Zero Trust, Terrain, and Holding the High Ground

Presenters:

Transcript:

Finish up the day in this particular room, I believe. Holding you guys from either getting in traffic or staying for the final keynote here at the end of the day. But we do want to kind of share some time here about zero trust rain and holding the high ground with Clint and John. I'm going to let them introduce themselves because they've got a very interesting background, and I don't want to screw it up, so I figured I'd let them tell you about it.

Thanks, guys. Thank you. Hey, y'all. Thanks for coming. I'm John Kindervag. I'm the chief evangelist at Illumio. I'm best known as the creator of Zero trust. So we're going to talk about zero trust. We're going to talk about it in a little bit different way because I'm bringing in my good friend. This is Clint Bruce. Clint is a legend.

I mean, I'll just put it that way. He played football at the Naval Academy, and then he went and he played football in the NFL. And then he got a call and they said, hey, do you want to come and join the Navy Seals and play football? And he did. That's not exactly what they said. It's not it's not that question exactly.

Yeah. But so he's a former Navy Seal and and an advocate for veterans and has done a lot of amazing things. And, I've had the, you know, the pleasure of getting to know him over the last few years working with his foundation to help veterans. But he's also taught me a lot about how we can apply lessons in kinetic warfare to cyber warfare.

And that's what we're going to be talking about today, right? Yeah. So, we're I'm going to give you a quick introduction to zero Trust and what it looks like. This is the best visual. Metaphor I can give you. This is how the U.S. Secret Service protects the president. United States. This is a technique known as what?

Executive privilege protection. Yep. So you'll hear people talking about EPA executive protection. There's a lot of ways you've done it. You've done it. Clint trains, people like Secret service and, bodyguards. You've trained some bodyguards for some famous people, right? Yep, yep. And so, he's done some of this stuff in real life, and this is a good visual representation of what we're trying to do when we build zero trust environments.

So the first thing we do is we ask some questions. And these are the three questions that the Secret Service knows about the president of the United States, that we typically don't know about the data or assets we're protecting. First, they know who the president is, right? They know who the president is. And they they, they don't do presidential discovery projects, right.

They don't scan for the presidents. And we don't typically know that. So and then they know where the president is at all times. Do you think they ever go, hey, Clint, what happened to the president? We've lost him. Yeah. They they may ask at once. They'll ask it once. And then there's a new guy in that position the next day.

And then finally they know who should have access to the president at any given time. They're not very, they don't have a sense of humor about access control. No, I know it is a tough crowd. It is a tough crowd. Yeah. So you don't get to access the president of the United States unless you're specifically allowed to.

So these are the three questions you ask. Any are protecting anything. Data assets are the president of the United States. So the way it works here is, this is President Barack Obama's 2009 inauguration parade. And you can see that it did have a perimeter. Right. But notice the Secret Service agent at the at the top of the screen.

Those are uniformed Secret Service agents, and they have their hands in their pockets. They have hats on. Why? Because it's cold outside and they know they're not going to do any real protection. They're just there is security theater. The real protection is done at the bottom of the screen at what I call the protect surface. The protect surface is the fundamental concept of zero trust.

From a tactical perspective. What are you trying to protect? You cannot protect something if you don't know what you're protecting. Right. So, a lot of people are focusing on the attack surface, managing the attack surface, but that's like the universe, right? And it's constantly expanding, and there's no way to control it. So the way you solve the problem is you invert it, you invert the problem, turn it inside out, and you say, I'm going to focus on what I need to protect.

Not everything that's going to attack me. So on this day, there are four individuals in the protect surface the president, his wife and his two daughters. If at the end of the day, those four people are left alive, the Secret Service have done their job right. We were just talking about this because I was once on a, doing something with Vice President Al Gore, and I had a briefing with my Secret Service agent who was involved in where I was at, and he said, and this is the briefing, you'll get a kick out of this.

He held up a blue cordura bag and he said, in this bag is a machine gun. I'm only going to pull it out if I'm going to start shooting. If I start shooting, you lay down on the ground. If you get shot, that's your problem, not mine, right? Yeah, yeah. I mean simple, simple, simple instructions. Really not easy, but simple.

So, I learned that they weren't there, and we were talking about this a minute ago. They're not there to protect everybody in the environment. They're not there to protect everybody in Washington, DC. They're there to protect the people, the executives, whoever they're trying to protect. And that's what we've got to figure out. So, I want you to notice something here about the protect surface.

Right. Look at this. These Secret Service agents, they move themselves. They're adjacent to the thing they're trying to protect. Their as close as possible to the thing they're trying to protect. This defines a micro perimeter in policy and so that that that's where everything comes together. Everything is about policy. And we forget that we think about products.

But policy. Right? I mean, you're a former Navy Seal. You guys had to figure out what you were doing and why you were doing it, right. Yeah. Policy drives everything. Policy is the the line between action and words and where it meets the real world. So now they have a policy. They know who who can come in and go out.

