What is Zero Trust?
Zero Trust is a security framework requiring all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a hybrid of the two, with resources anywhere and workers in any location.
This framework is defined by various industry guidelines such as Forrester’s Zero Trust eXtended (ZTX), Gartner’s CARTA, and more recently NIST SP 800-207, as an optimal way to address current security challenges for a cloud-first, work-from-anywhere world.
Executing this framework combines technologies such as multi-factor authentication (MFA), identity and access management (IAM), identity protection, and next-generation endpoint security to verify the user’s identity and maintain system security. Zero Trust eXtended also requires consideration of data encryption, email security, and verification of the hygiene of assets and endpoints before they connect to applications.
Zero Trust is a significant departure from traditional network security, which followed the “trust but verify” method. The traditional approach automatically trusted users and endpoints within the organization’s perimeter, putting the organization at risk from malicious insiders and rogue credentials and allowing unauthorized and compromised accounts wide-reaching access once inside. This model became dated (and in some cases obsolete) as business transformation initiatives moved workloads to the cloud.
Zero Trust architecture therefore requires organizations to continuously monitor and validate that a user and their device have the right privileges and attributes. It requires that the organization know all of its service and privileged accounts and can establish controls over what and where they connect. One-time validation simply won’t suffice, because threats and user attributes are all subject to change.
As a result, organizations must ensure that all access requests are continuously vetted before a connection to any enterprise or cloud asset is allowed. That’s why enforcement of Zero Trust policies relies on real-time visibility into user credentials and attributes such as:
- user identity and type of credential (human, programmatic)
- number and privileges of each credential on each device
- normal connections for the credential and device (behavior patterns)
- endpoint hardware type and function
- geo location
- firmware versions
- authentication protocol and risk
- operating system versions and patch levels
- applications installed on endpoint
- security or incident detections including suspicious activity and attack recognition
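As an added example (not from CrowdStrike or the original page), the following Python sketch shows how a policy decision point might combine several of the attributes above into a single allow / step-up / deny decision that is re-run whenever a signal changes. The field names, the resource tiers, the 30-day patch threshold and the list of legacy protocols are assumptions chosen for illustration.

```python
# Added example (not CrowdStrike's code): a minimal policy decision function that
# turns the posture signals listed on the page into allow / step_up / deny.
# Field names, tier numbers and thresholds are illustrative assumptions.
from __future__ import annotations
from dataclasses import dataclass

LEGACY_PROTOCOLS = {"ntlm", "ldap-simple-bind"}   # assumed labels for weak auth
MAX_PATCH_AGE_DAYS = 30                           # assumed patch SLA


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    principal_type: str        # "human" or "programmatic"
    mfa_passed: bool           # MFA satisfied in this session
    auth_protocol: str         # "kerberos", "saml", "ntlm", ...
    device_id: str
    os_patch_age_days: int     # days since the last OS patch was applied
    sensor_healthy: bool       # endpoint agent running and reporting
    geo: str                   # country of the source address
    usual_geos: frozenset      # countries previously seen for principal+device
    resource: str
    resource_tier: int         # 0 = DCs / identity providers, 1 = sensitive, 2 = general
    open_detections: int       # active security detections on the device


def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is "allow", "step_up" or "deny".

    Meant to run on the initial request and again whenever any signal
    changes, so an already-established session can be cut off mid-flight.
    """
    reasons: list[str] = []

    # Hard denies: no extra authentication should override these.
    if req.open_detections:
        reasons.append("active detection on device")
    if req.resource_tier == 0 and req.principal_type == "programmatic":
        reasons.append("programmatic account reaching tier-0")
    if req.resource_tier == 0 and req.auth_protocol in LEGACY_PROTOCOLS:
        reasons.append(f"legacy protocol {req.auth_protocol} to tier-0")
    if req.resource_tier <= 1 and not req.sensor_healthy:
        reasons.append("endpoint sensor not reporting")
    if reasons:
        return "deny", reasons

    # Elevated risk: challenge rather than silently allow.
    if req.geo not in req.usual_geos:
        reasons.append(f"unusual geo {req.geo}")
    if req.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")
    if req.auth_protocol in LEGACY_PROTOCOLS:
        reasons.append(f"legacy protocol {req.auth_protocol}")
    if req.resource_tier <= 1 and not req.mfa_passed:
        reasons.append("sensitive resource without MFA")
    if reasons:
        # A human can answer a step-up challenge; a service account cannot,
        # so for programmatic principals elevated risk becomes a denial.
        decision = "step_up" if req.principal_type == "human" else "deny"
        return decision, reasons

    return "allow", reasons


if __name__ == "__main__":
    from dataclasses import replace
    session = AccessRequest(
        principal="alice", principal_type="human", mfa_passed=True,
        auth_protocol="kerberos", device_id="LAPTOP-01", os_patch_age_days=5,
        sensor_healthy=True, geo="US", usual_geos=frozenset({"US"}),
        resource="hr-app", resource_tier=1, open_detections=0,
    )
    print(evaluate(session))                              # allow
    print(evaluate(replace(session, geo="BR")))           # step_up: new geo
    print(evaluate(replace(session, open_detections=1)))  # deny: live detection
```

The property that matters is that `evaluate` is a pure function of the current signals: the same call runs on the initial request and on every later posture change (a new detection, a new location, an expired patch window), which is what makes the validation continuous rather than one-time.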
Organizations should thoroughly assess their network structure and access privileges to contain potential attacks and minimize the impact if a breach should occur. This can include segmentation by device type, identity, or group function. For example, protocols commonly abused for lateral movement, such as RDP or RPC to a domain controller, should always be challenged or restricted to specific credentials.
Over 80% of all attacks involve the use or misuse of credentials in the network. With constant new attacks against credentials and password hashes, additional protections for credentials and data include email security, CASB-type products, and web gateways that enforce stronger password policies, protect the integrity of accounts, and apply organizational rules that keep users away from high-risk shadow IT services.
Why is Zero Trust important?
Zero Trust is one of the most effective ways for organizations to control access to their networks, applications, and data. It combines a wide range of preventative techniques including identity verification and behavioral analysis, microsegmentation, endpoint security and least privilege controls to deter would-be attackers and limit their access in the event of a breach.
It is not enough to establish firewall rules and block by packet analysis: a compromised account that passes authentication at a network perimeter device should still be evaluated for each subsequent session or endpoint it attempts to access. Having the technology to recognize normal versus anomalous behavior allows organizations to step up authentication controls and policies rather than assume that a connection via VPN or secure web gateway (SWG) is fully safe and trusted.
This added layer of security is critical as companies increase the number of endpoints within their network and expand their infrastructure to include cloud-based applications and servers, not to mention the explosion of service accounts on microsites and other machines hosted locally, in VMs, or via SaaS. These trends make it more difficult to establish, monitor and maintain secure perimeters. Furthermore, a borderless security strategy is vital for organizations with a global workforce who offer employees the ability to work remotely.
Finally, by segmenting the network by identity, groups, and function, and controlling user access, Zero Trust security helps the organization contain breaches and minimize potential damage. This is an important security measure as some of the most sophisticated attacks are orchestrated by rogue credentials (insider or compromised).
The Next Sunburst Attack Example
The SUNBURST software supply chain attack, delivered through a trojanized update to SolarWinds Orion, demonstrates why organizations cannot drop their guard even for standard service accounts and previously trusted tools. Every network has automated updates within its technology stack, from web applications to network monitoring and security tooling. Automating patches is imperative to good network hygiene. However, even for mandatory and automated updates, Zero Trust means anticipating potentially malicious actions.
The technical analysis of the attack illustrates how any tool, especially one widely deployed in a network, can be subverted through its vendor or update mechanism, and how Zero Trust architecture principles should be applied to mitigate these threats.
Zero Trust and the principle of least privilege mandate strict policies and permissions for service accounts. Service accounts should have known, predictable behavior and limited connection privileges. Unless its function requires it, a service account should never directly access a domain controller or an authentication system such as AD FS, and any behavioral anomaly should be identified and escalated as it happens.
What are the Core Principles of the Zero Trust Model?
The Zero Trust model is based on the following principles:
- Re-examine all default access controls
- Employ a variety of preventative techniques that touch on identity, endpoint, data, and application access
- Enable real-time monitoring and controls to identify and halt malicious activity
- Align to a broader security strategy
1. Re-examine all default access controls.
In a Zero Trust model, there is no such thing as a trusted source. The model assumes would-be attackers are present both inside and outside the network. As such, every request to access the system must be authenticated, authorized and encrypted.
2. Leverage a variety of preventative techniques.
A Zero Trust model relies on a variety of preventative techniques to stop breaches and minimize their damage.
Identity protection and device discovery are core to a Zero Trust model. Keeping credentials and devices in an audit-ready state, knowing which devices exist and which credentials are on each, is the first step in Zero Trust: it establishes what is normal and expected across the extended network ecosystem. Knowing how these devices and credentials behave and connect allows organizations to apply effective identity challenges and step-up authentication to anomalies.
Multi-factor authentication (MFA) is one of the most common ways to confirm a user’s identity and raise the security of the network. MFA requires two or more independent pieces of evidence, typically a possession factor (an authenticator app, hardware token or platform authenticator) in addition to a password. Not all factors are equal: security questions and email or SMS confirmations can be phished or intercepted, whereas phishing-resistant factors such as FIDO2/WebAuthn cannot. Adding factors strengthens authentication only to the extent that the added factors are independent of, and resist the attacks that defeat, the first one.
Zero Trust also prevents attacks through least-privilege access, which means that the organization grants the lowest level of access possible to each user or device. In the event of a breach, this helps limit lateral movement across the network and minimizes the attack surface.
Finally, the Zero Trust model uses microsegmentation, a security technique that divides perimeters into small zones to maintain separate access to every part of the network, to contain attacks. This can be done by device and function or, most effectively, by identity, controlling groups and users. If a breach occurs, an attacker cannot move beyond the microsegment.
Preventative Zero Trust models can also employ email security solutions, encryption, and cloud access security brokers (CASBs) to protect credentials and extend challenges and Zero Trust policy to transactions with software service providers as well.
3. Enable real-time monitoring and controls to identify and halt malicious activity quickly.
While a Zero Trust model is largely preventative, the organization should also incorporate real-time monitoring so that it can respond within the adversary’s “breakout time”: the critical window between the compromise of the first machine and lateral movement to other systems on the network. Real-time monitoring is essential to the organization’s ability to detect, investigate and remediate intrusions.
Identity challenges need to occur in real time, at the domain controller as the authentication happens, rather than merely being logged and forwarded to a SIEM. Brute-force attacks against credentials and suspicious movement toward critical systems such as the domain controller need to be stopped or challenged as they occur, and then sent to monitoring systems to correlate with other incursions and attempts.
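To make the two points concrete (service accounts reaching a domain controller or AD FS, as in the Sunburst discussion above, and brute-force attempts challenged as they happen rather than only logged), here is an added example detector written for this page; it is not CrowdStrike code. The hostnames, the `svc_` naming convention, the space-separated event format, the learning and live logs, and the five-failures-in-60-seconds threshold are all constructed assumptions.

```python
# Added example (not CrowdStrike's code): a small real-time detector over
# authentication events. Hostnames, the "svc_" naming convention, the log
# format and the thresholds are assumptions for illustration.
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIER0_HOSTS = {"dc01", "dc02", "adfs01"}      # assumed domain controllers / AD FS
BRUTE_FORCE_THRESHOLD = 5                     # this many failures ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)    # ... within this window

# Constructed sample events (not real telemetry). Fields:
# timestamp account source_host destination_host protocol result
LEARNING_LOG = """\
2024-02-28T09:00:00 svc_backup SRV-07 FS01 kerberos success
2024-02-28T21:00:00 svc_backup SRV-07 FS02 kerberos success
2024-02-28T09:30:00 alice LAPTOP-01 hr-app saml success
"""

LIVE_LOG = """\
2024-03-01T09:00:00 svc_backup SRV-07 FS01 kerberos success
2024-03-01T09:01:00 alice LAPTOP-01 hr-app saml success
2024-03-01T09:02:00 bob LAPTOP-02 dc01 kerberos failure
2024-03-01T09:02:05 bob LAPTOP-02 dc01 kerberos failure
2024-03-01T09:02:10 bob LAPTOP-02 dc01 kerberos failure
2024-03-01T09:02:15 bob LAPTOP-02 dc01 kerberos failure
2024-03-01T09:02:20 bob LAPTOP-02 dc01 kerberos failure
2024-03-01T09:05:00 svc_backup SRV-07 adfs01 ntlm success
"""


def parse(line: str):
    ts, account, src, dst, proto, result = line.split()
    return datetime.fromisoformat(ts), account, src, dst, proto, result


def build_baseline(log_text: str) -> dict[str, set[str]]:
    """Learn, per account, the destinations it successfully reached during a
    quiet learning period. Only successes count as 'normal'."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        _, account, _, dst, _, result = parse(line)
        if result == "success":
            baseline[account].add(dst)
    return dict(baseline)


def detect(log_text: str, baseline: dict[str, set[str]]) -> list[tuple]:
    """Evaluate each event as it arrives; return (ts, rule, account, detail).

    Every alert is raised on the event itself, so the same call site could
    block or challenge the connection rather than only forward it to a SIEM.
    """
    alerts: list[tuple] = []
    failures: dict[str, deque] = defaultdict(deque)   # account -> recent failure times
    for line in log_text.splitlines():
        ts, account, src, dst, proto, result = parse(line)
        path = f"{src}->{dst} via {proto}"
        # Service accounts have no business on tier-0 identity systems.
        if account.startswith("svc_") and dst in TIER0_HOSTS:
            alerts.append((ts, "service_account_to_tier0", account, path))
        # Legacy protocols to tier-0 hosts are the classic relay/brute-force path.
        if dst in TIER0_HOSTS and proto == "ntlm":
            alerts.append((ts, "legacy_protocol_to_tier0", account, path))
        # Any destination outside the learned baseline is an anomaly to challenge.
        if account in baseline and dst not in baseline[account]:
            alerts.append((ts, "outside_baseline", account, path))
        # Sliding-window brute-force detection on failed authentications.
        if result == "failure":
            recent = failures[account]
            recent.append(ts)
            while recent and ts - recent[0] > BRUTE_FORCE_WINDOW:
                recent.popleft()
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append((ts, "brute_force", account,
                               f"{len(recent)} failures in {BRUTE_FORCE_WINDOW.seconds}s against {dst}"))
                recent.clear()   # one alert per burst, not one per extra failure
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_LOG, build_baseline(LEARNING_LOG)):
        print(*alert)
```

On the constructed live log this raises one brute-force alert for `bob` and three alerts for `svc_backup` at the moment it reaches `adfs01` over NTLM; four failures inside the window produce nothing, which is the trade-off a threshold always makes against slow, low-and-slow spraying.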
4. Align to the broader security strategy.
A Zero Trust architecture is just one aspect of a comprehensive security strategy. In addition, while technology plays an important part in protecting the organization, digital capabilities alone will not prevent breaches. Companies must adopt a holistic security solution that incorporates a variety of endpoint monitoring, detection and response capabilities to ensure the safety of their networks.
Companies should examine (and upgrade) older or weaker authentication mechanisms such as NTLM and unsigned or cleartext LDAP binds wherever possible, removing “easy access” for identity attacks. And, consistent with security advice since the dawn of time, patch all devices, services, applications, and firmware as quickly as possible once vendors release fixes for newly disclosed vulnerabilities.
Finally, as Sunburst showed, even innocent-seeming software updates to common systems can cause damage. A solid incident response plan, together with business continuity and recovery plans, helps at both ends of any unexpected incident or potential breach.
Tips for Achieving Zero Trust
Although each organization’s needs are unique, CrowdStrike offers the following recommendations to develop and deploy a Zero Trust model:
1. Assess the organization.
Define the attack surface and identify the sensitive data, assets, applications, and services (DAAS) within it. Identify and audit every credential active in the organization, disable stale accounts unused for more than 30 days, and review all privileges for risk and impact. Assess the organization’s current security toolset and identify any gaps in the infrastructure. Ensure that the most critical assets are given the highest level of protection within the security architecture.
2. Create a directory of all assets and map the transaction flows.
Determine where sensitive information lives and which users need access to it. Consider how the various DAAS components interact and ensure that access controls between these resources are consistent. Know how many service accounts you have and where they need to connect. Review all authentication protocols and remove, or raise connection challenges on, any outdated or weaker mechanisms (NTLM, simple-bind LDAP), which are often found on local legacy systems. Get a list of all sanctioned cloud services and restrict access to low-risk services. Remove stale accounts and enforce credential rotation.
3. Establish a variety of preventative measures.
Leverage a variety of preventative measures to deter hackers and thwart their access in the event of a breach, including:
- Multi-factor authentication: MFA is essential to achieving Zero Trust. It provides another layer of verification for every user inside and outside the enterprise, and should be triggered (or repeated as a step-up) when risk rises or traffic is anomalous.
- Least privilege principles: Once the organization has determined where the sensitive data lives, grant users the least amount of access necessary for their roles. Review privileged accounts regularly, and assess if those elevated privileges are required as a user moves from group to group.
- Microsegmentation: Micro-perimeters act as border control within the system, enforced per identity and credential, preventing unauthorized lateral movement. The organization can segment based on user group, location, or logically grouped applications.
4. Monitor the network continuously.
Identify where anomalous activity is occurring and monitor all the surrounding activity. Inspect, analyze and log all traffic and data without interruption.
Escalate and retain authentication logs for anomalous or suspicious traffic and activity. Have a clear action plan for behavioral anomalies in service accounts and other critical resources.
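As an added example of the assessment and directory steps above (not CrowdStrike code), the following Python audit runs over a constructed account inventory and reports stale accounts, privileged accounts (and which of those lack MFA), accounts still authenticating with weak protocols, and use of unsanctioned cloud services, then ranks accounts for remediation. The record format, the group names, the sanctioned-service list, the 30-day threshold and the fixed audit date are assumptions.

```python
# Added example (not CrowdStrike's code): an inventory audit for the
# "assess the organization" and "create a directory" steps. The account
# records, group names, sanctioned services and audit date are constructed.
from __future__ import annotations
from collections import defaultdict
from datetime import date

TODAY = date(2024, 3, 1)                       # fixed so results are reproducible
STALE_AFTER_DAYS = 30
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
LEGACY_PROTOCOLS = {"ntlm", "ldap-simple-bind"}
SANCTIONED_CLOUD = {"m365", "salesforce"}

# Constructed inventory: one record per account, as an IAM export might provide.
ACCOUNTS = [
    {"name": "alice", "type": "human", "groups": {"Domain Users"},
     "last_logon": date(2024, 2, 28), "last_protocol": "kerberos",
     "mfa_enrolled": True, "cloud_services": {"m365"}},
    {"name": "bob", "type": "human", "groups": {"Domain Users", "Domain Admins"},
     "last_logon": date(2024, 2, 27), "last_protocol": "ntlm",
     "mfa_enrolled": False, "cloud_services": {"m365", "pastebin"}},
    {"name": "carol", "type": "human", "groups": {"Domain Users"},
     "last_logon": date(2023, 12, 1), "last_protocol": "kerberos",
     "mfa_enrolled": True, "cloud_services": set()},
    {"name": "svc_backup", "type": "programmatic", "groups": {"Backup Operators"},
     "last_logon": date(2024, 2, 29), "last_protocol": "kerberos",
     "mfa_enrolled": False, "cloud_services": set()},
    {"name": "svc_legacy", "type": "programmatic", "groups": {"Domain Users"},
     "last_logon": date(2024, 1, 1), "last_protocol": "ldap-simple-bind",
     "mfa_enrolled": False, "cloud_services": set()},
]


def audit(accounts: list[dict], today: date = TODAY) -> dict[str, list]:
    """Return findings keyed by category; each value lists the affected accounts."""
    findings: dict[str, list] = defaultdict(list)
    for acct in accounts:
        name = acct["name"]
        # Stale: no logon inside the retention window.
        if (today - acct["last_logon"]).days > STALE_AFTER_DAYS:
            findings["stale"].append(name)
        # Privileged: membership in any tier-0 group.
        if acct["groups"] & PRIVILEGED_GROUPS:
            findings["privileged"].append(name)
            # Service accounts cannot answer an MFA prompt; they are constrained
            # by where they may connect instead, so only humans are checked here.
            if acct["type"] == "human" and not acct["mfa_enrolled"]:
                findings["privileged_without_mfa"].append(name)
        # Weak protocol still in use on the last authentication.
        if acct["last_protocol"] in LEGACY_PROTOCOLS:
            findings["legacy_protocol"].append(name)
        # Shadow IT: cloud services outside the sanctioned list.
        unsanctioned = acct["cloud_services"] - SANCTIONED_CLOUD
        if unsanctioned:
            findings["unsanctioned_cloud"].append((name, sorted(unsanctioned)))
    return dict(findings)


def remediation_order(findings: dict[str, list]) -> list[str]:
    """Accounts ranked by number of findings (most first, then by name), so
    the review starts with the identities carrying the most risk."""
    counts: dict[str, int] = defaultdict(int)
    for items in findings.values():
        for item in items:
            counts[item[0] if isinstance(item, tuple) else item] += 1
    return sorted(counts, key=lambda n: (-counts[n], n))


if __name__ == "__main__":
    result = audit(ACCOUNTS)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("remediate first:", remediation_order(result))
```

Running it against the constructed inventory puts `bob` (a domain admin without MFA, still using NTLM, and using an unsanctioned paste service) at the top of the remediation list, ahead of the stale legacy service account; in a real environment the records would come from the directory and IAM exports rather than an inline list.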
Challenges of Zero Trust
To truly understand Zero Trust at a granular level, we must understand the challenges enterprises face when implementing a Zero Trust framework. Here are some examples:
1. Legacy apps, legacy network resources, legacy authentication protocols and administrative tools are part of the network and of enterprise operations. For example, mainframes, HR systems, PowerShell and PsExec are too often excluded from the Zero Trust architecture. Remote Desktop Protocol (RDP) use has exploded with work-from-home employees, and DevOps requires RPC from VMs and cloud instances in multiple locations. Yet these are essential tools for operations, much like authentication protocols such as LDAP and NTLM that could use upgrading but are still required by existing legacy systems, where the cost of re-development has been continually put off in favor of new projects.
Traditionally, these have not been protected with identity verification, because re-architecting them is often cost-prohibitive. Many times these legacy systems are excluded from the approach, which makes them the weakest link. In other cases, security teams create an inconsistent user experience or, where possible (e.g. PsExec), prohibit tools outright, which reduces staff productivity. Adaptive or conditional access tools can extend step-up authentication via MFA or SSO to legacy systems, offering a frictionless Zero Trust experience that does not get in the way of daily activity while still monitoring what goes on.
2. Regulations have not yet adopted the Zero Trust model, which means organizations subject to compliance may have trouble passing an audit. If PCI DSS requires firewalls and segmentation of sensitive data, how do you pass an audit if there are no traditional firewalls? Will such a move put the whole environment in scope? What are the implications when a regulation mandates segmentation and Zero Trust achieves it differently? Regulations will need to change before this model can be used completely and robustly.
Can identity segmentation via identity security solutions satisfy audit requirements for credential and segmentation controls? Regulations are constantly being rewritten and improved, but the individuals writing them often have only a narrow understanding of the new security tools and processes on the market.
Additionally, Zero Trust architecture is measured mostly by the absence of successful breaches, which is harder to measure than major deliverables or findings. In the best sense, therefore, Zero Trust may be measured by the simplicity of its component pieces and how well they interoperate and integrate without placing undue security burden on the end user.
3. Audits vs. penetration testing and engagements: While passing audits is on every CISO’s mind, equal effort is needed on red team engagements in which current TTPs and incidents are simulated against the environment to find where the real security holes lie. MITRE’s ATT&CK framework and threat intelligence feeds can help organizations understand which major groups are attacking their industry and which steps can be taken to counter the most likely attackers.
4. Visibility and control within the network are often among the major factors challenging enterprises’ implementation of Zero Trust. Most organizations lack a comprehensive view into, or the ability to set policy around, all service accounts, individual users, and the privileges of each, and are thus vulnerable to threats posed by unpatched devices, legacy systems, and over-privileged or stale users.
While there are more examples, these topline points highlight that organizations are a long way from becoming 100 percent Zero Trust compliant, and getting there may mean rethinking IT infrastructure and combining security with architecture in decisions and planning. In the near term, a hybrid approach to Zero Trust will likely be the status quo.
How CrowdStrike Can Help
The CrowdStrike® Falcon platform provides real-time, continuous visibility and security across the organization’s assets regardless of whether they are on or off the enterprise network. CrowdStrike helps customers establish a comprehensive security strategy, including Zero Trust principles, to create a cybersecurity solution that is:
- Customizable: CrowdStrike Falcon® is easy to install, maintain and operate, and can be tailored to address each organization’s unique needs and protect individual assets.
- Actionable: CrowdStrike Zero Trust Assessment, available in Falcon Insight, determines endpoint health across the organization. With this real-time security posture assessment, customers can easily identify and update Falcon sensor policies and OS settings that are out of date or increase risk. Customers can share assessment scores with CrowdStrike zero trust ecosystem partners for real-time conditional access enforcement.
- Focus on Identity: Falcon Identity Protection tools offer full identity audits and understanding of accounts, protocols, and services accessed by each. The Falcon platform offers multiple APIs into partner MFA/IAM providers, SIEM, SOAR technologies, and more, letting you see end to end all your devices and identities, and control over those pieces in real time.
- Comprehensive: The Falcon platform provides continuous visibility and security across a variety of touchpoints, including endpoint hardware type, firmware versions, operating system versions, patch levels, vulnerabilities, applications installed, user and programmatic logins, and security or incident detections and, in the case of identity incidents and many types of lateral movement, prevention.
- Continuous: The Falcon platform enables ongoing, automatic monitoring, detection and response capabilities.
- Flexible: The Falcon platform is built for the future. The cloud security model is designed to protect against new threats, adapt to the landscape and scale to meet the organization’s changing needs.
- Open API First Platform: The Falcon platform provides a full-spectrum set of RESTful JSON APIs that enable customers and the CrowdStrike partner ecosystem to integrate third-party tools that help implement your Zero Trust architecture. Examples of third-party integrations include Okta, Zscaler, Netskope, Forescout, Splunk/Phantom and many more. CrowdStrike Identity Protection can feed directly into SIEMs via JSON, CEF, and LEEF formats, and into many SOARs.