Get ready to embark on an enlightening journey with our guest, Huxley, a seasoned cybersecurity professional known for his extraordinary career path. From manipulating dial-up ISPs as a teenager, to landing a serious role in the field through a thrilling discovery, Huxley's tale will bring you to the edge of your seat. We dive deep into how he overcame fear and uncertainty while dealing with the unknown, and how he relishes the thrill of unraveling complex cybersecurity puzzles.
Our conversation spans the significant consequences of ignoring account management. Listen to compelling anecdotes underscoring the importance of disabling employee accounts after their departure. We also retrace Huxley's time at Cisco, discussing how the tech giant transformed into a security services provider. We also delve into the real-life repercussions of lax security practices, illustrating how even large corporations can suffer monumental losses.
As the conversation unfolds, we chart the evolution of cyber asset management. We further explore how Cisco expanded its security product portfolio and how Rumble Network Discovery transformed into RunZero. We highlight the necessity of securing all devices in an increasingly interconnected world, from office networks to personal devices and IoT. As a cherry on top, we'll delve into how RunZero assures complete network coverage, reducing the risks and reinforcing the importance of protecting an organization's attack surface. Tune in for a gripping and enlightening conversation about cybersecurity and asset management.
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, huxley?
00:00:01
It's really good to finally have you on the podcast here.
00:00:04
I feel like we've been trying to schedule this thing for quite
00:00:07
a long time and I just kept on getting sick.
00:00:10
I had a kid, I got a million excuses, but I'm really glad
00:00:15
that you're here and that we could finally talk.
00:00:17
Speaker 2: Yeah, absolutely, joe , happy that we're finally doing
00:00:19
this.
00:00:20
Speaker 1: Yeah, definitely.
00:00:20
So.
00:00:21
You know, Huxley, I always start everyone off with telling
00:00:25
you know how they got an IT, what made them want to go into
00:00:29
security.
00:00:29
The reason why I do that is because there's a portion of my
00:00:33
audience that is kind of in that boat right, where they're
00:00:36
trying to potentially do a career change.
00:00:37
They're trying to see if they can actually get into security,
00:00:42
and I have found that it really helps everyone to kind of just
00:00:46
hear a myriad of backgrounds.
00:00:48
Right, I've done 150 of these episodes and I haven't heard the
00:00:52
same background twice, you know , which is actually really
00:00:55
interesting to me, because, going into this whole podcasting
00:00:59
thing, I thought that I would hear you know the same one
00:01:03
multiple times, but that's not the case, right?
00:01:06
Speaker 2: right, right.
00:01:07
So I have two stories for you.
00:01:09
One is the how I got into security and general story, and
00:01:13
then the other one is how I got into it professionally.
00:01:15
So the general story is just I was a teenager and I was hanging
00:01:22
out with other teenagers and this was a time when you would
00:01:25
do dial-up into ISPs and we would get on the internet and we
00:01:29
had to find a way to get on the internet at a substantial
00:01:34
discount.
00:01:34
And so we tinkered around until we figured that one out.
00:01:39
That's how that happened.
00:01:40
Fast forward, maybe like five, six years, I got my first job
00:01:46
off campus and I was helping out with the IT side, right, system
00:01:52
administration, network administration.
00:01:54
But one thing I also did was I decided to run a scanner, right,
00:01:58
it was called Satan, which is you know long, long abandon.
00:02:02
Where now, but you know at the time like it was the tool.
00:02:05
And so I ran Satan on the network and I was able to find
00:02:10
an unknown.
00:02:11
It was either Telnet or FTP server on the president of the
00:02:16
company's Mac.
00:02:16
So apparently his like Eudora mail client if you remember
00:02:20
Eudora, his mail client like would open up an FTP or Telnet
00:02:24
listener for some reason.
00:02:25
I forget what the reason was, but I immediately was able to
00:02:28
raise my profile in the company because of my finding, and the
00:02:33
president of the company decided to take me under his wing and
00:02:36
mentor me directly.
00:02:36
So that is an early example of how security really launched my
00:02:41
career.
00:02:42
Speaker 1: Huh, I guess that's a situation where it can either
00:02:47
go really good or really bad.
00:02:49
You know they could go down the rabbit hole of like oh, you
00:02:54
exploited this, you know you did this and get rid of you.
00:02:58
Or they could do what they did and kind of mentor you and take
00:03:01
you under your wing and immediately elevate you in the
00:03:03
company.
00:03:03
Is that kind of how you felt as well?
00:03:06
Was there any debate in your head about oh, should I report
00:03:10
this?
00:03:10
Should I not Anything like?
00:03:11
Speaker 2: that, oh, I was young and not good at making good
00:03:15
decisions, all right, so no, I just did it and I reported it
00:03:20
and, luckily, the president of the company was very forward
00:03:24
thinking and he appreciated that sort of hacker mentality and he
00:03:29
went the way that it went, which is great.
00:03:32
Speaker 1: Yeah, when I was early on in my career as well,
00:03:35
you know, and I started to get interested in security, I was
00:03:39
really trying to get buy-in from the VP and from the developers
00:03:43
to enhance our security of this product and I was having no luck
00:03:47
and so I went down the path of literally finding a
00:03:50
vulnerability, one.
