Zero Trust: One Ciso's Journey: John McLeod CISO at NOV
Rick Howard: In my last job, I was the chief security officer at Palo Alto Networks. I worked there from 2013 until just before the pandemic hit. But for those who don't know, back then, Palo Alto Networks was and is a big player in the application firewall market. Today, they do all kinds of things, but back then, they were mostly known for firewalls. The idea of zero trust hadn't really caught on yet by the masses. John Kindervag wrote the initial white paper back in 2010 when he worked for Forrester. And Google reengineered their entire network based on zero-trust first principles after they got hit by several Chinese attack campaigns that same year that came to be known as Operation Aurora. But for the rest of us, zero trust was just an idea that was still on the front side of the peak of inflated expectations on the Gartner hype cycle. We hadn't even got disillusioned with it yet because, practically speaking, nobody was pursuing it.
Rick Howard: But the Palo Alto Networks CTO, Nir Zuk, and the chief product officer, Lee Klarich, had already built in features to the firewall that could aid their customers on the zero-trust journey. And they wanted a way to demonstrate how the internal Palo Alto Networks security team used the firewall to pursue our own zero-trust journey. They even hired John Kindervag to come in as a company evangelist to help explain. It turns out that application-layer firewalls are ready-made to facilitate zero-trust functionality. And not just the Palo Alto Networks version, but all the firewall vendors can do this - Cisco, Juniper, Fortinet, Check Point and the rest. Application firewall administrators create rules based on the application running through the firewall platform tied to the authenticated user. In that world, everything is an application. Joe from accounting using the Expensify SaaS app is a monitored application. Sally from sales browsing LinkedIn for leads is a monitored application also. Fred from the cafeteria printing the day's menus is a monitored application. And Ruth from IT pinging a host across the network is a monitored application, too. Literally anything and everything that a user or device or software component does that generates network traffic that crosses the firewall is a monitored application.
Rick Howard: We discovered quickly that by just using the security tool we already had in place, our own application firewall, we could get a long way down the zero-trust journey without having to buy and deploy another complete set of technology. All we needed were people and processes. And since we use the same firewall for all of our data islands, cloud, SaaS, mobile and the data centers, we only had to create the rule set once as a policy, and the system would then propagate the rule set to all of the data islands for us. The end result was our new zero-trust mindset or at least our start to it. But it's been a number of years since I did that, and this "CSO Perspectives" podcast has been me explaining the concept of zero trust without a lot of practical discussion about what works and what doesn't. It was time to invite somebody to the Hash Table who has actually done something useful with the zero-trust strategy, actually deployed things to get it done. For today's episode, we're going to get down in the mud with another CISO who's had some success with these ideas. So hold on to your butts.
(SOUNDBITE OF FILM, "JURASSIC PARK")
Samuel L Jackson: (As Ray Arnold) Hold on to your butts.
Rick Howard: This should be interesting.
Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old US of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis.
Vikrant Arora: Zero trust is one of our principles under an overarching risk-based security strategy. And our main impetus for pursuing it is to provide a delightful and trustworthy digital experience for our employees and consumers. The idea being that the more we can trust an identity, device or a session, the less friction we need to add from a security standpoint.
Rick Howard: That was Vik Arora, the vice president and CISO at the Hospital for Special Surgery in New York City and one of our newest subject matter experts that join us here at the CyberWire Hash Table. And I love that he says that one of the main reasons for implementing zero trust is to provide a delightful digital experience for its customers and employees. How cool is that?
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, yeah.
Rick Howard: Before 2010, the most common defensive strategy was something called perimeter defense. I talked about this in our last episode on cybersecurity first principles prior research. The idea was that you built a strong electronic fence around your digital assets and allowed only authorized users and devices inside. The problem with that strategy is that it works fine until some bad guy gets inside the fence. Once in, they have access to everything. Think Edward Snowden. Ten years after the Kindervag paper, a lot of security practitioners, including me, thinks that idea is ludicrous, especially our guest today.
John Mcleod: So my name is John McLeod. I'm the chief information security officer for NOV. NOV is a global leader in manufacturing of energy equipment, anywhere from drilling equipment all the way to solar panels. I'm located here in Houston, Texas. And I've been with NOV since 2014.
