Detection and Response
What Is Zero Trust and Why Does It Matter?
There has been a lot of discussion around Zero Trust recently—is it a solution? A strategy? A pipe dream? Eric Skinner from Trend Micro gets real about Zero Trust and explains what it really is, and how organisations can use it to be more resilient.
As the remote workforce expanded, so did the attack surface for cybercriminals—forcing security teams to pivot their strategy to effectively protect company resources. During this time of change, the hype around Zero Trust increased, but with several different interpretations of what it was and how it helps. Eric Skinner from Trend Micro gets real about the true intent of Zero Trust and how you can use it better protect your organisation.
Zero Trust 101
Despite what you may have seen or heard, Zero Trust is not a product feature or a destination. Simply put, it is a philosophy that can be used to improve overall security. With a Zero Trust approach to your security strategy, it becomes very difficult for attackers to move laterally across your environment and successfully leverage a dumped credential.
Zero Trust is as the name suggests—trust nothing by default. Similar to how you wouldn’t give a stranger a key to your home, devices, applications, and identities shouldn’t be granted instant access to your network without first analysing their risk and health.
While Zero Trust isn’t a product that you can plug in and achieve optimal security, the philosophy can be leveraged to design solutions that provide risk insights by assessing, validating, and monitoring the health of endpoints, users, applications, and devices across your entire network.
Solutions can gather telemetry from the environment to calculate an overall risk score before establishing a connection. After the connection is made, the solution should be continually monitoring the endpoints so that if the health of the device, or the user identity or application changes, the connection can be quickly terminated to limit the potential impact. For example, if a user is sending phishing emails or logging in from multiple geographic locations simultaneously, that would be an indicator that their account has been compromised and the connection should be severed.
Choosing the right vendor
Be wary of vendors that claim they can help you “achieve” Zero Trust with what they offer —this shows that they don’t understand the philosophy or how to utilise it. To properly assess the trustworthiness of any devices or applications, you need comprehensive visibility across your environment. A platform solution eliminates siloed point product views so you can access information from one console and prioritise remediation actions across environments. Also, look for a solution with XDR capabilities so, for example, you can gather context around the health of a device and tackle the wide-open VPN challenge. An effective XDR offering also powers well-informed access control decisions by correlating user identity behaviour such as types of emails they’re sending or where they’re logging in from. Strong identity and access management is critical in today’s threat landscape, considering attackers often try to dump credentials to access and exfiltrate high-value data.
Eric Skinner: Hi everyone, my name is Eric Skinner. I'm the VP of market strategy at Trend Micro. I'm here with my colleague, Rachel Jin from the product management team. Hi, Rachel.
Rachel Jin: Hi, Eric. I'm very happy to be here to talk about some new things.
Eric: We have a few new solutions from Trend Micro that we're going to be explaining here today. It's fun. You're going to show us some demos a little bit later, right?
Eric: Okay, well, I'm looking forward to this. Let's get started and the topic area is zero trust. We want to start with a little bit of context around what this term means, because there has been certainly a lot of noise about what this term means in the industry. Certainly, there's been a lot of hype, there's been a lot of marketing, and there's been a lot of different opinions.
Really when we stand back and look at some of these opinions, people are talking about it's a destination… You've achieved zero trust, or you don't. Some people are saying: oh, this is magical thinking, and it really isn't going to work. And some people are saying: well, it's a good philosophy. We're really trying to help simplify the storyline and explain it in the context that it really is a good philosophy for people to be adopting for their security strategy. It's not a destination, it's not a binary setting where you either have zero trust or you don't, but it's a good philosophy to guide or what you do with your security strategy. It's a good enhancement to your current security strategy.
Let's dive into this cloudy terminology around zero trust and talk about why people are doing… So, what problem it's trying to solve, and then we'll get to what Trend Micro is going to be doing about it.
But this part is broader… It's the industry-wide perspective on zero trust. Really before zero trust came along, the old network approach was that everything was wide open, and employees and attackers had full access to the network. If you have a computer in the office, it can reach lots of other network destinations in the office because of communication for the user is different than the next communication layer. Even VPN users end up with wide open network access after they get past the DMZ. So that's problematic when a lot of organisations just want employees reaching one or two particular applications.
