It seems that the term “zero-trust” is emerging as the latest buzzword in network security and cybersecurity communities. To explain it, one can look to the Days of Antiquity, at the height of the Roman Empire when its borders encompassed most of Europe, Northeast Africa and the Middle East. Much of the early years of the Empire was focused on what was known as “Preclusive Security,” which was an expansionist approach of fighting opponents either in their own lands or at a heavily fortified border.
The problem was that as the Empire expanded, so did its borders, which increasingly proved difficult to staff and resupply with loyal legionnaires, and ultimately became significantly harder to defend. Once invaders like Attila the Hun were able to breach the heavily guarded border, there was little that stood in their way from nearly capturing both Constantinople and Rome.
These challenges associated with the ever-sprawling border precipitated a shift in the Empire’s strategy to what’s called “defense-in-depth,” which established a series of lightly-defended sentry posts at the borders instead of heavily fortified outposts.
While the border may not have been hardened any longer, the sentry posts served as the eyes and ears of the Empire. In the event of an enemy invasion, instead of holding their ground and fighting their opponents at the border, sentries retreated to reinforced positions within their own territory for a better chance to repel invaders.
Fast Forward Two Millenia
In the 1980s and beyond, we began applying this same defense-in-depth philosophy to our IT networks, layering protection and redundancies to reduce vulnerabilities, instead of a hardened border. In “those days of antiquity” with .rhosts files and unencrypted telnet protocols, often simply penetrating the firewall could lead to a total compromise of an entire network.
As our networks evolved into their modern-day software-as-a-service-heavy, hybrid-cloud infrastructure equivalents, much like the Romans, we find our networks further at the edge than ever before. Many contend that they are so far and distributed that it is difficult to clearly define a border to defend.
Nemo Sine Vitio Est (No One is Without Fault) – Seneca the Younger
At its core, zero trust is the idea that your networks are already compromised. From simple malware running cryptominers to advanced foreign nation-state attackers who are carefully working to stay hidden to sabotage or steal your data, much like Attila, the invaders are inside your networks.
Complicating matters is that for every line of code written worldwide, new vulnerabilities may be introduced, hackers create more capable malware, and the number of possible attacks, backdoors and persistence tricks grows as well.
The defenses that we have traditionally erected—like firewalls, UTMs, IDS/IPS, and malware filters—remain critical but are no longer sufficient without greater visibility. While they create barriers and tripwires, a zero-trust environment requires acknowledging that these will be scaled, circumvented and tip-toed around to gain access to your networks. Think of these traditional static defenses as barriers that force your adversary to change their behavior, giving you a chance to identify. This only works, however, if you are paying attention.
Despite the efforts to protect, visibility is often poor in dispersed, hybrid, network environments. Without either a well-defined border to defend or cybersecurity sentries keeping watch, it may be difficult to determine exactly when or where intruders have penetrated your networks.
It should not escape anyone that the complex supply chain SUNBURST attack from last year went undiscovered for the better part of a year despite having dozens, if not hundreds, of organizations and agencies compromised. The alarm bells simply did not go off as the attack vectors were never seen.
Nil Desperandum (Never Despair) – Horace
So how does one defend a sprawling network with shifting borders and an ever-increasingly number of ways in which the adversary may slip in and stay in? It takes a paradigm shift in thinking and approaches.
With the network border blurry at best, we no longer have a single and convenient point of telemetry collection to force the attacker in the open. Instead, we must rely on a patchwork of overlapping barriers and telemetry sources over the entire network stack.
Endpoint detection solutions must be combined with endpoint forensics and log collection. Infrastructure as a service requires a more traditional firewall approach while enabling the capturing packets and flows for cyber hunting. SaaS solutions will increasingly need to expose usage and security APIs to detect and gain insight into potential adversarial behavior.
The mantra of the next decade is going to be overlapping angles—do not deploy a defensive solution without sources of forensic visibility. Apply policy on the endpoint, the data center, IaaS and SaaS while collecting, storing and creating visibility angles on all.
Visibility telemetry, much like the Roman sentries of yesteryear, are the eyes and ears of the cyber hunter. This is how we spot the most dangerous of all threats: The one that knows how to stay hidden.