00:03:51
I had to learn vulnerability management, so I had to find
00:03:55
this open source scanner because I had no budget or anything
00:03:57
like that scan the product, find the vulnerability and then
00:04:02
exploit it live in front of the VP, and he didn't know that I
00:04:07
was going to exploit it live.
00:04:08
I just showed him the vulnerability report and he goes
00:04:10
oh no, those are resolved a different way.
00:04:12
And you know, after some Googling I found the exploit
00:04:16
right.
00:04:16
So I just I was like, okay, well, I launched the exploit and
00:04:20
it gets exactly what it's supposed to get.
00:04:23
And I showed him and he goes oh, this is a problem.
00:04:25
I was like, yeah, it's a big problem.
00:04:28
This is like everything on this report is like this, where you
00:04:33
know it's told, it's said that like it's resolved another way
00:04:37
or whatever it might be, but it's not actually.
00:04:39
And so we're running into these issues and I didn't realize, at
00:04:44
the time I basically volunteered myself to own all of
00:04:47
security for that company, which was an interesting
00:04:51
endeavor.
00:04:51
You know like my first little foray into security is like
00:04:55
trial by fire.
00:04:56
Speaker 2: Yeah, yeah.
00:04:57
So you know, one big upshot from that, aside from being
00:05:00
imported by president, was that company wanted to start doing
00:05:03
security projects.
00:05:04
So every first firewall deployment they just handed it
00:05:07
to me like go figure this out, figure out how to.
00:05:11
It was just like an IP base firewall.
00:05:13
But yeah, go figure that out.
00:05:14
I'm like okay.
00:05:15
Speaker 1: Yeah, it's, it's always.
00:05:16
I Mean it's a.
00:05:18
It's a daunting task, right, I guess, for a lot of people, but
00:05:22
it's also a great opportunity.
00:05:24
You know, and I think people miss out on that opportunity
00:05:27
because they're too scared or not not used to that
00:05:30
uncomfortable zone, you know that area that it puts them into
00:05:33
, and and there's been several times almost every project that
00:05:37
I've taken on has been something that I knew nothing about, like
00:05:41
I've never done it before, right, you know, you kind of
00:05:44
know the gist of it, right, like how it would work or whatnot,
00:05:47
but, you know, never logged into this tool or any of its
00:05:51
competitors.
00:05:52
But that's really like where you were in your paycheck, so to
00:05:55
speak.
00:05:55
Right, the ability to step into an unknown situation and kind
00:05:59
of, you know, really master it, own it and bring it to fruition.
00:06:03
Is that how you felt as well?
00:06:04
Were you nervous when you're going through that?
00:06:07
Speaker 2: Oh, I was frequently nervous when I was told go
00:06:10
figure this out.
00:06:11
And when things weren't working Well, the customer was just
00:06:13
like standing next to you watching you type.
00:06:16
That sort of anxiety factor went through the roof and you
00:06:19
just work through it and In my case, ultimately it worked out.
00:06:23
But I will say one thing when I was that young I was really bad
00:06:27
at determining Whether or not this unknown is something that I
00:06:32
could overcome.
00:06:32
Versus like this is way more than I can handle.
00:06:35
As I've gotten more Experience, like I could better gauge the
00:06:38
size of the unknown there.
00:06:40
Speaker 1: Yeah, I think that's a big thing as well is when
00:06:44
you're early on, when you're young in your career, you're not
00:06:46
able to gauge as easily what the what the work effort is like
00:06:50
, what the difficulty level is, if it matches up with your skill
00:06:54
sets, even remotely.
00:06:55
And so I feel like early on, early on it's, it's important to
00:07:00
take everything that you're offered and fail Quick, fail
00:07:04
early, yes, you know, and get that through right because, like
00:07:07
you said, right You're, you're in this situation where you have
00:07:10
to deploy something and own a product at a customer right, and
00:07:14
that customer is, you know, on your back, so to speak, right
00:07:18
there, right there, you know, watching every move that you
00:07:21
make, and maybe they're more intelligent or aware of this
00:07:24
product than you are, and so they can sit there and be like,
00:07:26
oh, he's making the wrong move, right, he's doing the wrong
00:07:29
thing there.
00:07:30
Speaker 2: You know that that has happened.
00:07:31
That has happened, yeah, but you know what?
00:07:34
I think?
00:07:35
Another great thing, following up on something you said,
00:07:37
nothing that's really good about consulting security consulting
00:07:40
is it forces you to into this practice of estimating effort
00:07:44
and Forces you into this practice of tracking your time,
00:07:46
so you get better at that sort of estimation as you get more
00:07:49
experience.
00:07:51
Speaker 1: Yeah, that's a good point.
00:07:52
You know, I was introduced to time tracking when I was working
00:07:58
for a credit bureau and the manager that I was working under
00:08:02
would just have us, you know, working insane hours on these
00:08:06
projects.
00:08:06
It was crazy the amount of effort and time that we were
00:08:10
putting into it and the manager in between us and him got to a
00:08:14
point when he said you know, I need everyone to just track
00:08:16
their time because when I push back on him giving you these
00:08:20
hours and whatnot, like, he Says that you're not working that
00:08:23
much, when I know that you are and so we need to keep record of
00:08:27
and track everything.
00:08:28
And it was actually a very valuable skill.
