Challenges security teams face in understanding and implementing zero trust were laid bare in a survey CyberRisk Alliance Business Intelligence conducted in January and February 2022 among 300 IT and cybersecurity professionals.
But there is much security teams can do to move past those challenges. One of the less-understood elements is endpoint isolation, designed to improve device security.
It’s an approach championed by such security experts as Jonathan Gohstand, Director of Technical Marketing and Security at HP Wolf Security, which sponsored the CRA survey along with Attivo Networks. Gohstand recently discussed the survey findings and made the case for endpoint isolation in an SC Media webcast.
The survey represented organizations of all sizes and industries. Objectives were to gauge how well organizations understand zero trust and obtain current deployment and usage trends.
With all the attention focused on zero trust, one could reasonably expect that organizations would be in the advanced stages of implementation. But for many, deployment has been slowed by a struggle to fully comprehend the pieces that embody a zero-trust architecture, as well as lack of budget and boardroom buy-in. Among the findings:
- Only 35% are very familiar with zero trust concepts. The highest percentage — 40% — are only somewhat familiar, and 25% are “a little” familiar.
- Only 36% have implemented zero trust, while another 47% plan to adopt it in the next 12 months.
- Nearly half of those who have not implemented zero trust are constrained by management or investment: 26% cite a lack of management support and a further 23% cite a lack of budget.
- Ransomware attacks and remote worker risks are driving current and planned zero trust strategies. Specifically, 55% said an increase in ransomware is a motivating factor, 53% point to the increased risks from remote workers, and 32% are driven to implement zero trust out of concern over potential supply-chain attacks.
- Only 35% are “highly confident” in their zero trust capabilities; 60% are moderately confident and 5% are only slightly confident.
From Gohstand’s perspective, security teams must pay special attention to what it takes to better secure devices through zero trust.
“The endpoint is the key security battleground,” Gohstand said. “It’s where people, data, and the Internet meet. Organizations invest a lot in endpoint security, since that’s still where most attacks originate. So clearly, security teams have not ‘solved’ the endpoint security problem.”
Pillars of endpoint isolation
The concept of endpoint isolation is based on three pillars:
- Micro-virtual machines: The heart of endpoint isolation. Each “risky” task, such as opening a browser tab or a Word file attached to an email, runs inside its own micro-virtual machine (uVM) enforced by the CPU’s hardware virtualization extensions, so a compromised task sees only the uVM rather than the host. This sharply reduces the attack surface while preserving the user’s normal workflow. When the task is finished, the uVM is destroyed and any malware that ran inside it is discarded with it. The isolation boundary is the hypervisor, so its own hardening and patch state remain a practitioner’s concern.
- Introspection of each task: Real-time inspection of activity inside each uVM: which processes are launched, which actions look suspicious, and what forensic detail (files, network, command lines) the task produced. Unlike a detonation sandbox, this runs in the real endpoint environment, including the user’s own interaction with the content, so malware executes as it would on a victim machine and yields more faithful data for analysis.
- Cloud analytics: The introspection data is correlated with threat intelligence and historical data to surface suspicious behaviors, classify new threats, and map observed events to a TTP framework such as MITRE ATT&CK.
Together these apply zero trust at the device level: content from untrusted sources runs only inside an isolated space on the endpoint, and nothing received is assumed to be trustworthy.
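As an added illustration of the second and third pillars (this is example code written for this page, not code from HP Wolf Security or from the webcast), the Python below correlates a constructed set of per-task introspection events against a few behavioural rules and maps the hits to MITRE ATT&CK technique IDs. The event schema, field names, sample records, rule logic and severity thresholds are assumptions made for the example; only the ATT&CK IDs are real identifiers. Capturing the events from inside a hardware-enforced micro-VM is the platform’s job and is not simulated here.

```python
"""Illustrative correlation of per-task introspection events with ATT&CK TTPs.

Hypothetical event format and rules (assumptions for this example); the
technique IDs are genuine MITRE ATT&CK identifiers.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Event:
    task_id: str        # identifies the isolated task (one uVM per task)
    kind: str           # "process", "file" or "network"
    image: str          # process image that performed the action
    parent: str = ""    # parent image for "process" events
    detail: str = ""    # command line, file path or destination URL

# Constructed sample data. uvm-1: a macro-enabled Word attachment opened from
# the mail client spawns an encoded PowerShell command that fetches a payload
# and writes it to disk. uvm-2: an ordinary document opened from Explorer.
SAMPLE_EVENTS: List[Event] = [
    Event("uvm-1", "process", "WINWORD.EXE", parent="outlook.exe", detail="Invoice_Q1.docm"),
    # "SQBFAFgA" is base64 of the UTF-16LE string "IEX", a typical encoded-command prefix
    Event("uvm-1", "process", "powershell.exe", parent="WINWORD.EXE",
          detail="-nop -w hidden -enc SQBFAFgA"),
    Event("uvm-1", "network", "powershell.exe", detail="http://203.0.113.7/stage2.exe"),
    Event("uvm-1", "file", "powershell.exe",
          detail="C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe"),
    Event("uvm-2", "process", "WINWORD.EXE", parent="explorer.exe", detail="meeting_notes.docx"),
    Event("uvm-2", "file", "WINWORD.EXE", detail="C:\\Users\\u\\Documents\\meeting_notes.docx"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DROPPED_EXTENSIONS = (".exe", ".dll", ".ps1", ".vbs")

def correlate(events: List[Event]) -> Dict[str, List[str]]:
    """Group events per isolated task and return the ATT&CK technique IDs whose rule fired."""
    by_task: Dict[str, List[Event]] = {}
    for e in events:
        by_task.setdefault(e.task_id, []).append(e)

    findings: Dict[str, List[str]] = {}
    for task, evs in by_task.items():
        hits = set()
        procs = [e for e in evs if e.kind == "process"]
        nets = [e for e in evs if e.kind == "network"]
        files = [e for e in evs if e.kind == "file"]

        # Rule 1: an Office application spawning a script host is the classic
        # malicious-document chain (User Execution: Malicious File).
        for p in procs:
            if p.parent.lower() in OFFICE_APPS and p.image.lower() in SCRIPT_HOSTS:
                hits.add("T1204.002")
                if p.image.lower() in {"powershell.exe", "pwsh.exe"}:
                    hits.add("T1059.001")       # Command and Scripting Interpreter: PowerShell
                if "-enc" in p.detail.lower():
                    hits.add("T1027")           # Obfuscated Files or Information

        # Rule 2: a script host talking HTTP(S) and then writing an executable
        # to disk looks like a second-stage download.
        for n in nets:
            if n.image.lower() in SCRIPT_HOSTS and n.detail.lower().startswith(("http://", "https://")):
                hits.add("T1071.001")           # Application Layer Protocol: Web Protocols
                if any(f.image.lower() == n.image.lower()
                       and f.detail.lower().endswith(DROPPED_EXTENSIONS) for f in files):
                    hits.add("T1105")           # Ingress Tool Transfer

        findings[task] = sorted(hits)
    return findings

def verdict(technique_ids: List[str]) -> str:
    """Assumed severity policy: two or more techniques in one task is treated as malicious."""
    if len(technique_ids) >= 2:
        return "malicious"
    return "suspicious" if technique_ids else "clean"

def triage(events: List[Event]) -> Dict[str, tuple]:
    """Per-task verdict alongside the technique IDs that produced it."""
    return {task: (verdict(ids), ids) for task, ids in correlate(events).items()}

if __name__ == "__main__":
    for task, (label, ids) in triage(SAMPLE_EVENTS).items():
        print(f"{task}: {label} {ids}")
```

Because each task lives in its own uVM, the correlation key is the task rather than the whole host, which keeps the benign document in uvm-2 from being tainted by the activity in uvm-1; that per-task scoping is what introspection data from isolation buys an analytics pipeline.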
A broader view of zero trust and endpoint isolation for device security can be found here. More about CRA’s zero trust study, which delves deeper into all of these elements and provides NIST-based guidance for moving forward, is available here.