Behavioral Understanding Is The Missing Dimension Of IT And OT Zero-Trust Strategies



Marcus Fowler is the CEO of Darktrace Federal & SVP of Strategic Engagements and Threats at Darktrace.


The core principles of zero trust (ZT) predate the term itself, which the National Institute of Standards and Technology (NIST) defines as the “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

In short, when it comes to accessing an IT environment or part of a system, organizations should practice the principle of “never trust, always verify.” This principle rests on cornerstones such as robust access control and authentication, network segmentation and “least access” policies.

Over the past five years, we have seen ZT evolve from a best practice to a core essential for cybersecurity programs. The Department of Defense (DoD) has been a leader in defining, prioritizing and implementing zero-trust principles, outlining the key organizational and process changes that can help organizations get ahead of emerging threats by shifting their security tactics away from traditional perimeter monitoring.

The DoD’s framework defines seven pillars—users, devices, applications and workloads, data, network and environment, automation and orchestration, and visibility and analytics—along with dozens of controls for successful zero-trust architectures.

In the era of remote work and the increasingly distributed enterprise, organizations are faced with the challenge of monitoring countless entities across multiple locations that are seeking access to mission-critical information and business functions.

With many organizations no longer having a clearly defined perimeter, core ZT methodologies are often sidestepped or compromised due to human error, incomplete implementation of ZT strategies or tedious access management approval processes.

This is opening the door for threat actors to slip through the cracks, infiltrate points of vulnerability and escalate their privileges. Additionally, the rise in complex threats, like the “North Korean fake IT worker scheme” to seed insiders into target companies, has proven that organizations across industries are increasingly targets.

In the age of AI, threat actors will accelerate from insider threat access to exploitation faster and with greater stealth than ever before, and in ways ZT programs of today have yet to consider. In response, traditional ZT approaches must evolve to include a behavioral understanding of users and assets, adding a critical dimension: “Never trust, always verify, continuously monitor.”

Insider Threat: Zero Trust’s Kryptonite And The Best Argument For ‘Behavioral Zero Trust’

At a high level, ZT ensures protection from external threats to an organization’s network by requiring continuous verification of the devices and users attempting to access critical business systems, services and information. However, even with this architecture and policy enforcement tactics in place, the risk of malicious insider activity remains.

The ZT fundamental of “least access” goes some way toward mitigating insider threat or supply chain compromise; however, as learned from Edward Snowden or the more recent incident involving Jack Teixeira, malicious actors can still do significant damage to an organization within their approved and authenticated boundary. To close the remaining security gaps, organizations must extend their strategy and add another dimension to all zero-trust approaches: behavioral understanding.

The DoD’s ZT visibility and analytics pillar references the importance of user and entity behavior analytics, such as utilizing log data to detect abnormal behavior on networks. However, this concept must go beyond static baselines and profiling using historical data.

Behavior analysis needs to be a continuous understanding and situational awareness of normal activity in real time, all the time. Behavioral understanding, along with active defense and enforcement, must become a higher priority—not only for the DoD and its operational units but also across public and private sector ZT programs and implementation practices.

The shift from traditional ZT frameworks to a robust behavioral ZT posture requires technology uniquely capable of understanding the complex patterns, behaviors and access areas tied to specific users or devices. It must also routinely monitor these activities at the most granular level to catch any deviations from standard behavior.
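The difference between a static, historical baseline and the continuous understanding the last three paragraphs argue for is easiest to see in code. The following is an added example, not code from the article, Darktrace, NIST or the DoD: it parses a handful of constructed access-log lines, builds a per-user profile of transfer volume and touched resources, and scores each event two ways. The static scorer freezes a mean and standard deviation after a training window; the continuous scorer updates an exponentially weighted mean and variance after every event and scores each event against the behavior seen before it. The log format, user names, resource names, byte counts and thresholds are all assumptions made for the illustration.

```python
"""Static vs continuous per-user behavioral baselines over access-log events.

Added example; not the article's, Darktrace's, NIST's or the DoD's code.
The log format and every value in SAMPLE_LOG are constructed for illustration.
"""
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed log. Alice's volume drifts upward (a legitimate role change),
# then one event is a large transfer to a share she has never used.
# Bob is steady, then spikes on the share he uses every day.
SAMPLE_LOG = "\n".join(
    [f"user=alice resource=share/hr bytes={b}" for b in [1000, 1200] * 5]
    + [f"user=alice resource=share/hr bytes={b}" for b in range(1300, 2100, 100)]
    + ["user=alice resource=share/finance bytes=50000"]
    + [f"user=bob resource=share/eng bytes={b}" for b in [500, 600] * 5]
    + ["user=bob resource=share/eng bytes=20000"]
)

TRAIN_EVENTS = 10   # events per user before scoring starts (both scorers)
ALPHA = 0.2         # weight of the newest observation in the EWMA
Z_THRESHOLD = 5.0   # z-score above which a transfer is flagged
MIN_REL_STD = 0.1   # std floor as a fraction of the mean, avoids z blow-up

LINE_RE = re.compile(r"user=(\S+) resource=(\S+) bytes=(\d+)")


@dataclass
class Event:
    user: str
    resource: str
    nbytes: int


@dataclass
class Alert:
    index: int          # position of the event in the stream
    user: str
    z: float            # bytes z-score against the baseline in force
    new_resource: bool  # resource never seen for this user before


@dataclass
class Profile:
    n: int = 0
    mean: float = 0.0
    var: float = 0.0
    resources: Set[str] = field(default_factory=set)


def parse_log(text: str) -> List[Event]:
    """Parse key=value lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            events.append(Event(m.group(1), m.group(2), int(m.group(3))))
    return events


def zscore(x: float, mean: float, std: float) -> float:
    floor = MIN_REL_STD * abs(mean)
    return (x - mean) / max(std, floor, 1e-9)


def score_static(events: List[Event]) -> List[Alert]:
    """Learn mean/std once from the first TRAIN_EVENTS per user, then freeze."""
    history: Dict[str, List[Event]] = defaultdict(list)
    baseline: Dict[str, tuple] = {}
    alerts = []
    for i, ev in enumerate(events):
        if ev.user in baseline:
            mean, std, seen = baseline[ev.user]
            z = zscore(ev.nbytes, mean, std)
            new_res = ev.resource not in seen
            if z > Z_THRESHOLD or new_res:
                alerts.append(Alert(i, ev.user, z, new_res))
            continue
        history[ev.user].append(ev)
        if len(history[ev.user]) == TRAIN_EVENTS:
            vals = [e.nbytes for e in history[ev.user]]
            mean = sum(vals) / len(vals)
            std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
            baseline[ev.user] = (mean, std, {e.resource for e in history[ev.user]})
    return alerts


def score_continuous(events: List[Event]) -> List[Alert]:
    """Score each event against prior behavior, then fold it into the profile."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    alerts = []
    for i, ev in enumerate(events):
        p = profiles[ev.user]
        if p.n >= TRAIN_EVENTS:
            z = zscore(ev.nbytes, p.mean, math.sqrt(p.var))
            new_res = ev.resource not in p.resources
            if z > Z_THRESHOLD or new_res:
                alerts.append(Alert(i, ev.user, z, new_res))
        # Exponentially weighted mean and variance, updated after scoring.
        if p.n == 0:
            p.mean = float(ev.nbytes)
        else:
            diff = ev.nbytes - p.mean
            incr = ALPHA * diff
            p.mean += incr
            p.var = (1 - ALPHA) * (p.var + diff * incr)
        p.n += 1
        p.resources.add(ev.resource)
    return alerts


def compare(text: str = SAMPLE_LOG) -> Dict[str, List[Alert]]:
    events = parse_log(text)
    return {"static": score_static(events), "continuous": score_continuous(events)}


if __name__ == "__main__":
    for name, alerts in compare().items():
        print(name, [(a.index, a.user, round(a.z, 1), a.new_resource) for a in alerts])
```

On the constructed log the static scorer raises alerts on four of Alice's ordinary, gradually growing transfers because its baseline never moves, while the continuous scorer stays quiet through the drift and still flags both the large transfer to a never-used share and Bob's spike. The variance floor (`MIN_REL_STD`) matters in practice: a user whose history is nearly constant would otherwise produce enormous z-scores on trivial changes. Real deployments would track more features than bytes and resources (time of day, source host, protocol), but the scoring-before-updating order and the per-entity state are what make a baseline continuous rather than historical.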