Rick Howard: John has worked for Mandiant and Halliburton. And before he took the NOV CISO gig, he was the AlienVault CISO. I asked him if there was an event or something that made him a fan of the zero-trust first principles strategy.
John Mcleod: Yeah, Rick. The lightbulb moment was 2017 RSA Conference. I sat and watched the Google folks do a little presentation on their approach, BeyondCorp, and it was that lightbulb moment for me.
Rick Howard: Oh, I remember when they went through that. The security community started calling it Operation Aurora. A Chinese cyber unit - Unit 61398, part of the second bureau of the third department of the People's Liberation Army of China, or the PLA - targeted some 34 major companies, including Google, Microsoft and Juniper. And in the aftermath, Google said that the Chinese had three goals - number one, to get access to the Gmail accounts of Chinese human rights activists; number two, to get access to the legal discovery portal, the portal that managed requests for information from U.S. law enforcement pertaining to ongoing investigations; and finally, number three, from the targeted tech firms, they wanted their source code and their signing certificates. In fact, I just finished reading a Cybersecurity Canon Hall of Fame candidate book by Ben Buchanan called "The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics." Ben is now working for the White House as the director for technology and national security for the U.S. National Security Council. His chapter on Operation Aurora is fantastic. Because of the success of that Chinese offensive cyber campaign, Google's site reliability engineers redesigned their security architecture from the ground up using the zero-trust philosophy. And a few years later, they rolled out a commercial product called BeyondCorp based on that effort. Famously, the godfather of the zero-trust idea, John Kindervag, published his paper, "No More Chewy Centers: Introducing the Zero Trust Model of Information Security," around the same timeframe, but since then, the security vendor marketing departments have run the term zero trust through the meat grinder - so much so that many network defenders aren't even sure about what it is. If you ask any three of us to define it, you'll get three different answers. So, John, do you want to take a crack at how you define zero trust?
John Mcleod: Yeah, actually, let me go back in history a little bit. I've been an incident responder for quite a bit of my career. I started out in the Air Force. Then I became a consultant. Then I'm landed here in the energy industry. What is that common denominator? As I go backwards in time, you know, in the 1990s, we built these flat networks with a Windows domain - you know, just this flat thing where we - you know, we trust everybody.
Rick Howard: Oh, yeah, I remember them well. I remember them well. Yes, I do.
John Mcleod: And then here we sit, and, you know, 30 years later, nothing's changed, and it's about time we change. We can't rely on what we've done in the past. What is that quote? If you - you know, if you keep doing the same thing and expecting different results, that's insanity.
Rick Howard: I've been accused of that many times in my life.
John Mcleod: Well, we're - you know, I'm in this big, huge, global company. We're over 150 years old, so how do you turn a - you know, a big ship?
Rick Howard: Yeah.
John Mcleod: You know, as a CISO in a smaller company, when I was at AlienVault, it's easy. You know, we could turn the ship in a pretty quick amount of time. Matter of fact, if you read the book "Project Zero Trust," which I highly recommend, you know, George Finney talks about turning that ship around for his fictitional (ph) company in something like six months. But for a large, global company, it's really all about strategy. You've got to use zero trust more as a North Star.
Rick Howard: I'm so glad that you said that. Zero trust is a strategy, a philosophy. It's not a tool that you buy from a vendor and turn on and off like a light switch. I was talking to Steve Winterfeld about this. He's the advisory CISO for Akamai, my best friend, as most listeners will know, and the Al Borland to my Rick the Toolman. Here's what he had to say.
Steve Winterfeld: Rick, I think one of the key things to remember here is zero trust is an architectural design, not the tool you go and buy. And so you have to go through and figure out which approach you want to take. It could take multiple tools and is a program, not just something you can go easily buy and be done with.
Rick Howard: I talked about George Finney's book in episode one of this season called Students of the Game. In that episode, I said that George was a friend of mine and one of the smartest cybersecurity practitioners that I have ever met. And I was greatly relieved that his ideas on zero trust align pretty closely to what I've been talking about here on this podcast. And what makes his book unique is that he followed the model of previous technical writers who wanted to reach a wider audience by creating a novel as a vehicle to express the technical ideas he wanted to cover - just as Gene Kim did in his Cybersecurity Canon Hall of Fame book, "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win."
