The Edge

Comprehensive Network Visibility Is Imperative for Zero-Trust Maturity

Distrust and verify, because you can't protect what you can't see.

Even before the Biden administration announced US federal agencies and contractors must adopt new zero-trust cybersecurity standards, many enterprise-level companies had already begun their journeys toward zero-trust architecture (ZTA) adoption.

According to a recent survey conducted by Forrester, 78% of global security leaders said they plan to bolster zero-trust operations this year, though only 6% said they have fully implemented their zero-trust projects. These organizations recognize that networks today can be local, reach into the cloud, or extend anywhere remote workers are — which limits the effectiveness of traditional defenses.

In dealing with direct exploitation of vulnerabilities such as the recent Log4j flaw (Log4Shell), indirect attacks such as phishing that delivers malware, and internal lateral movement, traditional perimeter-based network access control has proven insufficient for detecting, much less preventing, compromise. Zero trust, based on the principle that every user, device, and workload must be authenticated, authorized, and continuously validated before and while it is granted access to applications and data, is far more effective because it protects individual resources rather than network segments.

But successful execution is more like a journey than a switch that can be flipped on. It requires various technologies working together — including multifactor authentication, endpoint security, and identity protection — with full zero-trust adoption becoming an ongoing process of enhancements, refinements, and policy adjustments.

There's an old adage that became well known during the Cold War: "Trust, but verify." In today's highly distributed world, where networked environments are dynamic and infrastructure, services, and users can change rapidly, the first half of that adage no longer holds. Organizations cannot blindly assume their ZTA is always functioning as intended; they need to actively distrust and verify as they refine their network infrastructure, services, and operational policies. Continuous deep packet monitoring provides the independent evidence needed to confirm that policy enforcement is actually happening and to improve enforcement decisions.

The Role of Deep Packet Monitoring

In the Zero Trust Maturity Model laid out by the Cybersecurity and Infrastructure Security Agency (CISA), five distinct pillars (identity, devices, networks, applications and workloads, and data) reflect how advanced an organization is in its zero-trust implementation. Cutting across these pillars are the capabilities of visibility and analytics, automation and orchestration, and governance, which signals that more mature ZTAs require cross-pillar collaboration, integration, and management.

In traditional, non-zero-trust deployments, packet monitoring at the perimeter and occasionally in sensitive areas of the internal network provides the foundation for network visibility and analytics. But as an organization's ZTA matures, traditional perimeters blur or even vanish altogether. North-south traffic will always need to be seen and controlled, but, equally important, east-west traffic must be seen and controlled to detect and prevent lateral movement or deeper compromise in the environment. Achieving zero-trust maturity therefore requires pervasive visibility across the entire network through deep packet monitoring.

Packets are the highest-fidelity source of network data available, especially for organizations further along in their digital transformation journeys toward greater public or hybrid cloud use. In these environments, organizations often lose a degree of visibility compared with traditional data centers, and traditional safeguards like endpoint defenses may not even come into play where an agent cannot be installed. One caveat: with encryption now the norm, payload contents are often opaque, but the headers, handshake metadata (such as TLS server names and certificate details), and connection records that remain visible are usually enough to verify who talked to what, when, and over which port. Packet data transcends the limitations of distributed infrastructure to help verify performance and policy compliance in near real time, offering a single source of truth that can be analyzed months or even years later.

While networking teams have traditionally used packet monitoring to analyze networks, manage traffic, and identify performance issues, the data that packets provide to security teams is just as valuable for threat detection and investigations. Packet data allows security teams to trace communications between interconnected devices and reconstruct historical trends, for example, and can assist in orchestrating mitigation between management and enforcement tools through APIs. It also fills in visibility and data gaps left by other cybersecurity tools (e.g., security information and event management, or SIEM, and endpoint detection and response, or EDR), making those tools and existing cybersecurity staff more effective. Finally, organizations can use packet monitoring to classify networks, servers, and services based on risk, allowing for very rapid and concise verification of the ZTA.
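To make the "distrust and verify" idea concrete, the following added example (not code from the article or from any vendor) audits observed connection records against a segmentation policy. It covers both points made above: east-west flows are checked against the allow-list just as north-south flows are, and the records are then used to trace a chain of communications from one host to the next. The zone CIDRs, the allow-list, and the Zeek-style conn.log lines are all constructed for illustration; a real deployment would load zones and policy from its segmentation controller and read flow records exported by its packet-monitoring platform.

```python
"""Audit observed flows against a zero-trust segmentation policy.

Any flow that crosses a zone boundary the policy says should be closed is
evidence that an enforcement point is missing or misconfigured. Flows are
parsed from Zeek-style conn.log lines (tab-separated, '#' comments), whose
first seven columns are: ts, uid, id.orig_h, id.orig_p, id.resp_h,
id.resp_p, proto.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical zones for the example; real values come from the policy engine.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/16"),
    "db": ipaddress.ip_network("10.30.0.0/16"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

# Hypothetical allow-list: (source zone, destination zone, proto, dest port).
# Anything not listed here is expected to be blocked by an enforcement point.
ALLOWED = {
    ("workstations", "app", "tcp", 443),
    ("app", "db", "tcp", 5432),
    ("internet", "dmz", "tcp", 443),
    ("dmz", "app", "tcp", 8443),
}

# Constructed sample records (not real traffic). C1 and C2 are permitted;
# C3 and C4 cross closed boundaries; C5 originates from the host that C4 hit.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1700000000.100\tC1\t10.10.5.23\t51234\t10.20.1.10\t443\ttcp
1700000001.200\tC2\t203.0.113.7\t44321\t192.168.100.5\t443\ttcp
1700000002.300\tC3\t10.10.5.23\t51235\t10.30.2.7\t5432\ttcp
1700000003.400\tC4\t203.0.113.7\t44322\t10.20.1.10\t22\ttcp
1700000004.500\tC5\t10.20.1.10\t40000\t10.30.2.7\t22\ttcp
"""


@dataclass(frozen=True)
class Flow:
    ts: float
    uid: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Violation:
    flow: Flow
    direction: str            # "east-west" or "north-south"
    edge: tuple[str, str, str, int]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside known ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_conn_log(text: str) -> list[Flow]:
    """Parse conn.log lines into Flow records, skipping comments and blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        flows.append(Flow(float(f[0]), f[1], f[2], f[4], f[6], int(f[5])))
    return sorted(flows, key=lambda fl: fl.ts)


def direction_of(flow: Flow) -> str:
    """East-west when both endpoints are internal, otherwise north-south."""
    internal = {zone_of(flow.src), zone_of(flow.dst)}
    return "north-south" if "internet" in internal else "east-west"


def audit(flows: list[Flow]) -> list[Violation]:
    """Return every flow whose zone-to-zone edge is not in the allow-list."""
    violations = []
    for fl in flows:
        edge = (zone_of(fl.src), zone_of(fl.dst), fl.proto, fl.dport)
        if edge not in ALLOWED:
            violations.append(Violation(fl, direction_of(fl), edge))
    return violations


def pivot_chains(violations: list[Violation]) -> list[tuple[str, str]]:
    """Pair each violation with an earlier one whose destination is its source.

    A host that was reached over a closed boundary and then itself reaches
    across another closed boundary is the classic lateral-movement pattern.
    """
    chains = []
    for i, later in enumerate(violations):
        for earlier in violations[:i]:
            if earlier.flow.dst == later.flow.src:
                chains.append((earlier.flow.uid, later.flow.uid))
    return chains


if __name__ == "__main__":
    found = audit(parse_conn_log(SAMPLE_CONN_LOG))
    for v in found:
        print(f"{v.flow.uid}: {v.direction} {v.edge} should have been blocked")
    print("pivot chains:", pivot_chains(found))
```

Run against the sample, the audit flags the workstation reaching the database directly (C3, east-west), an Internet host reaching an app server over SSH (C4, north-south), and that app server then reaching the database over SSH (C5), and links C4 to C5 as a pivot chain. Each finding is either a policy gap to fix or an enforcement point that is not doing its job, which is exactly the kind of independent check the text argues packet data makes possible.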

In summary, enterprises just beginning their zero-trust journeys will require refinements to their architectures as they mature. Their solutions will increasingly rely on automated processes and systems, with greater integration across pillars and more dynamic policy enforcement decisions. For these systems to remain successful, continuous validation of zero-trust designs and enforcement boundaries is required, and deep packet monitoring offers the most comprehensive level of visibility available to verify their effectiveness.

At the end of the day, zero trust is a philosophy. To buy in completely, nothing can be taken for granted. Even organizations with more mature zero-trust implementations must continually verify their adherence with constant, pervasive network visibility. After all, you can't protect what you can't see, and what you can't see, you shouldn't trust.