April 26, 2022 | 29 minutes
Bob Almond has watched the IT industry evolve from single machines to internal networks, to the present, where people work from anywhere, whenever they want to work, and need access to the resources required to get their jobs done. He has focused on helping IT admins rein in the complexities of AD group policies. This is more important than ever as IT admins deal with policies on Linux and Unix devices, Apple Macs, MDM for mobile devices, and Windows devices that are in the wild and aren't joined to the AD domain.
About the Guest
Bob Almond is the chief operating officer of Full Armor Corporation, a software development firm he co-founded. He is an expert on effective use of AD group policies.
Episode 33 | Reimagining Cyber
Wrangling the Wild West Through Persistent Policy Enforcement | Bob Almond
Bob Almond 00:03
There's a term in the military called Broken Arrow. And you know, when a field officer picks up the mic and says Broken Arrow, what it basically means is that the enemy has gotten through all of the perimeter defenses, and they're inside of the camp. And I would just start yelling, ‘broken arrow’ all the time to corporate America, because if you don't know that they're inside your firewall, you've got an even bigger problem. They're in and they're getting in.
Rob Aragao 00:38
Welcome to the Reimagining Cyber podcast where we share short and to the point perspectives on the cyber landscape. It's all about engaging yet casual conversations and what organizations are doing to reimagine their cyber programs, while ensuring their business objectives are top priority. With my co-host, Stan Wisseman, Head of Security Strategist. I’m Rob Aragao, Chief Security Strategist. And this is Reimagining Cyber. So, Stan, who do we have joining us for this episode?
Stan Wisseman 01:06
Rob, Bob Almond is the Chief Operating Officer of Full Armor Corporation, a software development firm he co-founded. And Bob has over 20 years of experience creating and bringing to market security enterprise management products that are used by more than 1000 enterprise customers worldwide. Bob, it's great to have you with us today. Can you expand a little bit more on your background for our audience?
Bob Almond 01:28
Absolutely. And thank you, Rob and Stan, for having me on, really appreciate the opportunity to talk about a subject that means a lot to us. So, myself and a couple of partners founded Full Armor Corporation, as you said, 20 plus years ago. Our DNA is really security, we grew up in that space going without dating myself too much going out, back to the days of file and directory and hard drive locking. And we've really, we've really had a great run, watching the industry evolve and change and go from, you know, everything being based on you know, single machines to internal networks, to the growth to the internet and just the now explosion of, you know, people working wherever they want to work, and whenever they want to work and needing to have access to everything. So, you know, we're a highly innovative development shop. We love the stuff that we do, and the folks that we partner with and the customers that we get to serve. So hopefully, that's enough on me for now.
Stan Wisseman 02:37
No, that's great. That's great. And I, personally have a history with security policies in the sense that in the mid-90s, I was teaching classes on how to do security policies, and I helped create a security policy for Exodus Communications back in ‘98. And, you know, what you've done is, you come up with these corporate policies, which are great, shall statements, right. But how do you actually get them implemented? You know, and how do you help ensure they're consistently being deployed? And as you look at how, you know, Windows has turned to these are, like that core focus with Active Directory as a way of actually helping implement policies, you know, what were some of those initial pain points, so that you helped the IT admins deal with, as they were trying to help, you know, flow down those policies from the corporate high level shall statements down to reality?
Bob Almond 03:36
Yeah, so I'm starting to wonder whether or not I should be interviewing you based on some of your history. So yeah, going back to what I was saying, during my intro, you know, there was a day when having a password on your computer meant your computer was pretty protected. And as long as you didn't leave it at Walmart or the airport, the chances of somebody having the time to break into it was, you know, you were pretty safe. You know, the worst thing that was going to happen is they'd format the hard drive and then sell it to somebody else as a new computer.
Stan Wisseman 04:13
Those days have changed, haven’t they?
