Network Segmentation: Increase Security and Focus on Compliance

Listen to learn how network segmentation can support your compliance and security efforts.

SecurityMetrics Podcast | 38

"With network segmentation, we really are looking for isolation. We want to get that 'thing' and put it into a safety deposit box where you have secure access to it. Nobody else has physical or logical access to it. That's really what we are trying to do with segmentation."

Network segmentation is often used to reduce the scope of a PCI DSS compliance assessment, but it is even more important as a security strategy for your environment.

Chris Skarda (PCI DSS QSA, CISSP, CISA, CCNA) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss how network segmentation can support your compliance and security efforts.

Listen to learn:

  • What “network segmentation” means
  • How network segmentation can reduce the scope of your compliance assessment
  • Why network segmentation can improve your security stance

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Network Segmentation: Increase Security and Focus on Compliance

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone, and I am one of the principal security analysts here at SecurityMetrics. Today, I have a super interesting conversation with, one of my fellow auditors here at SecurityMetrics. His name is, Chris Skarda. And, we're gonna talk to you about networking, but the kind of networking that kind of increases your security, reduces your risks. So we're gonna be talking about network segmentation.


A lot of times, organizations will say to me, hey. How do I take this compliance piece and make it smaller? Network segmentation. How do I reduce risk for, sensitive data in one area where, maybe a riskier part of the network is in another area?


Network segmentation. So these are the topics for today. Chris, welcome. Thank you.


Thank you very much.


Happy to be here.


Oh, so so glad that you're here. So, Chris, I asked for a bio and he's he gave me well, I have these certifications. So I'm gonna tell you what they are. So he is one of our QSAs for so that's a PCI DSS thing.


He has a CISSP and a CISA.


Past certifications include Cisco CCNA routing and switching and Cisco CCNA security. I think that means, you know, like, networking and stuff.


I know some networking stuff.


Yeah. So tell me, what what is like, before you came to SecurityMetrics, what's your networking background?


Yeah. That's a good question. So, my first job that really involved a lot of networking was actually with DigiCert.


DigiCert was a very unique experience.


I was hired fresh out of college. And when I went in for my interview, I met with the founder of DigiCert, and he had me in an office that was totally blank. Nothing on the walls. Nothing on the desks. It was empty. And, he basically told me that he had been running the company from his mother-in-law's basement.


This is nice. Not an exaggeration.


Oh yeah. This is a job I'm taking.


And he's, and I'm, I'm just thinking, am I get, am I gonna get paid?


Yeah.


And, the first day he kind of showed me the ropes, showed me how to handle it. I was doing customer support for him.


Oh, okay.


And so, anyway, he showed me the ropes, showed me how to do things. And, then he went on a trip to Canada for two weeks.


So you got to take care of customers for Yeah.


So I was kind of thrown in the deep end, and it was actually a great experience.


I learned a lot about security, about networking.


Digital certificates, obviously, was the focus. And the company grew, and it grew fast. So it went from being run from the founder's mother-in-law's basement to being sold for about, well, a substantial amount of money. Put it that way, about nine years after I was hired.


I think everybody has at least heard of DigiCert. It's a it's a pretty significant force in that, area of our industry.


Absolutely. And as the company grew, my role evolved a lot. At the beginning, if you've been in a small company, you kind of understand that in a small company, you have to wear a lot of hats. Right? The the CEO is also the janitor. Right? And, when you are doing customer support, that also means that there's a good chance if you know how to do some web development, you're gonna be doing a little bit of web development.


That sounds familiar. I think I might have done that when I was on help desk. I know I did that. Yeah.


Yeah. So, and I was involved with the with, a little bit of the network configuration and and getting things set up that way. It helped get a voice over IP phone system in place. And so, anyway, that's where I got a lot of my, networking experience. Actually, back in high school, if I go back that far, I had an internship with with Novell.


Oh, nice.


That was a fantastic experience. I worked in the SuperLab, had about fifteen hundred computers.


Okay.


I actually got my certified network engineer certification back then.


I didn't put that on the list because it's so old, but that was actually a really good experience too.


After DigiCert, I was a director of operations for Mountain West Telecom, and that's where I got my Cisco certifications, which let me tell you, if you've ever heard of Cisco certifications being easy, that's probably because people cheated their way through them.


I've never heard of them being easy.


They are not.