00:08:31
I thought that it was really tedious, that really dumb, that
00:08:34
we were doing that and everything else like that right.
00:08:36
But now, coincidentally, I do it at every other job as like my
00:08:41
own safeguard right.
00:08:42
Maybe I need to dial it back a little bit, give myself more
00:08:46
time to recoup and rest and things like that right, like
00:08:50
that's.
00:08:50
That's now my mentality with it , because you know, in security
00:08:53
you can I mean, you could literally just work 24 hours a
00:08:57
day and not run out of work.
00:08:59
Speaker 2: Oh, that's the problem there are more
00:09:01
vulnerabilities than anybody could ever remediate.
00:09:04
That's, that's a hundred percent true.
00:09:07
Speaker 1: Yeah, I mean that's just talking about, you know,
00:09:09
on-prem right, like when you say that, I think of on-prem
00:09:13
vulnerability management, but when you add in the cloud, I
00:09:17
mean that's tens of thousands and that's.
00:09:20
Speaker 2: It's changing all the time.
00:09:21
Right, because right developers , other engineers, they have the
00:09:25
ability to spin things up and down all the time.
00:09:27
So you know, whatever point in time snapshot you have of
00:09:31
vulnerabilities and and that attack surface like it's, it's
00:09:34
already wrong by the time you look at it.
00:09:36
Speaker 1: Yeah, which is?
00:09:37
I mean that that's like the most challenging part of it Am I
00:09:42
at my current job, we do like a daily report.
00:09:44
It's a daily scan, the report goes out right and it's always
00:09:50
challenging, you know, from the aspect of when you start
00:09:55
including dev environments Into your overall reporting of the
00:09:59
numbers and whatnot.
00:10:00
It's like, well, the developers need a place to play.
00:10:02
Yep, if this dev environment has no connection to anything
00:10:06
else, what does it really matter if it has 50 critical
00:10:09
vulnerabilities?
00:10:10
Right, because there should be no customer data in there or
00:10:13
anything like that should be being the the operative word
00:10:16
there.
00:10:17
Speaker 2: You know, yeah yeah, but we have seen examples where
00:10:20
dev environments were part of the attack chain.
00:10:22
Right, they weren't that the end goal of the adversary, but
00:10:26
they were able to laterally move Through that dev environment to
00:10:30
get to something that's that's more valuable.
00:10:33
So you could say that, but you know you're leaving yourself a
00:10:38
gap there in terms of in terms of your defense.
00:10:40
And I'll say another thing about devs.
00:10:42
There's also been documented examples where dev credentials
00:10:45
were used, again to production environments, right, right,
00:10:48
certain devs do need to get into production environments to do
00:10:52
Some sort of troubleshooting and if those are not properly
00:10:55
Decommissioned, when that developer leaves, like that's,
00:10:58
that's another attack vector.
00:10:59
So dev environments are totally Unscope as far as I'm concerned
00:11:04
.
00:11:04
Speaker 1: Yeah, that's you.
00:11:06
You bring up an interesting point.
00:11:08
You're always taught, right, as soon as someone leaves the
00:11:11
company, you should be disabling their account.
00:11:13
You know, immediately, right, that's just good practice and
00:11:17
Sometimes it's hard to keep track of that, to keep the
00:11:21
checks in place, right, to make sure that people are doing it
00:11:23
and whatnot.
00:11:24
And A friend of mine he works for a different company, a
00:11:28
company I've never been a part of or anything like that, I
00:11:30
won't name them but he said that a former, you know systems
00:11:34
engineer had left the company under what seemed to be good
00:11:38
terms and Apparently he had some issue, you know, with the
00:11:43
company or with some product or whatever it might be, and that's
00:11:47
why he actually left.
00:11:48
But he didn't tell anyone that.
00:11:49
And two months later I mean, this is literally months later
00:11:52
like, this guy already has another job and everything like
00:11:55
that, right, mm-hmm.
00:11:55
Months later he gets bored and he starts hacking the
00:11:59
environment using his old account and Getting into places
00:12:03
that he shouldn't be getting into and downloading data that
00:12:05
he shouldn't be, and it took them Maybe a day right, to
00:12:09
figure out who was doing it, where it was coming from, that
00:12:12
sort of thing.
00:12:13
But the damage is still being calculated.
00:12:16
You know like they still don't know absolutely everything that
00:12:20
that took place.
00:12:21
Maybe he did actually use that account within those first two
00:12:25
months and they're just now seeing it.
00:12:28
It's a complex problem to solve .
00:12:33
Speaker 2: Yeah, the example I was thinking of was this very
00:12:37
large company that has an online meeting product and the
00:12:41
developer left and many months later, that person's credential
00:12:46
still worked and he logged into the production environment and
00:12:50
just started taking down servers that supported this online
00:12:53
meeting product.
00:12:53
And the company explained it in a way as they were doing some
00:12:58
like chaos engineering testing, but ultimately it came out, and
00:13:02
not only there I don't know what the dollar amount was, but some
00:13:05
humongous dollar amount of damages but on top of that there
00:13:09
was a lot of reputational damage because the CEO of this
00:13:11
company had to go on Twitter apologizing for the outage.
00:13:15
And it was more embarrassing because the CEO at one point
00:13:18
said, okay, it's all fixed now, and then somebody else posted
00:13:21
another tweet that says no, not still not working.
