It is essential to ensure that any Zero Trust technology used is resilient to external factors
The growing threat of cyberattacks like SolarWinds, JBS USA, and Colonial Pipeline has underscored that organizations can no longer depend on conventional perimeter-based defenses to protect critical systems and data. The Log4j vulnerability is the latest sign that organizations must assume that cyber adversaries are already in their network. Against the backdrop of these high-profile incidents and growing concerns of retaliatory cyberattacks by Russia following its invasion of Ukraine, legislators have stepped up their efforts to bolster resilience and response capabilities against these threats (e.g., U.S. Cyber Incident Reporting for Critical Infrastructure Act, European Union Rules for Common Cybersecurity and Information Security Measures).
New regulations are aimed at shifting the cybersecurity paradigm – away from the old mantra of “trust but verify” and instead toward a Zero Trust approach, whereby access to applications and data is denied by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices.
A good example is the federal strategy that the Office of Management and Budget (OMB) released earlier this year. The strategy details a series of specific security goals for agencies, serving as a blueprint for shifting the federal government to a new cybersecurity paradigm – namely Zero Trust – that intends to help protect our nation. The strategy requires agencies to achieve specific Zero Trust goals by the end of fiscal year 2024 and aligns closely with the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model and its five complementary areas of effort:
• Identity: Staff use enterprise-managed identities to access work applications. Phishing-resistant multi-factor authentication (MFA) protects personnel from sophisticated online attacks.
• Devices: Establish a complete inventory of every device operated and authorized for government use. Prevent, detect, and respond to incidents on those devices.
• Networks: Encrypt all DNS requests and HTTP traffic within the environment and begin executing a plan to break down perimeters into isolated environments.
• Applications and Workloads: Treat all applications as Internet-connected, routinely subject applications to rigorous empirical testing, and monitor external vulnerability reports.
• Data: Deploy protections that make use of thorough data categorization. Take advantage of cloud security services to monitor access to sensitive data and implement enterprise-wide logging and information sharing.
Where the Rubber Meets the Road
As with other cybersecurity frameworks, it is important to note that these standards and requirements are focused solely on strengthening federal government systems. However, much of our nation’s critical infrastructure is owned and operated by the private sector, and those organizations make their own decisions regarding cybersecurity investments.
The bigger shortcoming, though, is that OMB’s federal strategy misjudges the efficacy of Zero Trust technology on its own. Post-mortem analysis of cyberattacks often reveals that the tools and software meant to protect against incidents were themselves undermined by faulty implementation, software collision, human error, normal decay, or malicious action. In fact, most intrusions involve reconnaissance followed by disabling or bypassing whatever security controls are in place.
Therefore, it becomes essential to ensure that any Zero Trust technology used is resilient to external factors.
Resilient Zero Trust is Better than Zero Trust
Zero Trust technology, and the range of threats to which those tools are susceptible, varies depending on the context in which cyber resilience is sought. In any situation, the priority an organization assigns to establishing cyber resilience measures across Zero Trust technologies should be driven by an assessment of the tactics, techniques, and procedures (so-called TTPs) that hackers are commonly applying when exploiting their victims.
For instance, endpoints are often used as an access point for hackers and cybercriminals to launch attacks, or as beachheads from which to move laterally within the network. In fact, a recent Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months. Despite widespread attempts to secure endpoints, this number suggests that endpoint security has been rapidly eroding, which is why endpoint resilience is needed; it is just one of the “flavors” that cyber resilience can assume. Endpoint resilience enables organizations to always know where their endpoints are, to implement control and security actions on those devices, and to have those devices repair themselves whenever they are disabled, altered, or otherwise compromised.
Cyber resilience strategies like endpoint resilience provide a range of benefits before, during, and after a cyberattack. Some of the main benefits include:
• Hardened Security Posture: Cyber resilience not only helps with responding to and surviving an attack. It can also help an organization develop strategies to improve IT governance, improve security across critical assets, expand data protection efforts, and minimize human error.
• Improved Compliance Posture: Many industry standards, government regulations, and data privacy laws nowadays promote or require cyber resilience.
• Enhanced IT Productivity: One of the understated benefits of cyber resilience is that it improves the daily operations of an organization’s IT team. It improves the ability to respond to threats, assists in the recovery efforts, and helps to ensure day-to-day operations run smoothly.
Considering these benefits, more and more cyber risk and security management frameworks are adopting the concept of cyber resilience. For example, the Department of Homeland Security’s Cyber Resilience Review (CRR) offers guidance on how to evaluate an organization’s operational resilience and cybersecurity practices. Another example is the National Institute of Standards and Technology (NIST) Special Publication 800-160 Volume 2, which offers a framework for engineering secure and reliable systems—treating adverse cyber events as both resilience and security issues.
Ultimately, cyber resilience is the only way to guarantee true Zero Trust. When implemented properly, resilient Zero Trust becomes a preventive measure that counteracts human error, malicious actions, and decayed, insecure software.