Jun 6, 2021
Full show notes are available
The EO from President Biden asked for a plan to create a Zero Trust implementation in the next 90 days (well, 70-ish days now… as of 23 May).
“CIO: Zero Trust is the
What is the optimal (read: easiest) Zero Trust configuration?
Are there different ways to implement Zero Trust?
- What is ZTA
are your users?
- Devices in use?
- Device attestation/health checks
- Applications exist?
- Not just into/out of the traditional LAN network - do you understand dependencies of applications and databases and how the traffic flows?
- Connections exist?
is the data/traffic? coming from?
is this activity occurring and what
Need to balance the access to technical resources in a rapidly evolving and dynamic business landscape that ceases to exist within the confines of normal
Mobile workforce - how much work can you get done without ever getting on the VPN?
- IT Hygiene
- Zero Trust REQUIRES the pre-work of establishing baselines. You cannot detect abnormality in the absence of normality.
- Policy should exist to drive what the specifications of a baseline system, server, application, etc. will
- Network traffic, endpoint performance, SIEM tuning, endpoint agent/software accountability
- ZTA is less useful if you're not doing basic patching, application updates, and allowing local admin on the
- Legacy Systems:
- Not designed with this approach in mind, and often costly to modernize.
- Where are your assets and how are they used? A “rough estimate” of endpoints is never good enough.
- What are you logging? What AREN’T you
- Asset Management
- Stale accounts, service accounts, HR Workflows
- Limitations of admin rights
- Local admin/password expiration issues for
- User rights auditing
- Human resources/talent support/$$$/Buy-in for retrofitting applications that are “working just fine” is a huge political/business hurdle.
What can you move from traditional off-prem solutions to cloud-based services (more up to date, regularly reviewed for security vulnerabilities, offloading responsibility of maintenance, SSO capabilities)
- Where to go
- MFA is a MUST. No, it's not perfect, but it is one more layer in efficacy.
- Identify data owners, make them responsible for RBAC development with technical departments.
- Quantify risk associated with mishandled resources for crown jewels (see previous section on
- Change control around permissions,
- Security as an active participant in the development/acquisition of new products, software, services, or organizations. Like remodeling a house, it is much easier to build security into the process than to hire someone to retrofit it
- Have discussions around REAL RBAC needs BEFORE implementing a solution. It is easier to expand permissions than it is to take them away. Resist the idea that the
of broad stroke permissions is
always the right choice.
- What auditing are you doing? Have you baselined behavior? Where are your logs going, and WHO IS RESPONSIBLE FOR
- Asset Inventory (again)... Then…
- Applocker/Application Controls
- Lather, rinse, repeat.
- It’s hard, it’s time-consuming, and it requires a LOT of support for business unit owners.
- DLP Classification
- Capture metrics, then set KPIs and regular check-ins to reduce MTTP/MTTR/MTTD
- Manage the Endpoint: Stop thinking about the perimeter as your weakest point. The endpoint is critical and increasingly vulnerable, mobile, out of traditional “control”. Real time, actionable data and capabilities are critical to remediation and progress.
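As an added illustration (not from the show or these notes) of two points above, the "who / which device / from where / when" questions and the rule that baselining must precede detection: build a per-user baseline of devices, source networks and active hours from historical logon records, then flag new events that fall outside it. The record fields and sample values are constructed assumptions for this example, not any product's schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, device, source network, ISO-8601 timestamp)
HISTORY = [
    ("alice", "LT-0142", "10.20.0.0/16", "2021-05-03T08:15:00"),
    ("alice", "LT-0142", "10.20.0.0/16", "2021-05-04T09:02:00"),
    ("alice", "LT-0142", "VPN", "2021-05-05T18:40:00"),
    ("bob", "WS-0207", "10.20.0.0/16", "2021-05-03T07:55:00"),
    ("bob", "WS-0207", "10.20.0.0/16", "2021-05-04T16:10:00"),
]


def build_baseline(records):
    """Summarise the known devices, networks and active hours per user."""
    base = defaultdict(lambda: {"devices": set(), "networks": set(), "hours": set()})
    for user, device, network, ts in records:
        entry = base[user]
        entry["devices"].add(device)
        entry["networks"].add(network)
        # Hour-of-day granularity keeps the example short; a real baseline
        # would use windows per weekday rather than exact hours seen.
        entry["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)


def flag_deviations(baseline, events):
    """Return (event, reasons) for every event outside its user's baseline.

    A user with no baseline is flagged as well: an account nobody has seen
    active before is the stale/unknown-account case from the notes.
    """
    findings = []
    for user, device, network, ts in events:
        reasons = []
        known = baseline.get(user)
        if known is None:
            reasons.append("no baseline for user")
        else:
            if device not in known["devices"]:
                reasons.append(f"unknown device {device}")
            if network not in known["networks"]:
                reasons.append(f"unknown network {network}")
            if datetime.fromisoformat(ts).hour not in known["hours"]:
                reasons.append("outside usual hours")
        if reasons:
            findings.append(((user, device, network, ts), reasons))
    return findings
```

Each flagged event carries the list of baseline dimensions it violated, which is the "real time, actionable data" the endpoint point asks for rather than a bare alert.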