2022: The Year of Zero Trust

This year, if there’s one thing you should change about the way you work, it’s this: trust no one. In fact, you shouldn’t even trust yourself.

And no, this isn’t about office politics, or interpersonal drama, or break room food heists. This is about the new prevailing school of thought in the cybersecurity industry: Zero Trust.

You may have heard this buzzword, or seen it recently pop up in your newsfeed, and for good reason. Cybercrime is on the rise. The bad actors that perpetrate it are growing in numbers. And to make matters worse, more than 80% of cyberattacks involve stolen credentials, or the misuse of credentials.

So what does this mean? Essentially, it’s bad no matter which way you spin it; either a bad actor breaks into your network using a password they stole via social engineering, an employee accidentally falls victim to a phishing email, or an internal user purposefully misuses their credentials to harm your network.

Basically, if a password exists, it’s only a matter of time before someone nullifies its purpose.

In fact, as we presented in our Coffee with Cobb episode: Future-Proofing Your Healthcare Organization, almost half of all healthcare-related cyber breaches were due to healthcare employees themselves stealing patient records to sell on the dark web.

MUCH ADO ABOUT SOMETHING - THE THREE PRINCIPLES OF ZERO TRUST ARCHITECTURE

Well, people have started to notice, and they started doing something about it. In 2020, NIST (National Institute of Standards and Technology) released a guideline that all federal offices must make use of Zero Trust Architecture.

In this release, three main principles were set forth that serve as the hallmarks of Zero Trust Architecture:

1. Continuous Verification: Every time a user accesses an account or system, they must input their credentials, no matter their permissions and security authorizations.
   
   
2. Limit the impact of breaches: Information should be siloed and protected using the principle of least privilege in order to reduce the “blast radius” of an intrusion.
   
   
3. Automate context collection and response: Use behavioral data to determine context, and identify endpoints, user identities, and workloads.

Let’s get into what this means for your network.

CONTINUOUS VERIFICATION

You’ve probably heard of multi-factor authentication by now. In case you haven’t, MFA adds another layer of security to an account by requiring a second, temporary piece of information is input in addition to your username and password when accessing an account or service.

Think of when you access your bank account online, and they send a six-digit code to your phone, which you then have to input before checking your balance.

Continuous verification works in a similar manner. Imagine you’re using Excel. When you open Excel, you’d need to input your username and password. If you used MFA, you’d then need to enter another code to finally gain access to your sheets.

Now, imagine you open a sheet that contains your organization’s quarterly report. This document would require you enter another password to access it.

That’s continuous verification: any time you access anything, you must provide the necessary key. Now, continuous verification isn’t without its caveats; it doesn’t mean that every time you open a file, you need to input a password. Such a security protocol would be too disruptive, and you’d never actually do any work — you’d just type passwords and read automated text messages all day.

Continuous verification uses risk based conditional access. Basically, every time you do something in an account or system that requires more user permissions than the previous task, you are prompted to input a new password or code.

Think of it like a skyscraper with a security checkpoint on each floor. Once you’ve entered your username and password, you gain access to the lobby. Want to use the elevator to get to the second floor? You’ll need a password for that, and for every floor above it.

In short, continuous verification boils down to “never trust, always verify.”

REDUCE IMPACT

An ounce of prevention is worth a pound of cure. Zero Trust embraces the fact that eventually, a network’s defenses will fail. The only truly secure computer is one that isn’t plugged in, after all.

So, how do you reduce the impact of an intrusion to your network? Well, most breaches follow the same pattern: a bad actor gains access to a set of credentials, which they use to gain access to a user with higher permissions, which they then use to access more secure systems, eventually leading to gaining control of the entire network.

This pattern is possible because at some point, the bad actor will gain access to a user or service account with more user permissions than the account should have. In almost every organization, there’s an admin account that can access any system, any account, and any device. Once a bad actor has that account under their control, there’s very little you can do to regain control of your network.

So, in order to best prevent this pattern from occurring, Zero Trust Architecture employs the “least privilege principle.”

What this means is that if a user only needs to access Excel, their email, and Word to complete their daily tasks, that’s all that user can access, without inputting a password.

Or, if a service account has the authority to access your organization’s print server, it will only have permissions to access and change that server. For a bad actor, a proverbial golden goose is a service account with too high a level of user permissions.

This is because service accounts are generally not used every single day — how often does a print server need to be maintained? If that print server also has access to network permissions, a bad actor can use this to their advantage, and wreak havoc throughout the network before anyone notices malicious activity coming from the service account.

If your accounts’ user permissions are appropriately set to only allow them access to the tools they need, and they must input a password every time they request a new level of access, a bad actor no longer has a smooth road to admin access — they’re faced with hopping from island to island, if they can even cross the choppy water between them.

Think of it like this; fuel bunkers are built with thick walls and flimsy roofs, so if they were to explode, the blast goes upwards, not outwards. The fuel bunker is still destroyed, but the buildings around it are saved. That’s the power of appropriate user permissions.

