Zero Trust security has arrived in full force, and that’s a very good thing for every cyber security practitioner. While the concept has been around since the 1990’s when Stephen Marsh wrote about “Formalising Trust as a Computational Concept,” the COVID-19 pandemic and resulting shift to a remote and hybrid workforce has ‘zeroed in’ attention on Zero Trust more than ever and accelerated adoption and implementation.
A Zero Trust architecture is a move in the right direction and a good match for a Work-from-Anywhere world. It turns the notion of “trust someone forever who has logged in” on its head and applies a model of “trust, but verify” to every interaction with a system. The requirement to constantly authenticate and authorize users and systems undoubtedly helps security. When applied to insider threat protection, however, we must be careful to avoid past mistakes that hamper user acceptance and productivity.
With Zero Trust top of mind for so many business and IT leaders, we realize there’s a need for more resources on the concept. For this reason, we recently co-authored an e-book with Splunk, “An Insider Risk Management Approach to Zero Trust,” which helps to educate readers on what Zero Trust is and isn’t, lessons learned from the misapplication of various security solutions that can help apply Zero Trust to insider threat protection, how to use risk-based analytics to prevent data theft, and more.
For those of you interested in more in-depth education, you can read the full e-book, or if you want the (semi!) Cliff Notes version, this two-part blog series summarizes the seven steps to an insider risk management approach to Zero Trust. Let’s dive in.
Step One: Understanding What Zero Trust Is
Zero Trust is a concept, not a product. Instead of verifying credentials once and trusting them thereafter, Zero Trust is centered on the idea that we cannot implicitly trust anything or anyone. Constant verification of identity and authorization is required.
As a real-world example, think healthcare. Anyone who has been to a healthcare facility knows that they will be asked their name and date of birth multiple times—often by every new person that interacts with them. This isn’t because the doctor or nurse doesn’t trust the individual, but only by continuously “authenticating” them can they ensure they are treating the right patient and performing the correct procedures. At a high level, this describes the principle of Zero Trust.
Step Two: Learning from Traditional Approaches to Insider Risk
Insider risk management solutions use a variety of approaches, each with their own strengths and weaknesses. These include Data Loss Prevention (DLP), User Activity Monitoring (UAM) and User/Entity Behavior Analytics (UBA/UEBA). And, as the market has matured, we’ve seen a convergence in the primary approaches leveraged in a Zero Trust architecture.
What’s often missing from these solutions, however, is a human-focused approach. Parts of each of these solutions have value in a Zero Trust world when coupled with a human approach to insider threats. For example, this means taking rules from DLP for known bad behavior, machine learning and behavior analytics based on meta-data derived directly from machines, applications and data to eliminate ‘noise.’ This can then help to more accurately identify malicious intent and deliver a privacy-first approach to UAM that protects employees in a risk proportionate manner.
Step Three: Understanding the Data Sources for a Human-focused Approach
Zero Trust relies on accurate data from users, devices, networks, and applications. It then uses automation and analysis to process that data to identify threats and block attacks in an effort to minimize the “blast radius” in the event of an incident.
Over time, enterprise security has adopted “layered security.” Organizations have deployed point solutions including firewalls, intrusion prevention, web application firewalls, and more on the network, as well as anti-virus, data loss prevention, and endpoint detection and response on endpoints. From an operational standpoint, it’s up to the SOC to manage the huge volume of information these solutions provide.
Much of this data is noisy, the product of cyber sensors that capture machine logs, and point-in-time user interaction with data, systems and other security mechanisms. The result is piles of uncorrelated data that must be stitched together to find sequence and meaning, all of which is reactive post-incident and thus does very little to prevent data loss or a malicious insider threat from achieving their goals. Therefore, it’s critical that organizations understand how to identify and analyze the right data.
Worthy of a Sequel
We know that we’ve shared a significant amount of background on Zero Trust, traditional approaches to insider risk and the crucial nature of accurate data sources. With that, we’d like to take a moment to pause as to not provide too much information at once in our Cliff Notes version.
Stay tuned for part 2, where we share the remaining four steps in the process of how to take an insider risk management approach to Zero Trust. And, if you can’t wait to learn more, please read the full e-book or reach out to our team directly for a live discussion: https://www.dtexsystems.com/contact-us/.