COVID-19 Will Force Sec-Ops to Do More With Less

Applying zero-trust principles WITHIN endpoints will help enterprise cybersecurity programs shift their priorities to conform to the new realities of COVID-19. These are driven by expectations for near-depression-like economic times, which demands that cyber defenses do more with less. This approach is at odds with the last five or more years of what some call the 'detect & react' paradigm: collect more data, monitor & investigate more alerts, and do all of this with more sensors, more tools, more integration, and more people. Choices for any addition or change will have to weigh more heavily in favor of cost savings than increased assurance benefits. To help, we're going to look at benefits from the zero-trust approach that might be new to you. After reading this article, executives should seek discussions with their technical personnel about boldly validating what is written here.


Endpoint Zero-Trust is Micro; Enterprise Zero Trust is Macro


Almost none of what you've read or heard is about endpoint zero-trust; pretty much all of it only concerns enterprise zero-trust. The principles applied to both are pretty much the same. They simply apply 'trust but verify' concepts in different contexts. Enterprise Zero-Trust - mistrusts things within an enterprise and Endpoint Zero-Trust - mistrust within an endpoint. From an enterprise perspective, endpoint zero-trust might seem like a vaccine.


Enterprise Zero-Trust: Reduce your 'Detect & React' Workload

Enterprise zero-trust applies 'trust but verify' challenges to users, devices, and to lesser extent applications seeking access to an enterprise network, web application, server, or other resources. Its underlying assumption is that a malicious actor may potentially control any device, user account, or user application session. High assurance authentication of the user and integrity checks of the device or application provides some assurance that subsequent activities will not be harmful. Any failure of these checks causes termination, quarantine, and loss of privilege. This leaves fewer ongoing activities that might ultimately prove malicious. 

The remaining or allowed activities are then subject to 'detect & react' workflows: alerting, monitoring, investigating, and responding to 'suspicious' actions. Analysts working with intrusion detection systems look for lateral movement. Others deploy entity user behavior analytics (EUBA) tools for anomalous account usage. SIEM analysts try to detect what was not earlier detected. And so on, and so on!


Zero-Trust: Snuff-out Untrustworthy Actions to Reduce 'Detect & React' Workload


Where humans or constant change are involved, things cannot be perfectly locked down. Actions must be allowed that may eventually turn out to be malicious. Detect and react tools must identify these malicious activities. An enterprise might snuff-out access to a business intelligence web application without two-factor authentication, remote desktop sessions from unauthenticated devices, and API calls from endpoints, not on a whitelist. The more snuffed-out, the fewer ongoing activities that must be monitored for anomalies and indicators of malice. This represents the greatest value of zero-trust, especially in the aftermath of COVID-19, where cost savings will be necessary. 


Endpoint Zero-Trust: the very Small Drives the very Large


No doubt you're familiar with penetration testing. It is performed at different levels: penetrating an enterprise, penetrating an endpoint, and penetrating a single application to see if it is secure enough to be exposed. Consider how these examples represent different levels of scope, micro to macro.

Most of the activities monitored by the 'detect & react' workflows mentioned already, as well as others, ultimately originated from one or more of compromised endpoints. These macro detections follow a malware attack that compromised endpoints. These result from applications and utilities on these endpoints letting malware in or doing harm afterward. Zero-trust WITHIN endpoints expect applications and utilities to go rogue and uses controls that do not allow hijacked applications to download/execute malware; steal credentials from the memory of other applications; allow remote execution attacks from other endpoints, etc. Snuffing these out prevents the micro-compromises that precede the macro-compromises that IDS, EUBA, and other macro detection tools seek. So, neutralizing the 'micro' WITHIN the endpoint neutralizes the 'macro' before they manifest at the enterprise. 

Specifically, how zero-trust WITHIN endpoints do this is a big topic better addressed separately. For now, imagine the implications on the many different layers and workflows of your cybersecurity operations. How much of the many different pieces depending on what happens at the endpoints? How much labor could be freed up?