
Our next talk is from Ron Burkett. He is the director of sales engineering at Zscaler. He's got 20 years of experience in the networking security industry and has been deeply involved in developing emerging security and networking strategies for Fortune 1000 customers. Ron currently is tasked with helping customers develop zero trust networking strategies by adopting... okay, okay, sorry, yeah, you're introducing me, all right. Okay, currently Ron is tasked with helping customers develop zero trust networking strategies by adopting cloud software-defined networking strategies and FedRAMP-certified solutions for US federal government agencies. Thank you, Ron.
Good evening. How's everyone doing tonight? Who besides Raleigh? All right. So, hey, you know, you guys kind of saw the next slide. I was at the booth today and one of the guys came by and he said, hey, I really like BSides because you guys have so much more and better beer than the DEF CONs, and I thought about it, I'm like, yeah, you know, what's relevant to that? Well, so yeah, too early, that bad? No. So I just couldn't resist having a little fun while they're here and said, yeah, I like beer too, in fact I still have mine, so I hope you're all drinking and enjoying the evening. So thank you. Anyways, it has nothing to do with what I'm talking about, but everything is always a little better if you have beer mixed in.

So, you know, we've all grown up with networks and building traditional perimeter security. And by the way, I'm struggling to stand here. I like to walk when I talk, but they gave me a fixed microphone and a camera in back, so if you see me grabbing onto them and about to throw this podium, it's because I'm used to walking around. But anyways, networks are great. We've all built them for years, they've been around. There's just a couple of problems with them. One of them is users, right? If we didn't have any users on our networks, wouldn't they be great? So a little quote here from one of my favorite characters, Michael Scott: when the Crown Prince of Nigeria contacts you directly, you don't ask questions, you help where you can, right? So this kind of describes how our users interact with our networks. They have no clue that they're doing things wrong, even when they're well-intentioned. Or if any of you are unemployed and you're sitting at home watching Maury Povich all day long, all right: when asked what did you click on, you said nothing; the 12 toolbars in your browser determined that was a lie. So we've all been there. Users are tough, right? They do things they shouldn't, they don't have a clue, and they're just trying to do their jobs. The end result in a lot of cases is compromises, and for us as security professionals, dealing with the issues that come as a result of users not being educated, and it doesn't matter how hard you try.

So, you know, I started thinking, what does it really take to protect your network and how do you keep the bad guys away? So I'm like, well, let me think about what should be a really simple network to secure. So I started thinking back to some things I did on my own home network. I'm like every good IT geek, right, in that I spend a lot of time locking down my home network and using all the technologies
I've worked with over the years to build a secure network. Now, just for a little background, that means, yeah, in my home I have a really expensive power bill, a bunch of ESX servers, tons of IoT devices, in today's world, you know, cameras, Amazon Echos, you name it, using the internet, no big deal. I also have, you know, a typical user base. I have the Michael Scotts of the world on my home network as well as some sophisticated ones. But you would think it's still relatively easy. I'm just protecting me and my wife, you know, my three boys, two of them teenagers, one of them a preteen, and a foreign exchange student from South Korea. Now I did say South Korea, don't worry, it's not a North Korean hacker, it's a South Korean kid. Easy to do it, right? Should I be able to keep that safe? And we would logically think if that's all you have to protect, I should be able to do it and keep it safe.

So like any good IT geek I kind of put everything in my house: full next-gen firewall, full SSL inspection, actually not just SSL inspection, I had it twice, I had two different devices doing it feeding different things. I actually had full packet capture in my house, all right? I had content filtering, AV scanning, IPS, IDS, literally, so you know, again, all that for five users and a handful of IoT devices, should be good to go, right? And you know, as I went through it, first of all I don't want to completely knock it, it was good. Caught my at-the-time fourteen-year-old boy sneaking up at night playing Xbox; of course no one plays without being online, right? So it was really easy to track his activity. He wasn't really happy with the results. Caught another one of my boys actually using Instagram as a chat mechanism, because we don't allow them to chat with people. At the time, you know, you didn't want your kid chatting with all the girlfriends out there, and they were actually going into Instagram, in the comment section, and tagging each other, and they were meeting at Jake's place is what they did every night, and they'd literally get together, and we found it. So my security tools served their purpose. In fact my kids would say, dad, why is it so hard here? No other kids get this level of scrutiny. And I said, well, that's what happens when your dad's in IT, right? You have to deal with these types of things.

But you know, again, you would think it'd be relatively easy to secure, but you know, again, you put an Xbox on your network, a Ring doorbell, and what did I have to do for SSL inspection? I had to make an exception. What did I have to do for my other tools? I had to make an exception. You know, many times I rang the Ring doorbell and drove my dogs crazy trying to test why the Ring wasn't working. It's just, it's crazy, right? Now I know this is a consumer-level device and you're saying, Ron, I don't have those types of things, but the fact is, you know, when you have all these different things out there, you're building exceptions for them, all right, and it makes it very difficult to have a secure network. In fact, you know, as it turns out, I thought I had it really good. It was so good I made a video for the company I worked for at the time. I said, look, my kids came home with their
friends and they were watching illegal movies and they didn't even get a virus, because they started talking about this thing I'd never heard of called footlocker 9, and then all of a sudden they're playing videos of movies that are currently in the theater, and I'm not talking like the quality where someone recorded it with a camcorder, I'm talking full HD quality. And you know, my antennas are just up and going off and going crazy, like, what are you guys doing? So I started looking at the logs and all my traffic and I found all kinds of bad stuff and it was blocking it, and I'm like, this is great. So I actually said, kids, this is good, bring all your friends over, play all the bad stuff and I'm gonna record the traffic. And I did, and I made this really cool video and I went around proudly proclaiming in my network security pitches throughout the U.S. saying, look, you can even watch illegal movies and we'll keep you secure. And so I was at the height, right, and what always comes right before the fall? You have that pride right before it. Well, yeah, we're not gonna go there, right?

So anyways, a few months later, turns out, I started looking around on one of my servers running on my LAN and, you know, I had a bunch of files there that shouldn't have been there. Now thankfully it wasn't a server open to the Internet; they made it inside my network, guys. In fact, thank you, I think the AV has a virus here. So the point was, I couldn't even keep my wife, three teenage boys and a foreign exchange student safe on my network. And by the way, I didn't just have the vendor I worked for, I had every one of you that uses some other security device, I had that in there too, all right, every one of those devices, and they couldn't do it. So you know, how do you deal with it? You're like, Ron, it doesn't matter what you said, you know, again, I have all these other tools, I have a lot of people looking at this and they're dealing with it on a daily basis. If that was the case we wouldn't see things like the Verizon report, or, you know, people wouldn't make statements like it's not a matter of if you get hacked, it's a matter of when you get hacked. And we've all heard these statements, we know there's at least a certain amount of truth to them.

So, you know, I was sitting down with a good friend of mine. Like most IT guys he likes to drink scotch and smoke cigars with me, which by the way, anyone who'll stay out tonight, I'm happy to, you know, help you understand
how to do that well. So he's like, Ron, it doesn't matter, I have network segmentation. He goes, and this guy happened to manage the network for a school district, right, again, school district, kids will do anything to get to what they want, right? He's like, we don't care if they even get infected, we just reimage their machines, they're on a separate network from all of our administration. I said, huh, you guys, yeah, don't you have HIPAA, PCI and other regulations with student data and health records and everything out there? And they said, yeah, but again, they're on a different network. I said, oh, so students are not allowed to plug in, or steal a teacher's password and get on the Wi-Fi for the administrative network? Yes, well, no. I can't help it.

And then the other IT guy is like, yeah, Ron, it's a school district, I have NAC. All right, yeah, who in here has tried to implement NAC? Yeah. And who here has no exceptions to their NAC and it works perfectly? All right, yeah, we've all been there. Look, it's an awesome tool, I'm not saying you shouldn't do NAC, I'm not here to downplay NAC, it's great, I would highly suggest you all have it. However, let's not pretend that it's going to give you peace of mind. It's really going to make things work, because every copier or every other type of device in the world you make an exception for. Worse yet, the VP comes in and says, hey, I can't get to where I need from my iPhone or my iPad, and then you build yet another exception, and you're trying to relate a user to layer 3, layer 4 rules and ACLs you have on your network equipment. So you know, NAC, again, it sounds good. With the explosion of IoT and contractor access to different devices today, it's really hard to have a comprehensive NAC strategy.

So what ends up happening is you have this crazy and vicious cycle. You constantly are trying to defend against the latest threat. You find there's a lot of cool things out there to stop that threat, you put it in your network, all right, you block it, and another threat comes, and it just keeps coming in over and over, all right? It's kind of like, hey, we had another breach, guess what, we got a little more money, oh yeah, we get another tool, all right? And there's just a few vendors in the cyber security space, right, you know, a few hundred. It's one of the highest venture-capital-backed industries in the world because there's so many threats and so many different ways to defend against it. And look, there's a lot of good vendors up here, right, they do a lot of really good things. I'm not suggesting you shouldn't do basic blocking and tackling
and protect your network, but it just keeps becoming a vicious cycle. So here's a picture of one of our customers' networks. This is all the active endpoints in their network at a given snapshot in time, so hundreds of thousands of endpoints, all different types of endpoints, all different types of users, from, you know, Michael Scott to the millennial that knows how to actually use this computer well, all using that network and all creating different security-related types of events, all right?

And so, you know, we've all lived in this world. The way we've done it in the past is we built this castle-and-moat mentality. We built our networks, we put a stack of security devices there, keep putting more and more security devices there, and of course we have users traveling outside and they want to get back in the network, so we put a stack of security appliances in to let them get back in the network. We do the same thing for remote offices; we connect the remote offices and make our network even bigger, all right? And now a lot of us go, hey, no worries, I'm moving to AWS, I'm moving to Azure, I'll put my network stack in there. But yeah, what are you doing? You're putting the same security stack in there to protect your users going in and out, and all you've done is make your network footprint even bigger. And again, we're all guilty of this, we've been doing this for the past 15, 20 years.

So at the end of the day, if you really honestly approach it, you can't secure your network, you can't afford your network, you can't run it and grow it and scale it in an efficient manner, you really don't trust your network. You see the quote there from GE. He said, our network has morphed and grown over time to become essentially an unmanageable beast, all right? And that's the truth of what a lot of us have, because we have so many things, they've just gotten bigger and we keep adding tools and complexity to it. So it all begs the question: why do you still have one? Why are you still trying to look at the old world and the old ways of doing it? Saying, why do I still have a network? You know, it's kind of like this: if you ever travel to Florida, take a look at the sticker on any of their vending machines, and it basically tells you, if they don't have this sticker, call us. First of all, it's kind of hard. So why do you need a sticker to tell you, because you can't call about a vending machine problem? So why do you have to have the sticker? Because you just have to have one. That's how most people look at their networks, because someone told me I had to have a network, I had to make it bigger and give everyone access to it. I didn't do that again, sorry.

So at the end of the day, I don't need slides, right? At the end of the day we have more risk, more complexity, we have no easy way to secure users, all right? And so we have to really start thinking about different ways we can approach this, and this is where zero trust networking was born. So zero trust networking is a completely different approach, all right? Instead of making your network bigger, adding your remote sites to your network, we're gonna take a different approach and say no one is automatically trusted. So that's, again, the fundamental flaw that
we've all worked with over the past years: if they can get on your network, they're allowed to get to the applications. We must trust the thinking on the network; that means we're trusting that our NAC and our network segmentation and our ACLs and everything else are correct. But it's just not the reality in today's world, they've become so complex. So zero trust networking is about saying I'm only gonna allow a user after I've authorized who they are, done some type of posture checking, verified that they're actually a user, not stolen credentials, because they're on a valid machine, maybe even validated their location. Hey, this user, you know, we know that travel, you know, booked them on a flight to Singapore, so it's okay they're accessing it from Singapore, but this user wasn't, so even though their machine or their user passed credentials, they're not safe. So then you give them access to an application. So no more I'm on the network and I directly have access to applications. That's what zero trust networking is about.

What it really means at the end of the day, too, is that you now simplify your network design. Where your applications live just needs outbound internet access, where your users live just needs outbound internet access. They connect to some controller, could be in a cloud or it could be hosted somewhere private. That controller then makes a decision and says, based on who you are and based on posture, that you're able to get into that application. Now the cost savings alone on networking costs, MPLS, things of that nature, can make this very attractive to anyone. You say, wait, Ron, it's kind of the panacea, right? Well, yeah, but there's actually companies doing this. Google BeyondCorp has done it today, companies like GE have done it today, many others are on that path. And when you start thinking in that manner, it really reduces what you have. Now it's going to create a few other problems, but let's just review a few other important things that you want to think about when you're designing a zero trust network. One,
never put users on your corporate network, all right? They can only access applications if they're going through your software-defined perimeter, all right? Put all your application policies, or make them app-centric rather than network or layer 3 centric. If you make policies based on layer 3, you're depending on the network team to build out the ACL correctly, you're depending on the complexity being there, you're not overrunning your CPUs on equipment that's not meant to have that, and keeping up with all that and how things are designed, that someone didn't put an application where they shouldn't. But two, that doesn't mean you just put your applications on the internet. They should be completely dark to the Internet, all right? A user should only gain access to them because the software-defined perimeter allowed them to gain access. But we should allow the transport medium to get them there to be the internet, which is point number three, right? If we can make the Internet the transport, now all I need is a user to sit at home, sit at a Starbucks or a branch office, and guess what, they all look the same, all right? And that really simplifies my networking for my branch offices. All my branch offices now can be very cheaply connected sites that look very much like an internet cafe. I don't have to buy expensive maintenance contracts, I don't have to buy expensive MPLS links, I don't have to buy a lot of things. In fact you can buy some really low-end devices, and you could certainly use other things like SD-WAN and incorporate with it if you do have a few needs for traditional networking things like VoIP that you need to route back to the corporate office. That's fine, so it doesn't preclude anything like SD-WAN, but it says we're gonna use the internet as our transport. And then last but not least, you shouldn't depend on any network-based segmentation. This should all be at the app level. It should inherently say that this user or this group or whatever definition you want to make is what controls access, or who has access to that application, all right?

So all this should happen, by the way, transparently to an end user, because we want to make the end user process better. One of the biggest problems when people start extending their network and adding branch offices, adding lots of VPN concentrators, is the fact that at the end of the day user experience is bad. First of all, half of them don't even know how to fire up a VPN. Anyone here ever try to use a VPN on Gogo on a plane, by the way? That works well, right? So, and then a user spends the whole time struggling with it, they start revolting,
and that's the start of a lot of your shadow IT, because you haven't made it easy for your users. So we want to do something that allows the performance to work but yet makes it easy to manage and doesn't make our network that unmanageable beast.

So what are some of the things that you can do to start down this path? Number one, and you should know I'm being serious when I tell you this, because Zscaler has nothing to do with authentication: you need to get your authentication in order, all right? So authentication is a main tenet of zero trust security, or zero trust networking, and software-defined perimeters, because you need to prove who you are first. Once you prove who you are, then you can gain access to applications. So if you haven't already started this path, make sure you're cleaning up, getting to, you know, a good SAML-based provider, start integrating all of your SaaS-based apps into it as well, so you have one single source of truth of who is out there and what they're allowed to access.

So, two, what else can you do? You start with those nasty contractors. Man, I feel bad for Target, they've been the story of so many people's speeches for years because of the HVAC contractor you've all heard about. I realize if you start on a journey to zero trust networking that it is not going to be easy, it's not going to be something you may do overnight. So why not start with the guys that you don't want on your network at all in the first place? Make them start using zero trust networking. Then start discovering, start cataloging your applications so you can build out the appropriate policies, because again we want our policies to be app-centric, not layer 3, not network-centric, and to define what users can get to what applications.

And then three is, be prepared, expect your network team to hate you, right? You're threatening their jobs, because you just said I need to replace every site with an internet cafe, all right? In an internet cafe, do you need BGP and a bunch of chrome in Raleigh, right, and RTP? And I might be saying the wrong thing here, but do you need all these complex networking strategies? Now you need a device that can simply forward your traffic out to the Internet, all right, and an application on an endpoint potentially to help you with that software-defined perimeter and posture checking. So expect that you're gonna have a problem, don't underestimate it. This is the biggest area most people struggle with. They start throwing up all the different issues of why you can't do zero trust networking, because again, if you start down this path you are threatening the livelihood of a lot of people's jobs and what they do for a corporation. In the end, because you've simplified your network, which is one of the reasons why you've increased performance and why you've been able to then gain a lot better security around your applications. And see, you didn't even have to hear anything about Zscaler today. I did it all vendor-neutral. Any questions or comments from the audience?

Good, correct, yeah, great question. So for those who didn't hear the question, he says, you're assuming you have a user behind every endpoint; what do you do for things like phones and cameras that don't necessarily have a user behind them? And that's a great point. Those types of items typically don't need access to the network in the same way, either, or if
they do, it's a very separate network for that distinct purpose, and that's why zero trust networking providers should also work closely with all your different SD-WAN providers. That's where a lot of them come in. You're also seeing the advent of things like Skype for Business; it's a cloud-based controller, they just need access to the Internet. You don't actually have to have it communicate directly except for peer-to-peer direct phone conversations, and in those cases, again, you may have some type of SD-WAN or simple, even homegrown, VPN backhaul for an isolated network just for voice that no other application or user traffic is on. And that's typically how you deal with a lot of those IoT-type devices. Does that make sense?

Yeah, good question. Fair statement. It's a, but no, that's not what I'm saying to say as a result of it, yes.

Yeah, Project Jericho. So I can't say personally if any of our developers or any of our early thought leaders actually were involved or knew that. It's not something in our case with our company that has been mentioned. There's been a lot of things from our own customers as well as Google BeyondCorp as well as some things in the federal government that have been asking for this type of technology, and said, kind of just saying, boy, I wish I didn't have to have all these things. Help me, Zscaler, you know, imagine how I could accomplish this goal. And you know, Zscaler didn't start with zero trust networking. We started with protecting outbound internet access, and out of these conversations is what was born, and when they said, man, we're trying to stop the bad guys from, keeping mostly the end users from being infected, right, and then catch any outbound traffic when something is infected, whether it be an end user or some other point, but how could we prevent it and never make it happen, which is to separate it. And that's how it was born at Zscaler. So a little bit different background, but to answer your question directly, I have no clue if any of them had any involvement or knowledge of Project Jericho. Good question. Any other questions or comments? Go ahead, take it away.

The question is, how would you recommend securing a network from a teenager? Man, my kids are tough. [Music]
Yeah, so I still make my youngest kid slide their phone under the door at night. Yeah, nothing like a good old school, you can't have access to it. And you know, the Soup Nazi, no soup for you, you know, that works. I certainly, you can get any level of consumer devices today, and I want to see, though, and do things like shut off the Internet at night. That's where I start. And you know, I heard a comment back there, I'm not sure what it was, but yeah, I keep them off of it. I mean, look, kids are smart. I shared this story of my kid on Instagram using this chat because we blocked chat from them. They're gonna find a way around it. I mean, so are your users in your corporate network if they want to do something. So look, you should never forgo tackling Internet security, whether they're home users or corporate users. That means when users go to the internet you want to do everything from content filtering to AV scanning to SSL inspection, a lot of things I talked about. You know, at home that's gonna be harder to do all those things; at home you're gonna settle for some basic content filtering. Even Zscaler offers things in partnership with some of our OEMs, like Aero Wireless, where they use our Shift-based product for DNS-based security. It's a good start for a home user. There's no perfect answer for that. For a corporate user, again, you want to make sure you're doing all those things, because you don't want anyone to do credential stealing or harvesting, even if you've got that, a bad malware.
Yes, there's a question. Better. So just to make sure I understand the question correctly, you asked about layer 7 application-type firewalls and AV scanning, right, on the firewall, for things you're hosting internally and serving to the internet, or for users going outbound? So the inbound stuff is different. Most people don't, they're not going to do much of anything on the inbound side on a consumer-level device. It's too complex of a world, especially with SSL, and the average consumer's not gonna understand how to put their web server certificate on their firewall as well to do all those same things. For outbound, most definitely it's going to get better, but there's going to be limits. Again, try explaining to a home user how to set up man-in-the-middle SSL inspection and try to make sure they understand it doesn't work for their iPhone because they do cert pinning. It's going to be incredibly difficult to teach them how to do that and build exceptions. Even myself, I mean, that was one of the, I think, my points of talking about being difficult to secure your network and making it complex is the fact that I had to build so many exceptions when I ran all these network devices in my network, and security devices, that literally, I mean, I had ACLs and policy-based routing going on in my home network, and I had all kinds of stuff. And then I said, well, I have a guest network and I wanna make sure they can't get over to my other network where all my media files are at. And that was for five users, and so it's incredibly difficult. So yes, they're gonna get better, they're gonna do some of the things and they're gonna come with a lot of free services, but they're always going to be basic-level services that are easy to turn off from a consumer point of view. The worst thing you do is block something and break it rather than let them get infected. So it's a completely different mindset than corporate, and that's why iPhones and those types of devices have caused so much trouble for us, because we're trying to bring a device that's really designed in a consumer model into a corporate network and we've had to build exceptions, which again gets to the whole point that Lisa so eloquently pointed out for me, which is you cannot secure it, all right? Which is why you want to think about your applications differently and get them completely on a separate network, all right?

Am I about to get yanked? I see someone walking towards me. Is my time up? All right, go for it. Yep, so, good question. So the question was, a lot of our old applications, like 3270 terminal emulation, will this work in this zero trust model, or do you have
to really re-tech them? So every vendor's implementation of zero trust networking has its own nuances of how they work. In the case of Zscaler, it's gonna work with any IP-based protocol, all right? So I shouldn't say any, there's always exceptions, all right, but anything that's a client-initiated connection, all right, is gonna work. And so it's not limited to port 80 and 443, if that's what you're asking, typical HTTP, HTTPS. There are versions of that with a lot of vendors, and those are typically what people call browser-type access, and those don't require a client or an agent on the endpoint. If you want to get to anything that's above a browser, you're almost always going to have to have an agent on the endpoint accessing that application, because you're gonna have to have some type of shim in the network stack to forward traffic to it. Again, there are other things, like even active FTP is a great example of something that's very hard to make work in this model because there's a connection initiated by the server, and it's not quite the same as a firewall; you don't want an application layer gateway sitting on there to allow it to automatically open up a connection inbound. So there are a few apps that would fall into that category, but by and large most apps are going to work in this model. You know, VoIP, the question asked earlier, is another great example of something you don't want to send over a TLS tunnel because it's latency sensitive, and all these models are going to depend on some type of TLS or secure tunnel, and so you're gonna want to send that traffic raw and direct. But I guess if you're having a private conversation that might be a little scary, but you're already doing that today and sending it over all these public links. Yeah, yeah.

Yeah, and it really helps you when you start to implement it. Well, one of the really cool things about zero trust networking is gone is the day of a business division just turning on an application and people having access to it and IT not knowing about it, because for them to make it work for their users, if you've, again, the goal is a dark datacenter, no users directly connected to the network, they have no access to the application. So now, if you've adopted this model, any time the business unit adds an application it doesn't work until you add it to that list of applications and who's authorized to gain access to it. So it really solves a lot of problems and actually helps purchasing and everyone else along the way. Any other questions?

All right, awesome. I think last order of business, sorry, before your clock, I have to give away this Yeti that was at the Zscaler booth. It's the cards that were drawn, anyone who has a list, oh here it is, yes. All right, so first name on the list, Adam Noonan, and there's candy in it still. So all right, thank you everyone, have a great night. [Applause]
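The design points the talk lays out (no one is trusted just for being on the network, policy is per application rather than per subnet or ACL, identity is asserted by the IdP, device posture and location are checked, and an application that is not in the catalog stays dark) as an added example in Python that is not part of the talk and not any vendor's product code: a toy policy decision point of the kind a software-defined perimeter controller runs before brokering a user's connection to an application. Every application, group, user, country and travel record below is hypothetical and constructed for the example.

```python
# Added example (not from the talk, not vendor code): a toy policy decision
# point (PDP) for a software-defined perimeter controller. Every path that is
# not an explicit allow is a deny, so the controller never brokers the
# connection and the application stays dark. All names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """What the identity provider asserted about the user (e.g. from a SAML assertion)."""
    user: str
    groups: frozenset
    mfa: bool


@dataclass(frozen=True)
class Posture:
    """Device state as reported by the endpoint agent."""
    managed: bool
    disk_encrypted: bool
    av_current: bool


@dataclass(frozen=True)
class Request:
    identity: Identity
    posture: Posture
    country: str   # where the connection originates (ISO country code)
    app: str       # application the user is asking the controller to broker


@dataclass(frozen=True)
class AppPolicy:
    """App-centric rule: who may reach the app and what device state it needs.
    Deliberately no source IP, VLAN or ACL line anywhere in the rule."""
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed: bool = True


# Hypothetical application catalog: the list a business unit must be added to
# before a new app works at all.
CATALOG = {
    "erp": AppPolicy(allowed_groups=frozenset({"finance", "it-admins"})),
    "git": AppPolicy(allowed_groups=frozenset({"engineering"})),
    # Contractor-facing app: MFA still required, but an unmanaged device is OK.
    "hvac-portal": AppPolicy(allowed_groups=frozenset({"hvac-vendor"}),
                             require_managed=False),
}

HOME_COUNTRY = "US"
# Constructed sample of approved travel per user, as a travel system would feed it.
APPROVED_TRAVEL = {"alice": frozenset({"SG"})}


def decide(req, catalog=CATALOG, travel=APPROVED_TRAVEL):
    """Return (allowed, reason) for one brokered-connection request."""
    policy = catalog.get(req.app)
    if policy is None:
        # Unknown app: it stays dark. This is what makes shadow apps visible.
        return False, "app not in catalog"
    if not (req.identity.groups & policy.allowed_groups):
        return False, "user not in an authorized group"
    if policy.require_mfa and not req.identity.mfa:
        return False, "MFA required"
    if policy.require_managed and not req.posture.managed:
        return False, "unmanaged device"
    if policy.require_managed and not (req.posture.disk_encrypted
                                       and req.posture.av_current):
        return False, "device posture failed"
    approved = travel.get(req.identity.user, frozenset())
    if req.country != HOME_COUNTRY and req.country not in approved:
        # Valid credentials on a valid machine, but from a place the user
        # has no business being: still a deny.
        return False, "location not consistent with approved travel"
    return True, "allowed"


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"engineering"}), mfa=True)
    laptop = Posture(managed=True, disk_encrypted=True, av_current=True)
    for country, app in [("US", "git"), ("SG", "git"), ("DE", "git"), ("US", "wiki")]:
        print(country, app, decide(Request(alice, laptop, country, app)))
```

The point of the toy is what is absent: `decide` never looks at a source address, subnet or NAC posture of the network port, so a user at home, in a Starbucks or in a branch office is evaluated identically, and an app the business turned on without telling IT simply does not resolve to a policy.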