They're not. So if people think they are, then they're the only way.


Is it because they cheated?


If people brain dump them, then then that can be easy. But if you actually learn the material and understand it well enough to pass the test, those people really understand networking very well. Even at even at the CCNA level, there's higher levels, CCNP, CCIE Mhmm. For example.


Those people are really masters.


Yeah. You know, I and I know that this is about I know this is about networking, but just as a side note, a lot of people come to me and ask, how do I get into security? Because you make it sound so cool. And it is.


This is the coolest job. If you can do this job, do this job. But they're like, how do I do it? And the answer is, sure.


Get certification. Sure. Get education.


But if you can start in a small company Yeah.


That lets you hands on everything, it's going to be pretty massive.


Yeah. Yeah. That's the kind of experience. I always used to think, especially in college, that working for a big company was like the grand, you know, the grand goal. Yeah. But, honestly, I really, really like working for small companies.


Yeah. You learn so much.


You do. Right? And you get you have so much more influence Mhmm.


On the company, its direction Yeah.


And, and where it goes.


Right. Where if you're in a big company, you really get slotted into. You are sysadmin, two, and that those jobs are these certain things, and you're only allowed to do those things. So even if an interesting question comes along, you're not allowed to figure it out.


Yeah. Your your realm of influence and, responsibility is so much smaller.


And, anyway, I I really like working for a small company.


Yeah. Yeah. I I too, came through that direction starting on a help desk and then going through all of these different levels of, well, now that you know this, I guess, you can be that. And then if you can figure this out, you can do that.


And, oh, by the way, can you also do the website?


Which website has nothing to do with really the operational side of things. Yeah. Exactly. It was fun. I enjoyed that.


So okay. So now that we've kind of got to know, what what you what your background is, I would like to talk about network segmentation. We have, people who are listening who who don't know what that means and except for, you know, listening to the words you can kind of figure it out. But maybe you can do a little rundown on what is network segmentation.


Yeah. So let me give kind of well, first of all, network segmentation from a PCI DSS kind of standpoint is isolation. Yeah. So that's that's a good word to keep in mind when you think of segmentation.


It's kind of same meaning.


And I'm glad you pointed that out because, when I first started in the PCI DSS world specifically, I had to get that in my head because segmentation can mean so many different things Yeah. Depending on where you are Exactly.


In in the in the IT security world. Segmentation applies to a lot of stuff. But the idea that it is isolation in PCI really helps drive what is the security benefit of network segmentation. So go ahead. What is network segmentation?


Well, let me give kind of a, a hypothetical example. Okay. Right? So this is this is more of a real world example.


But say you have some a really valuable asset, like, for example, you you won the lottery, you got your lottery ticket. Right? And you don't want anybody else to be able to impact the security of that. It's very valuable to you.


There's different ways you could handle that. Right? You could put it in you could lock it in your car and leave it out, you know, in a parking lot overnight.


Mhmm.


Well, you know, that's Probably not advisable.


Yeah. You could say, you know, you could play the game of, well, my doors are locked, but the reality is anyone with a crowbar might have access to that. Right? And so, with segmentation, we really want to isolate that.


We want to get that thing and put it in a safe deposit box, right, where where you have secure access to it. Nobody has physical or logical access to it. And that's really what we're trying to do with segmentation. It's also important to note that segmentation isn't really a requirement of the PCI DSS.


If you really want all of your network to be in scope, you can do that. Yeah. It's a really bad decision. Don't do that.


I agree. Even if you use and some people do. And and I I actually advise it in some cases.


Even if you use the PCI DSS standard Uh-huh.


As a way to, implement security your security program.


Yeah. Absolutely.


And you can do that. You don't wanna be like, well, I'm not gonna protect this section at all.


But even if you do that, you wanna have a section that is under scrutiny of your QSA. That's your segmented your your the the piece that you take and really look at for PCI rather than these unrelated bits.


Yeah. Exactly. So unless you want, you know, your QSA to have to review things like your printers and your, could be your voice phones, you know, your network phones, or, all your various different components that you would have on your network, it really doesn't make sense to do that. Right. And it costs a lot of time, it takes a lot of effort, and the, the resources it takes to, you know, maintain the PCI DSS requirements on all of the devices throughout your network are very expensive.


Right.


