The Role of Network Detection and Response in Zero Trust

Plans for zero trust implementation vary widely by sector. On one hand, federal agencies like the Department of Defense (DoD) are staunchly committed to a detailed timeline to achieve specific goals by the end of September 2024 and to become fully operational by 2027. On the other hand, according to the 2023 Global Digital Trust Insights report from PwC only 36% of CISOs say they have begun implementing components of zero trust and only a further 25% have plans to start in the next two years. ExtraHop believes the DoD Zero Trust Strategy will be a catalyst for implementation, forcing thousands of contractors in the private sector to follow suit.

The current and forecasted zero trust adoption trends are driven largely by regulations, including the White House’s 2022 requirements for federal agencies, cloud adoption, and ongoing security concerns about employees working from home. As employees continue to work from home, and others return to corporate offices with their own devices, it’s imperative for organizations to embrace zero trust security over traditional, perimeter-based security.

What Is Zero Trust Security?

The cybersecurity industry has offered several, sometimes competing, definitions of zero trust, with many security technology vendors vying to shape the definition to suit their interests. This has created confusion in the market and has led some security practitioners to conflate zero trust with a single solution, such as risk-based authentication or zero trust network access (ZTNA) for example.

Both the U.S. Department of Defense, in its zero trust strategy, and the U.S. National Institute of Standards and Technology in its special publication on zero trust, define zero trust as:

…an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).

While authentication and other identity-based tools are important components of zero trust, implementing zero trust involves a mix of technologies, policies, process changes, and workflows. No single practice or tool will create a zero trust environment. In fact, the DoD Zero Trust strategy sets out the following seven pillars of a zero trust security model:

User: Continually authenticate, assess, and monitor user activity patterns to govern access and privileges.

Devices: Understand the health and status of devices to inform risk decisions, and inspect, assess, and patch devices in real time.

Applications and Workloads: Secure everything, including applications, hypervisors, containers, and virtual machines.

Data: Achieve data transparency and visibility by enabling and securing enterprise infrastructure, applications, and standards and by using end-to-end encryption.

Network and Environment: Segment, isolate, and control the network environment with granular policy and access controls.

Automation and Orchestration: Deploy an automated security response based on defined processes and policies enabled by AI.

Visibility and Analytics: Analyze events, activities, and behaviors to derive context and apply AI and machine learning to achieve a highly personalized model that improves detection and reaction time.

The Role of Network Visibility and Network Detection and Response (NDR) in Zero Trust

Several leading organizations recognize the essential role that network- and packet-level visibility play in zero trust. In “The Forrester Wave™: Network Analysis And Visibility, Q2 2023,” Senior Analyst Heath Mullins writes, “There can be no Zero Trust without visibility into what’s happening inside networks,” and that “NAV technology provides intelligence on, correlation with, and visibility into all aspects of the network, from endpoints to the cloud.”

NAV capabilities work with security analytics platforms, SOAR solutions, and extended detection and response tools to provide complete IT visibility and enable zero trust, the report added.

An earlier Forrester report, The Network Analysis And Visibility Landscape, Q1 2023, made similar points: “Zero trust (ZT) architecture, which assumes that networks are inherently untrusted, requires visibility into and analysis of internal network traffic.”

In addition, the U.S. Cybersecurity and Infrastructure Security Agency, in its April 2023 Zero Trust Maturity Model report, advised federal agencies that network and device visibility, two key capabilities of NDR and NAV solutions, are foundational pieces of a zero trust security model.

Meanwhile, the DoD lists more than two dozen capabilities across its seven zero trust pillars that top NDR solutions can provide. Some of these capabilities include:

User

• Privileged access management – The DoD describes this capability as the removal of permanent administrator/elevated privileges in favor of a privileged account management (PAM) system. Advanced PAM capabilities enable automated privilege escalation approvals and leverage analytics for anomaly detection. NDR provides the visibility into end user behavior that enables organizations to monitor and audit privileged identities.
• User activity monitoring – NDR analyzes east-west traffic and combines rules and advanced analytics to identify post-compromise tactics such as lateral movement. It establishes behavioral baselines to uncover anomalous and malicious behavior. This information enhances DoD organizations’ risk-based authentication and access controls.

