Implementing Best Practices for Zero Trust

Howdy, how's everybody doing? Yeah, you're surviving from last night, whatever your last night was. Wow, this is a good one. I mean, 9 o'clock in the morning. I thought, oh no, they've given me the 9 o'clock slot after the big party night, holy moley, if I have somebody show up I'll be thankful. So I'm extremely thankful. My name is John Kindervag, I am the Field CTO for Palo Alto Networks and I'm the person who created Zero Trust, so I'm going to be talking to you about implementing best practices for Zero Trust, a platform approach, and I'm going to be doing it with my good buddy Hans Q. He is a famous rapper from the middle of the Netherlands, also an IT guy over at Damen Shipyards; in fact he's the CIO, so he's got a big job over there, and he's going to be talking about how he did what we created in Zero Trust years ago. So, you guys ready to learn a little bit more and talk some more? Hopefully we'll have some time for questions.

So we're going to be talking about Zero Trust, and why do you do Zero Trust? Well, the main reason you try to do Zero Trust is because it gives you a security strategy that you can take up to the highest levels of your executive teams: not just our CISOs, but your CEOs and your boards of directors and your VPs of finance. I myself have given versions of this speech to CEOs and boards of directors around the world. And so if we look at the grand strategy of cybersecurity, we can see that it must be to stop data breaches. Data breaches are the thing that gets executives in trouble. So what is the one thing you can do in IT that can get the CEO fired? You can allow a data breach, and that's what happened to TalkTalk in England. I don't know if you've heard of TalkTalk; anybody here from England? I know we've got one up there. And so the first time I went to England, right after this, I said, oh, whatever you do, don't have a Dido moment. And they're like, Dido? She dropped another album? And I go, no, no, not that Dido, the other Dido. And I'm like, there's two Didos in the world? Who knew, right? There was Dido the singer, who was the one I know about, and then Dido Harding, the poster child of saying the exact wrong things when there's a data breach. If you ever go on YouTube and watch all of her videos, it was essentially like, it's your fault that you got breached, ha, don't you know, don't come back to us. And so she eventually lost her job because of a data breach. So ultimately Zero Trust is a cybersecurity strategy designed to keep your boss's boss's boss employed. If we get down to it, that's what we're trying to do, because we're trying to stop data breaches.

Now if we go on to what it actually means, right, it confuses a lot of people, because you've all heard that you're trying to make a system trusted and all that kind of stuff, and that's not true. Anybody who tells you the goal of Zero Trust is to make a system trusted absolutely is a poser; they do not understand what Zero Trust is. In Zero Trust we're trying to eliminate trust from digital systems. Because what is trust? Trust is a human emotion that we have injected into digital systems for absolutely no reason at all. No one knows how it got there. Just yesterday they announced that there's these new hacks on TPM modules in CPUs, right, so the trusted performance module, oh, it wasn't so trusted after all. And so it's what's known as a plastic word that we throw around for no reason at all. So it turns out trust, this human emotion that we've injected into digital systems for no reason at all, is the foundational problem in all of cybersecurity, because trust is a vulnerability. You must understand this: trust is a vulnerability. It is something that people are going to do bad things for. So what do you do with vulnerabilities? You mitigate them, right? Absolutely, you've got to get rid of those darn vulnerabilities, and this is the worst one. And the reason it's the worst one is because it's the only vulnerability in the world that is also its own exploit at the same time. What do you have to do to exploit trust? Do you have to create a new tool? Do you have to have a new script inside of Metasploit? Do you have to create some zero-day malware? Absolutely not. All you have to do is get on the network, and as a former penetration tester, we always got on your network. So it turns out the only entity on your network today who gets value from trust are the malicious actors who are going to exploit it. That should be scary to you.

