Modernizing Cybersecurity: Preventing Breaches With Ken Morris

We trudge into cyberspace potentially vulnerable to identity theft and cyber-attacks, and your company should be protected against them. In this episode, Ken Morris, the CEO of KnectIQ, offers insights on preventing attacks and breaches by modernizing cybersecurity. He describes building a technology that removes the need for persistent secrets, creating an ephemeral environment within the context of Zero Trust. KnectIQ focuses on the problem of people who don’t control their own credentials. Do you want to be secured beyond traditional network boundaries? Then tune in to this episode and learn how a Zero Trust based system works.


We have this amazing guest. He’s a grandfather of two. He’s also an award-winning composer. We are going to have to talk about that because he enjoys writing and music arranging. He is trained on thirteen instruments, but his favorite and most popular is the piano. He loves reading all different types of novels and nonfiction. Welcome, Ken Morris. Thanks for being part of this.

Thanks for having me.

We are going to start off swinging here. If cyber risk were a pizza, what’s the riskiest topping you have seen, and what topping would you equate that to when it comes to cyber risk?

It’s more likely an amalgamation of toppings. Imagine a peanut butter, anchovy, broccoli, vegetarian cheese (nine kinds of cheese, to be specific), bacon, hamburger, sausage, and chocolate pizza. That monstrosity is the state of how we are dealing with risk, particularly from a cyber standpoint. It’s all over the place.

I don’t want to eat that one.


Same here.

Most CEOs try to avoid that one. I have also seen the latest one, which is a pizza with cinnamon stuff on it. If you added all those together, that’s why it’s unappetizing to do cybersecurity, cyber risk transference, and all these other pieces that are out there. It is because there is so much to try and tackle all at once.

It doesn’t sound appetizing at all. This is the first time we have had somebody identify many ingredients, and we have to eat this pizza.

You sound like a lot of friends of mine who are CISOs. They were like, “Do I have to eat this pizza?” The short answer is yes, one bite at a time.

If you were to talk to anybody who was a big fan of veterans and hired veterans, they would say, “That’s why they made Tabasco. You put Tabasco on it. You can eat anything.” The question becomes, how does somebody eat such a pizza? That’s always been my theory. How do you cram down something that may not sound appetizing to you? One pizza at a time with a lot of Tabasco.

If we put this in the context of risk and all of these toppings being various forms of risk, a lot of folks look at it as a whole. Amalgamate up to that, that’s true. At the end of the day, you have got to segment out and look at where you need to focus on first, Tabasco aside. It’s looking at what are some of the fundamentals. What’s the underlayment? The proverbial peanut butter pizza sits at the bottom, even below the cheese.

The question becomes if one does not like peanut butter and sees that as a problem, you deal with that first. What I tend to see happening is that a lot of CISOs and people who are in the space look to how we transfer this risk to someone else or something else. It’s done via technology. If you look at cloud service providers, there are shared risk models. All of these are done because we don’t have good ways yet to take care of the fundamentals.


One of the largest challenges that we still have now happened again with MOVEit, and this is a fundamental issue. MFA is nothing, if you are skilled, more than a bump in the road. If they get your credentials, they are getting inside your environment and going to get inside your device. As we have ignored that or done a little bit of handwaving, those guys operate with impunity in that regard.

We are left dealing with the remainder of the toppings, which is what’s the threat? Is it the broccoli? Is it the vegetarian piece? Is it the hamburger? This is the state of our industry because, for whatever reason, we have not dealt with fundamentals. It’s about how to protect the data. How do I protect access into my environment, be that devices, networks, or cloud services writ large?

That sounds like the biggest problem that you have seen in the industry, and we have seen the same thing. It’s complicated. The risk transference of going to the SaaS providers is one of the reasons that we went to that several years ago. Over time, nobody runs their email server anymore because the risk is too high. We have seen that.


There are other forms of risk transference. We have seen this in the insurance industry. Cyber insurance, no matter how you quantify it, qualify it, or define it, is difficult. I also came from that side of industry risk management years ago. One of the best things that those who are being covered can do is to mitigate the potential for loss.

We try to do that in cyber, but what insurers are beginning to figure out, and we have heard this from the CEO of Swiss Re, Munich Re, and a few others who have said, “This might be uninsurable.” In this whole concept of risk transference, can we even transfer it? Do we have to figure out a better way to manage it or do something that I would call risk management 101, which is you lower the risk profile? One of the ways to do that is to stop bad guys from making access.

We have got data and studies. We have looked at this. Verizon, IBM, and the Ponemon Institute. Every year, they keep coming back with 60% to 70% of all initial intrusions happening because the bad guy walked in your front door, cited an entry, and had valid credentials. You didn’t know they were in there until you are like, “We think we may have a threat. Hopefully, you catch them before they do damage.” This is the state of our industry. A gentleman formed Mandiant. He’s fond of saying, “All we do is clean up on aisle nine.” He’s right. My point is, why are we waiting until the mess is there? Why don’t we adopt fundamental principles that prevent bad guys from using valid credentials in the first place?


Many CEOs, or many executives, have their heads in the sand. Along that same line, the next step is that a bunch of regulations are going to come from the government because people are getting tired of credentials or identities being stolen. You are seeing that with some of the laws that are being passed in California. From that standpoint, what are your biggest challenges when meeting regulatory requirements?

In the regulatory requirement space, one of the challenges is the regulators don’t understand the risk profile. They are leaning on the industry. The industry has put up the narrative that you cannot prevent a bad guy from getting in. That has the benefit of being true. However, it’s a style analysis they want and are not looking at what the data have been saying to us for the last several years.

There are areas of focus. We tend not to do that. The regulators will tend to go along with what we say in the industry, which is, “You can’t prevent it anyway. The best you could do is mitigate.” That is partially a fallacy. It puts the regulators in the position of regulating based on the fallacy. They can’t get it anyway. The best you can do is try to clean up the mess on aisle nine. Put all these things in place, but they are after the fact.

It gets interesting when you think about financial services, critical national infrastructure, the Department of Defense, and national security. You need to be able to handle trusted connections and data movement in real-time securely. There’s this constant trade-off where people see security that weighs one way, managing the data, monetizing the data, and utilizing the data goes another way.

If I’m in business, guess which one I’m going to pick? I’m going to pick the one I need to be able to monetize and do with the data over security. We have seen this where people get the hand wave on security. We don’t believe that is a mutually exclusive question, but that’s how we tend to approach that in the industry.

I often consider the challenge of whether you want to attack risk from the compensating control mitigation perspective or not. I have always seen the issue of this real world of crime, but uniquely, you get to choose where you park your car and build your house location, wherever you want to go. You are probably not going to park your car in a bad neighborhood because there’s a risk of it getting broken into. In an internet-delivered world, you are always parked in the worst part of town, allegedly.

It’s reasonable to say that as much as we like to think we can understand every single IP address that exists on the internet, it’s like trying to chase a ghost. In terms of risk mitigation, what do you think is the answer in terms of the approach and understanding that, in the real crime world, you are not going to stop crime? In a digital world, is it going to be 100 times more difficult? If you can’t stop it, what is the approach? What is the balance and the answer?

Here is a way to think about this. Our friends at Mitre and a few others have created continuance, which is not a bad framework to think about the initial intrusion, attack, mitigation, and all the way through to the cleanup on aisle nine. It is not a bad idea. The question becomes, where can you get the best bang for your security buck?

We know what’s happening with these initial intrusions, but there are control mechanisms that organizations are putting into play. YubiKey has one. I will use them because I think it’s good. Those types of hardware-based controls are challenged with that friction. Anytime you are going to do friction, human beings resist. That’s part of our nature. While a good mitigation on the front end, people seem to be resistant. We tend to default back into, “We will have to try and catch them when they get in.”

There are other modalities and ways to think about this problem. First of all, how can you create technological control systems that will aid the human? Humans will make mistakes. We will do things that we shouldn’t do. It happens all the time. How do you control for that while allowing for optimal utilization of what we all want, which is the data?

One way to do that is to follow what the Ponemon Institute has talked about. IBM has talked about this in their report. Fortinet has looked at this proof point. It continues to come back to the front end of this issue. This is parking on the wrong side of town. If we use that as an analogy, let’s stop the bad guy from using one of the best weapons they have to get into environments. We talk about ransomware. Let’s not wait until we talk about privilege escalation.

When I’m inside your house, let’s deal with how I am going to keep you out. I look at this from the defender. I am deluged with way too many alerts. I can’t keep up. People are looking at it and all those types of things to help, but it’s many. The question becomes, can I reduce that? Can I get that out of an overload space? The short answer is you can. One of the ways you can do that is to deal with this question of, “You are not getting in my front door. Even if you have valid credentials, you are not coming in.” It’s a bit analogous to, loosely, I’m not gonna park my car in the bad neighborhood, even though the internet writ large is the bad neighborhood. We have to deal with that as we can.

It’s not an easy problem to solve. One of the reasons that cyber risk is, all of a sudden, an important topic is because you have to demonstrate you did everything possible. You have to teach your staff how to do the right thing. Bad behavior is bad behavior.

We are also humans. I have seen where maybe somebody is dealing with something in life, something happens, and they are not able to pay attention. That’s where it can come in. If somebody passes away, they are distracted. They get that email that has a simple click. It’s like the 25 emails they already processed that day, and there it is. It’s a click. It’s still human nature, and we have to manage that. Tell me a little bit about the solution you have developed. How do people get around this?

You stop unauthorized people, unknown untrusted devices, or individuals from using valid credentials to get in. How does one make that work? I’m a big fan of Isaac Asimov. He’s got his three laws of robotics. We have our two laws of data and device security. The first law is that no secret exists outside of its immediate function, full stop.

I will give you an example of what that looks like, for those who might be inclined to think about the digital nuts and bolts. When you look at key management, we have this infinity problem where you store the keys in the warehouse somewhere, and you have to have some digital key or access to get in there, so you can pull the key to use for cryptographic purposes, sign in, or whatever you do. You take the key, put it in a vault, and secure it with another key.

Key one is in vault one. What do you do with key two? You put key two in vault two. You can see where this is going. Now I have got key three in the wild. Bad guys understand this game. You can have n in number, but there’s always an n plus one that’s hanging out in the wild. They don’t care about the n’s. They want the plus one. They grab it and do their thing, and they are in your environment. Persistency of secrets is our enemy, but our cryptographic control systems, by and large, are based around the persistency of keys and certificate authorities. You have all of these groups involved. They are all threat surfaces because you have secrets hanging around outside of their immediate function.

The second law is when you are establishing an identity for a device, and we are working on moving that to a person, you cannot violate the first law. Think about what we do now. We have tables. Tables allow this. You get to do this. They are encrypted and hashed, but at the end of the day, somebody has a secret somewhere that allows them to unlock that.

The question becomes, how do you create completely ephemeral environments, but you do ephemeral environments within the context of zero trust? I know zero trust has been out there. It has been beaten up appropriately because it’s cognitively dissonant, but that’s okay. The underlying principles are sound. It’s challenging to do that with contemporary considered best practices because they all rely, by and large, on the persistence of secrets. We built the technology that removes the need for persistence.

Imagine if I tell you you don’t need PKI for most purposes, certainly not for data protection. There are a lot of people who might grow hair if they are in my situation or lose hair because it’s considered a standard. I’m a big believer that if standards are not operating well, let’s not continue to do them. Let’s pass. What if you don’t need certificate authorities? What if you don’t need certs? We have things such as TLS and mTLS. These all use certs, which are threat surfaces. People acquire those, and they do bad things.

Imagine a world where you can eliminate that infrastructure. You are much more agile, nimble, flexible, and secure because you have eliminated the ability of bad actors to take something they acquire either external to your environment or device. If they are inside, the principle is still the same. You don’t allow unknown, untrusted devices and individuals to gain access to where they shouldn’t go. You do it all in real-time. You capture everything about them and send that off to your SOC, SIEM, or fusion center and let them deal with the bad guys, but you don’t let them in your house.

Preventing Breaches: Imagine a world where you can be more agile, nimble, flexible, and more secure when you eliminate that infrastructure that allows the bad actor to take something they acquire external to your environment or device or if they’re inside the principal.

In the spirit of Isaac Asimov, I often think of the Foundation series. I don’t know if you have read it, but I wonder if some of these guardrails and regulations. There’s a standard for how the internet is built. IETF is supposed to govern it, which is another story. What does that look like? How is everyone going to get on the same page? What’s interesting is, are we missing a Hari Seldon? Do we need someone who can look into the future, understand what has to happen, and carve that path through regulation as part of the equation? How is that going to help?

Being an ardent capitalist, I am mindful of economic and financial interests in regulations and standards. Let me give you an example. This is happening, and this is all public. We can talk about it within the defense industrial base. Let’s look at cyber specifically. You have the Department of Defense, particularly on the services, saying, “We need to be able to talk to our colleagues and coalition partners in real-time.”

There’s something called Type-1 crypto. It’s in a box. It’s hardware. We are not going to share the box because we don’t want them to have our crypto. How do I talk to them in real-time? You could do it over the wire or air. That’s not a good idea because it’s not secure. You can see the mission is negatively impacted by standards because of what we standardize around this model.

You have the DOD saying, “Give us industry something because you are the smart ones. Help us understand what we need to do.” The industry says, “No, give us the requirements, and we will build it.” The DOD is saying, “We don’t know the requirements. You help us build the requirements.” They were like, “No, tell us what the requirements are.” It’s mindful of the Three Stooges slapping each other, and nobody’s getting anywhere.

This is a fundamental challenge that we have. It’s not just in our defense industrial base. This is true in the private sector. When we look at the forces and the interests here, even though we all talk a lot about it. We want better data security and access security. Behaviors are to continue and reinforce the status quo or, if you want to rewire that or reframe that, current standards.

Even though we know they are not serving us well, we continue to do that because not doing that risks one’s particular physical and economic well-being. The question becomes who and what is going to stand in the gap and continue to talk that we need to be here. We need to get rid of these types of regulations, even though a lot of economic interest is at stake. At the end of the day, security and flexibility to do cool things using the internet are also at stake.

There’s a balance point, but that’s great feedback in terms of the issue revolving around standards. When it becomes a standard, it’s a little bit different. What’s amazing about our country is that we are a country of argument. We tend to do everything around in terms of judicial matters, our executive, congressional and judicial branches.

Somebody has got to make the call on how prescriptive you make a standard. Generally speaking, most of them are not that prescriptive until you get into New York SHIELD. One might argue that it might stymie innovation or make it more difficult for innovators to continue to address cybersecurity in general. Too much is sometimes not good for finding that balance of putting guardrails in place instead of standards. This is what you should be doing. How you do it is up to you.


That is the line of thinking. I look at economic behavior. I understand the argument about guardrails and what we can and should be doing. You are right. There should be a balance. Observationally speaking, looking at the defense industrial base, there is more of a move toward maintaining the status quo, even though there’s a lot of language and discussion around moving into more innovative areas. Where we see investment and behavior is in maintaining the status quo.

I harken back to a point I made earlier. At the end of the day, if a standard is not serving us well, and there are a lot of standards that do serve us well, I’m not anti-standard. I am anti-standards that are no longer efficacious. We have the courage to challenge what we hold to be sacred. It’s a standard working force. If the answer is no, let’s create a path to get to a better position.

Even a simple guardrail where you get to interpret on your own, or a slight change, we would call them frameworks. A good example is password encryption. Rather than encryption, the entropy would be like, “How long should the password be?” To the point where now we have people saying, “The password is not as important.”

It feels like the business is like, “What do you want me to do? You want me to have a strong path. Tell me what to do.” That’s a big part of human behavior and elements, and perhaps the lack of confidence because this target is moving quickly. You look at what it takes to stop a hacker. For many years, we have been trying to stop the hacker. How successful have we been?

I always wonder if, culturally, in the environment, things do change fast, and 60% of the workforce goes back to your old DiSC profiling. They don’t like change.

With this, we know SelectiveTrust, which is a technology we built based on zero-trust principles. My good friend Dr. Asimov, we know that works. That’s been proven. You can have all the credentials you want. Everything is ephemeral. If you are not in a trust relationship, you cannot unilaterally place yourself into it. Think about what that means.

All of the tools and places where bad actors may want to grab a package, which they can do on the internet, any twelve-year-old that’s been around knows how to do that, with a strong, long enough key, there’s not much you can do with it, certainly with conventional computing. The whole issue with PKI is another problem with public keys in terms of Shor’s algorithm, and that’s probably five other episodes.

We are in this place where willingness to look at things that are orthogonal is being thrust upon us simply by virtue of where we are. What we did here at KnectIQ was look at what’s in this area here, initial intrusion and escalation of privileges. What’s the fundamental root cause of why that happens? Can we kill that?

Nature is a great example. When you prune something, you get more of it. What we have been doing in cyber is we keep pruning. We have this many years of history to illustrate. We still can’t keep the bad guy out of our front door with valid credentials. That problem needs to be fixed and solved. There are plenty of others that are going to be here. There are other ways to get inside devices and environments. We can see that. We also know the bad guy says, “I’m going to use the easiest tool I have. I’m going to figure out a way to acquire your secrets.” They get it done and they move on.

If we look at the data, bad guys get inside environments. Where do they go? Where are the credentials? I want to escalate privileges. I want to root and own this environment. The best way to do that is to let me get my hold of the credentials. We say, “Let’s stop that 50%, 60%, and 70% of initial intrusions that are silent.” That’s one of the things we go about doing. What gets you is an agile security environment that allows people to do things they can’t do now simply because of this problem of how do I deal with humans who don’t control their credentials?

It sounds like things are moving forward now. What events could somebody go to learn more about this? Are there any books that you would recommend people read?

Starting with cryptographic science is always helpful. Bruce Schneier is always a good one to read. There are others out there. He gets deep in a hurry. He also can bring this up to the level of a layman. There are tons of conferences. We went to RSA. It’s probably a good place if somebody hasn’t gone to at least try to get a root understanding of what’s happening in the cybersecurity space.

One of the things I did notice there, interestingly enough, is that the majority of vendors there are all doing the same thing. That’s one of the challenges that we have in industries. Everybody is doing the same thing. We are getting the same results. The question says, “We probably should stop the train and think about it for a bit.”

If you are into defense, national security, and AFCEA, it is a great international organization. If one has an interest in that space, there are tons of conferences out there. They could go in and google cybersecurity conferences. They are everywhere. Israel is famous for Cyber Week, which will be happening in Tel Aviv. There is CyberTech. The flagship is in Tel Aviv every January. There are a lot of those around, either globally or locally, that people can attend to at least get a sense of it. Some of those aren’t free. It’s not a bad idea.

What excites you about the future? How does it work?

One of the things that drives us is we see the ability to transfer the risk back to the bad actor by what we do. We think that’s one of the coolest things. The future is bright, provided that we as an industry are willing to challenge our thinking, standards, and fundamentally held beliefs. There are areas like cryptography where math is math, got all that, but practices, procedures, tools, tactics, and all of those are fair game to be looked at.

I’m excited about the basic understanding of cyber and data security, which is now starting to happen in high schools. There are some junior high schools around the country that have begun to broach this subject to help people at large understand what this is all about. There is a dearth of understanding in the broader public about what cybersecurity means. It’s not about encryption. That’s a tool that helps you do what you need to do.

There are voices that are beginning to speak about maybe we ought to consider fundamentals. This is happening in Congress. This is also happening across Europe. There are a lot of agencies that are beginning to look at fundamentals. That’s helpful and useful. As long as we head down that path and we are willing to adapt at tactically relevant speed, we are going to be okay. We haven’t done that as an industry. We have been focusing more on layers, thinking that more layers make it harder. If I’m a bad guy, at the end of that chain is all I care about. I don’t care about your layers. I’m going to get through those.

Even the UK has the cybersecurity basics for any business, no matter how big or small. No matter how many layers you add, we are still getting hacked. It makes more complexity. Managers are having too many errors. It becomes unwieldy quickly. Thanks for all that. Tell us a little bit about you. How did you get here? What important moments happened along the way, and how did you become Ken?

I had the privilege and honor of attending a private prep school, Phillips Andover. Not because my parents had any money. My dad died when I was nine. My mom and my four other siblings are members of the Horde, as I used to call us. Now, the Borg because we are all part of the collective. I always had an interest in matters of technology, even as a kid.

Fast forward to high school, it was my first introduction to technology and the way we think about computers and teletype machines connected to a PDP-11/40 out there. There were some friends of mine. We had punch cards. We rewrote the operating system remotely on punch cards. I realized, “It’s 0s and 1s. It can’t be easy to manipulate these things to change somebody’s perception of reality.” It turns out that’s true.

The interest was there. Fast forward, I was completely self-taught in the space. That includes programming languages, assembly back in the day, COBOL, PL/1, all the way up to what we deal with now with different versions of Python. I haven’t learned Go yet, but it’s on the list when I get some time to get that done. I have an incredibly talented technical team here that understands that stuff well.

I’m passionate about next-generation youth. How do we get them trained adequately and pointed in directions that are helpful for society? The creative side is scratched a bit. I was a music major as an undergrad. People said, “That’s cool.” I said, “It’s Applied Mathematics and Applied Physics.” I loved it because I knew why everything sounded the way it did, what made it better, and what made it worse.

I tend to look at technology and tools in a similar fashion to bring this full circle. Whatever we are doing, the fundamental question becomes, is this additive or not to society as a whole? If it’s not, we should stop doing it. If it’s subtractive and we don’t need to subtract things, we certainly need to stop doing that. That tends to inform how I think about the world around technology.

It sounds to me like you have a thirst for knowledge between your music talents, technology, and programming. My understanding is you are also a lawyer. You have got a law degree on top of that to have such varied experience and levels. That lifelong learning has been well for you overall.

A friend of mine told me years ago, and his name is Mr. Green. He used to live downstairs from us in the on-base housing at Naval Air Station Alameda. He said, “Everything is connected.” I had no clue what he meant, but now I do understand. It’s all connected at some point. The question becomes, “Are we pushing and pulling on the proper threads to get us the results we are looking for?”

If you could go back in time and give your younger self some advice, what would that advice be?

Read more faster. Even though there are many hours in a day, I took part of that when it was time to take the bar exam. This doesn’t happen now. This tells how long ago I took it. A cassette tape for those who remember cassette tapes. I didn’t want to sit through the last bar review course because it took too long. It was three hours. I didn’t have three hours. I’m still working full-time running a computer consulting firm.

I figured out I could take and get a sped-up lesson with a lecture and I had a tape recorder. I sped it up again. I could complete a 3-hour session in 37.5 minutes. It’s not the acquisition of information and knowledge. It’s about how you transfer that to some useful action or activity at the end of the day. I think about my younger self as a thirst for knowledge is great. How are you going to use it to make things better?

How can people contact you?

They can find us on the internet, KnectIQ.com. I’m on LinkedIn. You can also do a Google search or a ChatGPT search, and you will find me. I’m out there.

We appreciate your time. This has been a great session and informative, along with some of the fiction books. Thanks to George and yourself on that one. We truly appreciate that and the new pieces. Also, for the creativity and the pizza, because I don’t want to eat the pizza. I’d be picking things off of that one. I’m sure vegetarians would have some issues with the meat, and carnivores would have some problems with that, but that’s okay. To our audience, we’d like to thank you for reading. If you have laughed, had some fun, and learned something, please share this show with your friends. This has been another great episode of the show. Thank you very much, everybody. See you next time.

Live long and prosper.


About Ken Morris

Grandfather to two grandbabies.

Loves reading and writing.

Ken Morris demonstrates rare and essential abilities as a CEO and leader. He is a visionary and an executor. He is among the most respected and networked individuals.

Bringing SelectiveTrust™️, a modern, unified, and scalable targeted Zero Trust stack that eases deployments. Modernizing cybersecurity to prevent attacks rather than merely responding post-breach.

KnectIQ – We stand alone in preventing the most common form of breach: credentials. The company has been around for 8 years, primarily working with governments, national defense, and the private sector – health care, banking, and finance.