Right. And, frankly, most network engineers, most system administrators don't have the, patience for it. Right. Right? So if you wanna keep your staff, it's a good idea to limit how many devices really need all of those, all of those standards maintained on them.


Right. And and some of them do and some of them need some of the requirements.


But it kind of comes down to a risk assessment of your different Mhmm. Portions of your network. So let's say you have the portion that, is related to PCI.


Yeah.


Mhmm. And so, of course, it has to be applied there. But then let's say that you have other systems that in no way touch either credit card data or, any other sensitive data. Mhmm.


But you can't do business with business without them. So I had a customer who, or I heard of a customer, I should say, who, had a section that was PCI related and then everything else was not. And they had kinda loose security controls over the not, but pretty tight ones over the PCI. Mhmm.


They were hit by ransomware.


Yeah.


It did not touch their PCI environment, but it shut them down from doing business in other places that were important for being able to do business.


Yeah.


So so in in the when you look at, well, how would you apply PCI controls to this broader base, or how did how would you apply any security controls to the broader base? Well, what types of things are going to limit your ability to do business if you don't have those types of security controls like malware protection.


Yeah.


Right? So you can say we have, malware protection on everything, the PCI and the non PCI.


But do you really need the type of intensive logging, monitoring, and alerting Yeah. On the broader piece that you do on your on your very sensitive piece Yeah.


Probably not.


Probably not. And you probably want a little bit more flexibility on what applications can be installed on, you know, maybe employee workstations or, you know, if somebody wants to be able to have a little bit of flexibility on what they can install on their workstation, you know, having that outside of your CDE really helps your cardholder data environment. But, yeah, I absolutely one hundred percent agree that, first of all, the PCI DSS standard is basically industry standards. Right? It's industry security standards.


Yeah.


And the ideal situation is if you could implement all of it on all of your devices, that gives you the strongest security stance possible. Right?


But, yeah, it makes sense for most organizations to do segmentation just because it really reduced the cost of how many devices they're required to maintain those Mhmm. All of those various different controls on, and it helps reduce the cost of things like their, you know, penetration tests or assessments. So, yeah, it's a balance.


Yeah.


Well, part of, an assessment is always that, going to visit the physical places Yep.


And evaluate that. So if you have a lot of physical locations and, and you haven't segmented, the your assessor has to go to a sample of those locations.


Right.


Right? So and and, basically, that sample is going to be anything that's different.


So if you don't have consistency, they have to go see more.


Yes.


If you have a lot, you're gonna see, I think that that the rule of thumb is, like, ten percent. Uh-huh. But sometimes it's more than that. So if you only have five locations, you might get to see two, which is more than ten percent. Right? Sure. And so if you start adding up what is the cost of sending someone to visit these locations and verify, the security as required by PCI, that's a very different thing than if you have if you really focus that time and attention towards your PCI scope and then you have flexibility.


Yeah.


Right? Yep. It's not that you don't wanna maybe send a third party assessor out to these other places.


Yeah.


But you might do it at your own convenience or, or in thing in ways that maybe support, the business drivers in a better way.


Yeah. Exactly.


Right?


Yep. And they can do it more according based on their own risk and their own risk assessment.


Right. Also, if it's, if there's a location in Singapore, I think, I mean, that's always required. So.


You know, I've never made a trip to Singapore. You seem to do it all the time.


I don't. I've been for three years now, but, I've been there three times. And all three times, I just thought this is it's gorgeous. Right? So one of the fortunate things when you are an assessor is that if you're smart as an assessor, you actually go and see interesting places when you travel. Because if you don't, then the travel really is exhausting.


Yeah.


And then it's just travel, travel, travel, places that you don't get to enjoy the value of what what you see.


Yeah. That's so true.


So I try and and bring that kind of that work life balance Yeah.


While I'm working.


Then you get to enjoy it a little bit, and it gives a little bit more, I don't know, variety to your experience.


Yeah. Exactly. Exactly. So we've talked about how common that is in PCI, and it is, as well, I think, for a lot of the, like, HIPAA.


HIPAA has some very specific rules.


Mhmm.


And and so segmentation is super useful there.


Yeah.


Whatever you're talking about, I think, regulations or or compliance, segmentation is going to help as long as you think of it in in terms of isolation. So I want you to expand on that in a little bit more what what isolation means in terms of traffic Yeah.