Bob Almond 04:16
They definitely have. The evolution for us really started back in the mid-to-late 90s with Microsoft System Policy. And there they were really trying to take what was the Wild West at the time and sort of rein it in and apply policies to individuals and to all of the corporate assets, that the company needed to manage whether it was the physical assets like computers or networks and different storage devices and things like that. And then in 2000, Microsoft came out with Microsoft Active Directory and this new policy vehicle called group policy or GPO Group Policy Objects. And our company was sort of uniquely positioned at the time, because of all the work that we had been doing around System Policy. And in the really, really early days of access, and policy management, where really all we were doing was creating one, two or three policy levels. And based on a user's login, you would give them limited or either almost no access, limited access, or full access. And, you know, if somebody was an IT administrator, well, the default was full access. And if somebody was a user, like me, it was little or no access. But with group policy in Active Directory, the ability to manage at a granular level exploded, and I think initially, there were like, 800 settings in every individual group policy object, and you're like, “Oh, my goodness, how do you go from three to 800.” And, you know, over time, that's actually now grown to I think, over 6000 individual settings in GPO. So, you know, what we focused on was what we could do to help the IT administrators in these enterprises manage all of those settings and manage the ability to apply policy dynamically to their users and the company’s corporate assets in a way that actually made sense so that you didn't have policy overlapped, or drift and all this other stuff. 
And what we've seen in really over the last, you know, 20 plus years, hasn't just been that increase from 800, to 3000, to 6000, different settings, you know, which those settings have to come from somewhere. Well, that was really the expansion of what a network meant both on premise and then, wide area networks, and then the internet coming into play, and then all the applications that can be hosted and whether a SaaS application or things that you're hosting inside of your network, and now there were virtually millions of settings, that can be applied inside your network dynamically. And our focus was trying to rein that in and make it easier for the IT administrator, to manage all of those settings, but really focus on security and protecting new organization from the inside out. And that's really been the evolution for us to go from, you know, 1995 to 2022.
Rob Aragao 07:38
So, Bob, I think you just started touching upon the security aspect of it, right? Because if the listeners are kind of coming in and saying, we're talking about policy management, we're talking about configuration settings and whatnot, on the Windows environments, you know, what's the cybersecurity aspect? Well, there's a lot that's going on, as you've been talking about, we've had conversations in the past. And it's not just now at this point around the Windows environment, right? It's expanded itself into the other types of operating systems out there, cloud environments, devices, mobile devices, and so on. So maybe you can kind of set this specific on, you know, different approaches from the cyber perspective related to policy management to help the listeners kind of understand that interconnection point.
Bob Almond 08:22
Sure, well, we could probably do a full day of talking about zero trust and cyber resiliency and the way that it is growing and expanding and morphing into something that is really, I think, very powerful for the CISOs and the IT administrator and heads of security inside a company, we could just dive into that for hours and hours. But at a high level what we've seen with the expansion of the company footprint, all of the, for lack of a better term, call it all of the new surface areas that they have to cover and manage all those surface areas eventually become potential attack surfaces for bad actors, whether inside or outside of the organization. And the cyber play in this is, I think, in a past conversation, we talked about the evolution from the early 2000s, where almost everything was on premise, and there were these connections to the cloud to go out and get things from the internet or from a hosted environment that was also behind a firewall. And then you saw this evolution to SaaS applications and the explosion of the use by employees. And this industry, in turn came into place called Shadow IT. So, Shadow IT basically meant that an individual IT administrator could go out and provision an app for a bunch of its users say somebody wanted to use something like Salesforce, and they didn't really have permission all the way up the stack, but they went out and they sign up for a trial, you know, license for Salesforce and the next thing that all they convince somebody and they're paying for five or six licenses, and you have an IT administrator that's running security for the organization, and they don't even know that this hosted application by Salesforce is being used. And that just exploded, I mean, every area management, sales, management, marketing, HR, there are apps for all of these things that are out there. And they really exploded in a dynamic way. 
