May 3, 2017
Zero Trust principles have, thus far, been mainly aimed at the network and the technology that makes our interconnected systems “live.” That’s how the concept was originally meant to be applied, but the reality of the threat vectors and need for better security capabilities means that Zero Trust has to adapt just like everything else does. The concept for Zero Trust is super, and it's being adopted at quite a few major organizations, but there's still a problem:
Think about it. If you watch TV or listen to the news, you hear a constant stream of reporters and technology talking heads all saying how a major breach started with a phishing email or a targeted threat attack. Usually, it was someone clicking on something on a webpage that was, in reality, a malicious link, or an iframe, or a cross site script, or a web redirect, or a watering hole attack against the browser, or some other evil shenanigan that targeted a user via their interaction.
In quite a few cases, major breaches have started with nothing other than a bad guy simply changing a domain link from something like Forrester.com to Forester.com (See that? Just one "r" makes a difference). And with a bit of work, anyone can copy and use a website's source code and find URLs and hot links that can be modified for malicious purposes. There are entire frameworks for sale on criminal forums just for this purpose. Heck, the bad guys even have services that will do the technical part of these operations for you. The point is that there are a lot of pretty easy ways to target and hack meatware, and we have no patch lifecycle or automated vulnerability scans (even though we may someday if Mr. Musk has his way). So that means, if we really want to tackle this security issue holistically, we need to apply Zero Trust to the user as well. But there's a problem with that.
How do we stop users from being targeted (and yes, in some cases doing dumb and possibly very dumb things online) and still enable them to leverage the web? We are calling it “Building a Zero Trust Workforce,” and within this arena there are already a variety of tools and technologies that are available to help enterprises and security leaders dramatically reduce the threat vectors that users present to their network. By using the best-of-breed tools and techniques that are now present in this space, security leadership can start applying Zero Trust to the final frontier of threats within their network: the users. We can actually “patch the meatware.”
The entire point of the Zero Trust mantra initiated by John Kindervag is to point out the areas of a network that could and could not ever be trusted to handle data and that it's essentially impossible to determine what should and should not be a trusted connection by default. His ideas of breaking free from the paradigm of trusting whatever is bouncing around a network and then hoping that you can catch the bad guys in the act of cybercrime are a game-changing concept for better security. Imagine if we applied that same concept of not trusting our employees and users' interactions online. Instead, we look at them as most likely being malicious first and trusted only after real validation, even if this approach only got it right 50% of the time, the reduction in threats from our user base are well worth the investment.
In Zero Trust, nothing is trusted (see how the wording works there). The network and everything it contains is seen as the crux of the fail point for security. As such the environment must be segregated and isolated to aid the defenders in protecting what can be protected.
Great, super, congrats…That makes total sense, but we need to apply that concept to the folks that are doing all the clickety-clicking on the web to help push that Zero Trust beachhead outward.
A security team can throw all the whiz-bang AI and crazy machine learning at the problem of detecting threats, and an ops team can have the sexiest UI being used in the most Star Trek looking SOC in history, but if one user takes their BYOD laptop home and lets little Timmy or Kimmy use it for homework, and they click something malicious, then all that fancy crap is rendered useless. In Zero Trust, we protect what we can protect, isolate and segregate everything else, and we never trust the system or its connections inherently. In doing so, we can greatly improve our security posture. But just like any defense, it fails when there are holes in the wall. And trusted meatware means holes in the wall, period.
The only trick is that, if you want to know which tools, methods, and technologies are the real best-of-breed in this space, you'll have to check out my research on the topic. Just go click this link to read up on it:
Got ya, meatware!