Zero Trust: An Introductory Guide

The Network Perimeter

When the pandemic struck, global organizations hit the fast forward button on digital adoption. According to McKinsey, many accelerated a process that would have taken three or four years, in just months. Money was released to back investments in cloud infrastructure and applications, flexible working and mobile computing. New customer-facing online services were launched within weeks. Yet as important as these efforts were to mitigate the shocking impact of the crisis, they had another effect. With rapid digital transformation comes a further erosion of the traditional network perimeter model for cybersecurity.

In a world of mass remote working, BYOD and cloud everywhere, how do you know which users to trust? The answer is a zero trust approach rapidly gaining ground as a best practice way to secure this increasingly decentralized IT environment.But getting there isn't easy. It will require a strong focus on gaining end-to-end network visibility and enhancing collaboration between siloed IT teams.

This is where network detection and response (NDR) platforms can add real value—enabling organizations to adopt a zero trust model faster and at lower risk.

The Threat Landscape in 2021

Today's workforce is highly distributed. In just a few weeks in early 2020 the number of Americans working from home (WFH) doubled to around 62% as offices closed to halt the spread of the virus. A quarter (26%) say they'd prefer to continue doing so even after the pandemic recedes. These changes in turn drove a surge in cloud investment as organizations scrambled to support their WFH staff. Spending on infrastructure services rose 37% to $29 billion during the first quarter of 2020. Experts believe the shift to agile, cloud-driven computing models is here to stay.

The combined impact of these more fluid and flexible working patterns is to make locating and protecting key assets and data more challenging, whether they're in the cloud or on-premises.

Other recent trends include:

  • A growing reliance on suppliers: This isn't necessarily COVID-related, but rather a characteristic of organizations in most sectors today. Yet this reliance on third parties, especially in the digital domain, can expose organizations to new cyber-risks
  • An explosion in IoT endpoints: Alongside the huge increase in people working from home on their laptops, desktops and other devices during lockdown, we've seen an even bigger surge in smart, connected "things" globally. IDC predicts that by 2025 there will be 55.7 billion such devices worldwide, generating over 73 ZB. Unfortunately, many are unmanaged, poorly engineered and unprotected. If exploited, they can serve as a useful entry point for attackers into trusted networks
  • Threat actors continue to mature: Thanks to an underground economy worth trillion, attackers have more tools in their arsenal than ever before. Zero-days and unknown malware evade traditional defenses, encryption is used to hide malicious behavior, and stolen, phished or cracked credentials allow attackers to sneak into networks masquerading as legitimate users. Use of "living off the land" techniques and legitimate tools also hides post-compromise lateral movement from legacy security tools

For security teams facing these challenges, traditional network security controls—perimeter firewalls, intrusion detection systems (IDS) and VPNs—are simply no longer fit-for-purpose. The rules and signature-based threat detection techniques of legacy IDS, for example, fail to catch novel malware, use of hijacked credentials or lateral movement. VPNs have become overwhelmed during the WFH months of the pandemic, providing inbound security headaches alongside outbound challenges related to patching distributed endpoints.

What is Zero Trust?

The concept of zero trust has been with us for over a decade, but thanks to the perfect storm of challenges listed above it is now gaining serious traction among organizations worldwide. Zero trust articulates a vision for highly effective and flexible security in a de-perimeterized world where devices within the corporate network are no longer to be blindly trusted. Instead, users and devices are dynamically and continuously authenticated and verified, with access to resources restricted according to "least privilege" principles. Networks are segmented to further limit potential wrongdoing (lateral movement) and support granular access policies.

Zero trust is all about following the mantra of "never trust, always verify," which means assuming a breach has already occurred. Typical technologies used to support projects include identity and access management (IAM), end-to-end encryption and micro-segmentation. Visibility into network activity, threat intelligence and incident response capabilities are also critical, which is where NDR comes in.