And not always with the permissions of the IT administrator going up the corporate food chain to the CISOs. And so when they finally woke up to the reality that their users weren't just doing everything the way they were supposed to on prem, but they were finding dynamic ways to achieve better productivity and higher sales results and faster production of whatever the services or products that they were building, IT then couldn't say, “Well, we're going to shut all those things down, and we're going to rein you back in,” they literally had to now say, “Alright, how are we going to manage all of these crazy things that are out there all over the place, and sometimes we don't even have control over.” And that was really the explosion of this on premise and cloud hybrid lifestyle for employees, that has created such a diverse set of additional attack surfaces for bad actors to go after.
Bob Almond 11:41
I think I've mentioned to you guys in the past that some of the biggest hacks have started on resources that were completely innocuous in the eyes of the organization. I hope I'm not quoting this wrong, but I believe it was the Target hack that led to millions of uses of data being exposed and stolen and put out there and on the dark web. It started with the hack of a simple Linux device that was controlling the HVAC system at an office building. And the bad actors got into that, because security wasn't super tight, people weren't paying that close attention to something that seemed like a, you know, what are they going to do, turn our heat up, turn our heat down. And the next thing you know, they elevated the privileges on that device, and they moved laterally throughout the organization until they were inside of customer records and financial information and data. And the organization, it took them quite a while to actually figure out what was going on. Because they weren't prepared for what now we talk about as zero trust, and we talk about cyber resiliency, they didn't have, you know, when these things were going on, a really good set of precepts and principles to apply policy in a dynamic way that will protect you on the inside and the outside and in the complete lifecycle of those devices. And those users that are coming into the organization to do their jobs, no matter how innocuous the job or the device might be. So, we've really seen an explosion in that. And we're excited to be one of the companies that are out there that are putting really fun resources together for IT administrators going up the food chain to protect themselves and to follow best practices to secure all of those resources.
Stan Wisseman 13:36
So, Bob, one aspect of this security governance is that visibility, right? I mean at Target, they didn't actually have the visibility into that Linux server to know what the settings were. The different silos that you've got, either on-prem or in the cloud, as far as the challenge of getting that visibility in a way that they can actually manage effectively the policies and ensure that they're, because one of the key things is consistency, right? You want to have a consistent set of access rules that can be applied, no matter where the individual user, or entity, is in the environment, right. And so, as that perimeter has expanded, as we've gotten to a hybrid approach, maintaining that consistency of policy implementation and getting the visibility to validate that it truly is consistent, is part of the challenge you're trying to solve. Right?
Bob Almond 14:40
Yeah, that's correct. You know, when we think about zero trust, and when we think about cyber resiliency, I have to go back to, again, industry standards, things that have been evolving over the last 10 years to deal with these really complex issues. And when we look at it, I think there are, I won't go into all of them. But you know, I think there are eight pillars of the zero trust world and you've got users obviously, and devices, networks, infrastructure, applications, data, blah, blah, blah. And all of those things now have to be looked at holistically, you have to look at them inside the organization and say, you know, here are these eight sets of resources that we have to have a consistent zero trust methodology for managing, and then we have to apply the standards that are both industry-wide standards, you know, best practices, along with a host of applications and security solutions. I'm going to pivot for a quick second. And say two things that we're seeing in the industry, a lot of folks, a lot of companies that are out there are trying to sell a product, which in most instances is a point solution, or solves one or two of these problems in the zero trust universe, and they're selling them as zero trust, that's not the right way to look at this. Zero trust is much, much bigger. I mean, I talked about those eight pillars, well, then we get into the seven tenets of what zero trust is, and you're talking about the rigorous enforcement of authentication and authorization, you're talking about maintaining your data integrity, gathering the information around improving security, granting access to resources dynamically, how you audit and how you report and how you will work on all of those things, those all play into the seven tenets of zero trust.
