Why NDR Is Critical for NIST ZTA Architecture

Most organizations over the last several years have shifted towards a defensive strategy that assumes all networks are hostile, even the internal ones. Hardening internal system defenses the same way you would treat external systems facing the internet reduces the impact of a threat actor should they breach your perimeter. Zero trust architecture (ZTA) provides a collection of ideas, approaches and architectures designed to enable accurate access decisions.

What drives ZTA?

In modern network infrastructures, you can no longer assume that the traffic zipping through your networks is secure just because it is inside your perimeter. There are five fundamental assumptions that drive zero trust architecture:

Assume all networks are hostile
Adopting the mindset that all networks are hostile, including those your organization controls, changes everything. The posture of treating your internal networks just as precariously as the internet means system hardening is much more thorough and robust. This subsequently reinforces the ultimate need to secure all points of communication between entities.

Threats are present on your network at all times
Whether companies like it or not, there’s a good chance their networks have been breached without their knowledge. Even if this isn’t true, you can assume that it’s only a matter of time. You should take the stance that both internal and external networks used to facilitate business processes are lurking with threats. This is another way to support the “all networks are hostile” mentality to help inspire a positive shift towards better security.

Network locality is not sufficient enough to guarantee trust
Just because you own a network does not inherently guarantee its level of trust. This is a rather dangerous assumption to make, as you are making a claim that your networks are free from threats at all times. An on-prem network is just as susceptible to a breach as one that exists in the cloud.

This is especially true of all the managed web-based services that businesses have come to depend on. Due to their decreasing costs and lack of a need to deploy software on the endpoint, this option has attracted a large enterprise following, as well as the attention of threat actors.

All network connections should be authenticated and authorized
Users, devices and even the network appliances responsible for facilitating communications require implicit authentication and authorization for all communications. By leveraging technologies such as public key infrastructure and device fingerprinting, implementing ZTA can take on much of the heavy lifting of this demanding task. By validating the identity and extent of permissions of all entities, this reduces a threat actor’s ability to gain access to and traverse your networks.

Policies must be based on a wide collection of dynamic data sources
Regarding network operations and expected behavior, the more you know about how your systems function compared to how you assume they do, the better. Real data gleaned from the actual traffic flows, firewalls, switches and endpoints is necessary when properly defending networks. In a ZTA network, this information helps administrators and engineers align the on-paper security posture of your organization with operational reality.

As a centralized, third-party authority structure, a zero trust architecture leverages what is known as a control plane, which makes policy-driven decisions and grants conditional access to subjects. From that point, the authorization to interact with the data plane takes place, which is where the network flow is established to allow subjects to participate by accessing requested resources. Secondary layers of defense are often applied in a ZTA, which include the use of certificates, keys and temporary credentials to establish encrypted sessions.

Why organizations are adopting zero trust architecture

When it comes to maintaining strict control over authentication and authorization between every established traffic flow on a network, ZTA provides a robust solution to compensate for the inadequate perimeter security strategy of yesteryear.

Given the vast adoption of cloud services and the new work-from-home paradigm, ZTA is a leading security strategy to reduce organizations’ attack surfaces. Zero trust architecture manages the trust of connections being established by servers, laptops, desktops, mobile phones, tablets and the universe of IoT devices across multiple geographic locations.

Prior to the implementation of ZTA, solutions such as VPN were relied upon as an explicit control mechanism for determining trustworthiness on an endpoint. While certificate-based VPN services complimented by robust multi-factor authentication (MFA) hardened this type of remote access technology, there are still fundamental inadequacies.

Weak or reused passwords for authentication mean that should a system be accessed, either by theft of a mobile device or while a user’s workstation is unattended, the VPN provides an encrypted gateway to pilfer company information assets. Even with MFA, if a PIN is sent via email, the “always on” email client on that user’s device means the malicious party can log right into the VPN.

Where ZTA falls short

For more mature, brownfield networks, zero trust architecture is incredibly difficult to implement. The architectural challenges associated with retrofitting a control and data plane in conjunction with enhanced authentication and authorizations features do not

simply solve themselves overnight. The downtime caused by interruptions in service while “getting it right” can cost your organization more money than you can bear to part with.

The increase of users, applications, devices and data means that scaling an initial implementation of ZTA creates a complex management challenge. With so many layers of trust to establish and maintain long-term, ZTA implementation is certainly not a chore for the faint of heart.
Once a level of trust has been established, much is assumed about the continued assurance of each system involved without continuous revalidation, which is taxing on associated resources. These resources include the systems involved as well as administrators and security teams to ensure everything is working as expected 24/7. One fatal flaw that may be overlooked during the honeymoon phase of zero trust architecture is the security of the endpoints themselves.