Implementing a Zero Trust Network

There is no single, definitive zero trust model to begin your work in this area. However, a good start would be to implement the following, as Microsoft has internally:

  1. Validate and secure all identities with multi-factor authentication (MFA): the end goal being to eliminate passwords. Biometrics-backed MFA can support strong authentication.
  2. Validate, secure and continuously manage devices: even if users are authenticated the device they are using may be vulnerable or have already been compromised. They must be checked for a baseline level of security and health before being allowed access to corporate resources.
  3. Utilize security telemetry everywhere: to understand your current security state, where the organization may be exposed, and how effectively new controls are working. Auditing, monitoring and telemetry should be robustly applied across all users, devices, applications, services, and access patterns. According to NIST, information on network traffic and access requests is particularly important here, and should be used to enhance policy creation and enforcement, as well as to provide context for user access requests.
  4. Enforce least privilege policy: so that users only get access to the apps, services and infrastructure they need to do their job, and no more. That means solutions such as broad access VPNs should be removed.

NIST has a useful list of basic zero trust tenets, although admits that it may not be possible for organizations to implement all of them in their purest form. Remember the following:

  • All data sources and services are considered resources
  • Secure all communication regardless of network location
  • Grant access to individual resources only on a per-session basis
  • Determine access to resources via a dynamic policy—which assesses client identity, application/service, the requesting asset and possibly other behavioral or environmental attributes
  • Assess the security posture of all assets when evaluating requests
  • Maintain a continuous cycle of granting/denying access, scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communications
  • Collect as much information as possible on asset security posture and network traffic and access requests, to continually improve policies and make effective access request decisions

What Are the Main Barriers to Adopting Zero Trust?

Zero trust cannot be achieved by simply buying and deploying a single technology platform. It may require a fundamental rethink of your current security controls and culture, beginning with the identification of all business-critical assets and resources.

Here are some of the most common challenges to bear in mind:

You can't protect what can't see: Your organization is a complex blend of hardware, applications and data distributed across cloud, WFH endpoints, office-based facilities and the network edge. You need continuous visibility of this dynamically evolving infrastructure.

Zero trust takes time: Any deployment will need to be implemented over your existing environment, which could mean major disruption to staff productivity if not properly managed. It could also expose the organization to cyber-threats if you don't have effective threat detection and response tools in place.

IT and stakeholder siloes: These can be a serious roadblock on progress, especially if zero trust is not treated as a mission-critical mandate. All relevant stakeholders need to change their mindset to assuming the network has been breached and proceed accordingly.

Micro-segmentation alone is not enough: Some micro-segmentation tools require the installation of agents on all endpoints, which may not be possible with BYOD assets, WFH endpoints, IoT devices and cloud resources not owned by the company. Organizations must layer-up defenses to take into account any deficiencies in certain areas.

How Can Network Data Support Zero Trust Adoption?

NDR is a new approach to network-based threat detection and response that supports rapid investigation, internal visibility, intelligent response and enhanced threat detection across on-premises, cloud, and hybrid environments. Unlike log-based approaches like SIEM or agent-based tools like EDR, data cannot be deleted and tampered with. In fact, the network provides an unrivalled "ground truth" for IT teams in that it's almost impossible for attackers to avoid certain key activities, which NDR can spot.

Visibility is further enhanced by capabilities designed to peer into encrypted traffic flows. And cloud-powered machine learning can be used to baseline the "normal" behaviors of entities on the network and contextually identify anything suspicious—a huge improvement over legacy rules and signature-based detection.

Although NDR isn't a core component of zero trust, it can help to accelerate adoption, by enhancing the IT visibility organizations need to get going and supporting enhanced collaboration for traditionally siloed teams.

In short, it offers:

360-degree visibility into hybrid networks, cloud transactions, and device types: including automatic discovery of every asset on the network and profiling of every managed and unmanaged device, including IoT endpoints.

Real-time detection of threats and performance anomalies: using high fidelity advanced machine learning and behavioral analysis. Also continually monitors and safeguards network traffic—including SSL/TLS encrypted traffic—up to 100 Gbps, to validate policy enforcement.

Intelligent, integrated threat response across the zero trust environment: including accelerated investigation workflows from a customized dashboard. Integration with third-party solutions (EDR, SIEM etc) enhances both automated responses and manual investigation and remediation.

Improves analyst productivity and IT collaboration: A single integrated workflow for SecOps, network operations, cloud, and DevSecOps teams helps to streamline operations. Automated response and workflows save analysts time and empower operational staff to work on high value investigations.