
Zero Trust: Faustian bargain?

By Martin Roesch

The movement toward Zero Trust architecture has been a powerful advance in security, but it also comes at a price. The point of Zero Trust is to move the default posture of an organization’s IT assets from implicit access, where a successful login grants relatively open access to the resources and devices on a network, to explicit access, where every access to every resource is brokered by an identity- and attestation-based permission model that is continually re-evaluated. The enforcement mechanism that forces access to be unlocked on a case-by-case basis is encryption: of memory, of disks, and above all of the network, so that a session yields data only to a party holding the right keys. In theory, this blast containment concept is great because it limits the extent of a compromise. In practice, the identity-based access control system can itself be abused: an attacker who steals a credential or session token inherits every access that identity has been granted, and pervasive encryption blinds the deep packet inspection (DPI) appliances we have traditionally relied on to detect attacks on the network. The result is that these compromises become incredibly difficult to prevent, and hard even to see.

How do you gain network visibility and control when DPI is an endangered species and you’re left depending on endpoint detection and response (EDR) solutions to do the job? To answer that question, let’s look at how these capabilities operate within the context of a defense in depth strategy.

Reframing defense in depth
For years organizations have used a “defense in depth” approach, layering multiple tools to arrive at a set of capabilities intended to fully secure their network. Prior to Zero Trust and the pervasive use of encryption, we could detect attacks on the network with traditional network intrusion prevention systems (IPS) and network detection and response (NDR) tools, and detect compromises on the endpoint with EDR. But the truth is, defense in depth is a misnomer. It’s really “defense in adjacent scope”. There is very little overlap between what IPS and NDR tools detect, which is packets and protocol violations, and what EDR tools detect, which is files and anomalous system behavior; each layer covers a different part of the attack rather than the same part twice. This distinction clarifies the implications when DPI can no longer detect protocol-based attacks at the network layer. In the absence of traditional analysis, validation, and protection on the network, attacks land unhindered on a device, and the only line of defense at that point is EDR. So, what happens when EDR misses an attack?

If you look at the attack continuum, organizations spend a lot of time on the before and during phases of an attack, but the after phase is just as critical, because damage escalates quickly post compromise. Rapid response can mean the difference between a minor incident and a major breach.

EDR is obviously valuable and provides unique visibility into local processes and system activity. However, its ability to help can be very limited in the wake of a successful compromise: an attacker with administrative rights on the host can tamper with or disable the agent, and anything the agent did not flag at the time of compromise leaves nothing to follow. Additionally, not every endpoint and device on a network can support an EDR agent (printers, IoT and OT equipment, network gear, and unmanaged devices among them), and most organizations aren’t even aware of every endpoint connected to their Atomized Network, which leaves entire classes of devices unprotected.

Post compromise, you need a way to monitor the network that is unaffected by encryption, so that compromises can be detected, scoped, contained, and remediated. The priority at that point is to minimize the time to detect and contain the breach, so that attackers can’t expand the foothold they already have.

A flow-based approach
In a Zero Trust world, Netography shrinks attacker dwell time with an architecture that deploys and can protect everywhere in minutes. We do this by monitoring the behaviors and activities of devices across your Atomized Network without relying on packets. Instead, we use metadata in the form of flow data: which hosts talked to which, on which ports and protocols, when, and how much, all of which remains visible when the payload is encrypted. Our flow-based system provides visibility into activities, behaviors, and indicators of compromise that traditional NDR and EDR tools can’t pick up. And we do this without on-premises infrastructure or agents.
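As an added illustration, not Netography’s product code and not part of the original article, here is a small Python script showing the kind of detection that flow metadata alone supports, covering both the post-compromise monitoring the previous section calls for and the flow-based approach described above. The flow records, internal address ranges, thresholds, and function names are all constructed assumptions for the example; it runs on an in-memory sample rather than a real NetFlow/IPFIX feed. Nothing in it looks at a payload, so it behaves the same whether the traffic is TLS, SSH, or cleartext.

```python
"""Flow-based post-compromise detection over constructed NetFlow/IPFIX-style
records: only metadata (time, endpoints, port, protocol, bytes), no payload, so
the logic is unaffected by encryption. Added example; addresses, thresholds and
sample flows are assumptions, not Netography's product code."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float     # flow start, seconds (relative, for readability)
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int   # bytes sent src -> dst


# Assumed internal address space and the ports used for remote administration.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_beacons(flows, min_flows=6, max_cv=0.2):
    """Internal host contacting one external endpoint at a regular interval:
    flags (src, dst, port) groups whose inter-flow gaps vary little."""
    times = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            times[(f.src, f.dst, f.dport)].append(f.ts)
    alerts = []
    for (src, dst, dport), stamps in times.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts.append({"type": "beacon", "src": src, "dst": f"{dst}:{dport}",
                           "period_s": round(avg), "flows": len(stamps)})
    return alerts


def detect_fanout(flows, window_s=300, min_targets=5):
    """One internal host opening admin-port connections to many distinct
    internal hosts inside a sliding window: lateral-movement fan-out."""
    per_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport in ADMIN_PORTS:
            per_src[f.src].append((f.ts, f.dst))
    alerts = []
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window_s}
            best = max(best, len(targets))
        if best >= min_targets:
            alerts.append({"type": "lateral_fanout", "src": src, "targets": best})
    return alerts


def detect_exfil(flows, min_bytes=50_000_000):
    """Bulk outbound volume from an internal host to a single external host."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.nbytes
    return [{"type": "exfil", "src": s, "dst": d, "bytes": b}
            for (s, d), b in totals.items() if b >= min_bytes]


def run_all(flows):
    return detect_beacons(flows) + detect_fanout(flows) + detect_exfil(flows)


def _https(src, dst, times, nbytes=1200):
    return [Flow(t, src, dst, 443, "tcp", nbytes) for t in times]


# Constructed sample: one compromised host (10.0.1.5) plus benign activity.
SAMPLE_FLOWS = (
    # C2 beacon: small HTTPS flow to the same external host about every 60 s
    _https("10.0.1.5", "203.0.113.10", [0, 61, 119, 181, 240, 301, 359, 420])
    # benign browsing: as many flows, but irregular timing, so not flagged
    + _https("10.0.1.8", "192.0.2.44", [5, 20, 300, 310, 900, 905, 2000])
    # lateral movement: SMB to ten internal hosts within 18 s
    + [Flow(500 + 2 * i, "10.0.1.5", f"10.0.2.{10 + i}", 445, "tcp", 4096)
       for i in range(10)]
    # exfiltration: three 30 MB uploads to one external host
    + _https("10.0.1.5", "198.51.100.7", [600, 660, 720], nbytes=30_000_000)
    # benign admin work: one operator host, one file server, one SSH hop
    + [Flow(100, "10.0.1.7", "10.0.5.5", 445, "tcp", 20_000),
       Flow(700, "10.0.1.7", "10.0.5.5", 445, "tcp", 18_000),
       Flow(3000, "10.0.1.7", "10.0.5.6", 22, "tcp", 9_000)]
)

if __name__ == "__main__":
    for alert in run_all(SAMPLE_FLOWS):
        print(alert)
```

Running it yields three alerts, all on 10.0.1.5: a 60-second beacon to 203.0.113.10:443, a fan-out to ten internal SMB targets, and 90 MB sent to 198.51.100.7. The thresholds are illustrative; in production you would baseline per segment, suppress known update services and backup hosts, and correlate these network-side findings with whatever EDR reported from the host so the after phase can be scoped from both sides.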

The Netography Fusion SaaS-based universal platform provides customers with complete network visibility across their entire network infrastructure, on-premises and cloud, for real-time and retrospective attack detection, so you have the opportunity for rapid response. A single portal lets you see and control everything in one place, eliminating the need to jump between multiple consoles and conventions to figure out what is going on. We enrich this data with business and threat intelligence to accelerate and simplify detection, hunting, and analysis.

With no hardware, no software, and nothing to install, you can quickly replace the network visibility you’re rapidly losing in a Zero Trust world and complement EDR with capabilities you’ve never had before to better protect your ever-expanding enterprise network. 

As it turns out, when you look at Zero Trust critically and architect for it appropriately, it isn’t a Faustian bargain after all.