
Zero Trust Beyond the Buzzwords

BSides Tampa · 2023 · 42:44 · 79 views · Published 2023-08
Speakers: Melissa Bischoping
Tags: Category: Technical · Difficulty: Intermediate · Team: Blue · Style: Talk
About this talk
Melissa Bischoping examines zero trust architecture as a strategic business philosophy rather than a single tool or policy, moving beyond industry hype. The talk covers foundational challenges—visibility, asset inventory, IT hygiene, and data flow mapping—and provides practical implementation strategies including least privilege access, segmentation, PKI, device scoring, and risk acceptance frameworks.
Original YouTube description:
BSides 2023 Zero Trust - Beyond the Buzzwords Melissa Bischoping
Transcript [en]:

Thank you very much. So, good afternoon again. I do have memes; I don't have jokes, I'm not actually a comedian, but everybody kind of wants to take a nap. As he sort of mentioned, my name is Melissa Bischoping. I am from the northern Virginia area, I've lived there for about three years, and I work for a company called Tanium, where I get to do really fun stuff every day. I look at emerging threats, zero days, exploits in the wild, and take that to build detection engineering and empower the field. And people are like, why are you in a zero trust talk? Well, because quite frankly the perspective is important, and

I get really mad when people use words wrong, and zero trust gets used wrong. Also, crazy cat lady, crazy plant-obsessed lady; if you follow me on Twitter or Mastodon you will see. In eight months I have three cats on their way. Right, so quick overview: what are we going to talk about? We're going to level set on what I mean by zero trust and zero trust architecture. The whole point here is going beyond the buzzwords. I'm not here to talk to you about blinking boxes, I'm not here to talk to you about whatever you read in some magazine, you know, that your boss is tapping you on the shoulder about. So I'm

going to talk about challenges to implementation. It's so hard; everyone's talking about it, but what are we actually getting to? And then some sort of quick wins: where do you go next, how are you actually going to do something with this information when you go back to work? So, security. I told you I had memes. Security is so frequently seen as like an individual layer of IT or an individual layer of protection; however, security itself has layers. Security should be at every layer of your business, and I recently did a presentation on a Security Weekly podcast talking about security being a verb, not an end: the thing that you do in every part of your business process,

and I get into how this relates to zero trust here in a couple of slides. Security shouldn't be seen as a separate piece of the business. You shouldn't be like, well okay, we're implementing this new business process, this new SaaS application, let's go talk to the security folks after the fact. That shouldn't be happening. When you're looking at security, start from the bottom, start and really look at your fundamentals, and then work your way up through your endpoints, your inventory, all the way to your cloud applications, because zero trust at its core is empowering you to sort of accelerate getting this holistic viewpoint and weaving it through your entire

operation. Another sort of level set and overview: how is data compromised today? If you look at whatever the latest headline of the week is, you're seeing the same sort of vulnerability exploited over and over and over again. There's hundreds, right, there's hundreds of different specific examples, but we're putting these in buckets: we've got compromised assets, we've got unauthorized devices on your network, and we've got insider threats, and we could even further bucketize the insider threats into like your malicious insiders or your stolen credentials.

It just keeps happening. So why does this still happen? It's the implied trust model that we used to operate under, that sort of hard network exterior, trusted interior. It is pervasive today because in some of these large enterprises it's really hard to move that ship and change the philosophy. We all thought the acceleration, you know, COVID, we're all working remote, that was going to change the perspective, but that's not necessarily the case. Also, mapping data flows is easy to say and really hard to do, and if you go to like one of your network engineers and you say, I want to know how data flows

through my network, they're probably going to run screaming in the other direction. And then incomplete visibility. You know the company that I work for, the sales pitch: a lot of what we do is knowing what's on your network, identifying, inventorying and getting it under management. If you have incomplete visibility you cannot protect what you don't know. You hear that said in multiple different security conversations: if you can't see it you can't defend it. If you can't see it you can't trust it either. So what is zero trust? I could write literally a dissertation on this topic and go into it, but we don't have that much time today, so

I'm going to try and be a little more brief. Zero trust architecture is not just a tool, it is not a policy you implement, it is not a single use case that you explore. It is literally the way you think about your network, the way you think about your business, the way you think about the data in your network, and zero trust principles can be applied to almost any engineering effort, almost any new onboarding effort. You can put anything through that lens, and I think that's the important piece to land home: you probably have things in your environment right now, today, that you could say, let's take this existing policy, let's take this existing

framework and retool it for zero trust, and I'll get to that here in a couple of slides. The idea behind zero trust is that everything is dynamically evaluated, nothing is implicitly trusted, and at the time access is requested, the device and the user and the data they're trying to access are evaluated: is this machine healthy, is this user allowed permission, is this device up to date, and should this data be accessed in this way? A dynamic decision is made and access is either granted or denied. Trust only happens when you have validated that the trust should be given, versus the old model where, you know, we kind of had this assumed, you know, the

user's identity isn't compromised, we assume that the machine, because it's on our network, from our domain, is safe. But that's what we talked about a couple of slides ago, these common headlines that we read about: we've got devices that sat compromised on the network for months that are accessing your data every day, and they're not being readily assessed. Philosophy versus architecture: zero trust is like a state of mind, and I'm going to sound a little bit like a hippie. You're designing for that sort of just in time; you're thinking about everything, you're thinking about authentication, you're thinking about the specific data itself, you're thinking about network flow, you're thinking about

these things in a just-in-time way. You're thinking about the assumed breach; some people take issue with me saying assumed breach, but that's the whole idea behind trust. Every time you grant access to data you are assuming trust. What if you took the approach of, I want to trust you, let me check? And that's really the fundamentals behind the philosophy. The other important thing that I think a lot of people miss is that it has to be real time, and it has to be part of an ongoing iterative life cycle. So many times I'll talk to people who are saying, well, you know,

we do weekly vulnerability scans. That's great. A new zero day was announced, there's a new CVE that came out yesterday; when was your last scan? Well, it was six days ago. Okay, so you're not really looking at the state of your network at that moment in time. Being able to look at these things in real time, not just, oh well, what is that report that I got back from my system last week, last quarter, whatever, or what were the results of that pen test a couple of months ago, what does that say about the health of my environment? That may be great for tracking progress and sort of indicators of health and sort of how

you're maturing, but it's not so great at granting trust, because things change. Every time a user plugs a USB device into their computer, every time a new CVE is announced, all of these things change your risk and therefore they should change how you evaluate trust. When we talk about architecture, like I said, I'm not going to talk about blinky boxes, I'm not going to talk about magic solutions, but there are some terms that come up when you're talking about this from an architecture decision. You'll hear people talk about control planes versus data planes, policy engines; these are sort of the things that help you implement the decisions you're making in

your architecture. This is how, when I said, hey, when a device wants to access the data, that's checking the user, that's checking the device health, the device compliance, the device patch level, and running a calculation to say, yes, I trust you, granting it. So you'll hear some of those terminologies, but I don't want that to be seen as, oh, that's the tool, that is a piece that you need to implement this successfully. There's so much you can do just with what you already have, and that's where we also talk about design choices as part of architecture. You can re-engineer your existing firewalls with zero trust in mind, right? You can re-engineer the way you do group

policy, the way that you're doing group membership in Active Directory, with zero trust in mind, and that costs you zero dollars other than the headcount. So, I am a very visual learner. The old style of how we used to handle perimeter-based security was the, you know, sort of castle with a moat. The moat is going to keep some stuff out and you're probably going to get some advanced warning when someone's trying to reach you through the moat. Once they're in the castle they might encounter a knight or, you know, a page, or someone who's maybe going to raise an alarm. They might also be able to sneak through a dark corridor, a hidden passage,

and go unnoticed, and once they're in the castle you assume that they were supposed to be there. That's the old way that we've historically built our networks. I love this image; I did shamelessly steal it and I want to say it was from Palo Alto, so if anyone's here, giving credit where credit's due. This is the presidential motorcade, and this is a great visual. Again, I'm from up near DC so this fits in my world view. We have the president's car, which is the protect surface, that's the data that you're concerned about protecting. Then you've got this micro perimeter of additional scrutiny; these are the people that are most trusted to protect

inside that perimeter, but you also have additional monitoring, constantly scanning the crowd looking for new threats. You've got an additional wall of security over on the perimeter, and that's your old school sort of, you've got to get through that first. Once you're in through the guys over there on the blue line, you've still got additional people monitoring and ready with defenses before you can get to the door of the president's vehicle and open it. And the chances of you, just because you're standing in this area, being allowed to open and unlock the door to the president's car are significantly less than if you were in the castle and you just wanted to walk into the king's bedroom.

So, last couple of slides on sort of zero trust fundamentals, then we're going to get into the action piece. Seven tenets of zero trust: this is not new, this is not my specific wording, this is kind of industry standard at this point. I'm not going to read you the slide; slides are available through the copy. The point being is that there's no silver bullet zero trust solution. These tenets are both part of what makes it complex but also part of what makes it universally applicable to pretty much any solution you've already purchased and already rolled out in your environment. This provides your sort of collection of concepts, your ideas that are designed to basically look at the uncertainty,

the uncertainty and health of your endpoint, and do that per-access, just-in-time determination of trust. And I think this is sort of, if you go to sleep at night and read these in the mirror before you go to bed and cement this, this is what I'm thinking about when I'm evaluating a new tool, when I'm evaluating a new initiative, when some other department has come to me and said, we want to buy this SaaS application, implement it now, today. These are the things you need to be considering: how do I implement these tenets? This is your like North Star for making zero trust decisions. This slide, I know there's way too

many words on the screen, but this is actually out of the Department of Defense's zero trust strategy; they did a document back in November, and basically a webinar, on what their vision is for zero trust. There was a previous model similar to this that had six pillars; they've added, I think the seventh one that they added was the visibility and analytics piece. The reason I like this visual representation is because zero trust is a foundational piece of how you're designing your network and how you're designing for risk. It's got all of these different components, and maybe one of your pillars isn't as strong as the others, and the others will help prop that

up, but the goal is to reinforce your trust across all of these different models. And it's iterative, it's ongoing, it's a maturity that you're working towards. Nobody comes out of the box on day one with some magic solution that gives you completely hardened foundations, so no silver bullet solutions, but we're building. Okay, so what do you think? I don't know if a lot of you are in compliance or audit, I don't know if a lot of you are in engineering, but I think everybody has some pretty common reasons why they care about this. One of my favorites is business flexibility. I am a

big fan of getting people convinced to do what I want them to do because I can sell it to you on how it makes your life easier, and if there's one thing that I've learned that business leaders like, it's being told that I can give you more flexibility. I can say yes to more of those weird SaaS applications you want to put on the network if I already have a foundation for evaluating trust. So not only does it require an understanding of your business workflow, but I like to phrase it that it allows you to understand your business workflows. Go around and talk to those leaders of those different departments that are asking for requirements of you,

and this applies whether you are like the tier one analyst who's doing break-fix type stuff, all the way up to if you're the CSO. You should be talking to those different departments and having those water cooler conversations about, so what is it you do here? And ask them to walk you through how they use your network, how are they using their endpoint, how are they accessing data, what do they need. And eventually, because people love to talk about themselves, they're going to tell you where their pain points are and they're going to tell you their great idea of how to do it better. Then you start building bridges, then you start creating efficiency,

because now you get to be the hero who knows how all of these different departments could benefit from consolidation, optimization, collaborating with each other, and you start building this sort of internal security brand of security as a facilitator of trust. Well, you're using zero trust as your motivation; that's your in to go talk to them: okay, we've got this regulatory compliance thing and we're all doing zero trust now because that's what the board cares about, let me talk to you about a superior solution. Why else do you care? Well, there's mandates; depending on what your industry is there's going to be requirements, there's going to be insurance requirements. It's also just better security. You sleep better at

night because you're decreasing your attack surface, you're identifying that scope creep in permissions and you're getting rid of it, and you're making the decisions in real time. The second a device becomes vulnerable you can revoke that trust; you're not granting additional exposure. Why is it so hard? I'm standing up here for the last 20 minutes telling you this is totally straightforward. Because, like I said before, we kind of suck at visibility. Most environments that you go to, you say, so how many endpoints do we have, and they'll say, I don't know, 15 to 18,000. And I'm like, well, that's three thousand unlocked doors. Poor hygiene: you know, if your patch

metrics are saying that you've still got vulnerabilities from 2017 on your network, like, we've got a problem. Bad legacy applications and tools: as you heard in the intro, I spent a little bit of time working in oil and gas. Has anybody in here ever worked in like that kind of industrial manufacturing or critical infrastructure? How many like Windows XP boxes have you ever found running? Just stop, people. Yeah, see, there we go, Windows 98, even better. And it's all like somebody's golden thing that you can't take offline. One of my favorite stories was a Windows 2000 box running a piece of database software where the developer was dead, there was no documentation, and the

company was out of business, but also it's regulated so we can't just rip it out, and oh by the way it cost us seven million dollars to implement the new one, so sign the risk acceptance. Right, like, we've accepted the risk: we know that it shouldn't be there, we know we can't patch it, we know we can't even set it up in an HA failover, like we can't even virtualize the thing, it's critical, so risk accepted. Now I'm going to go into a little bit of a tirade in a minute on risk acceptance. So again, complex regulatory oversight: if you're in this room you probably have some experience with an audit. The words can be really verbose and say a

lot of nothing and not actually get you anywhere. And then lack of business support: if the business doesn't understand why they should care, they're not going to care, and they're certainly not going to fund it. All right, let's hit these one by one. Visibility: if you have devices on your network that you can't see, you have devices on your network that an employee... Nobody who's in like pen testing kind of roles wants to go in and be like, oh well, I've got domain admin because I popped the Windows XP box that you didn't even know was online. I'm familiar; that's not fun, that's like literally boring. So make it a challenge, give them something fun to

go after. You often hear people say, oh well, you can't secure what you don't know, you can't secure what you can't see. I say you cannot trust what you can't see. Threats are realized in these environments when you can't actually identify in real time. Do you know when somebody plugs something new into your network? Do you know when somebody let their kid borrow their laptop and put Minecraft on it? So visibility at its core requires you to be real time; you can't be doing periodic network scans, you actually have to know when things change in your network, be it remote, be it through the cloud, be it on-prem. And then you need to build in some

automation, because quite frankly our time is finite and our teams are small and headcount budgets are tighter than ever. All right, IT hygiene. Hygiene is another one of those words that's really easy to say and seems to be really challenging to do, probably because of the visibility trouble. This goes back to not just patching, which, patching is the thing: if you would just patch everything you would close the door to 99% of those headlines, but yet it's hard. You can't patch it if it can't be reached. We also talk about account management: are you actually doing account hygiene, do you have rotations, are you granting service accounts domain admin in your environment? Please don't do that.

You know, this is also a problem that tends to increase over time: the worse the hygiene on your network gets, the harder it is to correct, because now the downtime required to patch that domain controller just went from 30 minutes to four hours, and getting the business to accept that appetite is a totally different argument. We also look at things like onboarding and off-boarding. This is an HR problem, you hear people say. Now you get to go be the hero; you get to go say, hey, as part of our zero trust initiative we want to have all of this automation that we're building for onboarding and off-boarding, and we need you to help us.

I worked for a company at one point where, so I started and I immediately was looking through our Active Directory and I said, well, there's no way this many people were here. So I went to HR and I said, where's your HR record of truth? Tell me who still works here. And they said, oh well, I mean, just the people in the office. And I'm like, well, we have 400 accounts in AD and this office has maybe 80 people. Yeah, I mean, there might be some that we forgot to turn off. It's like, cool, job security, that's great. So building in those processes as part of your design I think is critically important.

The remote workforce coupled with the existing lack of visibility created all of these new challenges to hygiene, and if you can get ahead of them now you're going to save yourself time later. But don't forget that hygiene is one of those things that just keeps building and building and building on itself, and before you can really embark on any of this, you cannot start a zero trust initiative without addressing hygiene and visibility first, because everything else you do, you're going to be spinning your wheels, you're constantly going to be going back. Legacy problems: this goes back to what we were talking about a second ago. Zero trust is still sort of a modern thing,

several years old; I can't remember the actual year they coined the term. But the systems that are running our electrical grid, our oil and gas pipelines, manufacturing facilities, very few of those were ever designed with security in mind, much less zero trust. We have years or decades of these sort of duct tape solutions. The upgrades are expensive, and you have to find a way to accept the risk in the moment and prioritize the road map. And that's the part that people keep forgetting: if you do it and you have your executive-signed risk acceptance, risk acceptance is not a bank account you can go into the negative on.

You know, if you accept a risk you actually do have to find a way to reclaim that risk acceptance later on. Regulatory compliance: I used to run into issues when I would say, hey, we can improve security by doing this cool new thing, and they would say, SOX doesn't matter. Compliance doesn't mean we're secure. You can be compliant all day long with your risk acceptance and you've still introduced vulnerability. So being able to communicate the changes to, you know, how we're doing the regulations and what's coming down the pipeline, stay attuned to how there's all of these executive orders and these new strategies coming out pushing us this way. Translating that into more than just the

paper exercise is the hard part. So looking at what is the spirit and intent of the compliance requirement versus what is GRC willing to sign off on, and getting them convinced to do it. Here I feel like too often security spending is seen in a lot of companies as, we're spending this money to avoid a finding, and if it's not required by the audit we're not going to spend it. We would spend money on a hundred thousand dollar penetration test that told us we had the unmanaged Windows XP box, but we wouldn't spend the same amount of money on modernizing our firewalls to give us that sort of next-gen real-time packet inspection, whatever you want to

implement. We're paying for the thing that makes us compliant; we're not paying for the thing that improves our security. Getting support from the business. They mentioned in my introduction I have a background in psychology before I got into tech. I got my bachelor's in psych, and as I used to tell my husband, it was the most expensive piece of wall art in the house. I was like, I'm not using this thing, it's not making any money. But understanding people, understanding motivation, understanding the fear and anxiety helps you understand how to reach people, and if you learn nothing else, learn that trick. And I'm not

saying go like, fear, uncertainty and doubt, and please buy this for me, I need it, otherwise we're going to get hacked. It's really about understanding what keeps them awake at night, what does the board care about. We talked a minute ago about risk, and I love this; we talk about it as bank accounts, but I'm a nerd, as we said earlier. There's sort of this Venn diagram of nerd versus IT people, and in the middle: risk acceptance is not a bank account that can accept infinite risk; it has to be recharged. You have to go to them and say, I understand that we cannot tolerate the expenditure to modernize this, or this zero trust thing is untenable because it's going to put

additional burden on your devices. So you have to make it about something that they care about, which is money. If you take the zero trust initiative, we can claw back this risk acceptance and we are now saving that money, and we can say, all right, let's go accept the risk on this other thing that's kind of been a bear in our side. To succeed, it's help me help you, right? Like, tell me what you're worried about, tell me what the board is the most concerned about, tell me how we failed our last three audits, and let me align what these zero trust principles are to fixing those most critical priorities. That's how you start

getting buy-in: staying ahead of whatever's trending, whatever the coming regulations are, whatever they're talking about on the news that morning. How many of you have been through a breach scenario, or seen one on the news, and then your boss comes in and goes, hey, our competitor just got ransomware, we're good, right? Like, that wouldn't happen to us? Okay, well actually, if we would do this initiative right here, this is how we can put ourselves in a better position to be resilient. And I, no lie, I keep a spreadsheet of like five or six prioritized projects that matter to me

that I haven't been able to get funding for, because eventually somebody's going to come to me and say, what could we have done to prevent this, or what can we do to not be them, and you want to be ready. You want to have metrics, you want to have ideas. It's not the first time it happened to me: a director came to me and he said, what tool do I need to buy, whatever the budget is, what do I need to buy, and I was like, I don't know, Sam. Like, I had not done my research, and I said, I'm never going to be in that position again. I had a golden opportunity to get funding for any

project I wanted to push forward, to include something like a zero trust initiative. Never again; always have your list of initiatives. What can you do? There's a lot that goes into an overarching sort of zero trust roadmap. I'm talking here about the fundamentals, I'm talking about getting started, and I'm talking about what you take back today. Identify the protect surface, map the data flows (I know the network engineers hate to hear it), build the architecture, define the policy, and then you enter sort of your monitor-and-maintain. This is like 50,000 foot, this is very high level, and we could break each of these into a presentation of their own; not the purpose here today.

So think about it in the framework of these five steps to at least assess where you are and where you go. Have any of you ever seen me give a presentation before? You know I love this slide. This, if you have not seen it, is from Matt Swann from Microsoft. He built something called the incident response hierarchy of needs. Again, I'm a psych nerd; Maslow was this psychologist who created the human hierarchy of needs, talking about what it takes for us to reach self-actualization, and that included things like you have to have shelter, you have to have food and water, but then you also need friendships, you need love and relationships, you need fulfilling work,

and that's how you reach like this level of becoming an awesome self-actional as human the incident response hierarchy of needs without a doubt every time I walk into a new client they want to talk about what's up here because this is fun right I want to talk about ninjas coming through skylines I want a friend hunt I want to do pen tests I want to do like all this okay that's cool how many devices do you have on your network I was like they're still down here and they want to move up here and you you fundamentally cannot because you're a threatened on team that you just spent millions of dollars Staffing training and equipping is ineffective they're

hunting and sixty percent of your environment so you're missing it's like definitely want to aim for it gotta fix this stuff first and so when we talk about identifying we want to talk about identifying what's on your network and then includes the stuff you own and stuff you don't identifying the applications that you use identifying the licenses that are in play and identifying the users that you have then we want to talk about identifying privilege scoping how these devices can talk to each other what the networks actually have access to and what the users actually have permissions to uh and then from there you can build the rest of your strategy you start Shoring up your gaps if you take nothing else

away from this talk today it's like this is the one you care about mapping your data so again every network engineer that I ever talk to when I say this works they're just like no no you need to know where your data flows do you know how many departments have access to that file server versus how many actually need it and you know why you even know what they're doing with it do you know that you've got data going out to a third-party FTP server for some contract you've got no well you should probably know that like this goes back to what I said a couple of slides ago I support meeting with Business Leaders to be like how

does your team what's your team need how can I facilitate help me help you right because if you understand what the team does in the course of their day job you start understanding that they are the experts in their work your job is not to tell them how to work your job is to understand how they work and once you understand how they work you say okay these are the permissions I can claw back these are the the policy I know that once a week this person in this department needs to submit this file via this third party app and to do so yes they have to use this insecure FTP client but we're going

to accept that risk however by accepting that risk we are going to enforce a policy in our zero trust framework that says only this jump box only this user only on Mondays between 12 and 2 and only if the device is healthy you wouldn't even know you needed to do that if you didn't know how the data was flown and more importantly none of that costs you anything that's that's just strategy that's looking at what you've already got and making a decision on it building the architecture this is another one that like I almost feel dirty putting it on one slide because this is not a one slide problem um but going sort of what I was just

saying on the previous slide: leverage that mapped data and that inventory to start making strategic decisions. And I don't care if you make one decision a week where you can make a small change to reduce scope creep, to reduce permissions, to tighten down those controls. Even if the one thing you're doing is writing the policy that you're going to enforce later, that is why you do the mapping; that's why you do the foundation pieces. Leverage your existing next-gen firewalls. Most people have them already at the perimeter. Like, yeah, not everything's coming in through the perimeter, but for what is, what's coming in through your VPN, you have complete visibility. Least privilege: we talk about least privilege a lot. Are you actually doing

it? I've been super guilty of the "I'm troubleshooting, I just want to make sure this isn't a permissions issue, local admin for you." Did you go back and change that? Did you know that I did that? If you can't detect when your support center or your system administrators are adding someone to the local admins group or giving someone extra permissions, that right there, that's a zero trust initiative you need to be embarking on. You need to be able to detect change. So that goes into the last bullet here: identify your gaps in logging. And I think that's probably one of the biggest lifts, because logging is

expensive. Logging's expensive, and it takes a lot of time to set up properly. If you're not logging it, you don't know when it happened. Full stop. Segmentation gateways: people will talk about segmentation a lot when they're talking about zero trust. I don't believe that every network needs a firewall between it and the rest of the world. I believe that your firewalls need to be well designed and that you need to be intentional about where you're putting things and the networks that they're sitting in. The great thing about doing segmentation and using these firewalls is that you have more centralized health assessment and more centralized data assessment. A lot of them these days

even come with the ability to do that just-in-time policy compliance, and these can be configured to whatever you want, and you can tighten them down as you go. You don't have to say, all right, everything has to be perfect; you can build them as you go to be more and more compliant. PKI: people cringe when I bring up PKI because it's messy and it can be hard and a pain. Yes, but it's essential. Getting good public key infrastructure, getting your certificates under control, gives you the ability to have more trust. Yeah, sure, yes, but this is an additional layer. Remember, onions have layers; security has layers. There are options now that weren't available 10 years ago to do things like

PKI as a service, which makes this much easier for smaller businesses. Lastly, puppies, please: the whole idea behind zero trust is trust that is unique to the device, the access that they're requesting, and the user. If you're throwing wildcards in, you're basically saying, yeah, I trust everything. That is the certificate equivalent of the moat. Scoring: I am a data junkie. I love taking something abstract and putting a score behind it. Maybe you've got a framework that does your scoring for you, you've got an insurance company that's giving you a framework to follow, or maybe you're able to just sit there and say, I can weight what's in my environment based on criticality and I can weigh this

on what I know to be true about my environment. Whatever you do, you have to be tracking, you have to be looking at, you know, how do we score the endpoint, the user, the application in real time? Now, the control plane / data plane kind of setups that we were talking about earlier with your policy engine will do a lot of this for you: they reach a threshold and access is granted; they don't reach your threshold and access is denied. But you can also look at options yourself. If you've got an extra firewall that has the ability to audit device health, if not healthy, it's automatically a zero, just deny access. That's kind of a

heavy-handed approach and isn't practical long term, but when you're getting started, you've immediately scored that device. I think sitting down and identifying your crown jewels, identifying your data, identifying what applications are in play, and giving those a weighted criticality is probably the first step. Policy creation: I talked about the Kipling method. Has anybody heard of, like, the who, what, where, when, why? When you're creating policy, you don't have to sit down and have a pre-generated template. You can, but asking these questions right here is enough to get you started. And these are the same questions that are going to inform your on-paper policy, but these are also the questions that are going to

inform the policy you're putting in your policy engine. If you don't know the answer to these questions, guess what: you get to go build a business relationship and ask. You get to go start having more of the water cooler conversations. The hardest of these questions, I think, to answer, to ask, is probably: how risky is the data if it gets lost? How sensitive is my data? Because you don't know. You're security, you're compliance; you don't know how risky that data is until you go talk to the person that owns it, until you actually understand what it costs if it gets lost or if it goes down. The last phase we talked about is

monitor and maintain. I'm a fan of this picture because it's accurate. I talked a couple of slides back about how you could log all the things. I don't mean log literally all the things, because the analysts in your operations center are just going to be like, "ah, data." So logging should be something that you ramp up as you continue to get it under control. Start with logging the most essential events, start with logging the most critical pieces of your infrastructure, your crown jewels as it were, and then move up to logging everything on every endpoint once you tune things down. If you're getting hundreds of alerts a day, your SIEM isn't tuned. You can tell yourself that if it

helps you sleep better, but if you're actually, you create this culture where people just start ignoring everything. That's not good. I tend to say, if you're not reviewing the rules in your SIEM and in your logs once a month, once a quarter, depending on the size of your business, you're missing opportunities to improve efficiency. And it's not fun; nobody likes sitting down and looking at logging rules, but it's important. And if you start seeing a sudden spike in false positives being reported, that right there is your indicator of "I need to actually go see why this rule is bad." Don't just allow bad rules to get muted and ignored; go fix the bad rule, if you

wrote it in the first place. Why are we looking at recording KPIs on this stuff? Well, quite frankly, you're saving headcount, you're saving time, you're reducing the number of incidents raised, and you're reducing the alert fatigue, and that right there immediately makes you more secure. Last slide. I always like to leave with a couple of quick wins: what can you immediately go back tomorrow and talk about? Well, your authentication: are you doing multi-factor? Are you having that multi-factor enforced whether they're accessing something on-prem or in the cloud? Is everything you've got connected to a single sign-on solution? From the authentication piece, also

looking at stale accounts, permissions. Where do you have existing network segmentation, and what devices do you have that are file servers sitting on workstation networks? Someone out here has one. Leadership: what automation do you have? And what automation, like, sit down with your tier one people, your tier two people, and say, what tasks do you do 15 times a day? That's a task for automation. And why do I say automation? Because automation reduces human error, and reducing human error improves your security. Look at the existing products that you have that facilitate things like machine learning for raising alerts, looking at the ones that might already be in your existing platforms and products,

and then looking at the opportunity. Most of you, I would assume, probably have Microsoft Office; there's already some DLP capabilities there. If you're not looking at classifying data, that's part of mapping your data flows. That's something you can immediately do: empower yourself by actually auditing and classifying data. The big question is, every time you look at a tool, a thing in your network, a thing on your endpoint: have we looked at this through a zero trust lens? Have we asked ourselves those Kipling method questions of who, what, where, when, why about how this tool or this workflow does its job? If we haven't, let's sit down and have those conversations. When we look at the

inventory, because we did our inventory, we look at the inventory of the applications: do we actually know the purpose of each one, why it's needed, where it's going, so that we can make better decisions on the design? All of those things are free to do, with the exception of your time. And then when you have a vendor come in and say, "I have a zero trust blinky box," I can say, how does it already fit within this framework? What does your tool do to augment? What does your tool offer to better enable people and automate this process that I'm implementing grassroots-style? I think you're going to find that you have better conversations and you have

fewer executives tapping you on the shoulder going, hey, so I saw this commercial for this thing and they said zero trust, and shouldn't we change to that? So that is actually, I know I'm a little bit early, but that is all I have from a slide perspective. Hopefully this was interesting and informative; hopefully the memes kept people awake. Thank you again for allowing me

Any questions?
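The access rule the talk sketches (one jump box, one user, Mondays between 12 and 2, only a healthy device) and the threshold-based device scoring it describes, worked through as an added example. This is editorial code, not code from the talk or from any product it mentions. The posture signals and their weights, the rule fields, the user and host names and the timestamps are all assumptions constructed for the example; the point is the shape of a default-deny policy decision: every condition of a rule must hold, and a device score below the threshold is denied with a reason the operator can log.

```python
"""Toy zero trust policy decision point.

Added example, not code from the talk or from any product it mentions.
It combines device scoring (posture signals weighted into 0-100) with a rule
that pins one workflow to one user, one jump box, one weekly time window and a
minimum device score. Anything not explicitly allowed is denied.
"""
from dataclasses import dataclass
from datetime import datetime

# Posture signals and their weights are assumptions for this example; real
# deployments feed them from EDR / MDM / patch telemetry.
SIGNAL_WEIGHTS = {
    "disk_encrypted": 30,
    "edr_running": 30,
    "patched_within_30_days": 25,
    "screen_lock_enabled": 15,
}


def device_score(posture):
    """Sum the weights of the posture checks that pass; range 0..100."""
    return sum(w for sig, w in SIGNAL_WEIGHTS.items() if posture.get(sig, False))


@dataclass(frozen=True)
class Rule:
    name: str
    user: str
    source_host: str  # the single jump box allowed to originate the request
    resource: str
    weekday: int      # Monday == 0, as datetime.weekday() numbers it
    start_hour: int   # inclusive, local time of the policy engine
    end_hour: int     # exclusive
    min_score: int


# The talk's example: one user, one jump box, Mondays 12-2, healthy device only.
# Names are constructed placeholders.
RULES = [
    Rule(name="weekly-partner-upload", user="jdoe", source_host="jumpbox01",
         resource="partner-ftp", weekday=0, start_hour=12, end_hour=14,
         min_score=80),
]

HEALTHY_POSTURE = {sig: True for sig in SIGNAL_WEIGHTS}  # constructed sample


def evaluate(rules, user, source_host, resource, when, posture):
    """Return (decision, reason). Default deny: allow only when every
    condition of some rule for this resource holds."""
    score = device_score(posture)
    reasons = []
    for rule in rules:
        if rule.resource != resource:
            continue
        checks = [
            (user == rule.user, "user not permitted"),
            (source_host == rule.source_host, "not from approved jump box"),
            (when.weekday() == rule.weekday, "outside allowed weekday"),
            (rule.start_hour <= when.hour < rule.end_hour, "outside allowed hours"),
            (score >= rule.min_score, f"device score {score} below {rule.min_score}"),
        ]
        failed = [msg for ok, msg in checks if not ok]
        if not failed:
            return "allow", f"{rule.name}: all conditions met (score {score})"
        reasons.append(f"{rule.name}: " + "; ".join(failed))
    return "deny", "; ".join(reasons) or "no rule covers this resource (default deny)"


def decide(user, source_host, resource, iso_when, posture):
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return evaluate(RULES, user, source_host, resource,
                    datetime.fromisoformat(iso_when), posture)


if __name__ == "__main__":
    # Constructed requests: 2023-08-07 is a Monday.
    sample = [
        ("jdoe", "jumpbox01", "partner-ftp", "2023-08-07T13:00", HEALTHY_POSTURE),
        ("jdoe", "jumpbox01", "partner-ftp", "2023-08-08T13:00", HEALTHY_POSTURE),
        ("jdoe", "laptop-42", "partner-ftp", "2023-08-07T13:00", HEALTHY_POSTURE),
        ("jdoe", "jumpbox01", "partner-ftp", "2023-08-07T13:00",
         {**HEALTHY_POSTURE, "edr_running": False}),
        ("jdoe", "jumpbox01", "hr-share", "2023-08-07T13:00", HEALTHY_POSTURE),
    ]
    for req in sample:
        decision, reason = decide(*req)
        print(f"{decision:5} {req[1]:>9} -> {req[2]:<11} {reason}")
```

Two design choices carry the talk's point: the engine never allows by omission (a resource no rule mentions is denied), and the denial reason names the failed condition, which is exactly the change-detection signal the talk says you need in your logging before any of this can be tuned.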