So if we look at the old trust model, there was an untrusted side, the internet. That's the evil internet, because all bad things come from the internet, we all know that, right? And then the trusted side went to the internal network, and that's where all your wonderful people work, right? I mean, they came to work on rainbow unicorns, giving out candy to little boys and girls, they're so wonderful. But oh no, what happens? Sometimes a bad thing can come from the evil internet and get on the trusted side of the network, and so we all freak out: some malware, some ransomware, whatever it is. Well, what is that stuff? It's a collection of packets. What are packets? Packets are zeros and ones as represented by electrons and photons. So in order for me, Hans, to exploit trust in your network, I just have to get a photon over onto your internal piece of fiber-optic cable. Simple, right? So we need to get rid of it, because not only can I do that from the outside; on the inside we have things like these malicious actors. There's a couple of names that should resonate everywhere in the world: Snowden and Manning. You've heard about these. These people were trusted users on trusted devices; they had the right patch level, the right antivirus, passed all the NAC checks, but guess what? No one looked at their packets. The packets being generated by those devices when they were on the network, no one cared, because you're trusted, so go wherever you want. I was talking to a person in Washington DC a few weeks ago who was instrumental in bringing down Manning after the attack, and the first thing he told me, he said, the first thing I thought when I heard about this is: how does a Private First Class at a Forward Operating Base in Iraq have access to classified State Department cables? How does that even happen? That's just insane. And the answer is the trust model, because once you're on that network, it was called SIPRNet, once you're on SIPRNet you get access to everything on SIPRNet. And that's true in your environment too: once you authenticate into a network, then you get access to everything on the network. This is why the people who tell you that MFA equals Zero Trust are lying to you. If that were true, neither Snowden nor Manning could have happened, because they had better MFA than you can ever afford. So we have to get rid of trust: no more trusted systems, no more trusted packets, no more trusted interfaces, no more trusted users, no more trusted devices.

Now people will say to me, John, you are saying that people are untrustworthy, and I'm not saying that at all. I'm saying something much, much more profound. I am saying people are not packets. No person has ever been on a network. It is the anthropomorphization of the network that's killing us, the idea that John is on the network, that Hans Q is on the network. I don't know about you, Hans, but I have never been on a network. I have never shrunk down into a subatomic particle where I've been transferred via RF signal to a wireless access point and turned from 802.11 protocol to 802.3 protocol so I could surf the internet. That has never happened to me. It rarely even happens in the movies; that happened in Tron and Lawnmower Man, but even in The Matrix they've got to plug in, right? So this isn't about people. Zero Trust does not care about people; it cares about packets. What are packets doing? What resources are they accessing? Should they be accessing them? How do we have policies that prevent them from accessing the wrong things and enable them to access the right things?

So there's four basic Zero Trust design concepts. Zero Trust is super easy; everybody else is saying it's really complicated. It's not. Downstairs you can get a pack of Zero Trust playing cards, and then you can go on the internet and watch me show you how to design a network with a deck of playing cards. It's that simple. People who say it's complicated, they don't know anything about it; they're lying to you. So these four design concepts are this. Focus on the business outcomes: what is the business trying to achieve? Do you normally ask that? Probably not. In fact, business leaders tell me that when they think about IT and IT security, they think, those guys are the Department of No; they just tell me no all the time, right? So we had to say we're the Department of Yes: you want to do something? Yes, let me help you do it securely in a Zero Trust fashion. And then we design the network from the inside out instead of the outside in. You know, I'm a recovering network engineer from the old days. I have a lot of certifications from that company Voldemort, right, the name that shall not be named, and we learned to design networks from the outside in. You started at the CPE equipment, you moved in to the router, you really cared about that, then the core switch and the distribution layer switches, the access layer switches, and then you said to the business, plug your stuff wherever you want to. And now GDPR said, hey, where's all your stuff? And we go, we don't know, no idea at all, right? Because we designed it in the wrong way. So in Zero Trust we start at the data or assets we're protecting, and then we determine who or what needs to have access: need to know, least privilege, right? So neither Snowden nor Manning needed to have access to most of the data they stole in order to get their job done. This is the MFA part, right, and the identity part, but you can't just do it on identity alone. You have to inspect and log all the traffic all the way up to layer seven. You can't stop at layer three. Okay, some people say, I'm doing Zero Trust at layer three. No, you're not. Every single attacker knows how to bypass a layer three security control. And then they'll say to me, oh no, we have a layer four firewall. No, you don't. There is no such thing as a layer four firewall. Layer four is metadata about layer three. Hey, I forgot what port 53 is, let me look in the firewall rules, oh, we had DNS, right. Port 21, what is that? That's FTP, is that what it is, right? Port 22 is SSH. You know why port 22 is SSH? Because the guy from Finland wrote a letter and said, hey, I've got a protocol that's kind of halfway between FTP and Telnet, can you give me port 22? They said, sure. It's all arbitrary. There's only one port in the whole thing that makes sense, and that's the port number for Doom. Only one video game has an assigned port number, it's Doom, and it's 666. At least that one makes sense, right? So we inspect and log all that traffic from layer three through layer seven, and we do that in policy in the PAN operating system. That's why I decided to join Palo Alto Networks.

