#115 Blocking and Tackling of Security

on Wed Nov 30 2022 16:00:00 GMT-0800 (Pacific Standard Time)

with Darren W Pulsipher, John Evans

In this episode, Darren talks about cybersecurity with returning guest John Evans, Chief Technology Advisor at World Wide Technology (WWT).


Keywords

#zta #zerotrustarchitecture #cyberhygiene #cybersecurity #technology #process


Basic cyber hygiene is foundational to all other cybersecurity, yet many companies still neglect these basics. Recent news headlines show this: there has been an uptick in attacks such as denial-of-service attacks, which should be easy to prevent.

From his experience working with the state community, John believes most attacks follow a typical kill chain. Most attacks hitting state and local governments result from exposed network protocols or email phishing. These are attractive entry points for hackers, and once they are in, bad patching practices are a typical culprit that allows them to gain a foothold and move laterally. That, combined with weak password policies or weak enforcement of password policies and an inability to recover, can lead to disaster.

In a well-publicized ransomware incident in 2019, the affected organization assumed that since they had the same amount of data in their production and backup environments, they were safe. But they had never tested their backups or recovery capabilities, which turned out to be poor. Basic cyber hygiene could have prevented this incident.

There are four essential basics that every organization should focus on. First, they must repeatedly train people to avoid phishing scams. Training might seem repetitive or mundane, but people falling for these schemes is a significant weakness in an organization. Hopefully, in the not-too-distant future, passwords will no longer be necessary.

Second, they must configure firewalls appropriately; just because RTP or network protocol ports are closed doesn’t mean there isn’t an open port in a less prominent spot. Security by obscurity doesn’t work.

Third, they must avoid bad patching policies, both with the client and the server, in the data centers and out at the edge. Many organizations are in technical debt and can’t update their old systems, so they accept the vulnerabilities and risk because they don’t want to invest in an update.

Fourth, they must have the ability to recover. Knowing that you can back up your data is not enough: can you actually use the backup to recover? Testing is essential.
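A restore drill of the kind this fourth point calls for, as an added example that is not from the episode or from WWT: it builds a backup that passes the "same amount of data" comparison from the 2019 incident yet fails once its files are actually restored and hashed. The file names, contents and helper functions are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample data standing in for a production environment.
PRODUCTION = {
    "db/records.csv": b"id,name\n1,alice\n2,bob\n",
    "directory/accounts.ldif": b"dn: uid=alice,ou=people\nuid: alice\n",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files):
    """Return (tar archive bytes, manifest of SHA-256 hashes taken from production)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    manifest = {name: sha256(data) for name, data in files.items()}
    return buf.getvalue(), manifest


def size_check(files, archive):
    """Weak check: the backup holds the same number of bytes as production."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        backed_up = sum(m.size for m in tar.getmembers() if m.isfile())
    return backed_up == sum(len(data) for data in files.values())


def simulate_bit_rot(archive, member):
    """Flip one byte of a member's data; tar headers and sizes stay valid."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        offset = tar.getmember(member).offset_data
    damaged = bytearray(archive)
    damaged[offset] ^= 0xFF
    return bytes(damaged)


def restore_drill(archive, manifest):
    """Restore every file the manifest expects and compare hashes."""
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            restored = {m.name: tar.extractfile(m).read()
                        for m in tar.getmembers() if m.isfile()}
    except tarfile.TarError as exc:
        return {name: "unreadable: %s" % exc for name in manifest}
    report = {}
    for name, expected in manifest.items():
        if name not in restored:
            report[name] = "missing"
        elif sha256(restored[name]) != expected:
            report[name] = "corrupt"
        else:
            report[name] = "ok"
    return report


def run_demo():
    """Compare the weak size check with a restore drill on a good and a damaged backup."""
    archive, manifest = make_backup(PRODUCTION)
    damaged = simulate_bit_rot(archive, "db/records.csv")
    return {
        "size_check_good": size_check(PRODUCTION, archive),
        "size_check_damaged": size_check(PRODUCTION, damaged),
        "drill_good": restore_drill(archive, manifest),
        "drill_damaged": restore_drill(damaged, manifest),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The size comparison reports success for both archives; only the restore drill shows that one file in the damaged backup cannot be recovered intact.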

These four basics, along with a few others, are enough to stop almost all attacks coming into organizations that aren’t regular targets. That model doesn’t hold with organizations hit with nation-state attacks; they are doing all these things already and need additional security measures.

A consideration for many organizations is compliance versus risk. For some organizations to be compliant, they need to upgrade old machines, applications, and processes, which involves a significant cost. An organization with a system that can’t be patched could take a risk-based approach: if something bad happening to the system would cost less than upgrading it, the organization accepts the risk. In that case, the more secure choice would be upgrading into compliance, which is unusual, because most people think of the risk-based approach as the more secure one. A small business could get away with the risk-based approach, but government organizations, for example, have regulatory compliance.

There are two reasons an organization might choose compliance other than a mandate. First, it’s an easy button for many organizations that don’t understand how to measure or prioritize risk. Compliance is a generalized framework to fall back on. It is not one-size-fits-all, however, because someone else is prioritizing risk in a generalized way. Second, if something terrible happens and you have to, for example, explain it to your board of directors, you can say that you followed accepted standards.

Compliance is a bit of a crutch mentality because you don’t have to do all the risk evaluations and figure out what needs to be done. But, for example, a small municipality without a CISO could direct a sysadmin to use a compliance framework as a good starting point. If there is no CISO on hand, there is also the option of a part-time virtual CISO for guidance. John does this for clients, which is a viable path to better security.

The concept of zero trust also looks at a level of assurance versus risk. You need to understand the risk of granting someone access to a particular system or piece of data and then have a commensurate assurance that the person is whom they say they are. The heart of zero trust is a high level of security that mitigates risk.

Zero trust does not mean everything will be locked down and slow all processes. If, for example, someone wants to get in and see rainfall levels, you don’t need a high level of assurance that the person is verified. Still, if someone wants to access your organization’s crown jewels, there must be additional controls to verify identity.

Matching the level of assurance with the level of risk is challenging; it requires decision-point architecture. Taking the risk of accessing a piece of data as an example, an organization needs to know what data it has and categorize it based on risk. Even for a mature organization, this can be difficult. John knows of one federal government organization that spent over two years ensuring its data was identified, classified, and tagged correctly before moving on to any decision-point type of architecture.

Identity and data are the two starting points for zero trust. In addition, it makes sense to avoid trying to do everything at once. Starting with one piece of an organization might make the most sense, scaling it out through the rest of the organization over time.

Digital identity is becoming more sophisticated. John believes our transactions in the future will be primarily based on a zero-trust type of approach. For example, if he wants to transfer $10,000 out of his bank into an offshore account, the bank should make sure it is him and treat that transaction as if someone is trying to access a very sensitive, high-risk piece of information. If he goes to the store to buy a dollar cup of coffee, that level of assurance that it’s him purchasing the coffee is unnecessary. Many of these zero-trust principles will make their way into our everyday lives.

User behavioral analytics will also come into play, just as a credit card company raises a flag for unusual purchases. For example, if a system knows that John types 20 words per minute and he is suddenly typing 100 words per minute while trying to access sensitive information, that is a red flag.
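A small policy decision point that matches assurance to risk and folds in the typing-speed signal, as an added example covering both the decision-point passage and the behavioral analytics paragraph above; it is not code from the episode or from any product. The resource names, assurance levels, the one-level step-up rule and the 2x typing threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Risk(IntEnum):
    LOW = 0
    MODERATE = 1
    HIGH = 2


class Assurance(IntEnum):
    ANONYMOUS = 0
    PASSWORD = 1
    MFA = 2
    FRESH_MFA = 3  # MFA repeated for this specific request


# Constructed data catalogue: every known resource is tagged with a risk level.
CATALOGUE = {
    "rainfall-levels": Risk.LOW,
    "hr-directory": Risk.MODERATE,
    "crown-jewels": Risk.HIGH,
}

# Assumed policy: minimum assurance demanded for each risk level.
REQUIRED = {
    Risk.LOW: Assurance.ANONYMOUS,
    Risk.MODERATE: Assurance.PASSWORD,
    Risk.HIGH: Assurance.MFA,
}


@dataclass(frozen=True)
class Request:
    resource: str
    assurance: Assurance                  # how strongly the caller was verified
    entitled: bool = False                # is this identity supposed to have access?
    baseline_wpm: Optional[float] = None  # learned typing speed
    observed_wpm: Optional[float] = None  # typing speed in this session


@dataclass(frozen=True)
class Decision:
    outcome: str                          # "allow", "step_up" or "deny"
    required: Assurance
    reason: str


def typing_anomaly(baseline, observed, factor=2.0):
    """Assumed heuristic: flag speeds more than `factor` times off the baseline."""
    if not baseline or not observed:
        return False
    ratio = observed / baseline
    return ratio > factor or ratio < 1 / factor


def decide(req):
    # Untagged data fails closed: it is treated as the highest risk.
    risk = CATALOGUE.get(req.resource, Risk.HIGH)
    required = REQUIRED[risk]
    if risk == Risk.LOW:
        return Decision("allow", required, "low-risk data, no verification needed")
    if req.assurance == Assurance.ANONYMOUS:
        return Decision("step_up", required, "caller must be identified first")
    if not req.entitled:
        return Decision("deny", required, "identity is not supposed to have access")
    reason = "assurance matched to %s risk" % risk.name
    if typing_anomaly(req.baseline_wpm, req.observed_wpm):
        # Unusual behaviour raises the bar by one level for this request.
        required = Assurance(min(required + 1, Assurance.FRESH_MFA))
        reason = "behaviour deviates from baseline, assurance raised"
    if req.assurance >= required:
        return Decision("allow", required, reason)
    return Decision("step_up", required, reason)


if __name__ == "__main__":
    samples = [
        Request("rainfall-levels", Assurance.ANONYMOUS),
        Request("crown-jewels", Assurance.PASSWORD, entitled=True),
        Request("crown-jewels", Assurance.MFA, True, 20, 22),
        Request("crown-jewels", Assurance.MFA, True, 20, 100),
        Request("untagged-share", Assurance.PASSWORD, entitled=True),
    ]
    for sample in samples:
        print(sample.resource, decide(sample))
```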

Podcast Transcript

Hello, this is Darren Pulsipher, chief solution architect of public sector at Intel.

And welcome to Embracing Digital Transformation, where we investigate effective change, leveraging people, process and technology.

On today's episode, Blocking and Tackling of cybersecurity with special guest John Evans from WWT.

John, welcome back to the show.

Thank you very much for having me back.

I had a great time last time and looking forward to talk with you again today.

Well, today we're expanding things a little bit.

Well, kind of.

We're actually narrowing things down to cyber security because we you teased me last time.

You teased me last time with the shared cybersecurity model on cloud.

I said, John, we got to talk about cyber security in general.

There's so much to unpack here.

But let's first start by was talk about just basic cyber hygiene, just the basics.

Where do you see a lot of companies that are failing in cyber hygiene and where do you see companies that are doing cyber hygiene well and what does that look like?

Yeah, so I think it's a great topic and, you know, foundational to all the other cyber stuff that that that we do.

So it's probably a good place to start the conversation.

You know, when you think cyber hygiene, it's those basic cyber things that we all need to be doing.

But unfortunately, not everyone's always doing them.

And I think that that's been evidenced by news headlines recently.

You know, there's it's you know, there's there's there's been an uptick even just in distributed denial of service attacks, something that should be relatively easy to do.

I mean, those have been around forever.

We know how to defeat those, right?

Yeah. It's in some cloud services.

It's clicking a button, you know, it's, it's.

But I think cyber hygiene, it isn't always the cool, kind of sexy cybersecurity thing happening.

So sometimes it doesn't get the, the view, you know, the the level of the level of importance isn't paid on it, that maybe it should be in a lot of cases.

And that's unfortunate.

You know, I used to be the CSO for the state of Maryland and I still stay pretty well plugged in with the state.

So, so community.

And I think I can say relatively certain that most attacks follow a common kill chain.

So if you think about most attacks hitting state and local government, it's exposed network protocols like expose RTP, maybe some maybe somebody put some RTP in a box to make it easier for them to get in to do maintenance when they're not not in the office might have been forgot forgotten about but that exposed network protocol is open to to the Internet.

Perhaps, and provides a real attractive entry point for hackers to get at once once they're in that patch.

And practices are typically a culprit that allows them to be able to gain a foothold, start to move, move laterally.

Now you combine that with weak password policies or weak enforcement of password policies and then an inability to recover.

I was involved directly in a very large cyber incident that happened in 2019.

So people can go back, they can read the headlines, whatever.

You can figure it out really, really easily.

What it was probably.

But basically it was a ransomware attack where the affected organization they basically kind of said, well, we know that we've got the same amount of data in our production environment and in our backup environment.

Therefore we must be good.

But they never tested their backups, never tested recovering.

So poor, poor recovery capabilities.

But yeah, it's a fairly common kill chain.

They get in from one or two places, mostly either email, which.

Phishing attacks.

Right, phishing attacks or expose net network protocols.

There's very often some poor patch compliance type of component to it and then an inability to recover.

So cyber hygiene is still very important.

We need to be, I think, putting more emphasis on it, you know, in the future.

You know, this reminds me of I remember I played football in high school.

I remember we had a horrible, horrible game and we had all the talent in the world.

And the coach said, back to basics, man, back to basics, blocking and tackling.

And I hated that week.

That was a miserable week because it was the same thing over and over again until we got it right.

So that sounds like if we were to say the blocking and tackling of cybersecurity are phishing.

Right?

Right.

Making sure that you're training people on phishing.

We get this intel all the time.

I get phishing.

I like to say it just wants me to take more training because I'm, you know, fish bait, right?

That's me. Right?

I'm like, oh, that looks interesting.

Now I'm learning it takes me some time.

But so training your people on phishing is, number one, exposing network protocol.

So this is configuring your firewalls appropriately, basically, right.

Having something in front of them if you're going to have them.

Yeah.

I don't care if it's VPN or but don't but don't have it just exposed and you know, one of the things that we found was, you know, I'd go into agencies and say, you know what, we're going to do a full port scan.

They would show me port scans of the standard ports and say, well, we don't have anything exposed.

And it's like, well.

No, I.

You mean 22 was closed in 80.

Yeah, just. In four for three.

Yeah. Those are the ones you closed.

Just because your standard, you know, RTP or network protocol ports are closed doesn't mean somebody couldn't have put it somewhere else.

And we very often would find that that was the case.

So security by obscurity doesn't doesn't doesn't work.

I like how you said that because a lot of people rely on security by obscurity.

But that doesn't it doesn't work.

No, not at all.

I mean, especially now with all the tools that that hackers have out there, even scripts, script kiddies are much more sophisticated probably than they were just a few years ago.

There's so many tools out there, so many scanners available.

Nobody's just looking at the standard ports anymore.

Yeah, another thing that you saw, the third one was bad patching policies.

You're talking about client patching, but also in the server, in the data centers as well.

And even out on the edge, right?

Oh, absolutely.

Absolutely.

We have you know, I imagine there's a lot of organizations that have we were talking about technical debt last time a little bit.

Yeah.

And I imagine there's a lot of organizations that have acquired a lot of technical debt in certain systems, and now they're at a point where they can't even update those systems because.

The software has been EOL'd, right?

Yeah.

So they know that they have to run on this outdated operating system that has all these vulnerabilities associated with it.

And it's just a risk that they accept because they don't have or they they don't want to invest the money into updating this system.

It's a large undertaking, perhaps, but so they're just sitting out there as known vulnerabilities.

So would you say if and the other.

I want to quickly go over the other ones.

I want to kind of the weak password policy.

I totally get it. I'm horrible at this.

If you hack one of my passwords, you can figure out all the other ones guaranteed.

And it doesn't take long.

So we need to do a better job at password.

But can we get rid of passwords?

I know that's a whole nother story, but and this goes into digital identity, which we're going to talk about another time.

That'd be great.

Yeah.

I'm I'm hoping that that we can in the not too distant future.

I think there's a lot of organization that are still going to be reluctant to give up their passwords.

But I think that a good intermediate step is MFA everything.

MFA everything.

Yeah, I think MFA everything is a great intermediate step.

And then hopefully that will take us to the promised land of of Passwordless.

Which would, which would be nice.

And the last one I think is, is really important, the ability to recover.

And I love how you said, yeah, oh you back things up.

Can you actually use the backup right now? Well, I've never tested it.

I don't know. Right.

Yeah.

I mean, when this big event happened in 2019, they found they didn't have a lot of their organizational structures, so they had the raw data.

Yeah, but then. Yeah, yeah.

What a nightmare, you know.

Oh, we don't have the right accounts to access that, that data or the applications don't have the right.

There's, there's a whole list of would you say if I did these four basic things, how, how much of the security issues that I'm having in my organization would go away?

I think it depends on the type of organization that you're in.

I think if you're talking about and maybe it's not for we we chose to hit on four I think.

Yeah, those are the four. Of the most important.

Yeah.

But you know, maybe it's, you know, six or seven things, it's certainly less than ten probably that we could really come up with a solid list and say, you know, if you're an organization that isn't getting hit with zero day type threats, that isn't getting hit with nation state type attacks, we can stop, you know, I mean, you could probably stop 98, 99% of attacks coming into your organization.

If you do these half dozen things.

Well, that that model doesn't hold true.

If you're talking about three letter agencies, you know.

They better be doing all those things already.

Anyway, that's that's that's true.

That's a good point.

I'm sure that they are.

But there's a lot more resources being thrown at those types of organizations.

So that model doesn't hold true for for those types of organizations.

But if you're talking about most state, local education, small businesses, those types of things probably holds pretty, pretty true, I would say.

No. Very cool.

All right.

So you mentioned one thing and it was around patching.

Now, this is really interesting because this ties us into our second topic, which is really compliance versus risk.

And the reason I tie this to patching a little bit, because you mentioned before, I may have machines that I can't patch anymore.

So now you got a way to be compliant.

I would have to upgrade all those machines and upgrade applications and change my process.

Big cost, but what is the real risk involved?

So there's this this push and pull on compliance and risk.

And if I am completely compliant, does that mean that I'm completely secure?

Then there's all these questions I've got in my in my head.

So teach me.

Oh, great, John.

Well, so you brought up an interesting use case for it because that's not one that people typically think of when they think of or when they start discussions on compliance versus risk.

What you kind of brought up is a use case where compliance might potentially lead you to the better place, which isn't a use case.

What I mean by that is if I've got a system that I'm unable to to patch, I could make a risk based approach that says, you know what, if something bad happens to the system, the cost of that bad thing happening costs me more.

Or I'm sorry, the costs are going up and it costs me less than what it's going to cost me to actually update the system in order to patch it.

Therefore, I might just let that bad thing happen, or I might just run the risk of of having that that that bad thing happen in that case compliant being, you know, I would be out of compliance if I tried to get into compliance.

It may be valid from a risk based approach, but the more secure thing to do would be to be compliant in that case, which is an odd kind of call out the way, because most people think of the risk based approach as being more secure than than compliance.

Either way, they are certainly different.

I think that that example shows shows that they're different, you know, a lot of times.

So I have to do both is what you're telling me.

I can't just I can't just say I'm going to using a risk based approach and you can't just say I'm doing a compliance based approach.

Well, so if you're if you're a private industry, if you're a small business, you could probably get away with just a risk based approach.

Most government organizations can't just rely on a risk because there are compliance issues or compliance regulatory compliance that they have to adhere to. So I think, you know, if we have to prioritize one or the other, a risk based approach is probably the better choice for most cases.

Even in the case that we were just talking about, about not patching, yeah, you'd be more secure with a compliance based approach, but you could also argue that you've wasted money by using a compliance based approach.

So for a business, it's probably not the, the, the, the best decision.

But, you know, if you look at there's, there's been attacks out there released into the wild that were, you know, rated very low on the CVSS scoring.

And if those if someone had been using more of a risk based approach, they would say, you know what, we're seeing an uptick in the damage being done by these types of attacks, remote code executable, some of those other factors.

And you could use those.

You'd also look at your internal organization and say, you know, what do I have?

What what data and how sensitive is that data?

That is susceptible to this type of an attack?

Do I have mitigating controls in front of it?

Therefore, I don't need to prioritize it quite as quite as high. So using that risk based approach will allow you to, one, really spend your money where it needs to be spent and focus your resources, where they should be focused ultimately with the goal of making it more secure in the long run. But, you know, it's it's it's really about in a lot of and I would say it's mostly really about that prioritization of your resources and your money being able to make a risk based decision.

So why even do compliance does it every and no, it's an honest question why it why is government because it sounds like maybe compliance might just be a heavy handed way of doing risk or someone's already decided this is too risky so you can't do it.

Yeah.

I mean, I think it's two reasons.

I think one is it's it's somewhat of an easy button for a lot of organizations.

If organizations don't understand how to prioritize risk or how to measure risk, it's very difficult.

So then you can fall back on a compliance based type of an approach where they have sort of generalized risk for you in some sort of framework, because that's really what they're trying to do in a lot of the cases.

They feel like the CIS, where they prioritize the different controls, they're sort of trying to prioritize risk for you, but in a very generalized way.

It's not a one size.

It shouldn't be a one size fits all.

They're kind of trying to make it do that, but.

But their lead.

I see where you're saying they're leading you down a path today.

Are these types of things are risky, right?

You need to pay attention to these things and put some kind of risk measure against it.

Yeah.

So, you know, the other thing is it gives you a sort of a CIA position.

If you say, well, I followed these, I follow national standards and something bad happens, you can fall back on that when you're trying to explain it to your board of directors or trying to explain it to the governor or whoever you need to to to explain that that that issue, too.

And then thirdly, and probably the biggest reason it's done within government is because you have to do it according to some mandate.

So like state, local government, if you want your money from CMS to pay for your billion dollar Medicaid system, you have to be compliant with Marcy if you're not and you may not get your your your your funding.

And that's a huge amount of funding coming into the States. So.

Gotcha.

Well, in general, do you do you believe that some of these security frameworks or standards, do they help the industry as a whole, or do you see them as a crutch that, oh, I just did the compliance and that's good enough.

Where are you seeing that vetting?

Yeah, I think there's a little bit of the crutch mentality.

I think there you know, if you look at, you know, saying it's a way to kind of cover yourself, that that that goes back to the kind of crutch mentality, I think.

And then I think there's a little bit of I don't want to call it laziness, a little bit of, you know, this is good enough.

I do this.

I don't have to spend the time doing all of my risk evaluations and really figuring things out for what needs to be done.

I can just kind of follow this, this, this, this playbook.

So, yeah, I would say I think in some ways it is a bit of a crutch having it's a.

Little more let's say that I'm a small municipality, going to a compliance framework may be a good start for me because I don't I can't afford a C, so I just have this, you know, this sysadmin that says he likes security.

I can point him in this direction and say there is a good starting point for you.

Right?

I mean, they're not all bad.

Yeah.

I mean, you know, another thing to consider and I actually do this for I have a call later today or think about it.

I think I moved to tomorrow actually, but so through WWT and this isn't this wasn't planned not trying to create a picture but you know I do virtual CSO types of engagements.

So there's a county I'm meeting with this week to talk to them about where we're kicking off the engagement actually.

So, you know, the contracts been signed, everything. So but we actually do some, some pieces of work.

I do some directly with some different customers.

So I would say, you know, if you don't have the staff on hand, it doesn't have to be hundreds of thousands of dollars either to get some part of part time of a virtual saw.

So we'll be able to help walk you through sort of some of these risk based and prioritization of of activities.

You know, so, I mean, I would say that that's a a a feasible path maybe for some of these municipalities also to kind of take.

Great.

All right.

Let's talk a little bit.

Let's extend this risk based to zero trust, because all that's all the buzz right now.

Zero trust is zero trust.

My product has zero trust, but I have a lot of ideas around this and strong opinions about zero trust, philosophy and principles, which I think is more important than zero trust architecture.

And you and I talked about this before, and that's the same.

But really, when you look at Zero Trust, you're really looking at level of assurance versus level of risk as well.

That's a great way to say it.

There's a you need to know the level of risk with somebody or with a set with with access to a particular system or piece of data in you to understand what the risk could be with granting access to that, if, you know, could it be disclosed or altered.

So you need to understand the risk and then you need to have a commensurate level of assurance that what's trying to access the person or system, trying to access that that that data is who they say they are and they're supposed to have access.

So it's exactly what you just said.

It's risk of accessing something and assurance that I.

Know who that other person or entity really is.

Entity is and that they're supposed to have access to it. Yeah.

So would you say that's it in zero trust?

Zero Trust is high level of assurance mitigated by risk.

Mitigated mitigates risk.

That's a yeah.

I mean at the heart of zerotrust that's, that's what zero.

I mean that's really sort of what it is.

It's that security decision point architecture that says based on the level of risk associated with accessing this thing, I am going to put more stringent controls or more stringently evaluate, make sure that I have a higher level of assurance that this entity is who they say they are and that they're supposed to be accessing this data.

So people talk about zero trust.

I think they get you know, I think it's a term that some people are a little overwhelmed by at times.

But at the heart of it, that's really all it is.

So if we think practically, you know, if if I've got somebody who's trying to to get in to see, you know, rainfall levels, I don't need to verify that with much level of, you know, very high level of assurance that person is who they say they are, that they're supposed to have access to that data.

But if it's my crown jewels, I need to make sure that there are some additional controls put on that to really make sure that this person is who they say they're in, that they're supposed to have access.

I really like how you describe that, because when I first heard about Zero Trust, I thought, Oh, they're going to lock everything down and everything is going to have temporal access.

I mean, I only have access for a short period of time and high assurance on everything and know that this is going to be ridiculous.

Because if I do want to find out how much it rained last night, they have to authenticate who I am.

And I can only look for 30 seconds.

I mean, that's just not reasonable.

So I love how you said that.

It is.

It's not I don't trust anyone all the time.

It's I'm weighing that assurance with the risk involved in accessing an asset or data.

And you're the only one I've heard really talk about it that way.

So you should write a book.

John Okay.

You made it so easy to understand.

Frankly.

No, thank you.

I try to.

That's you know, you're not always going to have the luxury of being able to explain it to people like yourself who are, you know, very knowledgeable, very educated in the technologies.

If that's the philosophy, the principles.

Right.

Matching the level of assurance with the level of risk.

How about implementing that? Is that hard?

Are there tools that I can just use today that let me do that effectively?

Or does this mean a completely re architecture of the way that I do access management and the way that I do everything that I've been doing for 30 years, 40 years even?

Yeah.

So there's a lot to unpack in there in that question.

I'm going to sort of try to take it piece by piece or say at a pretty high level because there's a lot of depth, a lot of places you can go.

That was a big question to answer, sort of.

Is it hard? I mean, it can be.

I think it depends on the level of maturity of your organization.

One of we talked about the risk associated with accessing a piece of data as a as an example.

If my organization doesn't know what data I have out there and if I can't categorize that data, if I can't assign a risk scoring basically to that data, then it can be real.

It can be real hard because I know a pretty mature federal government organization talking to their CTO.

They spent over two years just making sure that they have their data identified, classified, tagged correctly before they moved on to any sort of the decision point type of architecture. So so it sounds like the first thing you have to do is identify your data and classify it, but sounds like that's one of the first steps.

Yeah, it's it's definitely one of them.

You know, identity and data are probably the two big things that you want to start start off with.

If you don't have a good handle on your identities and you don't have a good handle on your data, you can run those tracks in parallel, and you probably should because both of those can take quite up quite a bit of time to get them into a place to really move you to towards zero zero trust.

The other thing I would say is maybe pick up a piece of your organization.

Don't try to boil the ocean. Don't do everything over.

Yeah, maybe pick a piece of it and work through it there.

Get some muscle memory work, working through it there and then start kind of scaling that out to other pieces of of your organization.

It's interesting.

You threw in identity again.

Yeah, no identity.

Yeah.

This is a big topic then I digital identity and.

Yeah well you know it's interesting too so I'm going to transition if it's okay with with with you so digital identity you mentioned that digital identity if you think about, you know, digital identity, we have identity proofing, making sure that this person is who they say they are.

You know, we're getting into more sophisticated ways of doing that.

But if we think about how this all plays out in the future, move, move it moving forward, I think our identities are going to be almost based on our transactions.

I should say, in the real world, are going to be based on the zero trust type of an approach.

So as a for instance, if I need to or, you know, if John is transferring $10,000, let's say, out of his bank account to an offshore account somewhere, my my bank should make real search for that.

This is me trying to make that make the transaction just as if someone's trying to access some very sensitive high risk piece of information.

Whereas if I'm going to the store and buying a cup of coffee, you may not need the same level of assurance that that, you know, it's actually John who's who's making this transaction, the impact, the risk associated with it is much lower in those cases. So I think we're going to see a lot of a lot of the principles that we're learning and or that we're developing around zero trust, making their way into our everyday.

Life or day lives as.

We start to stop doing more of the of the digital identity type of type type of framework.

You know, something else just popped into my head.

It's not just the one event either that you have to be able to identify.

And this is where I think we're going to start seeing some interesting plays in AI and access over over time.

If Darren's acts if Darren buys coffee every day at a certain place which I don't drink coffee so that should raise red alarms everywhere.

But we already see this with credit card transactions.

If I do something outside of the ordinary of my normal buying patterns, they flag it, right.

We should see the same sorts of things when I'm accessing data as well inside at different classification levels, because I think you and I both know I can gather a bunch of data from unclassified areas and one piece of data from classified area and create top secret data. Yep.

And have situational awareness that no one else would have, which would make me a threat in that case.

So I think I think we're going to see an extension to zero trust to a I don't know what you would call it, but it's almost like what is your access?

What is your zero trust access over time?

And are you is that developing some kind of a threat?

I mean, user behavioral analytics, UBA is hugely important.

We you're talking about the concept of zero trust.

And, you know, that's that's part of what you're talking about there is yeah I know some of that some of the super principles of if the system is keeping track and it notices that John Hunt impacts, you know, per minute in in the system.

And he's that's been pretty steady over the course of his of his tenure there.

And all of a sudden.

He's talked for 100 words per minute.

Yeah, I'm type

And I'm trying to access one of the most sensitive things that my account has access to.

You know, that that that's a that's.

A really good that's a really good point.

Hey, John, this has been absolutely wonderful, very enlightening.

Thank you again for coming on the show.

And of course, we're going to talk about digital identity.

So you got to come back or you're going to come back for me.

I would love to.

I would love to.

I've had a great time talking with you both times now.

Digital identity is something that I'm near and dear to me.

It's something I've been, you know, learning more and more about.

So I would love to come in and talk talk with you more about that.

Sounds great.

Thanks again, John.

And I can't wait to talk to you again.

Looking forward to it. Thank you.

Thank you for listening to Embracing Digital Transformation today.

If you enjoyed our podcast, give it five stars on your favorite podcast and site or YouTube channel.

You can find out more information about embracing digital transformation and embracingdigital.org.

Until next time, go out and do something wonderful.