Don’t Get Zero Trust Backward

You know the challenges of defending today’s data, network assets, and critical workloads. Digital transformation and increasingly distributed workforces, among other influences, have dissolved the traditional network perimeter. Threat actors are also becoming more sophisticated and more organized. And you know the solution. Vendors and analysts have told you the first step toward protecting your organization in this brave new world is deploying Zero Trust to keep out malicious actors. Unfortunately, that starts the Zero Trust journey on the wrong foot.

As a network security philosophy, Zero Trust means that no one inside or outside the network is trusted until their identity (and increasingly their device and context) has been thoroughly verified. Zero Trust also assumes that every attempt to access the network or an application is untrusted until it has been verified, rather than implicitly trusted because of where it comes from. Zero Trust Network Access (ZTNA) takes the model one step further by granting access only to the data, applications, and processes that individual users need to do their jobs (least privilege). For example, someone in Engineering should not have access to Finance or HR systems.

Starting your Zero Trust journey at access controls has become the go-to strategy for preventing breaches. You secure access to an organization’s applications, data, and services based on clearly defined access control policies. Unlike virtual private networks (VPNs), which grant access to an entire network, a Zero Trust approach grants access only to specific services or applications. As more users access resources from homes, coffee shops, airport lounges, and so on, this approach helps to eliminate gaps in VPNs and other secure remote access technologies and methods.

Is a malicious actor lurking in your network at this moment?

The approach sounds good in theory. The trouble is that threats and threat actors will get past even the best-laid plans of IT professionals and security vendors. A single click on a phishing attachment can take down your network or even your entire business. Cybercriminals have resorted to using slingshots to shoot contaminated USB drives over the fences of parking lots. Attackers have even penetrated "air-gapped" systems that are supposedly isolated from any contact with public networks.

For another example, low-observable characteristics (LOC) attacks such as fileless malware routinely evade antivirus, application allowlisting, and other conventional endpoint security solutions, because there is no malicious file on disk for those tools to scan. They often abuse legitimate and useful tools such as Microsoft Windows PowerShell, which system administrators use for task automation and configuration management. Since PowerShell combines a command-line shell with a full scripting language and direct access to the .NET and Windows APIs, it gives an adversary who is already running code on a host an easy avenue to just about everything in the Windows platform.

Supply chains — one of the weakest links in your security

A particularly worrisome attack vector, especially for ransomware, is the supply chain. According to a new report by Splunk regarding what bad things to watch for in 2022, ransomware is “the biggest security threat to most organizations today.” Plus, they go on to say it “will increase as cybercriminals professionalize — and leverage the supply chain.”

For example, in 2020, attackers weaponized legitimate software and successfully wreaked havoc on organizations around the globe, including the U.S. government. The U.S.-based software company SolarWinds provides system management tools for network and infrastructure monitoring to hundreds of thousands of organizations. Attackers compromised the build process of its Orion network monitoring platform and embedded a backdoor in signed, legitimate-looking software updates. In this supply chain attack, the trojanized update was delivered to thousands of SolarWinds customers, and the attackers used the backdoor to gain access to several U.S. government agencies and to private organizations around the world.

We could go on and on, and include everything from advanced persistent threats (APTs) using living-off-the-land techniques to the exploitation of the Log4j vulnerability (Log4Shell). However, the point of recounting all these risks is simply to emphasize the fact that at any given moment an attacker may have bypassed your controls and is inside your network. Once inside, if what they find is analogous to gaining access to the Tower of London and finding the crown jewels sitting around in unlocked boxes, you have a big problem.

Start deploying Zero Trust for internal networks

This explains why we say the conventional wisdom about your Zero Trust journey is backward. Because what happens when, for example, a trusted user brings a trusted application into the network from a trusted source — but it contains malicious code (like a Trojan horse)?

This supply chain attack scenario highlights the need to start with a Zero Trust strategy for your internal network. Based on the current state of the art, that means segmenting your network and ringfencing your assets to prevent malware from spreading like wildfire inside your infrastructure.

The current best practice for protecting assets inside the perimeter, and for preventing the spread of malware from one system to the next, is microsegmentation, which is essentially Zero Trust for your internal network. It extends the Zero Trust concept down to individual workloads and applications and creates secure zones in data centers and cloud deployments to protect critical applications: by default no workload may talk to another, and only the specific flows an application actually needs are explicitly allowed. That way, ransomware or a persistent intruder cannot freely roam your network looking for high-value targets and eventually stealing or encrypting data or damaging systems. In fact, a recently released Forrester New Wave report explains that since breaches are inevitable, organizations need to prevent lateral movement within their networks.

Now let's look at what happens in the supply chain attack example above with microsegmentation deployed to protect internal assets. Even when a threat bypasses all of our perimeter defenses, the malicious code may still run on the one infected machine, but it can only reach the few systems and ports that machine is explicitly allowed to talk to; it cannot freely propagate through lateral movement. As a result, you've shrunk the blast radius and minimized the impact of the breach.
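To make the default-deny idea concrete, here is a small label-based segmentation policy model, added as an example and not code from the original post or from any vendor product. Hosts, labels (role and environment), the allowed flows, and the "compromised web server" starting point are all constructed for illustration. It evaluates whether a given flow is permitted, computes the blast radius an attacker on one host can reach over allowed flows, contrasts that with a flat network, and renders the policy as nftables-style rules (assuming named address sets such as web_prod already exist on the enforcing host).

```python
"""Label-based microsegmentation: default deny, explicit allow.

Added example (not from the original post or any product).
All hosts, labels, ports and flows below are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    role: str   # e.g. "web", "app", "db"
    env: str    # e.g. "prod", "dev"


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    env: str        # in this model a rule never crosses environments
    port: int
    proto: str = "tcp"


# Constructed policy: only the flows the application genuinely needs.
# Anything not listed here is dropped.
POLICY = [
    Rule("web", "app", "prod", 8443),   # web tier -> app tier API
    Rule("app", "db", "prod", 5432),    # app tier -> Postgres
]

# Constructed inventory.
HOSTS = [
    Host("web-1", "web", "prod"),
    Host("web-2", "web", "prod"),
    Host("app-1", "app", "prod"),
    Host("db-1", "db", "prod"),
    Host("db-dev", "db", "dev"),
]
BY_NAME = {h.name: h for h in HOSTS}

# Ports an intruder would typically probe for lateral movement.
PROBE_PORTS = {22, 445, 3389, 5432, 8443}


def is_allowed(policy, src, dst, port, proto="tcp"):
    """Default deny: the flow is permitted only if an explicit rule matches."""
    if src.env != dst.env:          # environment boundary is never crossed
        return False
    return any(
        r.src_role == src.role and r.dst_role == dst.role
        and r.env == src.env and r.port == port and r.proto == proto
        for r in policy
    )


def reachable_from(policy, hosts, start, ports=PROBE_PORTS):
    """Blast radius: every host an attacker on `start` can reach, hop by hop,
    using only flows the policy allows on any of `ports`."""
    seen = {start}
    frontier = [start]
    while frontier:
        cur = frontier.pop()
        for h in hosts:
            if h in seen:
                continue
            if any(is_allowed(policy, cur, h, p) for p in ports):
                seen.add(h)
                frontier.append(h)
    return seen - {start}


def flat_network_reachable(hosts, start):
    """Contrast case: no segmentation, every host reaches every other host."""
    return set(hosts) - {start}


def to_nftables(policy):
    """Render the policy as nftables-style rules over named address sets.
    Assumes sets like @web_prod exist; the trailing drop is the default deny."""
    lines = [
        f"ip saddr @{r.src_role}_{r.env} ip daddr @{r.dst_role}_{r.env} "
        f"{r.proto} dport {r.port} accept"
        for r in policy
    ]
    lines.append("drop")
    return lines


if __name__ == "__main__":
    web1 = BY_NAME["web-1"]
    print("segmented:", sorted(h.name for h in reachable_from(POLICY, HOSTS, web1)))
    print("flat:     ", sorted(h.name for h in flat_network_reachable(HOSTS, web1)))
    print("\n".join(to_nftables(POLICY)))
```

Note what the blast radius shows: a compromised web-1 can still reach app-1 (over 8443) and, through it, db-1 (over 5432), because those are the application's real dependencies, but it cannot touch its peer web-2, the dev database, or any admin port. Segmentation shrinks the reachable graph to the dependency chain; closing those remaining edges is a matter of hardening the exposed services themselves.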

To learn more about microsegmentation and why Forrester says it “is essential for Zero Trust private networks,” read the report.