Cybersecurity is growing in importance as cyberattacks are a huge threat to organizations of all sizes. The frequency and magnitude of data breaches are growing year after year. The security industry has responded by developing the Zero Trust model—a security architecture that can help organizations effectively defend the modern, distributed IT environment.
According to the IBM Data Breach Report, the cost of data breaches rose to $4.24 million on average, the highest average cost in the 17-year history of the report. The same report showed that organizations experienced 41% lower costs if they had a mature zero trust implementation.
The world’s biggest technology companies, including Google, Microsoft, and Amazon, are implementing the zero trust model at large scale, and all major security vendors are implementing it into their latest security solutions. But despite the huge potential of zero trust, organizations cannot simply implement it and forget it. Managing zero trust is a huge, ongoing responsibility. Without someone to manage it, zero trust will not live up to its promise.
What is Zero Trust?
Zero trust is a set of policies, principles, frameworks, architectures, and initiatives founded on an “always verify and never trust” approach. Zero trust security assumes that an asset, resource, or user is untrustworthy and must therefore be checked, and continually monitored, for every activity and session before access is granted.
In short, zero trust is a highly distributed, granular form of trust that is derived from the data, users, context, and systems involved in each computing session.
A zero-trust architecture (ZTA) involves zero trust technologies, policies, and systems architecture to oversee security as it relates to identities, credentials, operations, access, hosting environments, infrastructure, and endpoints. ZTA is an end-to-end approach. A ZTA deployment may feature components that are cloud-based or on-site.
The zero-trust security process typically involves three main principles:
- User behavior: authenticate and continually check each individual who connects to the organization
- Asset behavior: authenticate and continually check each asset (such as networks, devices, applications, and systems) that connects to the organization
- Access control: intelligently limit and monitor access to assets, resources, and users
How to deploy the Zero Trust model
Putting in place a zero trust model involves adopting an awareness of security and encouraging cybersecurity best practices, while continually verifying login and access requests.
Organizations may choose from various technologies and software tools to help them deal with their specific challenges. Most commonly, a Zero Trust Network Access solution provides the primary facilities for implementing zero trust.
An effective zero trust strategy requires addressing the following considerations:
- Data protection: a basic security layer in zero trust. When data is safeguarded under a zero-trust approach, cybercriminals have only restricted access to sensitive information once they have breached the perimeter, even before the on-premises systems can isolate abnormal behavior and abnormal requests for access to information.
- Network segmentation: by dividing up the network, a zero trust model restricts cybercriminals from gaining access to different parts of the network through lateral movement.
- Monitoring of personnel: insider threats are an increasing security concern, so a zero trust approach involves keeping track of all user permissions, login credentials and activities.
- Workloads and devices: by not trusting any device or software by default, a zero trust process more or less eliminates another threat vector, preventing infected devices or malicious applications from introducing malware into the protected environment.
- Visibility: an organization must give its IT security team the tools it needs to achieve a holistic view of all connections and operations across the corporate network. The security team must have access to analytical tools for understanding any incident, while machine-learning algorithms can help handle unknown threats.
- Automation: no organization can maintain a zero trust approach by manually monitoring the whole network and responding to incidents. Orchestration and automation are key components of implementing zero trust.
What is Managed Detection and Response (MDR)?
As organizations improved network security and expanded security event reporting, the resulting volume of data quickly became difficult to handle. Endless security alerts create logistical problems and crises for overstretched security staff, who experience high levels of attrition and burnout.
Although managed security services (MSS) provide some relief by permitting a third party to watch the enterprise dashboard, MSS providers (MSSPs) have primarily become a way to offload everyday, mundane security jobs.
For organizations seeking a more complex organizational response, managed detection and response (MDR) offers a more effective, holistic vision that begins with security event monitoring but can expand to include investigation, contextual analysis and support for making decisions regarding the most effective response.
MDR is rapidly growing and is increasingly adopted by security teams. The MDR service market is predicted to reach $2.2 billion by the year 2025. Gartner notes that 50% of organizations will employ MDR services by then. This speedy increase is due to MDR’s capability for dealing with the most pressing issues affecting cybersecurity teams in organizations across all industries. The risk of a breach is high, so it is not a matter of if, but when.
MDR services can be delivered in different ways—however, the industry appears to agree on these elements as the fundamental deliverables of an MDR service:
- Proactive response
- Cyber threat hunting
- 24/7 operations
What challenges does MDR solve?
Putting in place a sturdy cybersecurity program is a challenge for many organizations due to various factors. Managed detection and response offers a solution to many of the issues experienced by organizations trying to maximize their security maturity and minimize their cybersecurity risk, including:
- Personnel limitations: the cybersecurity industry is experiencing a marked talent shortage, with many more open positions than there are qualified professionals to fill them. This makes it hard and costly for organizations to hire people for critical security positions internally. MDR lets an organization fill staffing gaps with security professionals from outside the organization.
- Limited access to specialized expertise: in addition to the overall lack of cybersecurity expertise, organizations have difficulty filling particular jobs that demand skills such as malware analysis, cloud security, and incident response. MDR gives an organization immediate access to outside cybersecurity expertise when it is needed, without having to recruit and retain that talent internally.
- Advanced threat identification: advanced persistent threats (APTs) and other sophisticated cyberattackers have developed techniques and tools to evade conventional cybersecurity methods. MDR lets organizations detect and remediate such threats via proactive threat hunting.
- Slow threat detection: many cybersecurity events go unnoticed for a long time, increasing the impact and the cost to the target organization. MDR provides detection and response times backed by service level agreements (SLAs), limiting the damage an organization incurs as a result of a cybersecurity incident.
- Security immaturity: building a successful cybersecurity program can be costly because of the necessary licenses, tools, and personnel. MDR lets an organization quickly stand up a full security program with 24/7 threat detection and response, with much of the associated cost spread across the MDR provider’s customers. This reduces the total cost of ownership (TCO) of security and lets an organization reach a good level of cybersecurity maturity faster than it could internally.
The promise of Zero Trust and the need for Managed Security
Zero trust means that entities cannot communicate with elements in the corporate network unless they have been determined not to be malicious, are identified by distinguishing attributes, and satisfy strong authentication requirements.
How does zero trust reduce risk?
A zero trust architecture reduces the risk and cost of cyber attacks by providing visibility over how assets communicate with the outside world. Once a baseline is defined, the zero trust model reduces risk by continuously verifying the identity and credentials of all entities.
Because the zero trust model is workload-focused, security teams can easily identify and prevent malicious activity. The zero trust approach continuously checks whether unverified workloads are communicating with a command and control (C&C) center, or with other hosts or applications in an unauthorized way.
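The following is an added example, not code from the original article or from any vendor it mentions. It illustrates the three principles listed earlier (user and asset behavior, access control) together with the baseline-and-continuous-verification idea described in the two paragraphs above, as a small policy check run over constructed workload flow records. The flow record format, the baseline allowlist, the workload identity records, the 300-second re-verification interval, and the C&C indicator (an RFC 5737 documentation address) are all assumptions made for the example.

```python
"""Minimal zero-trust flow evaluation over constructed workload flow records.

Added example (not from the original article). Every flow is judged on its own:
the source identity must be known and freshly verified, the destination must not
match a known C&C indicator, and the (source, destination, port) triple must be
in the baseline learned during the visibility phase. Nothing is trusted by default.
"""
from dataclasses import dataclass

# Hypothetical allowlist learned during baselining: which workload may talk to which host/port.
BASELINE_ALLOWLIST = {
    ("web-frontend", "api-gateway", 443),
    ("api-gateway", "orders-db", 5432),
}

# Hypothetical identity records: workload -> Unix time its credential was last verified.
# Verification is re-checked on every flow, not only once at connection time.
LAST_VERIFIED = {
    "web-frontend": 1_700_000_000,
    "api-gateway": 1_700_000_000,
}
VERIFY_INTERVAL = 300  # assumed: credentials must be re-verified every 5 minutes

# Constructed threat-intel entry; 203.0.113.0/24 is the RFC 5737 documentation range.
KNOWN_C2_HOSTS = {"203.0.113.45"}


@dataclass(frozen=True)
class Decision:
    ts: int
    src: str
    dst: str
    dport: int
    verdict: str    # "allow" or "deny"
    reason: str
    severity: str   # "info", "medium" or "high" (for SOC triage)


def parse_flow(line: str) -> dict:
    """Parse one 'key=value key=value ...' flow record (constructed format) into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": int(fields["ts"]),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
    }


def evaluate_flow(flow: dict) -> Decision:
    """Apply never-trust/always-verify checks to a single flow and return a decision."""
    ts, src, dst, dport = flow["ts"], flow["src"], flow["dst"], flow["dport"]

    # Asset behavior: an unknown workload identity is never allowed through.
    verified_at = LAST_VERIFIED.get(src)
    if verified_at is None:
        return Decision(ts, src, dst, dport, "deny", "unverified workload identity", "high")

    # Continuous verification: a stale credential is treated as no credential.
    if ts - verified_at > VERIFY_INTERVAL:
        return Decision(ts, src, dst, dport, "deny",
                        "credential verification expired; re-authentication required", "medium")

    # Threat-intel check: contact with a known C&C host is the highest-priority alert.
    if dst in KNOWN_C2_HOSTS:
        return Decision(ts, src, dst, dport, "deny",
                        "destination matches known C&C indicator", "high")

    # Access control: anything outside the learned baseline is denied and surfaced
    # as possible lateral movement.
    if (src, dst, dport) not in BASELINE_ALLOWLIST:
        return Decision(ts, src, dst, dport, "deny",
                        "communication outside baseline (possible lateral movement)", "medium")

    return Decision(ts, src, dst, dport, "allow", "matches baseline and identity is fresh", "info")


def evaluate_log(lines) -> list:
    """Evaluate every non-empty flow record and return the list of decisions."""
    return [evaluate_flow(parse_flow(line)) for line in lines if line.strip()]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "ts=1700000010 src=web-frontend dst=api-gateway dport=443",    # in baseline
    "ts=1700000020 src=api-gateway dst=orders-db dport=5432",      # in baseline
    "ts=1700000030 src=api-gateway dst=203.0.113.45 dport=443",    # known C&C host
    "ts=1700000040 src=web-frontend dst=orders-db dport=5432",     # outside baseline
    "ts=1700000050 src=batch-job dst=orders-db dport=5432",        # unknown workload
    "ts=1700000400 src=web-frontend dst=api-gateway dport=443",    # verification expired
]

if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_FLOWS):
        print(f"{d.verdict:5} [{d.severity:6}] {d.src} -> {d.dst}:{d.dport}  {d.reason}")
```

Run as a script, the block prints one line per flow; only the first two flows are allowed, and each denial carries a reason and a severity so that an analyst (in-house or at an MDR provider) can triage the stale-credential case differently from the C&C contact. The point of the design is that the last record is denied even though it matches the baseline exactly: under zero trust, a previously verified identity is re-checked on every session rather than trusted because it was trusted five minutes ago.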
How does a zero trust architecture benefit from MDR?
Zero trust provides a powerful, centralized way for organizations to detect and control risk. However, monitoring all communications inside and outside of the corporate network requires time and expertise.
Internal security teams are stretched thin and may not be able to fully implement a zero trust model. Abnormal connection attempts can generate more alerts and prevent security analysts from responding in a timely manner, leading to blocked connections, productivity issues, and service outages.
This is where MDR comes in. MDR services are well suited for taking over monitoring and fine-tuning of zero trust networks. MDR is useful in the following ways:
- Performing 24/7 monitoring by SOC experts
- Enabling rapid, expert investigation of abnormal events
- Performing proactive threat hunting to discover threats
- Leveraging threat intelligence to gain more context about abnormal events and respond to them
If zero trust is a promise, MDR can help deliver on that promise. As organizations adopt a zero trust mentality, they should keep this in mind—without a tireless outsourced workforce at your service, it may be difficult to keep zero trust working day after day, year after year.
With a complete zero trust implementation and skilled MDR specialists monitoring the network, we may move closer to a future without devastating cyber attacks. Attacks will continue to happen, but their scope will be limited, they will be detected much more rapidly, and the damage caused to organizations will be substantially reduced.
A closing thought—in the future, organizations protected by zero trust will be perceived as a “minefield” for attackers. Sophisticated attackers will scan to discover signs of zero trust—and move on to less protected organizations. We may discover that zero trust, effectively backed by managed security services, is an effective deterrent to all but the most determined attackers.