AUTOMATE CONTEXT COLLECTION AND RESPONSE

When your network experiences a breach, there’s only one way to be sure that it doesn’t happen again: learn from it. NIST Zero Trust Architecture guidelines state you should collect information on the following data points:

• - User Credentials
• - Workloads (think workspaces)
• - Endpoint (any device connected to the network)
• - Network
• - Data
• - Other sources: APIs, SIEM, SSO, Identity Providers, Threat Intelligence

So, basically, if it’s digital, and is connected to your office’s network, it needs to be monitored and tracked.

How do you realistically monitor all this data? A scope of work such as this would necessitate an entire IT team to constantly monitor your network for intrusion forensics. That’s why NIST recommends (and standardizes) automation.

Luckily, the anti-virus industry has seen a ton of advancement in the past few years. One such advancement is Endpoint Detection and Response, more commonly referred to as EDR. EDR fulfills the same purpose as standard AV software but takes protection against viruses to a whole new level.

We have a blog about EDR that goes in depth about the topic, but let’s quickly cover how EDR differs from standard AV.

AV software is reactionary when faced with a new virus. If your AV software has a virus profile, and detects that virus, it will automatically quarantine the infected file, and cordon it off from the rest of your computer. It will then send you an alert about the attempted intrusion.

If your AV software meets a virus it’s never seen before, it will allow the virus to pass through unhindered. Essentially, AV software only blocks viruses because the developer of the AV software sends out virus profiles to computers that have their AV installed. This is why it’s so important to update your AV software regularly — without the updates, there’s no way for your AV to know what to protect against.

EDR makes use of virus profiles just like AV software, but also uses artificial intelligence to detect uncharacteristic user behavior, strange file properties, and CPU usage and RAM spikes. Basically, EDR learns what your usual usage patterns are. Do you check your email every five minutes? Do you download the same automated report every week? Do you take three minutes every morning to listen to your favorite song?

EDR pays attention to what you do, how you do it, and when you do it. Imagine you download that automated report, but the file name is vastly different than usual, or the size of the file is bloated compared to the usual megabytes it takes up. EDR will flag that file as suspicious, and automatically cordon it off.

After a file is flagged, you’ll be notified, and your IT team will be notified as well. They’ll then have the opportunity to inspect the file before it has the chance to infect your computer. If the file is clean, it will be released, and you can interact with it as normal. If the file carries a virus, your IT team can create a virus profile based on the information the EDR collected, and then delete the file, all without it actually infecting your computer or your network.

In short, EDR collects data on all points laid out by NIST Zero Trust Architecture guidelines and automates the context collection and response portions. Check and mate.

HOW TO BUILD ZERO TRUST ARCHITECTURE IN YOUR ORGANIZATION

Below is a list of what a Zero Trust Architecture must monitor in real time, to allow continuous vetting of user and device behavior:

• - User profiles and credentials (as well as if it’s a user or a program)
• - Device privileges
• - Behavior patterns for users and devices
• - Device hardware and functions
• - Device geo locations
• - Firmware
• - Authentications
• - Operating system versions and patches
• - Applications installed on devices
• - Incident detection and reporting

Now, that seems like a lot, because it is. But, luckily, EDR automates the reporting and monitoring for all of those data points required by NIST.

The hard part is figuring out how to implement Zero Trust Architecture; which devices should be privileged? Which users should have which permissions? What are the necessary tools an employee needs, without giving them too much access, and without stifling their ability to work? What permissions, files, and programs have a higher risk factor? What permissions, files, and programs have a low risk factor? How will your employees keep track of all these passwords?

As you can see, there’s a lot of questions you’ll need to ask and answer to determine what your Zero Trust Architecture will actually be, and how it will be implemented throughout the network of your organization.

We recommend you start with 3 steps:

1. Visualize your network. Get a whiteboard and map it out. Users, endpoints, servers, and applications.
2. Create barriers of trust. Determine what is high and low risk, and set user, account, and device permissions based on each risk factor.
3. Educate your users on the changes, so they know what to expect and how to navigate their new user experience based on the permissions you set in step 2.

From this point, your IT team will have their work cut out for them to set permissions and passwords, but there’s nothing uniquely challenging about doing so.

HOW TO KNOW IF YOUR ORGANIZATION WILL BENEFIT FROM ZERO TRUST ARCHITECTURE

Below, you’ll find a list of use cases that will immediately benefit from implementing Zero Trust Architecture:

• - Cloud and hybrid environments
• - Legacy systems
• - SaaS applications
• - You suffered a ransomware attack
• - You suffered a supply chain attack
• - You suffered an attack from an internal malicious user
• - Your organization needs a SOC
• - Industry standards are regulations dictate the need for Zero Trust Architecture
• - Cyber Liability Insurance requirements dictate the need for Zero Trust Architecture

There’s a lot that goes into designing and implementing Zero Trust Architecture. Even thinking about the work required can be scary. What’s even scarier, however, is what can happen if your network is too trusting.

If you’d like to learn more about Zero Trust Architecture, or have questions about how to implement it, reach out to us here.