Communication. Good. Yeah. Yeah. So, basically, with, segmentation, segmentation refers to, basically, your ability to see or otherwise impact the security of something.


So, if something is in a locked area, you don't have any access to see it, you can't, impact the security of it in any way, shape, or form. That's basically your goal with with segmentation. So from a networking standpoint, if you have devices that all share the same network and they have the ability to communicate, with other devices on the same network, well, they're they're clearly not segmented.


However, if you have and the most common method for implementing segmentation in a PCI environment would be you have all of your devices that handle, cardholder data or can impact the security of cardholder data, and you segment them off. You give them, dedicated networks where they, can't be reached from out of scope devices.


And, basically, the assumption you have to make is the things that we don't have the PCI DSS, standards and and requirements applied to, let's just assume those are gonna get compromised because they could. Right?


And so if they were to get compromised, is there a chance that they could impact the security of your cardholder data environment, your servers, web servers, databases, Mhmm.


Networking devices, things like routers, firewalls?


All of those, factors need to be considered because, that that's a very real possibility. And when you look at companies, large companies, and, if you just watch the news, you'll see a lot of organizations that get compromised all the time, and generally, that's the way how it happens. Right. Right? So they first will go to the devices that are the least secure and compromise those, get root access to them, administrative control where they can leverage that position to gain access to maybe devices, privileged access to servers that are deeper in the network. And, so the goal of segmentation is to make it so those critical devices that are handling cardholder data, or other sensitive assets, are blocked off and, and can't be accessed from devices that may not have all the PCI DSS requirements, applied.


Right. Right. And and so sometimes it feels like this is like a big old mystery. Yeah.


You know, what is what is this communication, and what is the segmentation, and how do these things happen? But it's not. No. It's not a mystery.


There we we have scanning tools Mhmm. That are readily available that will tell you, is there any externally available port Yes. Available in this network that we can go, hey. I see a doorway.


Mhmm. Right? And then you can use things like, compromised, account Mhmm. Information. So if you have username and password that somehow you get someone to talk someone into giving you or, brute force attacks where there's a whole list of bad passwords out there.


So if you happen to have a username, which you can get from usually an email address Mhmm.


If you have a username and then a whole list of passwords, you can put it against that port.


And if it's not properly secured, suddenly, hey. Welcome on in because you seem like the that you have access. Right?


Exactly.


And so a lot of times, that is easy on an like, an unsecured network, a network where, well, we're not gonna put multifactor on this network because it's not as important. Mhmm.


But but if that network can talk to this network that is important Yep.


There's there's your doorway.


That's right. Magic access. Right?


You're right. Exactly. So it's it it is conceptually, it can sound a little bit, confusing or or mysterious to people who aren't familiar. Mhmm. But it's the tools are out there.


Yeah. It's actually really, you know, intuitive. If you can see it, if you can impact the security of it, then you are a risk to it. Right? And so the idea is you wanna eliminate as many risks to your to your cardholder data environment networks as possible.


Right.


And the way how you eliminate those risks, well, if you can't see it, if you can't have any ability to impact security of it, then it's not a risk. And that's really why your scope gets reduced when you have, segmentation, true segmentation in place. And, sometimes, you know, you'll have network changes that happen.


You'll have systems that become obsolete, systems that get taken out of production, new systems that go into production. And so it's important that you whenever you have significant changes like that, you verify that no negative impacts, have occurred as a result of those changes.


Right.


So, service providers, for example, are required to verify that they, that their segmentation is effective at least twice a year Mhmm.


Where your average merchant, is only required to do it once a year. And regardless of whether it's a service provider or a merchant, they have to, perform those tests again after a significant change for just that reason. Right.


And what would a significant change be?


Yeah. That's a good question.


So a significant change would be, I would say, adding, like, a a new configuration to to your production environment, whether that be, like, a web server configuration, certainly things like changing out your firewall Mhmm.


Making significant firewall changes. Those those types of of changes certainly would warrant, retesting.


Right. Anytime you add, an externally available IP address.


Uh-huh.


So I I'm glad that you mentioned web servers because a lot of times, I'll talk to people who are like, oh, nothing changed, but we did add this. You know, you can now pay online.


Like that.


Well, seems pretty minor. Yeah. Let's ignore that.


That was sarcasm.


Don't ignore that.


