have a unique way that you want to segment, we can do this by workload, a workload, you know, we can do it by segmenting off certain data that might be kind of the crown jewels. By identity, these service IDs aren't, you know, able to have passwords reset, because they're critical, they can bring the application down, but we don't want them touching these types of applications, and so on. So we really have been able to help customers very large customers starting out, which is really interesting as a startup, because that's really the ones that have the biggest challenge, right? Because they have a lot of custom applications and things that they've written, but we're also seeing now in the mid market segment, the same thing and the same challenges. You know, you have a lot of compliance regulations that come out now that actually say you have to do microsegmentation and we'll talk today about, you know, kind of my thoughts on why that is and because again, anyway, I used to have to manage a lot of incident handling and so In response, it really is about that breakout time is getting so short, that once they are, you know, able to infiltrate the network, they're able to laterally move across very quickly now, so. So our company we started six years ago, our founders, and you know, founder and co founder had built very large scalable systems for very large banks. So he talked about a lot of times the kinds of systems that they were consuming large amounts of data to make decisions, that machine learning kind of algorithm rates to be able to quickly say, Should we buy or trade actually was very applicable to security world, and they recognise that so they built the same type of system, then start monitoring their internal bank networks, to be able to address this and realise that they can actually, you know, create a product from that. So that's where the six years ago, the start of the company began. And it's, you know, it's really interesting, because it's all about big data and being able to consume for a very large amounts of data sets very rapidly make a decision. So that really wasn't the challenge that the company had from the start, because they've done this. I like to say it's a six year old company with a 20 year old product, right? Because they've been developing these types of systems for very large banks in the past, JP Morgan Chase, our CEO was their CIO for, you know, a time as well as Bank of America. And before that, Goldman Sachs.

 

Greg Irwin  6:17  

So, John, I'm gonna pause with you here for a second, I'm gonna come back for some q&a with you because I want to talk about real world use case, but I'm going to ask for help from all participants right now. Do me a favour, wherever you are, let's use the chat in the chat window. Add for me. One question that you want to hear about microsegmentation? I know I've got one. I'm gonna I'm gonna ask John them right now. But tell us the one thing you want to hear. It could be not even directed to TrueFort could be directed to others, like, how many have implemented a Microsoft strategy across your networks? Right now? That's one of the most basic, you know, how do you maintain control in combination with the control panel from Cisco? Or some of your, your network layers? I don't know. Do me a favour, I'm gonna ask everyone, please drop in a question. So that we're sure that we're going to be covering the topics that you all care about. So Chuck, thank you very much. That's exactly the kind of stuff we want. Do me a favour. Everyone else drop your question? Hi, John, let's get right at it, I'll tell you my, my preconceived notion is that microseg is really hard, I mean, really hard. Which means, you know, to actually define what can go where and how it goes, where just the discovery of it, let alone implementing is, is a challenge. Tell us about one use case. And, you know, kind of the real world of what it takes to put a micro segmentation strategy in place.

 

John Duronio  7:57  

So we'll start by, you know, giving an example of a customer, I won't name names, right. But this is a large financial institution that has about 18 different sub companies that they own, all acquisitions that they've made. And as you know, with any m&a, every company has a different, you know, set of baggage that they bring with them. Right. So their use case was we really don't have visibility across all of these different domains to just understand what should we even be permitting to work together? Versus what should we be segmenting from one another? They're running sort of separate operations, each one with their own separate CEOs and separate management, right. But yet, you have to have centralised security policies and be able to control really the flow of the data. So they're their real world challenge was, okay, can you help us with this problem? We actually redesigned the product because we never had a customer with 18 Different Microsoft domains. So we said, Okay, this is a great challenge, we will take that on. And within a few weeks, we were able to meet that use case. And so now they're able to say, okay, great. So within each of these different groups, we're going to do segmentation based on that individual business's needs. And they then work with their business partners, because that's the other challenge that you have is you really have to bring in the business leadership to understand what is it that are their crown jewels, because they're going to be different every single and you know, with every customer that we have, and with this one customer that 18 different, you know, types of crown jewels that they wanted to protect, right? So regulations are different across all of those. And they might have different development environments, because again, their m&a is right. So they did things a different way at each company. So they had to customise that on a per, you know, per domain basis.

