Security Signal: The Perimeter Problem

One to ten scale, where do you think companies are in their journey of zero trust? I would say four. So I was going to say six and I was feeling bad about it. Hi, everybody. It's a pleasure to be here and joined by two esteemed analysts. Manny, do you want to start with a quick introduction for yourself? I'm super excited to be here. Manny Barzilai. I'm the CEO and co-founder of Miles. a cybersecurity startup that disrupts consulting and a partner at another cybersecurity startup called SciTactic, where we build the world's best cyber crisis management and readiness platform, the CTO of the Cyber Research Center, the Tel Aviv University Cyber Research Center, and ex-CISO in the intelligence services. Well, we have a lot to talk about, a lot of your background, so we'll dive into it. Do you want to go, Steve? Absolutely, yeah. Excited to be here also. My name is Steve Pascucci, and I'm a vice president of SASE and Zero Trust Customer Development for Cloudflare. I've been with the company for nine years, and I help our customers get the most out of the solutions that they buy from us and help them decide on which solution they want to use. Got it. So the segment we're talking about today is called the perimeter problem, or lack thereof, because the perimeter seems to be either evaporating. or shrinking and so on. So let me just start with the first question. And maybe you can start us off. As you think about the perimeter, what are some of the things that you're seeing with the shift in the perimeter kind of going away in terms of identity-based security and so on? How are you seeing that happen? Yeah, so that's a very interesting question. First, let me say that with regards to identity, there is a concept that says that... If you're able to solve the identity problem, you're able to solve cybersecurity because identity is the core challenge of cyber. If you know that the right person is using the right data with the right device and accessing the right things and doing the right actions, if you're able to identify everything, then you don't have cybersecurity issues. So this is a big challenge to solve. Now, primarily there is a very big problem in today's world where everything is cloud-based. It's not always clear where does the organization ends and the supplier begins. So, perimeter is a very questionable concept in today's reality, and I think that the more we are interconnected, the more you have connections on the application level. You're using, I don't know, AI as the backbone of several applications. Again, it's not clear whether it does. Your application ends and the supplier begins. So, definitely trying to make sense of the perimeter in today's reality, I think it's a hard challenge. not sure that this is the way to go. Steve, what's your perspective on this? I think it's important to remember where we came from, where, you know, the perimeter was a firewall in a data center. And we've moved that to the edge. So edge security has become, instead of inspecting traffic that's coming through, it's validating identity. And then you're able to do a lot more checks. So it's really this paradigm shift and this modernization of how we are. accessing applications, how we're accessing infrastructure. So I think it's just really important. And then the modernization of that is really taking into account device posture and impossible travel and things of that nature to supplement identity. So it's not just identity that you're looking for. One of the things that organizations respond with is, well, we've got zero trust. Right. And so course, that could mean a whole host of things for everybody. But in a multi-cloud environment, in a complex kind of plethora of things that are being thrown at an organization's network, how do you think about zero trust? And where do you think organizations are in terms of actually implementing zero trust in their environments? I have a feeling, I'll say this a couple times, but zero trust is a journey for everyone. And it really almost doesn't. matter where you start. Most people start with their most problematic scenarios. And so for some, it's contractors and developers. How do we manage that? For some, it's remote and hybrid workers. How do we think about that? For some, it's how do we apply zero trust principles to individuals that are accessing infrastructure? So really, what's my biggest problem? Where can I start? And it's a journey. So it's one of these things that's going to evolve and change over time anyway. Yeah, I remember I was at Forrester when we actually coined the word zero trust. Oh, you guys did it? And so what was interesting was it took about three or four reports pushing it into the marketplace that this is not about a product. This is not about a solution. This is actually a mindset. You've got to start to think about defense in depth as a mindset. And that's actually what it is. And, of course, a lot of the vendors have kind of. I've overlaid that by saying, oh, we do zero trust. And so it kind of defeats the purpose of the whole idea of, as you said, it's a mindset, it's a journey. It's not something that you focus on as a one-time thing. What's your perspective on how are organizations doing in zero