Device

• Device inventory – NDR can automatically and continuously discover and classify all assets communicating on the network to create a complete inventory of devices. NDR also determines whether assets have agents, a key capability for identifying managed and unmanaged devices to help address coverage gaps. Per DoD policy, only known, authorized devices listed in the inventory are permitted access.
• Device authorization with real-time inspection – DoD organizations should have policies and tools in place to identify any device attempting to access the network and determine whether access should be granted. NDR can passively monitor assets on the network and provide visibility into user and device activity in real time. Top NDR solutions use advanced analytics to establish baselines based on observed behaviors and peer grouping to alert about suspicious or malicious activity, which enables informed access decisions.

Application and Workload

• Application inventory – All applications and application components must be identified and inventoried. Only authorized applications or application components may be utilized. Top NDR solutions automatically discover and classify applications, provide real time application analytics, and map application dependencies.
• Continuous monitoring and ongoing authorizations – Under the DoD roadmap, organizations should employ automated tools and processes to continuously monitor applications and assess their authorization to operate. NDR solutions can scale to continuously monitor large volumes of network throughput per sensor and enable organizations to identify suspicious and malicious behavior from applications and workloads to support zero trust initiatives.

Data

• Data loss prevention (DLP) – DoD organizations should identify enforcement points, deploy approved DLP tools, and integrate tagged data attributes with DLP. As a result, data breaches or exfiltration transmissions should be detected and mitigated. NDR provides a failsafe when DLP tools are bypassed or don’t work as intended. Through continuous monitoring and optional packet storage, NDR enables forensic investigators to quickly filter to relevant network traffic for a specific suspected data exfiltration.
• Data monitoring and sensing – The DoD Zero Trust Strategy states that data owners should capture active metadata that includes information about the access, sharing, transformation, and use of their data assets. The best NDR tools are always on and passively monitor network packets for the highest fidelity metadata.

Network and Environment

• Data flow mapping – An NDR tool understands normal data flows based on observed behaviors and creates alerts when it detects anomalous and/or suspicious data flows. Additionally, NDR can detect malicious behaviors such as C2 communications and lateral movement in the east-west traffic corridor used in data exfiltration attempts. It’s vital for DoD organizations to understand data flows so they can set the foundation for network segmentation and access control.
• Software defined networking (SDN) – The goal of SDN is to provide control of network packet flows through a centralized server to enable dynamic and efficient network configuration. NDR plays a key role by providing the visibility necessary to inventory and audit the SDN infrastructure.

Automation and Orchestration

• Policy decision point (PDP) and policy orchestration - DoD organizations should collect and document all rule-based policies to orchestrate across the security stack for effective automation. PDPs should be established to make resource determinations and enable, monitor, and terminate connections according to predefined policies. The network visibility and behavioral insights NDR provides can be used to develop and tune these policies and to create a holistic enterprise security profile.

Visibility and Analytics

• Log all traffic (Network, Data, Apps, Users) – DoD organizations should collect and process all logs including network, data, application, device, and user logs and make them available to the appropriate SOC or service provider. NDR solutions passively collect raw packets and convert them into transactions, metadata, detections, analytics, and more while maintaining the integrity of the original data. Some logs can be deleted or bypassed, but best-of-breed NDR solutions use continuous packet capture and can’t be evaded.
• Security Information and Event Management (SIEM) – SOCs should monitor, detect, and analyze data logged into a SIEM tool. This enables effective security analysis of anomalous user behavior, alerting, and automation of relevant incident response to common threats. NDR tools can be configured to feed metadata derived from real-time network packet analysis into the SIEM to provide high-fidelity data, eliminate blind spots, and accelerate threat detection.

Every zero trust program will rely on a variety of tools and solutions to reach maturity. Due to their powerful capabilities across all seven of the DoD pillars, NDR deserves close consideration by zero trust decision makers. The ExtraHop Reveal(x) NDR platform supports 23 out of 45 DoD Zero Trust Capabilities.