But we don't do this in cyber security because we're so focused on products and not policy. But products only exist to enforce policy. We forget that. But we put our products on, the perimeter or on the endpoint, which are as far away as we could possibly put them from the thing we're trying to protect, which is totally insane, right?

Because when you're trying to protect somebody, you want to be as close as possible to them so that you can know where the attacks coming from. You have visibility, right? Yeah, yeah. You want to own the terrain. You want to own everything behind you. You want to understand everything, and you want to create the gap between you and the threat so you can move towards the gap without compromising your principle.

So proximity to the principle allows you to own the terrain as much as possible. So, so now, the Secret Service can, can stop what's called dwell time, right? We have this concept of dwell time because we have no visibility between the thing we're trying to protect and and the controls. Right. So zero trust because it has complete visibility, because it's focused on what we're trying to protect, eliminates the concept of dwell time.

You can't hide. It's that level of visibility that is so important and so now if you have that visibility now it comes down to who can have access to the president. And so we start with a default deny rule because policy is binary. All you can do is allow or deny there's no other choice in cybersecurity. So you either can have access or you can't have access.

So if you start with a default deny, then it makes it simple to create a policy. Because now you say who has to have access, to, to get their job done. So at this moment there's only two individuals, and I don't know why all the that's supposed to be over the top of their heads. It was when I uploaded it last night.

So, but, there's two agents who can transit outbound to the of the vehicle, which is the beast. The beast is not the protect surface. It's just transport. Right? It's the individuals. The thing you're trying to protect. You're not trying to protect the vehicle. You're trying to protect the people inside the vehicle, and you're going to protect them the same way.

Whether they're on Air Force One or walking a rope line. And so now, that's the only outbound rule, the only rule that exists. So if you try to come in and get access, look at the Secret Service agent at the bottom of the screen that's supposed to circle and supposed to be over his hands. It was last night when I uploaded it, but who knows?

He doesn't have his hand hat on. He doesn't have gloves on. It's not because it's warmer down there. It's because he has to be ready. And so if you try to get, access to the president, he is going to reject that, because underneath his coat, he has a control right where he is going to pretty violently reject that, that access he's going to he's going to influence better decision making.

And I like that influence better decision. So he's like, we're not telling you what do. We're just helping you make better decisions quickly. And for that quickly while your face is on the ground. Right. So, I've watched that happen to, so now this this is not where they stop, though, because they're going to continually monitor and update in real time.

They're going to look at out in the crowd, see that there's somebody sketchy, this guy in the white shirt. So they're going to say, hey take a look at him. That's threat intelligence. And they're going to be able to dynamically change how things work. And they're going to be able to dynamically change the policy. Just allow somebody to get in.

This is a zero trust model of executive protection. But this is how you protect anything. Data assets or the president of United States. So we're going to talk about that, here and talk about this and put some military context into it. So, Clint, talk talk about military theory because you went to the Naval Academy, proud graduate of the Naval Academy, naval seal.

Subscribe to our newsletter

You've seen a little bit of combat. And so how do you guys go about thinking about it and thinking about protection? We've got Frederick the Great. Yeah. No. You know, and I think this is one of the reasons I've always been attracted to and enjoyed the cyber landscape and in my career. And I grew up in this, in this kind of nexus in military where, you know, back when I first started with this very deliberate printing cycle, you had 96 hours, go do this, come back.

But then the speed to thread and the speed of target was happening so quickly, we had to start integrating some of our smarter, our cyber people so we could exploit intelligence real time and move on to the next target. And I saw in you all a lot of what I saw in us this kind of adventure spirit, this kind of rejection of normal normalcy, this ability to kind of navigate and uncertainty.

So so I've always enjoyed that. I've always been fascinated by your terrain. You in many ways, you're like the the explorers in the ocean goers back in the kind of the beginning of seafaring. For us, there's this thing called commanders in ten, and it drives everything. And it's the one thing we never forget while we're out. There is one thing we're there to do, and it's one thing everything deviates and pivots off of.

So for us, it's just like friend of the great said, if you try to hold everything, you hold nothing. But if you hold the one thing and you point all efforts toward holding that one thing, you got a chance. And that drives theory, that drives everything. This one thing, we will do this and no further. It's like Thermopylae with the Spartans.

The Alamo with a better outcome. In the real world. And, but, yeah, you got to know that one thing. And so too many people are trying to hold on to everything, and they end up holding on to nothing. Right. So that's what we're going to talk to you about today. What are you going to hold on to?

And so, Clint, a lot of people ask you, yeah. How about what's your favorite weapon? Yeah, I've heard you tell this story, I'm sure. So one of the questions I get asked all the time, I'm very fortunate in I'm in this kind of Forrest Gump in kind of person. I have a prevailing theory is just like, fail forward, stumble upwards and take notes.

That's kind of the way I've done everything on the maps I've lived on. And one of the questions I get asked all the time, in particular when I'm roomful of young men or an athletic team or something like that. Okay, what's your favorite gun? And it's a natural question. There's nothing really wrong with it. It was a question I probably asked me too, but I answer the question I want to answer.

