Ross Rehart, MSc:
The business requirements for the network 20, 25 years ago were wholly different than they are today. Today we have to think about not only the business requirement of the network, but moreover, the approach to securing the network. Most enterprises today, especially ones that have been around for 5, 10, 15 years or more, have networks that were designed by people and architects and run by people and architects and operations and network engineers that were all brought up in the world of let’s build a network one certain way and protect things one certain way and do this one certain way.
A very common topology in networking for instance is a star topology, where all the sites come into one center point and that center point disperses the information back to those sites. And that center point is controlled by a firewall or by intrusion detection systems, or all of the above. Right? The problem now is that those big WANs, and even in the LAN topology, wide area networks and local area networks, even in those topologies, those connections aren’t really needed anymore. Because you think about cloud computing, you think about, hey, I’ve got all my stuff on OneDrive in Azure or in Google documents, or I consume Microsoft 365 as a service, or I consume my CRM application as a service. So these are software as a service, and they’re all coming from the cloud. And all of a sudden, when everybody seemed to go to one place to get their applications, that’s not the case anymore. Now they just need an Internet connection and they can go anywhere they want to with that.
Well, again, when you talk about the network, there are two things you’ve got to think about. One, the network is never going to go away because we can put anything anywhere we want to, but you still have to get from point A to point B, right? So that network is an incredibly critical component. And for everybody out there that says, hey, I’m on wireless, I don’t really have any kind of physical network connection. Well, you do, because that wireless access point or that cell tower connects to a wire somewhere in the background, and goes to that network, and so that whole path, enterprises have to think about that entire path now. 5G is gaining a lot of momentum in enterprise. Business 5G is gaining a whole lot of momentum because of the promise of what 5G can bring to businesses, speed, connectivity, reliability, et cetera.
But, what you have to think about now is in the computer that has this wireless card in it, or the cellular card in it, to the point where my data is or my application is, or where I’m accessing a DocuSign, for instance, there is a lot of in between there and therefore there is a lot of opportunity to get in between there with bad guys. So think about going down a street with a lot of stoplights. At each stoplight, a bad guy has a chance to come up and say, give me your money at each time you have to stop. Well, that’s essentially the way the network is. There’s many, many stops along the way, and each point of those are vulnerable. So as an enterprise, you have to think about that.
You have to think about the older technologies like VPN, for instance. You say, is that as effective as it needs to be? Is that as effective as, and does it meet the business requirements of what I have today versus again even four or five years ago? When you talk about VPN technology and the traditional VPN technology, you give somebody or you give their computer a VPN client. You give them a static password and you say go ahead and connect. That is one of the easiest things in the world to hack and to grab. People go into Starbucks, they’ll put up their own access point, they’ll say I’m Starbucks. People connect to it and all of a sudden they’re hacked. It’s really that simple to do it. So you’ve got to think about things like okay, if it’s not VPN, how do I connect to these resources?
Now we’ve got to talk about secure service edges, zero trust networking. VPNs by the very nature allow somebody to get into the network and have access to an entire network segment. So be that where all of your corporate network is, where all your servers are, anything like that, you think about that and you go, wow, I’m giving them a lot of explicit access without really thinking about it. And we deal with companies all the time that have the problem of that coming. And we had a customer come to us last year, you know, a new customer come to us last year and say one of my laptops got hacked, they VPN’ed in and my whole network was subject to ransomware all of a sudden. And I was shut down. Because again that threat plane that’s between point A and point B is now much larger. It’s not just a simple from the firewall to the LAN to the computer any longer. So you think about those things and you think about how that’s changed.
