Achieving Zero Trust with Network Data

After what we all had experienced last year, it's no surprise that Zero Trust interest and initiatives are on the rise. With COVID-19 came the rapid shift to working from home, and with unknown devices suddenly connecting to the network, phishing campaigns rose, ransomware attacks increased, and other advanced threats emerged—like the SUNBURST supply chain attack and the recent Colonial Pipeline shutdown.

This dangerous and persistent activity has served as a wake up call for many people—including the United States government—which has many security teams looking for a better way to secure their environments. The Zero Trust model has come to the forefront as one potential answer and is getting increasing attention.

Zero Trust isn't something that you just turn on overnight—it's a strategy to apply broadly across environments. Sound intimidating? Don't panic. You already have a powerful tool to help you, if you know how to use it: network data.

Why Zero Trust?

As John Kindervag, the creator of Zero Trust explains, trust cannot be determined solely based on a user or their device's location within the network. Just because we trusted something yesterday doesn't mean we should trust it today. This truth breaks down the efficacy of our traditional defense-in-depth cybersecurity frameworks—static rules that apply trust to broad categories no longer make sense. We need to think about how we can enable more secure access, especially as our reliance on third parties (contractors, third-party software, and various partners) increases.

What is Zero Trust? A Zero Trust approach determines trust dynamically and regardless of where the users are located. Access privileges are not just granted once the user and device identities are authenticated, but instead are continuously verified. Authorization to applications and resources is granular, lasting only for specific transactions on an as-needed basis. No asset or network segment is implicitly trusted.

5 Ways Network Data Can Help

#1 Visibility: Core to Cloud to a Remote Workforce

The move to a remote workforce means a growing list of devices. How can you tell the difference between unmanaged, IoT, uninstrumented, and rogue devices? This problem becomes even more challenging when advanced threats are masking their activity and bypassing traditional defenses.

Even with so many solutions available, cloud perimeters can also be challenging to monitor and protect. As organizations grow, both on site and especially in remote environments, their cloud workload expands, which can leave gaps in an already strained infrastructure. Although solutions like endpoint detection and response (EDR) are necessary and good, they're not really suited to a growing cloud environment or devices connecting from multiple locations.

To implement dynamic rules for when devices can access specific resources, you need a clear picture of every device and cloud workload. Network traffic can help identify and profile those devices, providing a foundation for implementing Zero Trust architecture. Everything touches the network, and that makes it the natural source of ground truth.

#2 Detect Over Prevention

The transition from a prevent mindset to one of detection and response parallels the ideas of Zero Trust. Machine-learning powered solutions will detect sketchy behavior regardless of whether it's a so-called trusted user account doing it. Many of the activities represented in the MITRE ATT&CK framework—including command & control, lateral movement, and data exfiltration—can stop even advanced attacks that have evaded preventative tools.

Common tools designed to track and log data, like a security information and event management (SIEM) system, are capable of detecting malicious behavior, but they have a few critical blind spots and, importantly, can be disabled or circumvented—like they were in the SUNBURST attack.

A network-based solution can act as a covert onlooker. It can't be seen or disabled by intruders and will continuously observe their behavior, even if they're using valid credentials or seemingly innocuous or difficult-to-log protocols.

#3 Reduce Friction and Eliminate Silos

The division of responsibilities and resources across NetOps, SecOps, and IT Ops teams can create unnecessary friction and barriers. Zero Trust demands a cohesive strategy and shared information across teams.

One thing that these silos forget is that they share a common bond—the use of network data. If you build your security strategy using network data as the foundation, you enable a coordinated effort across teams—and across the entire hybrid environment, from cloud workloads to the data center, remote sites, and IoT deployments.

With streamlined collaboration and a single source of truth, your plan to implement zero trust can leap a whole series of roadblocks.

#4 Enable Zero Trust in the Cloud

How does Zero Trust work in the cloud? When you're using network data, the answer is: the same as it does everywhere else.

Okay, that's an oversimplified answer, but the point is that a good network security solution is well-suited to adapt to cloud environments. Comprehensive visibility without needing an agent in every workload? Check. Behavior-based detections that catch advanced attacks? Check. Better cross-team collaboration? Check!

#5 ExtraHop Reveal(x) Brings Everything Together

As glorious and all-seeing as network data is, it's also a firehose of information. Network detection and response (NDR) solutions use machine learning to turn data into actionable insight. Reveal(x) helps you act on that insight with streamlined workflows and helpful visualization tools.

It can help you plan, implement, operate, and secure Zero Trust Architecture by helping you:

• Know everything that's on your network so you can implement Zero Trust policies
• Identify where Zero Trust isn't being followed
• Detect malicious behavior regardless of what's doing it

Dig into network insights in Reveal(x) on your own, online, in the full product (running on example data).