
Zero Days and Zero Trust Part 2: Microsegmentation, Critical Infrastructure Protection, and a World of Many

BSides Augusta · 2017 · 58:37 · 115 views · Published 2017-09
Category: Technical
Style: Talk
About this talk
BSides Augusta 2017 - Track #3
Jack Koons (@JackKoons)
Zero Days and Zero Trust Part 2: Microsegmentation, Critical Infrastructure Protection, and a World of Many

The role of microsegmentation, particularly when combined with advanced encryption and software-defined networking, represents a powerful security solution in the world of critical infrastructure protection, to include operational technology (OT), industrial control systems (ICS), and supervisory control and data acquisition (SCADA) systems, as well as the emerging world of IoT/IoE. This talk builds on last year's Security BSides Augusta presentation and will lay out the threat landscape and discuss microsegmentation tactics, techniques, and procedures to enhance security, mitigate threats, and ensure network resiliency.
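The abstract above describes policy controls pushed down to the workload level, with the policy following the workload's identity rather than its address. The following is an added illustrative example, not code from the talk or from any product the speaker discusses: a minimal identity-based microsegmentation policy evaluator in Python. Workloads carry labels (role, zone), rules are written against those labels, the default verdict is deny, and a rule can require encrypted transport. The inventory, labels, IP addresses, ports and sample flows are all constructed for the example.

```python
"""
Added illustrative example (not from the talk): a minimal identity-based
microsegmentation policy evaluator.

Workloads carry identity labels (role, zone); policy is written against those
labels rather than IP addresses, so a workload keeps its policy when its
address changes. Default is deny: any flow not matched by an explicit allow
rule is blocked, which is what turns east-west traffic from "trusted because
it is inside" into "trusted only if permitted". All names, labels, addresses
and sample flows below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: Dict[str, str]  # e.g. {"role": "hmi", "zone": "plant-a"}


@dataclass(frozen=True)
class Rule:
    # Label selectors for source and destination. A selector matches a
    # workload when every key/value pair in it is present in the labels.
    src: Dict[str, str]
    dst: Dict[str, str]
    proto: str  # "tcp" or "udp"
    port: int
    require_encryption: bool = False


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default: str = "deny"  # default-deny: there is no allow fallback


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


def workload_for_ip(inventory: List[Workload], ip: str) -> Optional[Workload]:
    """Resolve a packet's IP to an identity. An unknown IP has no identity,
    so it can never match an allow rule (unknown device -> denied)."""
    ip = str(ip_address(ip))
    for w in inventory:
        if w.ip == ip:
            return w
    return None


def evaluate(policy: Policy, inventory: List[Workload], src_ip: str, dst_ip: str,
             proto: str, port: int, encrypted: bool) -> Tuple[str, str]:
    """Return (verdict, reason) for a single flow."""
    src = workload_for_ip(inventory, src_ip)
    dst = workload_for_ip(inventory, dst_ip)
    if src is None or dst is None:
        return "deny", "unknown workload identity"
    for r in policy.rules:
        if (r.proto == proto and r.port == port
                and selector_matches(r.src, src.labels)
                and selector_matches(r.dst, dst.labels)):
            if r.require_encryption and not encrypted:
                return "deny", "rule requires encrypted transport"
            return "allow", f"{src.name} -> {dst.name} matched rule"
    return policy.default, "no matching rule (default deny)"


# Constructed inventory: one plant zone, a DMZ historian, a corporate workstation.
INVENTORY = [
    Workload("hmi-01", "10.10.1.10", {"role": "hmi", "zone": "plant-a"}),
    Workload("plc-01", "10.10.1.20", {"role": "plc", "zone": "plant-a"}),
    Workload("historian", "10.20.0.5", {"role": "historian", "zone": "dmz"}),
    Workload("ws-finance", "10.30.0.77", {"role": "workstation", "zone": "corp"}),
]

# Constructed policy: HMI and historian may speak Modbus/TCP to the PLC;
# corporate hosts may only reach the historian, and only over TLS.
POLICY = Policy(rules=[
    Rule(src={"role": "hmi", "zone": "plant-a"}, dst={"role": "plc", "zone": "plant-a"},
         proto="tcp", port=502),
    Rule(src={"role": "historian"}, dst={"role": "plc"}, proto="tcp", port=502),
    Rule(src={"zone": "corp"}, dst={"role": "historian"}, proto="tcp", port=443,
         require_encryption=True),
])


def run_sample() -> Dict[str, str]:
    """Evaluate constructed flows; returns flow name -> verdict."""
    flows = {
        "hmi_to_plc_modbus": ("10.10.1.10", "10.10.1.20", "tcp", 502, False),
        "corp_ws_to_plc_modbus": ("10.30.0.77", "10.10.1.20", "tcp", 502, False),
        "corp_ws_to_historian_tls": ("10.30.0.77", "10.20.0.5", "tcp", 443, True),
        "corp_ws_to_historian_plain": ("10.30.0.77", "10.20.0.5", "tcp", 443, False),
        "unknown_device_to_plc": ("10.10.1.99", "10.10.1.20", "tcp", 502, False),
        "hmi_to_plc_ssh": ("10.10.1.10", "10.10.1.20", "tcp", 22, True),
    }
    return {name: evaluate(POLICY, INVENTORY, *f)[0] for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{verdict:5}  {name}")
```

The point of resolving an IP to a labelled identity before matching is that re-addressing a workload (a DHCP change, a move between hosts) does not change its permissions, while a device that was never inventoried can never be allowed; the same default-deny also blocks the finance workstation's Modbus attempt against the PLC, which is the lateral movement the talk is about.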
Transcript [en]

So, the back said, so if you missed part one, are you going to be lost? And so my response to him was, that is my get-out-of-jail-free card for everybody. I have a couple of things up here, but I'll pass these around to kind of do a little bit of admin stuff; you just take something. A couple of nice gifts that we can give out, so there'll be some questions that we're gonna ask and we'll see where we get. This year we got a Bash Bunny, Practical Packet Analysis, right, because it's Saturday and what else would you do on Saturday besides study packet analysis, and the Blue Team Handbook. So we'll be passing some of those things

out. So by way of introduction, for those that don't know me, who here was... and by the way, notice what I just did. What did I just do? I'm getting ready to do this: I'm leading off with a question, right? So I'm going to talk about... so Jason Blanchard gave an excellent brief; in fact, if you missed it, catch it on the video, because what he did was he really talked about the storytelling process, how they make movies, literally how they parse the time out in the movie, how you keep your attention, you keep the story going, and, as Joseph Campbell would say, take you on that hero's journey from beginning to end, right? With the book, I'm

in the back of the room listening to this brief at 11 o'clock. I'd spent a lot of time on my flight putting it together, and then also he said, now that's how they make movies, this is how you're supposed to do a presentation, at which point, while he's talking, I'm back there writing notes down, and then I ran like a weasel for about an hour and redid my slides. So I tried to mirror what Jason did. But his takeaway was: begin with a question and then end with a conclusion. So if I don't say "in conclusion," you're probably gonna win. So this is why you're here. Like I said, if you weren't here for part one, I gave a

speech similar in theme last year. By way of introduction, I'm a retired military guy, spent 25 years in the Army. I'm what they used to call an X; we were trying to figure out, like Bobby in this old cyber house, how to bring a bunch of plumbers, electricians and folks together to kind of gain access into something, whether remote or close access. So, if you can imagine, for me to be on the outside now talking about cybersecurity: the very thing that I was trying to pop on the inside, I am now trying to prevent on the outside, right? So I became very interested in a concept, and here comes the question,

the concept of microsegmentation. So by show of hands here, and notice, Jason, check the block, I'm asking the question: who here is familiar with microsegmentation? Okay. Now I'm going to parse it out a little bit; let's park there for a minute. When I'm talking about microsegmentation, collision domains: I'm not talking about trying to keep data packets from smashing into each other on, you know, the wire. That's not the microsegmentation I'm talking about. I'm literally talking about microsegmentation where I am here, you are there, and we start creating some space between us so that I can do things here, or things can happen to me here, without impacting you there. So is

everybody kind of tracking with what I'm talking about, from the standpoint of microsegmentation? Good. You now have a park line, so check the block, everyone now is certified; I'm truly a SANS force on you, SANS spreads on this. Part one in a nutshell: what we're going to tell you, though, is we're going to tie that in. Again, about a year ago, when I gave this speech in this very room with some of the very same people in this room, microsegmentation was a relatively new concept to me, and industry-wide it was a relatively new concept to industry, right, for various reasons which we'll get into here. But the takeaway of this presentation is we're going to tie microsegmentation into

the theme of this conference, which is, you know, critical infrastructure protection, which, if you haven't seen the movie Sneakers, that's why the movie Sneakers is kind of the patron saint of this conference, okay? And we're going to talk about the threat landscape, we're going to talk about some tools, techniques, procedures, what microsegmentation is and how you can then implement it, and then, as a shout-out to Jason Blanchard, I'm going to show you how you can apply that practical knowledge to a real-world example. Okay, any questions before we move on? Now, why BSides? Who here is familiar with the concept, between the trifecta, the holy trifecta of our community? Well, I saw it quick. [Music]

[Applause]

So a nice way to think about this is this: imagine a swimming pool. DEF CON: ain't nobody even in the pool, people are throwing things at each other, people are shooting water guns at each other, they're probably having a blast, beverage containers all over the pool, you know, no holds barred, you know, the granddaddy, you know, the patient index zero, if you will. And then we transition into Black Hat. Black Hat, you're trying to formalize a lot of that, and now a lot of the wildness goes away, but it's really more formalized: here are some techniques or some tactics, some procedures, or some way to break the things that are currently out there today. Yeah, there's a little bit of

cutting-edge stuff. However, BSides: does anyone know the BSides reference, right? So back in the day with Black Hat, people like me, people like you, would say, I want to talk at Black Hat, and they didn't have the room and all those things, they couldn't have time for it at Black Hat, so use the B-side. All right, and so there's some folks out there, you can follow them on Twitter, but they came up with this concept called BSides, and BSides is really where you get a chance to talk about those things that may not be applicable right now, in this very moment. Like, for example, you get to talk about some things that may be a

little bit further down the pipe. That's really what we're gonna do here today: we're gonna explore this notion of microsegmentation, although I will tell you it's already being implemented today. But anyway, so that's why we're here. Back up for a second: there's two things on there that you need to take away from that slide right there, and where they tie in to each other. There's something on the left hand that ties in to something on the right. Can anybody do that? We're getting close, it's getting warm, boom, boom. All right, Corey, you get it.

All right, so Lord of the Rings: J.R.R. Tolkien comes up with the concept called the palantír, the all-seeing eye, the orb, right? If I look into my palantír and you look into your palantír in your region, I can see what's going on in your region; that's hard to see. You have some eye, an omniscient presence on my network. But in a nutshell, what does it mean? It ties into the left-hand side here: everything in security, from my perspective, begins with the word "see." I need to be able to see everything on my network. If I can see it, I can control it. If I can control it, that means I can touch it.

If I can touch it, that means I can protect it. That's what we've always tried to do; it's nothing new, nothing sexy. What is different is the notion of microsegmentation: once I see it, touch it and control it, I now want to start separating. Now, in the world of microsegmentation, which we're going to get into in a minute, it becomes a little bit squirrely, because up until this point we didn't have things readily available to do that, like software-defined networks; we didn't have things like, you know, the ability to have an enterprise-scale, near-real-time, near-machine-speed ability to control that network, right? But that's changed: we have that capability now, right? So that's

what we're gonna kind of talk about, but again, nothing new here. Let's kind of move on, and again, what's old is new, what's new is old. Everybody asks me, that is so simple, right? What does he say? If you know yourself, you won't have to fear; if you know your enemy, you know you win the battle. That's the truth, geez. That's the problem we have today: everybody spends a lot of time reading all the threat stuff out there, but they have a hard time with their own. We're gonna talk about why that's a problem here. By the way, I'm talking very fast; Jason told me at 11:30, during sleep, my friend. So this is

the movie Sneakers. This is Bishop; he's blind and he's able to pick up some of my technique, right? He's listening on the water and on certain tones on the telephone system, he's picking up, he's hearing it, he can tell where we are together, right? So that's why that's important. This ties it to hearing; where I'm walking you now on the hero's journey, we're setting the framing of the problem. This is the movie, and there he is. What's significant about that picture, that slide? So if you haven't seen the movie, that is the blind man driving the truck that has all their infrastructure-popping equipment in it, right? And you don't see some of the

other stuff, but if you haven't seen the movie, I suggest you watch it, right? So we're just warming you up. This is what they were doing; this is why you guys are in here, it's all about critical infrastructure protection. At the end of the day, that's what they were trying to do. So really, when I said, from a penetration perspective, trying to get into a network, a lot of times I do it remotely, from sanctuary: I'm doing it from here, where I'm safe and secure, I'm remotely going into your network. Sometimes you just have to send the Verizon cable guy to your house and they have to go in and physically do something, right? So that's why this becomes important, and

that's why critical infrastructure becomes a very interesting topic to me. Now I'm gonna throw you a hardball. Can anybody tell me what's wrong with that screenshot? Oh, that hand went away too fast; that means you know the answer, right? Anybody? Anybody besides one? Good, perfect, I knew you knew it too. You tell me: the guy who owns that keyboard, that's... that's played by Kevin Smith. Yep, that's one. But what distresses me is when you look on this you see some ICS exploitation things on there. Now, take your time, I'm not gonna dive into it, but go watch the movie, because a lot of what Live Free or Die Hard,

the movie, dealt with was critical infrastructure protection, right? Which leads us into here. Let's start with some terms; we've got to use some of these things fast and loose. Microsegmentation: we've already talked about what it is. In my view, in my lens, the way I use microsegmentation in my community, it comprises software-defined networking, encryption, fine-grained, you know, policy controls pushed down to the workload level. I'm literally talking about security pushed down to the IP packet, right? And then critical infrastructure: if you don't know what those things are, you can look up PDD-63, superseded by Homeland Security Presidential Directive 7; basically it just spells out what is

Give me some of this. The DHS community made an umbrella; there's a veritable ecosphere. Looks like... what's significant about that?

No, we did not. Boy, I got you. You know what, you are lucky, you are getting the answer: they're all connected, right? So when you do protection, a lot of people, because of human nature, want to sit there and bin things, because it's easy for humans to get around; they bin it: this is my controller, this is my rice bowl, this is my thing, it's all in a silo. That is the absolute worst way to look at infrastructure, because everything is connected. Like, transportation relies on pretty much all of those things in order for us to operate, right? For guys like me, those are our pathways to defeat: if I can figure out a way, a loose string,

maybe there's a way that I can pull. So what we want to do is we want to frustrate that. By the way, that's Rob Joyce over there; there's more on him later. But if you don't know about InfraGard, InfraGard local, we have chapters here now standing up in Augusta, Georgia. But these are the InfraGard chapter members and what they comprise; it is a community. Once you're involved in this community, you are part of this conversation: SMEs and folks that just want to help protect the critical infrastructure. This is how it breaks out, right? But this is a nice snapshot; it gives you an overall view of what the critical infrastructure portfolio looks like. And by the way,

these slides I will share with you after this; just get with me and I'll give you the PowerPoint slides, the covers. So here we are, this is it: three ways to do this. ISA 99, there's no one in this, right? If I talk about ICS, if I talk about SCADA, if I talk about OT, operational technology, control systems, supervisory control and data acquisition, all of that stuff that makes things like factories, refineries, pipelines, all that stuff, work, it's all covered by a group of folks, a consortium if you will, ISA 99; it's their policy. They tell you there's three ways to protect that stuff, right? And by ICS and critical

infrastructure, there are three ways to do it. The traditional way, air gap: I'm telling you it is not. I will tell you that through spectrum I can get in and touch you in your network; it's just a matter of time, right? Because through spectrum, whatever you want to call it, there are different ways to get onto the actual keyboard, a keyboard-for-keyboard attack, through different stuff. You guys know it; if you don't know it, Google the word, or the Washington Post, or Stuxnet. Whoops. VLANs: so we got a little bit sexier, we decided to go with VLANs, right? So let's go ahead and throw hardware and software, cloud, whatever, logically and not physically separate things; we're gonna do that

with VLANs, virtual networks, right? The problem with that is a lot of the VLANs tend to be specific to the platform, to the OS, right? And so if you could imagine, if you started scaling that out globally, enterprise-wide, it becomes physically hard to do; you just don't know. And let's take away one thing from this slide: we do not exist in and of ourselves just to do security. We do it to support something; in most cases that something is either the Department of Defense or a business model, right? Without the business model or the Department of Defense, the point is we would not be doing security. So it has to be something that we can actually apply the

resources that we have, and they are limited and they are finite, to. From that, I would like to talk about microsegmentation, because it's a new approach and it's something that I've been... anyway, as I'm saying. So here's your problem; how you deal with that is a problem, and it is nothing new. You guys know the problem: it's always on. So when I talk about critical infrastructure, I'm talking about systems that are always on, they never fail, right? You have an ops-versus-security tension, right? It is... well, that pushes us to this. In the interest of time, let's talk about this: can anybody tell me what the significance of the castle is? Look at that moat. What was the point of the

moat in the castle? Everybody's used to pictures, everybody's experienced or knows that there's a castle here. The guys who heard me talking about this last year know; they saw me; this is one of my favorite topics. What's the point? But what is it over here on the left-hand side? A little bit of a joke there, but think about those on the left with that moat right there. But you know what, I don't have anything more to give you. So the original intent of the moat is: if I came at you and I couldn't get into your perimeter, your defenses, what is that? It's why we use it for cybersecurity. I couldn't get in; what do I do? I lay siege. Back in the old days

we called it laying siege. Anyway, we have a short stack, right? I just keep throwing things at you and prevent you from talking outside your network; therefore your business model will fail, because I'm shutting you down, I'm isolating you. Like, you'll hear everything I talk about has a military flavor, because 25 years, it's hard to get out of my system. But so they came up with the concept of the moat. The moat was designed because, when I was laying siege to you for 30 days, what were my engineers doing? They were digging a hole in the ground and coming up underneath that moat and coming up into the castle. The water in the moat was designed to flood the tunnels to

prevent engineers from doing that thing, right? So think about that. If you look over here on the left-hand side, if I'm going to come at you, attack you, I'm gonna come at you the least, the most... the least resistive pathway to defeat, that's how I'm gonna do it. So I'm gonna start at the top; I'm gonna look at you logically and I'm gonna go, I'm gonna make sure I meet your people, I'm gonna spearphish, you know, I'm gonna do phishing, spearphishing, I'm gonna go on social engineering. If that fails, I'm gonna keep dropping down until I get to a point; in fact, if I'm really cool, if you believe the movies that we watch today, what

will happen: you'll find I'll have that one pool champion that speaks a weird language, it sounds like dolphin, but he codes in C++ in his sleep, everything; in fact, he goes off, solution matched, he does, he just went there to complain, right? The point is I will drill down farther and farther till I get to the point where I'm literally tunneling underneath your defenses and coming up inside. So what we want to do is we want to prevent that, because what happens once you're inside the castle? That's the key. Once you're inside the castle, we realize typically east-west traffic is trusted, and now that's where we have... the point is starting to happen, right? Lateral movement. So everything on the

right-hand side, there's nothing new there. Can anybody tell me anything, and why is that important? Wow, from out of nowhere a hand shot up on the right-hand side. Give him the music. Yes: acquisitions. If I can't get to you directly, if I can't smack you in the face, what I'm going to do is I'm going to figure out a way to come in from somebody you talk to, and typically in the business world you see it. That's why I have it up there first, because they're not sexy, right? All this other stuff is sexy stuff, it's in the paper, but this is the boring stuff: unpatched systems, right? Mergers and acquisitions: what does that

represent? That means I'm a company, like, for example's sake, and I hire a company to be my friend; well, guess what, I'm integrating them with my network. But guess what, a lot of times we don't make the seamless transition for the security policy so it's holistic, and so now I have a pathway for Fiji, right? So what are we... this line, in summary: we are trying to not prevent the intrusion; at the end of the day, you are not gonna prevent the intrusion. What we're trying to do is mitigate and reduce the threat, so that catastrophic failure or loss... i.e., it gives the business model owner time to respond. And if you can couple

that with something really cool, which is reducing and automating the flash-to-bang in terms of detection into response, now we really have something powerful, and that's what we're gonna talk about. Nothing new here; for the sake of time we're going to keep going. This is what we're going to change, right, this understanding. So it becomes very challenging, right? So in a world of many, microsegmentation in a world of many: how do you reduce the scope of both your attack surface as well as your compliance? That's what we're trying to do. Now, this is not Jack talking; this is from that guy over there on the left-hand side, who used to be running DHS, who owns all the cybersecurity for this

critical infrastructure stuff, and of course now he's the chief of staff; he's moved. But he said that, and that's nothing new to you guys, right? What is interesting to me is the following slide. That's good, he's talking about the same things that I'm already talking about, and this is a Marine infantry officer saying this; somebody probably wrote it for him, but he's still saying the same thing. This is what is interesting; this is the takeaway. So during that time, whether you get away with this or not, I put the link up there for you: they put some controllers out, controllers on, because we want to see what our networks... and, you know, that we're probably not going to be

cognizant. So let's turn it around and see what's out there. So they knew they were probably going to come back with a number maybe 10 to 20 percent over what they thought they had; that's the number that they came back with. So think about that attack surface area: so if you patch 70 percent of all systems successfully, if you think you matter, but the systems, the devices you think you have, actually you have 24 percent more. Start doing that math and you see how your attack surface is now not only unpatched but unknown to you, right? Which guys like me use; we would call that pivot, once in, lateral move. But that's a thing, and then

slowly work there, and that was 44 nights; it's kind of interesting. Anyway, there's probably no correlation. So the world is evolving. So again, we're talking about some things; in the military they used to have a term called dynamic network defense. They were trying to get to this notion where we could not only see the entire network but control the entire network, and then the graduate-level calculus is, once we can control the network, we wanted to be able to manipulate the network in real time based on the existential threat at the time in the operational environment. What does that mean? And then, what it means: I don't die, I don't shut down because it's cold out,

or because, you know, the weather's... you know, my body is designed for its environment, and yes, I'll get cold, but my body goes, I'm cold, it will shut my feet off, isolate the cold, and all the other vital functions will continue to move on. My body goes into this mode. Now, this is why this is a BSides conversation, right? So why did I put Wolverine up there, where my feet sat? Why is this like Wolverine? We talked about microsegmentation: Wolverine and Weapon X, what made them different? Almost dead on, right? So Iron Man, Tony Stark, what did he do? What did Tony Stark do? He built a perimeter, but once you get inside the perimeter, Tony Stark is just

a rich dude with an attitude, right? Whereas Wolverine, everywhere you penetrate him, he'll regenerate; that's who he is, and so no matter what you do, the body adapts to it. I mean, that's why he's imperfect, right? So that's kind of the analogy that we want to have here, and at the end of the day we want to do this. Oh, by the way, listen, let's not forget: why do we do security? What do you think wins in a normal business? Do you think it's security or do you think it's compliance? Which one is the winner when they know their infrastructure? Are they doing it because they want to have the best policy, the best

security posture? Or do you think that they're looking at a list and making sure that their regulatory... or they can pass on it, they pass the regulatory and their compliance and their oversight and all the legal issues, and that no one's going to go to jail? You know, by the way, under GDPR, not the company, you will... is your rock supported, right? Hasn't happened in the States, but that's the harbinger of things to come, right? Most companies will look at the compliance and weigh compliance versus security, and promote compliance. What do you think about it? Even if I'm penetrating your network, what am I going to do? I'm gonna go, you're a bank, a financial institution,

I'm going to download all the open-source regulatory compliances you have to go by, and I'll be able to build about 70 percent of what your infrastructure looks like, because I know what dates and what tests and what, you know, things you have to pass. Now I've got a 70 percent solution of what your infrastructure, the security posture, looks like, based on open-source knowledge, just simply because you're trying to pass the plank and stay alive. So how do we do this? How do we prevent you from doing that? For those that don't remember last year, that's Rob Joyce, an old boss of mine; he is now cyber czar for the United States. You can watch this on YouTube, 'cause this is

fascinating. We actually have a class on it, and what do you think he said? First thing you want to do: understand your network better than anybody else. The reason we defeat you is because we understand your network better than you. Number two: segment, and by segmenting, that means... every body, mama, right? Make it so that, basically, every time you do something... remember, in security you have a crunchy outside and a soft inside; make it so that every time you take a bite it's crunch, crunch, nice crunch, because what does the crunchy do? Every time I'm working harder to gain access, to get deeper access and escalate privileges, I am working harder, raising my signature, since 6:00 p.m.,

things like that; that's what we want to do, right? Stop the kill chain. It's not perfect, it's just a nice way to explain something, it's a model, so that you can have a discussion about penetration with people and help them understand it. Now answer this question: if you were to stop an attack, where do you want to stop that attack? Like, so actually, where would you stop that attack? Where's the best place to stop the attack? Anyone? There you go, right. Now think about what he just said: how do you see if I'm inside your network, right? Inside your network, inside, on the dungeon, it's all black spaces; I have a new world from the

inside; I'm not raising an alarm inside the network, right? Understand? But if I can break you out here, like you said, that's where I want to do it, right? But in order to do that I have to understand what the devil looks like, right? So again, going back to what Rob Joyce said, this is not Jack talking, right? This is industry best practice; this is nation-state best practice. Hide your endpoints from scans; how do you do that? Enable strong authentication and encryption. Enable whitelisting; that was the third thing that Rob Joyce mentioned, whitelisting, right? And then with your communication, encrypt it: microsegmentation, right? So that's how we do that. So don't be hearing about this; I'll

show you how we're gonna do this, right, in a real-world example: what would that look like, how would we do that? Okay, what is that? What is that? I love the picture; it represents to me software-defined networking, right? It's a murmuration, but it's what starlings do, right, a formation: it's the birds communicating with each other and they're able to fly in those patterns, whether it's in response to a threat or it's in response to the operational environment. I just made nature sound very technical. So the bottom line is, think about your ability as a network administrator to be able to do that with your network in response to a threat, right, so that if I'm getting a

pop to your plant, a fire threat, issues going on over here, I can have my system automatically respond, with software-defined networking, to adapt to that and, more importantly, in some cases isolate. I see some of the CTD folks, right? Why would I want to turn the system off? I want a nice way to keep it alive, so that whatever malware is sitting in there, living in my system, I want it to stay alive in the system. But what the agency would do, if you read the Washington Post and believe what the Washington Post says, they will take an attack, pull it out, take it over to a safe zone, turn it back on, see what

it does, and understand it. But what about the time loss? What if it actually did it inside your network while it was going on? That's like the human body: we don't take something... when we get a cold, nobody takes it, isolates it, prevents it from doing... it's an inoculation. This is the automatic solution, right? So, but how do you do that, right? The devil's in the details. So here we go. This is not Jack; I'll say first, this is recorded: I have blatantly taken this from the Gartner report in 2017. There it is, sources have been cited, and I have them up there. But they do a very nice job simplifying a very complex thing. There's four ways that Gartner, a recognized

leader in terms of what the best practices out there are, gives: four ways to do this. Native platform controls, third-party firewalls, hybrid, and, I'd like to take overlays for $600, please. Okay, so a quick overview of each one, for the sake of time, so I leave some time for questions. Native platform controls, that's all this, right? They are building an ecosystem; they're baking security into the ecosystem so that, for example... I don't want anything thrown at me, Jersey. Nice, well played, well played, we're not talking... so with my billion dollars on their infrastructure, for the cloud, for a part of that conversation,

this hand right now. Let's say I'm the federal government; table that, thank you. Let's see, how about the ATMs out there, they're all running XP. Better yet, let's say it's critical infrastructure protection: it's always on, right? It'll never be turned off; if it's up and running, I'm not touching it. Typically that means probably not patched, right? Because sometimes it's not just a matter of patching things. Why do companies not patch? Number one, they don't see the equipment, so they don't know to patch it. Two, they just may not have their security posture tied in with oversight, controls, checks and balances, right? The other reason that people don't talk about is companies don't patch infrastructure, especially large-scale infrastructure like that, because they're afraid they

won't be able to handle the patch; the upgrade will actually break the system it's designed to patch, right? And so you may patch something and all of a sudden it just shuts down, right? It happens at home with people with their laptops: sometimes you try to upgrade and, you know, I've had a laptop for a long time and at some point, all of a sudden, you get that message: your system can no longer update to the new operating system because it's old and busted. Everybody knows that. That is easy when it's one laptop; now when you've got thousands of end nodes in an enterprise, there you go. Hi, you want to state... when I

say good body language, the ones like, your age, the gray line, he's willing to be ready. So that's the point; that's why companies don't patch. But Microsoft, Microsoft, I'm a business model; remember, security is not security for security's sake, security supports business. From a business perspective it makes sense to me: now I'm forcing you to have to buy my stuff; I am not controlling you, versus the other way around. So when people say, how many of you have moved to the cloud, they'd be better to really think about that: you're leveraging the cloud, but really, is the cloud leveraging you, or are you leveraging the cloud? Don't even answer, think about it. But anyway, so that's native cloud solutions for microsegmentation; that's not what I'm talking

about. Third-party firewalls; an example of that, Juniper Networks. These are companies that make a firewall, whether it's hardware- or software-based, but they throw it in and they ask you to basically put it inside your architecture. Makes sense: how many end nodes you have, or how many applications you're running, how many servers; the more you have, the bigger the client, the more licenses, all that stuff. That's this model, right? That's not what I'm talking about. Then you always have a hybrid, like this, when people don't know what they want: so firewalls, that gives you my bottom; again, I'm trying to gain efficiencies from some of the software-defined stuff, so I'm going

to do that, right? So you always have the microsegmentation hybrid model, right? It doesn't matter what you do, you can have a little bit of that. That's not what we're talking about, folks. This is what we're talking about: the overlay model. Why is the overlay model interesting? Because everything I just talked to you about depends on what type of equipment, what type of operation, what type of infrastructure you have. So what are you using? Firewalls? Well then that kind of points you

I want something that says I'm agnostic to the pieces beneath me. I lay it on top, and what it will do is sit down with the very bones of that infrastructure without disrupting the current operating system, infrastructure, applications, all the stuff that you're currently invested in, right? Like, you can say you're the business guy, what have you, you're the OCIO, it doesn't matter. Typically you need to ask for money because you have a five-year plan or a three-year plan. The point is you have an end state; you can hire them, they say, when you have the money; when the money cuts loose, you implement that. The last

thing you want to do is then go back in and say, "I made a mistake, I've screwed up, I need another ten dollars," because this is not the best thing to do, right? So that's the challenge. That's the overlay model, and that's what we're getting ready to talk about. So in the time I have, and we've got how much time? Ten minutes? Twenty minutes? I'm like, I've got two slides left, baby. See, this is why I'm not filming, you know, this is the good side, right, because the part of my hair is on this side. So here we go: an overlay microsegmentation model that's agnostic to the infrastructure, right? What if I could automatically virtualize any IP

number right now? Think about that. If you're talking and you're using TCP/IP, you're talking, right? That's what I want to virtualize. "Okay, Captain Fancy's there, okay, cool." But what is really key is I want to do that from an identity-based workload perspective. It doesn't matter where you are; it's not tied to that. This is where the water... right, university issues, whatever my credentials. And by the way, I freely admit, the reason I just said credentials, and I know there's probably some pentesters out there that went, "What if I pop your credentials?" Yeah, that's a whole other conversation; that's not this. That'll be number three, so that'll be next year's talk. But I have an answer for

that. If I have authorized credentials and I get onto the demo, it doesn't matter where I am; I want to be able to have my security policies follow me anywhere in the world. Something like a mic: as long as I recognize that microphone, right? Now, my credentials, you could probably compromise me, but I've got an answer to that, right? That's why my presentation is powerful, because remember, I'm not preventing the exploitation; I'm preventing the spread, what I call "the tyranny of the Apes," right? The cross-pollination, cross-propagation, the escalation, right? The tyranny of the Apes, all the things that Mr. Exactly would want to do once he's in. So I can either fight, or I'm only making their work harder,

so I'm making them work harder than their signature; a whole other conversation, which is good for me. So the next thing I want to do, there we are. Now, it doesn't matter if it's servers over on the right-hand side, or the crown jewels, or these are end users; it doesn't really matter. The point is this is TCP/IP traffic, right? And in the old days this is the all-trusted stuff right here, right? The point is I want to be able to segment it down to the individual windows. Now, is there anybody in here that works selling firewalls for a living? Because this is the point, this is why I like talking at

BSides versus my day job, because at BSides I can be out here and I can talk about this stuff; in my day job I can't quite do this, I usually get thrown out the door. What I'm getting ready to talk about, literally, if done correctly, negates the need for a firewall. Think about it: why were firewalls designed in the first place? To control traffic. There's nothing sexy about a firewall; they were originally designed because there was a lot of loosey-goosey traffic going back and forth, and as these things kind of scaled out, got thicker and bigger, we wanted a way to logically control the flow of traffic back and forth to make sure

things got to where they've got to go. And then all of a sudden it sort of got nasty, so we wanted a way to keep bad guys out and keep good people in, and then it became an issue where, if you're a company that got really cool, you would certainly have conversations like stateful and stateless traffic inspection. All right, the point is we started adding more and more things as opposed to just fixing the problem, right? Next. A lot of what we do right now in cybersecurity: you have an infrastructure, I have a problem, I buy a solution because I bought new equipment, and then I have another problem, I read something happened over here, Dark

Reading says this, or darkness is over, so I'm gonna find more, quickly bring the next thing in. I'm not agency stuff off, I've got your cell phone, so I'm constantly modifying my ACLs, and it gets to the point where an ACL could be hundreds of thousands of lines in an ACL right now. Think about the vulnerabilities in something like that. Who manages that? And that's the vulnerability. So remember, you guys are not doing security for security's sake; you're doing security to support a business model, which means what? You've got to pay people to come in there and go through nothing more than hundreds of thousands of lines of ACLs. Oh, what's that? Right, why would you want to do that? And by

the way, by the time you're going through all that stuff, people are moving around inside your network doing stuff. So anyway, the next thing: what I'm gonna do here is I'm gonna see my hair. I'm going to use agent-based stuff, software-defined stuff, basically say what is talking to what, find out everything that's talking to everything one time, and I am then going to lock down every one of those things. Now theoretically, think about this at a high level of extrapolation: you take an organization and you wrap it in something like this, and then as you start to understand your network, you start parsing this thing down until you have hyper-secured tunnels, literally packet-level, between individual

workloads, and then it's automated through software-defined networking, so that you remove as much of the human out of it as possible, and you're gaining time, you're gaining speed, you're gaining efficiencies in terms of costs and overhead, response, all that good stuff, right? Next. In here there's got to be that special requirement: it's got to be any IP, right? So if it's talking, it can be enabled, right? And then of course that's a cloud inside there. Now here's what's really cool: what if I could throw some of that stuff on there too? Now this is a conversation that I would love to have with you; it's a positive conversation. Apples, right now: what are

some things that I would want to have in mine? I want to have things like, right, make sure it's a guest on GP, is that deep packet inspection, right? If you guys are familiar with DNA, how a contractor happened to look at encrypted traffic going out of the network, and so when he went into the traffic that was in there he went, "Oh, that's Jack's fingerprints and all of his history for his clearances," right? So now everyone's like, "You know what, I want to have more of that, I want to have tagged instructions." But think about this: what if I can put a layer of security in here with that level of

certification? Do you know what that means? Now it's a crypto bag job, right, which means with quantity each part of a job, right? But it also means that if into the bin again it changes, but in today's technology, or understanding the quantum technologies, the stuff that's coming down the pike, even if you threw that at that type of encryption at 256, it's still resolved as a strong password, which means even if you've got hold of the data it would take you quite a long time to decrypt it to figure out what was inside here. Which, by the way, here's the business owner who just lost Excel to reactor, right? Again, each time, right?

Now this is the thing that's really interesting to me: the policies are applied based on the user's or server's role in an organization, not by the request. Here's why. In a large organization, when I join the organization, somebody has to put me in different communities; "Jack's benefits on the connection," so this isn't an exercise. But what happens when I leave the organization? Sometimes too many people want to make sure that I am now taken off all of those same things, right? That's another step that has to happen. Sometimes you forget about it; the real question with that is that artifact is still inside the network, right? And I'd say it's that stuff that induces turbulence in the network, right? Or you

know, you're losing control of the network, right? What I want is the ability to sign into an organization, have everything given to me, so no matter where I'm at in an organization I can sign in, I've got access, and then, by the organization, once my role is gone, I'm gone, that's it. The network basically self-knows it's closed and there's no way back in. That's interesting. And here's the thing, we can talk about this after this presentation. I love this. Back to his point: I want those endpoints dark. Stop it at the reconnaissance phase, tie this all in with the timing, everything. I want those things dark, because what I'm going to do is nothing on the outside is seeing them. But

if I scan your network, instead of my TCP packet coming up to me and it responding saying "I can't hear you" or "I don't know who you are, send again," right, now that's a conversation that may take place. What if, when you send your packet, I want to serve in shape and let that packet be dropped right now? It's like a black hole: you may know I'm out there, right, but you can't do anything. Everybody knows, the times like already, we've never really seen a black hole; it's just we've noticed the weird stuff happening around it, like all the gravitational stuff. So the point of this is, if there's something there, a black hole, right, kind of like in a network, you

may see bandwidth coming in there, you may see spam, you may see stuff, but you're not able to log in, right? That's a powerful conversation; that's what we want to do. Even today it comes down to this: reducing. Nothing sexier than reducing an attack surface and reducing the audit surface. If I could do both of those two things at the same time, wow, I'm increasing the flexibility, resiliency, and then I've got something. So what does that look like in real life? How's my time? What's my time, ten? That's good, perfect, time for questions. Oh, by the way, that engineering piece, let me explain what that looks like. That's there. Let's say, for example, I've got

customer support going back and forth, and I've got legal going here. They've got communities of interest: they're talking and they are aware of each other, but they can't kind of cross-pollinate each other, and they are not even aware of engineering. So we wall it; that would be like PII, separate. So the things that make your network work, you don't want your PII on the same network, and if it is, you want to protect it, right? So it's those kinds of conversations. But in the real world, this is what it looks like.


Right, it's all had their cloaking device; it would basically show up. What if one of you showed up without you knowing about it, and it just magically appeared? That's kind of like what we're talking about with microsegmentation. So you guys haven't seen this, but I've got it, I've got to give this. So in conclusion: does this thing exist in 2025, you know, 400 years in the future? No, it exists today. Are there organizations that have heard of, that are using, microsegmentation? Yes. All four flavors I've showed you there, in terms of the models, to include the overlay, are being used today. Does the technology exist? Yes, it does exist. Is it being... probably about

five, ten minutes? Seven minutes. So we've got to see that. So seven minutes remaining for questions before we all stretch and get ready for Jake to do what Jake does. By the way, if you don't follow Jake Williams on Twitter... So, questions. So

could be the same thing, right? Yeah, could be the same thing, yeah. And so the challenge, as he instantly said, is how do you define, how do you define or bound, if you will, separate. My favorite term in this world: it depends, right? Like when people say, you know, what if you were to... so somebody never asks this question, but it comes up, right: if you were to employ microsegmentation on an existing infrastructure, what would be the load on the infrastructure, right? Could it handle the load of microsegmentation? Right, so the answer would be: do you use IPsec? You'd probably do it if you're employing IPsec already, right? So it's not gonna do its effects, right?

It depends, and what type of traffic? Yeah, oh yeah, how many end nodes do we have? What are we having when you build the tunnels? So what we're trying to do is understand: the people are the worst, right? You know, the most vulnerable population, right? And what I want to do is prevent them from doing so, as much as I can; isolate them inside that network in their own community of interest so that way they can't help themselves. Does that answer the question? So remember I told you about the questions: this is the one guy I'm worried about. Is this "I have a question that comprises seven parts broken into six subparagraphs"? Yeah. So that's a great

mystery conversation, right? So if I was building the network, right, I would put a gateway out, put a gateway, right? So inside here I lock this down in my microsegmentation, right? This is my IP, actually that's the desert I'm talking to you about: I have a hyper-secure tunnel, think of IPsec on steroids; you and I are going, right? But yet you still have a legitimate need to go, or not you, but let's say somebody on the outside on the Internet has to talk to you. Then I would simply build a gateway, but the point is that gateway, they will be finite in number, I will understand where they are, right, and I can align my sensors, my IDS, my IPS along those. So the key

to the trip is, right now when I deploy infrastructure to protect a perimeter, the problem is I don't understand what the perimeter is, so I don't have enough to go around, so I have to figure out where the highest risk is and then put most of my good stuff against the highest-risk area, right? Well, if I don't know what everything is, how do you determine what the highest-risk areas are, right? So now, by doing this, I can selectively choose where those gateways are. And guess what, we're already doing this now; the government is already doing them now, because when they went to me and said you will collapse the number of entryways up to the Internet by an

order of magnitude, that was an attempt to begin the segmentation process where they could control and put those things. So, by the way, what I just described to you, think about this: it's The Matrix, right? This is Kevin and I sitting there in that exoskeleton right there, and when they open up the door to the outside to let more in, once they sat down at the gateway, right, they have people sitting there watching it, and when the door was closed then they walked away. That's what we're talking about. So I build a gateway, you like them, and I would control those gateways, and then those gateways would be what? They would be my high-risk areas, which means

I'd probably plus up my sensors right there, or I would probably make sure that the SOC and all that cells tight ends with in any event going on, and probably put resources better there than someplace else, right? So that's one way, that's one way off the top of my head. Anybody else? I was getting ready to walk out and smile and the hand goes up in the back. I would push back to you and ask you to define it. Yeah, right, so it's not that the perimeter itself is dead. What I'm talking about here is making everything the perimeter, right? I think when most people think of a perimeter they're trying to physically wrap their head

around something: you draw a circle and say this is the perimeter. I'm actually talking about microsegmentation, which makes everything, the actual IP, the surface area, become the actual IP packet itself. Doing this the way some companies are starting to do right now, and they can only do it because of modern technology, software-defined, where we're taking some of the advances so that you're able to push the security faster. So now we're talking, right? The actual model, the IP packet itself, in fact the data itself, becomes the perimeter, which means if I want to traverse and do a heaven feed to get into Joel, I now literally have to bust through everything that I'm doing, which

is basically making a lot of noise in the network, which is what I want, which sets me up with the traditional methodology for event management, tipping off the SOC, then response and mitigation and stuff like that, right? In a nutshell, what I'm doing is I'm making the cost to you higher than it is for me to maintain it, which means you're going to go to somebody else to get them, because I'm just too hard. Yeah, that's a good point. So he wants to know, the question is, how would you take this and do the older stuff, right? I think this is exactly what this is designed for, right? So critical infrastructure, when you think about it, a

lot of what underpins critical infrastructure is actually that legacy, unsupported stuff, right? It's old, old mainframes and stuff that just works; they never turn it off. It's Windows XP running things, right? It's that kind of stuff. With microsegmentation, as long as it's talking TCP/IP, you're basically able to bring down that attack surface and shrink it. So you may not actually do IP packet level, you know, workload to workload, but you may sit there and go, "Guess what, all my Windows XP machines, I'm going to micro-segment off all the Windows XP so that they're one community of interest," so that if somebody does go in there with an XP exploit it doesn't cross

all those boundaries, right? So I can control it, because I'm a control freak. At the end of the day I want to do two things: I want to see the network and then I want to control the network. That's it. That to me is security, right? If we get really sexy with it, then we're able to get to the point like, right now we can't forecast weather, right? It's crazy, right? Maybe one day out, we can take the weather service, but I can tell you, like with Hurricane Irma, if the weather comes this way, here are the flood zones and what will be flooded to what level. And I think about that: now if I'm a

security guy, if I was a CSO, imagine being able to go back to the C-suite and say, "Sir, we don't have a hundred percent, but if we get hit with a ransomware attack, let me show you a heat map of what will be compromised to what level." Imagine having that conversation. Nobody has that conversation, but that's what we want to be, because the weatherman can do it, and then guess what happens: the people in Florida go, "It's red, I'm gonna go over there," right? And so I may now go, "Wow, if that's red, you're telling me if we get a ransomware attack that's what the infection area is going to look like? Let's take the servers out of that zone and

let's put them over in the yellow zone," right? That's a whole different security conversation that we're currently having right now. There it is, there's my get-out-of-jail-free card. So folks, thank you. [Applause]
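The following Python is an added example, not code from the talk or from any product the speaker mentions. It models the overlay approach as the talk describes it: discover what talks to what, collapse those observed flows into role-based (identity-based) allow rules that follow a workload when its address changes and stop matching the moment it is offboarded, answer nothing at all for traffic no rule permits (the "dark endpoint" / black-hole behaviour), keep the Windows XP hosts in their own community of interest, and compute the "heat map" of what a compromised workload could still reach over allowed rules. The inventory, addresses, roles and flows are constructed sample data; the function names are this example's own.

```python
"""Toy model of role-based microsegmentation policy (added example).

Assumptions (not from the talk): an inventory mapping each workload address
to a role label; a discovery baseline of observed flows; an allow-list keyed
on (src_role, dst_role, dst_port); default deny with no reply for the rest.
"""
from collections import deque

# Constructed inventory: address -> role. Sample RFC 1918 addresses only.
INVENTORY = {
    "10.0.1.10": "customer_support",
    "10.0.1.11": "customer_support",
    "10.0.2.10": "legal",
    "10.0.3.10": "crm_app",
    "10.0.3.20": "crm_db",
    "10.0.9.10": "legacy_xp",   # Windows XP HMI, kept in its own community
    "10.0.9.11": "legacy_xp",
    "10.0.9.50": "historian",
}

# Constructed discovery baseline: (src, dst, dst_port) observed during the
# "find out what is talking to what" phase.
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.3.10", 443),
    ("10.0.1.11", "10.0.3.10", 443),
    ("10.0.2.10", "10.0.3.10", 443),
    ("10.0.3.10", "10.0.3.20", 5432),
    ("10.0.9.10", "10.0.9.50", 502),
    ("10.0.9.11", "10.0.9.50", 502),
]


def build_policy(inventory, flows):
    """Collapse address-level flows into role-level allow rules."""
    return {(inventory[s], inventory[d], port) for s, d, port in flows}


def is_allowed(policy, inventory, src, dst, port):
    """Default deny: only a matching (src_role, dst_role, port) rule permits."""
    src_role, dst_role = inventory.get(src), inventory.get(dst)
    if src_role is None or dst_role is None:
        return False  # unknown or offboarded workloads carry no role at all
    return (src_role, dst_role, port) in policy


def handle_syn(policy, inventory, src, dst, port):
    """Dark endpoint: answer permitted SYNs, silently drop everything else.
    Returning None (no RST, no ICMP) is the black-hole behaviour."""
    return "SYN-ACK" if is_allowed(policy, inventory, src, dst, port) else None


def readdress(inventory, old, new):
    """Move a workload to a new address; its role, hence its policy, follows."""
    updated = dict(inventory)
    updated[new] = updated.pop(old)
    return updated


def offboard(inventory, addr):
    """Remove a workload's role; every rule that applied to it stops matching."""
    updated = dict(inventory)
    updated.pop(addr, None)
    return updated


def blast_radius(policy, inventory, compromised):
    """Workloads reachable from `compromised` over allowed rules only: the
    'heat map' of where lateral movement could spread under this policy."""
    ports = {p for _, _, p in policy}
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for other in inventory:
            if other not in seen and any(
                is_allowed(policy, inventory, cur, other, p) for p in ports
            ):
                seen.add(other)
                queue.append(other)
    return seen - {compromised}


if __name__ == "__main__":
    policy = build_policy(INVENTORY, OBSERVED_FLOWS)
    for rule in sorted(policy):
        print("allow", rule)
    print("workstation -> crm :", handle_syn(policy, INVENTORY, "10.0.1.10", "10.0.3.10", 443))
    print("workstation -> db  :", handle_syn(policy, INVENTORY, "10.0.1.10", "10.0.3.20", 5432))
    print("unknown scanner    :", handle_syn(policy, INVENTORY, "10.0.7.7", "10.0.3.10", 443))
    print("XP blast radius    :", sorted(blast_radius(policy, INVENTORY, "10.0.9.10")))
    print("flat network       :", len(INVENTORY) - 1, "hosts reachable")
```

The contrast to draw out of the last two lines is the one the talk makes: on a flat network a compromised XP host can reach every other host, while under the role-based allow-list it reaches only the historian it was already observed talking to. Real deployments additionally need to treat the discovery baseline itself as untrusted (a flow observed during discovery may already be an attacker's), which is why the "lock it down" step should be reviewed per community of interest rather than accepted wholesale.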