CYBR.HAK.CAST
CYBR.HAK.CAST is the official podcast of CYBR.HAK.CON., where cybersecurity professionals, hackers, and thought leaders come together to share their stories, insights, and lessons from the front lines of the infosec world. Hosted by Michael Farnum and Phillip Wylie, the show dives deep into topics shaping the modern cybersecurity landscape - from red teaming and ethical hacking to threat intelligence, blue team tactics, and the human side of security. Each episode brings candid conversations with speakers and experts from CYBR.HAK.CON., offering listeners a behind-the-scenes look at the people and ideas driving the future of cyber defense and hacking culture.
There’s No Highway to the Risk Zone with John Kindervag
Michael and Phil were joined at CYBR.HAK.CON. by John Kindervag, Chief Evangelist at Illumio and the creator of the Zero Trust Framework, for a wide-ranging conversation on risk vs. danger, personal resilience, and the future of AI.
Things mentioned:
- Rise of the Machines: A Project Zero Trust Story by George Finney - https://www.amazon.com/Rise-Machines-Project-Trust-Story/dp/1394303718
- Agentic AI + Zero Trust: A Guide for Business Leaders by Josh Woodruff - https://www.amazon.com/Agentic-AI-Zero-Trust-Business/dp/B0FQR3BFS3
- Right Into the Danger Zone: The False Comfort of Risk Management by John Kindervag - https://www.ft.com/partnercontent/illumio/right-into-the-danger-zone-the-false-comfort-of-risk-management.html
- HOU.SEC.CON. 2024 Keynote - https://youtu.be/TOG7EDH6dRw?si=z5PTdh-sOffRnZ3e
Do you have a question for the hosts? Reach out to us at media@cscgroupllc.com
In this episode:
- Host: Michael Farnum
- Host: Phillip Wylie
- Guest: John Kindervag
- Production: Bill Brenner
- Editing: Lauren Andrus
- Music: Kike Gutz
Check out our other shows:
- CYBR.SEC.CAST
- CYBR.Minded
Hello and welcome to another episode of Cyber Hackcast live from CyberHackCon in Plano, Texas. I'm joined by my BBFF, Michael Farnum.
SPEAKER_03: We got another B in here. Yeah, another B. We got three B's.
SPEAKER_02: So, John, if you're not familiar, BBFF is best bald friend forever. Oh, best bald friend, yes. Because Sam was his BB, was his BFF. Yeah.
SPEAKER_03: Yeah, so we had to add the X or other B. So we have three B's.
SPEAKER_02: Yeah, three B's. I'm the newest of the bald B's.
SPEAKER_03: You're the newest, yeah. The young bald guy.
SPEAKER_02: Newly bald. So we got bald-friendly lighting in here today, too. Yeah, we do, yeah. Too much of a glare.
SPEAKER_03: We're gonna tell the story about your baldness on here. But for those of you who don't know, this is John Kindervag, Chief Evangelist at Illumio, creator of the Zero Trust Framework. Honored, good friend. Known you for a long time. A long time. How are you doing, man? I'm doing great. Good. Thanks for coming out to CYBR.HAK.CON.
SPEAKER_01: Yeah. It was tough for me. I had to drive 30, 40 minutes from my house. I know. I'm so sorry.
SPEAKER_03: We're just lucky you were in town. Yeah, you were, actually. Yeah. It's good stuff. How's the show been for you so far?
SPEAKER_01: Good. Yeah, it's good to see you guys up here in Dallas and not just down in Houston.
SPEAKER_03: Yeah.
SPEAKER_01: Kind of expanding your latest. Yeah, expanding your horizons.
SPEAKER_03: Trying to. We have Phil here living locally as well, which kind of helps with the partnership. Phil and I have told the story a few times about trying to get people wanting to get a cyber or a hacker con up here. There's DFW, which is a good show, but it's just at a different time of year, so we were trying to get another HackerCon up here, and we decided to partner up together.
SPEAKER_01: It's good because there's not too many HackerCons left. We were just talking about that. The first one that I attended, in 2006, '07, something like that, was ShmooCon.
SPEAKER_03: Yeah.
