
Emerging Cybersecurity Risks

Emerging Cyber Risks and Zero Trust with Paul Miller, Zero Trust Architecture Expert at Appian Logic

👉 Zero Trust and How it Works

👉 Is there a national cybersecurity document?

👉 How can companies overcome the legacy lag while implementing zero trust?


Welcome to this episode of the Emerging Cyber Risk podcast, brought to you by Ignyte and Secure Robotics, where we share our expertise on cyber risk and AI to help you prepare for the risk management of emerging technologies. We are your hosts, Max Aulakh and Joel Yonts. Our guest today is Paul Miller, Zero Trust Architecture Expert at Appian Logic, a management consulting and IT security company.

Topics we discuss:

  • We unpack zero trust and ZTNA security architecture
  • What is being done to develop a national cybersecurity document?
  • Driving awareness and change on cybersecurity at companies
  • Overcoming the legacy lag at companies while adopting zero trust

 

Paul Miller Bio:

Paul is a thought leader in cybersecurity with over twenty-eight years of experience across companies and institutions like Northrop Grumman Corporation and MIT Lincoln Laboratory. Paul provides leadership for cybersecurity, compliance, and strategic planning and has extensive experience in all aspects of cybersecurity. He has been the System Architecture, Security Integration, and Secure by Design lead on various projects in both IT and products. He is an expert in implementing zero trust and ZTNA security architecture.

Paul Miller on LinkedIn

Appian Logic Website

Max Aulakh Bio:

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website

 

Joel Yonts Bio:

Joel is CEO & Research Scientist at Secure Robotics and the Chief Research Officer & Strategist at Malicious Streams. Joel is a Security Strategist, innovator, advisor, and seasoned security executive with a passion for information security research. He has over 25 years of diverse Information Technology experience with an emphasis on Cybersecurity. Joel is also an accomplished speaker, writer, and software developer with research interests in enterprise security, digital forensics, artificial intelligence, and robotic & IoT systems.

Joel Yonts on LinkedIn

Secure Robotics Website

Malicious Streams Website

Resources
LPARs
COBOL

Intro: 00:03.810 Welcome to Emerging Cyber Risk, a podcast by Ignyte and Secure Robotics. We share our expertise on cyber risk and artificial intelligence to help you prepare for risk management of emerging technologies. We’re your hosts, Max Aulakh.

Joel: 00:18.042 And Joel Yonts. Join us as we dive into the development of AI, evolution in cybersecurity, and other topics driving change in the cyber risk outlook.

 

Max: 00:27.690 Paul, thank you so much for joining us today on this podcast about emerging cyber risks. Paul, with me, I have Joel, who’s my co-host. So with that, Paul, tell us your story, man. Tell us a little bit about yourself, your background, and just give us a little bit of insight into what goes on in Paul’s mind.

 

Paul: 00:47.070 Sure. So I’m currently working with various agencies, the government, to implement Zero Trust, mostly in the architecture, but I’ll do some PM work as well. My background, I started in high school doing audits. I actually did call detail reports back when telephone fraud was the big concern of the day. Actually caught a couple of people. So that got me spawned into this, but been in it since I was a kid, held various jobs. Cyber was always the one thing that you had to worry about. You could architect, engineer the greatest systems in the world. But one hacker comes along, finds the flaw, and tears apart your stuff. When the DoD started concentrating on it, especially the early days before it was given CMMC and it was DFARS clauses, I was the person responsible for that. At Northrop Grumman, I had five divisions at the time. We had most of those implemented. We had actually written our own frameworks, so we had worked heavily with their pen test team, so we developed all kinds of countermeasures. So I was sort of like, CMMC, this is a joke. This stuff’s easy. I got an award for best Cyber, and I literally told it in front of 150 people that I guess we suck less than the rest, because I don’t think we’re doing very well. So fast forward. I got sucked into doing missile defense robotics programs, autonomous vehicles, underwater autonomous vehicles, bomb disposal robots. I worked for the telco industry doing Cyber for 800 number directory. I worked at Lincoln Labs as the Cyber Compliance and Cybersecurity Manager. We had 700 active programs, 4500 users, and 35,000 systems. So I’ve seen a litany, I think, and I’ve seen enough things over the last few years. I’m sort of enjoying the idea of being more of a consultant and advisor than having to sit up at night waiting for the phone call that says I think that kind of drives the history, though.