So I I wanna talk about, something that's been in the news, and I've mentioned them before on the show. And and I, like, kinda feel bad beating up on them. But it's because we all kind of know the name, the Colonial Pipeline.


Uh-huh. Yep.


And and so I was really interested in in how can something that is that is this critical to the livelihoods, and and health and well-being of people. You know, energy is really important for everyday functioning.


Yeah.


So we have the Colonial Pipeline went down for ransomware attacks. It was a massive, intrusion onto people's lives.


And you gotta wonder why it happened. So I started digging, and I still haven't gotten all of the answers on how that happened. But one of the things we know is that business network shared space with the operational network. So can you speak to the kind of the difference between what a business network should look like and what an operational network should look like and why the twain should not meet?


Yeah. That's a good question. So and this would this would be the case for really any any environment where you have different roles, different responsibilities, and different security levels, right? So you may have, you know, people in your organization that have very important roles, but don't necessarily need access to all the various different systems.


If when those access controls are implemented, that's not taken into account, then people have access to things they really shouldn't. Like I say, we don't know all of the details of that particular compromise that happened, but generally speaking, and I would almost guarantee that it happened in this case, you never know, but there's probably people that had access to things, systems that had access to systems that didn't really need it. Yeah. Right? And so, because of that, there's risk that was exposed.


Right.


And so that's part of the challenge. And it's not always easy, you know, to go through all your systems and say, Okay, for this particular system, what does it need access to and what does it really not need access to? And sometimes it can be a little bit of a power trip thing for some people saying, I need access to everything. Yep.


No. No. You don't. Right?


And Well and we see this often, especially with senior management Yep.


Where they think they need access, but they have their their job has nothing to do with that access.


Yeah. And it's a little bit of a tough situation. Sometimes it can be for network administrators or system administrators to say, look. Your job is very important, but you don't need access to this.


Okay. Let's be honest. Not all IT people have that kind of tact that was you delivered that so well.


Yeah. So this is one of the values, honestly, that I see often with, my clients. Right?


So we go through an assessment and they can actually use an opportunity like an assessment to go to management and say, look, you're very important, but the assessor says you don't need access to this.


Right? And so if you if you know how to leverage these things properly, it gives you an opportunity to improve your security stance that you may not otherwise have.


I that's actually one of my leading questions with some of the groups that are brand new, brand new customers. I'll say, can you tell me, how you're hoping to use this, report on whatever compliance assessment is? And usually, they'll say, well, we have to do it. And then I'll say, alright. From a security standpoint, what do you know is not being done that so we can make sure we address that upfront?


Yeah.


And and their eyes just like, like, oh oh, there's this problem. I've been trying to take care of him. Nobody will listen to me. Do you think this is a problem? And I'll listen and almost always, I'll say, oh, yeah. Yeah.


Not just a problem.


It's probably a big deal. You're gonna are you getting breached right now? Yeah.


So, a lot of times we can use, that to be able to help communicate the level of risk Yeah.


To the seniors.


Sometimes I'll talk to to groups that think that there's a problem because they don't really understand the full implications or other things that are in place, and then I can help them understand me how the whole system works Yeah.


And why it might not be the risk that they think it is.


Mhmm.


And so so I'm not always gonna come down on the side of the IT guys, but a lot of times I will because they know their systems really well.


They do.


So I I I don't know how this Colonial Pipeline attack actually worked, but I'll tell you how. If I were the bad guy Uh-huh. Let me tell you how I did.


Okay.


Just as a as a thought exercise.


You tell me if this is crazy.


So let's say the receptionist sometimes had to do work, involving the operational side by sending a report or or getting some information off of a server in the operational side for the CEO and had full access because the IT guys are like, no. We're overworked and underpaid or whatever. I don't know what they got paid. But Yeah.


Right. Okay. We're just gonna give you full access because we don't wanna figure out the granularity of access you need. So here is this person sitting in the middle that has access to everything.


Right? Right. Let's say that the receptionist one day gets an email that says, your your taxes are being audited in order to prevent this audit from going forward. Click here for more information.


Right? Because that's something taxes kinda freak us all out.


Right? Sure.


That gets her gets her all worked up. Well, I need to find out what's going on. Clicks on the thing. That click brings malware into her system.


She suddenly has downloaded all. So here she is, and maybe it's a he. I don't know. But when I was receptionist I can see this happening in some of the situations that I was in back when I was, young and uninformed and and didn't know everything.


