A podcast Connecting the Dots, Exposing Threats and Navigating Cybersecurity


Episode 4: The Ransomware Epidemic: How to Protect Against Cyber Attacks with a Zero-Trust Security Model


“These actors are criminals. And while the Russian government allows them to operate kind of with carte blanche access to the rest of the world, as long as these criminals kind of stay off Russian soil, then the two business models don't really conflict. So the criminals, as long as they don't intrude and ransom Putin's interest, he is not going to rein them in, there's no incentive...” – Brian Kime

In episode 4, John exposes the truth behind cyber criminals and the disturbing trend of increased ransomware attacks. Brian Kime, Forrester’s Senior Security and Risk Analyst, is John’s special guest as the two go deep to shed light on cyber threats and how businesses can implement zero-trust to prevent these attacks.


Have feedback or a cybersecurity topic you would like us to dig into on this podcast? We would love to hear from you! Drop us a quick note at lockandshield@team.neustar.

If you have any questions for Brian, you can contact him at bkime@forrester.com.

Highlights:

  • How cyber attacks are evolving – Incentives and key factors behind today’s cyber-criminal activity.
  • Getting the Feds involved – Examining if/how the government will play a role in mitigating ransom attacks.
  • Stopping attacks before they happen – What solutions are out there to protect you? What is Zero-Trust and why is it gaining traction?
  • State of the nation – Breaking down the last 18 months of new developments.

Discover how Neustar can help secure your organization online.


Episode Transcript

John McArthur: Welcome to the Lock and Shield podcast presented by Neustar. I'm your host John McArthur, Director of Security Intelligence within Neustar Security Solutions Group. Given the ongoing trend of ransomware attacks, and higher and higher ransoms being paid, we thought we'd take a deeper look, understanding how serious the threats are to enterprises, and how they can just defend themselves against them. Joining me today is a special guest, Brian Kime, who is a Senior Analyst in the Security and Risk Practice at Forrester. Brian has an extensive background in cybersecurity matters, including serving as a senior intelligence analyst in the United States Army. Brian, thanks for being on the podcast. And before we start diving into all things ransomware, let me ask, how did you get involved in cyber security?

Brian Kime: Thanks for having me, John. My journey into cybersecurity began in one of my first active duty assignments. I was kind of an IT manager, but I had a little bit of security responsibilities with Active Directory and cross-domain transfers and stuff, and a former boss of mine, a commander, was acting as a contractor as the nuts-and-bolts kind of IT guy, sysadmin. And so I spent a couple of years with him basically, and did a couple of other active duty assignments, including a deployment overseas, and then said, okay, I want to go and get a real job now. And what can I offer someone? And I'm like, you know, I think I'm pretty good at this intelligence thing. And I kind of like the security thing now too; is this a thing? And I was pleasantly surprised to find that what we now call cyber threat intelligence was becoming a real discipline within cybersecurity. So I got hired on by Dell Secureworks. At the time I was called an IT Security Intel Analyst. Shout out to my first boss at Secureworks, Berlene Herren, the first, best boss I've ever had there. She's a retired Army Russian linguist. And, you know, she helped set me up for all my success since then. So Berlene, if you're listening, thank you again. She's fully retired now from her second career. So yeah, and then I did a little time at the vendor, right. And then I went and did threat intelligence for a very large critical infrastructure asset owner, Southern Company here in Atlanta, you know, helping to keep state-nexus actors out of our electric and natural gas operations. And then an opportunity arose to come here to Forrester, and I wasn't looking to become an industry analyst, but they said I could research and write about threat intelligence and industrial control system security, a couple of things that I have become passionate about over the years. And I thought that sounds pretty cool. You know, let's do that for a bit. 
Let's get all these things out of my head that I've been thinking for a while. And, you know, we use the Forrester name to mature the threat intel industry. And I'm happy to be here; about 18 months now. You know, done a bunch of stuff already. And I'm still digging it. So, yeah. And I'm glad to be here, John.