So going back to your question, when we think about how we're going to be resilient, and how we're going to help this battle to get to zero trust, we think about policy in a really dynamic way, we think about policy in the full lifecycle of what it is to create, approve, deploy, manage, audit against, and then be resilient in making sure that the appropriate policies are being enforced at all times. And you know, that policy enforcement is sort of the end of that food chain, but it starts with the very inception of creation of a policy for a user or device or all of those things that we were talking about earlier as the corporate assets. And for us, I think what we're looking towards is how can we apply dynamic policy? How can we have the appropriate zero trust methodology in place from the creation of that policy, who reviews it and approves it, how it gets deployed, then once it's deployed, a whole new set of rules, rights and restrictions that go into place that go against the reporting on it, and the auditing on it, and the alerting when changes are made, and how you roll back to the correct policy, or approve and let a new policy go into place to enforce that the users and the devices and all of those corporate assets stay in compliance at all times. So that's a really exciting space to be in, in our industry right now. Because there are just so many different policy silos out there. You mentioned MDM, you know, we've got Linux and Unix and Mac and non-Windows-joined devices that are out there in the wild, we've got MDM for your mobile devices, we've got network security, and then you throw in things like the way you authenticate and authorize using two-factor authentication and strict passwords and forcing password changes. All of these things, you know, happen in different policy silos.
And what we're trying to do is normalize all those policies down into one centralized policy that you can see in a single pane of glass, and then from cradle to grave, inception and creation all the way through auditing and enforcement, manage those in a dynamic way for the organization. And we think it's really, really exciting. I'm sure there are a lot of people that just heard that last three minutes of my soliloquy and are thinking, “Well, Bob, that's pretty boring.” But for us, it's actually really, really exciting. So cool.
Rob Aragao 19:34
Well, I think it's critically important when it comes down to right as you said about kind of holistic, persistent policy management, right? It's not back as you started our conversation, the Windows based environments and dealing with you know, the settings there of 800 to 6000 GPO settings, that's one thing. Never mind the other environments as you're talking about, right, go into Linux, Unix to the cloud environments, mobile devices and so on, but the persistent aspect of it or dynamic aspect of, you kind of use both words interchangeably, right? It's really what you're driving that. So, to me, what that does is it plays a major theme about the resiliency factor that you also alluded to. Right? So, a lot of organizations, and we've been talking to many different people about this, the emphasis around how can we be more resilient in our cyber programs, right, not just a cybersecurity aspect of kind of good hygiene, which this falls into. But this expands now into being more strategic and how they're actually protecting the organization from the Target type of attacks that you talked about in many other types of misconfigured type systems and security. Right. So that's critical. Now, Bob, take out the crystal ball for a second, right? Put on that wizard cap and tell me like, what is it that you're seeing out there going forward? What's the vision? Next phase of this?
Bob Almond 20:45
Yeah, so I think I alluded to it a little bit, based on the last question, and I think what we're seeing is the real necessity, let me take it in three pieces, you've got to create this awareness for the IT administrator of what that global set of problems are, and all of those different attack surfaces, and you have to help them understand that protecting, you know, if an organization has several different attack surfaces, protecting four of the most important means that two or three buildings become the focus of the bad actors, and they're going to get in. I hear all the time from IT administrators, "I don't really have to worry about that, all my important assets are behind the firewall, and we use VPN." Oh, great. Yeah, 'cause so did T-Mobile, and JPMorgan, and the good folks at Target, and how many federal government agencies. All of those people were doing those things, all of those people had their most important stuff behind the firewall and were using VPN technology. And the simple truth is, there's a term in the military called Broken Arrow. And you know, when a field officer picks up the mic and says Broken Arrow, what it basically means is that the enemy has gotten through all of the perimeter defenses, and they're inside of the camp. And I would just start yelling, broken arrow all the time to corporate America, because if you don't know that they're inside your firewall, you've got an even bigger problem. They're in and they're getting in, whether it's through stolen passwords, whether it's through phishing attempts, and malware, and users clicking on things that they shouldn't, all of these different ways, all of these different attack surfaces, you have to holistically look at them, you then have to apply those seven tenets of zero trust, and you have to look at the way you're doing your policy, you know, as I said earlier, from date of inception all the way through your orchestration, and your auditing.
