On September 23, the National Institute of Standards and Technology (NIST) released its draft publication on Zero Trust Architecture, or ZTA (NIST SP 800-207).
According to NIST, “No enterprise can completely eliminate cybersecurity risk. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and general cyber hygiene, ZTA can reduce overall risk exposure and protect against common threats.”
Vectra welcomes NIST’s publication and perspective, especially as it aligns closely with what we have discussed previously on the importance of network visibility to strengthen a Zero Trust Architecture. And while this nearly 50-page document covers several deployment models and use cases, there are two key points on ZTA we want to focus on for this blog: deprioritizing decryption and looking beyond hosts.
Deprioritize traffic decryption
Modern enterprise networks are undergoing large and rapid changes, due both to an increasingly mobile and remote workforce and the rapid expansion of cloud services.
In addition, organizations are relying on more non-enterprise-owned systems and applications. These third-party systems and applications are often resistant to passive monitoring, which means that examination of encrypted traffic and deep packet inspection (DPI) are not viable in most cases.
As a result, traditional network analysis tools that rely on visibility at endpoints of on-premises networks, like intrusion detection systems (IDS), are quickly becoming obsolete.
But as NIST notes, “That does not mean that the enterprise is unable to analyze encrypted traffic that it sees on the network. The enterprise can collect metadata about the encrypted traffic and use that to detect possible malware communicating on the network or an active attacker. Machine learning techniques…can be used to analyze traffic that cannot be decrypted and examined.”
We have written before that you don’t have to rely on decryption to detect threats.
It fundamentally boils down to a few key points:
Instead, a successful implementation of ZTA requires a modern network detection and response (NDR) solution that can collect metadata about encrypted traffic and use machine learning to detect malicious communications from malware or attackers in the network.
Get visibility into all user and system behaviors
A fundamental part of Zero Trust Architecture relies on monitoring how privilege is used on the network and continuously controlling access based on behaviors. DHS calls this Continuous Diagnostics and Mitigation (CDM).
But CDM goes further than just observing hosts. It seeks to answer the following:
Again, this goes back to the importance of network visibility. Organizations must have visibility into all actors and components on their network to monitor and detect threats. In fact, as noted in the NIST report, “a strong CDM program is key to the success of ZTA.”
Vectra Cognito is a cornerstone of a successful ZTA
Vectra is the only US-based FIPS-compliant NDR on the Department of Homeland Security’s CDM approved products list that uses artificial intelligence. Our AI includes deep learning and neural networks to give visibility into large-scale infrastructures by continuously monitoring network traffic, logs and cloud events.
The Cognito platform from Vectra can detect advanced attacks as they are happening in all enterprise traffic, including data centers and the cloud. We do this by extracting metadata from all packets. Every IP-enabled device on the network is identified and tracked, extending visibility to servers, laptops, printers, BYOD and IoT devices as well as all operating systems and applications.
The Cognito platform scores all identities in the platform on the same criteria as hosts. This lets you see the privileges actually observed in your system, as opposed to the statically assigned privilege.
We applaud NIST for highlighting the importance of an NDR solution as a key part of any ZTA. At Vectra, we’re proud to be able to offer a turnkey NDR solution to any organization on their journey to implementing a modern secure architecture.
Marcus Hartwig is a director of product marketing manager at Vectra. He has been active in the areas of IAM, PKI and enterprise security for more than two decades. His past experience includes product marketing at Okta, co-funding a company in cybersecurity professional services, as well as managing a security product company – a combination that has left him passionate about all parts of product marketing, design and delivery.