JM: No, very cool. It's great to have you. And you know, that background speaks very largely to what we want to talk about today, ransomware. Talking about industrial systems, Active Directory, I think all of that has a place here in our discussion today. And I think it goes without saying, right, the last 18 months have been a tumultuous time. The COVID pandemic has impacted everybody's lives. But over the last 18 months, it also seems like we have a disturbing trend of more and more ransomware attacks, with increasing ransoms being demanded and sometimes being paid. We've talked about Colonial Pipeline in May, with a $4.4 million ransom. JBS just happened in June, $11 million. There was Whirlpool in December. Numerous school districts, hospitals, municipalities, technology manufacturing companies; no one is being spared. So, I guess I'll just start with a basic question: what should we expect? Should we expect this to get better or worse?

BK: So, looking at the incentives, I don't see an incentive for these ransomware criminals to stop. There are lots of big businesses that have a lot of money that can be ransomed. And I think the business model, because this is a business, illicit but still a business, that these criminals have created has enabled them to scale and go after, you know, bigger victims, bigger targets. Now, most people didn't know about Colonial until mid-May. They probably didn't know about JBS Foods either. And yeah, so we're gonna see, I think, some more soon. I was looking into this recently for another client. In 2019 there were only like two groups that were doing the extortion thing, the hack and leak, and through 2020 I think that grew to something like 24 different groups. Now there are sites dedicated to tracking the victims, because that's part of the thing: don't pay and I'm going to shame you on my website. So, one, we don't even fully understand the scope of the problem. Most victims have not, you know, had to report, nor would they voluntarily report a breach. Things like Colonial are hard to hide, because when oil products stop flowing, it's pretty obvious, right? You know, I live here in Atlanta; we had the long lines and the plastic bag over the pump handles when they were empty. It could have been much worse. But, you know, those things are kind of hard to hide. If it's just ransoming, you know, customer data, you can kind of conceal that. But when poultry products and pork products are not in the store, people will start asking questions, right? You didn't mention Molson Coors. You know, if my beer is not there, I'm going to be pretty disappointed. Right?

JM: We didn't touch all the important stuff. All right, Brian, so when we talk about the recent spate of ransomware attacks, who are the sources for these infiltrations? You know, what is the level of effort to issue them, what level of funding do they need, how are they able to attack such a broad scope of businesses?

BK: These actors are criminals. Some folks wanted to blame the Colonial Pipeline intrusion on the Russian government. And while the Russian government allows them to operate kind of with carte blanche access to the rest of the world, as long as these criminals kind of stay off Russian soil, then the two business models don't really conflict. So the criminals, as long as they don't intrude and ransom Putin's interests, he is not going to rein them in; there's no incentive for the Russian government to stop the ransomware criminals operating from their soil. There just isn't. Like I said, this is a business, and these ransomware actors have created this ransomware-as-a-service model. And so you have one group that supplies the infrastructure, and then they recruit customers that then turn that ransomware-as-a-service tool against some victims, and then there is some splitting of the profits from a successful ransomware extortion. So they don't need funding from the Russian government; they just need to be left alone. And these criminals are smart enough that they're not going to attack Russian entities. And it's been reported that some of this ransomware, the malware, actually does look for certain indicators of where the system is. So, it checks for Russian language packs on Windows, it looks at the IP address, if the public IP is a Russian ISP, or it's in one of the countries in the sphere of influence, the Commonwealth of Independent States, like Belarus, Kazakhstan, and things like that. If it's in that near abroad for Russia, then the malware doesn't execute. So, the ransomware, technically and strategically, you know, they are staying out of Russian targets so that they don't mess with Putin's business model. You know, as long as they keep their businesses independent, all good as far as ransomware criminals are concerned.

JM: And I was gonna say it's safe to say, too, if these attacks are being launched against United States enterprises, and you know, industrial companies, or our allies, that's not something Russia is necessarily concerned with, because there's some destabilization there. So I suppose there's a motive there as well.

