Continued Innovation During DoD’s Zero-Trust Architecture Implementation
Demand for greater innovation and data-driven decision-making is advancing an evolution in IT environments. Coupled with the prevalence of hybrid cloud strategies, remote work as the new normal and increasingly sophisticated adversaries, this evolution requires a different approach to cybersecurity. We can no longer rely on bigger walls and wider moats to secure applications. Instead, security must protect the currency of today—data.
This new approach to cybersecurity adopts a least-privilege mindset for all transactions and no longer implicitly grants trust based on user, device or network location. The federal government’s directive to all agencies to adopt a zero-trust architecture embodies this approach. A zero-trust architecture follows the mantra “never trust, always verify and assume compromise,” treating every request for a resource, whether it originates inside or outside an organization’s network perimeter, as hostile until proven otherwise. All users and devices must be authenticated, authorized and regularly re-validated before being granted access to an organization’s resources, applications or data.
The Department of Defense (DoD) adopted the zero-trust security model based on the National Institute of Standards and Technology (NIST) Special Publication 800-207, Zero Trust Architecture, to modernize its cybersecurity. Due to the unprecedented scale and complexity of the DoD’s networks, along with a lengthy budget and acquisition process, it will take the DoD time to implement a zero-trust architecture. At a FedTalks conference on August 24, DoD Chief Information Officer John Sherman stated, “What we’re aiming for is by 2027 to have zero trust deployed across a majority of our enterprise systems in the Department of Defense.” He continued, “Five years. That’s an ambitious goal … but the adversary capability we’re facing leaves us no choice but to move at that level of pace.”
As the DoD progresses toward a zero-trust architecture, implementing key components along the way, adversaries will continue to step up their efforts to penetrate DoD systems. According to CrowdStrike’s 2022 Global Threat Report, 80% of cyber attacks today leverage legitimate credentials, allowing access within the walls and bypassing traditional border and firewall security. Attackers are then able to conduct stealthy and seemingly innocuous reconnaissance and surveillance undetected and unchallenged.
It is imperative for the department to mitigate risks related to the timeline by focusing on offensive and proactive cybersecurity measures, such as identity protection, and to continue to partner with the private sector to innovate on the zero-trust approach.
DoD Leading Zero-Trust Design, but Faces Long Implementation Timeline
When the White House issued the Executive Order on Improving the Nation’s Cybersecurity in May 2021, a key component was its directive that all federal agencies, military and civilian alike, advance toward a zero-trust architecture. By then, the DoD had already made significant strides, having rolled out its Zero Trust Reference Architecture weeks before the executive order was released.
“DoD has been leading the [zero-trust] messaging and technical reference design for the past year(s),” said Ned Miller, vice president of Federal, CrowdStrike.
While the DoD has been pioneering the concept of zero trust, its lengthy planning, programming, budget and execution process slows the acquisition of technology needed to implement its zero-trust architecture, Miller said. Changing the direction of the government on any issue has often been compared to trying to change the path of an ocean liner—it can only proceed slowly.
Miller noted that a lengthy implementation of the new zero-trust security approach allows the adversary to “come up with new attacks and mitigate the defenses we set up.”
Additionally, the DoD’s zero-trust journey is complicated by the use of large, multiyear contracts.
“In the zero-trust maturity model, as you progress your capabilities, you improve over time,” Miller said. “There’s a crawl-walk-run approach. Because of the way the DoD makes acquisitions—because of the size and scope of their programs—[the DoD must] issue large contracts that last for multiple years.”
In addition to budget and procurement challenges, the DoD’s adoption of a zero-trust architecture is complicated by the sheer size and complexity of its IT infrastructure, by decisions about how to secure legacy IT, and by the resources required to do so.
Jeff Worthington, executive strategist for CrowdStrike, formerly served as the chief information officer and director, J-6, at the Joint Special Operations Command (JSOC) and was responsible for the strategic plan to implement multifactor authentication and zero trust across the JSOC.
“I had a five-year plan for moving to a zero-trust architecture,” Worthington said. “There was no way we could have done it any faster.” The same teams tasked with implementing zero trust across networks were also the ones who ran day-to-day network operations and responded to critical security and patching requirements from U.S. Cyber Command, the National Security Agency and others. There simply is not the capacity across the DoD to implement zero trust without a comprehensive and funded program with dedicated resources.
Facing Down and Shutting Out Forewarned Adversaries
As the DoD implements its zero-trust architecture, the department also is focusing on drawing down risk through U.S. Cyber Command’s “hunt forward” operations. For example, Cyber Command’s Cyber National Mission Force (CNMF) recently partnered with Lithuanian forces for three months to hunt “for malicious cyber activity on key Lithuanian national defense systems and Ministry of Foreign Affairs networks.”
“The objective of the hunt forward operation was to observe and identify malicious activity that threatens both nations, and use those insights to bolster homeland defense and increase the resiliency of critical networks to shared cyber threats,” according to Cyber Command’s news release. To date, CNMF has undertaken 28 such hunts in 16 countries, including several NATO members and Ukraine.
The concept of hunt forward and detection of malicious cyber activity fits within the zero-trust paradigm and bolsters the department’s cybersecurity efforts, Miller said. For instance, the “DoD calls out endpoint detection and response (EDR) as critical for the decisions being made in the dynamic access control plane,” he said, where EDR provides real-time monitoring and detection of unusual behavior and malicious activity—a clear parallel to CNMF’s hunt-forward operations.
“We [at CrowdStrike] try to think like an adversary to develop defenses against them,” Miller said, taking into account the evolution of their tactics, techniques and how they create their attack methodologies.
Hunting forward—looking for anomalous behavior at the endpoints that signals potential malicious activity—is necessary because credential theft remains a growing risk.
Miller noted that identity protection is one area of the zero-trust technical reference model that was insufficiently developed at first. As cloud solutions proliferate, user identities are no longer controlled by a single source of authentication. Instead, each cloud service provider has its own authentication methods, and users with access to more than one cloud—whether in a multi-cloud or hybrid cloud environment—might have more than one identity.
Taking these changes into account, “Over time CrowdStrike has evolved its EDR platform, especially around identity protection,” Miller said. “The DoD talks about policy decision points, where the zero-trust architecture decides” whether to let packets through. The CrowdStrike approach is to stand between the users or requesters seeking access to agency resources and the policy enforcement points that act as gatekeepers, confirming the identity behind the incoming traffic before it is admitted.
Additionally, CrowdStrike can augment the DoD’s defensive cyber operations mission by enabling hunt forward activities with a zero-trust mindset. This is accomplished by harnessing the power of its cloud capabilities and drastically improving the time-to-value for a partner nation. Traditionally, teams would custom build and deploy their hunt forward infrastructure kits. This time delay creates opportunities for adversaries and greatly increases risk. By contrast, provisioning additional capacity for a new entity in the cloud is elastic and in near real-time.
Operators can use a single CrowdStrike sensor and platform not only for threat hunting and incident response; teams can also easily activate modules that help partners illuminate network gaps and blind spots by adding further zero-trust policy information points (PIPs), such as:
• Identity threat protection
• Device hygiene
• Threat intelligence
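To make the policy decision point (PDP), policy enforcement point (PEP) and policy information point (PIP) roles concrete, the following added example (not code from the article, CrowdStrike or the DoD reference architecture) sketches a PDP that evaluates every request against the three PIPs listed above. The PIP contents, user and device names and addresses are all constructed placeholders; network location deliberately plays no part in the verdict.

```python
"""Toy zero-trust policy decision point consulting three PIPs:
identity, device hygiene and threat intelligence. All data constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed PIP data (placeholders, not real identities or indicators).
IDENTITY_PIP = {
    "alice": {"mfa": True, "risk": "low"},
    "bob": {"mfa": False, "risk": "medium"},
}
DEVICE_PIP = {
    "laptop-01": {"edr_sensor": True, "patched": True},
    "laptop-02": {"edr_sensor": False, "patched": True},
}
# Source addresses flagged by threat intelligence (RFC 5737 TEST-NET-3).
THREAT_INTEL_PIP = {"203.0.113.7"}


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    source_ip: str
    resource: str
    on_internal_network: bool = False  # recorded, but never trusted


def decide(req: Request) -> tuple[str, list[str]]:
    """PDP: return ('allow' | 'deny' | 'step_up', reasons) for one request.
    Hard failures deny outright; soft identity signals demand step-up."""
    ident = IDENTITY_PIP.get(req.user)
    device = DEVICE_PIP.get(req.device)
    if ident is None or device is None:
        return "deny", ["unknown identity or device"]
    if req.source_ip in THREAT_INTEL_PIP:
        return "deny", ["source flagged by threat intelligence"]
    if not (device["edr_sensor"] and device["patched"]):
        return "deny", ["device hygiene check failed"]
    reasons = []
    if not ident["mfa"]:
        reasons.append("MFA not satisfied")
    if ident["risk"] != "low":
        reasons.append(f"identity risk is {ident['risk']}")
    return ("step_up", reasons) if reasons else ("allow", ["all PIP checks passed"])


def enforce(req: Request) -> bool:
    """PEP: the gate opens only on an explicit 'allow'. Re-run on every
    request (and periodically for open sessions) so trust never persists."""
    return decide(req)[0] == "allow"
```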
Zero trust is not a destination, but a continuous process that morphs over time. Rapidly executing features and capabilities within the traditional acquisition timeline with novel contracting approaches is critical to the program’s success over the next five years.
Lifting the Cybersecurity Burden from Warfighters
The growing acceptance of the cloud in military circles is a boost to zero-trust implementation.
“We’ve been taking warfighters and turning them into IT specialists,” Miller said. “Evolving to the cloud means [the DoD] no longer needs to do that. The maturity of the DoD IT workforce is driving cloud acceptance. They’ve grown up in the cloud. They were born with an iPhone in their hands. By today’s standards, junior officers have come through on the cloud.”
Worthington agreed. “[Warfighters] just expect [computing] to be there, always on. Now there are two- and three-star general officers who are savvy and want to do things on the edge.” Innovation enabled by the cloud now supports critical warfighting missions. And when referring to cybersecurity, whatever solution is fielded must “have little to no impact on the mission or the user,” Worthington stated. “I have seen, too often, operational decisions made because cybersecurity became an impediment. That doesn’t breed trust.”
For instance, the U.S. Army’s 18th Airborne Corps has created a Data Warfare Company as a way to innovate and advance new technologies that help the corps as it adapts to the changing cyber landscape and contributes to improving the use of technology throughout the Army.
That same attitude carries over to cybersecurity in the cloud, where personnel want security as a utility, an “ever-present persistence concept,” as Miller described it. He said there is a “refresh cycle” coming up for EDR across all of the DoD, which will provide an opportunity to align EDR with implementation of zero trust.
Knowing bad actors will continue to evolve means the path to zero trust must include a focus on continued innovation, such as new approaches to identity protection, refreshing EDR and the use of cloud strategies to benefit the warfighter. The continued collaboration between the DoD and industry, and continued team approach, will help ensure the success of the department’s zero-trust journey.
Visit CrowdStrike.com for more information.