Page 19 - Cyber Defense eMagazine April 2023
Many organizations are implementing Zero Trust to help them restrict access to valuable data, systems and IP to only those individuals or systems that should have access.
This is a laudable initiative because it forces three things. First, it forces organizations to identify what is most valuable. Second, it forces them to clarify exactly who (or what systems) needs access to those resources. And last, it forces organizations to examine both their network architecture and their authentication mechanisms.
Undertaking this analysis can help improve security posture across the board, as teams need to know and define what “good” looks like. Importantly, it also helps teams identify where additional monitoring and visibility is required to protect the crown jewels, and highlights which threats warrant the highest priority. If an attack is detected that may provide access to highly valuable assets, then it must be prioritized over attacks on assets of lesser value. Teams can also better target proactive security activity – such as threat hunting and deeper vulnerability analysis – in areas where it matters most.
Successful Zero Trust implementation depends on careful analysis of the environment and a methodical design and implementation process. But it’s also crucial to ensure, as you re-architect the environment, that you don’t create monitoring blind spots. Indeed, you may need to increase visibility in certain areas of the network to help better detect and defend against attacks on high-value, crown jewel assets.
You need the ability to test and validate your infrastructure as well as monitor it. So collecting the evidence you need – including network and endpoint data – is crucial. Organizations frequently deploy additional evidence collection – such as continuous full packet capture – in segments of the network where high-value assets are located to ensure they have maximum visibility into all activity and can thoroughly test their defenses.
Issue Three: Gaining greater visibility into threats, as early as possible.
Detection tools must be as accurate as possible. That’s not an insignificant issue, given the difficulty of detecting attacks such as zero-day threats, threats hidden inside encrypted traffic, and supply chain compromises like the Solarwinds “Solarflare” attacks that originate from trusted systems.
As network speeds increase, it’s critical to ensure that NDR, IDS and AI-based monitoring tools can keep pace. A monitoring tool that maxes out at 10 Gbps is going to flounder when network speeds increase to 40 Gbps or beyond. It will also have difficulty detecting threats that are hidden inside encrypted streams, or that leverage common protocols such as DNS to disguise malicious activity such as beaconing or data exfiltration.
AI-based detection tools can help supplement other monitoring tools by identifying anomalous behavior that might not have triggered alerts. But you also need the ability to quickly investigate these anomalies to determine whether they pose a real threat or are simply anomalous but not malicious. Again, it’s crucial for analysts to have the right evidence to quickly investigate and prioritize events and flag false positives back to detection tools to improve accuracy.
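The two preceding paragraphs make two points that are easier to see in code: DNS is a common protocol that beaconing and exfiltration can hide in, and anomaly alerts only become useful when analysts can feed confirmed false positives back to the detector. The following is an added example written for this article, not code from the magazine or any vendor it mentions. It runs two simple heuristics over a handful of constructed DNS log lines (long, high-entropy leading labels, and near-constant query intervals from one client to one domain) and applies an analyst-maintained allowlist so that a confirmed-benign domain stops generating alerts. The log format, thresholds, domain names and client addresses are all assumptions made up for the example.

```python
"""
Constructed example: heuristic detection of DNS abuse over sample log lines,
plus an analyst allowlist that suppresses confirmed false positives.
Thresholds and the log format are assumptions for this example only.
"""
import math
from collections import defaultdict

# Constructed sample log: "<epoch> <client_ip> <qtype> <qname>" (not real traffic).
# 10.0.0.7 queries a placeholder domain every 60 s with random-looking labels;
# 10.0.0.9 queries a telemetry domain an analyst has already confirmed benign.
SAMPLE_LOG = """\
1680000000 10.0.0.5 A www.example.com
1680000010 10.0.0.5 A cdn.example.net
1680000060 10.0.0.7 TXT 3q9fz8k1x0a7vb2n6m4e5t8s.tunnel-placeholder.test
1680000120 10.0.0.7 TXT 9h2k7p1l3d8f6s5a0z4x2c7v.tunnel-placeholder.test
1680000180 10.0.0.7 TXT 5t8r3e6w1q9y7u2i4o0p8a3s.tunnel-placeholder.test
1680000240 10.0.0.7 TXT 7m4n1b8v5c2x9z6l3k0j8h5g.tunnel-placeholder.test
1680000300 10.0.0.9 A a1b2c3d4e5f6a7b8c9d0e1f2a3b4.metrics.example-cdn.test
"""

# Feedback loop: suffixes analysts have investigated and marked benign.
ALLOWLIST = frozenset({"metrics.example-cdn.test"})


def shannon_entropy(s):
    """Bits per character; random-looking encoded labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype, qname.lower().rstrip(".")


def registered_suffix(qname):
    # Crude approximation: last two labels. Production code would use the
    # public suffix list so that e.g. "example.co.uk" is handled correctly.
    parts = qname.split(".")
    return ".".join(parts[-2:])


def is_allowlisted(qname, allowlist):
    return any(qname == a or qname.endswith("." + a) for a in allowlist)


def detect(log_text, allowlist=frozenset(), max_label_len=20,
           min_entropy=3.5, beacon_tolerance=2):
    """Return a list of findings (dicts) for the given log text."""
    findings = []
    per_client_suffix = defaultdict(list)  # (client, suffix) -> timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = parse_line(line)
        if is_allowlisted(qname, allowlist):
            continue  # analyst-confirmed benign: skip both heuristics
        first_label = qname.split(".")[0]
        entropy = shannon_entropy(first_label)
        # Heuristic 1: long, high-entropy leading label (data smuggled in the name)
        if len(first_label) > max_label_len and entropy >= min_entropy:
            findings.append({"type": "suspicious_label", "client": client,
                             "qname": qname, "entropy": round(entropy, 2)})
        per_client_suffix[(client, registered_suffix(qname))].append(ts)
    # Heuristic 2: >= 4 queries from one client to one domain at a near-constant
    # interval, the regular "check-in" pattern of beaconing.
    for (client, suffix), stamps in per_client_suffix.items():
        if len(stamps) < 4:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= beacon_tolerance:
            findings.append({"type": "beaconing", "client": client,
                             "suffix": suffix, "interval": gaps[0],
                             "count": len(stamps)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, ALLOWLIST):
        print(f)
```

Run stand-alone, the script reports four suspicious labels and one 60-second beacon for 10.0.0.7, and nothing for the allowlisted telemetry domain even though its leading label is just as long and random-looking. Removing the allowlist entry makes that domain alert again, which is exactly the false positive an analyst would want to feed back to the tool. The heuristics are deliberately simple; real DNS tunnelling detection also looks at query volume, record types and response sizes, and the thresholds here would need tuning against the organization's own baseline.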