One of the most influential voices in cybersecurity, Chase Cunningham has been at the forefront of Zero Trust since before it was on everyone’s lips. I was excited to have the opportunity to pose a few questions to “Dr. Zero Trust”.
Q: You started your cybersecurity career in the Navy. What advantages did that offer you?
Well, I admit openly that I am not “supposed” to be in cyber. I joined the Navy as a diesel mechanic and was blessed to cross over into the cybersecurity space over time. To put it bluntly, someone recognized I had a talent for computer-related things. That eventually led me to where I am today, thanks to my training in the Navy and working within the intelligence community.
I think the real advantage that I have had, like many other ex-military and intelligence folks, is that I was trained by the best that our country had to offer, and we went through years of experience in an accelerated timeline. Having been through those training programs—and then having been exposed to the real cyber world long before it was “mainstream”—helped me be more realistic about what this space is all about.
Q: Some commentators have said that in 5 years Zero Trust will simply be known as “security”. Do you agree?
I sure hope not. It’s extremely helpful for real strategic plans to have a common “name”. It helps everyone know what the overall goal of the strategy is and helps to keep things focused. Even if it’s something simple like “stop smoking”. That’s more vectored and specific than “be healthy”. Not a perfect analogy—but the gist of it is that we shouldn’t just say “more security”. No. “Zero Trust” makes sense because at the end of the day that’s a fundamental thing we are focusing on here and it directly relates to the problem we face. I hope that we continue with the common lexicon around Zero Trust as time goes on.
Q: What do you consider to be the greatest risk associated with pursuing Zero Trust?
Honestly, it’s never about a lack of technology. We have the solutions needed to enable Zero Trust at both the enterprise and SMB level. Period. The risk with Zero Trust is a lack of continued strategic focus and a lack of leadership to drive the initiative forward. I have yet to see any organization that cannot technically enable Zero Trust over time, it has always failed based on the lack of a leader to drive things forward.
Q: A Zero Trust network isn’t a quick turn-key solution that can be attained with one product. Are there any ‘quick wins’ that organizations can implement to move to a more ZT-compliant network?
I think it has been proven that you should start with “easy” problems that are technically addressable. Such as IAM and enabling MFA. Those are not “hard” problems to solve and they make a massive difference when it comes to eliminating the biggest swath of compromise vectors: bad logins, passwords, and stolen credentials. More advanced organizations can make a big difference in their control capability by being more prepared to fix two “harder” problems. The first is applying more micro-segmentation and the second is the continued inventory and control of data resources.
Q: The industry has been talking about the concept of assumption of a breach for at least 15 years. However, technology is highly inclined towards the prevention of a breach, why? How does one balance prevention vs detection in cybersecurity?
Because it’s sexy. Everyone likes to have that shiny blinky light in a SOC that says “we stopped the hack” and then everyone high-fives and smiles. But that’s not what really happens. This is a systemic problem that most often requires extended focus and minuscule details to determine a compromise. So, detection is sexy but not really “practical”. If we assume a breach and treat everything as compromised until proven otherwise, and then continuously do that, we can be more preventative in nature and preclude a large percentage of compromises that shouldn’t happen in the first place.
Q: Why do you think that the visibility component of a ZT strategy is critical in order to close the feedback loop and create continuous improvement?
Absolutely, you can’t know where you want to go if you don’t know where you are. Cyber is a battlefield. In any—and every—battle scenario throughout history the victors are those that can “see” what’s taking place and observe as many active moving parts in that combat environment as they can. To be able to accurately deploy defensive solutions you must know where you are weak, what’s vulnerable, and prioritize along those lines. The value of visibility in this space cannot be overstated in my opinion.
Q: Is it possible (realistic?) for an organization to reach a state of Zero Compromise?
Zero, no. Manageable, yes. As long as we have “meatware” interacting with software we will have avenues for compromise. The only system that will never have a threat of compromise is one at the bottom of a lake. But if you approach the problem correctly and are realistic about your outcomes and expectations you can manage the risk and likelihood of a compromise.
Q: Which areas of cybersecurity require greater investment?
I don’t think we actually need more investment. We collectively spend more money on curing cybersecurity than we do for metastatic cancer. Seriously, we spent 400 billion on cyber and 110 billion on curing that form of cancer; it’s crazy. But in cancer research, we expect a cure. In cyber, we just kind of say “we need more” and continue to throw money at the problem. We need to step back from the problem and focus on the reality of what we must deal with. If we focus on how we can more intelligently leverage what we have already budgeted for, then we can optimally use that money.
Q: How do we move beyond “indicators of compromise” to something more concrete or prescriptive?
We need to more adequately assign risk based on those IOC’s. I am not a fan of IOC’s or SIEM, to be honest. It reminds me of a bunch of people looking at an office building and seeing one room on fire and then they go “whoo we found the fire” and then they high five and walk away. Shouldn’t we fix that and find out where the fire came from so we can stop it from happening again or spreading to another area? If we can assign relative risk and the likelihood of success for an exploit or IOC and consequently vector in a fix, then we are doing things correctly in my opinion. Seeing an issue is good, fixing an issue is just as important.
Q: One statistic of concern is dwell time. IBM’s Cost of Data Breach report currently has it at 280 days. How do we bring that figure down?
The number there has been going down over time, which is a good thing. Obviously, it’s not enough but something is going along in the right direction. I think the metric that matters most is the MTTR, or Mean Time To Respond. The reason I think that metric has more value is that it shows how fast you got to fix the issue. Back to what I said before, it’s good to see things and observe a nefarious activity but fixing that issue is more important. So, if we can see a trend in MTTR instead of just dwell time I think we are seeing a much better trend that has more direct value.
Q: In the past, you have refuted that the biggest problem in cybersecurity is a lack of talent. How must tools adapt to give greater power to current operators in the field?
We do not have a talent “crisis”. We have a lack of technology optimization that enables the human capital we do have to address systemic issues at speed. That’s a long nerdy way of saying we need tools to better enable humans. If our tooling is doing the right things and helps us figure out what to fix and when to fix it and does that at the scale of business, then we are going to have the humans we need to fix the issues we face. Not everything in cyber needs to be fixed all the time. There are priorities and there should be prioritized fixes applied in that manner. If you want to dig the Suez Canal you could do it with shovels. It would suck, but you could if you had millions of shovels. But that’s dumb, and you will always need more ditch diggers. Wouldn’t it make more sense to use power tools and bulldozers and have your tools power the dig? That’s what we need in cyber, and we can do that if we approach the problem differently.
For the Lumu take, read how Zero Trust Architectures can improve by aiming for a state of Zero Compromises.