SPEAKER_01: And they're gone now, right? I don't know why, but there seems to have been... and then even something like DEF CON or Black Hat has just morphed into another mini RSA; it's just not hyper-focused on that. So in DEF CON, and who knows, AI maybe is going to put all of the hackers out of business, right? Oh, yeah.
SPEAKER_03: Well, I don't know if you've seen our CTF and what Hutch has done on that to keep people from using AI just to do the CTF, because there literally is a "CTF is dead" talk here at CYBR.HAK.CON. too. So it's kind of an interesting time to have that discussion. But yeah. So let's talk about your newly formed baldness. Yeah. So there was an event, what, two years ago, HOU.SEC.CON., and you came and did a keynote. I did. We always talk about hacker origin stories and just origin stories in general, but I think this is a big part of your story, a personal part of your story, that I think is a great thing to talk about.
SPEAKER_01: Yeah, I have a nephew, and when he was four years old, he got a childhood cancer called neuroblastoma, which is a very dangerous cancer. And less than 1% of children get that. It's like all childhood cancers, you're born with it, right? And so I learned a lot about childhood cancer when he was four years old. And then the doctor came back and said, well, he has a 2% chance of survival. And I remember my wife, just up here in Plano, not very far from here, at their house (he's her brother's stepson), said, Well, God doesn't believe in percentages. And I thought, why are we so focused on probabilities in cybersecurity? I started to investigate it and I realized probabilities in risk management were completely a mess. I talked to you when I was down in Houston doing one of your SEC.CON. mini things.
SPEAKER_03: Yeah, the little user group things. The user group thing.
SPEAKER_01: And I pitched you a session that I had just gotten rejected from by RSA called Risk is Danger. And this comes from my nephew's middle name, which is Danger, right? His mom has a great sense of humor, and she wanted him to be able to grow up and walk up to people and go, hey, my middle name is Danger, right? And so his real middle name really is Danger. And I started to think about risk, right, which in cybersecurity we define as probability times impact equals risk. And I realized in cybersecurity we can't define the probability because there's so many variables, right? And so I told you my idea that we needed to switch from risk management, which was problematic because you can do things like accept risk, or you can go after risk. There are some people who just love to take risk, right? You know the people who want to jump out of airplanes and hang glide and do base jumping and fly in those kite suits. There's people who just are attracted to risk, but then when you start to talk to them about danger, right, danger has a different psychological component to it. And so I gave a speech about this origin story of my nephew going through this cancer treatment, and then I applied cybersecurity to that, how we need to switch from risk management to danger management, right? Because there's no highway to the risk zone, right? But there is a highway to the danger zone. And how, if you think about things that are dangerous, you're going to be more likely to want to fix those things. But if you think they're risky, well, I can accept that risk. I mean, how many risk acceptance documents have been written in our business? Right? A lot more risk assessment has been done than vulnerability management. I gave that speech, and then I said, So you're probably wondering what happened to my nephew.
And I pointed out that he was cured of cancer, and I had him come out on stage, and he gave a little talk that was very moving about what it's like to be a survivor of childhood cancer. He was the only person in his cohort of treatment kids who actually survived, right? So it was a very rare event. And then he shaved my head for cancer research right there on stage. And we had 1,500 people crying in the audience, and not because they were bored to tears. It was actually a very profound experience. And we raised over $20,000 for cancer research that is given to MD Anderson Children's Hospital in Houston.
SPEAKER_03: Right now in Houston.
SPEAKER_01: And so I continue to push that message out, which is why I haven't grown back what little hair I have, because it gives me a reason to talk about it. But, you know, it resonates with a lot of business leaders because they could never really understand risk, right? Risk is so, I don't know, fluffy.
SPEAKER_03: Nebulous.