BK: Yeah, exactly. You know, creating some chaos on US soil fits into Russian strategic goals. Absolutely. And we don't have, as a country and as the West, so NATO countries, the US, the Five Eyes countries, we don't have publicly available red lines, like if a Russian criminal does X on American soil, then there is going to be some response; maybe it's a physical response, maybe it's sanctions. You know, we have a wide range of responses that we could take in these incidents, and we haven't figured that out yet. If a terrorist launched an attack from Russian soil and blew up a pipeline in the United States, we would work with Russian authorities, probably, to extradite that person; we tend to actually cooperate on terrorism. But now we're talking cybercrime. And while we have some metaphors, I think, for things in the physical world, I think it's just different enough that we can't apply the same kind of frameworks that we would use for terrorism; it doesn't cross the same line. While some of the effects might be kind of similar, I don't have to rebuild the pipeline that a terrorist blew up. That pipeline is offline for a very long time till it gets rebuilt; Colonial was back up and running within a week. So it's different, and it's somewhat deniable. The victim, in this case Colonial, can't necessarily say it was this person sitting in this town in front of this computer. You know, private companies just don't have the sources and methods to get to big-“A” attribution, like the actual hands-on-keyboard operator that executed the attack. They don't have that. And for certain reasons, it will take a while for the FBI to identify that criminal, and even then, to protect sources and methods, some of that information may never become public. 
They'll take what public information, what unclassified information, is available and use that for indictments, usually, and so we have a very hard problem deterring these types of crimes, you know, yeah.

JM: Hey there, just a quick break from the podcast to bring you this interesting ransomware historical note. According to digitalguardian.com, the first known ransomware attack was initiated in 1989 by Joseph Popp, PhD, an evolutionary biologist who carried out the attack by distributing 20,000 floppy disks to health researchers, spanning more than 90 countries, claiming that the disk contained a program that analyzed an individual's risk of acquiring disease through the use of a questionnaire. However, the disk also contained a malware program that initially remained dormant in computers, only activating after computers powered on 90 times. After the 90-start threshold was reached, the malware displayed a message demanding a payment of $189 and another $378 for a software lease. That pales in comparison to today's ransoms. But this ransomware attack became known as the PC Cyborg. Do you have an interesting security story to share? Reach out to us at lockandshield@team.neustar.

JM: How do you see government authorities becoming involved in addressing if and when ransoms are paid? Because we know Colonial paid, and it sounds like JBS paid. You know, do you see more legislation or regulation or policy around that, where the government would be advising on if or when to pay?

BK: The FBI's position is don't pay. Not that there isn't nuance there, of course; they understand that certain things have a lot of value, and there could be safety and health issues involved there. And so they advise not to pay, but they understand if you have to. Right. Some folks have said we should outlaw ransom payments. Like, well, what if I was a pharmaceutical company designing and manufacturing a vaccine that was in extremely high demand right now around the world? What if I was Moderna or Pfizer or AstraZeneca? Novavax, I think, is the other one that's got a phase three trial out now. You know, what if I was one of those companies, right? And all my research into that lifesaving vaccine was ransomed. Are you telling me that you would put the company's owners in jail if they pay a ransom to get that research back and continue working on this lifesaving vaccine or that lifesaving cancer treatment? No. I don't think anyone in their right mind, when you start to frame it in that specific scenario, then it's like, yeah, well, okay, maybe we don't make it illegal. We should deter it, obviously; in general, don't pay. Right. I think if you force some kind of reporting, you might end up learning less about it, you know; there would be somewhat of an incentive to not report, right? So what if I can get away without reporting? You know, I might do it, because there could be harm to my brand's reputation if I do disclose that we've had a ransomware incident. What else can the government do? Some folks said, oh, it's amazing, the FBI was able to get back like 60% of the Bitcoin, right? This is awesome. Yeah. That was the exception. It's not the rule. Now, the FBI has done it before; it just hasn't been as high profile. This is, I think, the most high-profile seizure of Bitcoin paid out by victims. This is not the rule going forward. This is not standard practice. 
If in the process of investigating the breach they happen to find a private key or get access somehow, cool. But no one should plan on the FBI recovering ransom.

JM: And on that note, let me ask you, because I think a lot of people saw that report where, yeah, over 60% of that ransom, $2.4 million or so, 2.3, was recovered. What's the sense in the industry? Is it understood, like, hey, guys, that is the exception here? The FBI did, you know, a great job tracking that down. Is that understood, like, don't count on this? Or was there a sort of a "there's a way out of this" sense?

BK: I don't know for sure. I know there were a lot of people that said this is the exception, like, don't bank on this, guys. I mean, I was writing about it. I know others were. But you know, CEOs and board members probably aren't reading my tweets. So, if they listen to this podcast, yeah, there we go: this is the exception, not the rule. Hopefully they'll see this too. I would suspect, though, that some board members and C-suite type folks probably do see that and think, oh, that's part of our plan now; just have the FBI fix it for us. Right. I hope they're not doing that. I'd say there's probably a number north of zero of boards that have worked that into their incident response plan now. I hope it's very low numbers. I hope they do realize that this is not common; it's not always possible. Let's hope that common sense prevails. Right.