John Mcleod: So how do you take things like what Forrester developed - the seven elements - and then you kind of break it down to how it fits into NIST Cybersecurity Framework or the Cyber Defense Matrix that's out there, which I - again, another book, another concept that I highly recommend, and if you haven't read "Cyber Defense Matrix" or anything, I highly recommend that.
Rick Howard: The book John is referring to is called "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape" by Sounil Yu, and I've just started reading it myself. And the seven elements comes from Forrester, a leading global research and advisory firm and the company that published John Kindervag's original paper back in 2010. One piece of trivia here - you used to be able to get a copy of the whitepaper for free from the Forrester website, but when the CyberWire interns down in the sanctum sanctorum were doing the fact-checking for this episode, they noticed that Forrester now charges $1,495 for it.
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, no.
Rick Howard: I guess they realized they were sitting on top of a valuable piece of intellectual property. But over $1,000 for a 15-page research paper? I'm not saying this is price gouging, but sheesh, my mom wouldn't pay that for my own book, which, by the way, only costs $32 not only covers what Kindervag talked about in his white paper, but you also get all the other first principle strategies. I'm just saying. You can preorder my book over at amazon.com. The link is in the show notes. The Forrester seven pillars of zero trust are number one, workforce, number two, devices, number three, workloads, number four, networks, number five, data, number six, visibility and finally, number seven, automation and orchestration.
John Mcleod: What the Forrester method does with those seven elements - and then if you, again, standardize with the Cyber Defense Matrix, there's five asset classes. And then Forrester adds in visibility and analytics and then automation and orchestration, which is elements six and seven. Again, zero trust is our North Star, so how do we separate users from the resources? You know, why do you have to come in to work, log into this flat network, this Windows domain, and be on the same plane as the actual crown jewel or the actual resource itself?
Rick Howard: In hindsight, that we did it that way - it's ludicrous that anyone...
John Mcleod: It is.
Rick Howard: ...That we would let a bad guy walk right up to the valuable resource and knock on the door. That's - I mean, it's crazy talk. I can't believe we did that. So go ahead. I short-stopped you.
John Mcleod: No, no, no. I mean, it's a great commentary because you're right. It was ludicrous. I think we took - in the '90s, we took the easy button and we never really looked back at architecture.
Rick Howard: You're doing, then, identity and access management away from the workloads, away from the material data. So you're going to decide who the person is or who the device is, decide what they have access to and then let them connect to the thing they're trying to get to. Is that what you're talking about?
John Mcleod: Absolutely. We want to be a premier, identity-driven security team. And everything's about identity. You know, the - again, the days of that castle, that old '90s architecture - these walls, this network perimeter that we built are gone. They're really the - it's an identity-driven perimeter is really the future.
Rick Howard: After the break, I'll ask John about the other tactics he's using to pursue his zero-trust journey, including software-defined perimeter, single sign-on, two-factor authentication, software supply chain and cyber hygiene. Come right back.
Rick Howard: One name that describes what you've deployed is called software-defined perimeter, which is a horrible name because it has nothing to do with perimeter defenses at all. It's more like a "Star Trek" transporter device, where Starfleet officers walk into a transporter room, and the technician validates their credentials and that they're authorized to go where they want to go and then facilitates the trip. That's what these software-defined perimeter tools do. If that's the case, then, what you're saying is you can't really do zero trust without a robust identity and access management system.
John Mcleod: In 2018, we realized we needed to go down that zero-trust journey. Another epiphany moment is our on-prem identity solution could not bring us into where we needed to be in our journey, so we had to make investments in identity.
Rick Howard: Did you build it yourself? Or did you find a commercial product or somewhere in between?
John Mcleod: Well, like any other large companies, we just saw what was out there, and we narrowed it down to three different companies. And then from there we selected Okta as our identity provider. Now, you've got to remember we've got this - some customized on-prem stuff. Some of it was Microsoft Forefront Identity Manager, a great tool back in 2008, awesome tool, but it never kind of grew. So we - you know, it's a highly customized on-prem, and so we needed to get into the 21st century with better technology.
Rick Howard: So you have Okta doing your software-defined perimeter. That handles the identity and access management piece. Is there other tactics that you're deploying here that will improve the zero-trust posture?