SPEAKER_01: Nebulous, yeah. But danger, you can understand it. So, like in the speech, if you remember, I had a picture of an electrical outlet, right? And so, you know, we can walk by an electrical outlet and not worry about it. That's risk. And then I showed a baby next to the electrical outlet, and no one goes and says, Well, I have a one-year-old grandson. We didn't go and say, Well, let me investigate how many kids get electrocuted under one year old to see whether or not we need to go out and buy the little plugs from Amazon. We just put the plugs in because it was too dangerous to even conceive of trying to figure out the risk, right? So we don't do that in our real lives. We mitigate dangers instead of accepting risk. And so the more that we can get people in cybersecurity to understand that, especially in this area of AI, the mythos stuff and all of the agentic AI stuff that's going on, I mean, it's going to get more and more dangerous, and you won't be able to calculate risk.
SPEAKER_03: From the AI perspective now, how do you see your original, quote unquote, claim to fame, zero trust? How is that factoring into how people are trying to use AI in corporations, not just in the security world, but ultimately it's a security issue?
SPEAKER_01: I've had so many people call up and say it was like zero trust was made for AI. Right. Because I mean, there's books written about it. George Finney, you know George, wrote his second book, Rise of the Machines, a Zero Trust Project Story or something. I wrote the foreword to the book, but I can't remember the second part of the title. But it was about zero trust in the world of AI and how it applied to that. Josh Woodruff just wrote a book called Agentic AI plus Zero Trust, and I do a lot of stuff with him. And it's just like it was custom made for it because it's about protecting data and assets, not about products. And so everybody else in the world has been about products, right? You sell products, you buy products, you install products, versus zero trust is about protecting stuff: data, assets, users, whatever. And so in the agentic world, and I wrote about this for the Financial Times of London, I said AI isn't keeping me awake at night because in a zero trust environment that's properly deployed and maintained with the right policy, there's no rule that allows an unknown resource to send unknown software into your environment. Right? Doesn't matter how sophisticated the attack is, doesn't matter whether the vulnerability is there, there's just no policy that allows it to happen. And that's what I'm really focusing on right now: moving people from thinking about products to thinking about policy. Because we've always lived in a product-centric environment, right? I was a Forrester analyst for eight and a half years, where you're always talking about product, and I was, like you, a reseller engineer for a long time, and I've installed a lot of firewalls, a lot of different kinds of technology. But a long time ago I realized that I can install a great product, but if it's got bad policy, it's completely useless.
So this is about how we do policy correctly to determine whether or not we're gonna allow something to connect to a resource. Right? And so with zero trust we start with a default deny rule, and then we just put in very granular, specific allow rules based upon whether a user or an asset has a business reason to connect to a resource.
SPEAKER_02: Yeah, it's very interesting. And mentioning zero trust, I've got a talk, a presentation I do on how IoT can be exploited to gain access to IT infrastructure, and with the endpoint detection systems getting so much more difficult to bypass, threat actors are finding unique ways to gain access through stuff like security cameras, like in the Akira ransomware attacks. So we're really seeing where zero trust is even more important nowadays, because before there was one way in that they could watch, and now threat actors get more creative using IoT, using AI and other technologies to gain access to those environments.
SPEAKER_01: And that's a good point, because we look at all these IoT and OT devices, and I remember I designed a Zero Trust environment for a country for their smart meter deployment for their electrical grid. 50 million smart meters were being deployed. Well, you know, it didn't have any operating system on a smart meter, right? It had BIOS only, so you couldn't put an endpoint control on it. And what we realized is that the thing we needed to protect was the system that controlled the smart meters, because that would allow people to get in. This was before the Mirai botnet attack. And so when you look at everything architecturally, and when you use the five-step deployment model, which is define the protect surface, what are you going to try to protect, and then map the transaction flows, how does the system work together? That will tell you where you need the controls. And so we figured out really quickly, oh, we need to protect these systems that pull data from the smart meters and push data out to the smart meters, so that people couldn't use that to then get purchase inside the network, because the internal network was going to be flat. And I've always hated flat networks. And even in 2010, I wrote a report at Forrester called Build Security into Your Network's DNA, introducing zero trust network architecture. And I said new ways of segmenting networks must be created because all modern networks must be segmented by default. It is the flat networks that are killing us, because with a flat network, you pay the bills, but it's owned by your attackers. Because they're in there, right? They've been in there. I mean, we're old enough to remember a company called Nortel.