 

Greg Irwin  9:40  

Let me we've got a lot of people who just joined in here a little late. Let me remind you, we're speaking with TrueFort. We're talking micro sag, and we're gonna go around the group and talk about some stories. John, as I'm chatting here, you might want to breeze through some of these chat windows. These are the questions we want to cover. And if you missed it, we're going to do a spin the wheel. So basically, I'm going to do, you know, do a lottery. And at the end of the call, we'll, we'll raffle off a $250 gift card, just as a thank you for your time and participation today. So thank you all. Please stay involved. Let's make this a really valuable hour. All right, John, there's some really good questions in here. I think they start from strategy and design. Right? Governance,

 

John Duronio  10:33  

I cover the whole hour with all these questions now that we've gotten. So thanks, everybody. So I'm going to start with a very, you know, kind of first one that struck me, which is, what criteria do you start with? And that's a great question. So let's start there. And I'm going to say that it really is about the business. So you're going to want to pull in, it's just like with a data loss prevention product, right? You don't know what data to protect until you've worked with the business side to understand and how do they value that data? And so we'll work with the customer first to do that kind of discovery and that understanding of what is it that matters? What are we going to what are we going to have to monitor first and then what are we going to have to show you is talking to one another, and then we can start to put policies in place. So until you have that visibility, you can't apply anything. And so that's really the first thing you do to determine the scope, which is what is what is happening, you know, across all of my application space, what ideas are talking to what you know, workloads, and, and then we start to then classify those because not all workloads are created equally, some are for testing purposes, some are for you know, they can never go down there. They're absolutely all have to be live 100% of the time. And so those are going to be probably microservices, we have to apply maybe a different way of thinking about ephemeral workloads versus ones that are always on. So that's the scope of it is really key. And I really appreciate that question because it themselves, you know, just working with development, won't be able to define policies alone, you've got to bring the business in as well and understand the data that you're also really trying to segment, you know, again, to keep the ransomware authors from getting that. And then you have to have your security teams involved because they'll have a different way of kind of threat modelling and thinking about what happens if what happens if we get access to, you know, a customer list, the names of the customers might not seem that critical, right. It's not something that's protected in every industry, I came from the telco industry for a while as well. We have protected customer network information PCI. HIPAA has protected, you know, obviously, you know, consumer data that you have to protect and encrypt. So every industry is a little different. So you start with kind of what is it that you have to protect? And then what can we actually protect what's actually happening, then we'll find the policies to then put out

 

Greg Irwin  12:50  

with that. Yeah, let's talk about discovery phase and design phase. Yeah, that's really where you're at, and probably governance is who's actually running this project and setting the criteria, right. I'm sure all of the answer to this is it's depends. It depends. And I'm sure it does depend. But I'm gonna ask you a specific example. Anyway. Let's say there's a 10,000 person organisation, not not a JP Morgan out there, that that is going and needs to put in a microsecond strategy. How long does design and discovery in design phase take? In that kind of a project? Is that a month? Is it many months? What's some expectations?

 

John Duronio  13:36  

So so I kind of call this the crawl, walk, run right type of a project, because microsegmentation, a lot of times, people have actually failed at these projects, because they feel that they do take too long. So I would say depending on the type of approach, they could take a year or more, even with a 10,000 person company, it doesn't really matter the size of the company. It's really the complexity, because they're all running many, many applications, there's a lot of interdependencies, they're dealing with outdated change management databases, whether you're large or small. So it's a struggle to say what's real, what's actually out there that we can protect. So they've got to start with that first. And that is why again, we talked about that quick time to value, why you can either we use our agent, or so the thing we haven't talked about yet, we have the ability to take your EDR and take CrowdStrike if you've already got it deployed, as one example. So we can then start doing that visibility mapped across a tool you've already deployed, for instance, that isn't really focused on how your applications behave. We take that data and we show you how the applications behave. And then you can start to define your policies once you've done so you can push them out by a CrowdStrike firewall module. Now that's just a network based type wall that you can push out through CrowdStrike with our agent you can do it different ways as well. You can do identity based you can do you know this process can talk to that process. We even call that Nana segmentation. So you get very granular on the policies with origin. But also our agent doesn't require things like reboots, it's not sitting, you know, to not to get too technical, right. But we're not sitting in a layer where you have to restart your systems. So there's an advantage, and it's very easy to deploy that. So we've we've been able to come in where failed projects have happened. And in real, real world use case, one of our competitors was, was doing a project that took over eight months, the customer was, you know, frustrated. And actually, their partner came to us and said, you know, we, you know, we had we hadn't heard of TrueFort before, but you know, we're starting to hear about you now in the marketplace, can we test you against this other solution, and within two months, we were done with the project. So a real world case, that was also sort of a manufacturing type company, almost exactly, like you said, about 10,000 people. So we're on that mission, kind of market type type space, but But again, that's, that's a, your mileage may vary, vary, because again, you might have, you know, the development side has to get involved as well, they want to do testing, they want to ensure that we're not going to break things. So it really depends on the maturity of the policies that that that