These are some of the challenges of properly setting up ZTA:

  • Time and effort to set up: Reorganizing policies within an existing network can be difficult because it still needs to function during the transition. Often it’s actually easier to build a new network from scratch and then switch over. If legacy systems are incompatible with the Zero Trust framework, starting from scratch will be necessary.
  • Increased management of varied users. Employee users need to be monitored more closely with access only granted as necessary. And users can go beyond employees. Customers, clients and third-party vendors may also use the company’s website or access data. This means there’s a wide variety of access points, and a Zero Trust framework requires specific policies for each type of group.
  • More devices to manage: Today’s work environment includes not only different kinds of users, but several types of devices for each of them. Different devices may have their own properties and communication protocols which must be monitored and secured specific to their type.
  • More complicated application management: Likewise, applications are varied. Apps are often cloud-based with use across multiple platforms. They may be shared with third parties. In line with a Zero Trust mentality, app use should be planned, monitored and tailored specifically to user need.
  • More complicated data management: These days there’s more than one location data is stored, which means there are more sites to protect. Data configuration needs to be done responsibly with the highest security standards.

A comprehensive ZTA strategy requires NDR

NIST cautions in their SP 800-207 on ZTA that network traffic and the lack of visibility create quite a concern for organizations. The inability to see the contents of encrypted traffic traveling across an entire infrastructure prohibits analysts from effectively targeting malicious activity on their networks. Network detection and response (NDR) is crucial to monitoring inter-network endpoint communications and rapidly responding to malicious activity that occurs in a zero trust architecture network.

There are additional concerns with the explicit trust relationships in a ZTA network, where it is assumed that a trusted connection does not require any further safeguards. This is clearly an exposure to risk, as a compromised system in a ZTA network can leverage the same protective encryption technologies to hide malicious activity. With an effective NDR solution, the endpoints are able to be monitored and protected from an endpoint security perspective.

The management overhead and effort required to maintain a ZTA network means that there is plenty of room for human error. Should key pairs become compromised or an administrator incorrectly configure a device, this introduces a major gap in security. The concept of NDR steps in as a layer to your defensive strategy to identify compromised endpoints and halt a potential attack on the spot.

Attempting to implement a ZTA network in a mature environment is difficult to achieve. Given the number of legacy applications, end-of-life appliances and convoluted network topologies that have grown unwieldy over the years, ZTA is not a drop-in solution. As implementation is slowly being rolled out, some systems may be governed under entirely different security policies. This can allow inconsistencies to create inadvertent gaps in your infrastructure. NDR can keep organizations apprised of activity no matter the life cycle phase they are in while implementing ZTA.

Enter WireX NDR

Here at WireX Systems, we have developed a cutting-edge NDR solution that will close the gaps in your ZTA network strategy. Don’t shy away from adopting ZTA because of the uncertainty you may be left with. Consider WireX’s approach to offering a complete solution to monitoring zero trust architecture networks.

Contextual network-wide visibility

Our NDR solution’s contextual network-wide visibility removes blindspots for your security teams when monitoring zero trust architecture networks. By providing a comprehensive vantage point into ZTA network devices, entities and network traffic, analytics for all traffic flows in real time is made available to your teams. This includes ingress and egress traffic as well as lateral network traffic.

Having a 360-degree overview of all network traffic enriched by context also allows security teams to monitor users on their network, the data that is being accessed and even the actual activities that have been performed within this application. Teams have the ability to not only detect threats but also pinpoint the source, other points of propagation and the precise user-data actions suspected to be compromised.

Accelerated threat response
Early warning signs of a potential attack or the initial stages of a breach can be detected with the WireX NDR solution. Whether it is the identification of unusual remote access, suspicious access to a file server (including searching for specific files and then downloading/deleting them) or running an SQL transaction to extract records from a DB in your zero trust architecture network, we have you covered.

Our platform’s high-fidelity alerts mean fewer false positives than conventional solutions and the ability to prioritize by severity. The winning feature to support a truly secure ZTA network is the automated response capabilities that reduce time spent by teams and eliminate manual response. Your security team doesn’t have to waste their time chasing ghosts through the network with WireX, and they can focus their efforts on the real threats and proactive hunting.

Contact us today

Don’t put off your huge ZTA network implementation because of all the uncertainty and doubt involved with whether it’s a truly secure solution. As NIST describes advanced network visibility as a critical component to implementing ZTA effectively, let WireX cover the gaps in the strategy. Go from suspicion to fact in minutes with WireX Systems. Schedule a demo to learn more.

linkedin facebook twitter

Learn more about WireX paradigm shift to Incident Response

Top 3 requirements to turbocharge your Incident Response

Read about WireX Systems Incident Response Platform