A New Paradigm for Zero Trust

Intrusion Team
Jul 19, 2021

According to AT&T: Zero Trust is a cybersecurity model with a tenet that any endpoint connecting to a network should not be trusted by default. With Zero Trust, everything and everyone—including users, devices, and endpoints—must be properly verified and “trusted” before access to the network is allowed.

They say the protocols for a Zero Trust network ensure very specific rules are in place to govern the amount of access granted, based upon the type of user, location, and other variables. If the security status of any connecting endpoint or user cannot be resolved, the Zero Trust network will deny the connection by default. If the connection can be verified, it will be subject to a restrictive policy for the duration of its network access.

Furthermore, AT&T says Zero Trust networks operate under the least-privilege principle, in which all programs, processes, devices, or users are limited to the minimum privileges required to carry out their functions. Access rights need not be overly restrictive; privileges can range from full access to no rights at all, depending on the circumstances.

Microsoft describes it concisely: Zero Trust requires that every transaction between systems (user identity, device, network, and applications) be validated and proven trustworthy before the transaction can occur. In an ideal Zero Trust environment, the following behaviors are required:

  • Identities are validated and secure with multifactor authentication everywhere. Using multifactor authentication eliminates password expirations and eventually will eliminate passwords. The added use of biometrics ensures strong authentication for user-backed identities.
  • Devices are managed and validated as healthy. Device health validation is required. All device types and operating systems must meet a required minimum health state as a condition of access to any Microsoft resource.
  • Telemetry is pervasive. Pervasive data and telemetry are used to understand the current security state, identify gaps in coverage, validate the impact of new controls, and correlate data across all applications and services in the environment. Robust and standardized auditing, monitoring, and telemetry capabilities are core requirements across users, devices, applications, services, and access patterns.
  • Least privilege access is enforced. Limit access to only the applications, services, and infrastructure required to perform the job function. Access solutions that provide broad access to networks without segmentation, or that are not scoped to specific resources, such as broad-access VPN, must be eliminated.

Zero Trust, according to MalwareBytes, is billed as a comprehensive approach to securing access across networks, applications, and environments from users, end-user devices, APIs, IoT, micro-services, containers, and more. While aiming to protect the workforce, workloads, and workplace, Zero Trust does encounter some challenges. These include:

  • More and different kinds of users (in office and remote)
  • More and different kinds of devices (mobile, IoT, biotech)
  • More and different kinds of applications (CMSes, intranet, design platforms)
  • More ways to access and store data (drive, cloud, edge)

It all makes perfect sense, and you would think that in this day and age everyone is moving forward rapidly to achieve Zero Trust for their networks.

While there is a lot of variance across sources in how they specifically define Zero Trust, the common denominator across all definitions is that devices in your environment should only connect and communicate with devices that are trusted. While that sounds straightforward enough, getting to Zero Trust has proven to be expensive, time- and resource-consuming, and difficult to sustain.

Pay closer attention to what MalwareBytes is saying. It is just not so easy to migrate whatever your current environment is to a complete Zero Trust without most likely causing some hiccups along the way. Think of it this way: if the cybercriminal really wants to hurt you, they just need to scare you enough to make you want to migrate to a Zero Trust environment as fast as possible. They know you are going to break pieces of your network and processes trying, costing you time and a lot of money. If the cybercriminal’s only intent is to see you suffer and lose business, watching you try to migrate to Zero Trust too quickly will surely accomplish their mission.

What can you do? Most Zero Trust models as described above focus on internals and behaviors to establish trust among validated users and devices. As AT&T says above: if the security status of any connecting endpoint or user cannot be resolved, the Zero Trust network will deny the connection by default. The connection in question is that of an authorized user to an authorized network resource to perform authorized actions. If you are already considering connections, and enforcing Zero Trust between your network users and resources, why wouldn’t you also consider the trust, or lack of trust, of every single incoming and outgoing packet to and from your network?

Your approach needs to take that word connecting, or anything that establishes connections, seriously. You cannot rely on man-made firewall rules that depend on constantly changing IP and DNS environments. You simply cannot keep up. Also, you need to think about connections both coming into and leaving your network for the internet. You may think your current firewall and IDPS solution is all you need. Keep this in mind: nearly every major ransomware attack probably walked right through those companies’ existing firewalls and IDPS. Why?

Zero Trust is more. At the top level of connectivity to the internet, it means you should not trust any packets in any direction, in or out of your network. You need to know that every packet originates from or is destined for a validated, highly reputable, low-risk domain and IP. If a packet comes from or is going to anything else, that packet should be killed in its tracks. We prove this over and over with each new client: they have devices on their networks communicating with high-risk, low-reputation domains and IPs. Why? Your network already has infected devices or IoT living on it. We prove this everywhere we go, in every demo we provide on new clients’ networks.

A new paradigm for Zero Trust

At Intrusion, we have built a solution, Shield, that delivers Zero Trust naturally and instantly. The cornerstone of Shield is our advanced threat intelligence with historical reputation on over 8.5B IPs (5.1B of which are known good and 3.5B are known bad). It inspects all incoming and outgoing connections, determines in real time whether the connection is trusted, and kills the connection if it is not. It also instantly kills any connection with an unknown IP.

For Zero Trust to be effective, you need 100% of your network traffic packets inspected in real time, without introducing latency to your network. Your approach must consider such a solution if you want the last tactical mile of assurance in a Zero Trust environment. Whether your users believe they are in a secure, encrypted internet browsing mode, or your unpatched, zero-day-vulnerable operational software is beaconing out to anyone listening, we have a solution that inspects every single packet regardless of source and uses AI to determine if it should be allowed or killed in its path.
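As an added illustration of the bidirectional, default-deny reputation check described above (example code written for this page, not Intrusion’s Shield or its threat-intelligence data), the reputation table and the flow log lines below are constructed, and the longest-prefix lookup is an assumed design:

```python
import ipaddress

# Constructed reputation table keyed by prefix. A real deployment would load
# this from a threat-intelligence feed; these ranges and verdicts are made up.
REPUTATION = {
    ipaddress.ip_network("10.0.0.0/8"): "good",       # assumed internal network
    ipaddress.ip_network("203.0.113.0/24"): "good",   # documentation range, labelled known good
    ipaddress.ip_network("198.51.100.0/24"): "bad",   # documentation range, labelled known bad
}

def reputation(ip: str) -> str:
    """Longest-prefix match against the table; anything not listed is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, verdict in REPUTATION.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, verdict)
    return best[1] if best else "unknown"

def decide(src: str, dst: str) -> str:
    """Zero Trust gate for one connection, regardless of direction: allow only
    when both endpoints are known good; known-bad or unknown on either side kills it."""
    verdicts = (reputation(src), reputation(dst))
    if "bad" in verdicts:
        return "kill:bad-reputation"
    if "unknown" in verdicts:
        return "kill:unknown"
    return "allow"

def evaluate_flows(lines):
    """Parse constructed 'HH:MM:SS src:port -> dst:port' lines into (decision, line)."""
    results = []
    for line in lines:
        _ts, src, _arrow, dst = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip = dst.rsplit(":", 1)[0]
        results.append((decide(src_ip, dst_ip), line))
    return results

SAMPLE_FLOWS = [  # constructed: outbound good, outbound to known bad, inbound from unknown
    "12:00:01 10.1.2.3:51000 -> 203.0.113.10:443",
    "12:00:02 10.1.2.7:51001 -> 198.51.100.5:8443",
    "12:00:03 192.0.2.44:40000 -> 10.1.2.9:22",
]

if __name__ == "__main__":
    for decision, line in evaluate_flows(SAMPLE_FLOWS):
        print(f"{decision:<20} {line}")
```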

We recommend you continue to perform network hygiene, patching, and rock-solid account management. You should have your SOC analysts continue researching alerts from your current firewall and SIEM products and triple-check proper device and network configurations. But if you would like to really enforce Zero Trust on your network, push the fight out to the most distant edge by contacting us to learn more.
