New NIST Guidelines on Zero Trust Architecture Calls for Deeper Visibility Into the Network

October 7, 2019
Jonathan Barrett
MXDR Security Analyst

What is NIST's Zero Trust Architecture

On September 23, the National Institute of Standards and Technology (NIST) released a draft of Special Publication 800-207, Zero Trust Architecture (ZTA), for public comment.

According to NIST, “No enterprise can completely eliminate cybersecurity risk. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and general cyber hygiene, ZTA can reduce overall risk exposure and protect against common threats.”

Vectra welcomes NIST’s publication and perspective, especially as it aligns closely with what we have discussed previously on the importance of network visibility to strengthen a Zero Trust Architecture. And while this nearly 50-page document covers several deployment models and use cases, there are two key points on ZTA we want to focus on for this blog: deprioritizing decryption and looking beyond hosts.

Why NIST recommends deprioritizing traffic decryption

Modern enterprise networks are undergoing large and rapid changes, due both to an increasingly mobile and remote workforce and the rapid expansion of cloud services.

In addition, organizations rely on more systems and applications that the enterprise does not own. These third-party systems and applications usually cannot be instrumented for passive monitoring by the enterprise, so decrypting their traffic and running deep packet inspection (DPI) on it is not viable in most cases.

As a result, traditional network analysis tools that depend on inspecting cleartext payloads at the edge of an on-premises network, such as signature-based intrusion detection systems (IDS), lose much of their value.

But as NIST notes, “That does not mean that the enterprise is unable to analyze encrypted traffic that it sees on the network. The enterprise can collect metadata about the encrypted traffic and use that to detect possible malware communicating on the network or an active attacker. Machine learning techniques…can be used to analyze traffic that cannot be decrypted and examined.”

We have written before that you don’t have to rely on decryption to detect threats.

It fundamentally boils down to a few key points:

  1. Decryption is not a prerequisite for detection. Who talks to whom, how often, how much, and with what protocol characteristics can all be observed in the traffic and its metadata, and that is enough to surface malware and attacker communications.
  2. Decrypting traffic is getting harder by design. TLS 1.3 removes the static RSA key exchange that passive decryption with the server's private key relied on, and certificate pinning (HTTP Public Key Pinning in browsers, now deprecated, and pinning built into mobile and desktop applications) causes pinned clients to reject an interception proxy's certificate.
  3. Attacker-controlled channels will not cooperate with decryption. Malware and command-and-control tooling use their own keys and certificates, and can pin them or wrap the payload in a further layer of encryption, so inspection that depends on the enterprise's own keys and proxies cannot be relied on to see the traffic that matters most.

Instead, a successful implementation of ZTA requires a modern network detection and response (NDR) solution that can collect metadata about encrypted traffic and use machine learning to detect malicious communications from malware or attackers in the network.
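To make the metadata argument concrete, here is an added example (not Vectra code, and not from the NIST draft) of one detection that needs no decryption at all: spotting a command-and-control beacon from the timing and size regularity of TLS sessions. The flow-record field names and all the sample flows are hypothetical and constructed inline.

```python
"""Beacon detection from encrypted-flow metadata.

Added example, not Vectra code. It assumes flow records carrying only
what a passive sensor can see on a TLS session without decrypting it:
client, server, port, start time (epoch seconds) and bytes each way.
Field names and all flow data below are hypothetical and constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE_TS = 1570000000

# Constructed channel A: 10.0.0.5 -> 203.0.113.10:443 roughly every 60 s
# with an almost constant request size, the shape of a C2 beacon check-in.
CHANNEL_A = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "ts": BASE_TS + 60 * i + (i % 3) - 1,
     "bytes_out": 312 + (i % 2), "bytes_in": 640}
    for i in range(12)
]

# Constructed channel B: 10.0.0.7 -> 198.51.100.20:443 at irregular
# human-browsing intervals with widely varying sizes.
CHANNEL_B = [
    {"src": "10.0.0.7", "dst": "198.51.100.20", "dport": 443,
     "ts": BASE_TS + t, "bytes_out": out, "bytes_in": back}
    for t, out, back in [
        (0, 1800, 52000), (4, 2100, 9800), (9, 900, 120000),
        (41, 3300, 7400), (120, 1500, 88000), (121, 400, 3000),
        (305, 2900, 15000), (600, 700, 61000), (602, 1100, 200),
        (900, 2400, 30000), (950, 800, 9000), (1400, 1300, 44000),
    ]
]

SAMPLE_FLOWS = CHANNEL_A + CHANNEL_B


def channel_stats(flows):
    """Group flows per (src, dst, dport) and measure how regular the
    connection cadence and request sizes are. The coefficient of variation
    (stdev / mean) is near 0 for a timer-driven beacon and large for
    human-driven traffic."""
    by_channel = defaultdict(list)
    for f in flows:
        by_channel[(f["src"], f["dst"], f["dport"])].append(f)

    stats = {}
    for key, group in by_channel.items():
        group.sort(key=lambda f: f["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(group, group[1:])]
        sizes = [f["bytes_out"] for f in group]
        entry = {"count": len(group), "gap_cv": None, "size_cv": None}
        if len(gaps) >= 2 and mean(gaps) > 0:
            entry["gap_cv"] = pstdev(gaps) / mean(gaps)
            entry["median_gap"] = sorted(gaps)[len(gaps) // 2]
        if mean(sizes) > 0:
            entry["size_cv"] = pstdev(sizes) / mean(sizes)
        stats[key] = entry
    return stats


def detect_beacons(flows, min_count=8, max_gap_cv=0.15, max_size_cv=0.25):
    """Return the channels whose timing and size regularity look like a
    beacon. Thresholds are illustrative starting points, not tuned values."""
    flagged = []
    for key, s in channel_stats(flows).items():
        if s["count"] < min_count or s["gap_cv"] is None or s["size_cv"] is None:
            continue
        if s["gap_cv"] <= max_gap_cv and s["size_cv"] <= max_size_cv:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst, dport in detect_beacons(SAMPLE_FLOWS):
        s = channel_stats(SAMPLE_FLOWS)[(src, dst, dport)]
        print(f"possible beacon {src} -> {dst}:{dport} "
              f"every ~{s['median_gap']}s (gap cv {s['gap_cv']:.3f})")
```

The check never looks at a payload byte. In practice it needs an allowlist, because update checkers, NTP and telemetry agents also beacon on timers; the usual refinements are to weight the score by how rare the destination is across the estate and to combine it with the client's TLS handshake characteristics, neither of which requires the session keys either.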

Get visibility into all user and system behaviors with a Zero Trust Architecture

A fundamental part of Zero Trust Architecture is monitoring how privilege is actually used on the network and continuously adjusting access based on observed behavior. DHS's program for this is Continuous Diagnostics and Mitigation (CDM).

But CDM goes further than just observing hosts. It seeks to answer the following:

  • What devices, applications and services are connected to and in use on the network?
  • What users and accounts (including service accounts) are accessing the network?
  • What traffic patterns and messages are exchanged over the network?

Again, this goes back to the importance of network visibility. Organizations must have visibility into all actors and components on their network to monitor and detect threats. In fact, as noted in the NIST report, “a strong CDM program is key to the success of ZTA.”
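The three CDM questions above can be answered passively from authentication and connection metadata, and the same records give the observed-privilege picture that a static directory view lacks. The following added example (not Vectra or DHS code) builds a device, account and traffic-pattern inventory from constructed authentication events, derives the privilege each account was actually seen to exercise, compares it with the privilege assigned in the directory, and flags a new request that departs from the account's baseline. The field names, hostnames, accounts and directory data are all hypothetical.

```python
"""Passive CDM-style inventory and observed-privilege baseline.

Added example, not Vectra or DHS code. It assumes simplified
authentication records with: account, src (client host), dst (server
host), service, and admin (True when the session exercised
administrative rights). Field names, hosts, accounts and the directory
data are hypothetical and constructed.
"""
from collections import defaultdict

# Constructed baseline: authentications observed over a monitoring window.
BASELINE = [
    {"account": "svc_backup", "src": "BACKUP01", "dst": "FILESRV01", "service": "smb", "admin": False},
    {"account": "svc_backup", "src": "BACKUP01", "dst": "FILESRV02", "service": "smb", "admin": False},
    {"account": "alice", "src": "WS-ALICE", "dst": "MAIL01", "service": "https", "admin": False},
    {"account": "alice", "src": "WS-ALICE", "dst": "DC01", "service": "ldap", "admin": False},
    {"account": "bob", "src": "WS-BOB", "dst": "DC01", "service": "rdp", "admin": True},
    {"account": "bob", "src": "WS-BOB", "dst": "FILESRV01", "service": "smb", "admin": False},
]

# Constructed directory data: the privilege tier statically assigned to
# each account. Note svc_backup holds admin rights it never uses above.
ASSIGNED = {"svc_backup": "admin", "alice": "user", "bob": "admin"}


def inventory(events):
    """Answer the CDM questions: which devices and services are on the
    network, which accounts use it, and which traffic patterns recur."""
    devices, accounts, services = set(), set(), set()
    patterns = defaultdict(int)
    for e in events:
        devices.update((e["src"], e["dst"]))
        accounts.add(e["account"])
        services.add((e["dst"], e["service"]))
        patterns[(e["src"], e["dst"], e["service"])] += 1
    return {"devices": devices, "accounts": accounts,
            "services": services, "patterns": dict(patterns)}


def observed_privilege(events):
    """Per account: the hosts it was seen from, the targets it reached and
    the highest privilege tier it actually exercised."""
    obs = defaultdict(lambda: {"tier": "user", "sources": set(), "targets": set()})
    for e in events:
        o = obs[e["account"]]
        o["sources"].add(e["src"])
        o["targets"].add((e["dst"], e["service"]))
        if e["admin"]:
            o["tier"] = "admin"
    return dict(obs)


def over_provisioned(observed, assigned):
    """Accounts assigned admin rights that were never seen to use them:
    least-privilege candidates invisible to a directory-only review."""
    return sorted(a for a, tier in assigned.items()
                  if tier == "admin"
                  and observed.get(a, {}).get("tier", "user") == "user")


def deviations(observed, event):
    """Behavioural checks a policy engine could apply to a new access
    request before granting it, based on the account's observed baseline."""
    o = observed.get(event["account"])
    if o is None:
        return ["unknown account"]
    reasons = []
    if event["src"] not in o["sources"]:
        reasons.append("new source host %s" % event["src"])
    if (event["dst"], event["service"]) not in o["targets"]:
        reasons.append("new target %s/%s" % (event["dst"], event["service"]))
    if event["admin"] and o["tier"] != "admin":
        reasons.append("first use of admin rights")
    return reasons


if __name__ == "__main__":
    inv = inventory(BASELINE)
    print("devices:", sorted(inv["devices"]))
    obs = observed_privilege(BASELINE)
    print("over-provisioned:", over_provisioned(obs, ASSIGNED))
    # Constructed new event: a service account logging on interactively
    # from a user workstation to a domain controller with admin rights.
    request = {"account": "svc_backup", "src": "WS-ALICE", "dst": "DC01",
               "service": "rdp", "admin": True}
    print("deviations:", deviations(obs, request))
```

Two things fall out of the comparison that a host-centric view misses: the directory says svc_backup is an administrator, while the network shows it only ever reading file shares from one backup host, so its rights can be cut; and the first time that account appears from a workstation with administrative rights, every element of the request is outside its baseline, which is exactly the signal a zero-trust policy decision point should act on.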

Vectra Cognito is a cornerstone of a successful Zero Trust Architecture

Vectra is the only US-based FIPS-compliant NDR on the Department of Homeland Security's CDM approved products list that uses artificial intelligence. Our AI includes deep learning and neural networks that give visibility into large-scale infrastructures by continuously monitoring network traffic, logs and cloud events.

The Cognito platform from Vectra can detect advanced attacks as they are happening in all enterprise traffic, including data centers and the cloud. We do this by extracting metadata from all packets. Every IP-enabled device on the network is identified and tracked, extending visibility to servers, laptops, printers, BYOD and IoT devices as well as all operating systems and applications.

The Cognito platform scores all identities on the same criteria as hosts. This lets you see the privilege each account actually exercises in your environment, rather than only the privilege statically assigned to it in the directory.

We applaud NIST for highlighting the analysis of encrypted-traffic metadata, which is the core of NDR, as a key part of any ZTA. At Vectra, we're proud to offer a turnkey NDR solution to any organization on its journey to a modern secure architecture.