John Mcleod: Yeah, absolutely. So from, you know, technology standpoint, you know, once we figure out what we do with our identities and we've made investments, obviously, multifactor authentication is a key here.
Rick Howard: Yeah.
John Mcleod: So whenever you're talking about single sign-on with Okta, we also want to apply certain things to that. Now, again, we're a big company, so we're not there just yet, but we want to kill the idea of a password. And you'll see it on LinkedIn and things like that all around, but Okta will get us to where we need to be with killing that password, but we need to make some changes with some of our other technologies in order to support that.
Rick Howard: So you can get to, you know, like, an 80% solution, and then it's an uphill battle to get the remaining historical legacy stuff you have? Is - did I understand that right?
John Mcleod: You're right. I've got a big, hairy, audacious goal to where I want to kill the Windows domain.
Rick Howard: Oh, wow. Nice. Yeah.
John Mcleod: But realistically speaking to what you just described, those legacy applications that still require a Windows domain - I really want to make that, basically, very secure with walls around it. And if you want to do anything inside of that Windows domain, it's going to be extremely difficult to do anything outside of business. It just is your business workloads.
Rick Howard: So you're using single sign-on to know exactly which people, which devices are coming in, and we give them specific permissions to get in there. Are you also including two-factor authentication in that piece, or is that a separate piece?
John Mcleod: Where we're going to be is we are going to use a combination between Zscaler and Okta to help facilitate conditional access.
Rick Howard: OK.
John Mcleod: Now, there's obviously some endpoint stuff that we've got to deal with. You know, do we trust the device? Or is antivirus running on it? And so we've got two other technologies that's going to help us in that aspect. And that's Microsoft Intune, great MDM solution, and SentinelOne. And so between these four products, we're able to get where we need to be with conditional access.
Rick Howard: Let me bring you back around to two-factor authentication. You get conditional. I like that. When I talk to people about this, they don't bring that up, but that's an excellent point. But have you moved the organization yet into tokens for two-factor authentication or something less than those things or...
John Mcleod: Yeah, luckily we - I guess in the 2015-ish type arena when business email compromise was starting to begin and we saw it on a rise, we started MFA and our two-factor authentication as many services as we could. So it's kind of interesting when I talk to some of my peers. They're only making sure that their elevated privileges or their administrator accounts are multifactor authenticated. We went and did everything.
Rick Howard: So you got physical tokens for those administrators, meaning that even if their accounts get compromised from, you know, Tajikistan somewhere, they still can't do the stuff they have to because they don't have the physical token to log in and do the stuff, right?
John Mcleod: Correct. Absolutely.
Rick Howard: Have you moved into the software piece of this, meaning protecting software? Because, you know, with Log4j and the SolarWinds attacks from last year, we're realizing that we have this giant supply chain of software that we're not real sure of. Are you doing anything there that will verify that the components that we are using internally are known, and then we have restrictions on things that those components can use?
John Mcleod: You know, I think software - or supply chain risk is the way I'll kind of word it - it's going to continue to be a headache. I think the way we conduct - and we as a whole industry conduct supply chain management from a cybersecurity risk perspective is broken. I think vendor management is broken, as well. And I don't have answers to any of it. We're still doing a lot of the things that other companies are doing, you know, managing by spreadsheets or trying to, you know, find some of the latest technologies to help us. But I still think those are the broken way to view supply chain risks.
Rick Howard: Are you dipping your toes at all into a relatively new idea of software bill of materials, these SBOM things?
John Mcleod: I'm waiting for others to get the headache over with, and then I'll just learn from them.
Rick Howard: Well, they're not ready for prime time yet. There's still standards being developed and stuff. And so we're a couple years away, I think. But just some folks I've talked to are trying to manage it themselves. And I agree with you. That's too much complexity for me. I'll let someone else figure out the details.
John Mcleod: Yeah. It's a huge migraine.
Rick Howard: Are there any other tactics you're using besides ones we've talked about so far?
John Mcleod: There is. So I'm a huge, huge believer in attack surface management. I think that if you're not using some sort of an attack surface management tool combined with continuous penetration testing, that's - to me, in my mind, that's the only way to make sure that the things that you poke out and you leave out on the internet is protected. You know, it's one thing to have a vulnerability, but is that vulnerability exploitable? And that's where attack surface management comes into play.
