Marcus Fowler is the CEO of Darktrace Federal & SVP of Strategic Engagements and Threats at Darktrace.
The core principles of zero trust (ZT) have been around long before the term itself, which the National Institute of Standards and Technology (NIST) defines as the “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
In short, when it comes to accessing an IT environment or part of a system, organizations should practice the principle of “never trust, always verify.” This principle includes cornerstones of robust access control and authentication, network segmentation and “least access” policies.
Over the past five years, we have seen ZT evolve from a best practice to a core essential for cybersecurity programs. The Department of Defense (DoD) has been a leader in defining, prioritizing and implementing zero-trust principles, outlining the key organizational and process changes that help organizations get ahead of emerging threats by shifting their security tactics away from traditional perimeter monitoring.
The DoD’s framework defines seven pillars—users, devices, applications and workloads, data, network and environment, automation and orchestration, and visibility and analytics—along with dozens of controls for successful zero-trust architectures.
In the era of remote work and the increasingly distributed enterprise, organizations are faced with the challenge of monitoring countless entities across multiple locations that are seeking access to mission-critical information and business functions.
With many organizations no longer having a clearly defined perimeter, core ZT methodologies are often sidestepped or compromised due to human error, incomplete implementation of ZT strategies or tedious access management approval processes.
This is opening the door for threat actors to slip through the cracks, infiltrate points of vulnerability and escalate privileged access. Additionally, the rise in complex threats, like the “North Korean fake IT worker scheme” to seed insiders into target companies, has proven that organizations across industries are increasingly targets.
In the age of AI, threat actors will accelerate from insider threat access to exploitation faster and with greater stealth than ever before, and in ways ZT programs of today have yet to consider. In response, traditional ZT approaches must evolve to include a behavioral understanding of users and assets, adding a critical dimension: “Never trust, always verify, continuously monitor.”
Insider Threat: Zero Trust’s Kryptonite And The Best Argument For ‘Behavioral Zero Trust’
At a high level, ZT ensures protection from external threats to an organization’s network by requiring continuous verification of the devices and users attempting to access critical business systems, services and information. However, even with this architecture and policy enforcement tactics in place, the risk of malicious insider activity remains.
The ZT fundamental of “least access” goes some way toward mitigating insider threat and supply chain compromise; however, as the Edward Snowden case and the more recent incident involving Jack Teixeira showed, malicious actors can still do significant damage to an organization from within their approved and authenticated boundary. To close the remaining security gaps, organizations must extend their strategy and add another dimension to every zero-trust approach: behavioral understanding.
The DoD’s ZT visibility and analytics pillar references the importance of user and entity behavior analytics, such as utilizing log data to detect abnormal behavior on networks. However, this concept must go beyond static baselines and profiling using historical data.
Behavior analysis needs to be a continuous understanding and situational awareness of normal activity in real time, all the time. Behavioral understanding, along with active defense and enforcement, must become a higher priority—not only for the DoD and its operational units but also across public and private sector ZT programs and implementation practices.
The shift from traditional ZT frameworks to incorporating a robust behavioral ZT posture requires technology uniquely capable of understanding the complex patterns, behaviors and access areas tied to specific users or devices. It must also routinely monitor these activities at the most granular level to catch any deviations from standard behavior.
This approach allows security teams to quickly identify when a user’s routine activities unexpectedly veer into suspicious territory, even within their own trusted and validated access area and despite having authenticated successfully, so that potential threats can be addressed in real time.
AI Doesn’t ‘Trust’ Anyone
Why is AI the most complete behavioral ZT partner technology? AI trusts no one and nothing. With the appropriate application of specific AI techniques, such as unsupervised machine learning, it can build a granular understanding of the normal operating behaviors of users, devices, environments and groups, and then identify changes in that “trusted” activity.
This understanding can then be used to automate precise real-time threat containment responses, allowing security teams to stop anomalous activity without disrupting normal business operations. This type of AI application continually learns from its environment—keeping security teams one step ahead no matter how the threat landscape shifts.
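The behavioral dimension described in the two preceding sections (a continuous per-user baseline, then flagging deviations even when every request was authenticated and authorized) can be made concrete with a small detector. The following is an added illustration written for this article, not code from the author, Darktrace or the DoD; it uses a simple statistical profile (typical hours, typical resources, byte-volume z-score) as a stand-in for the unsupervised learning the text refers to, and all log events are constructed sample data.

```python
"""Toy behavioral zero-trust detector: every event below already passed
authentication and authorization; alerts come only from behavioral deviation."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    user: str
    hour: int          # local hour of day, 0-23
    resource: str      # logical name of the system accessed
    bytes_out: int     # data returned to the user
    authenticated: bool = True   # authN/authZ succeeded for every event here


@dataclass
class UserProfile:
    hours: set
    resources: set
    byte_mean: float
    byte_std: float


# Constructed baseline: a fortnight of an analyst's ordinary, authorized activity.
BASELINE_EVENTS = [
    AccessEvent("alice", h, r, b) for h, r, b in [
        (9, "wiki", 2100), (10, "hr-share", 3400), (11, "wiki", 2800),
        (14, "hr-share", 4100), (15, "wiki", 2500), (16, "hr-share", 3900),
        (9, "wiki", 2300), (10, "hr-share", 3600), (14, "wiki", 2700),
        (15, "hr-share", 4000),
    ]
]

# Constructed new activity: all of it successfully authenticated.
NEW_EVENTS = [
    AccessEvent("alice", 10, "hr-share", 3500),        # routine
    AccessEvent("alice", 15, "source-repo", 2600),     # new resource only
    AccessEvent("alice", 2, "hr-share", 90000),        # 2 a.m. bulk pull
    AccessEvent("bob", 11, "wiki", 1800),              # no baseline at all
]


def build_profiles(events):
    """Learn what 'normal' looks like per user from authenticated history."""
    by_user = defaultdict(list)
    for e in events:
        if e.authenticated:
            by_user[e.user].append(e)
    profiles = {}
    for user, evs in by_user.items():
        sizes = [e.bytes_out for e in evs]
        profiles[user] = UserProfile(
            hours={e.hour for e in evs},
            resources={e.resource for e in evs},
            byte_mean=mean(sizes),
            byte_std=pstdev(sizes) or 1.0,   # avoid division by zero
        )
    return profiles


def deviation_reasons(profile, event, z_limit=3.0):
    """List every way this authorized event departs from the user's baseline."""
    reasons = []
    if event.hour not in profile.hours:
        reasons.append("unusual hour")
    if event.resource not in profile.resources:
        reasons.append("never-before-seen resource")
    z = (event.bytes_out - profile.byte_mean) / profile.byte_std
    if z > z_limit:
        reasons.append(f"volume z-score {z:.1f}")
    return reasons


def evaluate(profiles, events, alert_threshold=2):
    """Return (event, reasons, alerted) for each event; alert needs >= threshold
    independent deviations so a single novelty is logged, not escalated."""
    findings = []
    for e in events:
        profile = profiles.get(e.user)
        if profile is None:
            findings.append((e, ["no behavioral baseline for user"], True))
            continue
        reasons = deviation_reasons(profile, e)
        findings.append((e, reasons, len(reasons) >= alert_threshold))
    return findings


if __name__ == "__main__":
    for event, reasons, alerted in evaluate(build_profiles(BASELINE_EVENTS), NEW_EVENTS):
        tag = "ALERT" if alerted else "ok   "
        print(f"{tag} {event.user:6} {event.hour:02d}:00 {event.resource:12} {reasons}")
```

The point the run makes is the one the article makes: the 2 a.m. bulk pull from a share Alice is entitled to use passes every access-control check and is caught only because her baseline says she does not work then or move that much data, while a single new resource is recorded as a weak signal rather than an alert.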
Implementing New Ideals
Change doesn’t happen overnight—and shifting to a behavioral ZT framework is no different. According to Randy Resnick, Director of the DoD’s Zero Trust Portfolio Management Office, this is because there is a “whole constellation of supporting effort that has to go on to support zero trust” and “a culture change” is required across the entirety of an organization to ensure its success—from IT teams up to the C-suite.
Through his direct experience with the DoD, Mr. Resnick also noted that implementing these policies has typically required a three-month learning curve, which leaves organizations little room to delay their security improvements in the face of rising threats.
With adversaries increasing the speed, scale and sophistication of cyberattacks and insider threat tactics, it is vital that organizations take action now and build upon foundational ZT frameworks to incorporate behavioral understanding and autonomous detection and response as core elements of their cyber defense strategies.