 

Greg Irwin  16:05  

organisation has, let's do this, let's start opening it out, and bring some others in. And by the way, as we go, I promise you, there are a bunch of people on this line, who have gone through these projects, who have struggled or had some real successes, did some some smart things in terms of running the projects. And I want to encourage you to answer some of these questions from your peers. So if you have a response to one, with some thoughts in terms of some ideas that you've pursued, because I promise we don't have all the answers here. This is, this is a TrueFort project. This isn't just, you know, flick the switch, and it's done.

 

John Duronio  16:49  

So I come from having to hadn't managed, you know, these types of tools in my past. So I totally get it. And that's a great, you know, a great question. Because all solutions do require some care and feeding. From deployment time, what we begin to initially do is once we're pulling in that data, whether it's from our agents, or it's from, you know, CrowdStrike agents, and again, because we're very independent, we can go on, you know, Kubernetes, Linux, we, you know, we can even deploy on on Solaris, AIX. So it really is very, very varied with our agent. But once we're starting to pull telemetry, and the first thing we do is we begin to build a baseline. And that's really the kind of secret sauce that I haven't touched on yet. But it's, it's so that we start to say, this is what is regularly happening within your application and workloads. And once we built that baseline, and you then can take that, and you can actually just say, Okay, this is what we'll assume is normal, I'm going to allow everything that we've now seen in the last few weeks or month or whatever, however long it takes for all of your different processes to kick off, maybe you do a nightly backup, so only 24 hours is needed to build a baseline, that's fine. But you probably have different change management Windows once a week. Maybe it's daily CI CD. But whatever that process is, we want to make sure we're capturing all of that activity in a certain amount of time, and then build that baseline. So now we can say, Okay, this is what happens, do you want to push a policy that says allow all of this activity, and then just alerting you when things change, right, so then we can kind of create sort of a risk tolerance of, if I see activity going beyond what the actual normal activity looks like, I want to I want to take action. If I see accounts that I know right now can only touch 100 different applications, I can now start scoping, maybe they shouldn't touch 100, they should really only touch 50, or whatever. So we're giving you that visibility, then create a policy, we call those our application policy definitions and APD. And that policy, then the care and feeding that you need to do is essentially see what's deviated. And that can be on a daily basis that might be every you know, our that your your teams are publishing new code. So you have to just work with what your change management is at that point. And then if it's an accepted, you know, accepted change, you roll that into your policy very quickly, and now it's locked down again. So it's really at that it's sort of again, back to the what is the process on the on the dev SEC ops side, that every customer that is going to be a little bit different? It really is one of the big challenges that every customer is going to face is, again, how complex is our network currently, and it's about use cases. So I like the like taking simple use cases and saying, let's start there, like let's say, do you have visibility into how many service accounts you even have? And do you have visibility of what those service accounts can actually access? Right? Because we know that there's less controls around those types of accounts, we know that there's a lot of credential harvesting going on. There are very basic tools that all of these ransomware actors are using. And they're buying and trading on the dark web so that they get the admin password for whatever application and now they're able to do that lateral movement that I talked about. So, so how quickly do you get visibility across? Just what can the current environment pose from an attack surface perspective? And then how can we shrink that surface? That's your first challenge. And then your second is going to be once we've now locked things down, and we were more comfortable, the auditors are happy with the activity. We're giving them visibility they didn't have before. And we're reducing risks that we couldn't really even see before. Now on a day to day basis, when those risks and that deviation does go beyond our thresholds of tolerance, what actions do we want to take, and then it's in that process, we bring our services teams in, they've you know, they've consulted with many of these different types of customers, health care, manufacturing, ensures financials, as I talked about, in the use case, like in one customer, the manufacturer, they just wanted to keep the information technology team from touching anything on the operational side, right. So you got these control systems that are industrial internet of things, they're scary, we can't patch those things, the vendor will break our agreement with them. So we just want to segment that, or the use case of I had one customer where they have to keep developers from accessing production code and doing testing against real credit card data. So we've got to divide those environments. Ken, can you help us do that. So we always want to start with very kind of basic use cases and demonstrate the capabilities there. And then get into when it's a more complex kind of environment, because we're going to be needing to train different groups, the developers, you know, want to have access and see that visibility, as they're making changes. So they have to get change, they'll have to get trained on the product. And then operations has to get trained as well to do the maintenance, the maintenance on the network side. So

