Zero Trust Security – Part 2 – War on Two Fronts
This is the second part in a two-part series about taking a Zero Trust approach to security. Read the first part here.
Organizations that want to avoid becoming the next Office of Personnel Management (or Yahoo, or Uber, or Equifax, or Sony) and prevent the exfiltration of their critical and sensitive data should address security as a war on two fronts – Identity and Behavior. But before an organization can begin the processes of managing identity for Zero Trust and observing behavior, they should first have a firm understanding of what their most sensitive data is, and where it is kept.
This process is frequently referred to as a data classification project. In addition to identifying the sensitive data and how it is stored, this initiative also requires companies to ask themselves the following questions:
- How sensitive is this data?
- Who needs access to this data?
- How do they access this data, from where, and at what times?
Here at iT1, we always tell customers kicking off a project like this to try to have as few classifications of data as possible; perhaps three or four categories total. Remember, the purpose of a data classification project is not solely to answer the questions above. Rather, the objective is to create rules and automation around the different classifications of data. Fewer categories means simplified management of policies. Since the Zero Trust redesign of a network will be based on how requests for data are received and serviced across the network, mapping the flow of the data is another important element of the project.
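To show what "rules and automation around the classifications" can look like once the three questions above have been answered, here is an added example (not iT1's code or tooling) of a small policy evaluator keyed on a hypothetical three-tier scheme. The tier names, roles, networks and hours are constructed assumptions; the point is that each tier encodes who may access the data, from where, and when, and that anything unclassified is denied by default.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Hypothetical three-tier scheme, kept small as the text recommends. Each tier
# answers the three classification questions: which roles, which source
# networks, and which hours. None means "no restriction on this dimension".
# All values are constructed for illustration.
POLICY = {
    "public":     {"roles": None, "networks": None, "hours": None},
    "internal":   {"roles": {"staff", "finance", "hr"}, "networks": ["10.0.0.0/8"], "hours": None},
    "restricted": {"roles": {"finance"}, "networks": ["10.20.0.0/16"], "hours": (time(7, 0), time(19, 0))},
}

@dataclass
class AccessRequest:
    user: str
    role: str
    source_ip: str
    at: time
    classification: str

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for a request against its tier's rules.
    Unknown classifications are denied: unclassified data is treated as if
    it were the most sensitive tier, which is the safe default."""
    rule = POLICY.get(req.classification)
    if rule is None:
        return False, f"unknown classification '{req.classification}'"
    if rule["roles"] is not None and req.role not in rule["roles"]:
        return False, f"role '{req.role}' not permitted for {req.classification} data"
    if rule["networks"] is not None:
        src = ip_address(req.source_ip)
        if not any(src in ip_network(net) for net in rule["networks"]):
            return False, f"source {req.source_ip} outside allowed networks"
    if rule["hours"] is not None:
        start, end = rule["hours"]
        if not (start <= req.at <= end):
            return False, f"access at {req.at} outside window {start}-{end}"
    return True, "allowed"
```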
Identity
As IT organizations start to implement Zero Trust, the next likely step will be looking for ways to “un-flatten” networks, creating microperimeters around critical systems. These microperimeters can be physical or virtual, and are usually where teams fall back to the principle of least privilege, granting access only to those individuals and applications who have a critical need for the resources behind the perimeter. However, forcing users to authenticate at every step along the way can be time-consuming, cost-prohibitive and have significant negative impact on user experience.
To manage the authentication issue, many companies look at extending directory solutions like Microsoft Active Directory beyond domain and lightweight directory services into a more comprehensive Identity and Access Management (IAM) solution. IAM tools allow IT teams to control access with role-based policies, and federate identity management with internal and external applications for single sign-on. Enabling multifactor authentication (MFA or 2FA) in an IAM platform hardens systems further by protecting against stolen credentials. Because IAM systems incorporate tools and reporting to provide intelligence around all user log-in activity and the assigning and removing of privileges through role-based policies, iT1 advises clients to maintain a “Single Source of Truth.” That is, a single database containing all users, roles, and policies, that acts as the “final say” in case of any conflict with other applications that have been federated with the identity management system. That database most commonly resides in Active Directory, but can also be present in Okta, Ping, and many other emerging IAM solutions.
Behavior
After identity systems have been modernized and optimized, the next battle is on the front of Behavior. Remembering that Zero Trust mandates treating internal traffic with the same level of trust as external traffic (none), organizations need to make sure the connections they do allow onto their network are behaving as they should.
Depending on the size of IT environment, its relative geographic distribution, and nature and sensitivity of the data that resides on and traverses the network, organizations may favor implementing smaller, more plug-and-play solutions versus tackling a larger and more complex project like a Security Information and Event Management (SIEM) solution. One of those more easily-implemented solutions that is becoming common today is a Cloud Security Gateway (CSG).
Cloud Security Gateways provide important features out of the box that help security personnel monitor and detect suspicious behavior. Say, for instance, that a firm knows that someone in the Accounts Payable department usually accesses 20-30 billing records per day in an online accounting platform like QuickBooks. A CSG, properly configured, would monitor the connection between a user and the cloud software. If someone from Accounting downloaded several hundred records in a day, the CSG would detect this as suspicious or fraudulent activity and alert the IT security team. CSGs can also monitor the flow of information from cloud-to-cloud, enabling Data Loss Prevention features that would be otherwise impossible with on-premises DLP technology.
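The Accounts Payable scenario above is a baseline-versus-volume check, and the added example below (not code from iT1 or from any CSG product) shows the detection logic run over a constructed sample of CSG-style events. The log format, user names and record counts are assumptions; a real gateway would supply its own event schema. The rule compares each user's daily total against the median of that user's earlier days, so the "20-30 records per day" baseline is learned rather than hard-coded, and a new account with too little history is not flagged on its first days.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of CSG-style events: "<ISO timestamp> <user> <action> <records>".
# ap_user normally touches 20-30 records a day, then exports 410 on 2024-03-07.
SAMPLE_LOG = """\
2024-03-04T09:12:00Z ap_user record_view 12
2024-03-04T14:40:00Z ap_user record_view 14
2024-03-05T10:05:00Z ap_user record_view 22
2024-03-06T11:30:00Z ap_user record_view 27
2024-03-07T08:50:00Z ap_user record_view 9
2024-03-07T09:02:00Z ap_user record_export 410
2024-03-07T10:00:00Z ar_user record_view 18
"""

def daily_totals(log_text):
    """Sum records touched per (user, day) across every record_* action."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        if action.startswith("record_"):
            totals[(user, ts[:10])] += int(count)
    return totals

def find_anomalies(log_text, factor=5.0, min_history=2):
    """Flag a user's day when its total exceeds `factor` times the median of
    that user's earlier days. Users with fewer than `min_history` prior days
    are skipped so a new account does not trip the rule immediately."""
    totals = daily_totals(log_text)
    per_user = defaultdict(list)
    for (user, day), n in sorted(totals.items()):
        per_user[user].append((day, n))
    alerts = []
    for user, days in per_user.items():
        for i, (day, n) in enumerate(days):
            history = [x for _, x in days[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if n > factor * baseline:
                alerts.append({"user": user, "day": day, "records": n, "baseline": baseline})
    return alerts
```

In practice the factor and minimum history are the knobs an analyst tunes to keep this from becoming one more source of noise.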
iT1 also sees CSGs implemented in scenarios where IT organizations are looking to lock down access to unsanctioned cloud storage platforms, such as personal Box, Dropbox, or OneDrive accounts, and scan the sanctioned solutions for malware inadvertently uploaded. In all of the above scenarios, CSGs are a great tool for monitoring and inspecting the behavior of people and programs on internal and external networks.
Companies with a little more money to spend, a few more people to put on a project, and a need for detailed analytics are turning towards implementing a SIEM solution. SIEM comes in many forms—Splunk, AlienVault, ArcSight, and LogRhythm are just a few. However, smaller or less experienced teams should keep a few things in mind.
First, these solutions are oftentimes differentiated by the amount of data they can produce. A truly enterprise-class SIEM solution can monitor, log, track, and analyze every bit and byte that goes across the networks they inspect. They detail every change, log every event, and some even present some basic recommendations back to their customers for changes to be made or behavior to analyze further. While these tools are very powerful, there are three common roadblocks to any large-scale SIEM implementation:
- Cost: an enterprise SIEM implementation is frequently a seven-figure endeavor, with TCO heavily weighted on operations. Teams without experience deploying or managing a SIEM tool are slow to recognize value.
- Too much data: The sheer vastness of the data may cause confusion over what’s important or where time is best spent.
- Too much noise: That same vastness of data can result in incorrectly tuned alerts. Teams get too many alerts for non-critical events, which leads to alert fatigue, and ends with a critical alert being silenced or ignored.
For those three reasons and more, iT1 recommends that organizations – especially those deploying a SIEM tool without much experience – consider using a managed security services partner that runs an industry-leading SIEM tool in a cloud environment, and layers their own Artificial Intelligence on top. The AI observes suspicious events and behavior globally, reducing false positives while also helping to identify malicious activity faster than traditional means. This helps to identify and address zero-day exploits faster, and contain newly-discovered malware before it spreads further. The end result is a more effective and efficient implementation for the customer, and alerts that are tuned not just to the behavior on a single network, but to the many other networks the service provider monitors.
Say goodbye to your castle-and-moat security approach.
As high-profile hacks, affecting millions of consumers at a time, occur with increasing frequency, and malware attacks become more sophisticated, IT teams are evolving from their castle-and-moat approach to security. The model teams should be orienting themselves towards is that of Zero Trust architecture, and there are a number of solutions and partners that can break a complex modernization project down into actionable and achievable steps. By viewing the new security threats as a war on two fronts, Identity and Behavior, IT leaders can set their teams to work, classifying data, hardening networks, confidently validating identity, and monitoring for suspicious behavior.