So the best way I can show you is to give you a visual example of how the US Secret Service protects the President of the United States. This is President Obama's 2009 inauguration parade, and you can see here that the Secret Service knows three things about the President of the United States that we don't know about the data or the assets we're supposed to protect. They know who the president is. They don't say, hey, we need to form a committee to do a presidential discovery project. They don't say, hey, can you get us a tool so we can scan for the president? We don't know where he is, we don't know who he is. And then they know where the president is at all times. They never go, hey, have you seen the president? No? Are we supposed to be protecting him? Right, we've got guns and everything, we need to protect the president. And then they know who should have access to the president at any single time. They're very specific on that. I've been around a presidential detail. And so you can see here, January 2009, they had a perimeter, but look at the guys up in the upper right-hand corner. They've got their hands in their pockets. Why? Because it's cold outside. Given the proximity to the Beast, where the president is, you'd think they'd be down in their ninja poses, right, ready to Bruce Lee these guys, but no, they're just sitting up there. They're security theater. They're knocking down the low-hanging fruit, they're intimidating. That's not where the real security is coming from. The real security is coming down here at the protect surface. That's a fundamental concept in how you deploy Zero Trust: you understand what you need to protect. I can take the overall attack surface, shrink it down orders of magnitude into something that's knowable; that's called a protect surface. On this day the protect surface is the president, his wife and his two children. If they survive the day, it's a win for the Secret Service. No one else matters. And that should be true in your environment: the stuff you need to protect, if it gets protected that day, yeah, that's a win. And so then they do something really amazing: they move their controls right up next to the protect surface. You know, if they did it the way we do cybersecurity, the guys on the left there, they'd be on the border of Mexico and the guys on the right would be on the border of Canada, because we put all of our controls as far away as we possibly can from the things we're trying to protect, don't we? Our endpoint security is a long way away from the protect surface of the data or resource that laptop is accessing. Our perimeter security is a long way away from the protect surface. In fact, it's so far away we create a separate attack surface for the attacker; it's called our internal network. Our internal network becomes a secondary attack surface for the attacker. So once they've done that, then they can create a micro-perimeter in layer seven policy. Notice those plainclothes Secret Service agents: they don't have gloves, they don't have their coats buttoned. Why? I mean, come on, maybe it's warmer down there than it is up where the other guys are. You think so? Do you think on that day it was warmer and they didn't need as much bundling up? No, it's because they've got layer 7 controls underneath their coats. So they've defined a policy on that micro-perimeter, so those two people in the front row of the vehicle can leave the micro-perimeter whenever they want to or whenever they're told to, but nobody can traverse inside the micro-perimeter, because you're going to get layer 7 policy enforcement from those plainclothes Secret Service agents if you do. And then they continue to monitor this and update it in real time. That's what the guys with the earpieces, talking into their wrists, are doing, so that they can deploy new policy updates in real time. This is a Zero Trust model of executive protection, and it is the best visual demonstration of what Zero Trust is and how it should be done.

So I build Zero Trust networks using Palo Alto Networks and our partner technologies, and I do it with a five-step model. We first define the protect surface: what do we need to protect? Those are known as DAAS elements: data, applications, assets and services. You take a single DAAS element, you put it in a single protect surface, and then you map the transaction flows: how does the system work together? This tells you how to architect the Zero Trust environment. You then create policy, and then you monitor and maintain it. These five steps you do over and over again for each individual protect surface. Now I want to turn it over to Hans Q from Damen, and he's going to talk about how he used this five-step model to deploy Zero Trust inside of Damen Shipyards.