JM: Yeah, absolutely. I was wondering, too, if you have a sense, like, you know, we know these ransoms are paid. And you mentioned the marketplace there where there are brokers who can launch the attacks based on the needs of others. I mean, is there concern, how big is the concern, that maybe these ransoms will find their way back to, say, more formal, what we'd consider terrorist organizations that might issue physical attacks? Like, is that a concern that comes up when we talk about paying ransoms for these attacks?

BK: I have heard that mentioned. The US government did say they're going to prioritize ransomware and these extortion types of events at the same level as terrorism. Perhaps some people read into that, thinking that ransomware criminals and terrorists are intertangled now, are working together. I've seen nothing that supports that. I think it would actually be bad business if the ransomware folks did start working with transnational terrorists. I think that'd be bad for their business, because if I could use terrorism authorities and partnerships to combat terrorism, if I can tie some ransomware group to terror activity, now the Russian government may be willing to play ball and actually extradite one of the criminals. So, I think it's really unlikely that ransomware operators are sending some of their proceeds to terrorists. It just doesn't make good business sense to me.

JM: Got it. Okay. Well, we've talked about the problem and the scope of it. I guess the next question would be, how long until we have sort of, you know, ubiquitous solutions or processes in place to stop these? I mean, in my mind I'm thinking of DDoS, which started to be a major problem two decades ago; by the late 2000s DDoS became a major disruption to businesses, but we have solutions in place largely to mitigate those, and we do hear about them, but the impact seems to be less and less. What about the ransomware attacks? You know, where do we stand there, defending against them?

BK: That's the $64,000 question, John. Yeah, I wish there was a DDoS model where we could just put some control in and pretty simply reduce the impact of a particular type of attack. And you know, because DDoS is volumetric, coming over the wire, it's pretty easy to spot, pretty easy to mitigate, I think. Ransomware is different, though, of course. Over the wire, what maybe looks like a ransomware actor could just be some state-nexus, you know, espionage going on; could be a criminal that maybe doesn't want to extort, maybe it's just going to steal some data and then resell that, maybe it's payment card data. So, over the wire, I don't know that we can filter out these things, right, and do some DDoS-type solution. Even on endpoints, you know, it's hard to understand until you see ransom notes and you see your company's name appear in that ransomware list of victims that you kind of know what's going on here. So there's not one control that's going to, I think, resolve these. What we do, of course, advocate at Forrester is the zero-trust security model. And while zero trust may not prevent all breaches, it will reduce the impact of those breaches.

JM: Got it. And I guess let's pull on that thread. Let's talk about that. At the most basic level, what is the zero-trust security model?

BK: Yeah, so the zero-trust security model is based on a few principles. We assume that all networks are untrusted. Least privilege is required. And we assume breach. So, digging a little deeper in there, right? We used to consider our corporate on-premises networks as trusted networks, right? We tend to have that hard, crunchy exterior, like an M&M, and inside was nice and chewy, you know, and soft. We trusted the inside, right. But we have insider threats, and once external threats are in our network, they start moving laterally throughout our network, searching for critical data and critical business processes and things that they can steal or impact and hold for ransom and whatnot. Least privilege: we don't want to give people access to something solely based on the network they are on at the moment. And traditionally, we thought about this as your coffee shops and your hotels and airport Wi-Fi as well. We don't want to trust those, right? You know, so we do VPNs. When you're at the hotel, you get your connection, you've got your captive portal, you authenticate there, then your VPN kicks on. And now I'm safe, right? I'm back in the corporate network. Everything's awesome. I can trust this. Right? Yeah. Not a good strategy these days, right? All of us at home: are our home networks really trusted, right? So many of us, you know, knowledge workers, are still sitting at home, using their residential Wi-Fi networks. But we have our kids running around, and our spouses; I don't know about you. I mean, I'm just in such a habit from being an Army intel officer that the second my butt leaves my seat, I hit Win+L and I lock my screen. It's such a habit; it's been ingrained in me. But how many people are securing their system while they get up to use the restroom, to go make dinner at the end of the business day, right? And your kid could come behind and screw things up. 
Your spouse might come by, and maybe you've been living together non-stop for 18 months, and they're fed up with you. And, well, I'm going to send a nasty email to, you know, the spouse's boss and get them in trouble. Maybe I'm going to start stealing data, because there's plausible deniability; you know, it's not their system, it's the spouse's. And so, you know, maybe they've learned enough by hearing all the phone conversations, and they're like, oh, if I just go to this site and I look for this, I'll find all that sensitive data. And, you know, you may have this kind of weird insider threat scenario where it's your spouse or a child that is taking advantage of your access. So just because you're at home doesn't mean that any organization should trust that home network. Assume breach, right. We're not going to stop all the breaches. If we start from the mentality that there's likely a threat with some access to our network, now we're going to be vigilant, and we're going to think holistically about our security. So, we're going to look at the zero-trust extended framework model: data is at the center. That's what we're trying to protect, and what talks and works with the data, right? People use data, their devices store the data, the data goes over networks, and workloads process the data. So unlike defense in depth, which is more just let's build lots of layers of security controls, zero trust orchestrates and automates all these things together, right. So, we can do more risk-based approaches to ensure that someone is authorized to access certain data, regardless of where they are in the world.