00:13:22
It's just like, both quantitatively and qualitatively
00:13:27
, like that was a very expensive breach and it could have all
00:13:32
been prevented if there were the proper governance for Dev
00:13:36
permissions.
00:13:36
Speaker 1: Yeah, that reminds me of kind of what happened with
00:13:40
the last past breach.
00:13:42
You know, september of last year they were claiming oh, no
00:13:46
one's vaults were leaked or anything like that.
00:13:49
They didn't get any customer data.
00:13:50
It was just this other small subsection of data that they got
00:13:55
.
00:13:55
A couple months go by, and you know, the update is oh wait,
00:14:00
they have everyone's vaults, but don't worry, you know they
00:14:03
can't get into it, it's encrypted this way.
00:14:05
And then a couple weeks later it's like oh wait, they can get
00:14:08
into everything.
00:14:10
It's like guys you make one one you know report right, tell us
00:14:16
the truth the first time around, because now it looks like
00:14:18
you're lying.
00:14:19
Speaker 2: Yeah or incompetent.
00:14:20
So which one's worse?
00:14:22
I'm not sure.
00:14:23
Speaker 1: Man, insecurity, probably incompetence.
00:14:25
So you know, just looking at LinkedIn, I saw that it kind of
00:14:34
seems like you started your career at Cisco, right, how was
00:14:37
Cisco?
00:14:38
How was that time there?
00:14:39
And I asked, because Cisco is such a large company, right, and
00:14:43
especially, you know, even during the years that you were
00:14:45
there, I mean they were, they were everywhere, right, and they
00:14:49
still are everywhere.
00:14:50
They're a huge part of the network stack for a huge
00:14:54
percentage of the companies in the world.
00:14:56
So what was it like to you know , work for that company and
00:15:02
learn?
00:15:02
Was it heavily siloed?
00:15:05
Was it more open space?
00:15:06
How does that look like?
00:15:08
Speaker 2: Yeah, I would say I watched Cisco go through this
00:15:11
transition from a long time ago where it was really route switch
00:15:14
focused and a lot of the motions within the company were
00:15:22
really focused on that.
00:15:23
So I was there to witness the formulation for the first time
00:15:26
of the security services division, for example.
00:15:30
So building up capabilities around delivering security
00:15:34
services both on the offensive side as well as the defensive
00:15:37
side, and things like this, and now like it is a part and parcel
00:15:42
for the company, even with the products, of course right
00:15:46
Products and services.
00:15:47
So it was a really great transition to watch.
00:15:51
I mean, cisco was already a mature company but it matured on
00:15:53
the security side while I was there.
00:15:56
Speaker 1: Yeah, absolutely.
00:15:57
You know, it's always interesting, right, when I don't
00:16:01
look at Cisco products that often the reason is because I'm
00:16:05
not a network engineer.
00:16:07
I'm not even a network security guy, right?
00:16:08
So thankfully I do not have that headache, because when I
00:16:12
was trying to get into security I was studying for the network
00:16:14
plus and that book would just put me to sleep every time,
00:16:18
right?
00:16:18
So I'm like, okay, networking probably isn't for me, right?
00:16:22
It's interesting to see how the products have changed over time
00:16:25
and how their own I guess product stacked or product
00:16:29
offering has changed over time and how they've added in this
00:16:33
umbrella, you know, overall of your security services and
00:16:36
everything else, right, to provide that enhanced visibility
00:16:40
and as few screens as possible.
00:16:42
When I do check it, I'm looking for, you know, changes like
00:16:45
that, which I always find is interesting from a larger
00:16:48
company, right, just to see how it works, how they grow and
00:16:52
things like that.
00:16:53
Speaker 2: Yeah, certainly they've grown in capability and
00:16:56
at one point they just had a firewall, but now they have like
00:16:58
over a dozen security products.
00:17:00
Speaker 1: Yeah, yeah, it's a huge portfolio.
00:17:04
I mean, just the team to manage their portfolio is probably
00:17:08
bigger than most companies Like.
00:17:10
That's how I feel, at least.
00:17:13
So, fast forwarding a little bit, going through your
00:17:17
background and whatnot, I see that you, you know, we're the
00:17:20
head of security over at Datadog and now you're over at RunZero.
00:17:24
Yes, so talk to me a bit about RunZero, because I feel like
00:17:27
it's a newer company on the market that not many people have
00:17:29
heard of, but the capability that your solution provides may
00:17:34
be actually pretty unique in the space.
00:17:37
Speaker 2: Right, so it's actually not that new of a
00:17:39
company, because we changed our name about a year ago.
00:17:43
We used to be called Rumble Network Discovery, which I think
00:17:47
a lot of folks still think of us with that name.
00:17:49
Runzero is a more recent name that we had.
00:17:52
And you're absolutely right, the problem that we solve is
00:17:56
actually a very old problem.
00:17:58
It's CIS control number one.
00:17:59
For those who are familiar with the CIS controls and this
00:18:04
actually kind of goes back to me running Satan back at that
00:18:07
really first company that worked at off campus and we're solving
00:18:11
the problem of asset inventory.
00:18:13
This is the very, very basic tenant of you can't protect what
00:18:16
you don't know about, right, and so tracking down those
00:18:19
unknowns on your network is absolutely crucial if you're
00:18:23
going to have a credible defense .