SPEAKER_04: Oh, yeah, right?
SPEAKER_01: I mean, it was hacked out of business by an adversarial nation state, and they didn't know for 30 years, they didn't know that they were in there. And so, you know, you gotta have visibility into the thing you're trying to protect. And I know you're a pen tester, right? And I used to be a pen tester years and years ago. And what people learn, and like a great example from one of my customers who had their Zero Trust environment pen tested, the pen tester couldn't get into the protect surface, because we're not trying to protect everything, we're trying to protect the certain things that are important, the protect surfaces, right? Call them the high ground. I'm using military theory now to talk about cyber trauma. Or Star Wars. Yeah, man. And so what do I need to protect? And then if I have the right controls around that, it's really hard to get into that. You'll get a kick out of this, Phillip. I had one CISO who had the pen testing company come in, they couldn't get in from the outside, so they said, Well, we need a domain credential, which is, of course, if you get a domain credential, you can go anywhere, right?
SPEAKER_04: Yeah.
SPEAKER_01: He said, sure, I'll give you the domain credential, which I never asked for in my career as a pen tester. I thought if I had to ask for a domain credential, I'd already lost the game, right? So it seemed kind of silly, it seemed like cheating. But the guy gave him a domain credential, and the pen tester couldn't go anywhere. Not little enough to call him a pen tester, right? Well, now the cool kids call it red teaming, but I'm not a cool kid, and I'm still back in the old days where it was a pen test. But he couldn't go anywhere, he couldn't get access to anything, and he was like, What's going on? He said, I never assigned a policy to your credential, right? Very simple. You got a credential, but no policy. You can't go anywhere. And the attacker said to him, What are you trying to do? Make me look bad? And he said, Yes, yes, I am. I'm trying to make you look bad. And that's what we need to do, make the attackers look bad. But we have these very open policies, right? And then we blame it on somebody else instead of our own lack of diligence in creating policy. There was a big bank that had an S3 bucket that was dumped out, right? And it was, oh, it was a misconfiguration in a cloud, in a hyperscaler, is what they said. So I went and I read all the legal filings and the legal documents in that case. And in there, you find out that there's an executive vice president who said, Oh, having credentials and authorization is slowing down the developers. So anybody who has a domain credential in our entire company should have access to this S3 bucket. It wasn't a misconfiguration, it was a deliberate choice to allow bad security in order to increase speed.
SPEAKER_02: Yeah, that's such a throwback to some of my earlier IT career. Whenever someone would try to install something and the permissions didn't work, they just gave everyone admin access to it. Absolutely. Yeah.
SPEAKER_03: Just knock it out, just give everybody some. Oh, just put the "any" on the firewall. We just need to get this done.
SPEAKER_02: Sometimes what's old is what's new again.
SPEAKER_01: Yeah, that's what Snowden in his autobiography said: I was the most powerful person at the NSA, and he didn't ever work for the NSA, he was working for a contractor, but he said, because I had admin credentials. He had no reason to have access to any of the data that he stole to get his job done. And that's the question you have to ask. Do you need access to this to get your job done? It's a really simple question. But people, I think... well, I was in Switzerland with the government of Switzerland, and they were trying to explain to me what they thought the fundamental problem was, and they're talking and they come up with this long Swiss German word. Now we both are friends with our Swiss German friend, Sam, Sam van Ryder. I've known Sam forever. I knew him long before you, because his uncle is my realtor.
SPEAKER_03: Oh, yeah, you did that. Yeah, which is a weird thing.
SPEAKER_01: That's how I met him, through my realtor. But they came up with this long Swiss German word, and I was like, it's like Farfett Newman or something. I don't know, one of those things. Just a really long word. And I said, Well, what does that mean? And then they have to try to translate it into English, and finally it's, it means lazy. People are lazy. That's why they do this. They're lazy. They don't want to make the effort. They don't have the will to win this cyber war that we're in, right? And if you're gonna win a war, right, you have to have the will to win the war. And I don't think we have the will to win the cyber war that we're in.
