
Questions & Answers from The Zero Trust Model - Putting Data Protection First

On June 30th, together with Dark Reading, a leading online resource for information security professionals, we hosted the webcast The Zero Trust Model: Putting Data Protection First, with guest speaker John Kindervag, Senior Analyst at Forrester Research, Inc., and Renee Bradshaw, Senior Product Marketing Manager at NetIQ. They explored a data-centric approach to protecting critical organizational data that weaves security throughout the IT infrastructure: one that renders obsolete our notions of "trusted users, networks, and interfaces" and replaces them with the concept of "Zero Trust."

If you missed it, don't worry. The Zero Trust Model: Putting Data Protection First is now available on demand. And if you are tasked with managing the risk to sensitive data, which is now spread across physical and virtual locations, you probably have many questions yourself: How do I know my data is being accessed in a secure manner? Who is accessing this data, and do I trust them? What follows are the questions attendees asked and the answers (more questions will be added as they are transcribed); along with the webcast, they may well provide the information you are looking for:

Q) What security technologies work best in helping to manage the amount of log data I expect to get if I “log everything”?

John: Right, remember it’s not just “log everything”, because lots of people are logging lots of stuff. You have to proactively inspect it and then log it and then tie it all together analytically. So, I mentioned two tool sets that we think are very valuable. In fact a lot of people complain and say that this is too hard to do, but I don’t believe it is. We are not asking you to take Wireshark and open each packet on your own. We are not asking you to do anything manually. This is what computers are great at: processing large amounts of data. So you deploy two types of tools; we mentioned them already. NAV, Network Analysis and Visibility tools, which look at the actual data contained in packets, and SIM tools, which look at log files generated by devices. They also make great dashboarding and analytic solutions, and I really think that the SIM market is moving much more towards being an analytical engine for helping IT people make really good decisions, not just on the security side but on other aspects of the IT business. So those two tool sets combined will give you that situational awareness and help you automate the inspect-and-log mandate of Zero Trust.

Q) When you talk about re-engineering the network with the DAN topology, how does IT justify the increased cost to put the architecture in place? Mirroring this infrastructure potentially represents a two-fold increase in storage and archiving costs.

John: Well, I think the assumption that it’s going to be more expensive is not demonstrable right now. So, people are upgrading their networks currently; they are spending lots of money on their networks. Now is the time to really think about how you should architect them for data-centric security. You know, if you let your plumber design your house, he will put the shower in the garage next to the water heater, because that is most efficient. Networking folks are really the electricians and plumbers of the IT business. They have to put better design, better structural engineering, into the networks, because we’ve seen Sony, and RSA, and all these breaches prove to us that the current network designs fall down when that earthquake or tsunami hits. So I am not certain that it is more expensive. There is nothing that leads me, as a networking guy, to believe that it has to be more expensive. Certainly it has to be redundant, but all networks have to be redundant. But the reality is the worst-case scenarios, that are happening at places like Sony and RSA, are much worse, by an order of magnitude worse, than what the designers of those networks ever imagined could happen. So it is going to cost hundreds of millions of dollars, if not billions of dollars, for people to remediate these breaches. Why not build some structure into your network from the beginning? That is where the real cost savings are.

Q) What’s the best defense against hackers using probing, automated discovery tools?

John: Well, probing automated discovery tools, I call that the background radiation of the Internet. Researchers that I talk to say that the average publicly facing IP address gets scanned 5000 times a day, at minimum. You are not going to eliminate that. You can’t eliminate people trying to look in your windows. You’ve just got to keep them from coming in your doors, and so you need to look at how ingress into your network is done. You need to look at how you track users. You need to make sure you have visibility into your internal traffic. Once an attacker gets past your perimeter, they can walk around your house like they are invisible. That’s the dangerous part, so you have to have better situational awareness, better visibility on your network, and you need to find all of your holes and plug them. A lot of stuff we see happening is security 101: basic failures. Stuff that, no way, should ever happen; embarrassments really, for the industry and certainly for the people who are in charge. So, most people who get hacked right now are getting hacked because they screwed up the easy stuff, or they didn’t pay attention, or they didn’t allocate enough budget. You know, less than 10% of the average IT budget goes to security, yet security is so important in this age. When you look at the hundreds of millions of dollars Sony is going to have to spend, I would say they were penny wise and pound foolish.