Right? Mhmm.


Not that I know everything now. But he so so she's sitting there downloading something, thinking she's doing the right thing. Malware's on her system. Suddenly, somebody has a keystroke logger.


Somebody gets her password because of that, gets gets access to her login Yeah.


Because they know because she clicked on this thing. Right?


Sure.


So now they've got her, login information, and they can log in to her system from, remote and get to all the places that she can get to.


That's all it takes.


That's all it takes. Now we're gonna deliver that malware onto the the operational systems because it wasn't segmented from the business side of things. Bam. You're locked down.


Yep. And that gives that attacker that next level of access that they need to get in, you know, either even deeper into, you know, your systems and organization. Right. And that's what they do.


That's the game they play. Right? And so the goal should be to stop them as early as possible and as strictly as possible so that, because game, the reality is security is always, kind of a game of cat and mouse. Right?


And the attackers generally go after the low hanging fruit. That's just how it is.


Yeah.


So if you make your systems difficult enough to get into Mhmm. You add enough security controls, they're gonna go look for something else. Right. Right? Because they're just like me. I don't have patience for that.


Right.


You know, I'll go find something that's an easier target. Not that I attack systems, but you know what? Oh, yeah. We're all lazy.


Right? We all have the same kind of mentality where, Hey, well, I'm going to go do the easiest thing to meet the objective that I'm trying to meet. Right? And so that's, that's one of the secrets of security is you can't have low hanging fruit that's valuable.


Right. You need to get all of those assets that are high risks and put them deep enough, high enough up on the tree Mhmm. That that attacker is gonna have to waste months, years, decades of his time to even try to get to it. Yeah.


So he just goes somewhere else.


He's gonna go to a different tree.


That's right. Go find another tree.


This has been absolutely delightful. Thank you for for sharing this time with me. Is there anything else that you can think of people should maybe know about network segmentation?


Or Well, keep in mind that it can be implemented various different ways.


Right? So the common way that we talked about is with firewalls. Right? But it can also be done with things with, more advanced network configuration, so, like, network access control. Right.


Things like, routers. Right? So routers have access control lists the same way that firewalls do. We also have current technologies that people are migrating to, things like, virtualized environments, like Amazon security groups.


Mhmm. So those types of controls meet the same objectives. Right? And so when you're preparing for your assessment, make sure you keep that in mind.


And if you have questions about it, reach out to your assessor.


Mhmm.


We're here to help. We're actually anxious to help you, especially early on so that we don't have to go back and change a bunch of stuff. It's always easier to change stuff early on. So if you are trying to put together a new network configuration and trying to decide, okay, what's the best way that we can do this that gives us efficient, scope reduction?


Right.


Reach out to your assessor, and they'll give you, some pointers. Right? And if you have questions about whether or not a particular control that you're planning on using qualifies for scope reduction, they'll be able to help you with that. Yeah.


We're not allowed to do the actual work of, hey. Let me rearchitect this for you and tell you, but we sure can give you the nod or the negative on on plans. Yes.


And I don't know about you. You probably have the same thing, but I have customers that reach out to me during the year, three or four times Oh, yeah.


And say, hey. This is a change that we're planning or this is a a a result we got on our one of our scans. Can you help me figure this out?


Or Sure.


When do you think we should do penetration test? Do you think the scope is right? Mhmm. And and it's in our interest to help them.


Right? Because I don't wanna get to the assessment and go, hey.


Bad news.


Yeah. Yeah. Exactly. That's all.


This is completely wrong. I don't like that feeling. Right?


A painful experience.


A painful experience.


And it's not something assessors wanna go through.


I mean, the reality is that assessors and clients have the same goal.


Yeah.


And that is to make, your compliance as easy as possible.


And and make your environment as secure as possible.


That's right. And so if you, if you reach out to us, we'll be happy to help you in any way we can.


That's awesome. Thank you, Chris. I really appreciate it, and, hope I get to have you talk to me again another time.


I'd love that. Thank you.


Thank you for joining us again here at the SecurityMetrics podcast. Remember to subscribe, share, comment, like. I don't know all of the things, but I'm quite sure that you do. So I hope you've enjoyed it.


If you know someone who is thinking about network segmentation, needs a little more information on it, make sure you send the link to them as well. Take care.


Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