You got to think about what do I need to consider in my business requirement now? I need to consider things like zero trust, where instead of explicit permission, I’m giving that implicit permission. Meaning that, with zero trust, I’m only going to give that computer access to one thing, that application that that person needs to use. And I’m going to check that person and I’m going to check them every five minutes. I’m going to check their laptop, I’m going to check their log on, I’m going to check their access. If any of that comes back and says you are not trusted because your laptop firewall got turned off, for instance, I’m going to kill your access immediately. And that’s what secure service edge is really all about. It’s a constant checking and lack of trust, quite frankly, of what those connections are to a point where it’s not crippling the business, but moreover, it’s something that you can use as a threat plane detector and stop those from ever happening.
Kirstin Burke:
You gave a very cool practical example of this based on your naval history that was just such a good visual picture for me to understand this as someone who doesn’t live it like you do. I wonder if you could take 60 seconds and just explain in the practical naval term how this zero trust and micro segmentation plays out.
Ross Rehart:
Sure. So the concept of micro-segmentation is it goes beyond traditional, again, networking, virtual LANs, VLANs. That’s traditionally the way that we’ve segmented out parts of our networks, using VLANs. Micro-segmentation takes that to a whole other level. It brings it down even to the process level on the computer and says this process is allowed to get from point A to point B. Or this user is allowed to get to this process from point A to point B. And that’s it.
The analogy I used when I was serving in Desert Storm: when we went into the combat area, every naval ship, at an interval of every 15 ft, they have doors that can be closed and opened, in every ship, every 15 ft. These doors get closed and opened and locked down in what we call condition zebra, which means they are completely locked down, they are sealed airtight. And when you go into a combat area you say, set condition zebra. So we close everything.
And my ship, the USS Missouri, was in the battle group with a couple of other ships, the USS Princeton, the USS Tripoli. And we were moving forward through an active minefield and the USS Tripoli she actually hit a mine, right off to our starboard side. And when she hit the mine, it blew a hole in the side of the ship. But the ship stayed afloat and stayed operational because the ship was essentially micro-segmented with all those doors being closed. So the part that got a hole in it absolutely flooded. Can’t do a thing about that. But the rest of the airtight and watertight integrity was maintained. So that one event did not affect the entire ship or all of her operations. And she was critical to operations, landing and using helicopters in that particular combat action. So that is a real clear illustration of how segmenting this and bringing the network down to the point where you’re protecting 15 foot sections of the ship, 15 foot sections of the network, not allowing something that affects that one 15 foot section to affect the rest of the thousand feet of the ship.
And I saw this yesterday on one of our customers that we did implement micro-segmentation in. We saw an incident where somebody was trying to laterally move through the network maliciously. The micro-segmentation did its job, and that lateral movement was stopped before it ever started. So the attempts were made, and there were five or six repeated attempts made by the hacker to get into that. But we were able to isolate that machine via micro-segmentation, take it offline, off of the network, remediate it before any damage was done.
It used to be when I started in this networking world, you know, way before 25 years ago, when I started in this networking world, the business would come to you and say, we need to be interconnected and we need to talk to each other, we need to talk out to our website or whatever it is. And so the design would be set up, the network, put a firewall in front of it, and you’re done. It wasn’t really the consideration of cyber attack, cybersecurity, cybercriminals, cybersecurity awareness. None of those concepts existed at that point in time.
And, referring back to what I said earlier when I talked about a lot of these current network engineers and architects, operations and security people, quite frankly, were raised with that kind of, this is the way I set things up. The problem with that thinking is, it’s like saying I’m going to build a house and put a front door on it and then I’ll figure out if I need a lock or not. Not sure if I really need that, right? The door closes, so I don’t get weather in. But do I really need a lock? Because I’m in a safe neighborhood, right? That’s the kind of thinking that you’re thinking about.
And nowadays what I try to get businesses to think about is that security, in any area, be it on the endpoint or be it on the network, be it on the servers, be it on the cloud, at any point, is no longer an add on to any of this. It’s a requirement of it. And this is exactly what I told my colleague yesterday because he was asking me, you know, if I get into this, I’m interested in network security. I said, network security shouldn’t be so much a discipline as a requirement. He says, what do you mean by that? And I said, when I design a network, I start with how is it secured? I start with what in the business needs to be secured? I start with the requirement of everything must be 100% closed. All doors must be dog zebra. They must be closed and locked. That’s the beginning.
