It is common knowledge that any defense is only as good as its weakest link. An adversary only needs one momentary lapse in coverage to find an avenue for attack and to exploit it. This has been true for generations of human history, and it remains true today in the cyber landscape. In the modern world of constant intrusion attempts from cyber-criminals, zero trust and network visibility are key.
Recently, the GovCyberHub spoke with Andrew Green, Product Marketing Manager at NETSCOUT, to unpack just why zero trust has become one of the standards of modern cybersecurity. During our discussion, Green noted that zero trust has become the de facto cybersecurity standard for the government because malicious actors have continually found ways around the perimeter defenses that agencies have long relied on to keep their networks safe. The zero trust approach takes perimeter security a step further, adding additional layers of security that seek to better track and understand who is accessing networks and data, and what they’re accessing.
However, to gain transparency into who is on the network and what they’re accessing, agencies require network visibility. What exactly is network visibility? What does it mean for agencies and organizations looking to embrace zero trust? What can high fidelity network visibility provide that other approaches may not? Green shares his thoughts below.
GovCybersecurityHub (GCH): You’ve referenced visibility a few times in our conversations. Can you unpack what good visibility is and the role it plays in zero trust?
Andrew Green: There are two ways of thinking about visibility: partial and full. Partial visibility is all about metrics, including NetFlow, which identifies source and destination, IP address, ports, really anything with some manner of statistical significance around who is talking to whom on your network. Full visibility, on the other hand, allows you to have complete packet-level captures, to actually look at the payloads of the traffic as it goes across the network. This means a full understanding of whether a packet is carrying valid, safe data, or something suspicious.
Those two depths of information provide equally valuable information, but they take a significantly different process to implement. As such, network visibility needs to be tailored to what your network looks like, to what your zero trust systems need to operate properly as a monitor. If you have a robust security stack at the edge, then you likely are already using a visibility-layer device such as a packet broker which ingests network traffic and then sends copies of those packets to or through a monitoring device.
But here is where we fall into the traps of the older more monolithic design. Whereas one area of the network, the perimeter, is where packets are gathered and sent to monitoring tools, that is not enough for a proper zero trust approach. You need to have that process happening throughout the network, on-prem, and in your hybrid network. This is where both levels of visibility come into play. The idea here is there is no permanent boundary, instead, it is a flexible system that must be adaptive to what the network looks like, who is on it, and how they are using your services.
Often, these conversations about zero trust turn into a conversation about a “mature zero trust.” One thing that organizations need to know is that a robust and effective zero trust approach cannot be achieved immediately. You must work your way there; in fact, it may never be finished as network services and architectures continually change. You cannot build it perfectly from the start and a proper zero trust approach will likely have many iterations over its life.
Some organizations that have clearly defined core security requirements, such as banks, governments, etc., will likely need stronger levels of enforcement, and as such, they will need fuller visibility. Enterprises, on the other hand, might not be so nervous, given the relatively low risk of a breach being as catastrophic.
So, to summarize, there isn’t a cookie-cutter answer to the question of, “What does network visibility look like for my organization?” The frustrating answer is, “It depends.” One thing I can say for certain is that the more visibility you have, and the deeper that visibility goes, the stronger the confidence will be in that specific zero trust model and the overall security of the network.
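As an added illustration of the distinction Green draws between partial and full visibility (example code, not from the interview or from NETSCOUT), the following Python runs both views over a few constructed packets: a NetFlow-style aggregation shows who talked to whom and how much, while payload inspection can flag an HTTP response whose declared content type does not match its body. The packets, addresses and the mismatch rule are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample "packets" (not real captures): 4-tuple plus payload.
# All are TCP; the last one claims text/html but carries a PE ("MZ") header.
PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "sport": 51001, "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "sport": 51001, "dport": 80,
     "payload": b"GET /update.bin HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "sport": 80, "dport": 51001,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "sport": 80, "dport": 51001,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nMZ\x90\x00\x03"
                + b"\x00" * 8},
]


def flow_summary(packets):
    """Partial visibility: NetFlow-style counts per (src, dst, sport, dport).

    This answers "who is talking to whom, and how much" but never sees payloads,
    so the benign and the suspicious response above land in the same flow record.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p["src"], p["dst"], p["sport"], p["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += len(p["payload"])
    return dict(flows)


def inspect_payloads(packets):
    """Full visibility: look inside each HTTP response body.

    Returns (packet index, reason) for responses whose Content-Type header says
    text/html while the body starts with a Windows PE "MZ" signature.
    """
    findings = []
    for i, p in enumerate(packets):
        head, sep, body = p["payload"].partition(b"\r\n\r\n")
        if not sep or not head.startswith(b"HTTP/"):
            continue  # not an HTTP response; nothing to check here
        if b"content-type: text/html" in head.lower() and body.startswith(b"MZ"):
            findings.append((i, "content-type mismatch: text/html header, PE body"))
    return findings
```

Flow records are enough to notice that 10.0.0.5 spoke to 203.0.113.9 on port 80; only the payload view separates the two responses that share that flow.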
GCH: Does having that level of visibility into a network make it future-proof? Does an effective zero trust approach really provide the best way to prepare for the future of cybersecurity?
Andrew Green: Future-proofing will happen with a zero trust model, and that is by its very nature. I said earlier that zero trust is a philosophy, not a guideline. It doesn’t say do this; it asks how your specific model can be made more secure. How are you going to control and enable rather than what solutions do you have? How can you leverage existing solutions?
To put it plainly, zero trust is the best model we have until the next one comes along. Zero trust is not an end-all-be-all for cybersecurity. It is, however, an intelligent and thoughtful way to approach cybersecurity that is far and beyond better than the old perimeter monolith which has been the end-all-be-all for years. Combined, they create a very robust and significant defense, but the shift in the industry is towards zero trust for a reason. It is, right now, the future-proof model.
“Perimeter defense is a great first barrier, but as these attackers get more sophisticated, comprehensive network visibility will be a core part of malware and breach detection.” – Andrew Green
And that is the most important role of network visibility, to monitor packets that make it through the perimeter. Full visibility identifies malware and tracks it back to its source so cyber teams can isolate and remove it from the network. Visibility, as a foundation of zero trust, will be increasingly important going forward. It will be the key to all security operations and detections, and not just for zero trust approaches. It’s a key part of the methodology, but it also provides services all on its own. Adopting visibility, along with using it to empower a zero trust approach, is one of the best ways to prepare.
GCH: What are the ideal ways to approach bolstering network visibility? Is there an ideal way to approach that challenge?
Andrew Green: So, the short answer is that network visibility needs to be pervasive, which takes a combination of things. Network taps, a network visibility layer such as packet brokers, virtual taps, these are all solutions that we at NETSCOUT routinely provide for organizations looking for that next level of cybersecurity.
As a longer answer, the first step will be to do that discovery phase, to dig deep into your network, on-prem and in the cloud, and figure out what your network looks like as a whole, in other words, the known threat surface. Then focus on the data or the services that are most valuable to your organization, in other words, the protect surface. Ideally, as you go, you do ongoing monitoring to determine which data and services can be appropriately grouped into the zero trust approach. From there, it’s a matter of approaching the remaining services and determining how to make them play nice in the new architecture. This is where having a partner like NETSCOUT can be crucial.
A lot of the time, organizations look at this process and get lost in the weeds. Partners like NETSCOUT understand how zero trust principles can be worked into a network, how these networks have changed due to remote work, how the cloud impacts the threat surface; you don’t have to go it alone. We have the tools to bring network visibility (virtual taps, regular taps, packet brokers, probes) into your network, the ability to do wireline decodes of packets into services, and to identify things that are out running in the network, including different types of systems that might be out there.
The ideal way to approach the challenge of cybersecurity, and I don’t know how many times I’ve said this but I’m going to say it again, is by using network visibility to establish and maintain a zero trust model, and the best way to do that is to reach out to us yesterday. The next best way is to do all that today.