Martin Riley, Director of Managed Security Services at Bridewell tells us about zero-trust strategy and building a successful hybrid environment
With cyber-attacks continuing to dominate headlines, Martin Riley, Director of Managed Security Services at Bridewell explains why organizations must implement an effective Managed Detection and Response (MDR) strategy to build an effective zero-trust model in a hybrid environment.
With 64% of companies worldwide experiencing at least one form of cyber-attack, there's no denying that cyber-attacks are on the rise. This is happening at a time when remote and hybrid working models have become dominant across all businesses, with employees able to work flexibly across different locations. This makes managing the new-starter (joiner) process and endpoint security in remote and hybrid environments challenging. Perimeters have expanded and employees are working from uncontrolled environments via their own devices, making the attack surface bigger. Essentially, in a dispersed environment, the threats have changed, and much of the increase in cyber security risk correlates directly with poorly managed and poorly secured end-user devices.
Many businesses also still have an IT architecture that relies on devices being within the office at some point to receive updates, patches, and policies. In a hybrid model, this is no longer sufficient and organizations need to modernize cyber security systems fast to reflect the changes to working models and threat landscape.
At a basic level, this means preventing employees from connecting to business networks using personal machines that don't meet a minimum security baseline. The technology to address these problems has been available for many years, but it has recently moved to a cloud delivery model, making it easier to govern and scale. More critically, it means moving towards a zero-trust model to reduce risk.
What is zero-trust?
A zero-trust security model rests on one assumption: trust no one and no device. An effective strategy is based on three basic principles. First, verify explicitly. This means authenticating and authorizing users and devices based on all available data points, including user identity, location, data classification, device health, service or workload, and any anomalies. Second, use least-privilege access. This means limiting user access with just-in-time, just-enough-access, and risk-based adaptive policies, while employing data protection to ensure both the security of data and productivity.
Finally, always assume a breach. Organizations need to accept that breaches will happen and focus on minimizing the blast radius and preventing lateral movement by segmenting by user, device, network, and application. All sessions need to be encrypted end-to-end, and analytics used to drive visibility, improve threat detection and strengthen defenses.
Applying zero-trust to a hybrid environment
In a hybrid working environment, zero-trust is even more critical. Businesses are now highly connected and distributed, and the increasing migration of data and applications into the cloud to support remote collaboration and access adds to cyber security complexity. Insecure cloud configuration is the biggest contributor to security breaches after software vulnerabilities.
Even for organizations without data on third-party servers, the adoption of cloud platforms like Office 365, Salesforce, or Gmail has extended risk profiles. In this environment, organizations need to separate users and devices as far as is reasonable from corporate assets such as data, applications, infrastructure, and networks, and follow the Identify, Authenticate, Authorize, and Audit (IAAA) model.
The IAAA model uses the identity provider and secondary authentication systems to identify and authenticate the user or device. Importantly, it assumes they have no access and grants access only to what is needed at the time of the request. Stricter conditional-access rules can also be built in, such as time and geography. For example, users from the UK could be granted read-only permissions, while logins from IP addresses in China or Russia could be fully restricted. Lastly, by using session information and telemetry, organizations can maintain a comprehensive audit trail that supports real-time detection of a policy breach.
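The IAAA flow above can be modelled as a small deny-by-default policy engine. The following is an added illustration, not Bridewell's code or any product's API: every request starts with no access, is verified explicitly (MFA result, device health, origin country), is granted only the single action it asks for, and every decision is written to an audit record that a detector then scans for policy breaches. The country rules mirror the article's example (UK sessions limited to read-only, Chinese and Russian origins refused); the business-hours window, the field names, the user names and the sample requests are all constructed for the example, and "UK" is used as a label simply because the article does.

```python
"""Deny-by-default conditional access evaluator with an audit trail (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Request:
    user: str
    mfa_passed: bool          # result from the identity provider's second factor
    device_compliant: bool    # device-health attestation (patched, encrypted, EDR present)
    country: str              # origin country resolved from the source IP (constructed labels)
    resource: str
    action: str               # "read" or "write"
    when: datetime


@dataclass
class Decision:
    allowed: bool
    granted: frozenset        # the just-enough scope actually handed out
    reasons: list


BLOCKED_COUNTRIES = frozenset({"CN", "RU"})   # fully restricted, as in the article
READ_ONLY_COUNTRIES = frozenset({"UK"})       # read-only, as in the article
WRITE_HOURS_UTC = range(7, 20)                # constructed time-based rule: writes 07:00-19:59 UTC


def evaluate(req: Request) -> Decision:
    """Identify -> authenticate -> authorize. Nothing is granted until each check passes."""
    reasons = []
    if not req.mfa_passed:                      # authenticate: no second factor, no session
        return Decision(False, frozenset(), ["mfa_not_satisfied"])
    if not req.device_compliant:                # verify explicitly: device health is a data point
        return Decision(False, frozenset(), ["device_not_compliant"])
    if req.country in BLOCKED_COUNTRIES:        # geographic conditional access
        return Decision(False, frozenset(), ["blocked_country:" + req.country])
    ceiling = {"read", "write"}                 # most a fully verified session could receive
    if req.country in READ_ONLY_COUNTRIES:
        ceiling.discard("write")
        reasons.append("read_only:country")
    if req.when.hour not in WRITE_HOURS_UTC:
        ceiling.discard("write")
        reasons.append("read_only:out_of_hours")
    if req.action not in ceiling:               # least privilege: requested action outside the ceiling
        return Decision(False, frozenset(), reasons + ["action_not_permitted:" + req.action])
    # Just-enough access: grant only the requested action, never the whole ceiling.
    return Decision(True, frozenset({req.action}), reasons or ["verified"])


def audit(req: Request, decision: Decision) -> dict:
    """Audit: one record per decision, carrying the telemetry needed to explain it later."""
    return {"ts": req.when.isoformat(), "user": req.user, "country": req.country,
            "resource": req.resource, "action": req.action,
            "allowed": decision.allowed, "reasons": decision.reasons}


def flag_policy_breaches(records: list, max_denials: int = 3) -> list:
    """Real-time detection over the audit trail: repeated denials or any blocked-country hit."""
    denials = Counter(r["user"] for r in records if not r["allowed"])
    flagged = {u for u, n in denials.items() if n >= max_denials}
    flagged |= {r["user"] for r in records
                if any(x.startswith("blocked_country") for x in r["reasons"])}
    return sorted(flagged)


def run_sample():
    """Constructed sample traffic; returns (audit records, flagged users)."""
    day = datetime(2023, 3, 1, 10, 0, tzinfo=timezone.utc)
    night = datetime(2023, 3, 1, 23, 0, tzinfo=timezone.utc)
    sample = [
        Request("alice", True, True, "UK", "crm", "read", day),    # UK read: allowed
        Request("alice", True, True, "UK", "crm", "write", day),   # UK write: read-only region
        Request("bob", True, True, "DE", "crm", "write", day),     # verified, in hours: allowed
        Request("bob", True, True, "DE", "crm", "write", night),   # out of hours: write refused
        Request("carol", True, True, "RU", "crm", "read", day),    # blocked country
        Request("dave", False, True, "DE", "crm", "read", day),    # no MFA
        Request("dave", False, True, "DE", "crm", "read", day),    # no MFA again
        Request("dave", True, False, "DE", "crm", "read", day),    # non-compliant device
    ]
    records = [audit(r, evaluate(r)) for r in sample]
    return records, flag_policy_breaches(records)


if __name__ == "__main__":
    recs, flagged = run_sample()
    for r in recs:
        print(r)
    print("flagged for review:", flagged)
```

The design point is that authorization never starts from "everything" and subtracts: the session ceiling is computed from verified data points, and only the single requested action is issued from it. The audit records are the same structure the detector consumes, so a policy breach (a user repeatedly failing verification, or any attempt from a fully restricted origin) surfaces from the trail itself rather than from a separate logging path.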
Aligning zero-trust with security monitoring
While zero-trust is critical in protecting modern IT environments, to be truly effective it should be integrated with an effective Managed Detection and Response (MDR) strategy and an assume-breach mindset. MDR combines human analysis, artificial intelligence and automation to rapidly detect, analyze, investigate and actively respond to threats, and is instrumental in facilitating a transformation to a zero-trust approach.
MDR can be deployed rapidly and cost-effectively as a fully outsourced service or via a hybrid security operations center (SOC), and helps to develop a reference security architecture that enables organizations to safeguard on-premises systems, cloud-based applications, and SaaS solutions. It also enables companies to respond quickly to new threats, reducing cyber risk and the dwell time of breaches.
The most effective methods of MDR are those that utilize Extended Detection and Response (XDR) technology to enable detection and response capabilities across network, web, email, cloud, endpoint, and most crucially, identity. This ensures that wherever the cyber-attack comes from, users, assets, and data remain safeguarded, adding a protective layer to the zero-trust environment and ensuring proactive action against threats.
XDR combines several security products that allow for detection and response, providing greater visibility, coverage, and performance across areas such as cloud, endpoint, network, and identity. XDR is integrated with security information and event management (SIEM) systems, which correlate data using artificial intelligence (AI) and machine learning, and with security orchestration, automation, and response (SOAR) technology.
Choosing a solution that leverages existing investments in Microsoft 365 licensing can enable organizations to consolidate security suppliers and reduce security spending while increasing coverage and visibility. It also pays to consider an MDR solution that can be offered as part of a hybrid SOC to rapidly mature and enhance an existing security team.
Running a SOC in-house can pose difficulties in terms of skills and resources, while a completely outsourced SOC often lacks alignment to the organization's objectives and culture. A hybrid SOC approach combines the best of both: it leverages the skills of in-house professionals while benefiting from the expertise of a managed security services provider to strengthen security posture and plug any gaps where in-house skills may not exist. Ultimately, only by bringing the concepts of zero-trust and MDR together can organizations take control of their sensitive data and reduce the likelihood of security and privacy breaches occurring.
Rethinking cyber security
The pandemic presented an opportunity for organizations to rethink how they do security. Remote and hybrid working is now the norm and information security needs to be overhauled to reflect the changes to the threat landscape.
It's no longer a case of if a cyber-attack will happen but when. Organizations must assume a breach, and any business that hasn't already must shift to a zero-trust model, focused on trusting nothing and securing user identities and devices just as much as network perimeters.
Crucially, zero trust is not a technology but a holistic approach that can be built into the existing architecture and used across the entire organization. With the help of technologies such as XDR, which allow rapid detection of and response to threats across endpoint, network, web and email, cloud and, importantly, identity, businesses can enable people, technology, and applications to work together to create a culture that immediately questions any attempted access to the network from any device or user. Most importantly, organizations can be confident that all users, assets, and data remain protected, regardless of where the user resides.