Then I design the network on top of that and I open up the doors as they are necessary to open, not by default. Before, by default, it was everything is open and then I’ll close the front door. Now everything is closed, and I’ll open it if you have the right credentials to come into my building. If you have the right credentials to come into my room. So the thinking has to be kind of turned around, and stop thinking about these as separate things because they’re no longer separate things. They cannot be. If you’re going to, I mean, think about all the hacks that happened just last year, right? And all the major hacks. You think about MGM and Caesars and on and on and on.
You think about all these huge hacks that happened last year because these networks, and the thinking is, I have a cybersecurity department, I have a network department and they do their own thing, right? They need to be the same thing now. In fact, they need to be considered much like developers of the apps on your phone or developers of any kind of software, you have to develop in the security into the application itself before you actually develop the entirety of the application. And that’s what I try to get them to do. And then understand that there is no more wall, right?
The wall has come down. You have to defend wherever the hotspot is. And that hotspot may be on the other side of the world. Right? You and I talking, it might be here in Reno, Nevada or there in San Jose, right? You never know where that hotspot’s going to be. And I can use the LastPass hack as a really good example of this.
LastPass, last year, January, announced that they had gotten hacked and users’ passwords had been compromised. That hack actually started in August of the previous year. So they went five full months without even knowing it was happening before that happened. And what they found out was they had a developer who had a home network. He took his laptop home and he was working at home. Great. But he also had his own little personal media server at home. Awesome. He had never patched that media server, ever.
So a hacker got into that media server, hacked into the media server because the patches were available a full three years prior to this hack happening, jumped into the server, said hey, this server is open, that patch isn’t applied. Got into his network, put a keylogger on his laptop, and when that hacker VPN’ed into LastPass’ network to do his development, the hacker had a clear path and every keystroke he needed to get in there and compromise everything he needed to do. So that hotspot in that case was at a developer’s home, 2,000 miles from the LastPass data center.
Kirstin Burke:
The hotspots are not only the corporate locations and corporate risk, but it’s yeah, it’s the media center, it’s the kid who, you know, takes your laptop and hops on. You just, you have such a broader spectrum of attack surface just because of the way we work now. And so the tools and the ground fighting, like you said, takes place in all sorts of places that you don’t expect, yet need to have that defense strategy up for wherever it comes from.
Ross Rehart:
Yeah, when you talk about the concept of, let’s say XDR, XDR is Extended Defense and Response. We use that first X on the top of it. What does that really mean? I mean we’ve all heard about EDR, you know, we’ve heard about MDR, we’ve heard about endpoint detection and response and whatever. That’s great. What does XDR mean? XDR means that I am considering every point of that path, again, I’m considering the endpoint, I’m considering the laptop, I’m considering the user, I’m considering the server, I’m considering the DNS, I’m considering the network. Every point of that, I’m looking at detection. And that in and of itself can be extremely overwhelming for people, right? Because you’re talking about an IT guy.
I actually had a large, very large enterprise company in one of my past jobs coming to us when Covid happened. He said, I have three major call centers and I have to send everybody home. How am I going to do this? And how am I going to, you’re talking about call centers that have to comply with PCI, have to comply with HIPAA, you know, all these regulations. How do you do that when you’ve dispersed? And they scrambled for that answer. Well, now that, you know, we’re back into pretty normal operations after Covid, right? As normal as you can call it. Now people are going, okay, I weathered that storm as well as I could. Now how do I plan for that going forward so it never happens again? That’s what we’re talking about when we talk about XDR. It’s planning for every point that you can.
Kirstin Burke:
What might somebody think about right away as they look at their network, as they try to assess the health of it? What would you recommend? What do you tell people? What do you look for? That either signals danger right away or that signals, hey, you’re okay.