Rob you specifically asked about the enforcement piece, and how do you be resilient? Well, I think if you can break down all of those different policy silos, you take your MDM, you take your Linux and Unix, that speak a different language than your on premise things that you're managing with AD. And you normalize those different policies into a, for lack of a better term, the term that we use internally is a universal policy. And you make all of those policies speak the same language. And you allow all of those policies to be enforced in a single pane of glass, and pushed out whether on premise, whether in the cloud, whether it's a user that has a hybrid lifestyle, where they're both on premise and in the cloud, and you enforce those policies. A simple example of that is, if an organization, you know requires multi factor authentication, and really strong passwords and changing those passwords, the last thing you want is somebody coming in that's somewhere outside of your perimeter working as an IT administrator to change by mistake. You know, inadvertently one of the policies for user that turns off one of those things that you've said as a corporate policy in terms of authentication, and whether it's using multi factor authentication or strong passwords or whatever. And now you've got what's called policy drift. And maybe it doesn't impact the user on premise, but it impacts the user in the cloud. And so having a dynamic way to constantly be looking at and reporting on those policies, knowing when a policy has been changed, and if it hasn't gone through the appropriate workflow and been approved, it's dynamically caught and rolled back to the policy that was approved. And boom, the user has what they were supposed to, and they're allowed to work. 
You know, zero trust simply comes down to, we trust no one ever, you literally have to prove at every step from authenticating onto your network, all the way down to every application you use, and the type of activities that you're using them for, you have to continually prove that you have the right to be there and do the things that you're doing. And policy is the best mechanism for enforcing those things and ensuring that those things stay in place. So that the users, we know who they are, they are who they are. And they're doing what they're supposed to be doing. They haven't been hacked, it isn't a bad actor. And even if it's an internal bad actor, when they start elevating privileges or changing the rights and responsibilities, we can catch it and we can roll it back to what it should be, we alert the appropriate people through SIEM technology. And you're able to catch those things. So many of the hacks that have taken place lacked that resiliency piece, they lacked that ability to know when things are changing, dynamically roll them back. And if they had those, even if there was a breach, it would end up being for several hours or a day, not for months and months. I won't call out the company that had the issue. But recently there was a major hack.
Bob Almond 26:30
And the company said, “Yep, we've caught it, we've figured it out, we've locked them out, they got nothing”. And the hackers were so spiteful, that they went online and posted everything they did, how they were doing it, and the fact that they were still there, and they still had access. I mean, it's the Wild West when it comes to protecting and locking down all of these corporate assets. And we really do believe that normalizing all of these policy silos and having a single pane of glass, using that dynamic, you know, change management and enforcement and rollback is the best way to protect the organization. And again, it's not one product, it's a lot of different products working together. It's a policy mechanism that enforces the rules and rights and responsibilities, regardless of what the activity is. And regardless of what the security product is that's enforcing the zero trust at every layer of the company stack.
Rob Aragao 27:34
Well Bob, I think your example that you just kind of walk us through is really interesting. And when you think about one of the aspects of trying to keep the attackers out, right, it's making it more difficult for them to get in. And your approach of being persistent in the policy dynamic on the policy and being able to roll back makes it more difficult. You talked about the different pillars of zero trust and how this ties back in. Absolutely. And again, making it more difficult for the attacker coming in, it makes them frustrated. They're saying “I'm moving on from this target. It's too difficult. Let me go to the next one.” It's a great approach. You make it more resilient as well. So, you've tied it all together. We appreciate you joining us here for this episode and sharing policy management and interconnection to how it helps people be more resilient. So, thank you.
Bob Almond 28:17
Thank you guys, again for having me on. This was a lot of fun. There's nothing that I like to talk about more than the things that we're doing in this. This is an exciting time to be in the industry. So, thank you.
Stan Wisseman 28:25
Thanks, Bob.
Rob Aragao 28:27
Thanks for listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us and you can find out how in the show notes. And don't forget to subscribe. This podcast was brought to you by CyberRes, a Micro Focus line of business where our mission is to deliver cyber resilience by engaging people, process and technology to protect, detect and evolve.