Visibility and Analytics: Keys to Zero-Trust Success
As organizations move to operating in mature zero-trust environments, we can expect adversaries to adapt their behavior to match, attempting to overcome zero-trust technologies so they can maintain their capability and achieve their objectives. We have seen this throughout history; a recent example is the uptick in multi-factor authentication (MFA) fatigue attacks, which send repeated push notifications to a victim until they approve the adversary's associated login attempt.
Detection and response capabilities continue to evolve but remain reactive to the adversary. Generationally, these defenses were signature-based, then behavior-based, and now combine both of those earlier capabilities with anomaly detection. One major point to understand is that these capabilities are developed against a broad understanding of normal behavior at scale. How do defenders best leverage these capabilities while also adapting their defenses to the particulars of their own environment, and how do they come to understand what abnormal behavior looks like within the architectures they are defending?
Visibility and Analytics should be a key component of your zero-trust strategy, making sure your defensive cyber operators have the tools, data and analytics required to quickly identify, stop and remediate threats. Networks, systems and applications exist to enable the functionality of an organization. Even in a zero-trust world there will be users and devices that are allowed to access resources to accomplish their functions. Adversary behavior may shift to mimic more closely that of an authorized user as they target those who have access to the resources they desire.
Beyond minimizing these risks by closing configuration gaps, such as using your identity provider (IdP) to eliminate the ability to log in from multiple devices, this shift necessitates a robust defensive cyber operation (DCO). A DCO is fully enabled by fusing the distinct capabilities that security operations, threat hunt and insider threat teams each bring to the table. These teams will need to coordinate more closely, while still maintaining the required separation between groups, in order to address threats at speed.
One example is working in a common platform and sharing analytics to reduce duplication of effort and provide a common operating picture. Operating in this fused environment makes sharing derived insights between the DCO groups easy and expedient, letting them shift quickly when, for instance, a developing understanding of a threat reveals that the insider threat they have been investigating is actually an advanced persistent threat (APT) better handled by the threat hunt group.
Zero-trust environments will lead to an increase in the amount of security-relevant telemetry data. This increase in data will create both challenges and opportunities. The data produced, stored and analyzed will require a different approach to derive insights and drive operational decisions before becoming stale. However, this data will give defenders the best opportunity to deploy analytics that understand the normal behavior among an organization’s user base and enable the detection of anomalous behaviors with increased accuracy. This will allow rapid identification of threats whether they are adversarial, insider or involve the co-opting of valid user access rights through technical means or coercion.
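The two analytics described above, detecting the MFA fatigue pattern and measuring login activity against a per-user baseline of normal behavior, are illustrated below in an added example that is not part of the original article and is not ManTech's code. It runs over a small set of constructed authentication events (timestamp, user, event, device, result); the log format, the five-minute window, the four-push threshold and the baseline cutoff date are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real logs). Fields: timestamp user event device result.
# Events before CUTOFF form the baseline; events after it are scored against it.
SAMPLE_EVENTS = [
    "2024-04-22T08:02:10Z alice login laptop-a success",
    "2024-04-22T08:02:11Z alice mfa_push laptop-a approved",
    "2024-04-22T09:15:00Z bob login laptop-b success",
    "2024-04-22T09:15:02Z bob mfa_push laptop-b approved",
    "2024-04-22T10:30:00Z carol login laptop-c success",
    "2024-04-22T10:30:03Z carol mfa_push laptop-c approved",
    "2024-04-23T08:10:00Z alice login laptop-a success",
    "2024-04-23T08:10:01Z alice mfa_push laptop-a approved",
    "2024-05-02T08:05:40Z alice login laptop-a success",
    "2024-05-02T08:05:41Z alice mfa_push laptop-a approved",
    "2024-05-02T09:20:00Z bob login laptop-b success",
    "2024-05-02T09:20:02Z bob mfa_push laptop-b approved",
    "2024-05-02T09:21:00Z bob login desktop-z success",      # device never seen for bob
    "2024-05-02T22:40:00Z carol mfa_push unknown denied",    # burst of pushes late at night,
    "2024-05-02T22:40:35Z carol mfa_push unknown timeout",   # the last of which is approved
    "2024-05-02T22:41:10Z carol mfa_push unknown denied",
    "2024-05-02T22:41:50Z carol mfa_push unknown denied",
    "2024-05-02T22:42:30Z carol mfa_push unknown approved",
    "2024-05-02T22:42:31Z carol login unknown success",
]
CUTOFF = datetime(2024, 5, 1, tzinfo=timezone.utc)  # assumed baseline/scoring boundary


def parse_events(lines):
    """Parse the constructed line format into dicts, sorted by timestamp."""
    events = []
    for line in lines:
        ts, user, event, device, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": stamp, "user": user, "event": event,
                       "device": device, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """Flag users who received at least `threshold` MFA pushes inside one sliding window.
    A burst that contains an approval is the case that most needs a fast response."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e)
    findings = {}
    for user, plist in pushes.items():
        start = 0
        for end in range(len(plist)):
            while plist[end]["ts"] - plist[start]["ts"] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst = plist[start:end + 1]
                prev = findings.get(user)
                if prev is None or count > prev["pushes"]:
                    findings[user] = {
                        "pushes": count,
                        "approved_in_burst": any(p["result"] == "approved" for p in burst),
                        "first": burst[0]["ts"], "last": burst[-1]["ts"],
                    }
    return findings


def build_baseline(events, cutoff):
    """Profile each user's known devices and login hours from successful logins before cutoff."""
    profile = defaultdict(lambda: {"devices": set(), "hours": set()})
    for e in events:
        if e["ts"] < cutoff and e["event"] == "login" and e["result"] == "success":
            profile[e["user"]]["devices"].add(e["device"])
            profile[e["user"]]["hours"].add(e["ts"].hour)
    return profile


def score_logins(events, baseline, cutoff):
    """Return (user, timestamp, reasons) for successful logins after cutoff that deviate
    from that user's baseline; users with no baseline at all are flagged as such."""
    findings = []
    for e in events:
        if e["ts"] < cutoff or e["event"] != "login" or e["result"] != "success":
            continue
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if e["device"] not in profile["devices"]:
                reasons.append("new device")
            if e["ts"].hour not in profile["hours"]:
                reasons.append("unusual hour")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("MFA fatigue:", detect_mfa_fatigue(ev))
    print("Baseline deviations:", score_logins(ev, build_baseline(ev, CUTOFF), CUTOFF))
```

On the sample data, carol's five pushes in under three minutes, ending in an approval, trip the fatigue detector, while the baseline check flags bob's login from a device he has never used and carol's late-night login from an unknown device; alice's routine morning logins produce nothing. In practice the baseline would be built from weeks of IdP telemetry and the thresholds tuned per organization, which is exactly the environment-specific understanding the article argues defenders need.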
Lastly, as we become aware of new adversary approaches or identify novel insider threat patterns within our organizations, we must exercise our own defenses to validate our level of protection and visibility against the adapting threat and to ensure our resiliency. Continuous testing against the most recent threats is the best way to understand what our defenders can actually see and to adjust where we identify gaps.
Steven Kapinos is ManTech’s vice president and Cognitive Cyber Technology Focus Area lead responsible for new innovations and capabilities that turn cybersecurity-relevant data into insights that support mission operators.