JM: Got it. And that would, you know, if I use the example of myself, and obviously I've been working from home here through the pandemic, so just by virtue of the fact I am VPNed in, I shouldn't necessarily have all the keys to all the candy stores here within Neustar. Right? Right. It should always be, whether I'm in the office, out of the office, on my mobile device, there's some understanding of: John does this. This is John's role within the company. He has this privilege, regardless of where he is. This is the privilege he should have. Not more, to your point. The least privilege needed. Yep. And then I'm assuming, too, there are other checks around, you know, probably endpoint checks around: is this device kosher? Is it up to date with iOS, etc.? Is it acceptable? But ultimately, we're talking about the individual accessing, or an application accessing, a process. Exactly. Yep. Well, on that note, yeah. And you talked about automation, orchestration of the zero-trust security model. What are some of the biggest misconceptions about this? When you're talking with C-level folks or CSOs, what are the big misconceptions they might have about this? Because when I hear orchestration, I think automation, I start to think new equipment, I start to think dollar signs. Yep. So, what are, you know, is that the case? Or is there something here that is more simple than I'm thinking?

BK: So Forrester has been championing zero trust for over a decade now, going back to Kindervag, and then most recently Dr. Chase Cunningham. And now we're really spreading the wealth in zero-trust research at Forrester. And we have a report out from last year about myths around zero trust. One, you have some vendors that are marketing zero-trust technologies, right? We do have zero trust network access vendors out there, ZTNA. There are a few other vendors, I think, that are offering some kind of zero-trust thing, right. With Biden's executive order mandating zero trust for federal government networks, we're probably gonna have a lot more marketing focus on zero trust; you know, it is what it is, right. So, understandably, a lot of buyers are going to see dollar signs, right. But the myth that zero trust requires a complete re-architecture, a new technology stack, you know, is just inaccurate. So, everyone probably has a lot of things available already that they can use to start their zero-trust journey. Most of our systems have some kind of role-based access, right? So, give people just enough access to do their job, right? Routers have access control lists; you know, if a network doesn't have any business talking to your network, write an access control rule that says network X doesn't have to talk to me, right? If you only do business in France, do your networks need to talk to North Korea? No. You know, so let's shrink the needle stack, if you will, right; let's shrink that. It makes it easier to find bad, right? Of course, there are ways around that. People say, well, you know, I'll just set up a VPS server in your country. Well, yes, that's going to happen, right? We still treat all networks as untrusted. So, you know, but we use some of our built-in tools, right? Account segregation is something huge. We talk about this a lot. 
My colleagues Sean Ryan and Andras Cser talk about this a lot. Coming from the utility space, we did this pretty well; this is one of the things I'm really proud about at the old company, that we segmented our user accounts based on role. So everyone had, of course, their corporate account that they logged on to for email and whatnot. If you were an admin on some server, you had an admin account that had totally unique credentials, and those were managed with a privileged access management tool. Coming from the utility side, if you were in electric generation, you had an account specific to that domain. Transmission, another account, very specific there. So, if my user account got compromised, it would have no access to any transmission stuff, which is part of the bulk electric system, highly regulated, and very bad if that goes down, right. So, by segmenting all these accounts, I can't hop from phishing Brian to turning the power off. I'd have to go through so many different steps; I'd have to find someone with the right access, then I'd have to actually manipulate them into getting their other account info and that other credential. And so we made it really hard. And that's not really defense in depth. That's more zero trust, right? Least privilege. You know, my general user account has only enough privileges to do my basic business tasks. And then I have specific accounts that do other things, like cloud things and admin things and generation things. You know, if you have the right tickets, of course; and I had some IT, some security admin stuff and some cloud stuff. I had nothing on the ops side, because I didn't touch all that. I was there, you know, to do threat intel, of course. So, I didn't need access to that. Why would you give me access to that? I would only cause damage. 
So account segregation is basically free. You know, it doesn't cost much to set up new accounts in Active Directory. So do that. Don't use the same account to admin a router as you would to check email and browse the web. It's really that simple, and it's really that cheap. Multi-factor authentication is not all that expensive either, especially for those privileged accounts; use MFA. Other things that are important: asset discovery is huge. You can automate with PowerShell and start automating pulling down all your assets, right? That's not too terribly hard. There are a lot of things that you probably already have in your environment that you can use to start on your zero-trust journey.

