CISOs Learn How To Zero-Trust

Combating the insider threat

David Braue

Melbourne, Australia – Jul. 25, 2022

For all the talk about nation-state attacks and malware infections, any CISO will tell you one of the biggest issues they face on a daily basis is insider threats, particularly in hospitals and other large organizations where sensitive data is plentiful and easy to take.

Figuring out how to block those insider threats remains a challenge: it necessarily involves a mature insider threat program and human security staff denying or limiting access to workers who are likely to push back against restrictions. That’s one of the many reasons Scott Greaux believes security practitioners are embracing zero-trust architectures, which remove the subjectivity by treating absolutely everyone and everything as an insider threat.

“It’s the same principle that they used to teach us when we were younger,” Greaux told Cybercrime Magazine, “which was ‘don’t trust strangers.’ In zero trust, everyone is a stranger — and since we’re talking about computers, everything is a stranger.”

“Don’t trust anything,” he continued, “because if we trust nothing, we’re more likely to prevent bad things from happening.”

But how can enterprise security architects go from that broad, overriding philosophy to a workable, effective protection against insider and other threats?

There’s the rub, admits Greaux, who is vice president of products at security firm Conceal.

How to implement zero-trust security

“Zero trust is so broad,” he explained.

“It’s everything from managing the identities to making sure you have proper authentication models and proper authorization, and understanding the difference between assets and humans and what is requesting access to what, why, when, and where. And all those things come together.”

Despite their best intentions, even security-conscious contemporary environments often fall down at critical hurdles by maintaining security exceptions that zero-trust architectures wouldn’t allow — but can’t always anticipate.

The success of business email compromise (BEC) attacks, for example, has increased over time not because companies have bad security but because they typically give one person too much control over a key business process — for example, the payment of large sums of money to suppliers.

Once an individual has discretionary control over such a process, they have been implicitly enabled to circumvent it — making them an obvious weak spot in the organization’s defenses.

“The reason BEC was successful is that it was missing a control,” Greaux said, referring to the need to impose controls on individual executives’ ability to make large payments.

Cybercriminals look for such weak spots, the exceptions to security controls, and may lean on outside information about the people behind them, such as healthcare data suggesting that an employee may be fighting a chronic or terminal condition that could make them more amenable to outside influence.

“I hate to compare it to [Breaking Bad’s] Walter White,” Greaux laughed, “but it’s very much like that when you have nothing left and you want to provide for your family.”

“It’s an opportune moment for someone to turn you from a trusted employee into an insider threat: you’re already flying under the radar because you’re part of that organization, and it makes it easier for you to steal things. Attacks like that are why organizations are starting to worry about zero-trust models.”

Learning how to zero-trust

Just what zero trust involves, however, isn’t always obvious — and CISOs, Greaux advised, need to be careful not to rely too heavily on vendors promising that their solutions will magically transform their environments to zero-trust standards.

“If you ask ‘will you make me zero-trust?’ and they answer yes to that, just turn around and run,” he laughed, “because it’s really more of a methodology and a framework that you’re trying to achieve. People are setting themselves up for failure if they think this is just something you go and buy off the shelf.”

Just what constituted a zero-trust environment remained highly subjective in its early years, but NIST’s publication of a standardized reference architecture, known as SP 800-207, has given interested organizations a target state to aim for.

Applying this framework requires intimate knowledge of the organization’s existing strategic investments, to ensure that any new investments “play well with what you already have.”

Careful planning will allow you to show progress throughout your zero-trust journey – crucial, Greaux said, “otherwise you may not receive the funding for your project in year two. So make sure that you make it consumable.”

That means setting small goals — for example, a six-month plan that can be evaluated by mid-year to early in the third quarter “so that,” he said, “by the time you’re in your budgeting cycle, you can get the resources you may need to further your zero-trust project.”

He recommends that companies follow three key steps to gain real traction towards zero trust — including, initially, “starting really basic.”

“There are things that you’re not doing today that you should,” he said, “that fit into a zero-trust framework and can really further your organization’s security posture without additional spend; it’s time and money, but you might not have to spend another nickel on licensing.”

Greaux’s second key piece of advice is to “trust your vendors.” “If you share with them what your challenges are and are very open about what your approach is, that’s where the growing and learning really comes together — and it makes for a more successful relationship long term.”

Finally, he said, it’s important to stay in touch and talk with your peers about your zero-trust journey. “They’re going to share a lot more about the reality of their zero-trust endeavors” that will help guide your own transition.

Ultimately, taking it slow — but steady — will help you adopt a zero-trust posture that will propagate across the organization over time.

This change needs to be tied to increasing acceptance that threat actors will continue to think of new ways to exploit any procedural weaknesses in a company’s defenses.

“We need to make sure we’re not exposing ourselves unintentionally to risk,” he said, “by being so bold as to think that we’re not going to be the one [that gets compromised].”

“It’s interesting to see the way the threat actor’s mind works, but we have to think exactly the same way. Because then we can implement that whole control framework and a zero-trust model that actually helps to defend better against it.”

David Braue is an award-winning technology writer based in Melbourne, Australia.