How will zero trust change the incident response process?
What is zero trust security?
Zero trust is a network security model that applies strict identity verification for any user, application, and device attempting to access resources on a private network. Whether the attempt originates from within or outside the network perimeter does not matter — all must abide by the predefined zero trust rules and policies.
The zero trust model is applied holistically by employing various technologies and principles. Typically, it involves using zero trust network access (ZTNA) technology, which is designed especially for zero trust architecture, alongside additional network security tools and practices. The purpose of this variety is to ensure no entity within the scope of the network is trusted by default.
Zero trust security practices and policies help organizations avoid the high costs of data breaches. Zero trust processes often require verification from any entity attempting to access network resources. Zero trust creates an additional layer of security, which can help prevent data breaches. According to studies by IBM, the cost of a data breach can often reach well over $3 million.
Zero trust’s critical role in modern security
The traditional security paradigm tries to build security defenses around a perimeter. However, today’s organizations use modern practices that leverage cloud resources and remote work. Corporate networks are now required to allow access to devices that the organization does not necessarily control. As a result, there is no clear perimeter to defend, and personally owned laptops and tablets can turn into entry points for attacks.
Organizations need to defend their networks and IT assets from all threats — those existing within the network and those allowed remote access, including devices, applications, infrastructure, data, and identities. Modern security paradigms consider the distributed and complex nature of today’s network, offering organizations tools, techniques and technologies capable of securing modern networks.
Zero trust adoption in the U.S.
Zero trust is a modern security concept designed to help organizations protect complex and distributed ecosystems. It is even mentioned in Section 3 of the U.S. federal Executive Order (EO) on cybersecurity, which asks the federal government to modernize its cybersecurity approach. According to Section 3, to modernize cybersecurity, government agencies need to accelerate their move to secure clouds and implement zero trust security controls, such as end-to-end data encryption and multifactor authentication.
The National Institute of Standards and Technology (NIST) of the US Department of Commerce is developing federal standards and guidance for zero trust security. Here are key tenets of zero trust, as defined by NIST:
- Use dynamic resource authentication and authorization — these processes should be flexible enough to adapt to changing context, yet strictly enforced before any access is allowed.
- Evaluate trust in the requester on every access request before granting access — and grant only the least privileges required to complete the task.
- Remain on the defensive — ensure your assets always act as if a threat actor is present on the network.
Zero trust helps organizations become more consistent, resilient, and responsive to new attacks. An end-to-end zero trust strategy makes it harder for threat actors to get into your network while minimizing the potential blast radius by preventing lateral movement.
The five zero trust domains
Organizations need to break down their IT security domains into foundational components to implement zero trust security. Instead of applying zero trust across the entire organization at once, you need to first analyze all zero trust domains that can support IT security, then prioritize them and plan how to raise the maturity level of each domain.
Here are several zero trust domains:
- Automation and orchestration — achieve proactive security by automating prevention, detection, and response actions via integrated security controls. By automating investigative tasks, operations and security teams can become more productive. By orchestrating pre-defined incident response activities in near real-time, teams can detect threats and quickly take action to isolate and neutralize them.
- Identities — the core component of zero trust architectures. Identities serve as the new perimeter. By centralizing authentication and authorization, you can allow your workforce to quickly and securely access company resources, using access management and streamlined authentication.
- Data — an effective zero trust strategy classifies data, then protects sensitive data in transit and at rest using encryption, data loss prevention (DLP), and advanced data discovery capabilities.
- Networks — the corporate network is in charge of carrying traffic between devices, applications and users. Zero trust practices for network security include segmentation, monitoring and activity analysis. The goal is to operate on the assumption that any network connection request is untrustworthy.
- Devices — including known or managed devices, unmanaged devices and smart devices such as Internet of Things (IoT) devices. All devices that can connect to enterprise assets should be continuously assessed for threats and risks. You can use the identity of the device, the logged-in user or other contextual signals to inform risk-based adaptive access decisions.
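The NIST tenets above (dynamic, per-request authorization; least privilege; no trust from network location) and the identity and device domains come together in the policy decision point that sits in front of every resource. The following is an added example, not code from the original article or from any ZTNA vendor: a small policy evaluator in which the resource name, the roles, the device attributes, the patch-age threshold and the three sample devices are all constructed for illustration. It also shows an edge case the text implies but does not spell out: a request from the corporate LAN is evaluated exactly like one from the internet, so an unmanaged personal device inside the office is still refused.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after a fresh, stronger verification (e.g. MFA)
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool
    patch_age_days: int    # days since the last security update was applied


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset       # roles the identity provider asserts for this user
    device: Device
    resource: str
    action: str            # "read" or "write"
    mfa_verified: bool     # MFA completed for *this* session, as reported by the IdP
    network: str           # "corp", "vpn" or "internet"; recorded but never trusted


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_actions: dict          # role -> set of actions (least privilege per role)
    requires_managed_device: bool
    max_patch_age_days: int


def decide(req: Request, policy: ResourcePolicy) -> Decision:
    """Evaluate one request. Called on every request, not once at login, so a
    device whose posture degrades mid-session loses access on its next call."""
    # Tenet: location on the network is not a trust signal. `req.network` is
    # deliberately never consulted; a request from "corp" is judged like one
    # from "internet".

    # 1. Identity and least privilege: the action must be granted by some role.
    permitted = set()
    for role in req.roles:
        permitted |= policy.allowed_actions.get(role, set())
    if req.action not in permitted:
        return Decision.DENY

    # 2. Device posture: unmanaged or unencrypted devices are refused outright;
    #    a managed device that has fallen behind on patches gets a step-up.
    if policy.requires_managed_device and not req.device.managed:
        return Decision.DENY
    if not req.device.disk_encrypted:
        return Decision.DENY
    if req.device.patch_age_days > policy.max_patch_age_days:
        return Decision.STEP_UP

    # 3. Verification strength is tied to the sensitivity of the action.
    if req.action == "write" and not req.mfa_verified:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed policy for a hypothetical "payroll-db" resource (sample only).
PAYROLL_POLICY = ResourcePolicy(
    allowed_actions={"hr-analyst": {"read"}, "hr-admin": {"read", "write"}},
    requires_managed_device=True,
    max_patch_age_days=30,
)

# Constructed sample devices (not real inventory data).
HEALTHY = Device("lt-0412", managed=True, disk_encrypted=True, patch_age_days=7)
STALE = Device("lt-0413", managed=True, disk_encrypted=True, patch_age_days=45)
BYOD = Device("ph-0099", managed=False, disk_encrypted=True, patch_age_days=0)


def sample_decisions():
    """Return the decisions for a few constructed requests."""
    cases = {
        # Analyst reading from a healthy managed laptop on the corporate LAN.
        "analyst_read": Request("alice", frozenset({"hr-analyst"}), HEALTHY,
                                "payroll-db", "read", mfa_verified=False, network="corp"),
        # Same analyst attempting a write: the role does not grant it.
        "analyst_write": Request("alice", frozenset({"hr-analyst"}), HEALTHY,
                                 "payroll-db", "write", mfa_verified=True, network="corp"),
        # Admin writing without MFA on this session: role allows it, but step-up first.
        "admin_write_no_mfa": Request("bob", frozenset({"hr-admin"}), HEALTHY,
                                      "payroll-db", "write", mfa_verified=False, network="vpn"),
        # Admin reading from a laptop 45 days behind on patches.
        "admin_read_stale": Request("bob", frozenset({"hr-admin"}), STALE,
                                    "payroll-db", "read", mfa_verified=True, network="corp"),
        # Admin on a personal phone inside the office: location does not rescue it.
        "admin_read_byod": Request("bob", frozenset({"hr-admin"}), BYOD,
                                   "payroll-db", "read", mfa_verified=True, network="corp"),
    }
    return {name: decide(req, PAYROLL_POLICY) for name, req in cases.items()}
```

The order of the checks is deliberate: role-based least privilege is evaluated first so that a device or MFA problem never turns an action the identity was never entitled to into a "step-up and retry" prompt.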
Quick primer on the incident response process
Incident response is a core process at any security organization. It ensures that an organization can identify security threats and respond to them in a timely manner, minimizing damage to the organization. Like other aspects of network security, incident response will be dramatically affected by implementing zero trust.
Before we examine the impact of zero trust on incident response, let’s review the two frameworks most commonly used to structure incident response processes:
- SANS Incident Response Framework — SANS is the world's biggest security training and certification provider, operating a system for warning organizations of the latest cyber threats. SANS has published an Incident Response manual that provides a structured incident response process encompassing six steps, from pre-incident preparation to lessons learned from the incident.
- NIST Incident Response Framework — The National Institute of Standards and Technology (NIST) is an organization run by the U.S. Department of Commerce, which establishes various industry standards and provides recommendations for incident response. NIST offers an incident response strategy with four steps, which stipulates that incident response efforts must be continuous, with organizations learning and improving over time to strengthen their defenses.
The following table summarizes the recommended incident response procedures for each framework.
The isolation strategy may differ according to the degree of damage, the requirement for continued access to the affected system, and the time it takes to implement the solution.
Once an incident is contained, you can remove all threats from your environment, restore systems to normal operation, and take steps to prevent the targeted assets from being attacked again.
How will the zero trust domains impact incident response?
Zero trust changes the structure and operating characteristics of networks. This means it also changes the way we do incident response. The following table summarizes how each of the zero trust domains will impact different stages of the incident response cycle.
Evolution of zero trust
Zero trust is changing everything about how we do security — and incident response is no exception. The zero trust model, and its supporting technology solutions, have tremendous potential to improve incident response. Zero trust provides:
- Additional context about security events that can help identify incidents and respond faster and more effectively
- Sophisticated tools for network segmentation and isolation that can rapidly contain threats
- Ability to adapt access policies in a highly granular manner in the wake of an attack — to prevent similar threats from recurring
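The three benefits listed above, together with the automation and orchestration domain described earlier, can be shown working end to end. The following is an added example, not code from the original article or from any product: the log format, the timestamps, the user and device names and the resource names are all constructed, and the containment actions are generic placeholders for what a real ZTNA or identity platform would expose. It uses the extra context a zero trust access layer records on every decision (identity, device, resource, outcome) to spot one identity being refused on several resources in a short window, then emits the granular containment steps the text describes: revoke sessions, move the device into a quarantine segment, and require re-authentication, rather than disconnecting a whole subnet.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ZTNA access-decision log lines (not real data). Each line records
# the policy decision for one request together with the identity and device.
SAMPLE_LOG = """\
2024-05-02T10:01:07Z decision=allow user=alice device=lt-0412 resource=wiki reason=ok
2024-05-02T10:01:09Z decision=deny user=alice device=lt-0412 resource=hr-db reason=role
2024-05-02T10:01:12Z decision=deny user=alice device=lt-0412 resource=fin-share reason=role
2024-05-02T10:01:15Z decision=deny user=alice device=lt-0412 resource=ci-runner reason=role
2024-05-02T10:02:40Z decision=deny user=bob device=lt-0901 resource=hr-db reason=role
2024-05-02T10:30:00Z decision=deny user=bob device=lt-0901 resource=fin-share reason=role
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) decision=(?P<decision>\w+) user=(?P<user>\S+) "
    r"device=(?P<device>\S+) resource=(?P<resource>\S+) reason=(?P<reason>\S+)$"
)


def parse(log_text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the pipeline
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_probing(events, window_minutes=5, min_resources=3):
    """Flag (user, device) pairs denied on at least `min_resources` distinct
    resources within a sliding window of `window_minutes`. A single denial is
    normal; a burst across unrelated resources is the context that makes it an
    incident candidate rather than noise."""
    window = timedelta(minutes=window_minutes)
    denied = defaultdict(list)
    for e in events:
        if e["decision"] == "deny":
            denied[(e["user"], e["device"])].append((e["ts"], e["resource"]))
    alerts = []
    for (user, device), items in denied.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {res for ts, res in items[i:] if ts - start <= window}
            if len(seen) >= min_resources:
                alerts.append({"user": user, "device": device,
                               "first_seen": start, "resources": sorted(seen)})
                break  # one alert per pair is enough to trigger response
    return alerts


def containment_actions(alert):
    """Granular containment using the zero trust controls themselves.
    Action names are placeholders for the calls a real identity provider and
    ZTNA broker would expose; they are not a specific product's API."""
    return [
        {"action": "revoke_sessions", "user": alert["user"]},
        {"action": "move_to_segment", "device": alert["device"], "segment": "quarantine"},
        {"action": "require_reauth", "user": alert["user"], "mfa": True},
    ]


def run(log_text=SAMPLE_LOG):
    """Detect, then plan containment for each alert."""
    return [(alert, containment_actions(alert))
            for alert in detect_probing(parse(log_text))]


if __name__ == "__main__":
    for alert, actions in run():
        print(f"ALERT {alert['user']}@{alert['device']} probed {alert['resources']}")
        for action in actions:
            print("  ->", action)
```

Because containment is expressed as policy changes scoped to one identity and one device, the affected user can be re-verified and restored without touching anyone else, which is the "adapt access policies in a highly granular manner" property the article credits to zero trust.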
Change is never easy, but once incident responders modify their process to adjust to the new environment, they will be much better equipped to deal with the emerging threats of the 2020s and beyond.