Challenge Accepted is a podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organizations face on their security journey.
Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.
In this episode, our two hosts talk to Dr. Chase Cunningham, Chief Strategy Officer for Ericom Software, retired Navy Chief Cryptologist, and host of the DrZeroTrust podcast. In their conversation the trio discuss the role that Zero Trust plays in modern security operations, share thoughts on how organizations can improve their overall security posture and pontificate on interesting future cybersecurity technologies.
You can subscribe to Challenge Accepted via Apple, Spotify, Google, RSS, and most other major podcast platforms.
Transcript
Ian McShane 0:15
All right. Good morning. Good afternoon. Welcome to the latest episode of the Challenge Accepted podcast. My name is Ian McShane. I am the Vice President of Strategy for a company called Arctic Wolf. And I’m delighted as always to be joined by Adam Marrè. Adam, what’s your job?
Adam Marrè 0:31
Hi, I am the CISO of Arctic Wolf. And it’s great to be here as always.
Ian McShane 0:35
It was great to have you here. So here’s something funny I found this last week, a bit of a call back to an earlier episode if you’d like I was driving to Heathrow to Heathrow Airport. And my usual thing on that 90-odd minute drive is to catch up on the last couple of Darknet Diary podcasts. Let them step up stack up, so I’ve got something to listen to. You familiar with that one?
Adam Marrè 0:54
Oh, yeah, absolutely. It’s a great one.
Ian McShane 0:56
Yeah. So anyway, like firstly, I almost crashed my car. Right when I heard Arctic Wolf for the sponsor, and Jack was the host, Jack was reading out the marketing spiel and I was like, ‘Wow, holy crap. We’re like a real company.’ And kind of similar to when I had a sponsoring the the NPR podcast. But anyway, that’s neither here nor there.
What was actually funny was that in one of the recent episodes, and I wish I could remember which one, Jack was just as surprised as I was that the FBI are available to help our organizations now, like, if you cast your mind back to one of our first episodes, I was mind blown genuinely mind blown to hear that you can just call your local field office and ask them to give you some help. And so hearing similar vibes from Jack on the Darknet Diaries podcast made me feel a lot less stupid than I like I can tell you.
Adam Marrè 1:42
Ya know, it’s funny. It baffles me that people don’t know, but I guess they really just don’t that, you know, when you have an incident, the FBI would love to come help you, at least advise on it. And then if it meets their investigative guidelines, they will come in and help investigate, and they are not into blame or catch the victim situation, they are definitely in the business of trying to get the bad guys. And so yeah, they will jump in and help.
It’s one of the reasons I did so much outreach back when I was an agent, I guess, not only to get people to know my name, so they’d be more likely to call me but also so that they know that they could, if they run into something, and it can be as simple as they find some contraband images, you know, inappropriate images on an employee’s computer, it can be even as small as that. ‘Happy to help you.’ Yeah, you can just call the phone line, you can get in touch with the cyber squad. And yeah, they’re happy to help. I love that people don’t know that.
Ian McShane 2:38
I know. It’s just surprising. I mean, it’s not the first time I’ve had someone else be surprised that you can do that. So that was great. But anyway, on with today’s podcast, it’s kind of a fanboy moment for me today and got one of my favorite industry commentators because he swears slightly less than I do. It’s a chap called Chase Cunningham. He is a retired Navy chief cryptologist.
He has decades of experience in cybersecurity in forensics and analytic operations. He is known as Dr. Zero Trust, which is pretty awesome job description, and he’s currently the Chief Strategy Officer at Ericom Software Chase Cunningham. Welcome to the Challenge Accepted podcast. Thanks for coming.
Becoming Dr. Zero Trust
Chase Cunningham 3:15
Challenge Accepted. That’s a good name. I like it.
Ian McShane 3:18
Yeah, there you go. So we’d like to get started off by really digging into like the background. We’re interested in how people get into cybersecurity. So what was your path like just mentioned, you’re in the Navy, but what was your path to cybersecurity?
Chase Cunningham 3:30
My path of cybersecurity was a congregation of absolute idiocy and good luck combined with people seeing that I had a talent.
Basically, the long story was I didn’t join the Navy as a cyber person. I joined as a diesel mechanic. And I spent a lot of time fixing gear that was fixable before they started installing electronics on it. Once they put electronics on it, it wasn’t ever right. And I got so sick and tired of trying to fix this thing. I literally snuck into the the chief engineer state room stole the laptop that I saw the Lockheed guys using, went down and changed the settings on the on the box, and then the machine was correct and was working.
