This was originally published in October 2011 on q1labs.com (which has been integrated into ibm.com and securityintelligence.com).
Give up the façade of control. Trust no one. Verify everything. Resistance is futile.
Okay, I added the last statement, but the first three come straight from a recent Forrester Research report, “Applying Zero Trust to the Extended Enterprise” by John Kindervag. In today’s zero-trust environment – driven by mobile computing, cloud computing, social media and partner collaboration – it’s impossible to control the network perimeter, the number of users accessing the network or the configuration of devices connecting to the network. It’s also impossible to predict when an employee will attempt insider theft or fraud, rendering the notion of a trusted insider obsolete.
As John first wrote last year:
The concept that there are trusted and un-trusted users is errant and dangerous. This is something we call Zero Trust. … Some of the key components of Zero Trust are that all users are un-trusted and that all traffic, both internal and external, must be inspected and logged.
This blurring of profiles between internal and external networks means organizations must perform comprehensive monitoring and analysis of all their networks, all the time.
John’s absolutely correct in my view (he was a security systems integrator before joining Forrester), but how do you do it?
Let’s consider three of the report’s recommendations, and apply practical Security Intelligence solutions for implementing them:
- Monitor what users are doing on the network. Forrester advises companies to monitor their employees’ activity on the network, because as the 2011 Verizon Data Breach Investigations Report notes, “insiders were at least three times more likely to steal IP [intellectual property] than outsiders.” This can be accomplished with a user activity monitoring solution that establishes baseline patterns of activity for each user, and then creates alerts when anomalous behavior is observed – applications/systems accessed, volumes of data sent/received, and so on. Security Intelligence solutions today provide a 360-degree view into what users are actually doing and the potential impact of their activities – by collecting and correlating not only log data, but also Layer 7 network flows, asset data, configuration information and vulnerability data to cover the pre-threat exposures.
- Inspect and log all traffic. As if you needed another reason to collect and analyze logs, Forrester highlights one of the Verizon breach report’s more striking observations – that good evidence of breaches usually exists in the victims’ log files. John therefore recommends “inspect[ing] and log[ging] all traffic… [using] threat mitigation controls such as firewalls and network IPSes, security information management (SIM) solutions, and network analysis and visibility (NAV) tools.” Logging is already well understood and commonly performed, but inspecting all traffic? That’s a whole other animal. One of the key points I take from this report is the importance of triangulating intelligence on risks and threats through multiple types of network data – logs from firewalls and IPSes, network flows from NAV solutions, and much more, all correlated and analyzed by a SIM/SIEM solution. Logs, even from multiple sources, aren’t enough any longer; deeper network insight is required. Security Intelligence technologies are equipped to provide just that through Layer 7 flow analysis which is incorporated into a holistic and strategic security solution.
- Deploy NAV tools to watch data flows and user behaviors. This recommendation elaborates on the need for situational awareness via proactive monitoring of internal networks. Would you know if an employee were stealing valuable product plans? Or downloading customer data to take to a competitor? Or if his system had been silently compromised by a bot? These are often difficult to detect until well after the fact, if ever. But a modern Security Intelligence solution will consume and correlate all the data you need to identify these scenarios in real time, by taking a 360-degree view of suspected incidents and ruling out false positives. That may sound like a tall order given the frequently massive data volumes involved, but current solutions are architected for just this kind of scale.
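To make the first recommendation concrete, here is an added illustration (example code written for this post's edit, not from the Forrester report or any Security Intelligence product) of a per-user baseline built from daily outbound volume and applications used, with alerts raised when a day's activity departs from it. The record format, user names, sample values and the three-sigma threshold are all assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample data (not real logs): per-user daily summaries of outbound
# bytes and applications used, as a SIEM might aggregate from Layer 7 flows.
BASELINE_WINDOW = [
    {"user": "alice", "bytes_out": 120_000, "apps": {"mail", "crm"}},
    {"user": "alice", "bytes_out": 130_000, "apps": {"mail", "crm"}},
    {"user": "alice", "bytes_out": 110_000, "apps": {"mail"}},
    {"user": "alice", "bytes_out": 125_000, "apps": {"mail", "crm"}},
    {"user": "bob", "bytes_out": 900_000, "apps": {"git", "ci"}},
    {"user": "bob", "bytes_out": 1_100_000, "apps": {"git", "ci"}},
    {"user": "bob", "bytes_out": 950_000, "apps": {"git"}},
    {"user": "bob", "bytes_out": 1_050_000, "apps": {"git", "ci"}},
]
# Day under evaluation (constructed): alice sends far more than usual and touches
# an app she has never used; bob's activity matches his history.
TODAY = [
    {"user": "alice", "bytes_out": 2_400_000, "apps": {"mail", "fileshare"}},
    {"user": "bob", "bytes_out": 1_000_000, "apps": {"git", "ci"}},
]

def build_baselines(records):
    """Per-user baseline: mean and population stdev of daily bytes_out, plus apps seen."""
    volumes, apps = defaultdict(list), defaultdict(set)
    for r in records:
        volumes[r["user"]].append(r["bytes_out"])
        apps[r["user"]] |= r["apps"]
    return {
        u: {"mean": statistics.mean(v), "stdev": statistics.pstdev(v), "apps": apps[u]}
        for u, v in volumes.items()
    }

def detect_anomalies(records, baselines, sigma=3.0):
    """Return (user, reason) alerts for volume beyond mean + sigma*stdev or unseen apps."""
    alerts = []
    for r in records:
        b = baselines.get(r["user"])
        if b is None:  # user with no history: surface it rather than silently skip
            alerts.append((r["user"], "no baseline for user"))
            continue
        limit = b["mean"] + sigma * b["stdev"]
        if r["bytes_out"] > limit:
            alerts.append((r["user"], f"bytes_out {r['bytes_out']} exceeds baseline limit {limit:.0f}"))
        new_apps = r["apps"] - b["apps"]
        if new_apps:
            alerts.append((r["user"], f"first use of apps {sorted(new_apps)}"))
    return alerts
```

Running `detect_anomalies(TODAY, build_baselines(BASELINE_WINDOW))` yields two alerts for alice (volume and the new app) and none for bob; a real deployment would feed the baseline from many more days and correlate the alert with asset and vulnerability data before escalating.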
Ultimately, I suspect that most security and networking professionals realize “zero trust” is the right approach to take. The question is how to embrace that view and evolve one’s security operations.
Hopefully the ideas suggested here – and in my “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask” blog series – will provide ideas and inspiration to enhance your own security posture. Please share any thoughts on how you are evolving your organization’s security operations to respond to the new zero-trust reality.