00:18:24
And the thing is that problem cannot be solved with tools like
00:18:29
Satan anymore, because 20 years ago, 25 years ago, we in
00:18:34
security were asked to protect the office.
00:18:36
Basically, right, you got your desktop and on your desk in your
00:18:40
office and basically everything was there and you could even
00:18:44
get away with edge protection.
00:18:45
Right, just throw up a firewall and maybe you can get away with
00:18:48
not having any sort of endpoint protection, because you're
00:18:50
protecting the perimeter.
00:18:51
Now that's changed.
00:18:53
That has changed entirely.
00:18:55
Right, you are now being asked to protect not just the office
00:18:59
but all of those devices in the cloud and all the devices that
00:19:02
have left the office and gone to the coffee shops or to remote
00:19:06
employees homes and, aside from that sort of diversions,
00:19:09
environments.
00:19:09
But there's also been other things that have happened, like
00:19:11
the rise of bring your own device, for example, so you have
00:19:14
all these devices showing up on your network which you may not
00:19:17
even manage.
00:19:18
There's also the rise of IOT, right Building, automation and
00:19:22
things like this, smart speakers , which we didn't have 20 years
00:19:26
ago.
00:19:26
And then, finally, there's this convergence of IT and OT.
00:19:29
So many security teams are now being asked to manage the
00:19:32
factories or the water treatment plants or the medical devices
00:19:37
in addition to the traditional IT devices.
00:19:39
So you need a modern tool to handle this type of cyber asset
00:19:44
management.
00:19:45
You need a modern tool to go and do that type of asset
00:19:47
discovery.
00:19:48
And what I'm finding is a lot of folks think that some of their
00:19:51
current tools that sort of does some sort of asset discovery on
00:19:54
the side.
00:19:55
They think that those are good enough, when in fact those tools
00:19:58
are really not addressing the unknown, unknowns in your
00:20:01
network.
00:20:01
They don't find those unmanaged devices.
00:20:03
And even if you think, okay, well, with my existing tools I
00:20:08
can have like 95% coverage of the devices that I have, it
00:20:12
doesn't mean that only 5% of those unknown devices only have
00:20:16
a 5% negative impact on your security posture, because those
00:20:20
unknown devices actually have an outsized impact on your
00:20:24
security, like those are the ones that the adversary is going
00:20:26
to go for.
00:20:27
They're not going to go after the devices that are up to date
00:20:29
on their patches, that already have an EDR on it.
00:20:31
They're going to go find that one device that you have that's
00:20:34
been sitting there in the corner , that's not been up to date
00:20:37
because nobody knows what it does anymore, and they just sit
00:20:40
there and they lurk on that machine for as long as they need
00:20:43
to to do further reconnering or to find the crown jewels.
00:20:45
And so people think, oh, I have my EDR, that's that's my acid
00:20:49
inventory.
00:20:50
Or I have my, my volumet scanner, so that's my acid
00:20:52
inventory.
00:20:53
Or have my NAC and that's my acid inventory, when in fact
00:20:56
those solutions, when they do acid discovery, are optimized
00:20:59
for managed IT devices, not those unknowns on your network
00:21:03
that are going to matter more to you.
00:21:05
Those are the the critical attack vectors.
00:21:08
Speaker 1: That's interesting and it's very indicative of
00:21:11
where the market has gone post COVID right.
00:21:15
Is there a way that your solution is able to say like yes
00:21:19
, we do have 100% of the devices in the network?
00:21:23
The reason why I ask that right is because there always seems
00:21:26
to be some sort of like gray area right when it's like okay,
00:21:30
I think I have everything.
00:21:31
And then, of course, another 200 devices show up and it's
00:21:34
like oh, I didn't include this, I didn't account for that.
00:21:36
Is there?
00:21:38
Is there a way to have some sort of assurance behind it
00:21:41
right?
00:21:41
Because even as an engineer that would set up a tool like
00:21:44
that or I'm talking about setting up like a vulnerability
00:21:47
management scanner, which you are not, it's more than that,
00:21:51
you know, there's always that gray area where it's kind of
00:21:53
hard to tell if I got everything .
00:21:55
Speaker 2: Yeah.
00:21:56
Speaker 1: Is there a way to do that with your solution?
00:21:58
Speaker 2: It's always going to be difficult to tell right.
00:22:00
But the question is how much can you reduce that unknown
00:22:03
Right?
00:22:03
Are you bringing it down to zero or as close to zero as you
00:22:06
can?
00:22:07
And so that's where we're going after there.
00:22:09
It's never going to be 100% Right, because the moment you go
00:22:13
and create an asset inventory and then somebody brings in a
00:22:16
new device onto the network, it's already inaccurate, it's
00:22:18
already missing that device, even if the next discovery you
00:22:23
know there's a cadence for the discovery, even on the next pass
00:22:26
of discovery is a minute from now, for that minute you're
00:22:29
missing that one device that somebody brought in.
00:22:31
But what you want to do is try and make that as complete as
00:22:36
possible, and that is something that you're not going to be able
00:22:39
to do with your EDR or your phone scanner or your CMDB
00:22:42
discovery or anything like that.
00:22:45
Speaker 1: Yeah, that makes sense.
