Analysis Summary
Performed authenticity
The deliberate construction of "realness" — confessional tone, casual filming, strategic vulnerability — designed to lower your guard. When someone appears unpolished and honest, you evaluate their claims less critically. The spontaneity is rehearsed.
Goffman's dramaturgy (1959); Audrezet et al. (2020) on performed authenticity
Worth Noting
Positive elements
- The video provides a clear technical explanation of how just-in-time network access differs from legacy port knocking and its application to modern cloud environments.
Be Aware
Cautionary elements
- The use of 'revelation framing' makes the product feel like a 'secret' or 'insider' solution to a crisis that the speaker claims traditional security can no longer handle.
Knowing about these techniques makes them visible, not powerless. The ones that work best on you are the ones that match beliefs you already hold.
This analysis is a tool for your own thinking — what you do with it is up to you.
Transcript
>> All right, Adam, welcome to Unsupervised Learning.
>> Thanks. Great to be here.
>> So let me know, what's the problem that you're working on and what have you come up with to solve it?
>> Yeah, so Knocknoc was created about five years ago to solve that just-in-time network access thing. The actual problem that we're solving was exposure of services where a customer couldn't use a VPN, they couldn't use a cloud routing thing. So we built v1 of Knocknoc to add IP addresses to firewalls and control layers, and that was the genesis five years ago, six years ago. It's expanded a lot, but the problem is just attack surface. Having something visible pre-authentication on the network, on the internet, especially these days, just seems crazy, and Knocknoc helps people not do that.
>> Yeah. And so my background actually started in network security, being a firewall engineer. So there was this thing, port knocking. When was that? That wasn't five years ago. That was more like 10 or 15 years ago.
>> Yeah. I want to say that was even further, like 2002 or 2003 or something there.
>> Yeah. So port knocking was you hit the ports a certain way and you've got iptables or whatever listening for that exact pattern, and then it would make the firewall rule change. So is that what the knocking comes from in the name?
>> Exactly. That's where the name comes from. It's the secret sequence, as you say, that then opens up. That was one of the foundational ideas, but it evolved from there, because the problem with port knocking was people would just throw scans and whatever at a firewall, and you had to listen for that sequence, which, when you're listening, is another attack surface. So the evolution of that was the same idea, a secret sequence to get in, but in an indirect way, is where we landed.
>> Yeah.
And what's cool about it is if you don't have any SSH ports open, like before this whole listening exercise kicks off, it's just closed. There just aren't any SSH ports. You're not getting through an SSH server if there's no listener. Say what you want to say about the parser and attacking the SSH daemon. There's no daemon, so you're not attacking the daemon.
>> Exactly. Yeah. And SSH is great. It's got a great history, but if you can't see it, then the history and the future history is less important, right? Because you can't attack it.
>> Yeah. And then there's this whole concept. I got in these military-style debates about this over the years about security and obscurity. Does that come up a lot, with people saying, "Well, you're just obscuring this," or whatever?
>> Sort of. Obscurity is where randomness is involved. If you don't know randomly where it is, then that's okay. But take your SSH example. If it's not listening, you can't connect to it. I guess security through obscurity would be putting SSH on a high port, which is what a lot of people did back in the day. You put it on a random port and hopefully nobody will see it, but you just scan the whole server and you can see it. So yeah, obscurity, and lots of debates. I feel I've had the same sort of thing. It actually works, security through obscurity, if there's enough randomness. You can't just rely on it on its own. Arguably it does actually help. It's the question of, if you know the mechanism, does it allow you to actually solve the puzzle? If you just know how it works, are you instantly hacked? If the attacker knows how it works, are you instantly hacked? If the answer to that is yes, which is, well, it's port 1337. That's the answer, which you didn't know before, and now you know the answer. And the mechanism is simply, well, we assign a random port.
But it's a little bit stranger than that, because if you take the spy case, you know, New York's Central Park, there's a drop zone somewhere. The CIA knows that Russia is using this park as a drop point and vice versa, but they don't know where the drop points are. So they know the mechanism, but you can know the mechanism without knowing the key, which is actually where the thing is dropped. You know, the literal key is stuck to the bottom of a bench or whatever. Anyway, I thought that was always interesting. It's the mechanism versus the key.
>> Yeah. It sort of comes back to something you know and something you have. So you know the key's in Central Park; you still have to find it. But even if you find the key in Central Park, what door does the key get used with? You find the key and it's got an address written on it. Sure, that's too much information. But if it's like you find the key and then there's a separate piece of information somewhere else that says that key needs to be used at this location. So it's effective. It creates time and cost and effort that goes into these things, which ultimately is part of the game. You want to make it expensive or difficult enough that it's not worth it, like getting into a system or a technology. It's just which way you need to go in and what is the most effective and least effort and cost to get there. Because ultimately there will be a way in, whether it's going through the SSH daemon or turning up to the office and physically going after it. Ultimately, if somebody wants a piece of information, they will get it. It just depends how much effort and time it takes.
>> I mean, knowing the mechanism is not really the trick unless it's super easy to hit that key space, right? Because if someone is like, well, Russia is doing drops here in Central Park.
All I have to do is search all of Central Park, and then boom, I've got it. And it's like, okay, well, good luck with that. And it's changing all the time. And that's why even moving your SSH port, you're not actually doing true security, like, do you have a cert on the daemon or something? Are you using private keys? That would be much more effective. But it turns out your probes and attacks, the moment you move that port, dramatically go down. All of that is a bit of a diversion, since you have something better, which is just don't have it open at all, because you're able to move it behind completely.
>> Exactly. A lot of the extension of that then is, okay, so I don't attack the server directly, I just attack the Knocknoc thing. And it's like, well, yes, you can go after the Knocknoc thing, but that's not a direct path through Knocknoc into that SSH daemon or behind the SSH service. There's just another layer procedurally that an attacker needs to go through. So an example is somebody will have Citrix on the internet, and Citrix on the internet is open all of the time. Everybody's scanning and everybody's attacking, and as soon as there's a Citrix zero-day, the whole world is mapped. You just go and use your Citrix zero-day straight up against that location, and hopefully you beat every other hacker in the world that's going after it, every other nation state. You want to be in there first. You want to patch it, you want to take control of it, that's fine. But if Citrix is not visible on the internet, then you can't even map it out as an attacker. You don't know that that organization's using Citrix. So you have to break into Knocknoc, go through that somehow to then get visibility of Citrix, to even know that your victim, the person you're trying to get into, is running Citrix. And that's even before you build up this mapping and this footprint in your arsenal.
So back to your Central Park analogy. You know that maybe there's a drop zone in Central Park and they're using Central Park, but what does it look like? What time of day, what time of year? And just the fact of blocking Central Park off to check everyone's pockets on the way in or out tells you that, well, let's not use Central Park as the drop location anymore, let's use another location. So that analogy of awareness and the possibility of just searching everybody in Central Park goes so far in preventing exploitation. And that's where we see the future. Everything is about response, like, I can detect it quick enough, and if I can detect it, I can be aware of it and respond to it. Well, you just can't really do that anymore. The pace of vulnerability. I saw this morning, I was reading that CVEs were about to hit 50,000 for the year, and that's the highest number ever. Well, it's February and we're already breaking new records. So,
>> and that's just GenAI, right? The pace of vulnerability discovery and then the pace of exploitation. How do you keep up, and
>> and the pace of writing the submission to actually create a CVE.
>> Yeah, that's right. And discovery, automatic exploitation creation, and then using that, the pace of defending is becoming impossible. It has already been a hard race, but the pace means you can't respond anymore. And our view is you just have to prevent. You just have to block everything, not have SSH on the internet at all, because ultimately one day there will be an SSH thing and you just don't want to be in the firing line when it inevitably happens.
>> Yeah. Absolutely. So most attack surfaces, let's assume that they're hosting their own website, which usually they're probably not, but let's just say their website's in their DMZ or whatever.
So they have web open, they have email open. Again, probably not, they're probably using cloud email, but let's just say they're passing it in. Certain things have to be available like that, but lots of people have other things available that don't have to be. So they've got IKE, or whatever, UDP 500 for their IPsec firewall. Maybe they have an SSL VPN. Maybe they have SSH, like we were talking about. Lots of different daemons that help them connect in to the back office, especially after COVID; so many people are remote, so the stuff is out there. And I do a lot of this mapping myself on the side. It's always been a thing for me, attack surface, and there's just tons of stuff listening. And so the idea here, I guess, is unless it's an actual public thing, just completely take it off, and then you basically have this one daemon, the Knocknoc system, and that's where you manage the actual rules that open and close.
>> That's right.
>> Is that right?
>> Yeah, that's right. And it's a web application, which means you don't need to install anything on the client machine. You know, the IKE example, you have to have keys and certificates and all of this pre-established work. And they're complicated. The IKE processing has to take all this SSL complication, which presents more attack surface. So yeah, a website, log into it, it ties into your identity platform for single sign-on, and then our architecture is we have orchestration agents that subscribe to those login events, and then they do the work. That might be running on the SSH server directly, that says, you know, Dan's logged in from this IP address, so allow Dan's IP for the next six hours. It pulls that information down, orchestrates it, and then allows that direct IP access from that trusted location and then automatically removes it. So you've got this direct path.
But yeah, all those services just don't need to be publicly accessible, except for your email and your public brochureware sites and those sorts of things. But everything that's internal or B2B or third parties, that all just moves behind a process to take that visibility off the naked internet.
>> That's outside.
>> Yeah. But what you're actually talking about is control of devices. Oh, AI. I want to think about this. You mentioned, I'm not sure if you mentioned agents or if I just heard agents, because I hear it every day all day.
>> I think I might have mentioned it as well. Yeah.
>> Okay. So there's work being done. There are workers who, first of all, have to understand the operating system of the control mechanism, right? Is this a router ACL? Is this a Check Point firewall? Is it a Palo Alto? So whatever that control mechanism is, you've got to have some sort of access to that. I imagine that's tied in somehow with the strong auth that is being used here.
>> That's right.
>> So what does that look like in terms of the control mechanism?
>> Yeah. So there's the authentication part that happens for the user, the validation, and then there's the consumption of that login event and the application, I guess, of that IP into the control layer. So the identity and authentication process is sort of handed off, if you like. We're all about post that, then what can the user have access to? But that's a human identity. Or it's a non-human identity. It can be machines. We've got customers that are using Knocknoc to open up SFTP automated file transfers, because procedurally it's like, "Hey, let me in. Knock on the door. Yes, you're allowed in. Okay, now go and do your work over there." That workload just continues. Whether it's a human or a machine, it just procedurally happens.
>> Yeah, that makes sense.
>> So could you potentially do that for internal firewalls, for internal app firewalls? What about endpoint rules? There are so many technologies, not infinite, but hundreds of technologies have come out for gating, controls, filters across the different layers, right? Endpoint, network, application. What options are there? What can you do now, and what are you thinking about for the future?
>> Yeah. So you mentioned Palo Alto, Check Point. That's the edge. That's where we started: take things off the naked internet by using a Palo or your Fortinet, whatever. But then we moved into hosts. So Linux. Linux has a great firewall, it's built in, so the host becomes self-defending. Last year we released Windows support, so Windows nodes are then self-defending. So internally, yeah, you can do it internally
>> with the stuff you already have.
>> We just released that in December, the Windows one, so you can actually do just-in-time RDP from an internal network to an internal machine. Next week we're releasing HP-UX on PA-RISC and Solaris SPARC architecture, which is cool. A customer came to us and said, "You're doing the Linux thing, the Windows thing, great, but we've got these old machines over here and we'd love to do just-in-time exposure of them. They're HP-UX on PA-RISC and Solaris SPARC." And we're like, oh, Solaris SPARC, that's not that old, surely. Golang on Solaris SPARC, surely that's just a thing. Turns out, no. But that idea that the receiving endpoint should be self-defending. It's reading in the rules and becoming self-defending and exposing access only after it's had that identity process. It's different. It's a new way of doing it, but it just makes sense when you look at it from an attacker's perspective. I can't get to that thing at all until I've gone through this process. Well, that's super annoying.
All out of band, and just more platforms is where we're building out now.
>> Yeah, I love that. Back in the day, there used to be this company called Skynet or something, or Skybox or something.
>> Oh, yes.
>> Yeah.
>> Yeah, I think they did some kind of modeling of, here's all your router rules, and if we were to change this one, your risk would go up by this many risk points or something. I thought it was really cool. But yeah, I wrote a thing a long time ago, I think probably inspired a lot by Marcus Ranum.
>> Yeah.
>> It was something along the lines of you just define a policy.
>> You are the head of security, or you're the head of the business or whatever, if you have some technical understanding. You just say what should be able to talk to what, right? That is a policy that is universal. An intelligence should be able to reverse engineer that and then look at its list of controls. When you first started out, guess what, it's router ACLs in Cisco.
>> That's all we got. And then that slowly turns into, oh, now it's a firewall. Oh, it's a stateful firewall. Oh, it's a reverse proxy, right?
>> But then the controls get more advanced, and like you said, okay, host firewall, router, whatever it is. Then you've got application-layer firewalls. Anywhere where there's a knob or a switch or a lever and we can make this change, you just make that visible to the policy, and then there's an intelligence layer in between that says, "Oh, they must have meant this. In the language of this filter system or this control system, that means this as a firewall rule,"
>> right? And so now the business, they just get to manage this basically English policy.
>> Mhm.
>> Is that where you guys are? Is that where you guys are going? Is that how you're thinking about this?
>> Yeah, it is. It is where we're going.
And how we're thinking about it is as you describe, because the thing that's not said there is actually there is no access until that policy is applied at those control layers, and only then is the network visible. So yeah, as you described, you eloquently put it around the application of all of those controls at scale, but the effect is there's no access anywhere until you fit into that policy. And that's the approach we're taking.
>> Default deny.
>> Default deny. Yeah, and the extension is block everything and only specifically allow things that we know are good for a period of time, a small window, all that sort of stuff, as opposed to default deny but allow web and SSH and IKE through and let's just hope that they're fine. You just can't do that anymore. But I love that future way of thinking about it, which is human policy-driven controls across all languages, all layers, and the net effect is there's no access until you've proven you're appropriate. And as soon as that access is deemed inappropriate, because that machine does something weird or the user's being terminated or whatever, you need a removal of that access instantly across the whole environment. That's the holy grail.
>> No, I love this. The more I'm thinking about this, the more I love it. Let's get absolutely crazy here for a second,
>> because you know what else is also a policy? Who can use what ChatGPT application? What type of data can go in and out of a system?
>> So if you think about this, we're actually talking about a universal security policy, which you also have like a business policy. Guess what that means? This type of data doesn't go to that continent. Translated, we don't host this type of customer in this type of AWS region. It's all statements and policies and rules at the end of the day, across all these different stacks.
So it's like, now that you have this foundation, and it's built into what you guys do, this could translate into, yeah, and here's the new extension of the policy for AI use. Here's the new extension of the policy for data governance for different continents.
>> Yeah. And getting down to that data layer, that is then the challenge, but it's still the same mechanism, as you say.
>> It is. Yeah.
>> This data can't move in or out unless these things are in order. So it's really the same model applied down at the data layer, and particularly outbound. Any movement at all has to be opened up before it can shift.
>> I'm in love with this. It is like the port knocking concept because it's so clean and fundamental. It's fundamental to so many other things. First of all, fundamental is default deny, which is classic security.
>> Yeah.
>> And then the question is just how can you translate your English policy, knowing the specific schema and protocol of that control mechanism, into the rules, and then it's a matter of just monitoring what current state is versus desired state and just keep making these tweaks.
>> Yeah.
>> Yeah, very cool. I just love this stuff. I love the fact that it is a modern application of proven principles that we've had for 25 years, maybe longer, in security.
>> Yeah, it's the foundational thing. I sort of joke and say it's boring, you know, the fact that you can turn everything off and just allow it through. It's pretty boring.
It's always constantly moving, and so it's like, the door is closed, you knock politely, you prove to the bouncer that you should be there, and then the door is open and you go through. It's very foundational, and then when we start to look at IPv6 and all those things, it just transitions beautifully, because it's the same foundational protocols with traditional security thinking applied to it, but in a modern world. So you know what's crazy is, it is boring. And you know what else is boring? Sleep, diet, and exercise.
>> That's right.
>> Turns out it saves you.
>> It's required. Yeah, it's mandatory. But yeah, very effective. Sleep is effective.
>> Well, if you get good sleep and good diet and good exercise, suddenly things start to fall into place, right? I mean, doing fundamentals well, it's amazing. So what are you guys excited about? What new features are coming out? Are you guys going to be around RSA in a couple of weeks, or
>> Yeah, we'll be out at RSA. We're actually doing a number of conferences. So it'll be, obviously, Black Hat and a couple of others around RSA, trying to get to BSides on the Saturday, Sunday. What are we excited about? I guess we're getting into really interesting places with customers. The HP-UX and Solaris SPARC clients, or orchestration agents, is an example of getting the technology into places that are hard. It's not talking to Amazon, it's not talking to simple things. It's mechanical space, it's ICS/OT environments, it's where things are hard, and we love that we can get in there and solve those problems, because as you said, it's foundational, it just works. It's really just applying it to those different environments. That's what we're excited about at the moment, because we're seeing how effective it is.
You know, when there are all these recent events of edge devices being compromised constantly and we see a customer just remove that, we actually feel good about that, you know, we feel good about
>> Well, tell me how customers are doing it. Can you remember anyone going, "Holy crap, I sleep better because of this. I got to take nine different services or 900 different services offline, and now it's all managed through this"?
>> Yeah, there are two moments. There's the aha moment where the firewall engineer or the CISO goes, "I can see where this will fit in." And then there's the firewall architecture people that go, "Ah, yeah, okay." So I had that aha moment, and then the best thing is, three or six months later, a customer will come to us and say, "Oh, you know that vulnerability in XYZ product that went around? Thank you, because we weren't affected. We had that thing on the internet, and the vulnerability went around, and we had three or four days to get our patches in order. We didn't have to panic. So thank you." That's cool.
>> Oh, that's tremendous. Yeah. So I'm trying to come up with a list of these services. Lots of VPN services, lots of stuff exposed by these firewall public-facing sides, but probably a lot of people just have stuff. People aren't in an ideal config, so they probably have a lot of stuff that's just kind of on the internet because that's just how it got launched, and it's hard to change it. So they have the opportunity of reducing that technical debt by pulling that behind. Do you see that a decent amount?
>> Yeah, definitely. There's remote access, file transfer, those things. But the other big one is development and test environments.
>> Yeah.
>> Everyone wants to have things on the network, have things that they can just move quickly, the move fast and break things, but they have whole test environments in AWS or whatever it is. Often those systems are in debug mode. So you attack a pre-production application that's in a test environment and it spews out error messages which are super helpful to an attacker. Well, they can just put all of that gear, whole subnets in AWS or whatever it is, behind a Knocknoc process. So only staff, or offshore testing teams or whatever, only they can see it. And that's a big one. They just hide whole subnets, not just the production remote access or VPN or file transfer, but these whole test environments where they can spin up the crazy, you know, claw body stuff and not have it immediately visible to the entire internet. So that's another use case we didn't initially think of, but where people are applying it.
>> Yeah, I didn't think of that one either. That is a huge one. So let me ask you this, because I'm imagining I'm an engineer. I have the ability to use this system. I've been trusted with the rights. So I come in and I say, is there a bot that I can talk to that actually speaks the backend protocol and understands what I'm saying and can recommend rule configurations or something like that? Because it would be super useful if I logged into the system and I'm like, this is my Tokyo apartment.
This is my San Francisco apartment, and here's the dev environment behind, you know, it's kind of publicly facing but we took it off, and me and my entire team need to get access to that, and here are all the people, here are all their IP addresses. Could it just go make the rules based on that?
>> Not yet. I love the future thinking, but we're still in the stage of, people are using a lot of attack surface mapping tools, lots of scanning, but it's usually a whiteboard session. It's like, "Okay, what have you got that's exposed that you know about from all your scanning tools? What are the highest priority things you want to solve first?" And then they have that aha moment. They're like, "You know what? Tokyo apartment, that thing doesn't need to be on the internet. It only needs to be accessible to these five people. And that's where I store all my gold. Let's fix that thing first." So then they start to look at it and say, "What controls do we have in place? What's the best way to take that Tokyo apartment off the network?" And so it is a human-led process at the moment. But yeah, I love the idea of actually consuming those controls in and then saying, what's my exposure? What's the most effective way to fix this? And then set it up for that. Yeah, I guess that makes sense, because these are critical controls. So you don't want too much vibey stuff going on, because then the AI could be like, "Oh, well, let me just add, just in case, let me add some extra access, or let's just make that a class B, because these are kind of restrictive." You know, it makes sense. So there's more controls there. But yeah, I'm just trying to think about this translation between the human policy and the actual implementation in the form of rule syntax.
>> Yeah.
Well, we've been toying with consuming existing standing rules. Map out red, amber, green. This is publicly accessible, that's in the red category. This we're not really sure. This is green, it's restrictive. Okay, let's focus on the red. You've got IKE open to the entire world. Let's look at that. So I think we're thinking about using modern practice to pick that up and highlight that. But then, as you say, going and making change in those underlying systems, we want to be mechanical and boring and very human-led. I guess because, as a former firewall engineer, if something is just randomly adding and removing rules, that's just an absolute disaster. It comes back to how we do things. We always try and aim for least privilege. We always try and manage IP addresses or tokens, as opposed to the rule, as opposed to the policy. And we never want to have admin on a firewall. That's our worst-case scenario. We always want to be as small and as precise as possible and predictable, because, as you say, you're one /8 instead of a /32 away from a major problem. It's the old adage of, oh, we couldn't get it to work, so I just put an allow any-any in the rule set
>> and that's there, no one's going to remove that, because it's hard, right? What's going to turn off when you go and remove that one rule? No one wants to do that. So it's a hard problem, and we always try and start as finite and as precise as possible.
>> That's absolutely the right answer.
>> I love your idea about the request-permission policy view of the world, right? Where you get nowhere until you've been through these: is it right for the organization, and then the translation down to the control layer at the bottom end. It's a great future way to think about it.
Well, because you want people to be able to request, you know, the hole pokes, right, through the thing, and they don't understand Fortinet versus Palo Alto. So they just want to say, when I'm at my apartment, I need to be able to get to these dev environments,
>> right?
>> So what does my apartment mean? What does dev environments mean? That requires context from the org. Then it requires that it speaks the rule language of the receiving device, and then the translation is made, and then I think the final magic sauce there is the human-in-the-loop approval process that goes through four different people or whatever. I was in credit card processing,
>> right?
>> So it was like 10 NATs in both directions, destination NAT, source NAT at every single translation, and half the org was auditors, right? Because it's all finance, right? So any firewall change, we had FireMon, any firewall change was scrutinized massively. I love the way you answered, because you can't vibe this. You can't be like, "Yeah, whatever." Well, why did you make that? And your boss had to sign off, and their boss had to sign off, or whatever.
>> Yeah. Multi. Yeah. And that's the other thing, is once that's in place, it's never coming out.
>> So over time the hole pokes end up being plenty
>> and no longer appropriate. So you think of current state and desired state. A lot of that is also removing access. The one thing with Knocknoc is people are like, "Oh, yeah, okay, so this punches holes dynamically based on our identity. It glues the identity into the network, opens up stuff," and it's like, yes, but also it removes it,
>> because that's the most important part. The ideal state is nothing can traverse at all, ever, except for when a human's proven themselves, etc. Only then does it go through. So that removal process is a major piece of the puzzle.
Oh, that's actually another cool idea is what about the agents themselves need to not your agents but in general there's going to be hundreds of thousands of agents on every network doing stuff. >> Yeah. >> Um guess what that's identity management, that's access control. Once again, policy can be translated to this layer of this type of agent doing this type of role can do these types of things but no more. >> That's it. >> And it must be audited in this way. Guess what? That's also an English policy >> which ultimately this is the same idea. >> Exactly. And tying it to the network, tying it to access and to your point tying it to data. >> So why can that data go in or out? It doesn't fit the policy and yeah the whole agentic future where there's hundreds of thousands of these things crawling across an internal network all of the time it's impossible to respond to that. What does bad look like? You have to shift to the preventative approach this agent can't go anywhere until it's you know proven it should and then what data can move or data can move around uh or not you have to shift to preventing cuz if you try and respond and react to that you're going to need clusters of machines just to do the SecOps uh after the act. It's just not going to work. >> Yeah. Well, I hope to see you uh at RSA and then again in uh in the summertime. But um anything else you want to mention? How can people find out uh about the product and the site? >> Yeah, so it's knock, which is knc.io. There's a single free uh DIY home user license. You can get download, play with it. Love the feedback on the product. You can spin up a cloud thing to kind of shortcut that. But we are very much about on premise. So, you know, spin it up in a lab, play with it, and uh yeah, people will find it super effective and then take it to work and, you know, remove the attack surface. 
But yeah, out at RSA, if you see me or any of the team wearing a shirt, please stop and say hello. And >> Awesome. Well, it was a great chat. Um, thanks for coming on. >> Great. Thanks, Dan. All right, take care.
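The red/amber/green triage of standing firewall rules that Adam describes (IKE open to the entire world in red, a /8 where a /32 would do, the leftover allow any/any) can be automated as a first-pass audit. The following is an added example and is not KnocKnoc code or anything from the interview: the rule format, the list of sensitive ports and the colour thresholds are assumptions, and the sample ruleset is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # source CIDR the rule allows traffic from
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None means "any port"


# Ports that should never be reachable pre-authentication from the whole
# internet. Assumed list for this example: IKE, IKE NAT-T, SSH, RDP, SMB.
SENSITIVE_PORTS = {500, 4500, 22, 3389, 445}


def triage(rule: Rule) -> str:
    """Return 'red', 'amber' or 'green' for one standing allow rule."""
    net = ipaddress.ip_network(rule.src, strict=False)
    from_anywhere = net.prefixlen == 0        # 0.0.0.0/0 or ::/0
    broad_source = net.prefixlen < 24         # wider than a /24
    any_port = rule.dst_port is None or rule.proto == "any"
    sensitive = rule.dst_port in SENSITIVE_PORTS
    if from_anywhere and (any_port or sensitive):
        return "red"     # IKE open to the world, or allow any/any
    if from_anywhere or (broad_source and (any_port or sensitive)):
        return "amber"   # public service, or a /8 where a /32 would do
    if not broad_source and not any_port:
        return "green"   # tight source, single port
    return "amber"


def triage_ruleset(rules):
    """Group rule names by colour so the red bucket gets reviewed first."""
    buckets = {"red": [], "amber": [], "green": []}
    for r in rules:
        buckets[triage(r)].append(r.name)
    return buckets


# Constructed sample ruleset, not taken from any real firewall.
SAMPLE_RULES = [
    Rule("ike-in", "0.0.0.0/0", "udp", 500),
    Rule("allow-any-any", "0.0.0.0/0", "any", None),
    Rule("public-web", "0.0.0.0/0", "tcp", 443),
    Rule("partner-ssh", "10.0.0.0/8", "tcp", 22),
    Rule("admin-ssh", "192.0.2.10/32", "tcp", 22),
    Rule("office-to-dev", "198.51.100.0/24", "tcp", 8443),
]

if __name__ == "__main__":
    for colour, names in triage_ruleset(SAMPLE_RULES).items():
        print(f"{colour:5s} {', '.join(names) or '-'}")
```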
Video description
Check out KnocKnoc here: https://ul.live/knocknoc_yt
In this episode of Unsupervised Learning, I sit down with Adam to discuss Knock-Knock, a platform created to solve just-in-time network access and drastically reduce attack surfaces. Join us as we explore how hiding services behind pre-authentication modernizes default-deny security policies and keeps your infrastructure completely invisible to attackers until trust is proven.
What we talk about:
- The Evolution of Port Knocking: How Knock-Knock was born out of traditional port knocking and evolved to completely hide network services, eliminating pre-authentication attack surfaces.
- Security vs. Obscurity: A deep dive into the "security through obscurity" debate and how hiding the mechanism while requiring a specific "key" drastically increases the cost, effort, and time required for attackers to map a network.
- Real-World Infrastructure Shielding: Practical use cases for the platform, from protecting frequently targeted services like Citrix from zero-day exploits to completely cloaking cloud development and test environments from the public internet.
- Self-Defending Endpoints at Scale: Expanding just-in-time access controls beyond edge firewalls directly to host machines, including Linux, Windows, and even legacy systems like HP-UX and Solaris SPARC.
- The Future of Universal Policy: How this foundational default-deny approach paves the way for universal security policies, translating human-readable business rules into strict access controls across all network levels and data layers.
00:00 - Introduction
01:54 - How vulnerability data is delivered directly into developer workflows
05:02 - The underlying technology combining AI and static analysis
07:02 - Real-world workflow examples using the Log4j vulnerability
09:53 - Securing legacy containers and managing golden images
17:42 - Applying context and guardrails to autonomous AI coding agents
26:00 - The future of automated security and the evolution of test-driven development
29:27 - Upcoming events and where to find more information about Endor Labs
Subscribe to the newsletter at: https://danielmiessler.com/subscribe
Join the UL community at: https://danielmiessler.com/upgrade
Follow on X: https://x.com/danielmiessler
Follow on LinkedIn: https://www.linkedin.com/in/danielmiessler/