When an attacker gets into the environment and maybe they phish and employee, and they're able to dump credentials and elevate to an admin credential… They can do a lot of damage. They can traverse the network, they can spread ransomware. They can exfiltrate data because that network is so available to them.
Network segmentation is a strategy that people started to adopt because it makes that lateral movement more challenging by putting various parts of the network in different boxes and saying: OK, is traffic from this network segment can't flow to this other segment or only under these circumstances. What evolves of course, is a very complex set of rules. Those rules and policies are very, very hard to manage. Either you have a really, really strong set of micro-segmentation rules, or you have a practical set that isn't that strong and that gets even more challenging and more complex with the shift to infrastructure as a service, all kinds of adoption of cloud services, SaaS services, [Microsoft] Office 365 and salesforce.com, and other cloud services, where now you have even more complexity with respect to traffic patterns of that are going to be legitimate and the traffic patterns that you want to protect against.
The SaaS applications introduce one final challenge, which is that the employees are especially the remote employees, these employees are able to connect directly to those services without going through any corporate IT, and that reduces the visibility.
A zero trust approach has started to emerge where the fundamental principle is you start by trusting nothing by default. That's the zero trust part. Right? You trust nothing by default. That means you allow no network connections by default. That endpoint that is trying to reach out and connect to all kinds of places in the network… It isn't allowed to do that. Before it gets allowed to connect to a particular place it's trying to go, it has to be assessed. The risk gets assessed, the health of the device, the health of the identity, the nature of the destination, the data that's being accessed or the data that's being uploaded, and the overall application health.
That assessment feeds into a decision about whether or not to allow a purpose-built connection from that endpoint to the particular application and that connection then gets assessed continuously, so that if the health of the device, or the user identity, or the application changes that connection can in fact be terminated.
This is a very different approach, but it's a very effective approach at making life more difficult for attackers. Attackers have more trouble moving laterally. They have more trouble successfully leveraging a dumped credential. This complements an XDR approach. Detection doesn't go away. You continue to try to do detection, but you're actually giving detection improved odds because you're making the attackers and movements or challenging. Of course, XDR is helping gather context around the device health, for example. This eliminates the wide open VPN challenge. Now you're able to have employees onsite or offsite connect to specific applications, and you're able to determine an access policy driven off the risk insights that you're deriving from the environment. That means your overall policies are going to be a little less complex around what you allow, because so much of it can boil down to only allow healthy users and healthy devices. Of course, there's going to be more than that, but it does simplify the definition of what's allowed in the environment.
I hope that helps set the context. Now let's talk a little bit about what Trend Micro is doing in this area. We have two major capability areas that we're going to be showing you today that are rolling out in the near term from Trend Micro. Those are Zero Trust Risk Insights and Zero Trust Secure Access.
What we’re doing with risk insights is gathering telemetry from the environment as users are going about their workday and assessing the overall level of risk related to the SaaS applications that they're using, the identity behaviour… What's going on with that user's identity and what's going on with that user's device… Is there malware on the device and that sort of thing and what data they're accessing and we derive risk insights that can be used for a wide variety of things. We'll go into that in a few moments, but one of the specific things that the risk insights get used for is Zero Trust Secure Access, where based on the risk insights and based on context about what data the employee is trying to access and what application is the employees trying to access, there can be a access control and authorisation decision and a policy decision about whether that connection should be allowed. And an enforcement decision can result, either when the connection is being set up, or during the connection in real time because of the user's health or the device health changes.
This is pretty exciting stuff. These are substantial layers of functionality. We're going to dive into a little bit more detail, but at a high level, how we deliver this is… We leverage the same endpoint infrastructure that exists already for EPP and EDR to deliver ZTNA, which is a zero trust network access technology for helping set up these connections, and to gather insights in a variety of areas related to the device health, the data access, and so on. We leverage ZTNA gateways that we deploy, either in the infrastructure as a service environment or in the data centre environment. We deliver a CASBY, which can then be used to gather insights from cloud applications and act as an enforcement point. We leverage our network presence and the third-party network presence to gather visibility and to deliver enforcement action.