 

Joel: 02:48.440 So you’re not a noob, what are you trying to tell us?

 

Paul: 02:51.016 No. Yeah, I’m an old dog. Awesome.

 

Max: 02:55.240 Ah, cool, man. So that’s fantastic. I think a lot of your experience, Paul, Northrop Grumman and within the defense industry is key for where security is headed. Right. Usually the government is trying to get in front of all of these things. And I know you’ve been working on zero trust and those kinds of things. But before we get into that, Paul, what are some of your core beliefs on what you believe? Like, where are we going as a career field? Right. What’s next for cybersecurity?

 

Paul: 03:26.250 It’s interesting. So you look at some of the studies and it’s 8% of the global GDP is the cost of cyber right now. The spend rate is almost catching up on cyber as it is with defense contracting globally. If you look at the defense spend of every nation, it’s about 2.1 trillion dollars. And cyber spending is about 1.75 trillion. Wow. So I think the idea is now is not so much you’re going to prevent them, but you want to frustrate and fatigue the attackers. Let them move on to easier targets. Let the cost go so high that there’s no easy attempt at attacking. And I think it’s going to be interesting. I think AI is going to drive a lot of that future. We could talk about zero trust, we could talk about good architecture. But even when you look at some of the DARPA research programs on AI, I think there’s just so much opportunity there to drive capabilities. Not just automation and machine learning, but just take it to the next level of how do I respond to threats in real time? Using writing code just in time to remediate a vulnerability that you see actively exploited in the wild. I’m not sure we’ll get there soon, but I think it’s coming.

 

Max: 04:41.644 Yeah. I had no idea we were spending that much. Sorry, Joel. Go ahead.

 

Joel: 04:45.644  No, I think I was going to pick up on the exact thread. I remember talking to executives. I don’t know how many years ago now it’s all running together, but it’s a few years back and there was starting to be this thought that says maybe it’s just better to not spend on security and we’ll just take the penalty. Right. But what we realized is the penalty just keeps going up. Attackers get better and better at making you pay for it, either through the ransomware that was before the ransomware era really kind of kicked in, but weaponization of this stuff. And as AI moves in, it’s only going to get more costly. So that spend gets justified, I think, every year, but it keeps going up still.

 

Paul: 05:25.210 It’s interesting. I saw a stat that said, the first ransomware using Bitcoin or cryptocurrency was 2018. And it’s sort of fascinating to see. And I always struggle. It’s a good investment, but if they ever pull the plug on cybercrime and somehow actually can shut those things down, there goes cryptocurrency. To me, it’s not such a fad, but yeah, I think there’s lots of different ways we have to skin this problem and skin the cat, so to speak. But I think the spending rate is not ending because even though we spent lots of money, the problem is only continuing to get worse. Absolutely.

 

Max: 06:02.564 Yeah. We have really yet to figure out this whole notion of return on investment, which we could do a whole podcast on. But yeah, Paul, I think what I’m interested in is this, Department of Defense and the government in general talking about Zero Trust and ZTNA. You hear all of these buzzwords and everybody talking about zero trust. What does it mean to you? What is zero trust and ZTNA? And can you share a little bit of some of the things you’ve been working on when it comes to those types of concepts?

 

Paul: 06:32.950 I think you start with the assumed breach mentality, right. And I think that’s the real big game changer. The focus layer defense, the comment, how many layers does it take? How many more do I need to add before we stop getting hacked? Can I even detect it? Right? So we focus on protection. I think zero trust focuses on integration, which is a big challenge and a game changer. A lot of the cyber programs have been very siloed, they’re not very integrated. So I think the first step is you have to bring the assumed breach mentality to the game that’ll drive a different understanding. You start moving into detection and response and remediation, and you start looking at it there. And then you start bringing the capabilities together, integrating them. So, Max, I don’t build a control that lives on an island, and if that control fails, I don’t set off all the alerts and remove your access. And I think that’s the big changer with zero trust. I think the other thing that we talk about is we don’t even have a name for traditional networks. But I remember doing networking in 1991, 92, you plugged an Ethernet card in, you might have enough memory to run an antivirus program. Then you had to configure every level of the stack, or the two devices couldn’t even talk to each other. So you built the networks to make it easier to connect machines. Now that they’re simplified, standardized, you have one set of standard protocols that almost everybody uses now. I think you start moving towards removing the implicit trust that you were forced to use in the early days of the network.