trust? So first of all, it's very exciting to sit with the person who coined the phrase or the person in the team. Not me, but I edited the report. You built this business, right? You built this business. So that's amazing. And I think I absolutely agree with what you said. It's more of a philosophy. It's more of a way of thinking. And the first step in failing in zero trust is thinking that zero trust is just a product, right? And if it's not, if you don't live by this philosophy, you're going to fail. And it's about understanding and acknowledging that you cannot trust by design anything you have to verify everything. And to some extent, zero trust makes identity your new perimeter. identity becomes your perimeter. I think this is a very important approach. Many organizations adopt zero trust and many want to go there. This is such an important journey to have and I couldn't stress enough how much you should push that inside your organization because in many ways it makes security cost effective. You're simplifying security if you go to zero trust. You don't have like this multi-complex situation where some places you identify in this way, other places you effect that way and suddenly you have weaknesses here and weaknesses. You simplify security and simplifying security makes security management cost effective. And this is such an important thing to push forward. And we'll talk about complexity, which is a big part of what you're alluding to, which is kind of all of these things that are thrown at a company and how do you kind of manage and deal with it. But let me put you both on the spot a little bit. We talked about the journey, right? Let's say there's a start and some kind of an end at somewhere for that journey. Maybe there isn't an end. But if you look at an average organization, right, how far along do you think? That was the question initially. Are they in that journey? Do you still feel that there is a lack of maturity in general in terms of understanding of zero trust, of prioritization, as you said, Steve, prioritization of what really is? a major risk for me to kind of handle first as opposed to trying to throw products at that problem, right? And so one to 10 scale, where do you think companies are in their journey of zero trust? You know, this is a hard question because I have some amazing examples of companies who were amazing at implementing zero trust, but most of them are not there. So I would say even those companies that implemented such a product but didn't make it a minor mindset are far away from the place that they need to be, I would say four. So I was going to say six and I was feeling bad about six, but I agree with you. I think when companies are at their best, they have zero trust scorecards and they're evolving over time. You know, AI has upended the game. So, you know, non-human identity, how does, where does that go into the scorecard? And, you know, email, not part of the analyst. you know zero trust or sse or sassy but really should probably be a part of a zero trust approach um so um yeah so i'd say i'd say now i'm going to change it to five there we go yeah because there is so many places to implement zero trust you know with your vendors and your customers and your employees and and applications and everything so even if they have one successful project still there are so many other things to do we had a really interesting statistic that 46% of human login attempts involved compromised credentials, right? And so if that's the case, do you think Zero Trust is going to resolve that issue around identity and perimeter? And is that really, how do compromised credentials play into what's happening with AI, really pushing a lot of that into organizations? any thoughts on that? Yeah, absolutely. So surprisingly enough, this statistics actually shows that there isn't a problem. Because you see so many people using leaked credentials, but not so many cases where those leaked credentials are being used to hack people and hack organizations. And the reason is because in most cases, we already have two-facto authentication or multi-step authentication in many places. So you can still use leaked credentials. and still be secure. Now, obviously, this is far from being a deal and organizations should invest in refreshing those cases where they have leaked credentials or at least know about that. This is far from being a deal and there are some cases where you can use leaked credentials to steal hack organizations. I'm not saying it's good. You should definitely change that. But I'm just saying that in a multi-factor authentication world, leaked credentials is not sufficient to... So you're saying that statistic actually shows that we're actually doing good under our trust because we've got Lear Defense. That's why we don't have 46% of the organization being compromised, right? It's still a big problem. A lot of people lose a lot of their data because of their credentials, but not on the enterprise level, mostly on the personal level. Still, we need to do something about it. Okay, fair enough. The statistic on the personal level is probably a lot higher, I would say, right? Yeah, because you have those... cases and it happened to me all the time people send me an email telling me