“Zero trust (ZT) is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.” – NIST

Last year, I wrote about the National Institute for Standards and Technology (NIST) draft publication for the Zero Trust Architecture (NIST SP 800-207) or ZTA. We’ve also recently covered the reasons why network detection and response (NDR) is an essential component of NIST ZTA.

With the wide adoption of encrypted traffic and software as a service (SaaS) apps and non-enterprise-owned assets (e.g. contracted services that use the enterprise infrastructure to access the internet), monitoring solutions that rely on deep packet inspection (DPI) will struggle to assess a possible attacker on the network.

But as NIST notes, “That does not mean that the enterprise is unable to analyze encrypted traffic that it sees on the network. The enterprise can collect metadata about the encrypted traffic and use that to detect an active attacker or possible malware communicating on the network. Machine learning techniques…can be used to analyze traffic that cannot be decrypted and examined.”

Don’t Decrypt

We’ve written that you don’t have to rely on decryption to detect threats, and why decrypting to inspect traffic is an ill-advised approach. In fact, we have been encouraging our customers to encrypt everything for a long time.

It fundamentally comes down to a few key points:

• You gain nothing by decrypting packets. All the information needed to detect threats can be determined by applying machine learning to the traffic and metadata itself, as noted by NIST.
• It will be increasingly difficult to decrypt traffic and solutions that rely on this. The adoption of TLS 1.3 and security extensions like HTTP public key pinning (HPKP), HTTP strict transport security (HSTS), DNS over HTTPS (DoH), and encrypted server name indication (ESNI) will make inspecting traffic more difficult by design.
• You will never be able to decrypt attacker traffic. Attackers don’t use your encryption keys, and in many cases won’t go through your endpoints that decrypt man-in-the-middle traffic.
• There are also numerous Data Protection and Compliance issues with decrypting data for analysis and storing it. For example, this could lead to stored PII or other sensitive data such as payment card or SSN.

Encrypting all traffic on the network is fundamentally good. Therefore, successful implementation of ZTA requires a modern NDR solution that can collect metadata about encrypted traffic and use machine learning to detect malicious communications from malware or attackers in the network – without relying on the overhead of agents.

Full Visibility

Vectra is the only U.S.-based FIPS-compliant NDR on the Department of Homeland Security CDM approved products list that uses artificial intelligence. Our AI includes deep learning and neural networks to provide visibility in large-scale infrastructures by continuously monitoring all network traffic, accounts, identities, relevant logs, and cloud events.

Every IP-enabled device on the network is identified and tracked, extending visibility to servers, laptops, printers, BYOD, and IoT devices as well as all operating systems and applications.

The Cognito platform from Vectra can detect advanced attacks as they are happening in all traffic, from cloud/SaaS and data centers workloads to user and IoT devices. We do this by extracting metadata from all packets and logs, without requiring decryption – read more in our white paper here.

The Cognito platform scores all identities in the platform on the same criteria as hosts. This allows you to see the observed privileges in your system as opposed to the static assigned privilege.

We applaud NIST for highlighting the importance of an NDR solution as a key part of any ZTA. At Vectra, we’re proud to offer a turnkey NDR solution to organizations on their journey to implementing a modern security architecture.

To find out how both NDR and Zero Trust will help organizations achieve these goals, schedule a demo today.