 

Max: 08:13.622 Yeah, I think Paul, some of these things, we’ve been talking about it for many years as professionals, right? This common terminology of defense in depth, layered defense, adding more, how many licks does it take to get to the center of the Tootsie Pop? Right. Adding more stuff to it?

 

Paul: 08:31.160 Yeah, for the younger audience, that’s.

 

Max: 08:36.890 What came to mind, right? Like, oh, okay, I just got to keep doing this. Right. But I’m sure you’ve read the DoD’s strategy that just got posted, like, not too long ago, right? So they’re saying, this is not going to happen, or we’re on this journey till, like, another decade. Right? Till 2032 and all that stuff. Are there fundamental shifts happening in thinking? And what are some of those fundamental shifts? Because I feel like as cybersecurity professionals, leaders, we’ve been talking about this for quite some time, and we’re just starting to see, like, a formal national document that’s somewhat laying it out. Right?

 

Paul: 09:14.468 Yeah. OMB 22-09. And I always forget the executive order, 14028 or something, those two that drove the implementation. You have NIST 800-207. Right. And I think that sort of builds, but it’s not a framework in, like you have RMF 800-53. They’re very set. Thou shalt do these things. Problem with RMF is you also say, okay, but you don’t have to do them under these. Um, you can make exceptions. And then it’s, how do you measure the cumulative risk of all the exceptions? On top of that? RMF overall is a fairly good standard to follow. Zero trust is really you have to understand your protected surface. I think people are starting to move towards that. You see, every agency has a data officer or a chief data officer. So you see the move to really understand your data, know what kind of data exists on your network to really centralize it, move to more cloud focused. There’s a big push between Zscaler, Cloudflare, Netskope, and Palo Alto to really grab a hold of that ZT network access. And I think a lot of people have gravitated. That’s kind of an easy win. It’s a big user experience win. But then it’s, how do I implement the additional controls as I move forward? And how do I integrate the capabilities? How do I build awareness, how do I shift the culture? So the agencies I see I’ve worked with one agency. I have to leave it nameless, but they’ve been at it for two years. I’ve talked to a couple of other agencies. They’ve got pieces of the puzzle. The challenge is, right, how do you find the big picture guy?

 

Max: 10:51.632 Yeah.

 

Paul: 10:52.080 And so everybody was required to return to their solutions architecture. Last year, one of the agencies I worked with, we got very positive actually, it was CISA, referred to as refreshing. And I think we had a good approach to it. But at the end of the day, a lot of people are trying hard, and some agencies, they’re top down. Thou shalt do this. Everyone does this. Other agencies may be more communal. They may want more input from the users. There’s more buy-in required, there’s competing priorities. So I think it’s sort of a lot of the challenges that any organization would have. But you definitely see it’s fun to get to witness a lot of the drive towards building more security. Nobody ever challenges the idea that we need security. I don’t care. I just want to make a profit. I had one CEO tell me that I don’t care if they steal our code. Maybe the hackers can fix it. You don’t hear that in any, um, agency in the government.

 

Joel: 11:51.570 I’m sure that wasn’t on the record, though.

 

Paul: 11:51.570 Oh, no. When he said that I was on the record.

 

Joel: 11:58.550 All right. Yeah.

 

Paul: 12:00.648 I presented to the board of Directors the company no longer exists. I can say it, but the CEO had said at a board meeting I had suggested revamp our whole cyber program, and he informed me that he thought it was a great idea, but he didn’t care.

 

Joel: 12:13.900 Is that the reason it no longer exists?

 

Max: 12:18.570 Curious about that, too. Like, what happened, man?

 

Paul: 12:21.804 We spent a lot of money putting out fires. I got really good at incident response. You could do that in your 30s. It’s no problem carrying a bag around and flying for three straight days in seven cities to put out an incident. But once you hit your fifties, it takes a day to recover from flying.

 

Joel: 12:38.266 I’ve done my fair share of IR, too. And it sounds all exotic because you’re flying around, but it’s some back office in the middle of Kansas. It’s not like the Las Vegas strip. Right? Yeah.

