The role of security analytics in a zero trust environment


The phrase ‘Zero Trust’ has been knocking around for a while now and it’s gathering rather a lot of attention. When looking at cybersecurity defence models, Zero Trust implies that all devices, resources, systems, data, users and applications are not to be trusted. As a security model, it requires strict identity verification for each person and device attempting to access resources on a private network. However, generally speaking there isn’t a single piece of technology associated with a Zero Trust model, but many emerging technologies that play a key role when looking to implement Zero Trust within an organisation.

Zero Trust as a security model originally stems from the late realisation that focusing on external threats at the expense of insider threats has proven to be a flawed concept. Organisations are now, more than ever, acutely aware of the consequence of cyberattacks and the devastation that insider threat can cause. According to the 2019 Verizon Data Breach Investigations Report, 34 per cent of data breaches involve internal actors and this number is only predicted to grow in the coming years as businesses begin to transition to the cloud.

IT infrastructures are becoming increasingly ‘borderless’. Despite the number of external actors being thwarted, the perimeter has become more porous as incidents are increasingly originating from the inside of organisations instead. Notwithstanding its apparently obvious name, insider threat isn’t as straightforward as it might seem at first glance. There are three main types of insider threats: user error, malicious insider and compromised accounts. One example of a malicious insider could be an employee who wants to “get even” with their company after a poor performance review. It could even be an IT admin who decides to use their unmonitored elevated access to distribute confidential data from secure networks without authorisation. Insider threats could also manifest as a disgruntled former employee whose access to certain applications or network drives hasn’t been deprovisioned, allowing them access to company files, even after leaving. Regardless of which type of insider threat a company is faced with, the outcome is always the same. To combat this eventuality, solutions should be proactive, rather than reactive.
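The deprovisioning failure described above (a former employee whose access is never removed) is one of the easier insider scenarios to check for, because the evidence is a simple join between an HR leavers feed and the access log. The following is an added example, not code from the article or from Gurucul; the leavers feed, account directory and access events are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not from the article).
# HR leavers feed: user -> last day of employment.
LEAVERS = {
    "jdoe": datetime(2024, 3, 1),
    "asmith": datetime(2024, 3, 10),
}

# Directory snapshot: whether each account is still enabled.
ACCOUNT_ENABLED = {"jdoe": True, "asmith": False, "bjones": True}

# Access log: (timestamp, user, resource).
ACCESS_EVENTS = [
    (datetime(2024, 2, 28, 9, 0), "jdoe", "finance-share"),     # before leaving
    (datetime(2024, 3, 4, 22, 15), "jdoe", "finance-share"),    # after leaving
    (datetime(2024, 3, 12, 8, 30), "asmith", "vpn"),            # after leaving
    (datetime(2024, 3, 12, 8, 45), "bjones", "vpn"),            # current employee
]


@dataclass
class Finding:
    user: str
    resource: str
    when: datetime
    days_after_leaving: int


def find_orphaned_access(events, leavers, grace=timedelta(0)):
    """Return access events made by a leaver after their leaving date.

    `grace` lets a site tolerate same-day activity (e.g. handover work);
    anything beyond leaving date + grace is a finding.
    """
    findings = []
    for when, user, resource in events:
        left = leavers.get(user)
        if left is None or when <= left + grace:
            continue
        findings.append(Finding(user, resource, when, (when - left).days))
    return findings


def stale_accounts(leavers, account_enabled, as_of):
    """Return leavers whose account is still enabled at `as_of`.

    This catches the gap before any access happens, which is the proactive
    check; find_orphaned_access catches the gap after it has been used.
    """
    return sorted(
        user for user, left in leavers.items()
        if left < as_of and account_enabled.get(user, False)
    )


def worst_lag_by_user(findings):
    """Longest observed interval (in days) between leaving and still using access."""
    lag = {}
    for f in findings:
        lag[f.user] = max(lag.get(f.user, 0), f.days_after_leaving)
    return lag


if __name__ == "__main__":
    for f in find_orphaned_access(ACCESS_EVENTS, LEAVERS):
        print(f"{f.user} used {f.resource} {f.days_after_leaving} day(s) after leaving")
    print("still enabled:", stale_accounts(LEAVERS, ACCOUNT_ENABLED, datetime(2024, 3, 13)))
```

In practice the leavers feed would come from the HR system and the directory snapshot from IAM, and the `stale_accounts` result is the list an IGA workflow should be closing automatically rather than a human chasing by hand.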

Insider and unknown threats

The increasing adoption of hybrid cloud has seen many organisations choosing to store data both on-premises and in the cloud. Furthermore, users are now accessing applications from multiple devices in multiple locations. These key factors, among others, are quickly making legacy security protocols redundant. The fact that these previously respected methods can go from fundamental in the protection of core applications to practically obsolete highlights how important it is to remain well-informed about current approaches to IT infrastructure security. To make matters worse, many cybersecurity teams continue to rely on manual processes to respond to security threats. These labour-intensive security operations significantly slow down the response to cyberattacks, hindering a process in which every second counts. That delay gives attackers the window they need to steal data and inflict damage.

Often, companies will have a security information and event management (SIEM) solution alongside a CRM, IAM, IGA, PAM and possibly a whole host of other solutions. While it’s great to have data coming in from multiple sources, it can occasionally be counterproductive. Because the sources are dynamic, aggregated data has been known to conflict with itself, which is not ideal for anyone looking to build a complete and holistic view of their IT infrastructure. In a Zero Trust environment, it’s pivotal that organisations are equipped to monitor their entire IT environments for signs of malicious activity.

Unfortunately, SIEM, data loss prevention (DLP) and other rules-based security products can only detect known threats, while insider attacks represent unknown threats. External attackers must first penetrate the network before finding the information they seek (while remaining undetected), whereas malicious insiders already know where all the valuable data is and how to access it.

Extracting context

A Zero Trust environment embraces automated security operations as a unique method of staying ahead of security threats. The average security staff member would never have enough time to sift through every alert that a SIEM system or similar tool produces. In order to implement a solid Zero Trust model, security analytics must play a crucial role. Through the adoption of automation and machine learning, it is possible to generate risk scores for potential threats as they occur. These scores then trigger automated risk-response workflows, allowing organisations to neutralise legitimate threats quickly and effectively. By leveraging big data and machine learning models to predict, detect and prevent insider threats, access abuse and cyber-fraud, organisations can align themselves with the five-step process outlined by Forrester. As the originator of the Zero Trust concept, Forrester presents valuable advice for keeping systems secure. Step four of Forrester’s five-step process advises that organisations should ‘Continuously Monitor Your Zero Trust Ecosystem with Security Analytics’ and step five goes on to recommend that enterprises ‘Embrace Security Automation and Orchestration’. These guidelines are key when utilising security analytics in a Zero Trust model.

With machine learning-based behaviour analytics, context is extracted from big data so there is no reliance on rudimentary rules-based security controls that are often favoured by SIEM systems. With this capability, organisations have the ability to continuously monitor behaviour and dynamically adapt risk scores for real-time responses to anomalies. As is unfortunately the case, cyberthreats are becoming more complex and, as such, the speed at which threats are detected and eliminated is critical.
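The two paragraphs above describe the mechanism in the abstract: a behavioural baseline per user, a risk score that moves as new events deviate from it, and thresholds that trigger an automated response. The example below is added here to make that loop concrete; it is not the article's or Gurucul's code and it uses a deliberately simple statistical baseline rather than a trained model. The scoring weights, the decay factor, the threshold values, the response names (`step_up_auth`, `revoke_sessions`) and all event data are constructed assumptions.

```python
import statistics
from dataclasses import dataclass


@dataclass
class Event:
    user: str
    hour: int     # hour of day the access happened, 0-23
    host: str     # device the request came from
    mb: float     # data volume transferred in the session


@dataclass
class Profile:
    hours: set
    hosts: set
    mean_mb: float
    stdev_mb: float


def build_baseline(events):
    """Learn, per user, the usual hours, usual devices and usual data volume."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    profiles = {}
    for user, evs in by_user.items():
        volumes = [e.mb for e in evs]
        stdev = statistics.stdev(volumes) if len(volumes) > 1 else 0.0
        profiles[user] = Profile({e.hour for e in evs}, {e.host for e in evs},
                                 statistics.mean(volumes), stdev)
    return profiles


def score_event(profiles, e):
    """Risk points (0-100) for one event relative to the user's own history."""
    p = profiles.get(e.user)
    if p is None:
        return 50  # no history at all: neither trusted nor obviously hostile
    score = 0
    if e.hour not in p.hours:
        score += 30  # unusual time of day
    if e.host not in p.hosts:
        score += 30  # never-seen device
    dev = abs(e.mb - p.mean_mb)
    if p.stdev_mb > 0:
        z = dev / p.stdev_mb
    else:
        z = 0.0 if dev == 0 else 4.0  # constant history: any change is notable
    score += min(40, int(z * 10))    # volume anomaly, capped
    return score


# Assumed response ladder, checked from highest to lowest.
THRESHOLDS = ((80, "revoke_sessions"), (40, "step_up_auth"), (0, "allow"))


class RiskTracker:
    """Keeps a running score per user so repeated oddities accumulate,
    while older ones decay instead of punishing the user forever."""

    def __init__(self, profiles, decay=0.5):
        self.profiles = profiles
        self.decay = decay
        self.scores = {}

    def assess(self, e):
        score = self.scores.get(e.user, 0.0) * self.decay + score_event(self.profiles, e)
        self.scores[e.user] = score
        action = next(a for t, a in THRESHOLDS if score >= t)
        return action, round(score, 2)


def run(baseline, live):
    """Replay live events against the baseline; returns (action, score) per event."""
    tracker = RiskTracker(build_baseline(baseline))
    return [tracker.assess(e) for e in live]


# Constructed history for one user: office hours, one laptop, ~10 MB sessions.
BASELINE = [
    Event("alice", 9, "laptop-alice", 10), Event("alice", 10, "laptop-alice", 12),
    Event("alice", 11, "laptop-alice", 8), Event("alice", 14, "laptop-alice", 15),
    Event("alice", 16, "laptop-alice", 11),
]
# Constructed live events: normal, mildly odd, then a large off-hours pull from
# an unknown device, plus a user with no history at all.
LIVE = [
    Event("alice", 10, "laptop-alice", 12),
    Event("alice", 20, "laptop-alice", 14),
    Event("alice", 2, "unknown-host", 500),
    Event("mallory", 12, "laptop-mallory", 5),
]

if __name__ == "__main__":
    for e, (action, score) in zip(LIVE, run(BASELINE, LIVE)):
        print(f"{e.user:8} {score:7.2f} -> {action}")
```

The point of the running score is the "dynamically adapt" part of the text: the third event for `alice` would be blocked on its own, but the second one only earns a step-up challenge, and it is the combination with what came before that pushes the user's standing down. A production system would replace `score_event` with a model and feed the action into a SOAR or IAM workflow rather than printing it.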

In the ongoing battle against ever more advanced cyberattacks, defenders must innovate to remain a step ahead of the newest threats. Being able to spot high-risk users with abnormal behaviours through machine learning is invaluable. Security analytics relying on algorithms rather than manual processes provides in-depth analysis that cannot otherwise be achieved through traditional, manual methods. As the threatscape continues to evolve, so do the solutions and a Zero Trust approach is one of the only fool-proof ways to prevent threats from escalating. As the world moves towards automation and machine learning algorithms become more complex, it is only natural that we take active steps, as a community, to work towards eradicating the most dangerous threats facing organisations.

Peter Draper, technical director, EMEA, Gurucul