Just so happened while I was doing that this cryptologic warfare officer for the ship was walking around and he was like, you know, I was busted. I thought, ‘Oh, crap, I’m going to prison.’ I actually called my mom and said, ‘Mom, I’m probably going to Leavenworth’ and she was like, ‘Okay, well, not surprising.’
But anyway, two days later, after they let me sweat bullets the cryptologic officer came in. He’s like, ‘Do you really like being an engineer?’ And I said, ‘No, sir. This sucks. I’m tired of changing oil.’ And he said, ‘Okay, well come with me.’ And then they put me through a battery of kind of assessments. And next thing you know, I’m working my way into Intel cyber crypto, codebreaking all that stuff.
Ian McShane 4:49
That’s awesome. That’s such a hilarious story. Like, what kind of education did you have in? I guess in cybersecurity for that no experience whatsoever.
Chase Cunningham 4:57
The only thing that I did was when I was was in high school and I grew up in this little redneck podunk town in Texas I helped our our IT person who was a 65 year old typing teacher set up the computer lab like that was it, and I can type really fast that was that was literally my skill set. However, I was good at figuring things out. So I figured stuff out. I always thought I could learn if I read enough and I read a lot.
Ian McShane 5:25
Yeah, that seems to be a common thread with with most people we talk to is they’re good at figuring stuff out and figuring that stuff out.
Chase Cunningham 5:30
Yeah, yeah, that’s what I don’t necessarily like crazy certified super alphabet soup, you know, type things. I like just people that will figure it out and make it work.
Ian McShane 5:41
Yeah, I agree with that. But what was your first like cyber job outside of the military then?
Chase Cunningham 5:45
My first cyber job outside of the military was writing the computer network exploitation curriculum for the Fort Meade, military folks. So I was a contractor, I wrote the curriculum that every Soldier Sailor airman, Marine goes to NSA goes through part of my curriculum.
Ian McShane 6:00
Wow, that’s, that’s impressive. So what took you from that to working for someone like Forrester and you know, selling out to the devil winds, you know, trying to advise advise companies.
Chase Cunningham 6:12
Again, more of just a lucky series of meetings. I knew John Kindervag who was at Forrester, and he kind of called me and he’s like, ‘I might wink wink be leaving Forrester wink wink’ and said, ‘You know, I think you should come here.’ And he basically kind of shoved me into that job.
He wouldn’t leave me alone until I went and interviewed and then I wound up going there and took over for him on the zero trust thing. So you know, again, good people, lucky series of things, not because I’m awesome, because I’m not, I just get lucky.
Ian McShane 6:45
Yeah, I know that feeling. Definitely. So that’s a pretty good segue. Like one of the one of the things that frustrates me, and I’ve probably mentioned this ad nauseam on this podcast and other podcasts is, one of the things that frustrates me about this industry is just alphabet soup, or the ‘oh, look, there’s a buzzword’ suddenly, every single vendor has to jump on that bandwagon.
It feels like zero trust goes through peaks and troughs of that. Like I think it was really popular 10 years ago, after John had started to write that paper and Forrester really started to adopt it. Then he went quiet, because silence started talking about machine learning, which was cool. And then it kind of gained popularity again, over the last couple of years. And every single network or security provider appears to do literally do on again, air quotes, they do ZT Come Come by my zero trust. So can you give us give us your heartache as Dr. Zero Trust give us your hot take on the state of zero trust in our industry?
The State of Zero Trust
Chase Cunningham 7:39
Well, I mean, the state is that the end users are starting to really understand that there’s a strategy and that there’s value to it. And if they look at it from the perspective that I think ZT makes sense of ‘let’s remove the things the bad guy needs to be successful and do that continually.’ Then I think that that adoption is taking place, because I’ve been having calls with folks in Africa, Japan, Australia, like it’s it’s global in nature, the market, you know, vendors do what vendors do and they see something that they can make some money on, they gravitate to it and they start selling ZT.
But to be perfectly fair, I don’t beat them up too much for selling ZT, because one, I think the strategy has got enough merit that we should be speaking about it. But number two, you can build ZT with any technology, it doesn’t matter whose it is and how awesome it is. You could build it with totally open source if you had the time. And we’re willing to suffer through the misery of making all that crap work. But it is it is doable. I mean, it’s it’s strategy 1,000%. And technology just comes along when you pick the tech to enable the strategy.