 

Paul: 12:49.992 Even if I remember someone asked me how Florida was, I’m like, I never saw the sunny side or the outside.

 

Max: 12:55.430 Yeah. I just went to Destin and yeah, I thought, hey, I’d go to the beach. And it was like eight to twelve, midnight, 8:00 a.m. to midnight in front of a computer screen. And leave the hotel room when it’s dark and come in when it’s dark.

 

Paul: 13:09.130 Yeah. Sleep on the plane is what we often even did. I mean, again, when you’re 33, you could do that, but it’s not good for a company to have to staff up to run around, put fires out. But as you said, the reason the company doesn’t exist, I think there were a lot of bad choices made, but great experience.

 

Max: 13:26.388 Yeah. So, Paul, I think at least from the outside perspective, right. Being in the government as an airman, as an Air Force guy, many years ago, 15 years ago, when you’re there, you’re like, man, this is slow, this is so slow. But then when you look at it from the outside, ten years later, everybody’s talking about it. Cybercom, NSA. Everybody’s talking about Zero trust. Right. We know that some big change needs to happen. We know that, like, we, as the whole community, everybody understands that whatever we’re doing is not working. Right?

 

Paul: 13:57.580 Yeah.

 

Max: 13:57.980 So for the agencies where you have had some progress, what is causing that shift in mind? Right. What drives that?

 

Paul: 14:05.888 To some degree, I think the awareness, especially with a lot of people coming out of the Air Force, and the Air Force, they had a very good zero trust program. I’m not sure where it’s at. Now, you had guys like Nick Schelane, who was a tornado of sorts. I don’t know him. I have friends that know him, and he’s a force. From what I’m told, you have some people who will really drive change, and they’re hard to argue with. I don’t think people who work for the government don’t care. I think they really do recognize the problem, and I think there’s passion for what they do. I see a lot of people, they get up, they want to do very well, and I think that drives a lot of that, especially when you get support, when you have an executive order and OMB and leadership wants to be successful. I think everyone’s afraid at the government level, there’s enough experience being compromised. I always say a good cyber program starts when you’ve had a major compromise. That’s usually the thing that scares management into never wanting to see that again. And I think the governments experience it more so than anybody else, especially the Air Force. I forget how many times a day they have compromises.

 

Max: 15:15.054 Yeah. Just looking across. But on the commercial side, Joel, we kind of face the same challenges where the organization knows there’s something that needs to happen, but what sparks that transformational change? On the government side, it might be a special SES that they bring in to yell at everybody.

 

Joel: 15:34.490 Picking up on what you said the correlation is. And I wonder about, on the public side, if it’s similar. But in the private world, the biggest problem is these pockets of legacy technologies, these heterogeneous environments where you’re trying to connect all these different systems, and some of them are ancient, especially in the bigger companies that have gone through M&A. And so that becomes a challenge that no matter how somebody wants to put force behind it and focus, there’s all these dependencies out there. I would imagine the same exists in the largest IT consumer in America. Right. That’s DoD, right?

Max: 16:10.280 Yeah. Paul, I don’t know if you’ve ever worked on I actually got to work on mainframes, dude. I’m, like, younger than I started. Right. But I’m younger than you guys. Right. Like, I was just touching them ten years ago. So, there’s a ton of legacy stuff, at least on the contracting side. Joel, I see that a lot, but, yeah, I don’t know how zero trust would even work with some of these legacy systems that are out there. If it’s even possible. Right? I’m sure it’s possible.

 

Paul: 16:37.088 Yeah. It takes a different approach. I mean, I mentioned the protected surface, right. So if you don’t know what you’re protecting, you can’t really tell your controls and customize them around that. But how you protect even some of the more legacy applications, you start by building access controls that really bring the boundary to the data, to the application. Often the data still needs to be used. Right. It needs to be put into your usage, but you still really want to build your controls around that. You want to really understand the data that exists there. So if there’s data leakage, you can prevent it, you can detect it, and you can respond to it. IBM still keeps their mainframes. z/OS is still alive and well, I know. I saw them in missile defense. I’ve seen them in some of the financial agencies still run on them. And the challenge I always found entertaining is that younger guys don’t know those languages, whether it’s Fortran or CE, or how do you go back and…

 

Max: 17:35.216 COBOL and configuring LPARs? Oh man.

