Zero Trust is a security concept based on the notion that organizations should not take trust for granted, regardless of whether access attempts originate from inside or outside their perimeters. An enterprise needs to verify every connection attempt to its systems before granting access. At the same time, the defensive layers that define the Zero Trust model should enable access for enterprise users no matter where they are and no matter what device they're using.
The balancing act between controlling accessibility and enabling usability introduces a challenge for security teams. They need to ensure that business enablement isn't impacted while making sure that the risk associated with users and network entities is properly managed and mitigated.
Zero Trust leads us to focus on all organization assets regardless of their location and the risk they represent, whereas threat intelligence approaches within a perimeter-driven environment focus on detecting the threat within. The driving concept behind Zero Trust is to enable access to enterprise applications while evaluating the associated risks, taking everything into account, including signals from threat detection, device posture, and user behavior.
I believe threat intelligence in a Zero Trust environment should be reshaped into a dynamic, signal-based indicator of threats. These signal-based indicators should be data-driven and fed by a variety of data sources.
In order to apply a signal-based approach, proper mitigations should also be introduced: non-deterministic actions that mitigate the non-deterministic risks associated with users or assets.
For example, let's take users' access patterns as a signal for risk. If a user always connects from the same location or during the same hours and we suddenly see a change in that pattern, that change should be treated as a risk.
While such changes in access behavior are considered a risk and might be the result of compromised credentials or a compromised device, they are not a risk that should result in automatically blocking or suspending users.
Therefore, the Zero Trust signal-based approach requires non-deterministic mitigations that reduce risk and preserve accessibility at the same time, while keeping the impact on the user low. One example of this is multi-factor authentication (MFA). Another is applying limits on access for users with abnormal behavior in order to reduce the risk of a data breach.
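To make the access-pattern signal and its graduated mitigations concrete, here is an added example in Python (not code from the article or from Akamai). It builds a per-user baseline of countries and login hours from a constructed login history, scores a new access attempt by how far it deviates from that baseline, and maps the score to a policy action (allow, step-up MFA, or restricted access) rather than a hard block; the weights and thresholds are hypothetical tuning values.

```python
from collections import Counter
from datetime import datetime

# Constructed sample login history for one user (hypothetical data, not from the article).
# Each record: (ISO timestamp, country code of the source address).
BASELINE_LOGINS = [
    ("2020-02-03T09:12:00", "US"), ("2020-02-04T08:55:00", "US"),
    ("2020-02-05T10:03:00", "US"), ("2020-02-06T09:40:00", "US"),
    ("2020-02-07T17:30:00", "US"), ("2020-02-10T09:05:00", "US"),
]


def build_profile(logins):
    """Summarise where (country) and when (hour of day) a user normally connects."""
    countries = Counter(c for _, c in logins)
    hours = Counter(datetime.fromisoformat(ts).hour for ts, _ in logins)
    return {"countries": countries, "hours": hours, "n": len(logins)}


def risk_signal(profile, ts, country):
    """Score one access attempt: 0.0 matches the baseline, 1.0 is fully anomalous."""
    n = profile["n"]
    # Share of past logins that did NOT come from this country.
    loc_score = 1.0 - profile["countries"][country] / n
    hour = datetime.fromisoformat(ts).hour
    # An hour is familiar if the baseline has logins within +/- 1 hour of it.
    seen = sum(profile["hours"][h] for h in (hour - 1, hour, hour + 1))
    hour_score = 1.0 - min(seen / n, 1.0)
    # Hypothetical weighting: location deviation counts more than time-of-day deviation.
    return round(0.6 * loc_score + 0.4 * hour_score, 2)


def policy_action(score):
    """Map the signal to a graduated mitigation instead of suspending the user."""
    if score < 0.3:
        return "allow"
    if score < 0.7:
        return "require_mfa"            # step-up authentication keeps the user working
    return "restrict_sensitive_apps"    # limit access scope until the anomaly is resolved


def evaluate(ts, country, logins=BASELINE_LOGINS):
    """Return (risk score, policy action) for a new access attempt against the baseline."""
    profile = build_profile(logins)
    score = risk_signal(profile, ts, country)
    return score, policy_action(score)
```

With the constructed baseline, a usual-hours login from a new country lands in the MFA band, and an off-hours login from a new country is restricted rather than blocked outright.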
At BSides San Francisco 2020, on February 24, at 3:00 p.m. PDT, I'll be giving a talk titled "Creating Data-Driven Threat Intelligence Signals in a Zero Trust Environment."
I’ll present a data-driven approach that utilizes data sources to create threat vectors such as device posture, user traffic and behavioral profiling, and continuous threat detection. All of these data points are combined into a dynamic signal representing real-world risk to network entities, which can be used under action-based, policy-driven decision making to address threats under a Zero Trust model.
About the Author: Or Katz is a Principal Lead Security Researcher at Akamai and is the head of research for Akamai's Enterprise Threat Protector technology. Or is a frequent speaker at security conferences and has published numerous articles and white papers on threat intelligence and defensive techniques. He began his career in the early days of web application firewalls (WAFs) and used to lead the OWASP Israel chapter.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.