Zero trust, Threat Management

It’s time to give zero-trust to zero-days

CISA Director Jen Easterly has been a strong advocate for the security industry adopting zero-trust principles. Today’s columnist, Emil Sayegh of Ntirety, says zero-trust offers the best way for the industry to stop zero-day attacks. (Photo by Kevin Dietsch/Getty Images)

Like a stealthy drone hovering above, it’s not possible to see zero-day threats until it’s too late. While it sounds a bit like a setup for a bad horror movie, zero-day threats are unfortunately quite real. Zero-day attacks are enabled by a combination of security flaws, malware, software vulnerabilities, ransomware, and other seemingly invisible weaknesses that manifest as digital cracks in an organization’s security.

So why call it zero-day? The name refers to the lack of advanced knowledge by the target about these cracks: only the attacker is aware of the vulnerability, exploit and the timing of their planned attack. The cyberattack that follows could be immediate, it could play out over weeks, months, or years. Once launched, attackers are very patient, collecting information, launching additional attacks, elevating privileges, or they may complete their mission immediately. Traditional security methods, such as reactive signature-based threat detection offer no protection over threats that only the attacker knows about.

Welcome to zero-trust

Zero-trust has emerged as one of the most effective strategies to deal with zero-day threats. This set of security principles essentially make every day a day zero. Systems and networks are set up to not trust anything. Basically, security teams must vet and validate every transaction, change, and request. The approach can also offer an edge to address the real danger of insider threats. After all, once an outsider makes their way inside of a system, they are no longer an outsider. Zero-trust systems are redefining the perimeters of network protection.

Both flexible and granular, zero-trust leverages tools such as multi-factor authentication with tools such as active session-based risk detection to produce higher levels of security. Where we would once protect the known entry points, zero-trust secures digital assets themselves. Only known and approved processes are allowed to run in a zero-trust environment. Every access touchpoint gets engineered and validated according to design, whether the user is an administrator, client, partner, outside user, or employee.  

Stepping into the zero

Security teams will easily discover platforms and technologies that will help their companies adopt zero-trust principles. However, zero-trust adoption follows a recurring series of steps that serve as general guidelines:

  • Identify the most critical and sensitive data access workflows. Begin by building access policies and controls to protect critical data using multi-factor authentication, encryption, session management, and privileged access protections.
  • Determine which assets the company plans on supporting. Do this whether the company uses standard perimeter controls, or if the team plans on maintaining a hybrid protection or plans to completely migrate to zero-trust networks and systems.
  • Develop a solid plan for a greenfield deployment. Many organizations build zero-trust frameworks on greenfield networks. Reworking existing networks into the systems sometimes becomes prone to missteps and challenges. If the team goes this way, build it new and then transition.
  • Reduce the attack surface. Create a thorough network, data, and resources strategy that reduces the overall attack surface using network and logical segmentation.
  • Review requirements within the organization for network access, for all users. Consider and account for access to sensitive data and systems. It’s ultimately a business exercise that specifically defines the roles and needs of various users, allowing for structured plans and policies to build from. Identities and users should only ever have access to just the information they need and nothing more.
  • Roll out the plan in phases. By creating phases and corresponding segments in the zero-trust transition, the steps to get to the final state include migration to roles, stronger methodologies, and operations during the transition.
  • Get everyone on board. The company will need all employees and executives in the company to get proper information and education about the company’s security principles. They may not buy-in initially, but they need to know that these processes are non-negotiable. The company will always face a tradeoff between security and convenience. It’s important to strike that balance.

Not quite zero problems and challenges

Once the team has defined a strategy, there are some challenges to watch for when implementing zero-trust:     

  • Strike that balance between productivity and zero-trust. The team never wants its zero-trust policies to break the productive usability of users. Especially executives.
  • Focus on compatibility. Not all networks, appliances, and systems are compatible with zero-trust out of the box. They may require upgrades, updates, or replacement. It’s part of the phased build-out approach where the team introduces zero-trust strategically and networks built from the ground up offer the most sensible approach for many.
  • Avoid security gaps throughout the transition. It’s possible that gaps in security are created during the deconstruction of legacy systems. Again, understand that there will be a period of transition at some point in time, so stick to the strategy.
  • Zero-trust does not mean zero-administration. Only by adjusting to the rapid and continual changes and requirements of the company can zero-trust maintain its protections.

After security teams dive into zero-trust, they must continually tune and maintain it, and sometimes the team must build new environments. Think of zero-trust as a living, breathing construct that requires regular and rapid maintenance, policy updates, and review. 

Companies evolve. People evolve. Threats evolve. The company’s security should also evolve. For example, employees and even entire departments can change roles, change managers, and change locations while trampling on the organization’s once-perfect policies along the way.

Remember that zero-trust and comprehensive security takes courage – and it’s not for the undecided. If organizations can’t commit to this fully with internal resources, then partner with a cybersecurity firm that can own the process end-to-end and get a comprehensive security solution implemented. It’s important to offload the security work, unless the organization can commit the resources to get it done, without gaps.

Many companies that have dealt with major security threats and those that have enhanced security goals gravitate to zero-trust systems. The availability and adoption of zero-trust systems help protect data and systems where it counts most – at the point of access. Zero-trust principles can stop breaches from spreading. Adopting a zero-trust security architecture will help the organization make a proactive defensive stand when it comes to both known and unknown threats.

Emil Sayegh, chief executive officer, Ntirety

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.