 

Greg Irwin  21:36  

the approach for micro sag on prem versus cloud. Is there a standard approach across both? Or does it differ very much in terms of the type of, you know, infrastructure that you're that you're trying to support? You know, that's,

 

John Duronio  21:57  

that's really the challenge that customers have most of the time, it's that they can find solutions that can help them in one environment, but maybe not the other. And so really, that's the kind of classic use case of when they come to us, because, for us, it doesn't matter what that architecture looks like cloud versus, you know, virtualized environments, versus, you know, Kubernetes and clusters, and, you know, or real just bare metal, because that all exists. And a lot of customers, they've got a lot of hybrid, some are bursting the cloud only shortly, and then coming back again. So how do you make sure your policies flow as you do that burst, and that they're matched to what your own, you know, control data centres look like? And I'd like to comment around putting together a governance board right around those things. Because that's, that's really the key, you've got to you've got to have a GRC kind of way of viewing this, of how are we governing security policies, and both of those different environments? And can they match because not, not all tools can sometimes vendors have three or four different, you know, one just for Linux, another one just for Kubernetes, another one just for clout. And so that becomes very difficult to try and manage that. And then to trap as well as not to interrupt. But I mean, I've seen this also where the vendor will say, Oh, that's why you've got to go 100% all in on, you know, our platform approach. And so you got to be wary of that as well.

 

Greg Irwin  23:20  

aren't too and suka please layer on additional colour? If, as you wish here, I'm curious, John, I want to come to, you know, recent customers, and can they standardise the project to be able to cover all of their environment? Or is it very much, you know, we're going to do this for our on prem mullinix, this for our Azure, etc, etc.

 

John Duronio  23:46  

Well, a lot of times it's about modelling what happens when we go from on prem to cloud. And so we're when we go from monolithic to now, distributed architecture and containerized, you know, more and more ephemeral type workloads and, or immutable workloads, right. And again, there's the assumption that as you do that security just somehow baked in, and so you should be fine. My point is always until you can really see what's happening. And you can visualise that activity in those relationships, you really don't know. And so that's a lot of times it's the what if scenarios that we're walking customers through prior to then committing and saying, Okay, now we can take our legacy workloads. And we can say we're monitoring because now we're up in this cloud environment, is really lift and shift. And they've dragged along all this legacy, you know, security policy that was built for a very different environment, or that maybe is slowing things down as they're trying to become more agile. So I would say that a few years ago, financials was almost 100% On Prem. We just saw recently JPMorgan Chase, say they're 100% Now cloud, right? And all new projects will be cloud only. So it's actually evolving as we're talking and it's incredible like how that you know, That change is happening. And I know that obviously Coronavirus brought a lot of this about. So you know, as more people are working remotely and so on, it has changed really, that risk tolerance that companies had had especially highly regulated companies. But the you know, our mix is what we're seeing is really almost 5050, you know, there are still certain things that companies will only do on prem. And that might be like, as I said, a manufacturing control systems that have to be local to where the workload is. Other things are, you know, are much obviously, more dispersed. And they're using content delivery networks, and so on. So the application complexity is always really interesting, because you'll start to see these inter dependencies and these relationships, as we are monitoring and pulling from different environments, but by aggregating that all into a single picture, you know, and that's, that's what's exciting about the capabilities, because, again, the visibility from an EDR is not gonna be the same thing that you're gonna get from your cloud security posture management tool,

 

Greg Irwin  26:00  

right? Can you establish TrueFort, not the sales pitch? But can you implement TrueFort across AWS, various endpoints? And, you know, Linux data centres? Like, can you cover all of it.

