Why NIST Zero Trust Architecture No Longer Requires Decryption

January 14, 2021
Jonathan Barrett
MXDR Security Analyst

NIST Zero Trust Architecture and the Role of NDR

“Zero trust (ZT) is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”
     – NIST

Last year, I wrote about the National Institute of Standards and Technology (NIST) draft of the Zero Trust Architecture publication (NIST SP 800-207), or ZTA. We’ve also recently covered the reasons why network detection and response (NDR) is an essential component of NIST ZTA.

With the wide adoption of encrypted traffic, software-as-a-service (SaaS) applications and non-enterprise-owned assets (e.g. contracted services that use the enterprise infrastructure to reach the Internet), monitoring solutions that rely on deep packet inspection (DPI) of payloads will struggle to identify an attacker on the network.

But as NIST notes, “That does not mean that the enterprise is unable to analyze encrypted traffic that it sees on the network. The enterprise can collect metadata about the encrypted traffic and use that to detect an active attacker or possible malware communicating on the network. Machine learning techniques…can be used to analyze traffic that cannot be decrypted and examined.”

Why NIST Advises Against Decryption in Zero Trust

We’ve written that you don’t have to rely on decryption to detect threats, and why decrypting to inspect traffic is an ill-advised approach. In fact, we have been encouraging our customers to encrypt everything for a long time.

It fundamentally comes down to a few key points:

1. You gain nothing by decrypting packets

The signals needed to detect threats are available without the payload: who talks to whom, when and how often, how much data moves in each direction, and the parts of the TLS handshake that stay in the clear (client hello, cipher suites, and the server certificate where it is still visible). As NIST notes, machine learning applied to that metadata can detect an active attacker or malware communicating on the network.

2. Decrypting traffic will become increasingly difficult, and so will solutions that depend on it

The adoption of TLS 1.3 and extensions such as HTTP public key pinning (HPKP), HTTP strict transport security (HSTS), DNS over HTTPS (DoH) and encrypted server name indication (ESNI) makes inspecting traffic more difficult by design. TLS 1.3 encrypts the server certificate and most of the handshake, DoH hides DNS lookups from on-path resolvers and DNS-based monitoring, and ESNI removes the hostname from the client hello, so a passive device sees less of each connection with every protocol revision. HSTS and HPKP make browsers reject, rather than merely warn about, certificates they do not expect, which breaks interception that presents a substitute certificate. Two caveats for practitioners: HPKP has since been deprecated and removed from the major browsers, and ESNI has been superseded by Encrypted Client Hello (ECH); the direction of travel is the same either way.

3. You will never be able to decrypt attacker traffic

Attacker command-and-control traffic is encrypted with keys the attacker controls, not yours, and an implant can pin its own server certificate so that a substitute certificate from your inspection proxy is rejected. In many cases the traffic never passes through the proxy or endpoint agent that performs the man-in-the-middle decryption at all: the attacker chooses the path, the port and the protocol.

4. Decrypting data for analysis, and storing it, also raises numerous data protection and compliance issues

For example, the decrypted captures can contain personally identifiable information (PII) or other sensitive data such as payment card numbers or Social Security numbers, and that stored copy then has to be protected and retained under the same rules as the systems it came from.

Encrypting all traffic on the network is fundamentally good. Therefore, successful implementation of ZTA requires a modern NDR solution that can collect metadata about encrypted traffic and use machine learning to detect malicious communications from malware or attackers in the network—without relying on the overhead of agents.
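To make the argument above concrete (the NIST passage on analysing encrypted traffic through its metadata, and points 1 and 3 of the list), here is an added example of metadata-only detection. It is not Vectra code and not from NIST SP 800-207; it is illustrative only. The session records are constructed in a Zeek-like shape, the field names and the two fingerprint hashes are assumptions, and the thresholds are chosen for the sample rather than tuned for production. Nothing in it reads a payload: it uses timing, byte counts, the client-hello fingerprint and what could be seen of the server certificate.

```python
"""Metadata-only detection over encrypted sessions (added example, not
Vectra's or NIST's code). Every field used here stays visible when the
payload is encrypted; no key material is needed."""
from collections import defaultdict
from statistics import mean, pstdev

# Placeholder fingerprint hashes (assumed values, not real JA3 hashes).
BROWSER_JA3 = "cd08e31494f9531f560d64c695473da9"
IMPLANT_JA3 = "3b5074b1b5d032e5620f69f9f700ff0e"

# Constructed Zeek-style session records (not real traffic).
SESSIONS = []

# Host 10.0.0.5: one session every 60 s (+/- 1 s) to the same server, fixed
# sizes, no SNI, self-signed certificate -- the shape of a C2 beacon.
for i, jitter in enumerate([0, 1, -1, 0, 1, 0, -1, 1, 0, 0]):
    SESSIONS.append(dict(ts=1000.0 + 60 * i + jitter, src="10.0.0.5",
                         dst="203.0.113.10", dport=443, orig_bytes=512,
                         resp_bytes=1024, ja3=IMPLANT_JA3, sni=None,
                         cert_self_signed=True))

# Host 10.0.0.7: ordinary browsing -- irregular timing, varied sizes, SNI
# present, CA-signed certificates, a fingerprint shared with other hosts.
for ts, dst, ob, rb in [(1005, "198.51.100.20", 2100, 48000),
                        (1012, "198.51.100.21", 900, 150000),
                        (1190, "198.51.100.22", 3300, 7000),
                        (1230, "198.51.100.20", 1500, 91000),
                        (1600, "198.51.100.23", 700, 22000),
                        (1601, "198.51.100.24", 1200, 5000)]:
    SESSIONS.append(dict(ts=float(ts), src="10.0.0.7", dst=dst, dport=443,
                         orig_bytes=ob, resp_bytes=rb, ja3=BROWSER_JA3,
                         sni="example.com", cert_self_signed=False))

# A second host with the browser fingerprint, so that fingerprint is not rare.
SESSIONS.append(dict(ts=1700.0, src="10.0.0.9", dst="198.51.100.20", dport=443,
                     orig_bytes=1800, resp_bytes=30000, ja3=BROWSER_JA3,
                     sni="example.com", cert_self_signed=False))


def beacon_stats(timestamps, min_sessions=6):
    """Timing regularity of one (src, dst) pair: mean gap between sessions
    and the coefficient of variation of the gaps. A low CV over enough
    sessions means machine-like scheduling rather than a human."""
    ts = sorted(timestamps)
    if len(ts) < min_sessions:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return {"sessions": len(ts), "mean_gap": m, "cv": pstdev(gaps) / m}


def fingerprint_hosts(sessions):
    """Number of distinct internal hosts presenting each client-hello
    fingerprint; a fingerprint seen from a single host is unusual."""
    hosts = defaultdict(set)
    for s in sessions:
        hosts[s["ja3"]].add(s["src"])
    return {ja3: len(h) for ja3, h in hosts.items()}


def analyze(sessions, cv_threshold=0.2, min_reasons=3):
    """Score each (src, dst) pair on metadata alone and return the pairs
    that accumulate at least `min_reasons` independent signals."""
    pairs = defaultdict(list)
    for s in sessions:
        pairs[(s["src"], s["dst"])].append(s)
    popularity = fingerprint_hosts(sessions)
    findings = {}
    for pair, group in pairs.items():
        reasons = []
        stats = beacon_stats([s["ts"] for s in group])
        if stats and stats["cv"] < cv_threshold:
            reasons.append(f"beaconing: {stats['sessions']} sessions every "
                           f"{stats['mean_gap']:.0f}s (cv={stats['cv']:.2f})")
        if len(group) >= 6 and len({(s["orig_bytes"], s["resp_bytes"])
                                    for s in group}) == 1:
            reasons.append("fixed request/response sizes")
        if any(s["cert_self_signed"] for s in group):
            reasons.append("self-signed server certificate")
        # Weak signal on its own: with ESNI/ECH deployed the SNI is legitimately
        # absent, which is why several signals are required before flagging.
        if any(s["sni"] is None for s in group):
            reasons.append("no SNI in client hello")
        if popularity[group[0]["ja3"]] == 1:
            reasons.append("client-hello fingerprint unique to this host")
        if len(reasons) >= min_reasons:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), reasons in analyze(SESSIONS).items():
        print(f"{src} -> {dst}")
        for r in reasons:
            print("  -", r)
```

Run stand-alone, it reports only the 10.0.0.5 to 203.0.113.10 pair, with all five signals; the browsing host accumulates none. The design point is that each signal is weak alone (periodic traffic also describes software updates, and a missing SNI will become normal as ECH spreads), so the decision rests on several metadata signals agreeing, which is what a detection model over encrypted traffic has to do.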

Vectra's NDR: Essential for NIST Zero Trust Architecture

Vectra is the only U.S.-based FIPS-compliant NDR on the Department of Homeland Security CDM approved products list that uses artificial intelligence. Our AI includes deep learning and neural networks to provide visibility in large-scale infrastructures by continuously monitoring all network traffic, accounts, identities, relevant logs, and cloud events.

Every IP-enabled device on the network is identified and tracked, extending visibility to servers, laptops, printers, bring your own device (BYOD), and IoT devices as well as all operating systems and applications.

The Cognito Platform from Vectra can detect advanced attacks as they are happening in all traffic, from cloud/SaaS and data center workloads to user and IoT devices. We do this by extracting metadata from all packets and logs, without requiring decryption.

The Cognito Platform scores all identities on the same criteria as hosts. This lets you see the privilege an account actually exercises (observed privilege) rather than only the privilege it was statically assigned.

We applaud NIST for highlighting the importance of an NDR solution as a key part of any ZTA. At Vectra, we’re proud to offer a turnkey NDR solution to organizations on their journey to implementing a modern security architecture.

To find out how both NDR and Zero Trust will help organizations achieve these goals, schedule a demo today.

FAQs

Why does NIST recommend against decryption in Zero Trust?

NIST recommends against decryption due to the increasing difficulty and limited benefits, advocating for metadata analysis instead.

What is the role of metadata in threat detection?

Connection metadata (endpoints, timing, volumes and TLS handshake attributes such as the client-hello fingerprint and certificate properties) shows who talks to whom, how often and in what pattern, which is enough to detect beaconing, unusual fingerprints and other attacker behaviour without decryption.

Why is continuous monitoring essential in Zero Trust Architecture?

Continuous monitoring ensures real-time detection and response to threats, a key principle of Zero Trust.

What are the benefits of not decrypting network traffic?

Not decrypting traffic reduces overhead, improves privacy compliance, and still allows effective threat detection.

How does Vectra AI's NDR solution comply with NIST Zero Trust Architecture?

Vectra AI's NDR solution complies by continuously monitoring network traffic and using AI for threat detection.

How does Vectra AI handle encrypted traffic?

Vectra AI uses metadata and machine learning to detect threats in encrypted traffic without needing decryption.

How does machine learning enhance network security?

Machine learning analyzes patterns and detects anomalies, enhancing proactive threat detection in networks.

How does Vectra AI implement Network Detection and Response (NDR)?

Vectra AI implements NDR by using machine learning to detect threats and provide actionable insights.

What are the challenges of decrypting network traffic?

Decrypting traffic is increasingly difficult with modern encryption standards and poses privacy risks.

What is Zero Trust Architecture?

Zero Trust Architecture ensures no implicit trust, continuously verifying each access request to enhance security.