The Intersection between Zero Trust and Zero Time
December 15, 2019 | Matthew Fulmer
Security Admin 101 - Call me Z3R0
When it comes to the endpoint, security has come under heavy fire lately! All over the news and social media businesses are under siege by ransomware that were expected to be prevented by their installed security products. It seems almost every day there are new reports of businesses infected with ransomware. Why are businesses faltering everywhere when it comes to preventing these attacks? The answer to this can be attributed to the major shortcomings of legacy AV solutions that the majority of enterprises are using. Considering these shortcomings of legacy AV, there needs to be more conversation about two different models that can, and should, be employed in your environment to bolster security.
Many are aware of the Zero-Trust based model and how it’s designed to limit the access of programs/users internally. Indeed, it’s a fantastic start to implementing a solid security strategy. Far fewer are aware of the Zero-Time model, although it is gaining traction. The idea behind the zero-time model is nothing out of the ordinary as it’s the ability to detect/prevent threats in what most would call “real-time”. The irony, however, is that “real-time” by many security vendors really involves up to 60 seconds for detection to occur, 10 minutes to analyze and investigate, an hour to contain and remediate, and sometimes even longer depending on the solution being utilized. Two different models with different scopes, but which surprisingly overlap, such that if you’re planning to implement either model in your environment, it just makes sense to do both.
A major topic of conversation that comes up often is about IP (Intellectual Property) and how “data breaches” are extremely worrisome to organizations. Imagine having a product that would revolutionize your industry only for the public or worse, your competitor, getting their hands on your “secret sauce”. That concern has many executives and cybersecurity managers scrambling to find a way to keep things “in-house”, a task which is extremely challenging. Enter the zero-trust model of which a major factor is limiting user access to data they need and not just giving blanket access because it’s easier (read: lazy).
This exact scenario demonstrates the statistics around data breaches and the timetables provided by the Verizon Data Breach Information Report (DBIR) which found that from amongst their 73 contributors with 41,686 security incidents, 2,013 had confirmed breaches. Not all of these were physical breaches, but in many cases, (~24%) the breach would be from an external based initiator (malware/ransomware). One major focus with a zero-trust model is migrating “privileged users” or users with admin access toward the same permission set of “normal users” to limit the chances of a data breach.
Assuming you have implemented a very solid zero-trust model you are still potentially missing the ~24% of threats which caused a breach, such as ransomware. Ransomware never ceases to make headlines, as this article was written a ransomware hit Virtual Care Provider Inc. (VCPI). An IT company which provides countless services (cloud data hosting, security, and access management) to more than 100 nursing homes. The impact of this is absolutely catastrophic as it could involve putting patients in a critical condition due to the inability to access records or medicine dispensing records. How would zero-time help in this scenario? For 14 months this VCPI’s environment was probed and hit with different variants of malware/ransomware, particularly Ryuk which is a variant of the Trickbot trojan, as the environment was vulnerable, having no form of prevention.
What VCPI was hit with is not new, but the detailed analysis showed that it followed a trend in how companies are impacted by ransomware. 14 months prior the attacks were not successful, but the attackers kept persevering until they found a way to disable the current AV solution on the machines. Once achieved, they were able to run custom scripts and then drop the ransomware. Would zero-time have prevented this? Absolutely! Zero-time actually means zero-time, not 60 second “real-time”. Today’s “next-gen” solutions have the capability to utilize AI technologies like deep learning to provide actual zero-time prevention thus tangibly increasing the overall security level of the environment. Zero-time is what you want implemented to help prevent against ransomware attacks and against things like dual-use tools that could be weaponized and then utilized to wreak havoc on your environment.
You’re probably wondering how much can actually happen in 60 seconds? The answer - A LOT! Deep Instinct’s testing lab has found that if a dropper gets on a machine and is not detected then chances are the payload is also not detected and it took less than 60 seconds for a whole machine to become encrypted. Is this a risk worth taking in your environment? Is it worth risking what the above-mentioned provider was quoted to get all their data back ($14 million in bitcoin?).
Caption: The Zero/Zero symbiotic relationship
Zero-trust covers the internal side of things and Zero-time covers the external side, but what features make the zero-time model an absolute “killer-app”? What needs to be included in a program to make it capable of zero-time? You need to have more than just detection and prevention of known items, almost all AV solutions can do that with a DAT file or a simple set of instructions. The product being used should offer the ability to block/prevent any “questionable” applications prior to reaching the machine.
Optimally, the solution should also involve the ability to prevent the exploitation of Powershell scripts, Wscript and Cscript (the more common targets of file-less malware). Most importantly, it needs to have actual zero-time analysis and determination of files specifically to prevent that delay in “finding” and convicting a file optimally with advanced learning on the back end. Lastly, it needs to make your life easier and not take substantial amounts of increased resources to manage (read: this doesn’t mean “easy-bake oven” set and forget management). Deep Instinct has these capabilities and more, within the provided console, specifically designed to be the next-gen solution for your environment to make your security life easier and allow you to implement a strong zero-time solution in combination with a zero-trust model.
In the overlap between the models, zero-trust can and will assist with the prevention of programs/scripts internally if the user is locked down, while zero-time becomes crucial in the event a user, for example, accidentally downloads a macro-enabled word document or PDF with a binary segment set to autorun on launch. The overlap between the models pays off and bolsters your security! Zero/Zero takes time to implement, but with the right solution your zero-time implementation can and will be successfully easier to manage and vastly less painful!
Want to know more? Reach out, let’s have a conversation!
Deep Instinct, we prevent what others can't find.