 

John Duronio  26:18  

So it really is all about, you know, the, the type of environment. So we had to, for instance, with one customer, they had a customised, Kubernetes environment. Within a couple of hours, we rewrote our Kubernetes integration, we have this thing called pipelines. So we have a very open API. And as long as we can get access to the API, we can essentially ingest very, very quickly. So that didn't take very much time. And, you know, again, it was a very large ISP, actually, who runs their own version of Kubernetes that nobody else in the world have ever seen. And so I personally was really taken aback by that, because that's not a sales pitch. That's actual sales engineers working directly with the prospect, and being able to turn around a POV in just a few hours so that we can integrate. But it's still your mileage may vary, because there are certain workloads that we don't support. So serverless, for instance, right, it's just code, you're essentially going to have some sort of an API monitoring, though that has to happen. And we can still help you visualise what's talking to that serverless workload or that type of workload that we might not support, or that endpoint that we might not support, like an IoT type endpoint, you can still create segmentation policies, just because you're seeing the activity and what's talking to what we're seeing somebody not go through our jump, Oh, somebody's not using my privilege access management tool to do the authentication, we need to use TrueFort to then put that enforcement in place to segment and create a policy that says you you can only log into this environment through this one jump host. And with only these IDs, and only using this P im tool. So that's another use case we have with one of our customers. And it's a very small scope, but that's actually getting them the value that they need, because developers are going and throwing in their own root passwords to things just to test and then leaving them out there. And that was how they were getting attacked. So I'm right now, you know, in a in a competitive situation against the, you know, VMware NSX T. And so I can speak a little bit to the, you know, the customer, why they're looking at us is because software defined in network based, wasn't good enough for their security team, because they felt that again, with with zero trust now, you know, you know, just just themselves, DOD, all the federal agencies with the executive order, given their marching orders that they have to implement zero trust, they're now understanding because there's actually a maturity framework that says a foot out last year, which talks about the controls and whether they're, they're basic, whether they're advanced, and whether they're optimised. So for microsegmentation, specifically in zero trust in the draft of what what is the maturity model look like? The basics are network based micro segmentation to your point. And that's how people have done it traditionally. And that's also why they were turned off by it in the past, because it's very difficult to maintain. And by the way, you know, even as the workload moves, even if you're locked into one vendor, the application itself sits above that layer, right? And you might want to make different policies, as I said, you might want certain processes not to talk to certain processes. And so that really becomes now why the shift left has happened. They're pushing this as something that developers just need to do and bake that in. Right? So infrastructures, code we all hear about, you have to just build your own firewall rules as you're writing your code. And I find that to be a significant challenge because I worked, you know, for many times in projects with development as a gate to review on security side and a lot of times you're kind of coaching the development side because they're, they're under a lot of pressure. They've got to get something out quickly. So there's a bit of a struggle there. Right? So to me again, back to the what is optimised for Cisco. It's identity based micro segmentation In its process based micro segmentation, it's these other ways of segmenting, that are not forcing you or locking you into a Cisco ACI or an NSX T or any other methodology that's just network based only. And by the way, the perimeter is the people. It's tough to network anymore. So you know, one user makes a bad decision or one count gets compromised. And that's how these attacks are happening, as you know, so we've really got to be able to monitor and have visibility, beyond just network layer activity, and segment above, right, at a higher level, you spend a lot of time there's a lot of investment in it sounds like right. So just it's almost kind of like when I ran Cisco firewalls, Palo Alto came to me once and said, Look, let us just sit outside, just do a spanner attack. And we'll see what else we can tell you with the next gen firewall. That's really the same approach that I look at with application based segmentation. So if you put that policy in place, let's see if they're rigorous enough. And then you bring in kind of your red team to also do that stress testing at the same time. And I do think a lot more customers are getting farther along with segmentation, I think I had a prospect come to us just a few months ago, there and their cyber insurer wouldn't re up their policy, because the amounts that they're having to pay out now are so much more. And the one control, they said that if you don't do this, we cannot re up your policy was microsegmentation, which is amazing to see that now being called out at the insurance and insurance levels. What I what I really recommend is, again, that this is now because you know, also SEC regulations are saying that your board has to have somebody that is, you know, has a security background as well, you're gonna start seeing more requirements come in. And so now's the time to start seeing what's the easiest way to implement these things. And so that's, that's really the recommendation that I can make is fine, those those tools that have the least amount of care and feeding that you have to give them, you know, they're using machine learning, and helping you automate decisions. So

 