Ian McShane 8:39
Yeah. So I come with 1000s of stupid questions. And here’s one for you is zero trust simply rebadging network access control from 15 years ago?
Chase Cunningham 8:48
No, that’s a component of it. That’s, you know, while Mac is Mac is like the VPN is we’ve kind of aged past that ZT, and some of these things are a better way of doing it. But you know, if you want to build your ZT strategy around network access control, then you know, that’s your poison, by all means, feel free to drink from the well. Just make it work for you. I mean, it’s a bid strategy, like anything else.
I do a lot of workshops with people and try and wrap them around just like what strategy actually is. And sometimes they don’t, it’s funny, because if you talk to people about business strategy and sales strategy, man, they get it.
The moment you say, ‘let’s talk about security strategy,’ they started going like, ‘Well, why is this difference?’ Like it’s not? It’s just a different methodology?
Adam Marrè 9:36
Yeah, I think that’s an interesting question.
I’m wondering, how do you have that conversation where you try to get someone to see you know, the strategy is a strategy it’s not and then how do they know when they’re good, not done, but in a better state? And how do they decide like what state they want to get to like, how do you work through people with those conversations?
Chase Cunningham 9:56
So you know, first, I really want to ask who’s engaged, who’s going to be the ZTE sort of champion because you can achieve any strategy without someone leading, you know what I mean?
And I don’t mean like someone going, ‘Oh, I’ve read this book about ZTE.’ I mean, who is the person or people that are going to actually drag you kicking and screaming towards success.
And then the other thing that I like to wrap their head around is, I have a series of slides that I put together because everyone loves PowerPoint. But really, I looked at the Harvard Business School sales and business strategy. And I put that in front of people. And I go, ‘Look, all you bored people understand this, because that’s why you’re sitting here, watch, I’m going to switch the words.’ And now it’s a security strategy and their minds go. It’s that simple. Like, here you go a strategy. We’re just doing different things. And guess what, you don’t stop. Because you have to keep going to sell more to grow more business, whatever. It’s the same thing in security.
Adam Marrè 10:54
Is your experience that they do get that?
Chase Cunningham 10:57
All of a sudden they started going, ‘Oh, okay, like, now I get it.’ And then I mean, usually the person that’s really thankful is the CISO. That’s in the background going like, ‘yeah, you know, hallelujah.’
Adam Marrè 11:12
Yeah, that’s, that’s great. And so but I am curious, so you get into get him on strategy, right? They get it? It’s a strategy, then how do you bring that down to actual change? So they obviously need to now change what they’re doing and fund this? Yeah. And how do you bring it back to the reality,
Chase Cunningham 11:30
The first thing that I like to look for is what what don’t we need? What’s redundant? What are we double and triple dipping on so that we can get rid of things that are eating into the budget, because you’re not going to be able to go back to somebody go, ‘Hey, I need a fifth identity and access management solution,’ right?
They’re gonna be like, ‘Well, don’t we already have three of these?’ So you know, pick which one best meets your needs, and you’re aligned on and then start whittling off all the other stuff. And it’s that constant, reminding people that this is not supposed to be a cost center. This is supposed to be a business enablement capability, and then push that forward.
Adam Marrè 12:08
Yeah, that’s interesting. I guess this goes along with your comment about, you know, you don’t want to beat up the vendors too much on pushing zero trust, because at least now it’s in the conversation. And there’s probably a piece of the pie that they have.
So, again, how do you approach that conversation? Where you’re just saying, like, ‘we need to settle on one of these, maybe we rip out some of this other stuff.’
But how do you start the conversation of what is what is the first step? What do we look at? I mean, I’m sure it’s a depends answer, depending on the situation. But generally, how do you get people to kind of focus on what’s the next thing they can do? So all these people are like ‘hey I’m down with the strategy, I get it.’ Now what?
Chase Cunningham 12:55
Well, in a perfect world, with the organizations that really are in on this, I like to have them run either at least a tabletop or a real on red team op and see where they’re actually most vulnerable at and what the reality of compromise looks like for them. And then let’s go prioritize around how that occurred, because that’s what an adversary is going to do. Why try and learn kung fu when the other guy’s using you know, MMA with a nine millimeter? Like, it just doesn’t make sense to try and plot around that.
