
How many applications does your organization use? How many systems and networks? Now, how many devices try to access these assets daily? Hourly? A typical department has more than 200 applications in its tech stack. Multiply that by every department in the organization and the number snowballs, giving bad actors a plethora of endpoints to exploit while leaving blind spots in network defenses.

These blind spots are only part of security teams' many challenges. Even if teams have a firm grasp on their endpoints, securing them is another story. According to Verizon's 2022 Data Breach Investigations Report (DBIR), ransomware-related breaches rose 13% from 2021, an increase larger than the previous five years combined. The two leading paths into a breach were 1) stolen credentials and 2) phishing. And, according to the annual Cost of a Data Breach report from IBM Security and the Ponemon Institute, the average breach now costs $4.35 million.

As cyber attacks become more sophisticated and the cost of a breach becomes more damaging to the business, the private sector's security practices are under increasing scrutiny. Over the next few years, companies can expect cybersecurity standards and mandates at both the federal and state level. Each will shift the burden toward companies, pushing them to implement more stringent identity verification and access control, and prompting organizations to move from perimeter-based security toward zero trust.

What is Zero Trust?

Zero trust is a security model whose name and concept were coined by John Kindervag in 2010, while he was at Forrester Research. It has gained wide adoption in recent years because it is designed to give an organization's digital assets the highest practical level of protection, and it is widely regarded as the strongest security architecture available today. At its core, it ensures that only authorized individuals, devices, and applications can access, and are in fact accessing, an organization's networks, systems, and data. Built on the principle of "never trust, always verify," this approach treats every request for a resource as a potential threat, even when it originates inside the network.

Zero trust security is moving enterprises away from perimeter-based security and toward a more systematic approach. Instead of relying on firewalls, VPNs, and a single multifactor authentication (MFA) check at the edge to keep bad actors out, zero trust layers per-resource access policies, segmented information architecture, and multiple authentication signals on top of MFA.

Implementing a zero trust architecture can significantly reduce the risk of unauthorized access, insider threats, and malicious attacks. However, attacks are growing in sophistication and frequently bypass traditional MFA by exploiting weak, shared, or compromised credentials. As organizations move toward a zero trust model, it is crucial that their security measures and technologies keep pace.

Rethinking Multifactor Authentication for Zero Trust

Traditional MFA requires users to present two factors before access is granted: typically a password the user knows plus a one-time code delivered by email, SMS, or an authenticator app. These methods fit a perimeter model, but they provide none of the context-aware verification zero trust requires, and they are routinely defeated by attackers who steal or spoof a user's credentials. This is especially true of phishing, where attackers trick users into entering their credentials, one-time code included, or lift them from compromised systems.

Another way attackers bypass MFA is the adversary-in-the-middle (AiTM) attack, in which a proxy site sits between the user and the legitimate login page, relays the password and the MFA challenge in real time, and captures the session cookie the real site issues. In 2022 Microsoft described a large-scale AiTM phishing campaign against Office 365 users that skipped the authentication step entirely by replaying stolen session cookies, even where MFA was enabled. Because the phishing kits are sold ready-made, even unsophisticated threat actors can run these attacks. Microsoft estimated that the campaign had attempted to target more than 10,000 organizations since September 2021.

To address these threats, organizations need to rethink their MFA strategies and bring both user identity and device identity into the access decision. Three areas that support zero trust are behavior patterns, device profiles, and continuous authentication.

Validating user identity with behavior patterns
Every person is unique in their habits, movements, and mannerisms, and understanding how a person behaves helps identify them. The same applies to how they use devices. Logging in at particular times and from particular places, application usage patterns, keystroke cadence, and mouse movements are traits specific enough to each user that organizations can use them to detect malicious activity.

User and entity behavior analytics (UEBA) builds a model of normal activity for each user and entity, typically with machine learning, and flags behavior that deviates from it. In cybersecurity, UEBA is used to surface potentially malicious activity and bad actors before they can cause damage. When a deviation is flagged, teams can automatically block that device from the network until the user re-establishes trust with additional authentication factors. More organizations are adopting this layer as an effective way to support a zero trust environment, because it provides a rich, real-time view of users correlated with their activities and actions.

Validating user identity with device profiles
Like user behavior, devices have a distinctive footprint. Where UEBA captures how users interact with their systems and devices, device profiling examines the machine itself and ties it to an individual. Capturing data such as MAC address, enrolled credentials, and configuration, and correlating it with the user, lets organizations verify that the right person is on an authorized device before it connects to the network. Because identifiers such as MAC addresses can be spoofed, profiles are strongest when anchored to something the attacker cannot copy, such as a hardware-backed device certificate.

Device profiles also raise network security in their own right. Based on the profile, is the device configured to policy? Is it patched to an acceptable level? Has an unauthorized application been installed recently that could indicate stolen credentials or a compromised device? With device profiles, security teams can establish identity faster, assess the risk a device poses to the network, and intervene before an anomaly becomes an incident or a breach.

Validating user identity through continuous authentication
Authentication happens at the start of a session, but continuously monitoring users' activity against their behavior baselines and device profiles verifies identity for the whole session. If activity, behavior, or device data deviates from the established patterns at any point, the session is terminated immediately and re-authentication is required to proceed. Security teams can then review the deviation in the context of the profiles to determine quickly whether credentials or a device have been compromised.
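The three mechanisms described above (behavior baselines, device profiles, and continuous re-evaluation during a session) are easiest to see working together as one policy engine. The following Python is an added example written for this article, not SOFTwarfare's product code or a published algorithm; the scoring weights, thresholds, patch floor, and the sample user, device, and events are all hypothetical and constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy knobs. The numeric values are hypothetical, chosen for this example only.
MIN_PATCH_LEVEL = 19045             # OS build floor the device must meet
STEP_UP_SCORE = 3                   # at or above: demand an additional factor
TERMINATE_SCORE = 6                 # at or above: end the session, force full re-auth
TRAVEL_WINDOW = timedelta(hours=1)  # country change faster than this is "impossible travel"


@dataclass(frozen=True)
class DeviceProfile:            # what the org recorded when the device was enrolled
    device_id: str
    mac: str
    owner: str


@dataclass(frozen=True)
class UserBaseline:             # learned "normal" for one user (what UEBA produces)
    user: str
    usual_hours_utc: range
    usual_countries: frozenset
    usual_apps: frozenset


@dataclass(frozen=True)
class AccessEvent:              # one request observed during a session
    ts: datetime
    user: str
    device_id: str
    mac: str
    country: str
    app: str
    patch_level: int
    unauthorized_apps: int      # count reported by the endpoint agent


def score_event(baseline, devices, prev, event):
    """Score one request against the behaviour baseline, the device profile and the previous request."""
    reasons = []

    def flag(points, why):
        reasons.append(why)
        return points

    score = 0
    # Behaviour pattern checks (UEBA-style deviations from the baseline)
    if event.ts.hour not in baseline.usual_hours_utc:
        score += flag(1, "off-hours access")
    if event.country not in baseline.usual_countries:
        score += flag(2, f"unusual country {event.country}")
    if event.app not in baseline.usual_apps:
        score += flag(1, f"unusual application {event.app}")
    # Device profile checks (is this the enrolled machine, and is it healthy?)
    dev = devices.get(event.device_id)
    if dev is None or dev.owner != baseline.user:
        score += flag(3, "device not enrolled to this user")
    elif dev.mac != event.mac:
        score += flag(3, "enrolled device id presented with a different MAC")
    if event.patch_level < MIN_PATCH_LEVEL:
        score += flag(1, "below patch floor")
    if event.unauthorized_apps:
        score += flag(2, f"{event.unauthorized_apps} unauthorized app(s) installed")
    # Session context: compare with the previous request, not only the login
    if prev is not None and prev.country != event.country and event.ts - prev.ts < TRAVEL_WINDOW:
        score += flag(4, "impossible travel")
    return score, reasons


class ContinuousSession:
    """Re-evaluates every request; a large deviation terminates the session."""

    def __init__(self, baseline, devices):
        self.baseline, self.devices = baseline, devices
        self.prev, self.active, self.log = None, True, []

    def observe(self, event):
        if not self.active:
            return "terminated"          # nothing proceeds until the user re-authenticates
        score, reasons = score_event(self.baseline, self.devices, self.prev, event)
        self.prev = event
        if score >= TERMINATE_SCORE:
            self.active, decision = False, "terminate"
        elif score >= STEP_UP_SCORE:
            decision = "step_up"
        else:
            decision = "allow"
        self.log.append((event.ts.isoformat(), decision, score, reasons))
        return decision


def run_demo():
    """Constructed sample session for user 'alice' (every value is made up)."""
    baseline = UserBaseline("alice", range(7, 19), frozenset({"US"}), frozenset({"mail", "crm"}))
    devices = {"LAPTOP-01": DeviceProfile("LAPTOP-01", "aa:bb:cc:dd:ee:01", "alice")}
    t0 = datetime(2023, 3, 6, 9, 0, tzinfo=timezone.utc)
    events = [
        # normal: business hours, enrolled device, usual app -> allow
        AccessEvent(t0, "alice", "LAPTOP-01", "aa:bb:cc:dd:ee:01", "US", "mail", 19045, 0),
        # odd but explainable: late night, new app, agent flags an unapproved install -> step-up
        AccessEvent(t0 + timedelta(hours=13), "alice", "LAPTOP-01", "aa:bb:cc:dd:ee:01", "US", "finance", 19045, 1),
        # session replayed minutes later from another country by a machine claiming the same id -> terminate
        AccessEvent(t0 + timedelta(hours=13, minutes=15), "alice", "LAPTOP-01", "de:ad:be:ef:00:01", "RO", "mail", 19045, 0),
        # anything after termination is refused until re-authentication
        AccessEvent(t0 + timedelta(hours=13, minutes=16), "alice", "LAPTOP-01", "de:ad:be:ef:00:01", "RO", "crm", 19045, 0),
    ]
    session = ContinuousSession(baseline, devices)
    decisions = [session.observe(e) for e in events]
    return decisions, session


if __name__ == "__main__":
    decisions, session = run_demo()
    for entry in session.log:
        print(entry)
    print(decisions)
```

The point of the structure is that a request is scored every time, not only at login, and that the score combines all three signals: the third event would score as merely "unusual country" on its own, but the MAC mismatch against the enrolled profile and the fifteen-minute country change since the previous request push it past the termination threshold. In production the weights would come from the UEBA model rather than constants, and the device identity would be tied to a hardware-backed credential rather than a MAC address.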

Evolving MFA Strategies

While traditional MFA is a worthwhile control, it is not enough for a zero trust model. Access to resources must be granted on a continuous evaluation of the user's behavior, their devices, and the security posture of those devices. To meet the coming cybersecurity standards and regulatory requirements, organizations must adopt solutions that provide real-time, context-aware security, like SOFTwarfare's Zero Trust Identity™. By doing so, they can protect sensitive information from unauthorized access at every endpoint while reducing the risk of data breaches and cyber attacks.