 

Paul: 17:38.442 I know so many guys who’ve been in it for 20 years and have no idea that inside that rack cabinet is just one shelf with a computer sitting on it. That’s always the other amazing thing. When you actually get to open them up, there’s a pile of books underneath.

 

Max: 17:55.030 Yeah. So, Joel, to your point right, like you were saying, I think the government probably has, I would guess, more legacy than modern government, in my experience. And Paul, you can correct me here. We come up with modern management approaches to the problem, what should work, but doesn’t mean it will work. But when you look at the back end of, um, most systems, they’re super old. They are like ten to 20 to 30 years old, is what we typically see, at least from my experience. Paul, I don’t know if you see that differently. And it’s just such a huge dichotomy because you have this forward leaning concept, like zero trust and artificial intelligence, and then you have this backwards, rear leaning technology and people culture.

 

Paul: 18:38.174 Yeah. I think it makes for an interesting problem. I think most organizations have developed risk management practices. I haven’t seen a lot of companies that are still reliant. We had one place, we had a lathe, a specialty lathe that used a Trash 80 to give you an idea.

 

Joel: 18:59.930 Nice.

 

Paul: 19:00.524 Yeah. Had a five and a quarter floppy, and it did what it needed to do, and we managed to keep it up and running. That’s awesome.

 

Joel: 19:07.936 And when it wasn’t lathing, it was playing Oregon Trail.

 

Paul: 19:11.790 I don’t think there was even enough memory in it to play any games. Um, maybe hangman. So you see some of the technologies, and I’ve replaced a Data General Mini. I’ve replaced a couple of mainframes over my career, and they’re monumental tasks. Right. Because you often don’t even know how the organization operates. Right. They’ve become so reliant on the technology to drive the capabilities that how do you go in and say, how does the company work? And I’m going to look at it holistically from end to end and really transform it. I did Sarbanes-Oxley early in my career. I got the IT controls enemy. I started the job a month later. I was at L3 at the time. So, um, a month later, they’re like, where’s your cyber controls? Nobody told me I needed them. They’re like, you’re late, you got two weeks. So I wrote my policy manual, and I got everything together. We implemented everything on the weekend. There were no change control boards, there was no approvals. I remember the CTO of our organization. He had never changed his password from “password”, and he hated the idea of passwords. And I got yelled at. But no good deed goes unpunished the next day. I know. They’re like, you need to implement the financial side of the Sarbanes-Oxley program now. And that wasn’t two weeks. That took up two years of my life. We had to really bring everybody together. People who had developed these hatred for each other internal so often funny to me, these people would have gone to ends of the world to help each other outside of work, but inside of work, they wouldn’t even sit in a room with each other. And I think that’s when you go back to Zero Trust, I think that’s one of the challenges that whether it’s an agency or a corporation, how do you get people who there are significant players in your organization. They bring a lot of talent to bear, a lot of inside baseball. How do you bring them together to work with each other? How do you lead them through a major change and shift in technologies? I may not have a data center anymore, but I have three guys that have worked for 25 years racking and stacking equipment. What do I do as I make that shift? And I think that’s probably the biggest fear I run into is what do I do when this is over?

 

Joel: 21:29.404 We’ve been talking about the legacy drag on Zero Trust, but I see another potential complex, and I was going to ask you about one. Of the things I say often is technology is not getting simpler. It’s getting more and more complex. Right?

 

Paul: 21:43.412 Yeah.

 

Joel: 21:43.860 If there were eight layers in the application stack before, there’s 16 now. I don’t know, but how do you deal with modern API micro? Not segmentation, but API microservices.

 

Paul: 21:55.342 Yeah. I mean, you get to the microservices, there’s an application workload pillar in Zero Trust, and you want immutable workloads. Well, you talk about modernization. So I have to take my legacy app that runs on a Windows stack, running some SQL Server. It’s tied into an Active Directory now. I want to rip all that out and move it over to something that spins up and shuts down servers as it moves. I want to have a continuous patch release. I want to be able to release patches 50 times a day. I want to get features out on that whole shift to the CI/CD pipeline. You see, it works better with companies that adopt it if you work with software engineers. Agile is like a religion, right?

 

Max: 22:39.716 Yeah.