Rick Howard: So it's more than just keeping a list of all the vulnerable pieces of software out there. It's applying that to what's the most important, what's most likely to get hit and making some smart decisions about all that.
John Mcleod: Exactly. I may already have compensating controls out there where I could sleep at night, you know, let's say with Log4j vulnerability, you know, or something like that. So it really just depends on the situation. Ultimately, we do have a concept that we're trying out. It's going - we call it going dark. Why do all of our systems that's currently out on the internet - why do they need to be on the internet? Is there a way for us to make them dark to the internet but also accessible to our customers? And we're still going to do a few tweaks, but we're getting there.
Rick Howard: Well, with your software-defined perimeter, that gets you a little of the way there - right? - because they're not visible to anybody in the world. But is there more to it than identity and access management? There's extra steps you can do to go dark?
John Mcleod: Well, there's - the two biggest technologies that we're using is Okta in combination with Zscaler. Essentially, if you go in our guinea pig - is what I call this this website, if you try to attack it, you know, a month ago, you're going to see a vulnerability. Today, what you're going to see is Zscaler's IP range. It's not ours. And really - and then, of course, Zscaler then presents Okta's - it's called customer identity access management, CIAM. So it then presents you with Okta's prompt for logging in. And then it's really up to our customers whether or not they want MFA turned on or turned off. It's up to them.
Rick Howard: So it feels like you're a long ways down this zero-trust journey. How long does it take you to get to even this - I know you've got more work to do, but how long has it taken to get to this mature architecture?
John Mcleod: Well, you know, when I look back and I try to tell my peers how to accelerate, really, the first two years, 2018 to 2020, was all trying to convince people that zero trust was the right journey. And I'm glad that George Finney wrote that book because I'm going to highly recommend it to everybody, and I think it opens people's eyes. So I wouldn't say we wasted two years, but the first two years was evangelizing where we needed to be. And then so these last three years - or last two years, however you want to count your numbers - it has been about making those investments in the right technologies and then, you know, keeping the ball moving forward because there will be lulls in your journey. We still have a long ways to go because we are a 150-year-old company.
Rick Howard: So you had two years of prep, and then you had the COVID years - right? - that got to - because you were doing that during COVID, right?
John Mcleod: We sure were.
Rick Howard: (Laughter) Oh, my goodness. Amazing. All right. So you've had some success here. What would you tell your peers about why zero-trust projects fail? What would - what are some of the things they should avoid so that they can be on the same path that you are?
John Mcleod: You know, what I've run into is the human, the employee. It's your network engineer who might be into an all-monolithical (ph) network and not thinking outside the box that there's, you know, a software-defined network that's out there. Or you might have somebody that's in another monolithical-type mindset where this vendor is the only vendor that can solve for this particular problem. You've got to think outside the box when going down this zero-trust path. The key is you want to minimize the blast radius. So in order to do that, you have to go outside your norms and conquer some of those people that only think - I'll say think inside the box, kind of like the "Silicon Valley" show with pied piper. But you got to think outside the box, and you got to show people to think differently.
Rick Howard: I've been talking about the merits of a zero-trust first principle strategy for a long time, trying to convince security practitioners that this was the way to go. It's fabulous that some of us have gone a long way down that path, proving that it's absolutely possible to deploy zero-trust architecture. John's efforts at NOV are remarkable, even more so when you consider that he and his team did the bulk of the work during COVID. Nicely done, sir. And I wholeheartedly endorse John's recommendation about reading George Finney's book "Project Zero Trust." Since Forrester's charging big bucks to read John Kindervag's original paper, you might as well save a few pennies and buy George's book and my book on first principles. Links are in the show notes. Let me do the math for you here. You can get both books and save over $1,000 compared to the Forrester paper. Even this math-challenged CISO can figure that out.
Rick Howard: And that's a wrap. Next week, we're going to roll out a Rick the Toolman episode and check in on the current state of SASE, or Secure Access Service Edge, and its younger sister, Security Service Edge, or SSE. You don't want to miss that. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I'm Rick Howard. Thanks for listening.