Last week we discussed the Four Tenets of Zero Trust Workload Protection. This week we're taking a closer look at the renewed buzz around the concept of Zero Trust security.
Guidelines from the NSA, NIST, and even Google, are all touting the benefits of Zero Trust. According to the NSA: “The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information.” [1]
This sounds like good advice, but in practice, Zero Trust has been difficult to achieve and doesn’t go deep enough to stop today’s advanced attacks. There’s also a common misconception that Zero Trust is all about access controls for users, devices, and networks. While it does include these, they are table stakes. The battleground for advanced attacks has moved into application workloads and is being fought in runtime.
So, let’s examine what’s good about Zero Trust, and how we can extend it to workloads, and make it automated, practical, and achievable.
The battleground for advanced attacks has moved into application workloads and is being fought in runtime.
Zero Trust Must Go Deep
Unfortunately, many people have a limited view of where Zero Trust applies. In the past it has been viewed largely as enforcing rules around access control – such as: “Bob can access accounting systems from his laptop, but not his iPhone, while Mary can view reports from her mobile device, but only during business hours…”
While these are valid examples, they only skim the surface, and miss much of today’s risk. Attacks like SolarWinds have demonstrated that the security battleground has moved into applications and is being fought in runtime – when code is executing. And if you can’t trust updates from a trusted software vendor, who or what can you trust?
Advanced attackers can often bypass humans, and derail legitimate code as it executes, at the memory level. Many exploits now leverage remote code execution (RCE) to hijack control during runtime, and open persistent backdoors into critical systems.
Zero Trust can and should be applied to protect critical workloads during runtime, but this requires visibility and awareness deep into the application realm. Unfortunately, most conventional security tools treat code during runtime as a ‘black box’ and lack insight or control at this critical stage.
Gartner has recognized this gap and recommends that we should “at runtime, replace antivirus-centric strategies with “zero-trust execution.” 4
Trust Requires Application-Awareness
It seems obvious – to enforce Zero Trust you must have an in-depth awareness of what is supposed to happen, and what is actually occurring during runtime. But if we dig into an application, there are a lot of moving parts – hundreds of files, thousands of processes, and millions of memory calls that define the correct execution and control flow of application code. Managing this manually is almost impossible, and many people have been frustrated by simply trying to whitelist acceptable files.
This is where Virsec has developed powerful technology that can automatically map applications in-depth across the complete application stack. Virsec’s patented AppMap® technology automatically identifies the correct files, scripts, directories, libraries, inputs, processes, memory usage, and more. This comprehensive application-awareness provides a deep foundation for Zero Trust that can be applied in real-time, as application code executes.
Zero Trust Must Be Automated
While it is a powerful concept, Zero Trust Security must be made practical – and that requires automation. Attacks are happening at compute speed and damage can be done in milliseconds, while human responses can take hours – at best.
At Virsec, we recognize that effective security must go deep and be application-aware, but it also must be automated, continuous, and easy to manage. The AppMap process is fully automated and enforced continuously as application code executes. Any deviations from acceptable execution are detected in milliseconds, and protection rules can be automatically triggered to stop attacks at the earliest stage, before damage is done.
Prior Knowledge Will Not Save You
Most security tools require prior knowledge to stop attacks. That means you’ll never stop attacks the first time, and will always be slow to react, and create new signatures or rules to stop newly discovered exploits. The attackers know this – and can easily create thousands of variants of malware, that will not trigger these reactive defenses.
This is why Zero Trust is so important and must be implemented in-depth, within application workloads, and be automated. Chasing every possible threat is an infinite problem, and a battle that we are losing. Instead, if we ensure that critical applications only do the right thing, and we prevent them from going off the rails during runtime, we can fundamentally change the security equation. This is a finite and solvable problem, and solutions like Virsec have demonstrated the ability to detect attacks like SolarWinds the first time, at the earliest stage, with no prior knowledge.
Achieve Zero Trust Workload Protection
The Virsec Security Platform provides Zero Trust throughout the software supply chain and workload operational lifecycle. Protect enterprises from sophisticated remote code execution or sophisticated supply chain attacks against on-premises, cloud, hybrid, or container-based workloads.
Virsec Security Platform
Virsec’s workload protection controls are purpose-built to support Zero Trust maturity for protection against sophisticated supply chain attacks. Virsec Security Platform's patented technology is delivered via the following three application-aware components:
• Memory Protection: leverages in-memory instrumentation to detect and protect when a workload starts executing attacker-provided shell code.
• Web Protection: leverages in-memory instrumentation to detect and protect when a workload starts executing attacker-provided byte code.
• Host Protection: leverages file integrity capabilities to prevent even single instructions from any unauthorized executables, libraries and scripts from executing.
Unlike EDR/EPP and other perimeter security controls, Virsec’s source of trust is the application’s code itself. Once a developer delivers an application, the Virsec source of trust never changes. This stands in contrast to conventional security controls, which depend on a moving target of threat feeds.
Additional Learning
White Paper: Zero Trust Workload Protection: Essential Security to Stop Advanced Cyberattacks.
White Paper: The Need for Application-Aware Workload Protection
Webinar: Defending Against Nation-State Attacks: Breaking the Kill Chain
Webinar: Zero Trust Cloud Workload Protection
[1] Embracing a Zero Trust Security Model, National Security Agency, Cybersecurity Information, February 2021
[2] Zero Trust Architecture, NIST Special Publication 800-207, August 2020
[3] CISO’s Guide to Cloud Security Transformation, Google, February 2021
[4] Market Guide for Cloud Workload Protection, Gartner, April 2020