That’s the great thing, if not at least a tabletop of look, you know, here’s the scenario, what would you do? And where would you react and start building that way? Because if you don’t put it into a realistic scenario in some way, then it’s a lot of pontification. You need to I don’t want Kentucky windage, you know lick your fingers and stick them in the air? I want to know this goes there so that we solve this problem.
Adam Marrè 13:50
Yeah, it sounds like a risk based kind of a risk based approach. And you’re using the tabletop to actualize the risk and the leaders mind, so they understand it, then they can apply it.
But is there still a hurdle to climb? Are they? I guess, I don’t know the context of these conversations. But is there still a hurdle to climb where they’re going, ‘ Well, let’s just strengthen the perimeter. And we’re good.’
Chase Cunningham 14:13
[Laughs] I mean, luckily, we have so much evidence in the industry that I can point to that it’s just like, ‘Are you better than these guys? And those guys and these guys, and those guys,’ I mean, you know, if you’re running with the herd, and the first eight animals in front of you are getting murdered, don’t do the same thing.
Ian McShane 14:35
[Laughs] Yeah, that’s hilarious. I mean, just want to roll it back a little bit. Because you hear about these frameworks all the time, right? As NIST, there’s, you know, God knows what other else ones you can think of right now. And they all apply in some way. Or you can you can artificially lay them across almost any organization. So here’s where you can improve things. So does that mean that zero trust is in that bucket as well and that there’s something in zero trust for every organization? Or are there ever likely to be, these ones where I’m sure you hear all the time but people were like, ‘yeah, it definitely won’t work for me because of x, y, & z.
Chase Cunningham 15:05
I think there’s some value to be derived from the strategic side of ZT for anybody that’s operating in the digital space, because it’s really pragmatic. And it’s built on the realities of that.
I think, though, to your point, if they get wrapped around trying to do ZT, and kind of solved for pencil whipping, you know, like, this thing says that, so we got to have this compliance, it’s not pointless, but it’s not the point. And that’s not going to help you actually achieve the outcome you’re looking for. So, you know, the no offense to the auditors in the room, but that’s not actually driving change. It’s making you use your pencil to check off the spreadsheet.
Security Operations
Ian McShane 15:43
Yeah. And I guess that’s the hard part. Right. So this doesn’t kind of parallels I think, with, with what we do with security operations, right? It’s not something you buy, it’s something you do generally. And there’s a bunch of things and a bunch of ways you can do it. With security operations, for sure. Like, obviously, we can we can help customers, there are other people that can help customers as well. Is there something like that zero trust? Or is it really more a case of this is has to be driven in house, maybe with the help of some consulting rather than some operationalization people?
Chase Cunningham 16:13
It depends on, in my experience, like how much effort you can put into that. Personally, I think the large majority of organizations, especially small and midsize businesses should outsource their security operations to somebody because do what you do.
If you’re not 100% in on security, don’t dip your toe in the water and think you’re gonna get it right. Because what’s gonna happen is gonna get bit off. So doing that is not the right approach. I was doing a consulting engagement with a candy company that was getting ready to stand up a SOC, and I was like, ‘dude, y’all make candy.’ Like just make candy and have someone else do your security. I don’t know how to make a chocolate bar. But I know how to do firewall rules. So why would I switch the two up?
What Organizations Should Think of Before Zero Trust
Ian McShane 16:59
Yeah, yeah. I feel like we’ve beaten zero trust a little bit around. So let’s step outside of zero trust right now you talk to a lot of organizations is there? Is there one thing or 10 things that every organization should really think about before they get to zero trust?
Chase Cunningham 17:16
I think the real thing to think about is how we see organizations trying to go for like this idea of like, perfect defense, like, you’ll never be compromised. And if I do this, then I won’t have a breach. You’re gonna get compromised, you’re gonna get breached, people click phishing links, I hate to be the one that continue to wake folks up, folks use crappy passwords, right, so deal with those realities, and then put the controls in place to mitigate the risk from those overt things, and work your way towards the really hard stuff further on.
If I’m gonna get in the car and go 80 miles an hour down the highway, the simplest thing I can do is put my seatbelt on, I don’t need to figure out how to dodge cars with an AI powered whatever. I should just buckle my seatbelt and figure the rest out later.
Adam Marrè 18:02
Yeah, that’s one of the things that I think about, and I hear is, ‘hey, these fancy strategies’, not that ZT is super fancy, but you know, these fancy strategies that are out there, that’s not what I’m seeing. For example, the Verizon data breach report, I’m seeing credentials, I’m seeing-
Chase Cunningham 18:22
Same stuff from 30 years ago!
