Zero Trust in the Modern Security Landscape

The days of perimeter-based security are quickly fading. Rising geopolitical tensions and ransomware attacks that continue to increase in number and scale underscore the importance of security controls that can keep pace with modern threats. Meanwhile, the 2027 deadline established by the U.S. Department of Defense (DOD) in its Zero Trust Strategy grows ever closer.

Organizations are turning to tools like security service edge (SSE) to secure cloud environments and enable employees to work from anywhere. But one-off security solutions aren’t enough in the modern security landscape. That’s where zero trust security architecture empowered by real-time network visibility comes in.

What Is Zero Trust?

There are several, often conflicting, definitions of zero trust in the cybersecurity industry. This has led to no small amount of confusion in the market as security practitioners try to make sense of security technology vendors’ claims. It might be easier to start with what zero trust isn’t.

Zero trust isn’t a single solution, like risk-based authentication or zero trust network access (ZTNA). It also isn’t a one-time project with an end date. As organizations grow and threats change, organizations’ zero trust implementations should adapt accordingly to protect their infrastructure, no matter what it looks like or shape threats take.

ExtraHop follows the definition of zero trust offered by the National Institute of Standards and Technology (NIST), which the DOD also uses in its Zero Trust Strategy:

Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned).

Zero trust requires a shift in security mindset, from implicitly trusting certain devices and users to “never trust, always verify.” This is more than a pithy catchphrase; it’s solid technical advice that forms the foundation for a new set of zero trust security policies.

In a zero trust model, security teams assume attackers are already inside the network and have already compromised assets. Acting as if this is true means doing everything possible to reveal and limit attackers’ movements. No user or device is trusted implicitly, even if it’s inside the firewall. Instead they must be authenticated and authorized every time. Under the principle of least privilege, users should be granted only the privileges they need to do their jobs in relevant applications, but no more.

Implementing a Zero Trust Framework

ExtraHop has written extensively about how organizations can get started with zero trust. Briefly summarized, the DOD outlines seven pillars of a zero trust security model:

1. User: continually authenticate, assess, and monitor user activity patterns to govern access and privileges.
2. Devices: Understand the health and status of devices to inform risk decisions and inspect, assess, and patch devices in real time.
3. Applications and Workloads: Secure everything, including applications, hypervisors, containers, and virtual machines.
4. Data: Achieve data transparency and visibility by enabling and securing enterprise infrastructure, applications, and standards and by using end-to-end encryption.
5. Network and Environment: Segment, isolate, and control the network environment with granular policy and access controls.
6. Automation and Orchestration: Deploy an automated security response based on defined processes and policies enabled by AI.
7. Visibility and Analytics: Analyze events, activities, and behaviors to derive context and apply AI and machine learning to achieve a highly personalized model that improves detection and response time.

ExtraHop recommends a few steps organizations can take to begin their transition to a zero trust architecture.

1. Begin with a complete inventory of assets, users (human and non-human), data flows, and business processes. You can’t protect what you don’t know about, so it’s vital to understand the current state of your architecture, including any shadow IT and privileged accounts.
2. Identify the first services or workflows to migrate. During this evaluation, make sure you understand how resources up- and downstream of the process will be affected. It’s better to start with a smaller application or process rather than one vital to the entire enterprise.
3. Choose solutions for the identified processes. No security solution is one-size-fits-all, which is why a detailed understanding of your architecture is critical. Consider the following factors when evaluating solutions:
   1. Does the solution require agents or other components to be installed?
   2. Will the solution work for both on-premises and cloud resources?
   3. Is the solution compatible with logs?
   4. Which applications, services, and protocols does the solution support?
   5. Will this solution require behavior changes?
4. Monitor new workflows and processes to ensure policies are effective and to establish a baseline of normal behavior. Be prepared to modify policies over time as you learn what works and what doesn’t. As you expand your zero trust implementation, you may need to adjust policies from earlier phases. That’s why zero trust is never “done.”

What Are the Main Barriers to Zero Trust?

Zero trust isn’t a product or solution you can buy off the shelf and add to your security stack. It’s a fundamental shift in security culture that will require rethinking your current security controls. This isn’t a process that can happen overnight, and most organizations will face challenges along the way. Here are a few of the most common.

You can’t protect what you can’t see. Every organization is a complex web of users, devices, applications, workloads, and data stretching across a network environment that may include cloud servers, offices and production facilities, and remote worker endpoints. To properly defend this dynamic infrastructure, you need continuous visibility into east-west traffic, including encrypted network traffic, like that offered by RevealX.

Zero trust takes time. Unless you’re starting from scratch, your organization won’t be able to implement a pure zero trust architecture immediately. For nearly every enterprise, zero trust and perimeter based security workflows will coexist during the transition. Organizations should ensure that security solutions shared between the old approach and their zero trust implementation are flexible enough to work in both architectures.

Stakeholders may be resistant to change. Moving to a zero trust architecture is a big shift that will require many stakeholders to change processes they’re familiar and comfortable with. It can be difficult to break old habits and establish new ones, but it helps to educate everyone on why the changes are necessary. Socialize planned changes early so no one is taken by surprise, and solicit feedback so stakeholders feel like they’re part of the process.

Microsegmentation isn’t enough by itself. Some microsegmentation tools require agents to be installed on all endpoints, which may not be possible with certain medical or operational technology devices, cloud resources not owned by the organization, or employee devices. Network detection and response (NDR) solutions like RevealX can help organizations monitor all the resources that can’t support an endpoint agent.

How Can Network Visibility Support Zero Trust?

According to the April 2023 Zero Trust Maturity Model report from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), network and device visibility, two key capabilities of NDR, are foundational elements of a zero trust security model.

Furthermore, RevealX provides more than two dozen capabilities across the seven zero trust pillars defined by the DOD. Here’s a brief summary:

• User: RevealX establishes baselines of normal user behavior, which can be used to monitor and audit privileged identities.
• Device: RevealX automatically inventories and classifies devices on the network and provides real time insight into user and device activity. This enables teams to make more informed access decisions.
• Application and Workload: RevealX automatically discovers and classifies applications, provides real time application analytics, and maps application dependencies. Top solutions also continuously monitor applications and workloads to uncover suspicious behavior.
• Data: RevealX provides full packet capture (PCAP) and is always on, passively monitoring network traffic. This provides a failsafe for data loss prevention tools and meets requirements to capture certain active metadata.
• Network and Environment: RevealX understands normal data flows so organizations can spot anomalous behavior. High-fidelity network data also provides the visibility necessary to inventory and audit software defined networking infrastructure.
• Automation and Orchestration: DOD organizations should use policy decision points to orchestrate and automate policy enforcement. NDR provides crucial network visibility and behavioral insights that organizations can use to develop and tune these policies.
• Visibility and Analytics: Full, continuous PCAP provides high fidelity metadata that can’t be deleted or bypassed like some logs. Feeding this data into a SIEM eliminates blind spots and accelerates threat detection. RevealX provides this visibility everywhere, including Netskope security service edge (SSE) traffic via the ExtraHop Zero Trust Extension.

The ExtraHop RevealX NDR platform supports 23 out of 45 DOD zero trust capabilities, including those listed above. Though every zero trust program will rely on a variety of solutions, zero trust decision makers should seriously consider how NDR can help their organization reach maturity.