For me, everything is a little bit of a teachable moment. And I go, hey, are you asking? My favorite gun is what my favorite weapon is. And the younger the AR, the faster we go. What's the same thing where the older the are, the more diverse and seasoned they are. Like you in this room. You'll kind of nod your head.

You mean as though you know there's a difference, even if you don't know what it is, and I will listen. A gun is a tool. A weapon is what I use to win, my friend. Weapon is a man. Because once I have a map of everything, I know where the bad guy will be. I know where to come in, what to bring with the leave, how to get home, and if I have a map.

The worst I'll ever be is wrong, but I won't be lost. And so for me, the most powerful weapon I can have is a map. Because I can figure everything else out. If I know where I am, where I'm supposed to, or who I'm taking with me, and where the unknowns are. You know, the UN, the known unknowns and the unknown unknowns.

That's what a map exists to kind of quantify a metric. So the map is my favorite tool. So the map is a very powerful tool. This is a map of Little Round Top at Gettysburg. We're going to talk about that in a minute. But I'm going to step out and we're going to talk about how you deploy zero trust.

And I'll tell you, you'll end up understanding why Clint is here today, because, you know, as the creator and the person who's deployed and worked on more zero trust environments than anybody else, I developed a simple five step model that if you follow it, you'll be successful. And if you don't, success, as they say, is not guaranteed.

And so the first step is to define the surface. We've already seen that we need to know what we're going to protect. People ask me all the time I bought product X, product Y, what do I do with it? And I'll ask, what are you trying to protect? And they'll say, well, we haven't thought about that yet. Well, you're going to fail when you don't know what you're trying to protect, but in order to know what you're trying to protect, you have to have visibility into it.

So I learned early on that I needed to understand what are the types of things I need to protect. And those are called data elements. And you can read about this. This is a common I created this acronym so that people could commonly understand it and talk about it. So it's in Disa guidance, the UN stack report NSA they'll talk about data elements.

It stands for data that's sensitive applications that use sensitive data assets that are sensitive I.T OT, IoT assets. Right. So your status systems in the oil and gas industry, that kind of thing, and then services, DNS stewardship, Active Directory, network time protocol. How many people spend any time thinking about protecting their network time follow protocol servers probably.

Oh you do. We got one guy who asks. There you go. And it's important everywhere. Because if somebody attacks your network time protocol server and your time is get out of sync, your whole network goes down, right. And so you take a single gas element and you put it into a single protect surface, and you build out your zero trust environment 1 to 1 at a time.

And then after that, the second step is to map the transaction flows. How does the system work together as a system? And after an event one time where he talked about his favorite weapon being a map, I said, Clint, if your favorite weapon is a map, then I think the people who make maps are pretty important, aren't they?

And your answer was, you know, the cartographers, everything, the cartographers, the person that you protect the most, they're the ones that war with uncertainty. They bring granularity out of nothingness. And they're the one that maps where you are, where you're going, and what stands between where you are and where you're going. So the cartographer at the beginning of any exploration or mission might be the most important person.

They're defining reality that you're going to have to work on. So typically we don't have maps available to us in cyberwar. And so we're not only lost, but we're wrong. Yeah. Automatically. Yeah, right. You're his favorite things. What he one of the things I tell people is like if you don't have them, if I don't have them, if I have a map, the worst I'll ever be is wrong.

If I have a map, the worst, all of it is wrong. But if I don't have a map, I'll be lost. And wrong and lost are different animals. I've been both. I've been wrong and I've been lost. I hate them both, but I hate loss more. Because of your lost. Any move could be wrong. But if you're wrong, it's just a matter of realizing it.

Remembering where you said you want to be, availing yourself to the wisdom of those who have been where you say you want to be. Those are there now, and the camaraderie of those want to get there as badly as you do, and then you just got to do the work right. But lost is terrifying. Wrong. Sometimes, you know, if you're wrong, you're just too early.

And I think that's one of the things you all have to wrestle with in your industry, and you're warring with uncertainty or the leading edge of uncertainty. The modern day explores in so many ways, and a lot of the people that you work for think you're wrong, but you know that you're just too early and you got to hold the line and you got to believe what you believe until they realize you're right.

And I've always appreciated that courage. But yeah, I will take wrong over lost any day, because sometimes I'm not wrong and I'm just early in wisdom. Let you know when you're early and you're not wrong. So maps win wars, good maps win wars. Bad maps lose wars. Right? So if you have an outdated map and a lot of wars, Vietnam was fought with, you know, you talked to I grew up in the Vietnam era, and you talked to people who fought in Vietnam, and they're using maps that the French made in the 50s.

And it's 20 years later and that thing doesn't exist anymore, and they're trying to find where they need to go. Afghanistan was like that. Afghanistan was like that. You're like, so that's a mountain, you know? Yeah. I mean, it's just it's when's the last time someone was there and and it was Alexander the Great made. Sure. Sure.