SPEAKER_03: Yeah, yeah, I don't know that I can disagree with you. I'd maybe throw something of a more positive spin on it, though. I don't know if it's actually positive, but I do think people are lazy, but they're selectively lazy. A lot of people want that admin credential thrown on there. They want that done because they need business to move forward. And we have been something of a department of no for a really long time. But to me, something like zero trust, or what I thought was gonna be the panacea for all of this when, like in 2002, I was learning 802.1x and putting policies on the on purple. That kind of stuff. I was like, oh, this is gonna fix all that access issue, but nope, to your point, nobody would get it implemented, because as soon as you hit a wall where you couldn't get something done, somebody would go, nope, can't get that done. We're not gonna take the time. So I don't disagree with you on lazy; I think it's selectively lazy. They just want business to move forward.
SPEAKER_01: And the reality is, I mean, it's because there's bad incentives, right? Because people who do the real work are managing their own downside risk instead of the upside potential of their organization. Because if they try to do something good and it doesn't go well, then it's like, why'd you do that? You know, people say, I can't fix stupid. If I hear that one more time, I'm gonna screw up. No, these people aren't stupid, they're trying to do the right thing, but you've got bad incentives, so you just want to blame them when something goes bad. And no one says, hey, when things are going great, no one gives you a pat on the back when things are going great. And no one says, Oh, thanks for trying to make things better. So everybody's managing their downside risk instead of the upside potential of the organization. And so, like Charlie Munger used to say when he was alive, show me the incentives and I'll show you the outcome. And we have a lot of bad incentives in cybersecurity.
SPEAKER_03: Don't disagree. John, I think we gotta cut it at this point because we got somebody else wanting to use this room here in just a second, I think. But man, thank you so much. Always a pleasure. Great to see you. Yeah, thanks. Great to meet you.
SPEAKER_01: Nice to meet you in person, finally, Phillip. We only live 20 minutes apart. I don't know how this has never happened.
SPEAKER_03: I usually see Phil more at Black Hat or RSA. Well, true.
SPEAKER_01: I've got a friend that I worked with at Forrester and I worked with before then, and he lives 20 minutes away from me. Rick Holland. Yeah, Rick Holland. I see him in London, I see him at RSA, I see him somewhere, but I never see him here.
SPEAKER_03: That's the same truth. Yeah, I was trying to get a hold of him and do lunch or something with him while I was here, but we just couldn't get it lined up. Yeah, yeah.
SPEAKER_01: Well, thanks for having me on. Thanks for inviting me to the inaugural CYBR.HAK.CON. Yeah. I'm still in the Houston.
SPEAKER_03: Technically, this year is the inaugural cyber setcon as well. It's just, it used to be.
SPEAKER_01: Yeah, yeah. So I have a lot of those t-shirts at home. Good.
SPEAKER_03: My wife made me a t-shirt quilt out of a bunch of them. Oh, just she's gonna be. Oh, that's cool.
SPEAKER_01: Well, that's cool. That is cool.
SPEAKER_03: Yeah.
SPEAKER_01: Thanks for having me. Yeah, man.
SPEAKER_02: Glad to have you. Phil, maybe sure.
SPEAKER_03: You want to close us out?
SPEAKER_02: Yeah, thanks everyone for joining. We'll see you in the next episode. Make sure to subscribe and share with your friends. And until next time, take care.
SPEAKER_00: This has been a CYBR.SEC.Media production. CYBR.HAK.CAST is hosted by Michael Farnum and Phillip Wylie, with production and editing by Lauren Andrus. Our music is by Kike Gutz. The views and opinions expressed on this show are those of the speakers and do not necessarily reflect the views or positions of any entities they represent. This show is for informational purposes only and does not render or offer personalized advice. Subscribe now so you never miss an episode. You can find all of our podcasts, articles, blogs, and conference talks on cybersecmedia.com. That's cyber without the e. And follow CYBR.SEC.Media on LinkedIn, Instagram, and Facebook at Cybersec Media. You can keep up with CYBR.HAK.CON. by following us on LinkedIn, X, Instagram, and Facebook at CybersetForCon. And you can learn more about CYBR.HAK.CON. or buy tickets at cyberhatcon.com.