Good morning everyone, and thanks, John. Before I start with our presentation I'd like to give you a little bit of insight into what Damen is. We're a shipbuilding company, we're active in roughly 40 different countries, we do approximately 200 vessels a year, and we have been partnering with our friends from ON2IT, who have actually been helping us for the last 11 years, to guide us and to groom us to a certain extent also on the principle of Zero Trust. So I was asked to tell you a little bit about that. But when you start with Zero Trust, one thing is of course very important: what are your crown jewels as an organization? In our case, you can imagine that if you build stuff like this, which is something we recently launched, which is for the very rich and famous: if you want to do a polar expedition, come to me, I'll set you up with something like this. You can be autonomous for a month, with your own dive chamber, submarines, everything you want, we put it in there. We also do this, and this is where we started: we started with a simple type of boat somewhere in 1969 and we were building those, but we ventured into the naval defence sector. We're also doing luxury yachts, and if you buy one of those you have to get the next one as well, because they're pretty much a package deal. This is what we call the Fast Yacht Support; this is where you keep the toys. So you can imagine that all the information we have is stored both in our ERP and our PDM solution. That's where we keep everything, that's where we pretty much align all our companies. So looking at what our crown jewels are, that's pretty much everything, which is what we keep in IFS. IFS is what we use within our company. There'll be a line over here, he's got a credit card machine, so yeah, we're taking orders right after. Yeah, you might want to check with your accountant whether or not it's maxed out, but we can even work on down payments. True.

So looking at what IFS was, we knew at least what we had to map, where we had to look, and we were also at that time in a lucky situation. The lucky situation was that prior to actually starting with this, our company used to be nothing more than a combination of companies. We just shared the same name; there was always something like Damen in the name, but that was prior to having our own production facilities, our own design facilities. It was strictly sales; we would outsource everything. But eventually we realized that we needed our own production facilities, and we also decided we needed our own engineering. So the value chain of our organization, what's connected there? So we started mapping, but also we started reorganizing the organization. So we ended up actually setting up a completely new environment for our ERP solution in order to facilitate all our companies across the globe, and from the get-go we decided to do that based upon Zero Trust, since they had been brainwashing me already for a few years. I think we started way back with another solution, not from Palo Alto, with IBM at that time, and eventually we moved there. So we started mapping, and we started also to realize that we had to do it strategically differently, so everything was going to change there. And luckily the board was actually, as in many organizations like mine, the board was very strict: we don't have a clue what you're doing, but if you say you're doing it right, we're going to trust you, just get it done. It's often quite easily said, but it's not also the reality, but we managed to get it correct. And then we started to actually think about how we're going to build the organization, and you can imagine that here we also partnered with external advisors, because we very early on realized that for our own organization, actually defining a new network, or a completely new structure, you need outside eyes. First of all it's a fresh insight at that time, and you also realize that many of your own staff, many of them really don't want to change, and that's the biggest thing there is: a network engineer, or whether or not you can actually remove the word network, any kind of engineer, and you can imagine that being a shipbuilding company we tend to have a lot of those. They will grow a rash, everything will happen if you want to change anything, whether or not it's the smallest comma or whatsoever. Luckily we don't have the tabs versus spaces discussion internally. But you can imagine that as a very traditional organization, shipbuilding is a process which has been going on for hundreds of years; it's always stated that innovation in the sector was more like disaster-driven: something goes wrong, oh crap, the ship just sank, we have to do something else. So a very traditional organization, not very digital, so that's definitely a challenge. That was the biggest challenge we had. We started to design, and it doesn't really matter what it says here, but the idea is of course that what you do with Zero Trust is that you try to minimize your attack surface; you try to minimize as much as possible. So this is pretty much it; I'm actually going through this at a quick pace, because the idea here was that we basically redesigned everything. We opened up two new data centers and from that moment on we put our crown jewels there. We put all the other stuff in the periphery; everything was still segmented of course, everything was disconnected, and only when you had the proper rights could you access the information. That was the design. And then of course the next step would be that we actually start building, or that we start architecting it, and once you've architected it you get to step four, which is creating policy.