JM: Yeah, as you're describing the segmenting of applications and access more specifically, I'm reminded of the hack that occurred probably about six years ago now at a major retailer in the United States. Let's just say their point-of-sale system and credit card information was stolen; the entry point was determined to be their HVAC system.

BK: Yep, it was. Third-party risk is huge. You know, coming back into the utility space, this is how the Russians were doing it in 2017. They were intruding upon a lot of suppliers to electric utilities, and then violating that trust relationship we have with that vendor; we were very well defended, right. One of our biggest weaknesses, in any utility, any critical infrastructure, is the supply chain. And again, yeah, have zero trust on your suppliers. You know, don't always trust them; they should go through the same checks that everybody else goes through. Their access to your network should never be based on where they are in the internet. So, relaying this back to the account segregation and MFA: if you have a third party that's coming in to do maintenance on some critical infrastructure, make sure that that account is unique, make sure that you're using MFA, make sure that they are dialing in from an acceptable place in the world, right? Let's dilemma this, you know; I mentioned untrusted networks, sure. We don't want to always trust that vendor's network. But maybe we don't want that vendor dialing in from Sri Lanka, or something, or South America somewhere, right? They shouldn't be remoting in when they're on vacation. So, you know, let's say, hey, you've got to be on your company's network in order to VPN into our systems. And then some folks go as far as the customer physically retaining the second-factor token. And so the contractor then authenticates with username and password, has to call the customer, and then authenticates over the phone and gets that second factor, that six-digit code. So you can do a lot of zero-trust-like things, you know, even with your third parties. The other thing that I did from the threat intel perspective is I looked for new domains mimicking our suppliers. And I would proactively sink all those domains. 
Phishing, you know, most of us look for infringement upon our own brand, which is smart; you should do that. But mostly, those abuses are used to target your customers, your peers, your partners. So conversely, I'm looking at those folks; I'm looking at my infrastructure providers, my ICS OEMs, at the last job, and I would proactively block new infrastructure that is mimicking our big suppliers. That's hard to scale; some suppliers come and go. But that's a good strategy, right? We blocked a lot of stuff that way. And again, you know, that's not necessarily not trusting my vendor, but that's just not trusting every domain out there. So that's another good strategy that we used to help reduce third-party risk.

JM: So I can say that one hits close to home for us, because obviously, within the Security Intelligence business here at Neustar, we have our own sort of DNS UltraThreat Feed intelligence that we provide. And that's certainly one of the use cases we talk about with our customers about how to protect their supply chain: mining sort of newly observed domains for look-alikes of your supply chain, and even of your own brand. So you don't get fooled, nor do your suppliers get fooled when interacting with sensitive information. Now, I think you said this, but I do want to touch on this. You know, obviously in the last 10-15 years, there's been a migration into more of a hybrid model of infrastructure, right? Moving from strictly on prem now to cloud services and having a hybrid of them both. That doesn't preclude having a zero-trust policy, right? You can have that environment and still follow the zero-trust policy?

