New NIST Zero Trust Guidelines Require Enhanced Network Visibility

October 7, 2019
Jonathan Barrett
MXDR Security Analyst

What is NIST's Zero Trust Architecture

On September 23, the National Institute of Standards and Technology (NIST) released the draft publication for Zero Trust Architecture (NIST SP 800-207), or ZTA.

According to NIST, “No enterprise can completely eliminate cybersecurity risk. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and general cyber hygiene, ZTA can reduce overall risk exposure and protect against common threats.”

Vectra welcomes NIST’s publication and perspective, especially as it aligns closely with what we have discussed previously on the importance of network visibility to strengthen a Zero Trust Architecture. And while this nearly 50-page document covers several deployment models and use cases, there are two key points on ZTA we want to focus on for this blog: deprioritizing decryption and looking beyond hosts.

NIST Recommends Deprioritizing Traffic Decryption in Zero Trust

Modern enterprise networks are undergoing large and rapid changes, due both to an increasingly mobile and remote workforce and the rapid expansion of cloud services.

In addition, organizations are relying on more non-enterprise-owned systems and applications. These third-party systems and applications are often resistant to passive monitoring, which means that examination of encrypted traffic and deep packet inspection (DPI) is not viable in most cases.

As a result, traditional network analysis tools that rely on visibility at endpoints of on-premises networks, like intrusion detection systems (IDS), are quickly becoming obsolete.

But as NIST notes, “That does not mean that the enterprise is unable to analyze encrypted traffic that it sees on the network. The enterprise can collect metadata about the encrypted traffic and use that to detect possible malware communicating on the network or an active attacker. Machine learning techniques…can be used to analyze traffic that cannot be decrypted and examined.”

We have written before that you don’t have to rely on decryption to detect threats.

It fundamentally boils down to a few key points:

  1. You gain nothing by decrypting packets. All the information needed to detect threats can be determined from the traffic and metadata itself.
  2. It will be harder to decrypt traffic. The adoption of security extensions like HTTP Public Key Pinning (HPKP) will make inspecting traffic more difficult by design.
  3. You will never be able to decrypt attacker traffic. Attackers won’t be using your keys anyway.

Instead, a successful implementation of ZTA requires a modern network detection and response (NDR) solution that can collect metadata about encrypted traffic and use machine learning to detect malicious communications from malware or attackers in the network.
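As an added example of the metadata-only approach NIST describes above, the following Python scores each client/server pair using only fields that remain visible when traffic is encrypted: connection timing, client-to-server byte counts and the cleartext TLS Server Name Indication. It is example code written for this post, not Vectra's product logic and not taken from NIST SP 800-207; the regularity heuristic stands in for the machine learning techniques the text mentions, and the flow log format, addresses, server names and byte counts are all constructed.

```python
"""Flag beacon-like connections from flow metadata without decrypting payloads."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds since epoch
    src: str         # client IP
    dst: str         # server IP
    dst_port: int
    sni: str         # TLS Server Name Indication from the ClientHello (sent in cleartext)
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client


# Constructed sample flow log: ts,src,dst,dst_port,sni,bytes_out,bytes_in
SAMPLE_FLOWS = [
    # 10.0.1.25: seven TLS connections to one server, ~60 s apart, near-identical request size
    "1570000000,10.0.1.25,203.0.113.9,443,cdn-update.example,512,1024",
    "1570000061,10.0.1.25,203.0.113.9,443,cdn-update.example,512,1024",
    "1570000119,10.0.1.25,203.0.113.9,443,cdn-update.example,520,1024",
    "1570000181,10.0.1.25,203.0.113.9,443,cdn-update.example,512,1024",
    "1570000240,10.0.1.25,203.0.113.9,443,cdn-update.example,512,1024",
    "1570000301,10.0.1.25,203.0.113.9,443,cdn-update.example,512,1024",
    "1570000359,10.0.1.25,203.0.113.9,443,cdn-update.example,512,1024",
    # 10.0.1.31: ordinary browsing to one site, irregular timing and sizes
    "1570000003,10.0.1.31,198.51.100.7,443,www.example,1500,40000",
    "1570000006,10.0.1.31,198.51.100.7,443,www.example,420,2200",
    "1570000051,10.0.1.31,198.51.100.7,443,www.example,9800,180000",
    "1570000053,10.0.1.31,198.51.100.7,443,www.example,300,900",
    "1570000233,10.0.1.31,198.51.100.7,443,www.example,2300,65000",
    "1570000242,10.0.1.31,198.51.100.7,443,www.example,640,3100",
]


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed flow-log format."""
    ts, src, dst, port, sni, out_b, in_b = line.split(",")
    return Flow(float(ts), src, dst, int(port), sni, int(out_b), int(in_b))


def _cv(values):
    """Coefficient of variation: 0 means perfectly regular, larger means more jitter."""
    m = mean(values)
    return pstdev(values) / m if m > 0 else float("inf")


def beacon_scores(lines, min_flows=6):
    """Score each (src, dst, port) pair by how regular its timing and request sizes are.

    Score lies in (0, 1]; 1.0 means identical inter-arrival gaps and byte counts.
    Pairs with fewer than min_flows connections are skipped to avoid noise.
    """
    groups = defaultdict(list)
    for f in map(parse_flow, lines):
        groups[(f.src, f.dst, f.dst_port)].append(f)
    scores = {}
    for key, flows in groups.items():
        if len(flows) < min_flows:
            continue
        flows.sort(key=lambda f: f.ts)
        gaps = [b.ts - a.ts for a, b in zip(flows, flows[1:])]
        sizes = [f.bytes_out for f in flows]
        scores[key] = {
            "score": 1.0 / (1.0 + _cv(gaps) + _cv(sizes)),
            "period_s": mean(gaps),
            "sni": sorted({f.sni for f in flows}),
        }
    return scores


def find_beacons(lines, threshold=0.8):
    """Return the pairs whose regularity score meets the threshold, for analyst review."""
    return sorted(k for k, v in beacon_scores(lines).items() if v["score"] >= threshold)


if __name__ == "__main__":
    for key, info in beacon_scores(SAMPLE_FLOWS).items():
        print(key, round(info["score"], 3), round(info["period_s"], 1), info["sni"])
    print("beacon candidates:", find_beacons(SAMPLE_FLOWS))
```

Nothing in the example touches the encrypted application data: the periodic pair stands out purely because its inter-connection gaps and request sizes barely vary, while the browsing pair's gaps range from 2 to 180 seconds. The SNI is carried along so an analyst can see which server name the regular connections used when they triage the result.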

Achieving Complete Network Visibility with Zero Trust Architecture

A fundamental part of Zero Trust Architecture relies on monitoring how privilege is used on the network and continuously controlling access based on behaviors. DHS calls this Continuous Diagnostics and Mitigation (CDM).

But CDM goes further than just observing hosts. It seeks to answer the following:

  • What devices, applications and services are connected to the network and being used by the network?
  • What users and accounts (including service accounts) are accessing the network?
  • What traffic patterns and messages are exchanged over the network?

Again, this goes back to the importance of network visibility. Organizations must have visibility into all actors and components on their network to monitor and detect threats. In fact, as noted in the NIST report, “a strong CDM program is key to the success of ZTA.”
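The three CDM questions above can be answered from the same kind of network metadata plus authentication events. The Python below, added here as an example and not part of the original post or any Vectra or DHS tooling, builds a device and service inventory, an account inventory, and a client/service traffic-pattern count from two constructed record feeds, then contrasts each account's observed access with a statically assigned entitlement list so that over- and under-used privilege is visible. Record formats, addresses, host names, account names and the entitlement table are all constructed for the example.

```python
"""Build a CDM-style inventory from flow metadata and authentication events."""
from collections import Counter, defaultdict

# Constructed flow metadata: ts,src_ip,dst_ip,dst_port,app
FLOW_LINES = [
    "1570000000,10.0.1.25,10.0.2.10,445,smb",
    "1570000005,10.0.1.25,10.0.2.10,445,smb",
    "1570000010,10.0.1.31,10.0.2.20,443,https",
    "1570000012,10.0.1.40,10.0.2.20,443,https",
    "1570000020,10.0.1.25,10.0.2.30,3389,rdp",
    "1570000030,10.0.1.31,10.0.2.10,445,smb",
    "1570000040,10.0.1.99,10.0.2.10,445,smb",
]

# Constructed authentication events: ts,account,src_ip,dst_host
AUTH_LINES = [
    "1570000000,alice,10.0.1.25,fileserver",
    "1570000020,alice,10.0.1.25,jumpbox",
    "1570000010,bob,10.0.1.31,webapp",
    "1570000030,bob,10.0.1.31,fileserver",
    "1570000040,svc_backup,10.0.1.99,fileserver",
]

# Constructed static assignment: hosts each account is entitled to reach
ASSIGNED_ACCESS = {
    "alice": {"fileserver"},
    "bob": {"webapp", "fileserver"},
    "svc_backup": {"fileserver", "backupvault"},
}

FLOW_FIELDS = ("ts", "src", "dst", "dport", "app")
AUTH_FIELDS = ("ts", "account", "src", "dst_host")


def parse_csv(lines, fields):
    """Turn comma-separated lines into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split(","))) for line in lines]


def device_inventory(flow_lines):
    """Q1: every device seen, the services each one contacts, and who uses each service."""
    devices = defaultdict(set)   # ip -> set of (dst_ip, port, app) it contacted
    services = defaultdict(set)  # (dst_ip, port, app) -> set of client ips
    for f in parse_csv(flow_lines, FLOW_FIELDS):
        svc = (f["dst"], int(f["dport"]), f["app"])
        devices[f["src"]].add(svc)
        devices.setdefault(f["dst"], set())  # servers count as devices too
        services[svc].add(f["src"])
    return dict(devices), dict(services)


def account_inventory(auth_lines):
    """Q2: accounts (including service accounts) seen, where from and to which hosts."""
    observed = defaultdict(lambda: {"from": set(), "to": set()})
    for e in parse_csv(auth_lines, AUTH_FIELDS):
        observed[e["account"]]["from"].add(e["src"])
        observed[e["account"]]["to"].add(e["dst_host"])
    return dict(observed)


def traffic_patterns(flow_lines):
    """Q3: which client/service pairs exchange traffic, and how often."""
    counts = Counter()
    for f in parse_csv(flow_lines, FLOW_FIELDS):
        counts[(f["src"], f["dst"], int(f["dport"]), f["app"])] += 1
    return counts


def privilege_drift(observed, assigned):
    """Observed versus assigned privilege per account.

    'unexpected' = hosts reached with no entitlement (review the access);
    'unused'     = entitlements never exercised (candidates for removal).
    Accounts that authenticate but have no assignment record are reported too.
    """
    report = {}
    for account in set(observed) | set(assigned):
        reached = observed.get(account, {}).get("to", set())
        entitled = assigned.get(account, set())
        report[account] = {"unexpected": reached - entitled, "unused": entitled - reached}
    return report


if __name__ == "__main__":
    devices, services = device_inventory(FLOW_LINES)
    print("devices:", sorted(devices))
    print("services:", {k: sorted(v) for k, v in services.items()})
    print("accounts:", account_inventory(AUTH_LINES))
    print("patterns:", traffic_patterns(FLOW_LINES).most_common(3))
    print("drift:", privilege_drift(account_inventory(AUTH_LINES), ASSIGNED_ACCESS))
```

The last step is what the text means by continuously controlling access based on behavior: the entitlement table is the static assigned privilege, the authentication feed is the observed privilege, and the difference between them is what a CDM program needs to act on. In the constructed data, alice reaches a jumpbox she has no entitlement for, and svc_backup never uses its backupvault entitlement.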

Vectra AI: Essential for Successful Zero Trust Architecture

Vectra is the only US-based FIPS-compliant NDR on the Department of Homeland Security’s CDM approved products list that uses artificial intelligence. Our AI includes deep learning and neural networks to give visibility in large-scale infrastructures by continuously monitoring network traffic, logs and cloud events.

The Vectra AI platform can detect advanced attacks as they are happening in all enterprise traffic, including data centers and the cloud. We do this by extracting metadata from all packets. Every IP-enabled device on the network is identified and tracked, extending visibility to servers, laptops, printers, BYOD and IoT devices as well as all operating systems and applications.

The Vectra AI platform scores all identities in the platform on the same criteria as hosts. This allows you to see the observed privileges in your system as opposed to the static assigned privilege.

We applaud NIST for highlighting the importance of an NDR solution as a key part of any ZTA. At Vectra AI, we’re proud to be able to offer a turnkey NDR solution to any organization on their journey to implementing a modern secure architecture.

What is Zero Trust Architecture?

Zero Trust Architecture ensures no implicit trust, continuously verifying each access request to enhance security.

Why does NIST recommend deprioritizing traffic decryption?

NIST advises deprioritizing traffic decryption due to the increasing difficulty and limited benefits.

What is Continuous Diagnostics and Mitigation (CDM)?

CDM involves monitoring and managing security risks through continuous diagnostics and mitigative actions.

What are the benefits of Vectra Cognito for Zero Trust?

Vectra AI provides comprehensive visibility, threat detection, and compliance support for Zero Trust.

How does Vectra AI detect threats in encrypted traffic?

Vectra AI uses metadata and machine learning to detect threats without decrypting traffic.

How does Vectra AI support Zero Trust Architecture?

Vectra AI enhances Zero Trust by providing deep network visibility and automated threat detection.

How can organizations achieve deeper network visibility?

Organizations can achieve deeper network visibility through continuous monitoring and advanced threat detection.

How does machine learning enhance network security?

Machine learning analyzes patterns and detects anomalies, enhancing proactive threat detection in networks.

How does Zero Trust Architecture differ from traditional security models?

Unlike traditional models, Zero Trust assumes no implicit trust, requiring verification for every access attempt.

What are the key components of a successful Zero Trust implementation?

Key components include continuous monitoring, identity verification, and comprehensive network visibility.