So, so so you got to know the map. And after you've done the map, that's when you can put the products. And that's the architecture. We always started with the architecture in the past, but we can't because everything that we architect has to be tailor made for the thing we're trying to protect. You see, when you are around a Secret Service detail, they walk into the room and they know where the president of, in my case, the vice president was going to be.

They knew that all the doors are exits. The protection was custom made for who they were protecting and the space that they were in the terrain. Correct. And so once we can do that, then we have to do the policy. What what's allowed to have access to the president or the vice president or the data or the asset, any element.

Those are the questions we have to ask because everything comes down to policy. Policy is everything, right. And I see so many, so much bad policy in our industry. And then finally we monitor and maintain so we can take all that learning, all that telemetry, and we can turn it into an antifragile system. So you may not be familiar yet with the concept of anti fragility.

It's a concept created by a man named Nassim Nicholas Taleb who wrote The Black Swan, but he talks about, you know, systems that are robust and systems that are fragile. And he says there's another system that goes beyond robust, goes beyond resilient. We say resilient all the time. But resilience, he will say, stays the same under attack, under load.

But antifragile gets better and better. And he uses the example of the human body. Right. So when you go to Vegas they say everything. Everything that happens in Vegas stays in Vegas. That's not true. All the extra weight you put on from drinking, you know, and eating at the big buffets, allegedly, allegedly that comes back with you.

Yeah. And so what do you have to do? You have to stretch your body out. You have to restrict calories. You have to work out however you do in a run. I know you don't run your buddy Goggins. You told me. He told me the other day. He said, I said, do you know David Goggins, who's a famous he says, I used to lift weights with him, but then he started running.

Yeah, he wanted to run. I was like, no, no, no. So, so but but that doesn't destroy your body. It makes it stronger as your body adapts to the stress. And we can do the same thing, using zero trust, and we can adapt to it. So let's talk about the Battle of Gettysburg a little bit. Because this is this kind of spurred it on.

I watched the movie Gettysburg. If you've never seen it, it's a it's a really interesting movie. And, Joshua Chamberlain is played by, Jeff Bridges or Jeff Daniels. Just Daniels and everywhere throughout the whole movie they're talking about. That's good ground, that's high ground. They're talking about the terrain and what's the impact of, of of Little Bighorn and what he did, I mean, in this little round, it is the crux.

It's the mayfly. It's, it's it's it's the Alamo. It's all these are the choke points. And if we hold this, we've got it in the got it can change. At Thermopylae they went over the marble. They knew that none of them were coming home. They didn't go to them. Apply to win. They go for the marbles to hold and preserve.

Preserve the civilization. And so winning can can look different. But but you always got to hold the high ground to do it. And for me, as a guy who's kind of dealt with loneliness and frustration, and when you're in adventure and explore young like you all are, you know, picking up says if you want to change the world, you got to be content to be thought foolish and and wise in your own time.

And only justified later. And that's what it must feel like to be you all, every day. And and so for me, the high ground, not only is it a strong point, it's a place where I find people who have in common because it's always hard to get to high ground. It's always hard to to stay on the high ground.

So I have a positional perspective of of of clarity, of confidence. And, and most things pivot on the presence of those three things. So when we look at, what I call cybersecurity cartography, this is a map. This is the aluminum map. I worked for a company called aluminum that does micro segmentation and breach containment. But I came here I chose to come here because of the map.

Right. Because I didn't I was tired of being wrong. And I was tired of being lost in my career. I needed a map. So step one define the surface. This is, a map of a of a customer, and you can see there there's a point of sale application. I'm a former qsa. Anybody else done qsa work a PC?

I work in the room. Nobody. Nobody. Wow. That's first time ever there haven't been people who do PCI. But that database, the fact that there's a database that tells me that data is credit card data, that's the thing I need to protect. And then I have the map. I can see everything that's coming and going. Right. I have complete visibility.

You can't hide. There's no such thing as dwell time because there's no place to hide. And then from there, I can architect it. Step three. Just by having the technology that orchestrates and creates the map begins my architectural process. And then step four, we write the policy. This is not first linear. We will processing like in the old firewall days.

This is using, graph databases. And so you can see here there's some red lines. That means it's explicitly blocked green lines explicitly allowed. And there's orange lines. That means you should be taken care of that you don't know why is that orange line connecting to your, protect surface. And so that tells you what you need to look at.

And so in a in if the policy is correct, you're only going to see red and green. Right. And so the map is super important. And this is cyber terrain. And so let's talk about the concept of terrain in the military and how we can apply that to cybersecurity. Yeah. So when we're doing and y'all know this and this is what's so fun for me I mean I don't know if y'all ever considered yourself warriors, but I can certainly I certainly do because you were dealing with uncertainty and bad actors.

By definition, that's a warrior, a man or a woman who puts themselves in a position between those they protect and uncertainty and bad actors. And so what you do, and we have to make the world simple. We have this warrior kind of ethos and mindset. And for me, there's two terrains. There's influence terrain and impact terrain. And some of this is kind of Marcus Aurelius and stoicism and influence terrain.

