Levi, Ray & Shoup, Inc.

Know what’s happening on YOUR network?

9/13/2018 by Joshua Brant

What if an attacker slipped by your network defenses undetected? Would you know if they were lurking within your network? What type of damage could be done if they were rooting around for weeks, or even months, exfiltrating data or simply wreaking havoc?

According to security research firm CrowdStrike, the 2017 average cyber threat dwell time – that is, the amount of time that it took for security teams to detect something bad in their network – was nearly three months. Three months!

All too often, the dwell time was many months, or sometimes even years. While this seems like an impossibility with today's myriad security detection and protection tools, it illustrates the need for change in our network cybersecurity strategy.

Historically, significant effort and resources were applied to preventing breaches by fortifying the data center and network perimeter; this is often called the castle-and-moat approach. Everything outside the firewall was considered ‘dangerous.’ The fallacy of this model was believing that everything within the network should be considered ‘safe.’ Minimal security controls and network segmentation were typically the only barriers between servers, workstations and other hosts. Network and security teams utilized the ‘trust but verify’ model for allowing access to those internal systems and resources, but likely didn't verify authorization in most cases.

Today, we understand that breaches inevitably happen, and those breaches expose the flaw of the old strategy. After compromising the perimeter, attackers encounter relatively weak or nonexistent security mechanisms in their path when moving within the network.

This allows attackers to hide, move laterally and steal information without impediment or detection for far too long. The castle-and-moat approach also does not account for one of the significant threats that organizations face today: the insider threat. The model does nothing to limit the damage caused by legitimate users, whether accidental or malicious in nature.

While perimeter protection remains a mandatory piece of the overall security posture, internal protection must be given equal consideration. Cyber-defense strategy must include reducing or eliminating the opportunity for attackers to dwell within the network. It must focus more heavily on prevention than detection.

If bad actors are unable to move about, access or steal data, potential exposure is minimized. To achieve this objective, network protection can be augmented in several ways: hardening servers, patch management, anti-malware tools, and IPS. However, all these solutions should be elements of a greater Zero Trust strategy. 

Zero Trust isn't new - the model was developed in 2010 by John Kindervag, at Forrester Research, Inc. - and if you've made no effort to adopt it, now is the time to begin. Zero Trust changes the data access philosophy to one of always verify, never trust. Think about that for a moment: you should never trust a connection or user in your environment. Verify everything before granting access.

Previous network designs layered controls within a network to achieve security through defense-in-depth. Zero Trust suggests building the network from the inside out to achieve greater security. With a quick search, you can find numerous resources discussing the merits of Zero Trust and how to implement it successfully.

However, Forrester’s basic requirements are: 

  1. Ensure that resources can only be accessed securely, utilizing user identity and location as part of the authorization process.
  2. Enforce need-to-know access controls. This reduces the number of avenues for attackers to traverse the network.
  3. Review logs regularly. Ensure that all network traffic is inspected and logged.

You’re likely using some of these approaches to secure your network today. But, if you’re just now learning about Zero Trust, or want to further strengthen your security posture, start by understanding the systems and resources to be protected in your environment. Spend time mapping your data and data flows, along with understanding how your users access the data. Utilize next-generation firewalls to provide advanced functionality, such as decryption and micro-segmentation, in addition to providing border control. Use multi-factor authentication, IAM tools and other verification methods to increase your ability to verify users correctly. Finally, implement logging and correlation tools to gain visibility of network traffic as it crosses your network.
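
As an added illustration of the mapping and logging steps above (not code from the original article), this Python example checks logged internal connections against a documented flow map and reports every connection the map does not allow. The segment names, subnets, ports and log format are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed segment map (assumption): internal subnets and their segment names.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "database": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed flow map: the only (source segment, destination segment, port)
# tuples that the documented data flows require. Everything else is denied.
ALLOWED_FLOWS = {("workstations", "app", 443), ("app", "database", 5432)}

# Constructed log lines in the form "timestamp src_ip dst_ip dst_port".
SAMPLE_LOG = """\
2018-09-13T09:00:01Z 10.10.4.17 10.20.0.5 443
2018-09-13T09:00:02Z 10.20.0.5 10.30.0.9 5432
2018-09-13T09:03:40Z 10.10.4.17 10.30.0.9 5432
2018-09-13T09:03:41Z 10.10.4.17 10.10.7.22 445
2018-09-13T09:03:42Z 10.10.4.17 10.10.7.23 445
2018-09-13T09:05:00Z 10.10.9.3 203.0.113.8 443
"""

def segment_of(ip):
    """Return the name of the internal segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit_flows(log_text):
    """Return (violations, per-source counts) for internal flows not in the map."""
    violations, per_source = [], Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        ts, src, dst, port = parts[0], parts[1], parts[2], int(parts[3])
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg is None or dst_seg is None:
            continue  # one end is outside the mapped segments: not east-west
        if (src_seg, dst_seg, port) not in ALLOWED_FLOWS:
            violations.append((ts, src, dst, port))
            per_source[src] += 1
    return violations, per_source

if __name__ == "__main__":
    found, by_source = audit_flows(SAMPLE_LOG)
    for v in found:
        print("unmapped internal flow:", *v)
    print("top sources:", by_source.most_common(3))
```

A single workstation producing several unmapped flows in a short window, as in the sample, is the kind of pattern that would otherwise go unnoticed on a flat internal network.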

It should go without saying that fully implementing this framework is a process, not a project. Building a Zero Trust network will come with expense but will provide a greatly enhanced security posture for your organization, regardless of industry vertical. Forrester describes Zero Trust as being applicable to all industries and organizations, independent of any specific technology or vendor, and a scalable model.

Understanding and implementing the concepts now is important to support the coming security transformation and will allow you to better understand what’s happening on your network at any given time.

About the author

Joshua Brant is our Security Subject Matter Expert; he focuses on helping customers identify gaps and achieve security goals. Prior to joining LRS, Joshua served for years as Chief Information Security Officer for a manufacturing corporation. He holds multiple certifications in the area of Information Security, including CISSP, CISM, and CCISO.