Why Zero Trust?

As a security architect within IBM Security Services, I often get asked the question, “What exactly is a Zero Trust architecture?” Well, there is no single or unique answer to that question for two reasons.

First, Zero Trust is not an architectural model but rather a set of guiding principles that should be applied to existing and new designs. With that said, these principles present a number of architectural patterns or use cases that can serve as a starting point for implementation.

Second, implementing Zero Trust principles results in very different technical solutions and approaches for different use cases. For example, applying the same Zero Trust principles to an employee remote access use case leads to a very different design than applying them to micro-services connectivity in a service mesh running on containers.

So, where does one even start and how would Zero Trust change the way security solutions are designed? To answer these questions, I propose starting at the right architectural entry point: enterprise security architecture (ESA). In this article, I’ll briefly describe how the principles of Zero Trust could be introduced at your organization through the different architectural governance levels and against ESA.

Looking at Zero Trust Architecture Through an ESA Lens

To establish an IT security governance model, most organizations define an ESA as part of a wider enterprise architecture program. In an ESA, all aspects of IT security are defined through the different stages of design. You’ll typically find the following stages: the contextual or business layer, the conceptual layer, the logical layer and the physical layer. Below I provide a summarized overview of the concepts.

Zero Trust Architecture

Source: IBM Security

In addition, an ESA should address the governance of how the solutions and artifacts are maintained at the different layers, as shown above. Security operations will need to manage the day-to-day operational risks, while architecture review cycles ensure that the solution’s building blocks are identified and kept up to date. I’ll come back to this last topic later.

Also, the security controls of an ESA should be designed, implemented and managed at the enterprise level. A security control is typically a solution that combines your people, processes and technology. From a high-level perspective, both the actions required to mitigate identified IT risks and the actions required to ensure regulatory compliance are translated into a set of security policies that are then enforced and implemented through an extended collection of security controls. An ESA helps to define the approach of how to achieve that goal in line with business requirements.

Combining Security Architecture With a Zero Trust Governance Model

If we start applying the Zero Trust principles to security architecture, it is clear that the contextual level does not change. The regulations, risks and business drivers are not changing, but the way an organization would address these requirements might change. Therefore, implementing Zero Trust principles will start at the conceptual layer of your architecture. IBM Security’s four-tenet Zero Trust governance model could be leveraged to structure the approach (see figure below).

IBM Security Zero Trust Governance Model

Source: IBM Security

1. Define Context

Defining context is key for Zero Trust across all security domains. Here, the foundation for your Zero Trust implementation road map has to be defined. New security policies will have to be defined and existing policies might require adaptation. The use cases within the organization should be identified as soon as possible, including what kind of integrations should be established between the controls at the different layers. Integrations will be one of the major changes coming with Zero Trust implementations in the next couple of years.

The vanishing perimeter will have to be compensated for by tighter integration between the security controls installed at the different layers of defense. The result is consolidated insight that can be used to make access decisions for your data dynamically (under the principle of “Always Verify”), so that access is no longer based solely on static access-control lists (ACLs).
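To make the contrast between a static ACL and an “Always Verify” decision concrete, here is a small policy decision point written as an added example for this article; it is not IBM’s code or any product’s policy engine. The resource names, the signals in AccessContext (MFA state, device posture, an identity risk level fed from monitoring) and the thresholds are assumptions chosen for the illustration.

```python
"""Added example: static ACL versus a context-based access decision.
All resource names, groups, signals and thresholds are assumptions."""
from dataclasses import dataclass

# Static ACL (the "before" picture): resource -> groups that may access it.
STATIC_ACL = {
    "hr-payroll": {"hr-admins"},
    "wiki": {"employees", "hr-admins"},
}

# Data classification decides how much context a request must satisfy.
RESOURCE_SENSITIVITY = {"hr-payroll": "high", "wiki": "low"}


def static_acl_decision(resource: str, groups: set) -> str:
    """Classic ACL: group membership alone decides, wherever the request came from."""
    return "allow" if groups & STATIC_ACL.get(resource, set()) else "deny"


@dataclass
class AccessContext:
    """Signals consolidated from the identity provider, device management and
    security monitoring for a single access request (assumed field set)."""
    user: str
    groups: set
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool   # e.g. disk encrypted, endpoint agent healthy
    identity_risk: str       # "low" | "medium" | "high", e.g. from the IdP or SIEM


def zero_trust_decision(resource: str, ctx: AccessContext) -> tuple:
    """Evaluate every request against the full context.

    Returns (decision, reason) where decision is "allow", "step-up" or "deny".
    Entitlement (the old ACL) is still necessary, but no longer sufficient.
    """
    if not ctx.groups & STATIC_ACL.get(resource, set()):
        return "deny", "not entitled to resource"
    if ctx.identity_risk == "high":
        return "deny", "identity flagged high risk by monitoring"

    # Unknown resources are treated as sensitive: fail closed rather than open.
    sensitivity = RESOURCE_SENSITIVITY.get(resource, "high")
    if sensitivity == "high":
        if not (ctx.device_managed and ctx.device_compliant):
            return "deny", "sensitive data requires a compliant managed device"
        if not ctx.mfa_verified:
            return "step-up", "sensitive data requires MFA"
    elif ctx.identity_risk == "medium" and not ctx.mfa_verified:
        return "step-up", "elevated identity risk requires MFA"
    return "allow", "entitlement and context verified"


if __name__ == "__main__":
    # Same valid credential, different context: the ACL cannot tell them apart.
    from_unmanaged = AccessContext("alice", {"hr-admins"}, False, False, False, "low")
    from_laptop = AccessContext("alice", {"hr-admins"}, True, True, True, "low")
    for ctx in (from_unmanaged, from_laptop):
        print(static_acl_decision("hr-payroll", ctx.groups),
              zero_trust_decision("hr-payroll", ctx))
```

The point of the example is the first case: a valid HR administrator on an unmanaged device is allowed by the ACL but denied by the context-based decision, while the same person on a compliant device with MFA is allowed. The integrations the article calls for are what make the extra fields of AccessContext available at decision time.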

From the ESA point of view, this “Define Context” tenet is where the security policies are set. Moreover, security services are needed to support the organization’s requirements. The capabilities needed to provide the services should be compiled and the high-level solution patterns built on these capabilities will need to address the Zero Trust use cases. The new and adapted capabilities have to be defined at the technical level and then deployed. The ESA should also define how to move from architectural version N to version N+1 through a transformation road map. In the picture below, I map the IBM Zero Trust governance model to the ESA example.

Zero Trust implementation

Source: IBM Security

2. Verify and Enforce

The “Verify and Enforce” tenet in the IBM governance model is where most security vendors position their Zero Trust solutions. In an ESA context, this is where the logical architectures define the required security building blocks (SBBs).

Next, the logical architecture is worked out into technical designs based on the selected technologies. For example, the implementation of micro-segmentation for infrastructure in the data center will require a detailed technical design at the network layer. The role of ESA is to ensure the overall principles are followed during design and that the design goals like integration are achieved.

3. Resolve Incidents

Next comes everything related to security operations. This third tenet is called “Resolve Incidents” in IBM Security’s Zero Trust governance model. It is here where security operations are defined. This is also where security teams learn how to cope with security incidents impacting trusted connections and speed up both the detection and response for these incidents.

From my perspective, the operational architecture within ESA is the most important concept here. You could have the best security technologies available, but if they’re not properly managed by the security operations team, they won’t meet expectations and can result in failed outcomes. We all know that security maturity can’t be reached in every layer at the same moment. Adequate security monitoring solutions and automated response measures are the best tools to bridge the resulting gaps in maturity.

4. Analyze and Improve

The tenet of “Analyze & Improve” is a key element of the Zero Trust governance model and it should also be a standard component of every ESA. In a rapidly evolving technology landscape, where there are accelerated product releases thanks to Agile approaches combined with automated CI/CD delivery models, an ESA should focus on the continuous improvement loop.

Implementing Zero Trust principles won’t be achieved overnight. The changes should be tested on a single use case that’s relevant to your business and the effectiveness of that implementation should be consistently measured with improvements applied in an Agile way. Once your initial use case is deemed ready, the same approach can be scaled out to other enterprisewide use cases, meaning that all activities related to “Analyze & Improve” will have to occur at an accelerated pace.

Reinforcing Data Resilience

Last year, many organizations stopped talking about when the workforce would be back full-time in the office. Instead, they focused on how we build a hybrid work model for the future. 2021 was active and interesting – for lack of a better word. There’s a lot to say in terms of cyber crime in general and ransomware specifically.

As we progress further into 2022, we wanted to pause to reflect on 2021. What’s in store going forward? We spoke with Camille Singleton, a threat intelligence expert within IBM Security X-Force, to get her thoughts. See how we can prepare for what’s ahead.

Question: What Did 2021 Bring?

Singleton: We’ve seen a number of new trends in 2021, including an uptick in triple extortion. We began seeing double extortion in 2019 and 2020, during which gangs either leak or threaten to leak stolen data, which puts more pressure on victims to pay the ransom than if their data was only encrypted. Now we are seeing some groups threaten triple extortion, adding distributed denial-of-service attacks when a victim doesn’t pay after the group encrypts, steals and then leaks the data. This technique is still in its infancy, but it may become more prevalent if ransomware gangs figure out how to use it to their advantage.

On a positive note, 2021 was also the year of a crackdown on ransomware. We’ve seen a flurry of arrests worldwide, including that of Clop ransomware actors and members of the REvil/Sodinokibi ransomware group. We also saw many groups, such as REvil/Sodinokibi, DarkSide, BlackMatter and Avaddon, shut down, although I expect some will come back next year. But at least for now, the tempo of attacks may be a little slower.

What Are Your 2022 Predictions for Ransomware?

First, I don’t think ransomware is going away – even with the shutdowns and government crackdowns. Ransomware actors are earning a ton of money, billions of dollars every year from ransomware attacks, which continues to attract cyber criminals to the ransomware space.

Second, I think a lot of the big groups that were shut down will rebuild and come back. I don’t know what their new names or focus will be, but they will learn from their experience to develop new ransomware and continue their operations. While I can’t predict the number of new groups, I think it may be somewhat comparable to the number shut down in 2021.

Finally, I am hopeful we will see more arrests of ransomware actors in 2022 than we did in 2021. Ideally, these arrests will eventually have a lasting effect on the ransomware landscape. For example, in 2016, hacktivism was huge, and the group Anonymous was extremely active with a high level of hacktivist attacks. But the strong law enforcement crackdown from 2016 to 2018 dramatically changed the hacktivist threat landscape, decreasing the level of hacktivist activity. There may be some hope that we will see a similar threat landscape change with ransomware over time.

What Can Organizations Do to Prevent Ransomware Attacks in 2022?

After reviewing numerous ransomware attacks spanning most geographies and industries, X-Force has found that many ransomware attackers are using similar tactics, tools and techniques. Cyber criminals are figuring out what works and communicating that to one another. In particular, X-Force has identified five stages of a ransomware attack that threat actors are using again and again. Recently, we’ve seen some changes in the details of these attacks, such as the frequent exploitation of Active Directory to steal credentials and to move laterally within the network. If organizations pay more attention to Active Directory, monitor it closely and know what suspicious activity to look for, they might be able to catch ransomware actors before they execute their objectives. We’ve also noticed that 88% of ransomware attacks used the tool AdFind, which wasn’t the case even three years ago.

Organizations should also focus on domain controllers. Almost every single ransomware attack today involves the attackers trying to get access to domain controllers and domain administrator accounts and deploy the ransomware from there. Previously, many ransomware strains “wormed around,” such as with WannaCry, self-propagating from computer to computer through the network. Now, attackers are using domain controllers to deploy ransomware on all or as many devices as possible within an enterprise network simultaneously.

In terms of how ransomware attackers are initially getting in, phishing and vulnerability exploitation are the two infection vectors we are commonly observing. Ransomware attackers are cooperating with QakBot, Emotet and Trickbot operators who gain initial access through phishing emails and drop malicious attachments. They then deploy their malware, and the ransomware affiliates continue the attack from there. Organizations should continue to protect against phishing through user awareness training, behavior-based anti-malware detection and phishing email software solutions. Organizations should also use a robust vulnerability management program to address relevant vulnerabilities quickly.

While there is no way to 100% prevent ransomware, understanding the techniques threat actors are using today can help organizations know where to focus to prevent attackers from getting into the network and then finding them once they breach the network.
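Singleton’s answer above singles out AdFind use and Active Directory monitoring as something defenders can watch for. The following detection sketch is an added example, not X-Force’s tooling: it scans process-creation events for AdFind execution, including a copy that has been renamed. The field names (Image, CommandLine, OriginalFileName, ParentImage) follow Sysmon Event ID 1, but the four sample events are constructed for this example, and the command-line marker list is an illustrative subset to be tuned per environment.

```python
"""Added example: flag AdFind execution in process-creation events.
Sample events are constructed; Sysmon Event ID 1 field names are used."""
import os
import re
from typing import Optional

# Constructed sample telemetry (not real data). Event 3 is a renamed AdFind
# binary: the file name changed but the PE version info still says AdFind.exe.
SAMPLE_EVENTS = [
    {"host": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"host": "WS07", "Image": r"C:\Tools\AdFind\adfind.exe",
     "OriginalFileName": "AdFind.exe",
     "CommandLine": 'adfind.exe -f "(objectcategory=person)"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS07", "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "OriginalFileName": "AdFind.exe", "CommandLine": "svc.exe -sc trustdmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS03", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "OriginalFileName": "firefox.exe", "CommandLine": "firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Substrings typical of AdFind directory enumeration (illustrative subset).
ADFIND_CMDLINE_MARKERS = ("objectcategory=", "trustdmp", "dclist", "dcmodes", "-subnets")

# Locations where an admin tool rarely belongs; execution from here raises severity.
USER_WRITABLE_DIRS = re.compile(r"\\(temp|downloads|public)\\", re.IGNORECASE)


def classify_event(ev: dict) -> Optional[dict]:
    """Return a finding if the event looks like AdFind execution, else None.

    Three independent signals are combined so that renaming the binary or
    obfuscating the path alone does not evade the check.
    """
    image = ev.get("Image", "")
    image_name = os.path.basename(image.replace("\\", "/")).lower()
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "").lower()

    reasons = []
    if image_name == "adfind.exe":
        reasons.append("image name is adfind.exe")
    if original == "adfind.exe" and image_name != "adfind.exe":
        reasons.append("binary renamed (OriginalFileName is AdFind.exe)")
    if any(marker in cmdline for marker in ADFIND_CMDLINE_MARKERS):
        reasons.append("AdFind-style directory query on command line")
    if not reasons:
        return None

    renamed = any("renamed" in r for r in reasons)
    severity = "high" if renamed or USER_WRITABLE_DIRS.search(image) else "medium"
    return {"host": ev.get("host"), "severity": severity, "reasons": reasons,
            "parent": ev.get("ParentImage"), "cmdline": ev.get("CommandLine")}


def scan(events: list) -> list:
    """Run the classifier over a batch of events and keep only the findings."""
    return [f for f in (classify_event(ev) for ev in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['host']}: {finding['cmdline']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

In a real deployment the same logic would sit in a SIEM or EDR query rather than a script, and legitimate administrative use of AdFind from a known host should be allow-listed rather than suppressed globally; the OriginalFileName check is what keeps the detection useful once the attacker renames the executable.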

What Should Organizations Do to Prepare for an Attack?

On a certain level, organizations should expect that a ransomware attack will happen. They should prepare for an attack beforehand by planning their response, considering how to diminish the impact on their network and putting backup plans and redundancy in place so they can get up and running quickly. Organizations should also consider how to handle the public relations aspect of a massive ransomware attack. Everyone from the CEO to the lowest level security operations center analyst needs to know what they are going to do next in a response scenario. The goal is to prevent attacks as much as possible but be ready in case one happens, whether that’s in 2022 or beyond.