So if you've seen the movie The Imitation Game, about breaking the Enigma codes, in that movie the character of Alan Turing says something really profound. He said, what if only a machine can defeat another machine? And that's true. We are living in an age where our adversary is highly automated. They are more automated than we are. They have some advantages that we don't have; one of them is they don't have change control. Think about that: hey, I just tried to hack Damen Shipyards, that didn't work, so when's my next hacking window? Oh, Sunday at 3:00 a.m.? Sure. It doesn't work like that, right? So now we have to become as automated and as agile as our attackers, and so we are building a machine to defeat a machine. You heard about it a lot yesterday, but for you the policy is set up on the front end with Panorama. So if you've used Panorama, you know it's an easy policy management tool. All of our policy management tools are designed to be easy. Our former CEO, now vice-chairman, Mark McLaughlin said you have to create a management tool easy enough for me to create policy; that was the metric. And so we can create this policy. It's known as a Kipling Method policy. Kipling Method policies are very simple to understand; I can teach anybody how to use it. It comes from the writer Rudyard Kipling, who gave us who, what, where, why and how in a poem in 1902. So we have User-ID to create a layer seven replacement for source IP; that defines a who statement: who is accessing a resource? Then we have App-ID to replace port and protocol; that defines a layer seven version of a what statement: by what application is that resource being accessed? And so we have well over 3100 predefined application IDs, and we can create a custom application ID for you for any of your applications that we don't have in our database. And then we finally have Content-ID, which defines a how statement: by what criteria should that be allowed? Should we make sure that threat protection or IPS happens? Should we make sure that all the attachments go through WildFire? So we have these very simple rules. You can see a couple of examples, whether it's going to the cloud or on-premise. Everybody can understand that. I can teach executives. I talked to the CFO of a major financial company about how to create his own Kipling Method policy. I said, what do you want to protect? I want to protect the finance app. So let's put that in the what column. I said, who do you want to have access to that? He said, I want me, the CFO, the VP of Finance, and I want everybody who's in the finance department. Oh, that's simple, because we know the OUs of those. And then we added multi-factor authentication to it, and then I said, well, you probably want to turn on some threat protection and you want to make sure every attachment is going through WildFire. He said, that sounds good. And so out of that, what was literally dozens of rules for that application got down to three rules. Three rules, very simple. He understood how to do it. We gave it to the engineer; the engineer immediately put that into App-ID. The application became the protect surface; remember, it's one of the DAAS elements. So that was the DAAS element, and immediately it was turned into a Zero Trust policy. And so then we could use multi-factor authentication to consume that identity information inside User-ID. Again, to reiterate, multi-factor authentication is not equal to Zero Trust. That is a lie coming from somebody who doesn't understand Zero Trust. We consume it as an attribute within User-ID. User-ID is a much more powerful identity tool than multi-factor authentication, because it is much more granular; it includes lots of variables inside there. User-ID and App-ID and Content-ID are still the three most transformative core technologies ever in the history of cybersecurity. And then we can automate this using Policy Optimizer, where we look at the traffic, we look at the configurations that you have, and we automatically turn those layer 3 rules into App-ID based rules. It's really cool. This is part of building the machine to defeat the machine. Now Hans, you didn't have this. No, I wish we had; it would have made our life a hell of a lot easier. It would have, but we've been listening to our customers, and so with the 9.0 release, this came out in 9.0 in Panorama, and you do not have to upgrade your old Panoramas or old PAN-OS devices to 9.0 to take advantage of this; you just need a 9.0 Panorama. So this is a great first step. You can automatically take those applications, which are DAAS elements, and start putting them in Zero Trust environments. Now you did this and started to create policy and got your step four right.

Yeah, absolutely. When we created this, we pretty much realized that, despite the fact that I mentioned earlier on that we would put our crown jewels in a good safe new spot, a brand spanking new data center, actually two data centers, we also realized that we had a bunch of, probably the most dreaded word in the IT sector, legacy. And legacy would be an absolute derelict of an application, almost running on MS-DOS, for one very strange reason: could be that it's actually the machine it operates that refuses to work with anything else. You have utter shite in your... and you can imagine the Dutch word. No, actually, I think I kind of forked it too. Okay, yeah. But the reality is that you have stuff in your network where sometimes you have what we actually used to call internally the "oh crap" or the beep protocol in place. For that, you lock up everything and you realize something is going to break; you just don't know where and you just don't know when. And that is something which we were prepared for, which we were willing to take the risk of, and if you don't do that, that's going to bite you eventually. But you know, in a large-scale organization, if you look at our environment, if you look at where we are, we are in rural China, we are in Vietnam, we are in Europe, we're pretty much everywhere, but also in low-wage countries. It's a constant gift, it's a constant gift, yeah, especially being the CIO. So yes, absolutely, best job ever. But you can imagine that you especially have to be harsh; you have to, at that moment, just say, well guys, it's going to be like this: we're going to break stuff and we're going to fix it. We're going to make certain that if it breaks, we're going to react as quickly as we humanly can in order to mitigate it. But that's the only way to get to a safe situation, unless you're a greenfield; if you're a completely new organization then you can do it from the get-go. I'm both the CIO and actually have a double role: I'm responsible for Enterprise Architecture, I'm responsible for the whole team of architects in the organization, and the reason for both is that we very clearly made the decision to integrate both architecture and security, because in many organizations you will quite often see that security is like a bolt-on thing. We actually have the Department of No; I've heard that before, they said it yesterday I think in the keynote as well, and quite often that's true. And if you actually try to train all your architects, the guys who come up with the new stuff, and have them do it safe by design, make it secure by design, and also, given the fact that we are a Dutch company, we also have to take legislation into account, GDPR, you have to also do it privacy by design. So you really almost have to say, guys, we are going to shut stuff down, we are going to kill it, and we're going to slowly open it up, and you might encounter that, but that's the only way if you really want to make your organization safer, if you want to protect the proverbial crown jewels. So once we've done that, this is nothing more than basically some of the rules we had. I really wish, at least on behalf of my team, that we actually had the Policy Optimizer at that time. We were doing this, I think this was 2014, so we've been doing Zero Trust since very early on, from the beginning. We're actually, in the near future, going to have to redo it again, because I mentioned IFS and I mentioned our PDM solution, and the fun thing is next year we're going to a different solution, so we get to start all over again, to a certain extent. Do you need a hug? No, I probably need a beer. How so? And guessing more than one.

