Zero Trust Race is On: Do You Have the Right Engine?

The shift to a Zero Trust security model has become a top priority for many organizations, driven by record levels of ransomware attacks and a rapidly expanding attack surface stemming from the move to remote work and accelerated cloud adoption.

A recent survey by market research firm Statista found that 72 percent of organizations plan to adopt Zero Trust in the near future or have already started their journey. Even the U.S. federal government has mandated that agencies develop plans to move to and meet specific Zero Trust goals by 2024. Yet Zero Trust remains misunderstood by many, with no single universally accepted definition of what this security model means. The reality is that the journey to Zero Trust will be different for every organization and will happen in increments.

Like any other transformation initiative, the shift away from a perimeter-based security model (where trust inside the network was implicit) toward a Zero Trust model (where nothing is trusted and trust is assessed on a continuous basis) will take time and will require organizations to choose a strategic partner that truly understands what it takes to reverse the adversary’s advantage.

Zero Trust: What’s Under the Hood?

If Zero Trust is the vehicle by which organizations are going to modernize their defenses to meet the challenges of today’s sophisticated adversaries, it’s imperative that defenders take a look at what lies under the hood. Not all shiny vehicles come with an engine powerful enough to get you across the finish line, let alone win the race.

The real question isn’t how one gets to Zero Trust but rather how one makes meaningful progress toward it now, not in a deferred view of perfection. To paraphrase Voltaire, perfect is the enemy of the good.

At Cybereason, we’ve supported Zero Trust since our inception, and our vision for how to secure against advanced, modern attacks like nation-state malicious operations, supply chain compromises, and ransomware relies on trusting nothing in the environment. The old adage of “trust but verify” says that we allow things to operate and then continuously verify their behavior, with the ability to revoke privileges. Because of our experience, we know that there are certain components that every successful Zero Trust solution requires.

Zero Trust Requires Early Detection as Trust Verification

Extended Detection and Response (XDR) platforms deliver the ability to predict, understand, and end attacks from the endpoint to everywhere attackers may move. To achieve early detection and response capabilities, an advanced XDR platform requires the collection of all relevant security telemetry from not only endpoints but also application suites, user personas, cloud workloads, and more. This is critical not only to XDR but also to Zero Trust. Nothing is exempt or “trusted” to be benign.

Traditional endpoint security solutions rely on a limited set of Indicators of Compromise (IOCs), the artifacts left behind by previously known attacks. Cybereason goes beyond IOCs, leveraging Indicators of Behavior (IOBs) to detect the subtle signs that indicate an attack. Any single action or activity in an advanced attack will attempt to look benign, but over time the chains of behavior inevitably reveal malicious intent.

These chains of behavior reveal an attack at its earliest steps by surfacing malicious human and machine activity. This uniquely exposes never-before-seen attacks and provides the opportunity to end them before they come close to becoming a material compromise or breach.

The automated correlation capabilities within Cybereason Advanced XDR ensure that identities, authentication, and authorization to cloud accounts, endpoints, and devices are treated under a Zero Trust validation model, so that even the deepest threats and suspicions lurking in your enterprise can be surfaced.

But this doesn’t mean investigating more alerts. Cybereason Advanced XDR takes an operation-centric approach to security that leverages the Cybereason MalOp (malicious operation) engine. The MalOp engine produces context-rich, multi-stage visualizations of attack sequences and correlates them to construct the full history and activity of an attack: from the root cause to every system and process affected, from how it impacts each affected device and user to how to correct and remediate the situation in real time. The MalOp tells the full story of the attack in real time, without complex queries or protracted investigations.
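The contrast drawn above between IOC matching and chains of behavior, and the root-cause-centred correlation the MalOp paragraph describes, can be shown on a small event stream. The following is an added example, not Cybereason code and not a description of the MalOp engine’s internals: it runs a hash-based IOC check and a behavior-chain check over constructed process-creation telemetry, then groups the chain hit into one operation rooted at the initial process. Every hostname, username, hash and command line below is a constructed sample value, and the chain rule (an Office application spawning a shell that spawns PowerShell with an encoded command) is one illustrative detection, not a complete rule set.

```python
"""Added example: IOC matching versus behavior-chain detection, plus
root-cause correlation of the hits into one 'operation'.
All telemetry below is constructed sample data, not real logs."""
from collections import defaultdict

# Constructed process-creation events for one host. Each process only
# references its parent by pid, as endpoint telemetry normally does.
EVENTS = [
    {"id": 1, "host": "ws-01", "user": "alice", "pid": 100, "ppid": 1,
     "image": "explorer.exe", "cmd": "explorer.exe", "sha256": "aaa1"},
    {"id": 2, "host": "ws-01", "user": "alice", "pid": 200, "ppid": 100,
     "image": "winword.exe", "cmd": "winword.exe invoice.docx", "sha256": "bbb2"},
    {"id": 3, "host": "ws-01", "user": "alice", "pid": 300, "ppid": 200,
     "image": "cmd.exe", "cmd": "cmd.exe /c start something", "sha256": "ccc3"},
    {"id": 4, "host": "ws-01", "user": "alice", "pid": 400, "ppid": 300,
     "image": "powershell.exe", "cmd": "powershell.exe -enc AAAA", "sha256": "ddd4"},
    {"id": 5, "host": "ws-01", "user": "alice", "pid": 500, "ppid": 100,
     "image": "chrome.exe", "cmd": "chrome.exe", "sha256": "eee5"},
]

# Constructed IOC list of hashes from previously seen attacks. The sample
# attack uses only signed, benign binaries, so hash matching finds nothing.
KNOWN_BAD_HASHES = {"deadbeef01"}

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def ioc_matches(events, bad_hashes=KNOWN_BAD_HASHES):
    """IOC-style detection: an event is bad only if its hash is on the list."""
    return [e["id"] for e in events if e["sha256"] in bad_hashes]


# Individual behaviors. Each one is common in benign activity on its own.
def is_office(e):
    return e["image"] in OFFICE


def is_shell(e):
    return e["image"] in SHELLS


def is_encoded_powershell(e):
    return e["image"] == "powershell.exe" and " -enc " in e["cmd"].lower()


# A behavior chain: predicates matched against consecutive ancestors,
# ordered from the leaf process upward toward the root cause.
CHAIN_OFFICE_TO_ENCODED_PS = [is_encoded_powershell, is_shell, is_office]


def single_behavior_hits(events, predicate):
    """What alerting on one behavior alone would flag (noisy on its own)."""
    return [e["id"] for e in events if predicate(e)]


def ancestry(event, by_pid):
    """Yield the event, its parent, grandparent, ... on the same host."""
    seen, cur = set(), event
    while cur is not None and cur["id"] not in seen:
        seen.add(cur["id"])
        yield cur
        cur = by_pid.get((cur["host"], cur["ppid"]))


def detect_chains(events, chain=CHAIN_OFFICE_TO_ENCODED_PS):
    """Return one hit per process whose ancestry matches the whole chain."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        anc = list(ancestry(e, by_pid))
        if len(anc) >= len(chain) and all(p(a) for p, a in zip(chain, anc)):
            hits.append([a["id"] for a in anc[: len(chain)]])  # leaf -> root
    return hits


def descendants(root, events):
    """All processes spawned under root on its host, including root."""
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)
    out, stack = [], [root]
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(children[(cur["host"], cur["pid"])])
    return out


def build_operation(events, chain_hit):
    """Correlate one chain hit into a root-cause-centred operation summary."""
    by_id = {e["id"]: e for e in events}
    root = by_id[chain_hit[-1]]  # topmost matched ancestor is the root cause
    affected = descendants(root, events)
    return {
        "root_cause": root["cmd"],
        "hosts": sorted({e["host"] for e in affected}),
        "users": sorted({e["user"] for e in affected}),
        "process_ids": sorted(e["id"] for e in affected),
        "chain": chain_hit[::-1],  # root -> leaf order for the analyst
    }


if __name__ == "__main__":
    print("IOC hits:", ioc_matches(EVENTS))
    print("shell-only hits:", single_behavior_hits(EVENTS, is_shell))
    for hit in detect_chains(EVENTS):
        print("operation:", build_operation(EVENTS, hit))
```

The point the example makes is the one in the text: the hash check returns nothing because every binary is legitimate, a single behavior such as "a shell started" fires on benign processes too, and only the ordered chain singles out the suspicious lineage. The correlation step then scopes the operation to the processes actually descended from the root cause (the document-opening process and its children) and leaves the unrelated browser process out.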

Leveraging the breadth of Cybereason’s integrations with identity, email, workspace, and cloud services, Cybereason Advanced XDR can correlate across a time spectrum to ensure the effective, high fidelity detection of stealthy threats before they escalate to damaging attack steps. Early detection by Cybereason Advanced XDR can ensure effective data loss prevention and allow for protection against complex ransomware and data theft exploits.

The first step in the Zero Trust journey begins with removing trust blinders and truly instrumenting, monitoring, and seeing malicious behaviors hiding in plain sight behind trusted identities and applications without disrupting or causing harm to IT and the business.

Zero Trust Requires Visibility

Today’s defenders are often hampered by a siloed tech stack that often introduces major blind spots, particularly in areas like identity and email. The reality is that it’s harder in today’s distributed environment to follow and end attacks. When an attacker pivots to target prized data, it’s no longer simply within the corporate network. They likely will steal an identity and move to a SaaS application or may pivot to cloud infrastructure.

This is where the power of XDR comes into play. Any organization planning to move to a Zero Trust architecture must first meet the demand for actionable incident response against top threats like ransomware, business email compromise, and account takeover.

Cybereason Advanced XDR collects and analyzes 100% of event data in real-time, processing more than 23 trillion security-related events per week, with absolutely no “filtering.” This allows customers to improve their detection and response intervals by 93%.

The Cybereason XDR Platform is designed to provide visibility organizations require to be confident in their security posture across all network assets, and delivers the automated responses to halt attack progressions, eliminating the need for both SIEM and SOAR solutions. Organizations can enjoy these benefits whether they drop their SIEM and SOAR entirely or augment it with Cybereason XDR.

Cybereason Advanced XDR:

    • Supports Your Unique Zero Trust Journey: The automated correlation capabilities within Cybereason’s XDR ensure identities, authentication, and authorization to cloud accounts, endpoints, and devices take a Zero Trust validation model approach to ensure even the deepest threats and suspicions lurking in your enterprise can be surfaced.
    • Planetary Scale Protection: Experience undefeated ransomware prevention, instant attack detection, and built-in incident response capabilities across your entire enterprise. 
    • 10x Faster Incident Response: Instead of alerting on individual behaviors, understand the complete malicious operation, now across email, cloud, endpoint, and network, as an actionable attack story. Only the Cybereason MalOp illustrates the entire attack story and delivers a guided response to reduce human error, upskill analysts, and achieve a 10x faster time to response.
    • Cybereason Advanced XDR Powered by Google Chronicle: This strategic partnership combines the industry-leading Cybereason Defense Platform, which analyzes more than 23 trillion security-related events per week (five times more than any other vendor on the market), with Google Cloud’s cybersecurity analytics, which ingests and normalizes petabytes of telemetry from across the entire IT environment.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason Zero Trust here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Sam Curry

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.