00:22:46
So let's talk about more of how it does what it does right.
00:22:51
So is it just sitting there waiting for advice to reach out
00:22:55
to the network?
00:22:56
What is it actually doing to determine the CMDB?
00:23:00
Speaker 2: So there are three approaches with RunZero for
00:23:05
doing this.
00:23:05
The first one is integrations with all the other tools in your
00:23:09
IT and security stack.
00:23:11
So I talk about how, like EDR and phone scanners are not great
00:23:14
for ass discovery, but they're really good for the jobs that
00:23:16
they're meant to do, right?
00:23:17
Edr is great for endpoint protection, phone scanners is
00:23:19
great for hunting down volans in the network, so they do have a
00:23:22
lot of valuable information, and so you want to bring all that
00:23:25
information in, and we could do that with integrations.
00:23:28
And, frankly, you know any sort of scanning technology would
00:23:32
miss anything that's disconnected from the network.
00:23:33
You know devices that are in remote employees' homes, so
00:23:36
you're going to need those integrations anyway.
00:23:38
So that's number one a wealth of integrations that can pull in
00:23:41
data from all these other solutions in your tech stack.
00:23:44
The second way is with an unauthenticated active scanner.
00:23:48
So this would be strictly finding the things that are on
00:23:51
your network, but also it could scan like the external surface
00:23:55
of the cloud, for example.
00:23:56
And what this is is unusual, because most scanners out there
00:24:00
most network scanners they tend to require credentials because
00:24:04
they try and log into these devices to get more information.
00:24:07
But if you know the credentials about those devices, then that
00:24:11
means you probably already know about it, you probably already
00:24:13
manage it, you probably already protect it, so it's not really
00:24:16
helping with this unmanaged device or unknown unknown's
00:24:19
problem.
00:24:19
So you want to go with something that doesn't require
00:24:22
authentication and yet can find lots and lots of detail, and so
00:24:25
this is where things get really interesting with the scanner is
00:24:29
that when you take an offensive approach or the view of the
00:24:33
attacker to go out and recon the network, but for defensive
00:24:37
purposes, you actually get a lot of information.
00:24:39
By going through and looking at all the ports, all the
00:24:42
listening ports on the device, you can actually get a lot of
00:24:46
information that would be typically more interesting to a
00:24:49
security researcher and then use that to come up with a really
00:24:52
accurate identification with the device, so like you can achieve
00:24:55
really accurate fingerprinting even though there aren't
00:24:58
credentials, and so that's very interesting.
00:25:00
A lot of folks find that to be one of the most
00:25:03
interesting things about RunZero.
00:25:06
But there's a wrinkle here.
00:25:07
When you look at some of the other unauthenticated scanners,
00:25:10
the way they're developed, they're not really safe for
00:25:14
fragile IoT and OT devices, so they have a legacy of crashing
00:25:18
those devices.
00:25:19
So our unauthenticated active scanner has actually been tested
00:25:23
and proven in those types of environments, so it's safe.
00:25:25
So a lot of folks assume that we're Nmap on
00:25:30
steroids, is how I've heard people describe it.
00:25:32
It is actually not true.
00:25:34
Like this was actually developed from the ground up by the same
00:25:36
guy that wrote Metasploit, in fact, and so that's
00:25:39
approach number two.
00:25:39
And then we have a third approach that is being released
00:25:44
next month and this is a passive discovery approach.
00:25:47
So there are some environments where they simply do not want to
00:25:51
do any active scanning whatsoever and there are no
00:25:53
integrations for those types of devices.
00:25:55
So typically this will be an OT environment where they
00:25:59
just either don't have the time windows to do scans or they just
00:26:03
don't want anything touching those devices, and so for that
00:26:06
we have this passive discovery capability where we're able to
00:26:09
sample the traffic that comes in from a switch and then use that
00:26:15
for discovery and fingerprinting purposes.
00:26:18
Speaker 1: Oh, that's really fascinating.
00:26:19
That is a challenge that I have faced before, where it's an OT
00:26:24
environment and people don't want the scanning to impact the
00:26:29
device or really even touch it in an effort to ensure that it
00:26:33
isn't bogged down and whatnot right, and no one really has a
00:26:37
good solution for that.
00:26:38
It's always kind of like we won't know it's there unless we
00:26:41
touch it.
00:26:41
Right, we have to scan it and everything else.
00:26:45
Speaker 2: Yeah, there are ways around that, though.
00:26:46
There are ways around that, I mean, there's multiple
00:26:49
things going on here, but I think one of the more important
00:26:51
ones is the use of incremental fingerprinting.
00:26:54
So what you would do is you would send a super benign query
00:26:59
to a device just to get some macro sense of what that is,
00:27:05
and then you would follow that up with successive queries that
00:27:08
gather more detail, and as you do this, you're building out
00:27:12
more and more of a picture of what the device is.
00:27:13
And what you could do is you could say OK, based on what I
00:27:16
know now, this code path is safe for this type of device.
00:27:19
This code path is not, and so you adjust the queries that you
00:27:23
send based on the information that you have so far.
00:27:26
And that's just one of the principles of Active Scanning
00:27:30
and OT.
00:27:31
Speaker 1: Oh, wow, that is really interesting.
00:27:34
So is it doing this over an extended period of time?