Yeah. Well, let me start with impact terrain. Impact terrain is everything that we control. We can put another layer there. We can have another access control port. We can we can make it cool. We can manipulate the environment. We can upgrade or downgrade or move. These are things we can manipulate and control that's impacting influence. Terrain is something we just have to be ready for.

We cannot influence the probability of it based on anything we do. Up in Dallas where I live, we live in Tornado Alley, right. And so we can do a bunch of things, but we can't limit the probability of a tornado. All we can do is be ready for it. And influence to influence terrain defines those things that we have to be ready for, that we can't influence probability of the actions, policy and decisions.

Impact. Rain is everything we can actually change and we can manipulate and we can control. So in your world you need to be focused on your impact terrain, aware of your influence terrain, but you can't control it. So people spend more time trying to focus on controlling the influence terrain. And that's why we see people doing, attack surface management technology, which isn't going to work because it's influence terrain.

Yeah. Impact terrain. I can control that. And what's the most important part of Pac terrain? It's the high ground. He has a place called the High Ground. That's where we hang out. We have social events. I get the honor to work with veterans, through them. My dad was a Korean War veteran, and so I have a soft spot for veterans who struggle to, transition into the normal world.

And so Clint has given me the opportunity to help some people, but talk about what is the high ground and why that's so important is the high ground is that that, like we said earlier, the high ground is a place, you know, to hold. It's the place you fight to, is the place you hold metaphorically or literally. It's the place that it'll all be okay if I can get there or to hold some other people can get there too.

Is he metaphorical or a literal kind of last stand, the place you're going to hold at all costs? Little Round top. In the Battle of Gettysburg, Joshua Chamberlain won a medal of honor because, they were whole. It was a hill, and the Confederates were coming up, and they had to hold it at all costs, because if they lose that, they're going to wipe out the entire army.

Meade's army. And so, in Alaska, a desperate moment. Chamberlain led a charge bayonet charge down the hill, which must have taken huge amounts of courage. I think about that. I have two of my great, great, great grandfathers who fought in Sherman's army and, the 33rd Indiana. How much courage to that take to just walk along and people are shooting at you, you know, you don't even get to hide behind things.

That took a lot of courage. It takes a lot of courage to do a charge, and it takes a lot of courage to hold the high ground. And it takes a lot of courage to do that in cybersecurity, to so talk about then the concept of things being bounded and how that can affect your psychology and how you you put your efforts, to cybersecurity or to kinetic warfare as well.

Yeah. The bounded things are, again, those things that we can govern, that we know that are critical to the ongoing effort. Right. So so for me, the high ground is really influenced and shaped by that which is bounded and that what you can control, I'm not totally sure if I'm answering your question. You are okay because you're lower than what I just told me, but I just put that on the screen.

It. Right. I also have concussions, and I was born in Arkansas, so yeah, it's kind of an uphill swim, honestly. Like, I'm trying to remember what I said last Tuesday. Yeah, right. So but again, there's a finite amount of stuff that you can control. Don't try to control the infinite. Try to control the finite. Yeah, that's what I meant.

That's what I meant by bounded like control that. Yeah. Yeah. So if you, you know, Thermopylae is a great example because they knew what they could control the pass of Thermopylae. Right. And they were trying to stop the Persians long enough to, for the Athenians to come in and get an army going and fight them back. But there was a problem at the Thermopylae.

What was the map problem? The goat trail. Yeah. They had a traitor and a goat trail. A traitor and a goat trail. Right. So in in a trusted insider who knew the back roads in and led the army around to the to the back end, and I guess everybody but one person was killed at Thermopylae. Yeah. And you hear about it is the 300.

I was doing deep research into this, getting ready for it. And there were, also 7000 thespians. There was 300 Spartans, 300 Spartans, 7000 thespians. So there were 7000 actors with them. Right? Right. So I was like, wow, amazing. No one else got that, I know. Yeah, okay, I'm with it. I was present thespian side of school.

It's no big deal. It's IRL best actors out there. It's real. But so, you know, but, the fact that they didn't know the map, they didn't know about that go trail led to their downfall. They could have held out even longer if they would have blocked that go trail. Right? Yeah. And so you got to know everything that's going on in your environment.

And the reason is, is because this is something you taught me. What is this? These words velocity to threat and speed to speed. Bad. This is something I think we learn in the special operations community, really from the cyber landscape. In the late 2000, late 1990s, early 2000s, the cyber world was becoming this mirror image of physical landscape for me.

I wrote this paper for the National Security Council when we were talking about the concept of convergence and how a physical and logical security, they're they're mirror images of each other and then. And that you can't look at one without the other. So we have to we have to co-locate these two kind of heads of state when it comes to that.

And so for me, one of the things I think is unique to your terrain, and I don't envy you at all. Is the speed too bad? Meaning how quickly can something go from idea to iteration to to to actual effect? Right. And and if there's nothing on the terrain that I've grown up and that mirrors what you all have to deal with.