And then we came to actually the last of the five steps in order to implement Zero Trust, and it was monitor and maintain, or, as I like to call it, check it out offense, because that's one of the best things in my book: having partnered with a security partner who has been with us for a very long time, who has actually taught us how to improve, how to get more mature, and also how I could utilize my very scarce resources, because we are a shipbuilding company, which means we're not assessee, we're not an IT company. I can't pay the same, or I can't even get the same stuff, because who likes to work with a shipping company? If you're in IT, you really want to work at Google, you want to work with Palo Alto, you definitely don't want to work with a boring company who builds boats. Okay, utterly sexy boats if I might say so myself, but still, we just build boats. So we have limited people, so we need our partners for that. So without them, mission impossible. Absolutely, mission impossible. So that's where ON2IT stepped in at that time, and they still step in, and I think it's very good to see what we have become, what they know. So for that, that's very good.

Yeah, and just so you know, ON2IT has a booth downstairs, so go take a look at that. I've been working with them for I think a decade or so, I don't know, a long time, but they've deployed more Zero Trust than anybody else in the world. So if you really want to get a real expert in this region to help you deploy it and manage it and maintain it, they have an app for the Cortex hub downstairs, so go down to the booth, take a look at ON2IT's booth.

So let's talk about how you do this, right? I mean, where do you start? That's your question to me. And so I developed a thing called the Zero Trust learning curve. It's based upon two different axes. There's the sensitivity or criticality of the protect surface, don't ask me whether this is the x-axis or the y-axis, I always get those things confused, but it's just the one that goes up and down. That one is the y. Yes, that's the y. We asked Hans because he's better at the maths than I am. And then we have the time on the Zero Trust journey. Those are the two things that are critical that we're looking at. So early on we're going to define this bell curve based upon a protect surface. Remember, we're doing this on a per-protect-surface basis; one protect surface contains one DAAS element. If you understand that, you start to understand the simplicity and the real genius behind how you can deploy it. So the first ones that you do are learning protect surfaces. You learn how to do it, folks, in low-sensitivity stuff. The reason you're doing it in learning protect surfaces is because if you screw up, you get to start over again and nobody cares. Too many people started at the crown jewels and they made a mistake and said, we're never doing Zero Trust again. That's what I would hear all the time, and I used to believe and advocate: start with the crown jewels. And then I found out you don't know where your crown jewels are, you don't know how they work, so there's no way we're going to get to protect them. So we don't start there. We start with things we call learning protect surfaces. The stuff inside there doesn't matter; the only reason to do it there is so that you can do it in a low-risk environment. And then the second thing we do is the practice protect surfaces. You get to Zero Trust the same way you get to Carnegie Hall: practice, practice, practice. Once you practice enough, that will give your people confidence that they can do this, and then they can do the crown jewels. And once you've got the crown jewels, the high-value assets, whatever term you want to call it in your organization, you can start focusing on the secondary protect surfaces, the things that you know over time are less and less sensitive, and the tertiary ones: yeah, okay, we'll do them because we can. I'm teaching you how to build Lego blocks, right? So you're just taking and doing a new Lego block. A couple of weeks ago I went to be Erinn board, Denmark, which is the front row here, that's be on board, right, but I had to land in Billund, Denmark, which is the home of Legoland, and I've always used Legos as an example. So we think of a protect surface as a Lego block and you're just going to build the Death Star, whatever you want to build with your Lego blocks. And then you get to where there's things that should never be in a Zero Trust environment, because they're not important enough.