BK: Correct. In fact, zero trust helps you get, I think, to that hybrid place, right.

JM: Hi, it's John again. As we talk about ransomware and the zero-trust security model, I wanted to let you know that Neustar offers a broad range of industry leading security products and services to meet the needs of your enterprise. Neustar's UltraGeoPoint provides unparalleled accuracy and an extensive list of contextual fields to leverage IP decisioning data for your security, fraud and compliance needs. UltraGeoPoint is complemented by UltraReputation, our data set identifying IP addresses likely to be malicious. We also offer UltraDNS to manage your critical domains, ensuring they're always available and secure. Neustar's portfolio of application security products, which includes UltraDDoS Protect and UltraWAF, utilizes deep insights of network traffic to ensure users' digital networks are secure across all touchpoints. Newly augmented with the robust bot management capabilities of UltraBotProtect, it becomes even more powerful. To learn more about Neustar's lineup of security products and services, please visit home dot Neustar and navigate to the security solutions section. Now back to the podcast.

BK: For an IT org that is mandating, like, VPN, yeah, you're routing your traffic from your home through the corporate VPN, and then out to, like, Azure, or GCP, or AWS, or something. Very inefficient. By using a zero-trust model, you know, we can get rid of that VPN; we can improve the employee experience by reducing the friction to access all those cloud applications that we have built in the last, you know, 10 years but have accelerated in the last 18 months. So, we have some research out on zero-trust and employee experience, and how ZT enhances EX, how it makes it easier to be an employee of your company.

JM: Well, on that note, then, based on your conversations with enterprises, you know, where are we on the journey to having widespread acceptance and adoption of this security model? And let me ask this, too: is ransomware increasing the interest in adopting the model?

BK: So, I'll answer the last question first. I think it's clear from the Biden Executive Order that mandates zero trust architectures for federal networks that ransomware is driving a lot of that. The ransomware, we'll say epidemic, is driving that executive order and a lot of the mandates from that. So absolutely, more ransomware, we're getting more interest in zero trust. 100% there.

JM: And just, you know, to that point, then, you're seeing more interest overall in adopting these policies in the enterprises you're talking to? Is that the case now versus, yeah, versus 24 months ago, when we really weren't talking about ransomware? You're seeing some momentum there?

BK: So, I've only been at Forrester for 18 months. So that's as far as my Forrester history will go back. Zero-trust is already a big thing amongst Forrester clients. That's a big reason why they came to us. Now, obviously, people outside of Forrester are talking about it, a lot more vendors talking about it. Other firms, you know, are talking about it. And of course we have government folks talking about it. I know before I landed at Forrester, the Department of Energy had set aside some research budget for zero-trust for critical infrastructure. So this does go back. It's not like a new thing from just six months ago. This has been building over more than a decade, this interest, right? And zero trust has evolved. It was very network centric for a while; now it's more holistic to cover, like I said, the workloads, the devices, people and networks, of course.

JM: Got it. I guess with that, Brian, we're just about out of time for today. Before we go, how can listeners learn more about the cybersecurity research you're performing with Forrester? How can they get ahold of you?

BK: Yeah, I mean, Google is your friend. You know, there are not a whole lot of Brian Kimes in the world; there's only one that works at Forrester. So that's the simplest way: Brian Kime at Forrester will find me. I have some public blogs out there, some that tease research, some that are just, you know, my own hot take on a current issue like Colonial Pipeline. But do follow me on social media, both Twitter and LinkedIn; you can find me at Brian P Kime. I am in the middle of industrial control systems market research right now. So, I'll be looking at a lot of vendors that help secure critical infrastructure. And then I'm getting back into some vulnerability risk management research late in 2021 and 2022. So, a lot of things coming here. I haven't forgotten the threat intelligence stuff either. So, I've got some ideas up here. And I may be able to get to some more threat Intel research, get a little more technical and provide some tools for folks to improve their threat intelligence capabilities.

JM: Very cool, and I'll say we'll put a link to your Twitter handle as well, you know, some of your blog posts, in the show notes. But with that, Brian, many thanks for joining the podcast today.

BK: John, thanks for having me. It's been wonderful.

And thank you all for listening to the Lock and Shield Podcast presented by Neustar. We look forward to talking to you next time. Thanks.
