ABCs of UEBA: Z is for Zero Trust

WOW!  Alert the presses!  It’s our last entry in the book of ABCs of User and Entity Behavior Analytics (UEBA). It’s both a poignant yet fulfilling moment when you reach the final episode in a series.  And we are leaving you with the ultimate end game: don’t trust anyone or anything inside or outside the perimeter.  Everyone and everything attempting to connect to systems must be verified before granting access.  Yes indeed, Z is for Zero Trust.

In an era where diverse and innovative attacks are increasing to fast and furious levels, many organizations are completely rethinking their security architectures.  Adding to the complexity is that the managed perimeter is less well-defined than in the past.  The proliferation of computing systems such as IoT devices, public cloud and private cloud systems, mobile phones, building systems, and industrial control instruments adds to the challenge of protecting modern networks.

All of these disparate pieces are now a part of the wider corporate network.  But the complexity in managing this network is many times more than when it consisted of PCs and servers.  It’s not feasible for all of these devices with different purposes and different locations to establish and maintain mutual trust.  Attackers may be able to replace peripheral devices such as IoT sensors to get access to the network and use those devices to enhance credentials.  Rather than having a defined perimeter with a set number of well-understood computers, you have a network that includes many different devices that may join and leave on an ongoing basis.

Mutual Authentication Eclipses Mutual Trust

Enter Zero Trust.  If the different systems on a network can’t mutually trust one another, then no systems on the network should.  That’s Zero Trust; it means that every interaction between every device on a network should begin with establishing trust between those devices.

That sounds straightforward in theory.  But you manage Zero Trust architectures in very different ways than traditional trust networks.  First, rather than mutual trust, you have mutual authentication.  What that means is that each device provides access based on individual authentication, rather than automatically trusting each other.  Prior to access, a device authenticates and checks the integrity of the requesting device, and the requesting device does the same.

Second, the devices authenticate the user trying to access them.  The user of the applications, data, or services on a device has to be known to the network and confirmed by the device providing those services.  And it has to be known for every application and service requested.  Users may be human application users with network logins, or they may be communications between individual systems and other devices, such as printers or disk storage.

Trust is a Privilege, not a Right

It sounds like a lot more computing work than the classic mutual trust model, but it’s necessary today.  There are simply too many different computing devices on organizational networks, and mutual trust represents a far too simplistic way of managing security across a network.  The network perimeter is not nearly as solid and uniform as it has been in the past, forcing organizations and vendors into creative new ways of protecting networks.

Zero Trust is based on the idea that trust is not a right, but a privilege, granted individually on a one-time basis, that opens up certain services based on that trust.  The name “Zero Trust” is really a misnomer, in that we need trust between members of a network in order to accomplish computing tasks.  The question is how we go about establishing that trust.  In the case of Zero Trust, it is checked on an ongoing basis in response to network interactions.

Beyond Authentication and Authorization

Zero Trust establishes a solid trust framework for application and network activity through regular interactions.  But Zero Trust is only the beginning; it also means more than mutual authentication.  It also means continuous monitoring of the network, all devices and users, on an ongoing basis.  Mutual trust has to be reestablished every time there is a new session or interaction between network participants.

In other words, trust between devices or between users and devices can still fail.  Networks and devices may be attacked and spoofed into trusting a user or trusting another device, which can often be propagated across the network.

Once trust fails, it can potentially fail many times, as a device or user accepts a connection that is falsely trusted.  The attacker can then gradually gain access to other resources on the network, by making requests from a source already on the network.  A determined attacker can gradually gain access to critical parts of the network.

Supplementing Zero Trust Architectures

What can organizations do to supplement their Zero Trust network?  The best way to continue to maintain control over the network is to monitor all activity through User and Entity Behavior Analytics (UEBA).  UEBA security enables analysts to examine traffic, often in real time, to determine the legitimacy of that traffic.  If devices that don’t normally connect, or users requesting services beyond their privileges, try to establish a trust connection, that attempt might be flagged as a potential attack.

The problem with many UEBA products is that they can generate a large number of false positives; that is, seemingly anomalous activities can actually be normal in a larger context.  Security analysts can find themselves having to sort through hundreds of potential anomalies in order to find a single possible attack.

This is where machine learning (ML) comes in.  ML models can learn from network data feeds and be trained to tell the difference between false positives and activities that require further investigation.  If your UEBA system learns about normal patterns of network and user behavior on your network, it can more easily distinguish between an attempted attack and a false positive.  At the very least, ML models will slim down the potentials into a more manageable set of abnormalities to explore.
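The two checks described above (a device that has not previously connected to a service, and a user requesting a service beyond their privileges), with a learned baseline of past handshakes standing in for the trained model, as an added illustration that is not part of the original post or of any vendor product; the log lines, device names and privilege table are all constructed.

```python
from collections import Counter

# Constructed user -> allowed services table (an assumed, simplified privilege model)
PRIVILEGES = {
    "alice": {"fileshare", "printer"},
    "bob": {"printer"},
    "svc-backup": {"fileshare", "backup"},
}

# Constructed history of successful trust handshakes:
# timestamp user device service result
HISTORY = """\
2024-05-01T08:00:00 alice laptop-01 fileshare ok
2024-05-01T08:05:00 alice laptop-01 printer ok
2024-05-01T09:00:00 bob laptop-02 printer ok
2024-05-01T23:00:00 svc-backup backup-srv fileshare ok
""".splitlines()

def parse(line):
    ts, user, device, service, result = line.split()
    return {"ts": ts, "user": user, "device": device, "service": service, "result": result}

def learn_baseline(lines):
    """Baseline = how often each (device, service) pair has completed a handshake."""
    return Counter((e["device"], e["service"]) for e in map(parse, lines) if e["result"] == "ok")

def flag_attempts(lines, baseline, privileges, min_seen=1):
    """Return (entry, reasons) for every attempt that deviates from baseline or privilege."""
    flagged = []
    for e in map(parse, lines):
        reasons = []
        if baseline[(e["device"], e["service"])] < min_seen:
            reasons.append("device has not previously connected to this service")
        if e["service"] not in privileges.get(e["user"], set()):
            reasons.append("user is not authorized for this service")
        if reasons:
            flagged.append((e, reasons))
    return flagged

# Constructed new handshake attempts to evaluate against the learned baseline
NEW = """\
2024-05-02T08:01:00 alice laptop-01 fileshare ok
2024-05-02T03:10:00 bob laptop-02 fileshare ok
2024-05-02T03:12:00 bob iot-cam-07 backup ok
""".splitlines()

if __name__ == "__main__":
    for entry, why in flag_attempts(NEW, learn_baseline(HISTORY), PRIVILEGES):
        print(entry["ts"], entry["user"], entry["device"], entry["service"], "->", "; ".join(why))
```

Raising `min_seen` makes the baseline check stricter, which is the knob a real deployment tunes to trade missed attacks against the false positives the text describes.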

Zero Trust makes a lot of sense for today’s networks that often don’t have a well-defined perimeter.  But while Zero Trust is necessary, it’s not usually sufficient to fully protect a diverse and distributed network.  UEBA represents a critical method to supplement Zero Trust to make such networks even more secure.

Learn More About Zero Trust

The zero trust security model is in vogue and the term is being adopted by all manners of security vendors, whether it truly applies to them or not. At Gurucul, we’ve embraced the zero trust concept since our founding in 2010. We invite you to schedule a demo to see our security analytics platform in practice. Learn how we can protect you from new and emerging cyber threats, regardless of where they originate.

Watch our Webinar

Watch the Zero Trust Security Webinar for an expert analysis on the unique role that behavior analytics and security automation plays in achieving a genuine zero trust environment.

Webinar on Demand: Security Analytics Makes Zero Trust Possible
