
Why the NIST Zero Trust Architecture No Longer Requires Decryption

Jonathan Barrett
Consulting Analyst
January 14, 2021

NIST's Zero Trust Architecture model and NDR

“Zero trust (ZT) is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”
     – NIST

Last year, I wrote about the National Institute of Standards and Technology (NIST) draft of Special Publication 800-207, Zero Trust Architecture (ZTA), which has since been published as a final document (August 2020). We’ve also recently covered the reasons why network detection and response (NDR) is an essential component of a NIST ZTA.

With the wide adoption of encrypted traffic, software as a service (SaaS) apps and non-enterprise-owned assets (e.g. contracted services that use the enterprise infrastructure to access the Internet), monitoring solutions that rely on deep packet inspection (DPI) will struggle to identify an attacker on the network, because the payload they depend on is no longer readable.

But as NIST notes, “That does not mean that the enterprise is unable to analyze encrypted traffic that it sees on the network. The enterprise can collect metadata about the encrypted traffic and use that to detect an active attacker or possible malware communicating on the network. Machine learning techniques…can be used to analyze traffic that cannot be decrypted and examined.”
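To make concrete what “metadata about the encrypted traffic” means, here is an added example (our illustration for this post, not NIST’s or Vectra’s code) that parses the unencrypted ClientHello of a TLS session and pulls out the fields a passive sensor can read without holding any key: the SNI, the offered cipher suites and extensions, the supported_versions list (which is how TLS 1.3 is actually negotiated) and a JA3-style client fingerprint. The ClientHello bytes are constructed by the helper in the block rather than captured from a real client, and the Encrypted Client Hello codepoint used to flag ECH is the draft value, so treat it as an assumption.

```python
"""TLS handshake metadata visible without decryption (added example, not Vectra code).

The ClientHello is sent in the clear in TLS 1.2 and 1.3, so a passive sensor can
read the SNI, offered cipher suites, extensions and a JA3-style fingerprint
from it. The bytes parsed below are constructed by build_client_hello(), not
captured from a real client.
"""
import hashlib
import struct

HANDSHAKE, CLIENT_HELLO = 22, 1
EXT_SNI, EXT_GROUPS, EXT_POINT_FORMATS, EXT_VERSIONS = 0, 10, 11, 43
EXT_ECH = 0xFE0D  # Encrypted Client Hello (ESNI successor); draft codepoint, an assumption
# Reserved GREASE values that clients randomise; JA3 drops them so the hash is stable.
GREASE = {(x << 8) | x for x in range(0x0A, 0x100, 0x10)}


def _u16s(data, start, length):
    """Read a list of big-endian uint16 values from data[start:start+length]."""
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(start, start + length, 2)]


def parse_client_hello(record):
    """Return the plaintext metadata of a TLS record carrying a ClientHello."""
    ctype, _rec_ver, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != HANDSHAKE or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 32 + 1 + hs[pos + 32]                       # random + session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    ciphers = _u16s(hs, pos, cs_len); pos += cs_len
    pos += 1 + hs[pos]                                  # compression methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    meta = {"version": version, "ciphers": ciphers, "extensions": [], "sni": None,
            "groups": [], "point_formats": [], "supported_versions": [], "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        data = hs[pos:pos + elen]; pos += elen
        meta["extensions"].append(etype)
        if etype == EXT_SNI:                  # list_len(2) type(1) name_len(2) name
            meta["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
        elif etype == EXT_GROUPS:
            meta["groups"] = _u16s(data, 2, struct.unpack("!H", data[:2])[0])
        elif etype == EXT_POINT_FORMATS:
            meta["point_formats"] = list(data[1:1 + data[0]])
        elif etype == EXT_VERSIONS:
            meta["supported_versions"] = _u16s(data, 1, data[0])
        elif etype == EXT_ECH:                # real SNI is inside the encrypted inner hello
            meta["ech"] = True
    return meta


def ja3(meta):
    """JA3 string and MD5 (version,ciphers,extensions,groups,point_formats; GREASE removed)."""
    def clean(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(meta["version"]), clean(meta["ciphers"]), clean(meta["extensions"]),
                  clean(meta["groups"]), clean(meta["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(sni, ciphers, groups, point_formats, versions, ech=False):
    """Construct a ClientHello for the example (synthetic input, not a capture)."""
    def ext(etype, payload):
        return struct.pack("!HH", etype, len(payload)) + payload
    def u16s(vals):
        return b"".join(struct.pack("!H", v) for v in vals)
    host = sni.encode()
    exts = ext(0x2A2A, b"")                                            # a GREASE extension
    exts += ext(EXT_SNI, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    exts += ext(EXT_GROUPS, struct.pack("!H", 2 * len(groups)) + u16s(groups))
    exts += ext(EXT_POINT_FORMATS, bytes([len(point_formats)] + point_formats))
    exts += ext(EXT_VERSIONS, bytes([2 * len(versions)]) + u16s(versions))
    if ech:
        exts += ext(EXT_ECH, bytes(16))                                # dummy ECH payload
    hs = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"               # version, random, no session id
          + struct.pack("!H", 2 * len(ciphers)) + u16s(ciphers) + b"\x01\x00"
          + struct.pack("!H", len(exts)) + exts)
    body = bytes([CLIENT_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(body)) + body


def demo():
    """Parse a constructed hello; the SNI stays readable unless ECH is in use."""
    hello = build_client_hello("updates.example.net", [0x1301, 0x1302, 0xC02B, 0x0A0A],
                               [0x001D, 0x0017, 0x1A1A], [0], [0x0304, 0x0303])
    meta = parse_client_hello(hello)
    return meta, ja3(meta)


if __name__ == "__main__":
    meta, (ja3_str, ja3_hash) = demo()
    print(meta["sni"], meta["supported_versions"], ja3_str, ja3_hash)
```

Everything the parser returns is available in TLS 1.3 as well as 1.2; what TLS 1.3 takes away is the server’s certificate, which is now sent encrypted, so certificate issuer and subject fields have to come from the ClientHello side of the conversation or from other sources. When the ECH extension is present, the SNI the sensor sees is the client-facing server’s public name rather than the real destination, which is why the parser flags it separately instead of trusting the name.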

Why decryption is not required, according to NIST

We’ve written that you don’t have to rely on decryption to detect threats, and why decrypting to inspect traffic is an ill-advised approach. In fact, we have been encouraging our customers to encrypt everything for a long time.

It fundamentally comes down to a few key points:

You gain nothing by decrypting packets

The signals that matter for detection (which hosts talk to which destinations, how often and on what schedule, how much data moves in each direction, and which TLS parameters, certificates and client fingerprints are in use) are all visible in the metadata of an encrypted session. NIST explicitly calls out analyzing that metadata, including with machine learning, as a way to detect an active attacker or malware communicating on the network.

It will be increasingly difficult to decrypt traffic and solutions that rely on this

The adoption of TLS 1.3 and of security extensions such as HTTP Strict Transport Security (HSTS), certificate pinning in applications (HTTP Public Key Pinning, HPKP, has been deprecated by the major browsers, but pinning in mobile and desktop apps remains common), DNS over HTTPS (DoH) and Encrypted Server Name Indication (ESNI, now being superseded by Encrypted Client Hello) makes inspection harder by design. TLS 1.3 drops the RSA key exchange and encrypts the server certificate, so passive decryption with a copy of the server’s private key no longer works and interception requires an active proxy the client must trust; pinning makes clients refuse that proxy; DoH hides DNS lookups from the network; ESNI/ECH hides the destination host name in the handshake.

You will never be able to decrypt attacker traffic

Attackers’ command-and-control traffic is encrypted with keys you do not hold, so a sensor that decrypts by terminating TLS at a proxy learns nothing from it. In many cases the traffic does not even pass through the proxy or TLS-intercepting gateway: a compromised host can talk directly out, and malware can simply refuse the interception certificate.

There are also numerous Data Protection and Compliance issues with decrypting data for analysis and storing it

A decrypted capture can contain PII and other sensitive data such as payment card numbers or Social Security numbers. Once that is stored for analysis, the monitoring system itself becomes a repository of regulated data that has to be protected and audited (it falls into PCI DSS scope, for instance).

Encrypting all traffic on the network is fundamentally good. Therefore, successful implementation of ZTA requires a modern NDR solution that can collect metadata about encrypted traffic and use machine learning to detect malicious communications from malware or attackers in the network—without relying on the overhead of agents.
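To show what “detect malicious communications” from metadata looks like in practice, here is an added example of our own (not Vectra’s detection logic, which the post does not disclose) that runs a simple beaconing detector over connection records, using nothing but timestamps, endpoints and byte counts. Beaconing malware checks in on a timer with near-identical request sizes, while a person browsing the same destination produces irregular timing and sizes; the detector measures that regularity with the coefficient of variation of inter-arrival times and of client byte counts. The flow records are constructed for the example and the thresholds (0.1 for both ratios, at least eight connections) are assumptions to be tuned on real data; a production model would add more features, but these are the ones it would consume.

```python
"""Beacon detection from connection metadata alone (added example, not Vectra code).

No payload and no decryption are used: only who talked to whom, when, and how
many bytes the client sent. The flow records below are constructed for the
example; the thresholds are assumptions, not tuned values.
"""
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_host, dst_endpoint, client_bytes)
FLOWS = []
# Host A: a check-in roughly every 60 s with about one second of jitter and a
# near-constant request size, the shape of an implant's beacon.
for t in [0, 61, 120, 181, 240, 299, 360, 421, 480, 540, 601, 660]:
    FLOWS.append((1000.0 + t, "10.0.0.12", "198.51.100.7:443", 600 + (t % 7)))
# Host B: a user browsing the same destination, irregular timing and sizes.
for t, b in [(3, 1200), (5, 800), (6, 15000), (40, 2400),
             (300, 900), (302, 300), (310, 7000), (650, 1100)]:
    FLOWS.append((1000.0 + t, "10.0.0.33", "198.51.100.7:443", b))


def beacon_scores(flows, min_connections=8, max_cv=0.1):
    """Score every (src, dst) pair with enough connections for machine-like regularity.

    Returns a dict keyed by (src, dst). A pair is flagged as a beacon candidate
    when both the inter-arrival times and the client byte counts are stable,
    i.e. their coefficient of variation (stdev / mean) is below max_cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    results = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_connections:
            continue                       # too few samples to judge regularity
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        results[pair] = {
            "connections": len(recs),
            "median_interval_s": statistics.median(gaps),
            "gap_cv": round(gap_cv, 3),
            "size_cv": round(size_cv, 3),
            "beacon": gap_cv < max_cv and size_cv < max_cv,
        }
    return results


def flagged_pairs(flows):
    """Convenience wrapper: the (src, dst) pairs the detector would alert on."""
    return sorted(pair for pair, r in beacon_scores(flows).items() if r["beacon"])


if __name__ == "__main__":
    for pair, r in beacon_scores(FLOWS).items():
        print(pair, r)
```

The same records would also feed a fingerprint feature (a rarely seen JA3 hash from a host that normally presents a browser fingerprint) and a volume feature (a pair whose bytes out steadily exceed bytes in), which is how a metadata-based detector layers evidence without ever reading a payload.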

Vectra's NDR: a key element of the NIST's Zero Trust Architecture

Vectra is the only U.S.-based FIPS-compliant NDR on the Department of Homeland Security CDM approved products list that uses artificial intelligence. Our AI includes deep learning and neural networks to provide visibility in large-scale infrastructures by continuously monitoring all network traffic, accounts, identities, relevant logs, and cloud events.

Every IP-enabled device on the network is identified and tracked, extending visibility to servers, laptops, printers, bring your own device (BYOD), and IoT devices as well as all operating systems and applications.

The Cognito Platform from Vectra can detect advanced attacks as they are happening in all traffic, from cloud/SaaS and data center workloads to user and IoT devices. We do this by extracting metadata from all packets and logs, without requiring decryption; our white paper covers the approach in more detail.

The Cognito Platform scores all identities in the platform on the same criteria as hosts. This allows you to see the privileges actually observed in use in your environment, as opposed to the privileges statically assigned.

We applaud NIST for highlighting the importance of an NDR solution as a key part of any ZTA. At Vectra, we’re proud to offer a turnkey NDR solution to organizations on their journey to implementing a modern security architecture.

To find out how both NDR and Zero Trust will help organizations achieve these goals, schedule a demo today.

Want to learn more?

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure – both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization.

If you’d like to hear more, contact us and we’ll show you exactly how we do this and what you can do to protect your data. We can also put you in contact with one of our customers to hear directly from them about their experiences with our solution.