Adam Marrè 18:24
Yeah, I’m seeing lack of patching, you know, that’s the stuff that I’m seeing. Should I not focus on ZT? Should I focus on those bread and butter basics first, and then get there?
Chase Cunningham 18:37
Well, those those basics are part of ZT. You know, like, if you’re trusting that those are taking care of, you’re doing something wrong. And if you’re trusting that people don’t have bad passwords, you’re doing something wrong. So I mean, there’s a zero trust spin on those as well.
I tell people all the time, that phishing, training or whatever else, like I don’t trust my users not to interact with malicious content. It’s not that I don’t trust my people, I just don’t trust users not to do that. I can phishing train them from here to eternity, I can glue their hands to the table, they’ll click a link with their tongue. So just deal with that.
I mean, remove that risk, like it is crappy passwords, you’re going to use a password manager. ‘I don’t want to?’ then you don’t work here. Like that’s the other thing that kind of bothers me is when I talk to these business people. They say, ‘Well, we can’t tell our security folks that they have to do this or they have to operate in this manner.’
My question is if someone worked for you in sales or business and they said, ‘I’m not going to use the software for this business,’ you would say what? ‘Oh, you’re fired.’ Okay, there. Yes. Like do that. [Laughs]
Adam Marrè 19:45
Yeah, like I’m not I’m not gonna use Salesforce. I’m just gonna use this-
Chase Cunningham 19:48
I’m gonna do this on my own spreadsheets in my office with pen and paper. No, you’re not. If you want to you can, you just won’t be doing it here.
Adam Marrè 19:57
So the idea it’s not an either or situation you just, you use zero trust as a strategy. And if you’re at the point where well, we’re kind of all at the point where we’re trying to mitigate phishing, and we’re trying to deal with with credentials, you’re saying roll that in and make it part of the strategy. And yeah, you can do maybe the more advanced stuff as well. It’s all part of the same strategy.
Chase Cunningham 20:18
Yeah. I mean, if you like, I love the divert, right? Because if you look at divert, you can look at trends and data for the last, let’s just say, five years. If you see the top three methods of exploitation or phishing and credentials, what should you focus on first? It ain’t DLP. You know what I mean? S
It gets kind of comical to me, because this is the only space that the bad guy literally tells you what they’re going to do. And people go, ‘I don’t know how to solve this problem.’ It’s, it’s there.
Adam Marrè 20:49
Yeah, it’s also an industry where we use a technology that was invented in the ’60s and pretend like we can keep it really secure and email. Oh, yeah. We give it to everybody and say, ‘anyone can contact you at any time.’ Go ahead and try to try to protect that.
Chase Cunningham 21:03
Yeah, I call I call it like Big Pharma for cyber, I’m gonna give you a lot of treatment for the symptoms, but the disease, don’t worry about it.
Ian McShane 21:17
Love it. That’s certainly a good hot take. But in security in general, you got any other hot takes for us today, Chase?
Cybersecurity Hot Takes
Chase Cunningham 21:24
I mean, I think the one thing that really stands out to me is the growth of the market around browser isolation, because that does fit in really well with taking care of the user, like you see 100 million dollar funding round showing up now for you know, Island and Talent and Surf and all these others.
If you step back and look at how someone would interact with malicious stuff, how are you going to do it nowadays? It’s going to be the browser. So why would I not use that as a control? And it’s not, you know, agreed the crappy VDI of the past has gone away. This is a real actual browser text. So I think it’s worth looking at.
Ian McShane 21:57
Yeah, interesting. Cool. Well, listen, thanks. Thanks for your time today. Chase. This has been super. Anything you want to plug? Where can the internet find you?
Chase Cunningham 22:06
I’m easy to find on LinkedIn, published a bunch of books. So please buy those because I got kids that need you know, stuff. And I’m on I have a podcast called Dr. Zero Trust. It’s on all the podcast channels. And you know, I do live streams on Wednesdays.
Ian McShane 22:20
Awesome. Adam, anything from you today?
Adam Marrè 22:22
Hey, I just want to thank Chase for being here. This was great. It’s awesome talk to you.
Chase Cunningham 22:26
Yeah. Thanks for having me.
Ian McShane 22:27
Thanks, everyone. Thanks for listening. Until next time, see you then.
Transcribed by https://otter.ai