oh my god i got this this email saying someone hacked my account um they use my camera to like take a video of myself visiting those very sensitive websites and they have a photo of me doing that and this and this and to prove that they show me my password and username and obviously they have done nothing except taking your password and from exactly and to make you feel that they have access and let me do it happens so many people approach me and I would imagine that for every time someone approached me, there are like 99 people who are embarrassed to approach me because like for girls and for guys telling me that they visit those websites and now they're afraid. It's very embarrassing spot to be in. So that's a big problem for like consumers and personal people. Now let's talk about, and Steve, you started to talk about it already. What practical steps, what things can organizations do as they think about it? their zero trust journey and strategy. Where do they start? What practical steps have you seen really work well in clients of yours? And how do you see it kind of evolving? I think there's two places that I would start or I see businesses starting. And number one is identity, which we talked about already. But the second thing is getting an inventory of all your applications from most important to least important. Who has access to it? Who shouldn't have? access to it. And starting there, that's a monumental task in certain cases. But really doing that hard grunt work, that measure twice, cut once type of work is absolutely where you should start. And I shouldn't be saying this, but choosing a zero trust tool is the fourth thing you should do. Getting your zero trust principles in order and deciding, and then you decide on a tool in which you're going to enforce these principles. Are there any quick wins there? Anything that... organizations can just implement quickly and then get, I don't know, 20% of the problem solved instead of going through this process, which would take them sometimes more than a year before they can get the budget, bring the people. Is there anything that you would recommend do today? It's easy. Start with that. I think at Cloudflare a couple of years ago, we wanted to get rid of our VPN. Yes. And so we did just what I said, which was it was the most critical internally web host. trusted applications that we could access. And that's a really quick win. You can do that in a very simple way and control who has access and in what cases. What about you? Have you seen any successes in clients of yours where there's outsized value for a small amount of effort? It's very easy when you build a company ground up, right? So some of my friends in the security world have joined startups from day one, and those startups became. large organizations and if they implemented zero trust from day one and for them it's such an easy journey and those are amazing um cases everybody can learn otherwise i would say that i would absolutely agree with what you said anything that you can do to secure remote access which is one of the biggest weaknesses that we have today uh would be a quick win and there's always new generation of remote access solutions out there, check them out, don't be afraid of trying new things, because this is a big, big weakness everywhere. Yeah. And maybe a related question to that is, a lot of people struggle with, again, we talked about prioritization of zero trust capabilities, and you said, well, do an inventory, and then maybe product is the fourth thing, and so on. If you had to invest, I mean, of course, the budgets are tight for everybody. these days, people are being very thoughtful. They have to kind of think about value that it's driving, et cetera. Are you seeing anything interesting or exciting from an investment perspective that, again, would have an outsized impact in terms of zero trust, capability building, mindset building in the organization? So from an investment perspective, Manny, maybe you can start, are you seeing anything exciting where if you... If you're a CISO, you have a budget, you've got a line item, whatever, 4% of your budget can be spent on this. Are you asking about a specific product? Because whenever you ask about a product, I will say Cloudflare. So just, you should know that. I don't know what is the real answer. I will say Cloudflare. I'm not limiting you to a product. I'm saying if you've got a chunk of money and you are told that you need to fix zero... or start fixing zero trust problem in your organization. Yeah, so I would say something surprising. I would absolutely agree with what Steve said about the cleaning, like understanding what's going on. Doing the boring work that we all feel that it's boring. Understanding, implementing the mindset, understanding what it is that you want to do and create the right plan for you, TaylorMann. At the same time, I would also invest, and it's just a bit outside of us. you ask, but it's very important to understand, I would also invest in resilience, in preparing for the incident. Because during those long projects, one year, two years, three years, you're super exposed and something will happen. Every company has to assume that in the next year, two years, three years, they will get