00:27:38
So like, let's say that you're scanning an OT device, right,
00:27:41
and it does its first poll of that device, right?
00:27:44
Is it then, let's say, in the management console?
00:27:47
Is it then going to say like, hey, you know, we'll know, we'll
00:27:50
have a better picture of this device within you know, two days
00:27:54
or three days, whatever it might be, because you're spacing
00:27:56
out those polls?
00:27:58
Speaker 2: No, no, it's not over days, it's over seconds.
00:28:01
Speaker 1: Oh, wow.
00:28:01
Speaker 2: Right, and it's not even in the console.
00:28:03
So there's a piece of software that's called the Explorer and
00:28:07
that is sitting on some host that you would provide.
00:28:10
Right, the entire solution is software.
00:28:12
There's no hardware component to the solution
00:28:14
that's provided by the company.
00:28:16
Like you, the customer, you provide the hardware for it or
00:28:19
the virtual machine, your pick, and you deploy the software
00:28:22
that's called the Explorer and it itself has that logic that
00:28:27
can do that incremental fingerprinting.
00:28:29
Speaker 1: Oh, that's interesting, that's, I mean,
00:28:31
that's a new way of thinking about this problem and kind of
00:28:35
attacking this problem, so to speak.
00:28:38
Speaker 2: Yeah, yeah, for sure.
00:28:40
And there's other things that you would do when
00:28:42
you actively scan OT.
00:28:43
That's really important too, but I think, you know, to
00:28:47
your point, this is the most relevant principle out of the
00:28:50
five.
00:28:50
Yeah, absolutely, but again, if active scanning is not
00:28:55
your cup of tea, then there's also this passive traffic
00:28:57
sampling capability that's due to be released soon.
00:29:00
Speaker 1: So where do you see the space going?
00:29:03
Is it still growing?
00:29:04
Is it still evolving?
00:29:05
Because the reason why I ask right is because for a while
00:29:08
there we didn't see a whole lot of innovation from competitors
00:29:12
like Nessus and Tenable and Qualys, right, that were kind of
00:29:17
legacy solutions in this space, and now we have solutions like
00:29:21
yours coming along that are kind of revamping and remapping what
00:29:26
it means to be this type of solution.
00:29:29
Where do you see your solution, your company, going for the
00:29:32
next couple of years?
00:29:33
Speaker 2: Yeah, so there's many ways to go about
00:29:37
this, but what I can tell you is the problem is not going to
00:29:40
get easier.
00:29:41
The various attack surfaces that organizations have, they
00:29:44
tend to grow.
00:29:45
It's rare that an organization's attack surface
00:29:47
just goes away or gets smaller.
00:29:50
There tends to be more and more devices connected to the
00:29:52
internet every single day, so the problem is just going to get
00:29:55
worse.
00:29:56
And vuln scanners play a very important role in protecting
00:30:00
organizations.
00:30:00
Right, you do need some tool that can execute security probes
00:30:04
on devices to verify if a vulnerability exists.
00:30:07
Right, and that's part of it.
00:30:09
But another part of dealing with the attack surface is
00:30:13
identifying insecure configurations.
00:30:14
Right, the fact that Telnet is running on a device, or the fact
00:30:17
that there's an SSH server that does not limit logins to public
00:30:23
key but allows password, for example, that is not a
00:30:26
vulnerability with a CVE attached to it, that is just an
00:30:30
insecure configuration.
00:30:31
And so when you are trying to protect that attack surface, you
00:30:36
got to look beyond vulnerabilities.
00:30:37
There's vulnerabilities, there's insecure configurations.
00:30:40
And then there's also the context that you would want
00:30:44
around the asset itself, like what is this thing?
00:30:47
Is it important to my business?
00:30:49
But also network location: is this device externally facing?
00:30:54
Does it have a public IP address that's reachable by the
00:30:56
attacker, right?
00:30:57
All those things help you truly understand what is the risk of
00:31:03
that device.
00:31:03
And then if you're able to categorize that device by the
00:31:08
attack surface that it contributes to (so let's say,
00:31:10
this is a phone, so this is probably part of my mobile
00:31:12
attack surface, or if this is an EC2 instance, so this is
00:31:15
probably my cloud attack surface), so when you're able to take all
00:31:20
of the riskiness of that device and secure configurations and
00:31:23
vulnerabilities and that context around it and then assign it to
00:31:26
an attack surface, now you have a really good picture of how
00:31:30
well you are doing in protecting your organization on that
00:31:33
attack surface and then you can start actually prioritizing
00:31:36
where the work should go and you can measure how well you are
00:31:40
doing in terms of reducing your risk in that attack surface.
00:31:45
Speaker 1: So you bring up an area that I always felt like was
00:31:50
lacking in the space.
00:31:52
Right, it's kind of more focused around like those known
00:31:54
vulnerabilities, the CVEs and fingerprinting things based on
00:31:59
that.
00:31:59
But, just like you mentioned, not everything is going to have
00:32:01
a CVE.
00:32:02
It could be poorly configured and opens you up to maybe not
00:32:07
even a zero day, but just an exploit of a service, a
00:32:10
different way than what was fingerprinted before, right? Yeah,
00:32:13
yeah, like I like to say.
00:32:15
Speaker 2: Vulnerabilities, it's the vendor's fault.
