Zero Trust security has arrived with a bang, and it’s a very good thing for every cybersecurity practitioner. Although the concept has been around since the 1990s, when Stephen Marsh wrote of “formalizing trust as an IT concept,” the COVID-19 pandemic and the resulting shift to a remote and hybrid workforce have focused more attention than ever on Zero Trust and accelerated its adoption and implementation.
A Zero Trust architecture is a step in the right direction and a good match for a Work-from-Anywhere world. It flips the notion of “trusting someone forever who has logged in” and applies a “trust but verify” model to every interaction with a system. The requirement to continuously authenticate and authorize users and systems undoubtedly contributes to security. However, when it comes to insider threat protection, we need to be careful to avoid past mistakes that hinder user acceptance and productivity.
With Zero Trust in mind for so many business leaders and IT managers, we realize there is a need for more resources on the concept. For this reason, we recently co-wrote an eBook with Splunk, “An insider risk management approach to Zero Trust,” which helps educate readers on what Zero Trust is and is not, lessons learned from misapplying various security solutions that can help apply Zero Trust to insider threat protection, how to use risk-based analysis to prevent data theft, and Suite.
For those of you interested in more in-depth training, you can read the full eBook, or if you want the (semi!) Cliff Notes version, this two-part blog series summarizes the seven steps of an insider risk management approach to Zero Trust. Let’s dive in.
Step One: Understand Zero Trust
Zero Trust is a concept, not a product. Instead of verifying credentials once and trusting them afterwards, Zero Trust centers on the idea that we cannot implicitly trust anything or anyone. Constant verification of identity and authorization is required.
As a concrete example, consider health care. Anyone who has visited a healthcare facility knows that they will be asked for their name and date of birth many times, often by each new person who interacts with them. It’s not that the doctor or nurse doesn’t trust the person; they are constantly “authenticating” the patient to make sure they’re treating the right person and performing the right procedures. At a high level, this describes the principle of Zero Trust.
Step Two: Learn Traditional Insider Risk Approaches
Insider risk management solutions use a variety of approaches, each with its own strengths and weaknesses. These include data loss prevention (DLP), user activity monitoring (UAM) and user/entity behavior analysis (UBA/UEBA). And, as the market has matured, we’ve seen a convergence of key approaches leveraged in a Zero Trust architecture.
However, what these solutions often lack is a human-centric approach. Parts of each of these solutions have value in a Zero Trust world when combined with a human approach to insider threats. For example, this means combining DLP rules for known bad behavior with machine learning and behavior analysis based on metadata derived directly from machines, applications and data, in order to eliminate “noise.” This can then help more accurately identify malicious intent and provide a privacy-focused approach to UAM that protects employees commensurate with risk.
Step Three: Understand Data Sources for a Human-Centered Approach
Zero Trust relies on exact user, device, network and application data. It then uses automation and analytics to process this data to identify threats and block attacks with the goal of minimizing the “blast radius” in the event of an incident.
Over time, enterprise security has embraced “layered security.” Organizations have deployed point solutions including firewalls, intrusion prevention, web application firewalls and more on the network, as well as antivirus, data loss prevention, and endpoint detection and response on endpoints. From an operational point of view, it is up to the SOC to manage the enormous volume of information produced by these solutions.
Much of this data is noisy, the product of cyber sensors that capture machine logs and occasional user interaction with data, systems, and other security mechanisms. The result is stacks of uncorrelated data that must be pieced together to find sequence and meaning, all of which is reactive after the incident and therefore does very little to prevent data loss or stop a malicious insider from achieving their goals. Therefore, it is essential that organizations understand how to identify and analyze the right data.
Worthy of a sequel
We know we’ve shared a significant amount of information about Zero Trust, traditional approaches to insider risk, and the crucial nature of accurate data sources. With that, we’d like to take a moment to pause so that we don’t cram too much information into our Cliff Notes version at once.
Stay tuned next week for Part 2, where we’ll share the remaining four steps in the process of adopting an insider risk management approach to Zero Trust. And, if you’re eager to learn more, please read the full eBook or contact our team directly for a live chat: https://www.dtexsystems.com/contact us/.
The post Insider Risk Management – A 7-Step Approach to Zero Trust (Part 1) appeared first on DTEX Systems Inc.
*** This is a syndicated blog from the Security Bloggers Network of DTEX Systems Inc. written by Jonathan Daly. Read the original post at: https://www.dtexsystems.com/blog/insider-risk-management-a-7-step-approach-to-zero-trust-part-1/