So, takeaways from Hans. Yeah, thank you. My main takeaways are actually, well, I've listed them here, but the idea still is: trust nothing, make certain that you do it like that, and of course the last one, design from the, basically reverse what you've been doing in the past. You're actually designing based upon where your most vital information is, then you go out from it, and then you expand even further. And for many people it sounds very logical once you start doing it, but up front usually that's not where you start. I've been in IT since 1989. I started as a programmer at that time; we were like 12. I love you. No, 13. But still, it's very important, and as John rightfully said in the beginning, trust is not a binary thing. Trust is not IT; it's something which we've been taught, but it's something which works right here but doesn't work anywhere else, and actually in here. And we also have to realize quite often that we are also flawed there, so we have to be really cautious in that part. And of course everything is in a safe spot, and that's where the idea is. And if you look at the bell curve, where you actually said the last part, we actually made an error there, to be honest, in our case, and it was kind of that we were a little bit over-enthusiastic, so
we were starting to inspect also the CCTV feeds in our entire environment and that might sound like a good idea on paper but if you're on a tight budget and you're running with the four smaller sites for the the smaller p8 to hundreds at that time you might get a performance issue so you have to really wonder whether or not you want to inspect all the CCTV feeds at that time so eventually I made a budgetary decision okay we're not going to do that because it's not that valuable so what did it bring us as within Domon and we're very proud that this actually happened the crowd went nuts but the reality is I wish it's still just a boring IT camp or boring IT within a shipbuilding company but it did bring us a whole lot of things it brought us a architecture which is fully suitable for the future where we are protected are we the best in class Oba not by far I'm pretty certain that this room to be proved it should be because everything is evolving all the environments around us all our companies will cooperate with everything is evolving but at least we are I get to actually reallocate my stuff I had a whole bunch of admins who were trying to manage the firewalls in the past ourselves they can do stuff which they probably like even more because it wasn't their core competency and they really weren't that they actually were quite happy eventually somehow that means I don't have to manage it oh that's a good idea so you can imagine that how happy they were so so that was there was definitely one of the plus points for us and of course the very first one the threats of course I'm going to knock on wood afterwards but we haven't had a severe incident due to this and I really hope that it also stays like that of course you can imagine so my fights closing tips first one is definitely start small as Jonas also said you have to start in more like you have to you have to pretty much you have to fiddle with it a bit you have to fail fast failure accept it it's a good thing 
because then you learn because you only learn if you make a mistake if you're doing it and it goes right you're actually thinking and if terms of a happy flow and we all know that's gonna bite you that's definitely going to bite you so but then once you've got accustomed to it and you know what you're doing back to the crown jewels that's where the money is that's where your risk is and yes there might be certain parts of your organisation which doesn't apply as a crown jewel well be realistic then focus on those focus on the ground giggles again that's the most important one and of course I'm not gonna plug them again I think we've done that quite a few times but get help from anybody who is who's done this before who knows what they're doing who can also challenge you because strange eyes can definitely help in confrontation and usually yes the confrontation actually helps to improve and get your ducks in a row in my case sorry the Ducks was pretty much our IT stuff the rest was pretty much in a row as well but your IT staff tends to be your biggest challenge to a certain extent almost a tectonic change from what you were doing in the past so and of course lost did I mention to get help art once more yet helping this one so I said zero trust as a cybersecurity strategy and here's how I'm gonna prove it this is a man named jason chaffetz he was the chairman of the government and oversight committee of the United States House of Representatives they wrote a data breach report after a big breach called Office of Personnel Management it was huge in the u.s. 
it actually affected you and we could talk about that offline at some point but he actually wrote a byline article called adopting a zero trust cyber modeling government now he doesn't know anything about IT but he understood the strategic power of zero trust he said this zero trust would have profoundly limited the attackers ability to move within OPM's network and have access to such sensitive data if you have a zero trust policy that limits the people's the user's ability or the packets ability to to do bad things Brigham Young University did a pen test on their zero trust environment and the pen tester couldn't get in and he said I need domain credentials and the CSO said okay I'll give you domain credentials he had domain credentials but because of the kiplyn method policy the domain credential didn't go anywhere and the pen tester said to the C so what are you trying to do make me look bad and this is you said yes yes I am right because it's all about policy right you have to allow bad things to happen in your organization in order for bad things to happen every