00:32:17
Insecure configurations, that's your fault.
00:32:21
Speaker 1: Yeah, that's proven out in the cloud, right.
00:32:23
That's a really good example.
00:32:27
Speaker 2: How many S3 buckets are publicly accessible?
00:32:29
There's still millions.
00:32:30
It seems like every time you hear about like a new data
00:32:32
breach in the cloud, like there was some open S3 buckets somehow
00:32:36
figuring into the picture, and it was like, do we never learn? Do
00:32:40
we never?
00:32:41
Speaker 1: Learn.
00:32:41
Yeah, it seems like we don't.
00:32:44
Probably because we're so focused on the tools that we
00:32:47
have in front of us that are not telling us that, you know. Mm-mm.
00:32:51
That's the thing.
00:32:52
Speaker 2: We're too reliant on the tools in some ways,
00:32:55
potentially, and we're not thinking outside the box enough,
00:32:59
or we just don't have a good handle on what are all the
00:33:01
environments that we need to protect and what are all the
00:33:04
different devices and assets that are in there.
00:33:07
That's a big contributing factor too.
00:33:08
Speaker 1: Yeah, that's a really good point.
00:33:10
I mean, that's a huge part of it not having a good handle on
00:33:16
your environment.
00:33:16
And it's funny.
00:33:17
I worked for a company fairly recently and the security
00:33:22
manager would always complain when having a CMDB was not on
00:33:29
the must have projects list for the year, you know, and he had
00:33:33
been requesting it for the last like seven or eight years.
00:33:35
Yeah, and it would always come back to that thing for him.
00:33:38
He goes how in the world do I know that I'm protecting
00:33:41
everything in this company if we don't have a CMDB?
00:33:43
So we don't even know what we have.
00:33:45
We just kind of assume that we're able to protect it all.
00:33:48
Speaker 2: Yeah, and it doesn't necessarily need to be a CMDB,
00:33:50
like a full-on CMDB; it could just be some sort of
00:33:55
asset inventory that comes from a cyber asset management solution.
00:33:57
In fact, for RunZero, one common use case for customers is
00:34:01
to take the data that was discovered by RunZero from those
00:34:05
three different discovery approaches and then importing
00:34:09
that information into the CMDB
00:34:10
for other reasons, right? Because the CMDB itself is fine
00:34:14
and the sort of ITSM workflows on top of the CMDB, like that's
00:34:18
all you know, top notch.
00:34:19
But the default discovery component that comes with the
00:34:22
CMDB tends to not do a very good job of discovering devices.
00:34:26
Speaker 1: Yeah, that is very true.
00:34:28
I used to work with a solution that would claim that they can
00:34:31
have a CMDB and once I started to do a deep dive into what the
00:34:36
solution was actually doing, it was just Nmap.
00:34:39
It was literally normal Nmap commands.
00:34:41
I'm like, guys, come on, I can do this myself.
00:34:44
You're not doing anything special, you're not doing
00:34:47
anything unique here that we aren't already doing.
00:34:50
It's an interesting space to see continually evolve.
00:34:54
I always felt like when I was in the area of specialty with
00:34:59
this right, I felt like the area was stagnant.
00:35:02
But it's nice to see another company come along that
00:35:05
approaches the problem a different way.
00:35:07
Speaker 2: Yeah, it's an old problem with some newer
00:35:10
ramifications of course.
00:35:11
And to take on those newer ramifications you do need to
00:35:14
have a modern approach to the problem.
00:35:17
You can't just run Nmap necessarily.
00:35:19
Nmap was released at, like, DEFCON 8 or 9 or something.
00:35:24
Yeah, so that would have been like the late 90s.
00:35:26
Speaker 1: Yeah, well, you know, Huxley, we're unfortunately
00:35:30
running out of time here for our episode.
00:35:32
But before I let you go, how about you tell my audience where
00:35:35
they could reach out to you if they wanted to reach out to you,
00:35:37
and where they could find RunZero?
00:35:39
Speaker 2: Sure, yeah.
00:35:39
So I'll start with RunZero.
00:35:41
Just go to runzero.com.
00:35:42
There is a free trial where you could try out all the different
00:35:50
features, but there's also a free forever edition.
00:35:53
So you start the trial and it downgrades to the free forever
00:35:56
edition, which is really great for doing discovery in your
00:36:00
house or just to tinker around and to try it out.
00:36:02
To start the trial, you don't need to provide a credit card or
00:36:05
anything like that and no sales person is going to call you,
00:36:08
but you're welcome to just like try it out at home and see if
00:36:11
you like it.
00:36:11
For reaching out to me, my name is Huxley Barbee.
00:36:14
You can find me on LinkedIn, you can also find me on Twitter
00:36:18
and you can also find me on the infosec.exchange instance for
00:36:24
Mastodon.
00:36:25
So LinkedIn, just look for my name, Huxley Barbee, and Twitter,
00:36:28
it's at Huxley underscore Barbee, and then on
00:36:32
infosec.exchange it's just at Huxley, but I'm sure you'll
00:36:35
provide the links in the show notes.
00:36:37
Speaker 1: Yeah, absolutely. Well, thanks, Huxley, and I
00:36:40
appreciate you coming on and I hope everyone enjoyed this
00:36:44
episode.