 

Paul: 22:41.490 And I have not been fully reformed yet. That said, you see the organizations that adopt the agile methodology and change becomes constant. And I used to do work with veterans with PTSD, and these are guys who are in the VA or were arrested. This was their course of action. We trained them on mindfulness techniques, actually. So one of the things that happens is you lose that sense of safety. So you have predictability and control, right? So when you lose predictability and control and something bad happens, you crave it even more if your life becomes predictable. And you always have control over your daily activities. Any affront to those kinds of people or any of those practices or habits, anything like that, is greeted with hostility. So you have to sort of find ways to communicate with the people where they’re at. You have to look at those technology stacks. You drive into a CI/CD pipeline and how do I integrate security into something like that? And one place I worked, we implemented breach and attack simulation and we built our campaigns and we integrated them into the CI/CD pipeline. And the output created stories for remediation. And we would build the stories into our storyboard. They would go into Jira, put them in the backlog. I think as cyber people, we have to be the first ones to embrace those changes and really dig in and say, all right, how are you writing code now? What is a CI/CD pipeline? What are you doing to automate your code releases? How often do you realistically release code and how often do your customers want you to release code? I think that’s the challenge, right, is the customer, if you let the customer drive, they want feature updates regularly as well.

 

Max: 24:29.448 To some degree, I think you hit on a key there. When you’re working within that agile religious concept right there’s human vulnerability. We got to be able to say, hey, we don’t know what that means. We don’t understand, we don’t have enough information. And I think a lot of people are just not okay with just stating that the change is happening so fast, it’s impossible to know. So they’re going to go back to their old ways and things like that. And with a lot of the new paradigms, new ways of doing software development, whether it’s agile, test-driven development using AI CD continuous development, there’s a lot of unknowns. There’s so much unknown. And we got to be as people, we got to be willing to state that and then learn from it, right? And that sort of behavior it’s hard, man. It’s really hard. It’s an individual thing. It’s being secure in who you are and being comfortable with not knowing. And especially for veterans who have gone through PTSD, that’s like, super hard for them, right? So that’s a great example, but going to zero trust, right? You mentioned one of the pillars which you talked about, the application and workload of that particular pillar. There’s a whole bunch of other pillars, man. When do you think we’ll start? There’s something called the Advanced Zero Trust. I’m sure you read about this, right?

 

Paul: 25:47.120 Yeah, maturity models. Right?

 

Max: 25:48.640 Exactly. Like, when is this artificial intelligence going to start to interact with this ZT? And then, have you seen elements of that within the government or anywhere right now?

 

Paul: 25:59.124 I mean, there’s some companies that are using it to detect and respond. Mostly it’s detection once you start integrating. Right. My model, I haven’t been happy with the system model, so we sort of simplified it. I have basic capabilities and I have the ability to integrate those capabilities, and now I work towards automating them. And that’s where when you see the automation tools, when you look at, um, EDR, EDR is a great example of whether people are moving to MDR. A lot of automation capabilities in the app workload, you hear people are already using things like ChatGPT to bug fix and track, um, and do code analysis. And I think you’re going to see it on so some people refer to the visibility and orchestration as cross cutting. And the DoD, they refer to them as standalone pillars. I agree. I think they have to have an equal seat at the table. Governance is the one that I like to put as the cross cutting because it’s the fuzziest of them all. And I don’t know that you’ll ever have true AI in governance. But that said, I think when you look at where you go with data discovery, data tagging, and in using that awareness of data to make access decisions so that I can get down to the granular level and say, Paul shouldn’t see the secret sauce or how computers are done, I apologize.

 

Max: 27:21.750 It’s all good. We can have the dog in the podcast. So, yeah, I was thinking about some of the things that Paul was stating in terms of I think one of the interesting things Paul you said is governance and AI won’t happen. Something like that. Right. I can’t recall the full sentence, which you said, yeah, it won’t go together. What do you mean by that?

 

Paul: 27:41.604 No, governance is a tricky one when you look at Zero Trust, right. How do I define governance? You can have the ability to go in and say, who should have access to what. You move from role-based access to attribute-based access, and you really start to make your access decisions more granular. But even when you start looking at that, how do I make access decisions? I may be able to take some historical data and build some awareness that says Max should access the barking dog, but maybe Paul shouldn’t have access to the barking dog. So when you look at sort of that model, you kind of wonder, where do I really build governance? And I think governance is kind of the softer of the capabilities, where really there’s not a lot of guidance on how to do governance. And I think a lot of organization that’s probably struggling. Right. We talked about agile. I want to get products out the door. The governance is we need to make money. We need to release new products. We need to lose new capabilities, we need to drive growth.

