
Incident response: Where zero trust fits in

Zero Trust principles and architecture continue to gain momentum as private-sector companies and government organizations try to stay ahead of increasingly sophisticated threat actors.

The National Institute of Standards and Technology (NIST) describes Zero Trust, in NIST SP 800-207, as an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location, NIST says.

The security model has taken on new significance as more organizations shift to remote and hybrid work models on a long-term basis, and as they adopt more cloud services and rely on a growing number of mobile devices.

Zero Trust Network Access (ZTNA) products and services create logical access boundaries around applications, based on identities and context. Research firm Gartner notes that with ZTNA, applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities.

The broker verifies the identity, context, and policy adherence of the specified participants before granting access, and prohibits lateral movement elsewhere in the network, the firm says. This removes application assets from public visibility and significantly reduces the attack surface.

But while ZTNA helps organizations tighten control over their security infrastructures, it poses challenges for internal digital forensics and incident response (DFIR) and security teams. Remote endpoints that never join the corporate network and cannot be reached by inbound connections are hard to collect data from when it is needed most.

Following an incident, security teams must be able to collect the related data, including what happened during the incident and immediately before it, to analyze the data so they can remediate the problem.

Organizations need incident response solutions such as Exterro FTK Enterprise, which can collect data from any Zero Trust platform.

FTK Enterprise is designed to quickly identify the activity putting an organization at risk and to support a plan for eliminating it before it becomes a larger issue. It lets investigators preview and collect triaged, relevant data from endpoints using agents that run on those endpoints, which can save countless hours in an investigation where timing is critical.

The solution's agent offers several capabilities that are useful when investigating an incident: it can run Microsoft PowerShell; query the Windows operating system and its files; query the Linux operating system and its underlying service structure; and query the host firewall to determine which services are exposed on a particular machine.

There is also the ability to isolate a breached machine from the corporate network while keeping the agent's connection to the central platform open. This allows security teams to continue running investigative procedures even as the end user continues to work on the machine.
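The two capabilities above, a host-firewall snapshot of what is listening on the machine and an isolation that cuts everything except the agent's channel to the central platform, can be reproduced with the built-in Windows Defender Firewall cmdlets. The script below is an added example written for this page; it is not Exterro or FTK code and does not show how the FTK agent does this internally. The collector hostname, port, and state-file path are assumptions for illustration. Run it from an elevated PowerShell session; `-Lift` reverses the isolation.

```powershell
<#
Added example (not Exterro/FTK code): isolate a suspected-compromised Windows host
with Windows Defender Firewall while keeping one outbound TCP channel to a DFIR
collection platform, after taking a listening-service snapshot.
Hostname, port and state-file path below are assumptions for illustration.
#>
[CmdletBinding()]
param(
    [string]$CollectorHost = "dfir-collector.example.internal",  # assumed platform hostname
    [int]$CollectorPort    = 443,                                # assumed: agent talks TLS on 443
    [string]$StateFile     = "$env:ProgramData\dfir-isolation.xml",  # assumed
    [switch]$Lift
)
$Group = "DFIR Isolation"

if ($Lift) {
    # Reverse: restore the outbound default, re-enable what we disabled, drop our rule.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow -DefaultInboundAction Block
    $state = Import-Clixml -Path $StateFile
    if ($state.Disabled) { Enable-NetFirewallRule -Name $state.Disabled }
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Remove-Item -Path $StateFile -ErrorAction SilentlyContinue
    Write-Host "Isolation lifted."
    return
}

# 1. Triage snapshot, taken before the host is changed: every listening TCP port and
#    the process that owns it (the "what services are on this machine" question).
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort = $_.LocalPort
        Pid       = $_.OwningProcess
        Process   = $p.ProcessName
        Path      = $p.Path
    }
} | Sort-Object LocalPort -Unique

# 2. Resolve the collector now; DNS will not be reachable once isolation is in place.
$collectorIps = Resolve-DnsName -Name $CollectorHost -Type A -ErrorAction Stop |
    Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }

# 3. Record the currently active outbound allow rules so the change is reversible,
#    then disable them. Leaving them enabled (e.g. Core Networking) would let traffic
#    through even with a Block default.
$active = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.Group -ne $Group }
[pscustomobject]@{ Disabled = @($active.Name); Listeners = $listeners; When = Get-Date } |
    Export-Clixml -Path $StateFile
$active | Disable-NetFirewallRule

# 4. Add the single narrow allow rule for the agent channel BEFORE flipping the
#    default to Block, so the agent's session is never interrupted.
New-NetFirewallRule -DisplayName "$Group allow collector" -Group $Group `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemoteAddress $collectorIps -RemotePort $CollectorPort -Profile Any | Out-Null
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block -DefaultInboundAction Block

Write-Host ("Host isolated. Allowed: {0} tcp/{1}. {2} listeners recorded in {3}." -f `
    ($collectorIps -join ','), $CollectorPort, @($listeners).Count, $StateFile)
```

Two caveats a responder should know before using an isolation like this. Because every other outbound allow rule is disabled, DHCP renewals are also blocked, so the host will lose its address when the lease expires; either allow UDP 67/68 explicitly or keep the isolation shorter than the remaining lease. The allow rule is pinned to the IP addresses resolved at isolation time, so a collector behind a load balancer whose addresses change will drop the agent channel; resolve all addresses the platform can answer from, or allow the whole range the platform is published on.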

The solution also takes extra security measures, such as encrypting all traffic between the agent and the central platform, so that while a team is investigating, no one, including an insider within the company, can view the collected data inappropriately.

Another major benefit is the ability to fully automate remediation tasks using templates that are created once and can be reapplied. This saves security teams considerable time and effort in resolving the vulnerabilities behind an incident.

As the Zero Trust security architecture continues to gain momentum in many sectors, organizations will need effective ways to collect and analyze data as part of their DFIR efforts following an incident.

Solutions such as FTK Enterprise, together with FTK Central (its user interface) and FTK Connect (which automates manual steps in e-discovery and incident response workflows through application programming interfaces, or APIs), give organizations a powerful capability to investigate incidents quickly and resolve the issues that allowed them to happen.