bad thing happens inside of an allow rule do you realize that so if we can tighten down this policy and say resource hunts can talk to resource Jon over this particular application using these users that's restrictive but usable it's transparent to the people who are supposed to use those two resources but it can't be manipulated by malicious actors because they don't have the policy that allow to do bad things remember all bad things happen inside the real our rule and we've been given five extra minutes by the way back there they didn't tell you that but they asked us to start five minutes late and go five minutes over so we have seven minutes seven minutes for Q&A so where's my mic runners we're going to get some Q&A going we're going to get you some energy here at nine something in the morning who's got questions cuz this is the right time to ask them and I know you have them so great raise your 
hand we got one in the front here I think I think the mic is Oh Mike Mike what sorry so thanks for about John and Hans question two hunts yeah I saw a step two is all about mapping get a mapping of the information and so on which is in my opinion one of the most challenging aspects because people would have system diagrams which are dated and so on yep so how did you tackle that specific challenge with a lot of pain and effort no that's going to be the other day honest answer we in the mapping phase we actually also had a very lengthy discussion with even our ERP vendor at that time because we we came to the realization that even they were actually having outdated information so this was definitely a pain it's not gonna be easy okay I can sugarcoat it all you want but that is definitely a painful and a cilenti process and it's worthwhile doing it and you have to do it but it's not gonna be a Friday afternoon so there's no I didn't find a shortcut anybody knows it please let me know so I can use what I did when I was a forester was that I had my customer put pan OS devices in V wire mode so I could see everything that was going across yeah we did that as well yeah and I said oh and then you can take him out later that was my view at the time and they never took them out and that's how I kind of learned how to do this with 1000s but you get layer 7 visibility is what's going to give you that transaction flow and then couple that with cortex we can start to really do some of that stuff and then a lot of it is you have to go to the business owners and the application owners and do some interviews and the reality is you don't need to be a hundred percent right you just need to have a generalized view of how this works and then that will show you where to put the controls yeah I'm guessing nowadays even with cortex is much easier when we were doing this that wasn't even available we are actually really license cortex like a few weeks ago we were using fraps before so I'm 
expecting that if we go to the next phase yeah we get at least more or at least easier inside and actually doing this so when we migrate show you next question thank you who's got a question there's a hand so I could is that a question or are you bidding on oh don't do that if this is a boat so anybody else won't do up in keeping Leon in shape he's an IT guy do you think about P am privileged access management solution Dakota a twin rights to give them over a trusted application so to be careful there yeah I can do that in policy in user ID so there you you know do you want I mean just like near talked about you can have all these separate applications to do something that should be done in a system and so think about that as you write policy when you write a Kipling method policy asks do I need privileged access management or I mean a lot of that stuff happens because we had telnet write or something like that that and we had telnet talking to a router that had a single admin password so now we had to figure out who is actually making the change on the router so then we created Pam to do that but now we can say the John the user ID John in this group has access to hopefully SSH not telnet to do router updates and login to this this particular thing and so we can do it much differently in it today so I would say a lot of these technologies are very last century technologies and probably not the way we wanted to them but if you want to do it that way go for it right we can integrate with that other questions no no okay well oh oh right over here come on Yuri you can do it Yuri Yuri how long do you keep the logs you are doing from the traffic and what are you doing with it how long do you keep the traffic logs I'm actually looking for our and whether or not they can address it for us I have a micro no today yeah you're a mic runner but I think you can help with it how does well here you know the xxxx I know what we do roughly did how long are they keeping their logs 
I mean typically what are you yeah yeah I think meaning at least a minimum a year if I'm so is everything related to threats is its minimum a year yeah traffic is probably short or like three months or so yeah I think it is something like that it's usually depend upon whatever compliance industry thing you have to me you have to have three months available you know immediately you have to keep it for a year blah blah blah that's how long you should keep it I mean if if it's more than a year and you need to do go back and do a forensics of investigation on a data breach guess what that data is long gone true the the investigation is sort of meaningless at that point so you can do it but it's sort of meaningless one more minute one more question anybody going once going twice sold the Hots there we go everybody thank you very much enjoy the rest of your show thank you you
Info
Channel: Palo Alto Networks Ignite
Views: 2,987
Rating: 4.8297873 out of 5
Id: -ld2lfz6ytU
Length: 50min 45sec (3045 seconds)
Published: Thu Jan 09 2020