The Zero Trust security model assumes that the threat is already in the network. No user, device, application, or data flow is trusted by default, and every one of them must be monitored continuously for anomalous or malicious activity.
Zero Trust and Secure Access Service Edge (SASE) go hand in hand. The initial input into SASE is identifying users and restricting how they get into the environment, and that is where Zero Trust starts. One of the fears about SASE is that it requires a lot of changes. There are certain changes you must make in your approaches and policies, but it doesn’t require a huge re-architecture.
A good place to start is with Zero Trust and privileged access. Move away from granting everyone access to everything on the network through a VPN. Instead, give users very specific access to applications and resources based on their roles and responsibilities. That’s called least privilege: whatever you’re supposed to be touching and doing is all you should have access to, and nothing more. Granular policies of that kind are where Zero Trust is especially effective.
The challenge with Zero Trust is that it still doesn’t necessarily prevent a breach. A lot of marketing claims say that Zero Trust can help prevent breaches. In actuality, Zero Trust can only help limit the scope of an attack. It may not stop the initial compromise, but it can limit where an attacker can go if they don’t have the access rights, or can’t get into certain applications, because of least-privilege access. Zero Trust does help with that.
The flaw is that threat actors often hold a ton of credentials harvested from multiple people at an organization. If attackers have a single set of credentials, they maybe get into one user’s account. But if they’ve gotten into multiple accounts, harvested credentials from the dark web, or obtained an organization’s list of usernames and passwords, you’re granting them full access. Each account may have least privilege, but together those accounts give access to lots of different systems. Zero Trust can reduce the noise for a security team, but it won’t solve all your problems. It’s not a silver bullet. You still need a strong threat detection and monitoring program.
So where should you invest in 2022? You need to look for ways to improve your security operations by incorporating better analytics that understand privileged access violations. That means leveraging behavior analytics. You need to be able to identify whether you’re looking at an insider threat or being attacked by an external threat actor. You need to be able to gather all the information around a user that’s coming in and their different accounts, classify that risk, and then look at all the behaviors associated with it.
This is where you’ve got things like fraud analytics, which monitors cross-channel transactions and identifies risky behavior patterns in real time. If you can combine user behavior activity with privileged access and transaction patterns across cloud and on-prem solutions, you’ve got a very strong detection program. Whether it’s around a Zero Trust program, insider threats, or external threat actors coming in through phishing attacks, it’s that combination of what’s occurring that’s incredibly valuable.
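As an added illustration of the point above (example code, not from the post or from Gurucul), here is a small Python detector over constructed gateway events: a least-privilege check on its own only sees bob’s denied attempt, while the behavioral signal, one source authenticating as several accounts within a short window, is what surfaces erin’s in-role access to payroll-db. The event fields, the role policy, the window, the thresholds and the score weights are all assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs): what a Zero Trust access gateway
# might emit for logins and resource requests. "ts" is in seconds.
EVENTS = [
    {"ts": 100, "user": "alice", "src": "10.0.0.5", "resource": "hr-portal", "ok": True},
    {"ts": 120, "user": "bob", "src": "10.0.0.9", "resource": "git", "ok": True},
    {"ts": 130, "user": "bob", "src": "10.0.0.9", "resource": "payroll-db", "ok": False},
    # One external source authenticating as several accounts within a few seconds
    {"ts": 200, "user": "carol", "src": "203.0.113.7", "resource": "vpn", "ok": True},
    {"ts": 205, "user": "dave", "src": "203.0.113.7", "resource": "vpn", "ok": True},
    {"ts": 209, "user": "erin", "src": "203.0.113.7", "resource": "vpn", "ok": True},
    {"ts": 215, "user": "erin", "src": "203.0.113.7", "resource": "payroll-db", "ok": True},
]

# Hypothetical least-privilege policy: the resources each user's role entitles them to.
POLICY = {
    "alice": {"hr-portal"}, "bob": {"git"}, "carol": {"vpn", "crm"},
    "dave": {"vpn", "git"}, "erin": {"vpn", "payroll-db"},
}

def out_of_role(events, policy):
    """Requests for resources outside the user's entitlements, allowed or denied."""
    return [e for e in events if e["resource"] not in policy.get(e["user"], set())]

def shared_sources(events, window=60, min_users=3):
    """Sources that log in as at least min_users distinct accounts within `window` seconds."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            by_src[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, logins in by_src.items():
        for t0, _ in logins:  # slide a window starting at each successful login
            users = {u for t, u in logins if t0 <= t <= t0 + window}
            if len(users) >= min_users:
                flagged[src] = users
                break
    return flagged

def risk_scores(events, policy):
    """Fuse both signals into one per-user score, highest first (a toy risk engine)."""
    scores = defaultdict(int)
    for e in out_of_role(events, policy):
        scores[e["user"]] += 5 if e["ok"] else 2  # a succeeded out-of-role access is worse
    flagged = shared_sources(events)
    for e in events:
        if e["ok"] and e["src"] in flagged:  # every action from a flagged source counts
            scores[e["user"]] += 10
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```

Note that erin’s payroll-db request is within her role, so least privilege alone would never flag it; only the correlation with the shared source pushes her to the top of the list.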
At the end of the day, all roads lead to Gurucul Next Gen SIEM. It’s incredibly effective to have all these different types of analytics powered by true machine learning, with a risk engine that takes the analytics and prioritizes risk. Applying all these analytics together is where you can really solidify your threat detection program without adding resources to your current environment. A modular architecture is important. It might be that fraud analytics is for you: if you’re a financial institution, you definitely want it, and a healthcare organization certainly needs to be able to detect and prevent fraud. But if you’re critical infrastructure, maybe you don’t care about fraud as much, so you don’t need that module.
Open architecture with out-of-the-box (OOTB) machine learning models is key. Machine learning modeling is so important, and a black-box architecture for your machine learning isn’t going to help you, because then you’re very reliant on that vendor to create new models. If I have my security team and an easy way to build my own models, then when I see something suspicious or know some activity is wrong, I can modify those models easily. Heck, if I have an open community sharing models, other users in my environment can contribute to that. That is much more efficient at stopping threat actors, especially when new and emerging attacks and variants come up.
Want to hear directly from me on this topic? Watch this webinar, where I talk about it and the recommendations for 2022 that every CSO should consider.