Subscribe to our newsletter

And I don't know if this is a great analogy, but I think about kind of Tron and how Tron was so far ahead of its time and that it created this kind of mirror image of what actually happens when we look at a bad actor at some point in time, even in a lot in a logical terrain, there is a person sitting somewhere about to hit an inner button or click a mouse, and then it goes into the cyber world, and then it reemerges back out in the physical landscape.

And there's just nothing in my world that, rivals how quickly something can go from idea to iteration to affect like a dozen yards. And I think we learned that sense of urgency from your world, and it made us better. So I'm grateful for that. But that's what I mean by velocity of the threat and speed of that.

So our you know, one of the things he told me is our world, those things happen so much faster than in your. Yeah. And it's so asymmetric. I mean, I've never very rarely in my landscape you run executive protection in the special operations worlds. And have we dealt with such an asymmetric threat scenario? The reality is you have one person.

I mean, Aaron Turner. I remember when Aaron Turner and I talking in 2000 about the concept of hacking the grid and, and some of these other things, and the emerge of the cyber is a terrain is created the most asymmetric threat scenario the world has ever seen. There's never been a scenario where one person with resources, capability and intent can war effectively with a sovereign nation.

And so not only is it the fastest train in the world, it's the most asymmetric train in the world. That's why I love knowing you guys. There's something like that. And the rules of engagement are massively asymmetrical. If there are rules there, the rules are only kind of governed by limitations of technology. But. But in your world. Right.

You know, if somebody's shooting at you, you get to shoot back, right. Well, sometimes you have to tell them to stop. Okay. But and then they like stop. No. Okay. And then you just kind of okay. What. Right. Didn't shot at sucks. Especially when you're my size. You can't hide behind anything. You might. You jump behind a tree and there's like, oh, there's these guys are hiding behind you.

I'm like, don't hide. I'm not cover. I'm a man, right? I yeah, well, I'm sure they'd say differently. It's but in, in corporate world you can't shoot back, right? I've had a lot of people who want to do offensive security. I want to attack those people who attack me. That's illegal. You're not allowed to do that, right?

Yeah, the government maybe does some of that, but even that we try to limit because the deployment consequences are huge. So we're, we're we're really strained and constrained into a fully defensive posture, not an offensive posture. We can't go out and necessarily attack the bad guys. We the FBI will will say, here's we've indicted these five generals from North Korea for hacking.

Well, okay, that's just yeah, no, they're not going to go to North Korea and walk in and knock on their door and arrest them. That's not going to happen. So again, for us, we have to be in this very defensive and preventive posture. And that's what zero trust is going to give you. Because you're going to understand what not only what the threat is, but more importantly, what you need to protect.

And so the people who do a lot of zero trust, her boss is my old colleague Dmitri right here, her boss, Liliane Koning, out of the Netherlands, who you taught to shoot? Yeah, the first time. Yeah. And he talked to Niko the dog. Yeah. So there was a there's a all. All, military dogs have commands in Dutch.

Yeah, right. And you and you really should know those like, it's it's important. Yeah. Because when you say stop to them in not Dutch, they don't stop. It's terrifying. Yeah. So so he was there and talking in Dutch and Nico was like, oh one of my people. And so they had a lovely conversation, the dog and the cyber guy.

But one of the things that he and I were talking about is the more you do zero trust, the less you have to worry about the threats, because the threats don't have a policy statement that allows the threat to be successful. So all bad things happen inside of an allow rule. If a bad thing happens inside your world, there is a policy statement that allowed it somewhere.

So you're not a victim of cybercrime. At best, you're an unwitting coconspirator because you had bad policy, right? I was with a, giving a speech with the CSO of a big major bank. I won't say the name of the bank, even though he publicly gave this speech, but on his first day of CSO, they asked him to, approve a firewall rule change, and.

Okay, well, I'm. I don't know anything about the environment yet, but I'll look at it. And it was for a checkpoint firewall. And, you know, I've installed a lot of checkpoints and they're all linear first hit rules. And he said, oh, I guess it looks okay, but let me see the smart center, let me see the management console.

So they brought it up on the zoom and they said, he kept going, scroll up, scroll up. And they were kind of reluctant to keep scrolling up to to the top. And they finally got to the top. And hey, guess what? The first rule in the firewall was? Any any allowed. Absolutely. There was no firewall. What you have to understand is a firewall is not a piece of technology.

A firewall is a policy. Think of every rule as its own firewall. Right. And so they had, a multimillion dollar, environment that allowed every piece of traffic to come through. Right? So there was no control. And so the time to deploy ransomware on average is four hours. How quickly can you stop that? Right. The time to move laterally and break out 48 minutes.

And the fastest, breakout time we've seen is 51 seconds. This is why we have to automate. This is where AI is going to come in. This is the automation is so important. I like to quote the movie The Imitation Game about breaking the Nazi Enigma code. I got to give this speech about that up in Bletchley Park earlier this year.

And in that movie, The Imitation Game, Alan Turing, the character of Alan Turing. And I don't know if he ever said this, but in the movie he did. He said, what if only a machine can defeat another machine? That's what we can do. We can build the machines. That defeats the machine, right? We aren't relying on human beings.