hacked. Now, it's not 100% sure, but it's better to assume that you will get hacked and be wrong than to assume that you're not going to get hacked and be wrong. So it's okay to invest in prevention, in implementing zero trust. is super important at the same time think about what's going to happen the moment you get hacked you have to have a plan for that so you're saying you balance out your offensive and defensive capabilities and make sure that you're prepared if you were to uh encounter something like that which all of us would at some point and so because the hackers will not wait for you to finish the zero trust project yeah yeah fair enough fair enough i'll give another almost non-zero trust answer but i'd invest automation. So, you know, can you automate onboarding and offboarding of employees and applications? That would, if you're the larger the organization, of course, the more that's happening. And if you could say, you know, today is my first day or today is my last day, and I no longer have access to these systems with a click of one button, that is protecting your company. And it's not zero trust related necessarily, but it's automation related. Sure. That's also simplified security. Automation simplifies security. Everything simplifies security. I'm in favor of it. And maybe the message that you both have is exactly that, which is reduce complexity in your environments that would allow you to better protect the environments and better respond to threats in your environment. Both ways, right? So let's talk about, I know future is hard to predict, especially in a field that we operate in. And I don't want to go three years. or five years because nobody knows right and so let's let's be very specific 12 to 18 months where do you think the trajectory of the threat landscape and the and the protections against it basically the zero trust conversation where is the trajectory going and and and do you see anything interesting exciting or threatening um that you would like to talk about yeah absolutely i think Obviously, you cannot talk about the future without talking about AI. Obviously, it's the most important disruptive technology that we have right now. You can't have a podcast without talking about AI. You have to mention it once or otherwise they wouldn't let you onboard the internet, put it on the internet. I think one of the biggest problems, there are several interesting problems. They're going to change cybersecurity forever, but one of which is definitely, and we're going to start seeing that soon, is the autonomous hacking systems. So those are systems that are able to... to do the entire hacking lifecycle from identifying the victims to finding the vulnerabilities and exploiting them, going inside the network, do the lateral movement, finding the crown jewels, stealing the information, encrypting the file, sending you the email, saying, hi, I'm the AI system who did this, let's negotiate, verify that you pay the Bitcoin, giving you the instructions on how to open everything and helping you to remediate whatever happened to make sure that you're happy as a customer and doing the entire. cycle without a human in the process and we're not far away from this reality if we have autonomous cars driving the streets which sounds like a much crazier challenge they have so a system that hacks this process and we already have seen like all the building blocks in order to make this reality happen are already there nobody connected them into a full autonomous hacking system but we there is no technical challenge in doing that sure so this is i think one of the biggest issues that we see in the years to come and in that sense zero trust is built to some extent to deal with those kind of things but the true way to deal with those kind of things would be autonomous security systems that are able to change the configuration automatically buy products implement them immediately do all of those things there is no way for a human pilot to win against an air power drone so you have you have to have a drone here and a drone there and only then you have the ability So are you saying the hackers are getting lazy or are you saying that they're becoming more enterprising where they want to increase the scale by automating all this? This is a very good question. I don't think the hackers are getting lazy. I think they are being replaced. So the people that will build those autonomous hacking systems are not going to be the hackers. It's going to be the people who are going to replace the hackers. So we already see people in the cybercrime world, which are not technical by nature, leveraging AI. to you know to foster crime and and push crime um um so yeah the crime world is also being disrupted and and suddenly hackers will have to find a different job fair enough so so on that note hackers finding a new job steve what's uh what's your prediction i remember uh nine years ago when i started at cloudflare and we were seeing all these ddos attacks all the time and then there was a lull and i said to myself are we getting too good at this and But obviously the case is that, you know, the bad guys are always getting better. They're always looking for the next new spin. And I think, you know, what you said is exactly