Ross Rehart:
You know, it’s funny you ask that because I always ask the same question anytime I go into any business for any reason, to assess a network, to build a network, to help them with a problem that they’re having, anything. I always ask the same question. The first question I always ask is what’s your business requirement? And people are going, I need the network to do X, Y, and Z. But they’re not asking the question why? Why do I need the network to do X, Y, and Z? Because I need a better network. Because I need to refresh my network, because modern technology says I can have AI. Awesome. All those are great awesome answers, but they’re not the answer you need.
The question you need to ask yourself is what does my business need to operate successfully today, a year from now, 18 months from now, five years from now? Where am I going with this? Because, again, if you think about the old data center model, everybody used to come to one central point and go out. That is not the case and it’s certainly not going to be the case five years from now. Five years from now, if people have stuff on prem, they are really behind the eight ball at that point. It’s just not going to be the case.
So I always start with that question: what’s your business requirement? Because the simple fact is anybody can build a house. Anybody can build a building. House has a roof and four walls essentially and a couple of rooms in it and a couple doors and you got a house. Awesome. But does it meet your needs? If I build a two story house and I’m in a wheelchair, that’s not going to meet my needs, right? I need to build a one story house and I need to have it, you know, ADA compliant for that to work for me. Because that’s my requirement versus anybody else.
Starting there and then, again, taking the consideration of I know my business requirement, now I’m going to layer security on all of that and then I’ll start building from there. And using that mentality of start with my objective first, and then use the network or your servers or your endpoints as utilities, as a way to get to that endpoint and be successful in business. If you do that, you’re always going to be much more successful than you will if you say I’ve got to do X on my network without really understanding the reason why. I can’t tell you how many clients come to me and ask me that question. And I go, well what are you trying to do? Do you know what you have today? Well, not really. Okay, well if you don’t have knowledge of what you have today, you don’t know what you’re trying to do. How do you expect to build what you need to build?
I had a client in one of my past jobs, they moved their data center from an on-site data center in their corporate headquarters into a managed data center, like an AT&T or Windstream, or whatever. When they moved it, they took it up and they did a lift and they moved it over to the other one and they tried to build the exact same network in the data center. And when they came to me, they said, this isn’t working for us. This is not doing what we need it to do. We’re having performance issues, we’re having connectivity issues, the applications aren’t right. I said, okay, well when you moved it over into that new data center, did you have your business requirements first? No, we just lifted and shifted. I’m like, well then how do you expect it to do something new if you just did the same thing again? What did Einstein say? The definition of insanity is doing the same thing over and over and expecting different results. You can’t do that anymore.
You have to change the thinking to give me an objective, and then figure out the tools and the designs and what that building needs to look like and what your house needs to look like after the fact.
Kirstin Burke:
That makes sense. So start with the end in mind. Then have security first. It’s kind of like what we talked about a couple months ago on one of our last TECH talks, which was that whole shift left concept where instead of thinking about things like security at the end that you layer on, you shift that thinking left to the beginning of the process. And you know, it sounds like with network security it’s the same thing. Don’t try to tack it on and hope it works, but start with that.
And you know, we do have a network health check that we do offer folks. So if you are in that mindset of gosh, I don’t really know where I am, I don’t really know if what I have is meeting my business objectives, or maybe I even need someone to help me think about my business objectives, given the business I’m in, what should I expect? We have a lot of very productive conversations that, you know, in some cases require very little adjustment to get something healthy. And in other cases, it’s like, gosh, you know, we really need to rethink this. And Ross is behind all of this. Thank you so much for your time. Thank you for your perspective, and again, for anyone who is interested in how to make sure that that network is secure and is productive together, at the same time, we’d love to help. So we’ll just put that health check out there for you. It’s complimentary. And just reach out to us if that’s something you’d be interested in.