We can make the machines do it. And so that's what we're kind of trying to do. So we're going to take some questions here. But in the meantime there's Clint in his Navy glory. Look at that. Destroying two people. That's called the power Billy is what that one's called. Yeah. And warrior way, MVP of the 1996, Aloha Bowl.

Big beat. Cal. Yeah. Hey! Whoo hoo! Hall of Fame, naval academy. Athletically not. Not academically. Academically a I always tell people my my career at the Naval Academy is marked by athletic achievement. And academic achievement is kind of an arbitrage. Hey. Well, you know, George Pickett finished last. They call me insane. Oh, my whole deal is I'm an economics guy.

Adam Smith, free markets. And and I knew very quickly that I was not going to be the valedictorian of the class of 97 at the Naval Academy. And I hate mediocrity. And you get a dollar if you finish last for everybody. So I was strategic dive towards the bottom, and almost made it 925 out of 937 and, which, you know, not something my mom's not real proud of that.

But one of the things I do want to say, I love what you just said. And at some point in time, we got to do the hard stuff because of our own personal integrity, core values and ethos. And one of the things I used to always tell guys and I tell myself was like, I will not be complicit via complacency.

Complicity via complacency is you are as responsible, right? And I think the one thing that's fascinating about you, and again, it's why I love this community so much. And I think it's so neat. And I love learning from you. As in any day, if you're really good at your job, until people terms like, we're bad guys, we're just your bad guys.

I mean, especially when I'm a bad guy, I'm just you're a bad guy, right? And I think your ability to have that adversarial mindset, to think like the enemy, to be the photo negative, move fluidly between the righteous and the non righteous and ingrain those. That's what makes you special, different. That's why you're here. And I think if you're if we're pros, we have to hold ourselves accountable to not being complicit through complacency, if that makes sense.

It does. And we got some time for questions. Right. Yeah. I would love to take questions. Yeah. Let's have some questions. Oh, and by the way says Linux Linux versus I don't know I kind of like Linux. There you go. Yeah I want you to talk about like I said, I don't list all that's the Charlie Brown, right.

Yeah. The the movie, the that's Linus. Yeah. I'm sorry. No. Oh, and by the way, on the space thing, I, you know, because I've had a chat. It's right out there. I got to spend a day with Scott Carpenter. I've worked with Jim Lovell, I've worked with Gene Kranz. But you now this guy has the connection with, with with the astronaut world.

So tell about some of the. Because you introduce me to the world's greatest overachievers. I've never walked in a room in and had the impression that I was the smartest person, like, I. I walked in here, I was like, I'm. If I'm the dumbest person in this room right now. And that's why I need all of y'all. Because I need a lot of help.

But every once in a while in the Seal teams, you're you're surrounded by these. You're they're surrounded by gifted people are grinders. Right? That's really the two people that make it. You're people that are gifted, that know how to grind, and you have people that aren't gifted at all. They just know how to grind. Right. And I'm I'm a firm member of the grind community, and a lot of my friends are beautiful.

And, you know, and I get their Christmas cards and their Christmas card looks like a J crew red like he's handsome, his wife's handsome, his kids are beautiful. My Christmas cards looks like a wanted poster. Like for women. Last seen large, ugly, bearded guy. And, it's really bad. But but Chris Cassidy, who's Naval Academy grad, Navy CEO, he's my task unit commander of the days after 911.

Subscribe to our newsletter

And then he came to NASA. Not only is he an astronaut, he was a chief astronaut for 18 years. Right. And then Johnny comes up in space. Right now, he's a remarkable person. And, I think my singular gift is 11. I'm not afraid to surround myself with people better than me and just try to keep up. And it served me well.

And and it's it's allowed me to have relationship with some of these nascent and ask people, some of the folks on the flight control center came up, spend some time with us. And that's why I'm here. I love being around pros like you who know what terrain that I don't. And I just kind of pick up the breadcrumbs.

I'll use nine words that I heard today at home later when I get home, I'll be like, you know, babe, you know, the, you know, the time stamp thing that was there when you raised your hand on. I'll be like, yeah, that, you know, the that time thing. And she's like, you don't know, like the tannins on this wine or like you just read the bottle like, so like and but yeah.

So, so questions. So we work with the I work with the High Ground Foundation. Just one quick shout out if you want to donate. This is a nonprofit. The, on average 22 veterans of the global war of terror kill themselves every single day. Every day. Right? So every day I've lost one of my friends to suicide than I have to combat in training.

It's heartbreaking. It's tragic. And there's. And we can stop it. We can stop it by helping people come from the, the preamble, the maps. One of the things I tell people, I go, hey, listen, I've lived on four maps, and all of us have our own versions of this. This isn't mine. And I'm fascinated by yours.

But the way I describe my life is I've lived on the ball field, the battlefield, the boardroom and the breakfast table. You know, the ball field. I grew up playing football. I played football in high school. College, played in the NFL. No one knows that because I played the same position as Ray Lewis at the Baltimore Ravens. He's he's he's all right.