Greg Irwin  31:54  

vote for Thank you very much, John, thank you, let's keep going, I want to get a rain arrange of inputs here, let's try and get three more involved, we've got luck, we've got about 1015 minutes here, let's finish strong, I think that it'll be interesting, I want to get into some real pain points or real real initiatives that people are working on trying to figure out. And maybe as a group, we can help provide some ideas. One, one other thought, I really want to encourage the ability to let people connect across this group, you all have each other's names here, and you can just go on LinkedIn. But if we can help connect people doesn't have to be TrueFort or BWG, it's really incredibly useful to find people in similar seats, who are dealing with similar things. And I know everybody here has some level of interest or focus around microseconds. So it might be useful, something that I'll encourage people to be proactive about one of

 

John Duronio  32:54  

the primary use cases for pushing us out. Even if they don't have to put our agent on, they just take the EDR data from CrowdStrike to start with, is just to model the application behaviour. And start with that because developers will a lot of times look at that and say, Oh, I thought I shut that service off. Thank you, you know, that was only supposed to be happening during the testing phase and UA T is over. So why is that in production? Those are the kinds of things that happened during these projects, that are the aha moments that, that really help your teams, build these use cases and validate back to management, why it was important to go through the exercise. And why to your point. It's not a point in time. Now we're done. Okay, let's move on to the next project. You know, oh, XDR, okay, we'll do that next. No, it's an ongoing, this is a framework, if you would, zero trust is is not a point in time, after one and a half years, you'll be done. It's a process that it's you know, it's like incident response, it's a cycle. And you'll continue to go through application changes there living and breathing things we always talk about, they're not just what the time they're my vulnerability scan came back with or my, again, my CMDB came back with, and now we're good to go. You got to continuously validate. And that's the other thing about zero trust that I really like it's never trust and continuously validate whether your controls are actually working. So how do you produce that kind of documentation today? You start with something that does have that visibility around the application behaviour at that layer, right? Not not necessarily like the, again at the network layer thinking of like layer seven type application activity. I'm literally talking about like this service, logged on with this account and touch these different workloads at this time. And is that okay or not? And getting down to that very granular and that that process a few years ago, seem tedious to a lot of I think organisations but now with the types of attacks we're seeing, it's it's no longer you know, an exercise. It's something that they're they're all going through, and they're trying to find ways to get faster at response as well. Yeah, but I've seen some vendors that are They're doing containerized based and there's a lot of industrial IoT that's actually talked about cloud. I mean, there, the joke was at BlackHat, a few years ago, there was a go to my hmi.com website. And after they, you know, took it down three different ways the website folded, right, but it was just, you know, for small water authorities, you know, none of us want to have our water rates raised. So there's, they're looking for cloud, they're looking for, you know, efficiencies, and it's going to happen, whether we want you know, what to believe that or not, but, but to your point, I actually find segmentation policies because of Perdue model are better followed and OT than I see it being followed in it. And there's the validation piece. And that's really where I, I've worked with, you know, some of these manufacturers and other OT, you know, an energy, some of our customers, because, you know, I used to do some of this validation, and previous, you know, kind of Pro Services function when I worked in a different industry, but one customer was one on gas we went in, they said, We have absolutely none of our SCADA systems talking to the internet, and we found 18 beacons outbound. That just took us a few days. And that's because people all have their backdoors, right, they all have their own case methods of

 

Greg Irwin  36:11  

John, this was a fun session, this is a good session, this is something that everybody's working on. I'm going to encourage that we, we connect, you want to go deeper on these, I'm happy to connect you with the folks over a TrueFort Oregon, if you want to connect with others across the line, you just have to ask us here at BWG. John, any closing words of comment you've been you've shared a lot today. Any any any final comment?

 

John Duronio  36:37  

I'm just gonna talk about the format is the first time that we've done this. And, you know, I have to say, you know, Greg, thank you for making this very interactive, because I learned, you know, all the time from prospects and customers. And so this has been helpful for me, just to hear how people are approaching and, you know, again, what different strategies that they've used. So thanks, everybody for your time and happy to answer questions afterwards and please feel free to reach out.

 

Greg Irwin  37:01  

Thank you. Thank you, John.

Read More
Read Less

What is BWG Connect?

BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution. BWG has built an exclusive network of 125,000+ senior professionals and hosts over 2,000 virtual and in-person networking events on an annual basis.
envelopeusercartphone-handsetcrossmenu linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram