#1710653: Dear Abby: Why Should I Trust a Vendor Selling Me Zero Trust?

Description: In the same breath as a vendor will try to sell you a zero trust solution, they will also implicitly ask for your trust about their pitch. No one wants to come off in a bad light, but why do vendors risk losing trust by going for a “perfect pitch?”

This week’s episode is hosted by me, David Spark, producer of CISO Series and Dan Walsh, CISO, Datavant. Joining us is our sponsored guest, Rob Allen, chief product officer, ThreatLocker.

[Voiceover] Best advice for a CISO, go!

[Rob Allen] Listen to the CISO Series Podcast. Tell other CISOs, spread the word.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series, and it’s so awesome. I’m thrilled to announce we have a guest co-host today who you probably know his voice very well because he’s been on many times before.

It is the CISO for Datavant, none other than Dan Walsh. Dan, thank you so much for joining us.

[Dan Walsh] It’s great to be here today, David.

[David Spark] Awesome. And by the way, for those of you who are not aware, Rob at the beginning, who I’ll introduce in just a moment, he mentioned the CISO Series, and you can find the CISO Series over at CISOseries.com. Kind of easy to find there. Also, if you type CISO Series in Google, it’ll take you to CISOseries.com as well.

You’ll get there. Today’s episode is sponsored by ThreatLocker. You know them as the Zero Trust Endpoint Protection Platform. Well, we’ve got something new to tell you about – Defense Against Configurations. Pretty darn cool. That’s coming up later in the show.

But first, Dan, you brought up something off-recording just moments ago, talking about that you’re going into and many other CISOs are going into budgeting season, and I was interested to know, what should vendors know about when you go into that? Because my thinking is they just want to hammer you at this time.

What should they know?

[Dan Walsh] Yeah, so while the vendors are going into, a lot of them are going into year end, right, and they’re trying to get that last sale before close, I think what they need to know from a CISO point of view is we’re evaluating how our current vendors are doing, how the current tools that we have are doing.

We’re evaluating feature creep, so like when you purchase something on a multi-year deal or even on a one-year deal, presumably that company is developing new features and how do those feature overlap with other vendors or tools in your portfolio? And so, I think the big thing is to really come at it from a value proposition, like here’s how we can add value, without necessarily increasing the price, and lead with value and not pricing because if the value’s there, then the CISOs will pay the price.

[David Spark] Very, very good point. Good tip. All right, let’s get into today’s episode. Thrilled he’s back. He gives me a hard time. We love him regardless. And he gave us a great plug at the very beginning of the show, but yet you’re already listening to the CISO Series.

It’s none other than the chief product officer over at ThreatLocker, our sponsored guest, Rob Allen. Rob, thank you for joining us again.

[Rob Allen] Most welcome, Dave. Great to be here.

Why has this topic suddenly become the center of attention?
2:44.953

[David Spark] What’s your backup when EDR fails? The Register recently reported that at least a dozen ransomware gangs are now routinely using kernel-level EDR killers before deploying their payloads. Techniques range from abusing legitimate but vulnerable drivers to disable endpoint detection to targeting specific vendors using hard-coded lists to disable kernel hooks.

This sparked a conversation on the cybersecurity subreddit that EDR is mitigated. Does network telemetry remain the ultimate truth-teller in cybersecurity? No matter how stealthy the malware, post-breach activity like lateral movement, command and control, and exfiltration must traverse the network; threat actors can’t execute these attacks without generating network telemetry.

So, I’ll ask you, Dan, first. If ransomware crews can routinely disable your primary detection layer, EDR, what’s your backup plan?

[Dan Walsh] Well, I don’t know if routine is maybe the right way to describe it, but the fact that it is a very real threat.

[David Spark] Good point. It is a real threat. Yeah, it’s not like it’s happening… Because if it was routine, then there’d be no point for having an EDR. [Laughter]

[Dan Walsh] Right. But I think beyond that, I think there’s a couple of things. I think one, defense in depth is more than just like a catchphrase or a slogan. These EDR bypasses are real and so they’re no longer theoretical. So, what that means is like we have to layer technical controls and so if one fails, we don’t have a complete total disaster.

I do think network telemetry is extraordinarily critical, but obviously now it’s not necessarily sufficient on its own. And so what does that mean? Well, it means we have to look at some of the other layers that are at play here. So, things like identity, right?

What’s your IAM game? What kind of IAM events or are there any MFA bypasses that are occurring? What about any sort of Kerberos anomalies, if that’s in play? And then I think, what about resilience-oriented controls? So, things like immutable backups, rapid restore capability, so even if detection fails, we can recover and be successful with that.

And then I think the other thing is you have to harden your EDR. It’s not a set it and forget it as much as we would like that to be. And so where there’s vulnerable drivers, making sure that you’re blocking those, and you’re having multiple endpoint layers where you’re having maybe application allow lists or something like that.

So, I think those are some of the things that you can do. Again, with security, it’s never set it and forget it, and I think just making sure that security leaders and security operators keep that at the forefront of their mind.

[David Spark] So, I’m going to toss this to you, Rob, pretty much kind of the same question. I mean, EDR has failed before, but like in anything in cybersecurity, all security defenses at one time do fail, and that’s why we have defense in depth as well.

What are the other mitigation points you think for when EDR essentially can be bypassed?

[Rob Allen] Well, first of all, just to absolutely agree with everything Dan said. I mean, really, I couldn’t have put it better myself. Layered security is important, and the other part about layers is layers should be different. They shouldn’t be the same type of layers.

We’ve spoken to organizations and I know of organizations that have layers of EDRs, for example, fundamentally all looking for the same known bad things and very often falling over each other when they do actually find them. So, different types of layers.

So, one thing that we espouse is both detection, but also controls. So, as Dan mentioned, allow listing. Allow listing is a perfect example of a control that’s blocking things from running that shouldn’t be allowed to run. Combine that with detection, so if somebody’s trying to run something they shouldn’t be able to run, you get alerted about it, and that’s a really good example of a well-balanced security posture, well-balanced security stack.

So, that, as I said, basically everything that Dan said makes perfect sense.

But there are other ways that EDRs can fail. So, obviously this is one example where they’re actually going after the EDRs to try and stop them and shut them down. There are other ways that detection can fail. So, zero days, things that have never been seen before.

There are also ways that EDRs fail, but they’re failing to detect the bad things because one of the problems with detection is you pretty much need to know all of the bad things in order to be able to block them. So, again, that’s another method of, I suppose you could call it EDR failure.

It’s just bypassing an EDR because it doesn’t know that this thing is bad. So, how can it block it? So, again, it comes back to why layers are super important when it comes to protection.

Will we really ever achieve zero trust?
7:30.000

[David Spark] “Leave if it makes too much sense.” That’s the Marwari saying Raghav Dinesh of IBM recently shared on LinkedIn, arguing that when vendor pitches feel too perfect, you’ve found your red flag. He outlined the psychology of influence in cybersecurity sales.

You probably know the techniques, even if you can’t name them. The 90% true pitch, charisma masking contradictions, and the breathless claim that ‘I fought for you,’ with no proof to back it up. Why don’t we apply ‘zero trust’ to vendor pitches? A vendor who can’t explain their solution’s limitations,” by the way, we hear this all the time from CISOs that they want to know a solution’s limitations, “but a vendor who can’t explain their solution’s limitations probably doesn’t understand them either.

We all have seen our fair share of vendor red flags, but what are the questions we should be asking?” and I’ll ask you, Rob, “And should every vendor be prepared to answer them?” And I’m going to just say, give you kudos first, before you even answer, Rob.

You’ve been good at dealing with some of the super-tough questions that I’ve seen CISOs throw your way.

[Rob Allen] Well, I was going to also say, thank you for throwing the question that beats up on vendors to the vendor.

[David Spark] I’m throwing it to you first. No, but no, I’m giving you kudos because I have seen you handle really, really tough questions very well. And the thing is, no one product can do it all, right?

[Rob Allen] Well, as we just discussed, as we said a moment ago, no one approach is the only true successful approach.
More info: https://cisoseries.com/dear-abby-why-should-i-trust-a-vendor-selling-me-zero-trust/

Date added Nov. 7, 2025, 4:49 p.m.
Source CISO Series
Subjects
  • PodCasts / Webcast / Webinar / eSummit / Virtual Event etc.
  • Security Management/Strategic Security/ROI/ROSI - CISO and Higher Level
  • Zero-Trust / Zero Trust Security / Zero Trust Models / Zero Trust Network Access / ZTNA