Renee: Right, and to reiterate, John, what Verizon [Verizon Data Breach Investigations Report] found, year after year, is that if even the most basic security tools had been in place, a lot of breaches could have been avoided or the extent of damage minimized. What we like to have, at minimum, is a SIEM solution in place. And if we can combine that with an identity management solution, you can truly get to the point where you are actually monitoring what everyone is doing. You can track your users. Just like you said, you have to be able to track a particular user. I think the terminology you use is, not cyber, but silicon or carbon based, right?

John: Yeah.

Renee: That’s what we need to be able to get to.

John: Yeah, all breaches are insider breaches; all cybercrime is an inside job, because either a human being is helping or the network components, the servers, the silicon insiders, are helping those cyber criminals once they get inside.

Q) If you eliminated the downloading of files, can you stop copy and paste as another way to breach the network?

John: Well, yes and no. There are lots of ways to stop breaches, but you can also grind your business to a halt. So, you want to be able to inspect files, to see if there is a malicious payload in those files, and so copying and pasting isn’t so much the problem, or downloading isn’t so much the problem. It’s that a lot of people don’t have controls in place to do anti-spam, to protect against spear phishing, to look for the kind of vulnerabilities that are found in Adobe files, for example, that seem to be behind the recent breaches. So you have to inspect all that traffic, including the actual payload of emails and web traffic, to make sure there is not malicious content embedded in the payload itself.

Q) Very interesting concept of network access control; do you see it as also applying to physical access control, as within a data center?

John: Oh, absolutely, you have to have Zero Trust ID in a data center and your physical security. That’s called social engineering, and it’s kind of fun to go into a company; our culture especially precludes us from asking “Hey, do you have any business being here?” But that is how a lot of attacks happen. People pretend to be the UPS guy, the FedEx guy. I ran a Vulnerability Assessment practice for a while and we had a lady who was awesome at this. She pretended to be pregnant and asked to use the bathroom, and could get anywhere and nobody would ask her a question. You don’t ask a pregnant lady a question, even though she is not really pregnant; she could just have a little pillow or whatever there. So, there are lots of ways to social engineer networking, and you have to train people to ask the right questions and not be afraid to say “Hey, I don’t know you. What is your role here? Show me some identification.” And if they are somewhere they are not supposed to be, if you cannot verify who they are, you have to be able to feel good about calling security.

Q) After near-real-time analysis is performed, how do you treat log files and captures from a records management retention perspective? Same as enterprise records? Something shorter? I can imagine a large storage cost will be involved here to save everything.

John: Yeah, so on the NAV stuff you have to determine if you need the full packet or just the metadata, and then of course there are lots of good data compression technologies that these tools will use. Then on the log retention: most people use PCI requirement 10 to define log retention by policy. Usually that requires that you keep a log file for a year and have a way to easily access it for about 3 months. So, if you have a compliance requirement, it will probably be that you need to keep the file for a year; if you don’t have a compliance requirement, then 3 to 6 months is the norm.

Q) How does the Zero Trust model work for the Cloud?

John: It’s a cloud-ready architecture; for those of you who subscribe to or get SC Magazine, Zero Trust is June's feature story, and the CISO of Cox Communications points out that it is a really good model for the Cloud. It can support multitenancy, those kinds of things, and quite frankly we’ve got all these aaS’s: SaaS and Infrastructure as a Service (IaaS), Security as a Service (SaaS), Platform as a Service (PaaS), but who is really watching your ’aaS? Have you ever thought about that? Have you ever thought, who is the person behind the Cloud who’s got access to all of your data? So absolutely, you need a Zero Trust model, because someone could easily take control of your ’aaS if you are not careful.

More questions will be added shortly...


Posted Jul 06 2011, 12:55 PM by David Shephard

