Zero Trust and Assuming Breach: Reduce Risk First - Validate Later

This is the third article in a continuing series exploring the meaning and real-world impacts of the three tenets of the Zero Trust security model.

You don’t know what you don’t know. It’s a simple concept but one that enterprises ignore at their peril.

The recent Solar Winds hack is only the latest example. The attack, which began in September 2019, wasn’t discovered until December 2020, some fifteen months later. But this length of time is not in any way unusual. Indeed, the average length of time it takes to detect and contain a data breach is now 280 days.

The impact in the lag in breach detection is uncomfortably clear:  the victim doesn’t know until months later that attackers are inside their walls, rampaging at will across the most valuable real estate of its data center.

At Symantec, a division of Broadcom, we know the fact that enterprises just don’t know whether a specific endpoint was breached is precisely why it’s so important to develop a security plan that starts with the assumption that a breach has occurred. And that’s where the Zero Trust security model plays such an important role.

Log Everything to Ensure Pervasive Privilege

The focal point of the Zero Trust model is that enterprise data needs to be protected at all costs. The third principle of Zero Trust: log everything, is the fail-safe, last line of defense for the enterprise. It ensures that secure access and enforcing least privilege, the first two pillars of Zero Trust, are constantly re-evaluated based on the analysis of the logged data, over and over again – even when the enterprise itself doesn’t know if any threat is taking place.

The third principle of Zero Trust is important in multiple ways to limit the damage of any potential breach.

• Adopt least privilege. By granting and restricting access in only the least way possible, the enterprise is automatically reducing the scope of the damage that a breach can do. Logging every activity by any user or software program ensures that any deviation from the least privileged set of permissions can result in a timely alert that can significantly reduce the amount of time to detect a successful breach.
   
• Automate response as much as possible. It’s no secret that with the threat landscape so pervasive, the enterprise security operations center (SOC) is overloaded. One survey estimates the average enterprise SOC receives upwards of 10,000 alerts per day. Adopting intelligent automation that sets policies that leverage a risk scoring approach across endpoints, identity, and devices in order to make access decisions to data in real-time provides the help the SOC needs to get ahead of the cat-and-mouse, cyber warfare game.
   
• Record and validate everything. Only by logging everything can the enterprise accurately analyze the data and evaluate the risk. To assess the correct degree of risk or deviation from a baseline requires as much contextual information around the user or device activity as possible. The more information that can be collected, the better result the analytics system can provide and the better the odds a breach will be discovered and contained quicker and more efficiently.

Reduce Risk First

The secret sauce as to why the third tenet of Zero Trust is so effective is it's imperative to take action first. Unlike the traditional enterprise security model, Zero Trust is not based on validating user activity first and then reducing the risk based on that real time validation. Zero Trust turns that model on its head. It calls upon enterprises to reduce the risk first by putting in place the automated artificial intelligence (AI) and machine learning (ML) systems that will record user and device activity, and then reduce risk by assigning the risk parameters through data policies around the information access of users and their devices.

By putting the focus on corporate data, Zero Trust ensures that when an enterprise needs to respond to a breach, it has the data context it needs to understand the breach, it’s scope and take an action as quickly as possible. And by assuming there is always a breach, the third tenet of zero trust also ensures there is always a balance between the productivity of the enterprise, its people, and its security.

SASE and Zero Trust

In closing, it is worth noting that one of the advantages of the new Secure Access Service Edge (SASE) security model introduced in 2019 is how it so neatly aligns with Zero Trust and, in particular, the assume breach tenet of Zero Trust.

SASE implementations such as Symantec, allow enterprises to adjust access to data in real time based on user and device context and risk. The result helps protect enterprises from what they don’t know, enhancing their security while still allowing user productivity.