He's pretty good. I remember being at practice one day going, it might be easy to become a Navy Seal and beat out Ray Lewis. And it was I did. So I left and, then the battlefield, I was, I was a member of the military. Then the boardroom is the season we're all on now. The breakfast table.

We're born on the breakfast table. Sometimes. That's great. Sometimes it could be better. And then we build one. Right? But I tell people, and I've told John this before us is the most lonely and scared I've ever felt in my entire life is when I left the ball on the battlefield and came to the boardroom. Because on the battlefield, in the battlefield, it's simple, but it's not easy.

Like there's no mystery where the high ground is on the ball field, the battlefield, you know where it is. They sign up and oh, do you know where it is? There's an ecosystem and infrastructure that exists to get you as high and as far as you're willing to go. But for me, the boardroom was much more different. The meritocracy didn't seem to abide as much here.

And I didn't step into a process and an infrastructure and a system that that that wanted me to go further than I would by myself. And it was the most lonely and scared I've ever been. And then I just kind of remembered, I mean, I remember, I remember I was having a particularly dark day as a young father.

I don't have a father and father died, and I was when I was young and and the one thing I never wanted to fail at was, was being a dad. And I felt like I'd failed at that. And, and I was just kind of examining, looking at the past for, for some hope for the future. And, and I kind of remember that the way you get to the high ground is always the same.

You just kind of find a for all the right people at the right places. You've become your version. What you love about them. And that's what we've all done. We're all aggregates, all the rights out of an equal sign. And so for me, the high ground became this thing that I'm trying to get to. And and it's one of the reason I started businesses, because it allows me to be around and learn from people I want to be around and learn from, regardless of what the domain of expertise is.

I guess there's so much I want to learn from you. And for me, being a business guy allows me to go away. What a shiny that I know how to do so I can earn the right to ask the question that makes me feel dumb. And so the high ground is just a system that allows us to do that.

It's we have programs like the 21 and UN fellows. And what we'll do if you're a if you're a veteran, all you want to do is go back home and teach and coach. If you want to go back home with a teaching coach, but you're school district because you're from a middle small town can't afford, you say you're making 65,000 years a sergeant, Marine Corps and all you want to do is go back to your small town in East Texas and teach and coach, and they can pay you 50.

Well, we're going to find a way to pay you what you made in the military, and you're going to earn it. But I know you're going to be better going home knowing what you did that day. We're going to invest in you and invest in the generations of your hometown and the regions, your hometown. And and so it's awesome.

I, I think when men and women are purposeful and they go home and know what they did that day, they just are the better versions of themselves. And so and so you guys are all cyber warriors. General John Davis, who stood up what became Cyber Command after. Do you know that? Sure. Yeah. I mean, the seed of cyber is Naval Academy.

We've got a whole cyber warfare building. They, they let me go towards it. I can't go in it. They won't let me go in it. But I've touched they weren't looking the other day and I touched one of the codes and I believe. But you know cyber cyber is a big thing at Navy. So General Davis told me one time, because he, he he couldn't be a he was a Green Beret and he couldn't do that anymore.

So they moved in into cyber and and then he did the same thing, found the smart people. And then he hired them to run this thing. Right. Because he knew how to fight kinetically, but not electronically. But one time he put his arm around me at an event and he leaned over and he said, John, I've already fought my wars.

You go out and fight yours. And so that's the message to you. You go out and fight your wars. You're fighting a war. You are right. And, and and it's a harder war in many ways. And and the consequences to all of humanity, you know, are amazing. And what we're seeing now, the convergence where drones that are preprogrammed using GPS and you can't jam them.

And how are we going to take them down? It's a crazy world. So this is the first time we have not had as a part of the American military. This is the first time we we have not had air superiority. That all kind of warfare history we have had. We've enjoyed air superiority as a ground fighter, and we still have it from 1000ft up, but 1000ft down.

We don't have air superiority anymore. And that's a technical thing, right. And and so, you know, yeah, I mean, y'all, you know, put yourselves between good and harm every day. And I love being around people that are willing to do that. So questions anybody. Yes. In the back. Yeah. So and I think I've seen some books from you where you kind of become disillusioned with the zero trust because it's like installed on a, I wouldn't say disillusioned.

I'm just trying to educate that this is not a product. Right. So like, we can do better to help the journey and, and maturation process and not just, you know, something going so well, if the vendors will, will quit trying to redefine zero trust based upon the product that they sell, that would be great. There's a role for their product in a zero trust environment.

But you can't say, buy my product and you will be all zero. Trust me, I would never say that about any of the places I worked and all of the I only choose to work at places that advance the zero trust thing. But but in general, people are starting to move down the towards the same North star. And and you know, I keep doing this and keep grinding to keep help that people be on that path because sometimes their maps are a little screwed up.

Right. And, and we all got to make money. We understand that, you know, free markets, Adams Square we got we all got to do that. But there's a way to do it with integrity and there's a way to do it that helps people. And so that's my mission. So I'm mission driven. And my mission is to make the world safer just a little bit every single day.