Zero Trust ─ Part II: A Layered Approach against cyber threats
This article is a follow-up to the Zero Trust primer 'Zero Trust - An Introduction'. In this second part of the series, we'll go into more depth on how organizations can adopt an identity-centric approach and secure their corporate environments.
It is written as a 'Notes from the field' piece in which I share principles and recommendations for a Zero Trust framework aligned with modern security principles, based on experience and past engagements.
While the pandemic has certainly put more pressure on organizations to prioritize Zero Trust, it is not a new concept. For the last 10 years, security researchers and leading security companies have been shaping and refining how companies can implement Zero Trust in their corporate environments. And even though the Zero Trust approaches may vary slightly from one vendor to another, all frameworks align on one thing: identity is at the core of Zero Trust.
However, adopting Zero Trust isn't an effortless process, and it isn't a technology that you can just buy and integrate. Instead, you'll have to redefine your organization's entire approach to identity and security. You will first have to move away from the 'perimeter security' approach and lean towards a more granular security approach that revolves around continuous evaluation of risk.
In order to simplify the Zero Trust journey, I created the following diagram to showcase my view of a layered approach to Zero Trust and how every organization can adopt an identity-centric approach to secure its assets.
The Core (Layer 1) - Creating an Identity-Centric Control Plane
Protecting the core is a crucial step of the process: identities are the bonds that bind all the other components together, so protecting these crown jewels and having pre-emptive security measures in place is essential.
In order to assess its identity posture, an organization has to start with an assessment that will help it understand its identity ecosystem. It comes down to the following questions around high privileged accounts:
- Which users have access to critical assets?
- Among those users, how many use high privileged accounts?
- How are we securing our high privileged accounts?
- Do we have any dormant accounts with high privileges on the tenant?
- Do we have a lifecycle management system in place for high privileged accounts?
- Are we monitoring & logging our high privileged accounts?
Best Practices
- Implement adaptive security controls using multifactor authentication: FIDO2 tokens for critical workloads and authenticator application for 'less-critical' workloads.
- Implement least privilege and Just in Time (JIT) access for high privileged accounts: use Azure AD Privileged Identity Management to provide access only when needed.
- Create automated lifecycle management for high privileged accounts using Azure AD Access Reviews: this will help you control those administrator accounts that are just left there after projects or migrations.
- Always monitor the high privileged accounts and create policies that will block access whenever any suspicious activity occurs: you can use Azure AD Identity Protection, Defender for Cloud Apps & Azure Sentinel to set up policies that detect/block such actions.
Layer 2 - Creating an adaptive Zero Trust architecture
As companies continue to move large numbers of their applications and workloads to the cloud, they will need new processes to secure their environments, as old security concepts are rendered obsolete (as seen in the previous article). In order to simplify the new architecture requirements and to better understand this Zero Trust approach, NIST created the Zero Trust Logical Approach.
This approach revolves around a policy engine that lets us enforce the core principle of Zero Trust: never trust, always verify.
The policy engine handles the ultimate decision to grant, deny, or revoke access to a resource for a given subject: it calculates the trust scores/confidence levels and makes the final access decision.
Azure AD Conditional Access gives you the power to enforce this core principle. Whenever a user signs in to an application or a cloud service, Azure AD collects identity-related signals such as user behavior, location, risk score and device type for the sign-in, and then determines the action to take: allowing the sign-in, asking for multifactor authentication or blocking access, for example.
Best Practices
- Increase the tenant's security posture: use Microsoft 365 Secure Score to implement security recommendations and to harden your cloud security controls and configuration.
- Use Azure AD Conditional Access and bring in as many signals as possible: enable integrations with other services like Azure AD Identity Protection, Defender for Endpoint, Intune, and Defender for Cloud Apps.
- Create policies per population: Administrators, guest users, & enterprise users.
- Create risk-based policies that leverage machine learning signals and can block and revoke access automatically.
- Leverage the Defender for Cloud Apps integration with Conditional Access in order to monitor sessions and block users from performing certain actions such as downloading files in a session.
- Leverage the integration with Microsoft Intune in order to enforce MDM & MAM policies.
- Harden the security configuration of your tenant (Azure AD security settings, Azure AD B2B, Microsoft Teams, SharePoint/OneDrive external access and sharing, Intune device registration policies, etc.)
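To make the policy-engine idea concrete, here is an added example (not Azure AD's code, and not part of the original article) of a small Conditional Access style engine: per-population policies are matched against the signals of one sign-in, every matching policy applies, the strongest grant control wins, and session controls are attached to an allowed sign-in. The signal names, risk scale and policy set are assumptions chosen to mirror the best practices above.

```python
from dataclasses import dataclass

@dataclass
class SignIn:                 # signals the engine sees for one sign-in attempt (constructed model)
    user: str
    population: str           # "admin", "guest" or "user"
    app_critical: bool        # target app holds critical data
    sign_in_risk: str         # "none" | "low" | "medium" | "high", real-time signal
    user_risk: str            # same scale, aggregated over the account's history
    device_compliant: bool    # managed and compliant device (Intune-style signal)
    mfa_method: str           # "none" | "authenticator" | "fido2", what the user presented

RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}
STRENGTH = {"none": 0, "mfa": 1, "fido2": 2, "block": 3}   # grant controls, weakest to strongest

# (name, condition, grant control): every matching policy applies and the strongest control wins.
POLICIES = [
    ("Admins: phishing-resistant MFA", lambda s: s.population == "admin", "fido2"),
    ("Admins: block medium+ sign-in risk",
     lambda s: s.population == "admin" and RISK[s.sign_in_risk] >= 2, "block"),
    ("All: block high user risk", lambda s: RISK[s.user_risk] >= 3, "block"),
    ("All: MFA on any sign-in risk", lambda s: RISK[s.sign_in_risk] >= 1, "mfa"),
    ("Guests: always MFA", lambda s: s.population == "guest", "mfa"),
    ("Critical apps: FIDO2", lambda s: s.app_critical, "fido2"),
]

def satisfied(control: str, s: SignIn) -> bool:
    """Does the authentication the user presented meet the required control?"""
    if control == "fido2":
        return s.mfa_method == "fido2"
    if control == "mfa":
        return s.mfa_method in ("authenticator", "fido2")
    return True

def evaluate(s: SignIn) -> tuple[str, str, list[str]]:
    """Return (outcome, required control, session controls) for one sign-in.
    outcome is "allow", "challenge" (user must satisfy the required control) or "block"."""
    required = "none"
    for _name, applies, control in POLICIES:
        if applies(s) and STRENGTH[control] > STRENGTH[required]:
            required = control
    if required == "block":
        return "block", required, []
    if not satisfied(required, s):
        return "challenge", required, []   # the tenant would prompt for the stronger method
    session = []
    if not s.device_compliant:
        session.append("block_download")   # Defender for Cloud Apps style session control
    if s.population == "guest":
        session.append("monitor_session")
    return "allow", required, session
```

Note that an administrator who presents only the authenticator app gets a challenge for FIDO2 rather than an allow, and any medium-risk administrator sign-in is blocked outright, matching the Layer 1 and Layer 2 recommendations.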
Layer 3 - Defend against Threats
The third layer is all about monitoring and responding to everything that happens on our tenant. This is usually the responsibility of the Security Operations Team (SOC).
It is highly recommended that every organization has a unified platform that correlates all the alerts gathered across its different security solutions. Having such a platform in place makes it much easier for the SOC team to detect and respond to potential cyberattacks. This type of unified security solution is what is nowadays called XDR (Extended Detection & Response).
In the Microsoft 365 ecosystem, this is referred to as the Microsoft 365 Defender stack: a unified security platform that correlates the logs from the individual Defender solutions and gives the threat hunter better visibility and much clearer detection & response capabilities across your workloads.
On top of that, Microsoft Sentinel (cloud-native SIEM/SOAR) gives you the possibility to create customized, intelligent queries using Kusto Query Language (KQL) to find suspicious activities across your cloud services. You can also create automated responses using Azure Logic Apps, customized to carry out specific actions whenever a certain alert is triggered (blocking an Azure AD user whenever a suspicious action is detected, for example).
Best Practices
- Add M365 Defender logs to Sentinel (Defender for Office 365, Defender for Cloud Apps, Defender for Endpoint, Azure AD Identity Protection logs, Defender for Identity).
- Use advanced multistage attack detection in Microsoft Sentinel (Fusion).
- Create DLP policies across your cloud services and endpoints.
- Activate the integrations between your M365 security solutions: Defender for Cloud Apps integration with Identity Protection, Defender for Endpoint & Defender for Identity. This will allow you to extend the Defender for Cloud Apps capabilities to endpoints & to identities.
- Activate ransomware detection policies on Defender for Cloud Apps
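Two of the checks discussed above, monitoring high privileged accounts (Layer 1) and correlating sign-in data with other sources in a SIEM (Layer 3), carried out over constructed sample data as an added example (not Sentinel's own queries, and not code from the original article). The role inventory, the sign-in records and their field names are assumptions that mirror the kind of data a SIEM ingests from Azure AD; in Sentinel the same logic would be a KQL join between the sign-in logs and the role assignments.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real tenant logs): a privileged role inventory and sign-in events
# carrying risk and MFA fields like those a SIEM ingests from Azure AD.
PRIVILEGED_ROLES = {
    "alice@contoso.example": "Global Administrator",
    "bob@contoso.example": "Security Administrator",
    "carol@contoso.example": "Exchange Administrator",
}
SIGNINS = [  # (timestamp, user, result, sign-in risk, mfa performed, conditional access result)
    ("2024-03-01T08:02:00", "alice@contoso.example", "success", "none", True, "success"),
    ("2024-03-02T22:41:00", "alice@contoso.example", "success", "high", False, "notApplied"),
    ("2024-03-02T09:10:00", "bob@contoso.example", "failure", "medium", False, "failure"),
    ("2023-11-15T10:00:00", "carol@contoso.example", "success", "none", True, "success"),
    ("2024-03-02T11:00:00", "dave@contoso.example", "success", "high", False, "notApplied"),
]
NOW = datetime(2024, 3, 3)
DORMANT_AFTER = timedelta(days=90)

def risky_privileged_signins(signins=SIGNINS, roles=PRIVILEGED_ROLES):
    """Privileged accounts that signed in successfully at medium/high risk without MFA:
    each hit is a gap that the risk-based Conditional Access policies should have closed."""
    findings = []
    for ts, user, result, risk, mfa, ca in signins:
        if user in roles and result == "success" and risk in ("medium", "high") and not mfa:
            findings.append({"user": user, "role": roles[user], "time": ts, "risk": risk, "ca": ca})
    return findings

def dormant_privileged_accounts(signins=SIGNINS, roles=PRIVILEGED_ROLES, now=NOW):
    """Privileged accounts with no successful sign-in inside the dormancy window,
    i.e. candidates for removal through an access review."""
    last_seen = {}
    for ts, user, result, *_ in signins:
        if result == "success":
            t = datetime.fromisoformat(ts)
            last_seen[user] = max(last_seen.get(user, t), t)
    dormant = []
    for user, role in roles.items():
        seen = last_seen.get(user)
        if seen is None or now - seen > DORMANT_AFTER:
            dormant.append((user, role, seen.date().isoformat() if seen else None))
    return dormant
```

The non-privileged user's risky sign-in is deliberately left out of the first finding so that the SOC sees the privileged hits first; the second function returns the account that never signed in at all as well as the one whose last sign-in fell outside the window.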
Layer 4 - Assume breach mentality
An assume breach mentality is a cybersecurity approach that takes into consideration that cyberattacks will happen, as opposed to assuming that they 'might' happen.
This shift in mindset transitions defense strategies from a passive to an active framework. By assuming data breaches will occur, or are presently occurring, organizations cultivate their defense solutions and continuously monitor for vulnerabilities throughout their environments.
By implementing an assume breach mentality, we verify that protection, detection and response mechanisms are implemented properly.
Best Practices
- Have remediation plans in place in case of cyberattacks (ransomware, tenant compromise: account cleanup, what to do when files get encrypted, isolating impacted assets, support tickets with Microsoft, etc.).
- Have a 'break the glass' accounts process in place.
- Have regular backups in place in case your organization needs to recover any damaged assets.
Layer 5 - User Training & Awareness
The weakest links of many organizations are their users. Most cyberattacks have a human element involved that usually sets off the attack's kill chain. Therefore a 'security culture' across the whole organization is very important: cybersecurity is a team effort where everyone has to contribute by staying aware and by protecting their assets.
Best Practices
- Train your users about cybersecurity and make them understand the risks involved: how to handle sensitive corporate data, how to detect phishing emails, etc.
- Regularly conduct attack simulations (phishing) to monitor and measure your workforce's readiness for cyberattacks: this will allow you to identify the vulnerable population, making it easier to know which users to target with more security & awareness training.
Feel free to comment on this article; I would gladly discuss any related matter down below.