Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
Much has been written about zero-trust architecture and its principles since its introduction as a security concept some years ago. The term is endorsed by CISA in the US and similar security agencies elsewhere. The intent and principles of zero-trust are compelling, but what’s important is that even when zero-trust principles are in place, threat detection and even preventative security shouldn’t be forgotten.
The principles that underpin zero-trust are clear and simple – always assume that the network and attached devices are not secure and that they should only be operated with that in mind. Rather than assume that everyone who has access to the network is allowed that access; zero-trust demands a series of approaches that grant, allow and monitor access to particular data or systems only to validated users. What is sometimes left unsaid is that threats even in a zero-trust enterprise, if left unmanaged, can still impact the state of your security.
The basic network security model that companies still have in place, in many cases, harks back to when the network perimeter was the point where security happened. Everything inside the perimeter was secure, and anything beyond it was untrustworthy. To access the secure environment meant successfully passing through a policy enforcement point.
Approaches to zero-trust have revised the notion of a defendable perimeter. Instead, relying on user and device access and authentication, or treating the data as the focus, and controlling all access to it. Some advocates even require the re-design of corporate networks, as a series of segments or microsegments, to create and manage very small elements of an access request or user’s job role. The rationale being the improved protection of the rest of the environment and data from other segments of the network.
Irrespective of the architecture, the adoption of zero-trust is not easy, and it shows. Despite acceptance and its maturity as a concept, zero-trust outcomes often remain elusive. Even 15 years after its introduction, advisory white papers and guides are still being published to assist in its implementation.
What is absolutely true, however, is that there has been no let-up in the number and complexity of security breaches. So many, in fact, that one security news site has a long running “cyber breach of the week” column. More troubling, perhaps, is that many of these attacks continue to occur in regulated industries, like healthcare and government, where official mandates (like those from CISA and similar agencies) already exist for the use of zero-trust principles to bolster their cyber security defences.
Given this reality, questions like “Is zero-trust effective?” and after that the simple question: “is it all you need” spring to mind? Well, it turns out, like most things in cyber security, it depends! A key proviso of zero-trust despite its obvious benefits is that monitoring, so you know what to fix when things go wrong (and they do), remains an important management tool.
Threat Detection, Investigation and Response (TDIR) – yet another acronym from the analyst community – supports a range of critical detection, investigation and response processes. TDIR functions are important in the analysis and resolution of attacks, misuse or even understanding anomalous behaviour on your network.
Ongoing monitoring of activity and user actions to detect intrusions, or even gathering information in the event of a breach, ensures “logs” are key to support these investigation and response activities. Whatever your approach, your cyber security strategy should anticipate that an attack will occur at some point; and that you will need the data and logs to complete your TDIR activities.
In zero-trust networks, while you might deliberately “not trust” your infrastructure elements or workstations, it’s important to recognise that they can still form an important role in cyber defence. Like a “security layer” that augments, however imperfectly, your current security controls. So perhaps contrary to the more widely accepted zero-trust narrative environmental security data, even from untrusted sources, can assist in investigating suspicious local activity in a workstation environment.
Given the constantly changing nature of the threat environment there is an important task in just maintaining an understanding and visibility of the state of your mitigating security controls.
Again, this might appear to fly in the face of zero-trust where we trust nothing, and so concern ourselves less with the protection of the network, workstations and other assets. But these controls are there for a reason, they form the very foundation of much of our preventative cyber security effort.
An operating system vulnerability that allows direct access to data, perhaps via an attacker or ransomware infection, could quickly circumvent the zero-trust inspired controls put in place to manage user and entity-based access.
The need to continuously managing exposure to threats – continuous threat exposure management (CTEM) – is another critical activity of the CISO. No matter how complete the zero-trust implementation is, the systems and devices will be vulnerable to exploit unless preventative mitigation strategies are in place. The timely identification of vulnerabilities, their prioritisation and remediation as well as the subsequent assessment of the effectiveness of those processes, is key to informing security and business stakeholders about the state of cyber resilience – regardless of the level of trust placed on them.
This is the reason we see intelligence agencies like NCSC in the UK and ACSC in Australia recommending how to adopt a zero-trust approach while at the same time continuing to provide advice on how preventative controls can be improved to mitigate against malware and other threats.
The Australian Essential Eight Maturity Model is a notable example. It recommends that organisations adopt a zero-trust strategy for improved security but also maintain an appropriate level of maturity for their security controls to protect themselves against attack should other controls (like perimeter defences or for user awareness) fail.
It may be helpful to look at this situation from an attacker’s perspective. Zero-trust architectures and principles make a good deal of sense, but it’s important to remember that the raison d’être of any adversary is to find and exploit a vulnerability in an IT system. That means identifying just a single weakness, in an otherwise impenetrable defence, is all an adversary needs. Strict adherence to all the zero-trust principles in the world won’t protect an enterprise if ports are left open, operating systems are unpatched or the lessons of cyber security awareness are not followed.
The message is clear, while the introduction of controls to “enforce” explicit trust across the environment or at the permiter is important; unless controls are in place to ensure IT systems are patched, applications cannot be installed without authority (which borrows from zero-trust strategies) and admin rights and permissions are limited (which is also a zero-trust overlap) the risk of a cyber attack is not controlled.
Given this focus, these preventative and protective techniques complement each other in their efforts to reduce the risk of a successful attack. The inevitability of an attack, however, whether from a clever and targeted attack or by an opportunistic exploit of a single vulnerability means that organisations should:
Learn more about monitoring with Huntsman Security’s Enterprise SIEM and the maintenance of effective security controls with the Essential 8 Auditor and SmartCheck solutions.
Read by directors, executives, and security professionals globally, operating in the most complex of security environments.