right. There's too much money to be had and there's no lack of creativity and motivation. And it's not just hackers or non-technical hackers, I think it was kind of what you were saying. There's also nation states that are driving worse. So, you know, no one's immune. And so, yeah, I agree with what you were saying about that. autonomous hacking and, and just, you know, different vectors being exploited and more and more creative, you know, ideas coming out just because the rewards are way too rich to, to, to, to, to stop. So, so you're, you're saying both are saying that the boards are going to have a lot of sleepless nights and the CISOs are going to have a lot of sleepless nights dealing with the significantly increased threat level around things in the next 12 to 18 months. Well, CISOs are already not sleeping, so it's not, they don't have anything to lose, but absolutely the challenges ahead are much greater than the ones we've already seen, right? So absolutely. I think what you were saying is really important that autonomous systems to respond also because some of the most popular tools out there that CISOs are using give them so much signal or give them so much signal that they can't respond. And so they're prioritizing. the the the threat signals that they're getting and and that's not a sustainable uh way to to to to build a secure business yeah i mean i i i feel that there is a lot of noise too and and finding signal oftentimes becomes an issue where you've got just too many products and too much complexity and too much information being thrown at you to figure out where the noise and the signal is um and and so having that reduction in complexity becomes really important. Um, so, well, we're, uh, we're, we're at the end of questions and beginning of lightning round. So, uh, we'll, uh, we'll dive in. Um, let me start with, uh, with you, Steve, uh, if you had to describe the current state of cybersecurity in one word, what word would you use? Consolidating. Consolidating. Great. That is a, I hear that a lot. from CISOs who are trying to, I just, somebody just threw out this statistic and just blew me away. An enterprise, a large enterprise has 72 cybersecurity vendors. It's like, what? Yeah, absolutely. And there's definitely a room for creative, innovative point solutions, but it's getting too complex to manage that. So you've got to consolidate as much as you can without giving up any usability or security, but yeah. consolidating okay great many so if i had to choose one word it's gonna it's gonna be either um ai don't use it well everything cyber now is ai but since i don't want to be this guy yeah you know i would say crossroads um this is a situation right now we're making we are either building the problems of tomorrow or the solutions of tomorrow and i think we don't really understand the problems that are coming with autonomous hackings and the architecture of the internet that allows the internet to crumble slowly by slowly and the need to build maybe new infrastructure with a new stack, we are not there, yeah? And we need to move faster. Now, I think that's a really thoughtful answer because, yes, it could go either way. So completely agree. So I raised the AI answer. This is a fun one for me as well. What's the one buzzword in security or tech that you wish you could retire? Seamless integration. How about that? You know, yeah, when it's at its best, things integrate. But, you know, it's never as seamless as we know. Okay, fair enough. I'm not sure. I'm not sure. I need to think about it. AI, maybe? No, AI is important. Without any context, right? Yeah, the problem is. agree with that, is that AI is such a broad term, and we're still not in a place where you're using the term in a correct way, because AI means many other things, and we need to be more sophisticated in using this term. Got it, got it. So you both have had tremendous experience working in this industry, and the next question is around, what do you think is the biggest challenge that companies and individuals face as they think about cybersecurity? It's the complex. aspect. I think that it becomes harder and harder to manage security infrastructure. And if you're not able to simplify the process or remove complexity, you will not be able to manage your security. It's as simple as that. And all of those small mistakes and all of those holes in your organization happen because you take upon yourself a big, big challenge. If you're not creating a scalable system, if you're not seeking scale from day one, it would be impossible to manage your entire infrastructure. Got it. Got it. Steve. I'm surprised to see complacency on that list, and maybe it's just the conversations I'm having, but the one thing I'm not seeing out there, which is good, is complacency, which is good. But I'd also agree with complexity, and I think that security vendors and marketing teams play a role in this. There's a lot of confusing information out there. A lot of tools sound the same and do the same things or seem to do the same things. And I think that, you know, we try really hard to help make sense of what's out there, whatever the solution is. And so that complexity is not just the complexity of technical environments, but it's the complexity of