Sanjay Raja | vmblog.com
Many companies are looking to implement a Zero Trust Architecture (ZTA), which is a framework and set of policies built around the concept that no actor, system, network or service operating outside or within the security perimeter is inherently trusted. Instead, every user or entity must be authenticated, authorized and continuously validated for security configuration and posture before being given access (or access maintained) to applications, data and other resources. As the saying goes, “the user is the new perimeter.” When done successfully, a ZTA ensures that the right users and entities get full access to only the right resources, while restricting access to unauthorized users and specified resources. This can optimize resources and availability, reduce alerts and noise for security teams, and limit movement by threat actors in some cases.
However, ZTA can lead to a false sense of security and actually expose an organization to greater risks from organized and persistent threat actors if not properly planned out and executed. To avoid this, organizations must implement a threat detection, investigation and response (TDIR) system that incorporates behavioral baselining and analytics before implementing a ZTA. A TDIR system also works alongside a ZTA to better secure critical data from threats. This article will explore behavioral analytics and highlight the role it plays in developing and monitoring a ZTA.
How Does a ZTA Work?
As mentioned above, ZTA is based on the principle that nothing can be trusted. It’s designed to prevent data breaches and lateral movement within a network. And as networks get more complex and the corporate perimeter continues to expand, ZTA works to validate the identity and integrity of devices regardless of location and provides access to applications and services based on both device identity/health and user authentication. This type of approach is even more critical as remote workers and distributed organizations have fueled further migration to the cloud. Access to resources is determined by dynamic policy – including the observable state of client identity, application/service, and the requesting asset – and may include other behavioral and environmental attributes, such as time of day, frequency and location, access requests, library calls, etc.
In essence, a ZTA does a thorough check at the door and once allowed inside, only allows access to certain areas inside the building.
However, implementing a ZTA without also complementing it with a fundamental understanding of users, entities, access privileges and entitlements, and then applying behavioral modeling and analytics to them, can create significant risk. One of these problems is that a ZTA relying on identity and access management (IAM) or privileged access management (PAM) alone cannot detect whether a user's credentials are false or stolen. Doing this requires data on what network, IP address or location a given user is coming from, compared against historical data on their normal usage patterns. Using behavioral analytics, especially combined with other analytics, can give security teams the visibility they need to determine if the ZTA is working properly and adhering to current policies (and if those policies are effective). Therefore, organizations need a way not only to use behavioral analytics to understand current access, but also to monitor what each user is doing to make sure that ZTA policies are not being misused or violated.
What are Behavioral Analytics?
In cybersecurity, behavioral analytics is an area of data analytics that establishes a baseline of the actions of people and non-person entities that are considered "normal." This baselining is much more effective when the solution can integrate with identity and access solutions to understand the policies already in place. Once a baseline of "normal" is created, ongoing monitoring of the infrastructure is continuously compared to that baseline of expected "normal" behavior. Behavioral analytics can ingest data from various sources, autonomously learn the patterns of users' behaviors, derive individual risk scores that are continuously updated with each user's actions, and orchestrate and automate a desired response.
When these systems incorporate a trained (not rule-based) machine learning (ML) engine and set of models, they can converge on and then adapt to an improving baseline, and better determine what is merely anomalous versus what is malicious. This drastically reduces false positives compared with behavioral solutions built on rule-based models, which is what many traditional SIEM and XDR solutions rely on.
How Does Behavioral Analytics Support a ZTA?
Behavioral analytics plays a crucial role in a ZTA in the following ways:
- Behavioral Analytics characterizes how current access policies are working or not working and can identify expected, unexpected, risky or even malicious behaviors. This is incredibly useful for baselining where you are today and how to establish or refine current access policies and privileges against a zero-trust framework.
- When used with trained machine learning (not traditional rule-based ML), behavioral analytics can learn over time to distinguish what is normal vs. abnormal and, ideally, suspicious vs. malicious. The ability to separate different activity based on the organization's applications, usage, exceptions, etc., drastically reduces false positives and helps security teams that are monitoring for internal risks and threats and external credential-based attacks be much more effective in working with identity and access management teams to stop an attack and improve ZTA security posture over time.
- Behavioral analytics makes it possible to measure the risk of specific actions or individuals (note that this requires highly-sophisticated analytics and is not widely available). That “risk score” can affect a user’s access in a proper ZTA. For example, if a user has previously screenshotted documents, downloaded sensitive files that are outside their department or transferred data to an external storage device like a USB drive, then the security teams might want to restrict certain permissions. While many solutions measure risk based on CVE/CVSS scores, this is a limited metric that does not include the full potential impact of these actions on the organization.
- Behavioral analytics complements ZTA by detecting when adversaries are using stolen credentials. In essence, a set of stolen credentials means that, from a ZTA perspective, no rules or policies are being violated. While the ZTA can still limit the movement of a threat actor through least-privilege access, if a whole stack of usernames/passwords has been purchased off the dark web, a threat actor has essentially evaded the ZTA altogether. This is where behavioral analytics is critical in spotting unusual though authorized activity. When coupled with other telemetry such as network traffic analytics, endpoint analysis, threat content/intelligence, etc., behavioral analytics can more rapidly distinguish threat actor activity from merely unusual behavior, which is critical to stopping an attack campaign before it does any damage.
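The baseline-and-risk-score loop described above (build a per-user picture of "normal", score each new access against it, feed the score into the access decision, and keep updating the baseline) as an added example, not code from the article or any product it mentions; the login history, the attributes scored (country, network prefix, hour of day) and the risk thresholds are all assumed for illustration:

```python
"""Toy behavioral baseline feeding a zero-trust access decision (added example)."""
from collections import Counter, defaultdict

# Constructed sample history: (user, source country, /24 prefix, hour of day).
HISTORY = [("alice", "US", "10.1.2", h) for h in (8, 9, 9, 10, 13, 14, 17, 9, 10, 11)]
HISTORY.append(("alice", "US", "10.1.3", 9))


def build_baseline(events):
    """Per-user frequency tables of the countries, prefixes and hours seen so far."""
    base = defaultdict(lambda: {"country": Counter(), "prefix": Counter(), "hour": Counter()})
    for user, country, prefix, hour in events:
        b = base[user]
        b["country"][country] += 1
        b["prefix"][prefix] += 1
        b["hour"][hour] += 1
    return base


def score_event(baseline, user, country, prefix, hour):
    """Risk points for each attribute absent (or rare) in the user's own baseline."""
    b = baseline.get(user)
    if b is None:
        return 100  # no history at all: treat as an unknown entity
    total = sum(b["country"].values())
    risk = 0
    if b["country"][country] == 0:
        risk += 50  # never seen from this country
    if b["prefix"][prefix] == 0:
        risk += 20  # never seen from this network
    if b["hour"][hour] / total < 0.05:
        risk += 20  # hour of day seen in under 5% of past logins
    return risk


def decide(risk):
    """Map a risk score onto a zero-trust enforcement action (assumed thresholds)."""
    if risk >= 60:
        return "deny"
    if risk >= 20:
        return "step-up-auth"
    return "allow"


def observe(baseline, user, country, prefix, hour):
    """Score one access; only events that pass cleanly update the baseline."""
    decision = decide(score_event(baseline, user, country, prefix, hour))
    if decision == "allow":
        b = baseline[user]
        b["country"][country] += 1
        b["prefix"][prefix] += 1
        b["hour"][hour] += 1
    return decision
```

Note that the credential itself is never checked here: every event is already "authenticated" from the ZTA's point of view, and it is the deviation from the user's own history that raises the score.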
ZTA is a truly effective way to protect data and restrict unwanted user access within a network, but this is only possible through the power, support and implementation of behavioral analytics technology at the foundational level. If you can’t understand and baseline normal behavior and identity of devices and users, then you can’t identify anomalous activity and restrict access. Not only does behavioral analytics make a ZTA possible, it also complements the framework and reduces the workload for security professionals by accelerating credential-based threat detection and improving the accuracy and context when doing investigations and automating response actions. This ultimately helps establish a more iron-clad zero-trust program, ensures it is running properly, and equips the security team to identify gaps and associated threats and make continuous improvements.
Behavioral Analytics Makes Zero Trust Possible