That's a lot of interesting, new technology… Let's have a little bit of a closer look. First thing we're going to talk about is the pain point around visibility, because visibility enables us to power the access control decisions that you need in a zero trust context. But, the risk insights are useful for so much more as well, they’re useful for your SOC team, they're useful for your managers. What it comes down to is gathering risk insights, doing it continuously, and delivering those insights. Not only through automation, for things like Zero Trust Secure Access, but also to deliver those insights to the CISO, to the SOC team to allow investigations.
Let's have a little bit of a closer look about how risk insights were. We talked a little bit about these four major categories of risk insights, and let's explain them a little bit more. Across this environment, as users are going about their workday, we're looking at what SaaS applications are connecting to, and we can help determine whether these applications have a bad reputation, If they have data sovereignty concerns, if they're unsanctioned or sanctioned, if they're misconfigured. These are typical CASB functionality.
We derive some insights with respect to the identity activity. This is super important given today's threat landscape, and the fact that attackers are dumping credentials and so on. We're monitoring how that identity is behaving across the environment, not just on the endpoint, but also for example, in the email system, is this user sending out a whole bunch of phishing emails internally, that would be an indication that their account has been compromised.
Is the identity log-in behaviour strange? Are they logging in too quickly from multiple geographic locations, things like this. Are they connecting from unusual locations? Are they connecting to risky places and so on? So, scoring the identity activity. Of course, the device health is important in this context of secure access and more broadly, is the device healthy? Does the device have malware on it? Does it have signs of suspicious activity? Does it have serious vulnerabilities that should rule out allowing this device to connect? Does have misconfigured applications or a misconfigured aspect of the operating system. All kinds of factors that flow into device health, and then we assess the content that's being accessed.
Yes, this leverage is our years of DLP expertise, as well as just the nature of what's being accessed. Are there unusual data transfers? Is the data being transferred to a risky app or is the data sensitive in nature? All of these things come together to allow us to calculate a risk insights score for a user, but of course you can drill into all the details or assess all of those details individually.
How do we obtain these risk insights? Well, we plug in sensors to the various sanctioned apps and email and identity services, and we do this with CASB technology and a few other things. We collect activity from the network layer because that helps boost the visibility with respect to what users are connecting to, especially when they have unmanaged devices, for example. We'll not only connect to Trend Micro’s network security infrastructure there, but also connecting to third party network security firewalls, for example. Then we leverage our endpoint from Trend Micro to collect a lot of visibility and device health telemetry.
We can do that without the customer having a rollout and additional agent. Often with these zero trust solutions you end up with multiple agents on your endpoint. This is something that can be done in an integrated way. If you're using our EPP and EDR capabilities, great, now you've got all of those capabilities in one agent package. If you're not using our EPP and EDR, that's OK. You can still leverage our capabilities for secure access for example.
The endpoint sensor functionality is looking at the device health activity. It's also gathering information about vulnerabilities it's gathering information about what data is being accessed and so on. All of this telemetry then flows to Trend Micro Vision One, our cloud where the overall risk insight is synthesised and it's made available, in a variety of ways, to applications and to people in your organisation.
When we think about how these risk insights are used, the first thing that really makes this real for you is you get a series of dashboards that the SOC team or the management team can use. Rachel's about to show us this kind of moment, but along with these dashboards, there are a few other important ways of the risk insights get used. They get used to help prioritise remediation actions, because if you have an environment that is… Or if you have a device that is particularly unhealthy or a user that has particular health indications with respect to the status of their identity, you probably want to prioritise intervention for those kinds of users or those kinds of devices and risk insights helps that prioritisation action.
It helps power a well-informed access control decision, which we're going to see in the next section, when we talk about Zero Trust Secure Access, and all of these insights also get made available to you through APIs so you or third-party vendors are able to leverage these insights to do all kinds of things that Trend Micro can imagine or can't imagine what you might end up doing with these things. We really expect that we're going to see some wonderful use cases for this data over time. Let's have a look now at the dashboards of that the CISO and the SOC team are able to see. Let's have a closer look at that. Over to you, Rachel, for a live demo.