 

Max: 28:44.910 Yeah, there’s a strong overlay of business, just business governance, business focus to get it out to the market. But yeah, to your point, I think a lot of people are wondering, and I don’t know, Joel, if you’ve seen any commentary, how do we regulate AI? And I know that could be an entire topic, but that’s where my head goes to some degree.

 

Joel: 29:02.502 Absolutely. Well, I mean, I was buzzing, obviously. I spent a lot of time, Paul, talking and thinking about AI. That’s my current focus area. And one of the things that I think is a reality is that we don’t get the value out of AI unless we allow it the autonomy to make decisions without human involvement, or to see things humans can’t see, which is by definition, more like 100% trust than 0% trust or some higher percentage. Right.

 

Paul: 29:27.544 Yeah.

 

Joel: 29:28.024 So that’s an important ingredient to get the value out of it. But at the same time, I understand what you’re saying, because of the unpredictability of it. I’ll put one other leg on this stool and see what you think about this, is that with continual development or deployment, continual deployments even more so, that automatically deploys multiple times a day in certain environments. Automation is required in order for that to happen. The security checks of it. So how do you put all that together? You can say no to AI and autonomy, but you can’t hit the speed that’s needed.

 

Paul: 29:58.128 Yeah, I think when you look at the app workload, as we refer to it, in Zero Trust, when you look at the capabilities of doing automation, writing code just in time, continuous delivery, especially. I know DARPA did an experiment back when, um, they had a contest at Defcon, and they had a bunch of basically like, which system can break the other one. The guys who wanted it, saw the compromise of the first system, they analyzed it, and the AI wrote the code to not only fix the vulnerability, but to build it into an exploit against the attacker. So I think there is a lot of potential for AI. Everyone’s always afraid of change and new ideas. I think when you look at Zero Trust, if you have a mature Zero Trust program, you start looking for all kinds of ways to automate. And as you start to see the declining return on investments on those efforts, AI is where you have to go. And I think it’s 24/7, I forget what the human can pay attention to, like 20 minutes, 45 minutes maybe tops. And then they get distracted. Computers can pay attention indefinitely without being concerned about bathroom breaks or phone calls from family members, the dogs and stuff. Honestly, I think governance, when I say it’s soft and squishy, it’s the one place where humans seem to work well. But I think eventually you’ll get enough history, you’ll be able to make informed decisions and you’ll be able to build in learning into those decisions that eventually access governance especially. It’ll get there whether or not you can do all of what we’re talking about. I think there’s a lot of challenges. But if you’re not sprinkling AI into your decisions, especially machine learning, then you’re not going to have a very good cyber program. And if you’re not preparing for the hacker’s use of AI, you’re in bigger trouble. I think that’s the real concern I have is that the only way to defend against AI is to probably, in my opinion, use AI.

 

Joel: 32:05.038 Absolutely. I think one of the differences that we’re looking at is using the term automation and AI interchangeably is not quite correct. Right. Because typically automation is taking human logic and applying it over and over again. AI is allowing the program, the algorithm, to map the data to its own logic that no one ever coded. And so then you get indeterministic results at times and that’s the challenging piece, but it allows you to move faster and that’s the key.

 

Paul: 32:31.840 Right, well, and how else will you respond to threat actors that have AI to build their attack vectors? Right. There’s a fear and obviously AI gets a lot of attention for some of the fears of it. But right now it’s as good as the information you feed it, at least as far as I understand it. But yeah, that’s why I think when you look at maturity level, you don’t start with just throwing AI at it and have at it. You really want to start with is where can I automate? What automations can I build? You got to get the integration in. Otherwise your AI is not going to be very effective. Either way, it’s coming. And hopefully as we see agencies move into that integrated state, we’ll be able to start using AI more and more. And I think you’re going to have to use it more and more. I don’t think you have an option.

 

Joel: 33:20.960 One of the things that’s on my mind is AI is such a differentiator on a national level, we’re talking defense, we’re talking economy. And so you’re on the scale. We can play it too reckless and train wreck ourselves, or we can play it too safe and be too late to the market. How do you feel like we balance that? How do we manage through that?