what a website says or what a salesperson says. The fudge factor. And we see a lot of companies out there with a lot of shelfware that they purchased thinking it would do something. And they never deployed that thing or it never worked. No, that's fair. And yeah, I just read another statistic the other day that the digital transformation loss is $2.3 trillion a year where companies are not meeting their time, budget, or outcome requirements. That's the GDP of Canada. Oh, that's right. Okay, next question. This is a fun one as well. In five years, corporate leaders will need to be floated. fluent in? I think that the major shift that we are seeing right now, and will continue in the next few years, is pushing CISOs to become business leaders, which has good things to it and bad things to it. But this is, I think, a big, big trend that everybody should consider. What one skill do you think they're going to require to be better business leaders? So I think that what would make everyone a good business leader? is, sorry for being silly on that, is understanding business. So knowing how to speak finance and legal. So those are very important things. I don't think that they need to understand marketing and sales and so on and so forth, but understanding what it is, what governance means in the sense of an organization, understanding what is the position of the board of directors and what are their considerations and how do they think and what is the leadership and what is the type of thinking that the CEO... uses because sometimes like technical people they believe that you know everybody's is believing in the target and everybody's doing what's right this is far from being true on the business side so understanding the levers of the business and and driving the thought and the perspective around risk appetite and all the other factors that would feed into growing a business i was going to get some points deductions by saying ai uh posture And, you know, AI policy. But that's five years from now. I think that'll be too late. And you mentioned before companies that are just starting up right now. They have a leg up because they're not encumbered by legacy systems. And so what is it going to take to get from where you are if you're a large enterprise to where you want to be that's not going to slow you down? And so and slowing you down is so many different things. It goes to employees. It goes to adopting new technologies. But I guess. thinking now, working from five years backwards to now, how do I modernize my legacy infrastructure? Legacy is a big problem, especially in the autonomous hacking system world. The world doesn't have enough money to replace legacy systems and those are going to stay vulnerable. What one book, podcast, or show do you watch that is surprisingly relevant to how you think about cybersecurity or leadership? I have on my bedside table, John Maxwell, daily leader. Just everyday leadership tips and principles and little anecdotes, it's great. And it's a good way to start the day instead of, you know, Instagram or the news. Or watching the news, yes, absolutely. And it's a great way to start the day. And then I really love, this is how they tell me the world ends. I think I have that title right, but I mean, Nicole Perloff, she's a author from the New York Times. And it talks about the rise of nation state actors years ago, and obviously that's... becoming more and more of a problem. But it's a really interesting, riveting recounting of some of the early days of... And that is so relevant in today's volatile geopolitical environments that we're operating in. Two surprising recommendations would be Thinking Fast and Slow by Daniel Kahneman. If you really want to understand why they say there is no patch for human stupidity, absolutely read this book. This is such a fantastic book. And the second one, Ender's Game. I'm recommending everybody to read Endo's Game because to me, Endo's Game, besides being one of the best books I've ever read, and I love this book. Never watch the movie, never ever in your life watch the movie, read the book. It's a book about management and you only understand that it is a book about management when you start reading the other books in the series. But it is a book about management and if you see it like a book about management, you will learn so much of it. Thank you both. This has been a phenomenal conversation, a really interesting conversation. I learned a lot. during the conversation. This is a series of conversations we're having on the topic of, we talked about signal, right? So we are putting out a report that talks about the signals that C-suite leaders need to think about as they think about cybersecurity in general. Of course, we talked about the perimeter problem, but we have sessions coming up on resilience reimagined, on post-quantum agile security. So all of those things kind of feed into what an executive leader and a company needs to think about or elevated thinking around cybersecurity topics. But watch and follow us on Cloudflare TV, subscribe to Security Signals, and download or read Security Signals at cloudflare.com slash signals. So thank you both for again joining, and it was a pleasure to have you both. Amazing. Thank you for inviting me.