Zero trust is a security model built on the assumption that no user or device should be trusted by default, whether it sits inside or outside the network. Any account or device may be compromised at any moment, so an earlier successful authentication is not a reason to keep trusting it: access is verified continuously, per request, rather than once at the door.
Traditional perimeter security uses firewalls and virtual private networks (VPNs) to draw a boundary around the network and keep external threats out; anything already inside that boundary is implicitly trusted. A zero trust architecture removes that implicit trust, so it also protects against insiders and against external attackers who have already gained a foothold inside the perimeter.
Zero Trust and Microsegmentation
Zero trust tooling and policy require authentication of both the identity and the device for every access across the network. Another key component is microsegmentation: splitting the network into small logical zones so that access can be granted to a specific zone rather than to the network as a whole.
Microsegmentation is a key strategy for limiting lateral movement. If a threat actor breaches one system, the compromise can be contained within its microsegment instead of spreading to everything on the same flat network. It also lets you apply different controls in specific areas and monitor and control access and activity more closely, with granular policies in each microsegment protecting sensitive data and critical resources.
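To make the containment claim concrete, here is an added example (not code from the original article or from any product) that models two policies for the same hosts: a flat network and a microsegmented one with default deny. It computes the blast radius of a compromised workstation, first the segments it can reach directly, then the worst case if every host it reaches is itself compromised and used as a pivot. The segment names, hosts, and rules are constructed for illustration.

```python
# Added example: blast-radius check for a segmentation policy.
# Constructed data: five segments and two candidate policies.
# Rules are (source_segment, destination_segment, port) allow entries;
# any flow not matched by a rule is denied (default deny).
SEGMENTS = {
    "user-workstations": {"ws-01", "ws-02"},
    "web-tier": {"web-01", "web-02"},
    "app-tier": {"app-01"},
    "db-tier": {"db-01"},
    "backup": {"bk-01"},
}

# Legacy flat network: a single zone where everything can reach everything.
FLAT_RULES = [("any", "any", "any")]

# Microsegmented policy: only the flows each tier actually needs.
MICROSEG_RULES = [
    ("user-workstations", "web-tier", 443),
    ("web-tier", "app-tier", 8080),
    ("app-tier", "db-tier", 5432),
    ("db-tier", "backup", 22),
]


def segment_of(host):
    """Map a host name to the segment it belongs to."""
    for name, hosts in SEGMENTS.items():
        if host in hosts:
            return name
    raise KeyError(f"unknown host {host}")


def allowed(rules, src, dst):
    """True if any rule permits traffic from segment src to segment dst."""
    return any(s in ("any", src) and d in ("any", dst) for s, d, _ in rules)


def reachable(rules, start_host, max_hops):
    """Segments an attacker controlling start_host can reach within max_hops,
    assuming every segment reached is in turn compromised and used as a pivot.
    max_hops=1 is the direct blast radius of a single compromised machine."""
    start = segment_of(start_host)
    seen = {start}
    frontier = [start]
    for _ in range(max_hops):
        next_frontier = []
        for cur in frontier:
            for seg in SEGMENTS:
                if seg not in seen and allowed(rules, cur, seg):
                    seen.add(seg)
                    next_frontier.append(seg)
        frontier = next_frontier
    return seen


def exposed_to(rules, sensitive_segment):
    """Segments that can open a connection straight into sensitive_segment.
    A useful policy check: workstations should never appear here for db-tier."""
    return {s for s in SEGMENTS
            if s != sensitive_segment and allowed(rules, s, sensitive_segment)}


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("microsegmented", MICROSEG_RULES)):
        print(f"{name}: ws-01 compromised, direct reach = {sorted(reachable(rules, 'ws-01', 1))}")
        print(f"{name}: ws-01 compromised, 4-hop reach  = {sorted(reachable(rules, 'ws-01', 4))}")
        print(f"{name}: segments with direct access to db-tier = {sorted(exposed_to(rules, 'db-tier'))}")
```

The one-hop result is the point of the section: on the flat network a single compromised workstation can talk to every tier, while under the microsegmented policy it can only reach the web tier on one port. The four-hop result is the caveat a practitioner should keep in mind: segmentation along a service chain does not make the database unreachable, it forces the attacker to compromise each tier in turn, which is exactly the kind of multi-stage activity that detection tooling needs to see.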
What Is XDR?
An extended detection and response (XDR) solution aims to guard against cyberattacks by identifying attacks in progress and providing an automated response. There is no single agreed definition of XDR; however, an XDR implementation will typically include technology that addresses the following areas:
- Endpoint security – laptops and corporate PCs, plus physical and virtual servers, whether on-premises, in data centers, or as cloud workloads.
- Protection against threat vectors – securing delivery vectors, such as business email, corporate portals, and websites.
- Automatic file and threat isolation – including microsegmentation and sandboxing.
- Threat intelligence – providing analytics, alerting, and reporting.
An XDR implementation requires integrating otherwise separate security products and sources of network telemetry so that they act as one unit. By combining inputs from every security layer into a single dataset, XDR can apply analytics across all of them and identify and respond to threats that no single layer would see on its own.
Here is how XDR works:
- Detects persistent attacks, unknown malware, and other advanced threats – many intrusions involve long periods of covert remote access, during which attackers map the network, locate the sensitive data they want, and then stage exfiltration or ransomware deployment for maximum impact.
- Identifies threats that cut across security silos – analytics over the combined data detect patterns of behavior and warning signs that look benign in isolation but malicious in combination. Siloed tools, each seeing only its own data, overlook these signs.
The vision of XDR is to unite data security controls and defenses, and security operations. The outcome is an end-to-end holistic solution that can identify all phases of the kill chain.
How XDR Supports Zero Trust
On its own, XDR provides effective security capabilities; however, organizations can strengthen their security posture by using XDR together with a zero trust approach. XDR has two key assets that support a zero trust strategy: strong endpoint (user, device, cloud workload, and more) controls, and organization-wide collection and correlation of data from across the IT infrastructure.
Strong endpoint controls: Endpoint controls give teams visibility into endpoint and device activity and potential threats. That visibility is the basis for establishing and verifying trust; without it, there is nothing on which to base a trust decision, and authentication alone proves only that a credential was presented.
Organization-wide data correlation: XDR collects and correlates data on an ongoing basis, which supports the continuous assessment that zero trust calls for. XDR keeps assessing an endpoint even after the organization has approved access to an asset, checking that the asset has not since been compromised.
If an endpoint starts showing suspicious activity, for example logins from geographically distant locations within a window too short to travel between them, XDR notifies the security team. The team can then revoke the asset's access and close off a potential attack vector before it is used.
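The following is an added example, not code from the original article or from any XDR product, showing the two ideas of this section and of the "cuts across security silos" point above in working form: an impossible-travel check over identity-provider sign-in logs, and a cross-silo correlation step that joins a flagged sign-in with endpoint telemetry for the same user to produce a response recommendation (revoke sessions, isolate the host). All events, hosts, user names, the 900 km/h speed threshold, the 15-minute correlation window, and the list of suspicious endpoint events are constructed assumptions for illustration.

```python
# Added example: impossible-travel detection plus cross-silo correlation.
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample telemetry from two silos. Timestamps are UTC.
# Silo 1: identity provider sign-in events (who signed in, from where).
SIGNIN_EVENTS = [
    {"ts": "2024-03-04T08:00:00", "user": "alice", "city": "New York",
     "lat": 40.7128, "lon": -74.0060, "result": "success"},
    {"ts": "2024-03-04T08:31:00", "user": "alice", "city": "London",
     "lat": 51.5074, "lon": -0.1278, "result": "success"},
    {"ts": "2024-03-04T09:00:00", "user": "bob", "city": "New York",
     "lat": 40.7128, "lon": -74.0060, "result": "success"},
    {"ts": "2024-03-04T11:05:00", "user": "bob", "city": "Philadelphia",
     "lat": 39.9526, "lon": -75.1652, "result": "success"},
]
# Silo 2: endpoint (EDR) events (which device the user was active on, what happened).
ENDPOINT_EVENTS = [
    {"ts": "2024-03-04T08:34:00", "host": "LT-ALICE-01", "user": "alice", "event": "new_scheduled_task"},
    {"ts": "2024-03-04T11:10:00", "host": "LT-BOB-01", "user": "bob", "event": "process_start:outlook.exe"},
]

MAX_PLAUSIBLE_SPEED_KMH = 900          # assumed: roughly airliner speed; faster is impossible travel
CORRELATION_WINDOW = timedelta(minutes=15)   # assumed window for joining identity and endpoint events
SUSPICIOUS_ENDPOINT_EVENTS = {"new_scheduled_task", "new_service_installed"}  # assumed persistence indicators


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometers between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse(ts):
    return datetime.fromisoformat(ts)


def impossible_travel(signins):
    """One alert per consecutive successful sign-in pair whose implied speed is impossible."""
    by_user = {}
    for e in sorted(signins, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse(cur["ts"]) - parse(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "speed_kmh": round(speed), "ts": cur["ts"]})
    return alerts


def correlate(alerts, endpoint_events):
    """Cross-silo step: join each identity alert with endpoint telemetry for the
    same user inside the window, and turn the result into a response plan.
    Impossible travel alone is enough to revoke sessions; a suspicious endpoint
    event in the same window additionally marks that host for isolation."""
    actions = []
    for a in alerts:
        t0 = parse(a["ts"])
        hits = [ev for ev in endpoint_events
                if ev["user"] == a["user"]
                and t0 <= parse(ev["ts"]) <= t0 + CORRELATION_WINDOW
                and ev["event"] in SUSPICIOUS_ENDPOINT_EVENTS]
        reason = f"impossible travel {a['from']} -> {a['to']} ({a['km']} km at {a['speed_kmh']} km/h)"
        if hits:
            reason += "; followed by " + ", ".join(h["event"] for h in hits)
        actions.append({"user": a["user"], "revoke_sessions": True,
                        "isolate_hosts": sorted({h["host"] for h in hits}), "reason": reason})
    return actions


if __name__ == "__main__":
    for action in correlate(impossible_travel(SIGNIN_EVENTS), ENDPOINT_EVENTS):
        print(action)
```

Neither silo alone justifies the response: the London sign-in is a valid credential use, and a new scheduled task on its own is a common, mostly benign event. Joined on user and time they become a credible account-takeover-with-persistence picture, which is the kind of cross-silo signal the section describes. In practice the thresholds would be tuned per environment, and VPN egress locations would need to be allow-listed to avoid false impossible-travel hits.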
Saves time for security teams: Contrary to common thinking, zero trust can actually reduce the workload of security teams. In a zero trust approach that uses XDR, many routine threats are identified and blocked automatically.
That automation handles the bulk of the noise that security teams traditionally had to work through by hand: reviewing thousands of alerts, picking out the relevant ones, and responding manually. With that baseline covered, teams can invest more time in investigating advanced attacks.
In this article, I explained the basics of a zero trust model and how XDR tools complement it. XDR unifies security data across hybrid environments, enabling continuous verification of entities on the network, which is a basic tenet of zero trust.
Implementing zero trust takes more than strong authentication and microsegmentation. Sophisticated attackers can quietly take over legitimate accounts and establish a foothold on the network without being detected, and at that point they pass every authentication check. XDR can spot these evasive attackers by correlating activity across segments and security boundaries, raising confidence that the entities being trusted really can be trusted.