 

Paul: 33:42.184 I think it’s going to be the organizations that really decide the future. Right. When you look at who made the move to the Internet, who drove Internet-first technologies, who drove their organizations that way? Walmart. I’ll use them as an example. They were a juggernaut, right? They were taking over the food industry. They were going to take over everything. And now it’s Amazon. Right? What did Amazon do differently? It’s not like they’re better at logistics. Walmart is great at logistics. What they did differently was they embraced the Internet and they embraced new technologies. I think that’s always the game changer. Again, I go back to companies. Executives are no different than anyone else. They stick to the things they’re good at. They stick to what they know. I think personally, it’s been my thing. I graduated high school when they were laying off all the mainframe guys in New York where I lived. I knew plenty of mainframe people who were being laid off. Everyone told me I was crazy to go into IT in 1989, 1990, when I started working in the field, and you fast forward the jobs of today are all in technology. So if you don’t embrace new technologies, new ideas, and you rest on what you did yesterday, tomorrow is going to get painful. I can’t say it enough. I’m with you. That’s why I like Zero Trust. As soon as NIST released it, I was like, oh, what’s this? This is shiny. This is interesting. How do we do this? I was at Lincoln Labs and I was banging my hand on the table. We need to do micro-segmentation. We need to use Zero Trust as the only solution that will really work for us. It’ll solve all our problems. So I think it’s the same when you see too many people are trying to find the soft spot, the easy part, that’s, to me, the most dangerous place to be.

 

Max: 35:31.900 So, Paul, we’re almost at time here and wanted to ask you this last question as kind of your parting thought. So, Paul, I know you’ve been working in this Zero Trust and you have this architecture that you have built out. When can we see a release of that? When do you think it’ll be published, or will it ever be published for others to learn from and review?

 

Paul: 35:51.232 That’s a good question. I’d have to talk to our leadership. I think there is a push towards, um, publishing a lot of these types of documents. So I work as a contractor for Appian Logic. I’m an employee there, director of something. I always forget my title. Only title that ever mattered was Paul. We did a gap assessment for one of the agencies last year, and we drove it in a way that was informative because everyone thinks it’s an audit. And we were like, no, we’re just trying to assess where you’re at, where you’re going. We built it into a model that could forecast. I took about 80 controls and I did interviews, I did spotlights on people so that I could show where they’re really, they’re way ahead of the curve. These are not Zero Trust related things, but they’re something that these people should be proud of and made sure that we used it to build a consensus and an approach to go forward. It was wildly successful across the agency I did it with, all the way from the CIO, CISO to the network admins and the firewall people. So that’s the thing I want to try to drive. I think audits can be confrontational. They can be challenging. And I think I’m hoping I can build out a process for that over the next few months. I know other consulting firms are doing something similar, but I think what I have is a little different. And the secret sauce is obviously me in that equation.

 

Max: 37:15.874 So that’s what I’m asking for, Paul, is when are we going to get to that secret sauce? No, I’m kidding.

 

Paul: 37:21.390 I am the sauce. There’s a quote.

 

Max: 37:28.510 That’s going to be the first one right there. I am the sauce.

 

Paul: 37:33.970 I’m hoping, um, not too long into the future, I’m still thinking there’s an opportunity for the two of us to collaborate on that, really build out some futuristic capabilities. Maybe we can find a way to use AI to drive them forward.

 

Max: 37:47.720 Yeah. Well, Paul, I know for myself, I wanted to thank you for coming on. I think this was a great conversation. And Joel, I appreciate you joining in. This is fantastic.

 

Paul: 37:58.034 Max, always a pleasure. Love talking to you. Anytime. Nice to talk to you, Joel, and thank you very much.

 

Max: 38:05.290 Emerging Cyber Risk is brought to you by Ignyte and Secure Robotics. To find out more about Ignyte and Secure Robotics, visit ignyteplatform.com or securerobotics AI.

 

Joel: 38:16.434 Make sure to search for cyber in Apple Podcasts, Spotify, and Google Podcasts or anywhere else podcasts are found, and make sure to click subscribe so you don’t miss any future episodes. On behalf of the team here at Ignyte and Secure Robotics, thanks for listening.