
TRANSCRIPT

Page 1: Title of Presentation Title of Presentation...9/28/2018 5 © 2018 FORRESTER. REPRODUCTION PROHIBITED. 9 FEWER BREACHES LESS ON TECHNOLOGY COSTS IN COST SAVINGS Stop the …

9/28/2018

Privacy & Security 2018

Dr. Chase Cunningham, Principal Analyst

Zero Trust

© 2018 Forrester Research, Inc. Reproduction Prohibited

What is your security strategy?


A Single Strategy for Long Term Success

› Being Compliant – not a strategy

› Being Secure – not a strategy

› Implementing Controls and Tech – not a strategy

Zero Trust – One Strategy, Multiple Avenues, Long Lifecycle


What is this?

- Bill

- Feathers

- Webbed Feet

- Sells Insurance

- Sounds like Gilbert Gottfried


What is this?

- Securing Data

- Firewalls

- Workload Security

- User/Authentication

- Device Security

- Automating and Orchestrating Security

- Visualizing and Analyzing Threats


Zero Trust Tenets

› Focus on the outcomes

› Design from the Inside > Out (micro to macro)

› Start with the assets or data that need protection

› Determine who or what needs access

› Need to know/Least-privilege


NEVER TRUST, ALWAYS VERIFY (BeyondCorp: core principles of Zero Trust)

Connecting from a particular network must not determine which services you can access.

Access to services is granted based on:

1. what we know about you

2. what we know about the entity

3. All access to services must be authorized


ZTX Framework Simplicity

› Zero Trust Strategy

› Zero Trust Capability

› Zero Trust Technology

› Zero Trust Feature

Slide graphic labels: The Risk Owner; Technology Provider


Chart (figures not recoverable from the extraction): fewer breaches; less on technology costs; cost savings.

Source: Stop the Breach, Forrester, January 2017

Forrester finds implementing Zero Trust best practices results in tangible benefits.


Confidence increases after adopting zero trust

› More confidence accelerating new customer & partner experiences

› More confidence securing dev and DevOps

› More confidence adopting new mobile work models


Zero Trust in Practice

› Google BeyondCorp

› California Dept of Public Works

› Rolls Royce

› MoD Canadian Forces

› Dept of Public Health Canada

› IRS

› Others…


Rep. Jason Chaffetz on Zero Trust: “Zero trust would have profoundly limited the attacker’s ability to move within OPM’s network and access such sensitive data.”

Source: Adopting a zero trust cyber model in government: http://federalnewsradio.com/commentary/2016/09/adopting-zero-trust-cyber-model-government/


Committee on Oversight and Government Reform, U.S. House of Representatives, 114th Congress

Recommendation 2: Reprioritize Federal Information Security Efforts Toward a Zero Trust Model

“To combat the advanced persistent threats seeking to compromise or exploit federal government IT networks, agencies should move toward a "zero trust" model of information security and IT architecture. The zero trust model centers on the concept that users inside a network are no more trustworthy than users outside a network…”

The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation - September 7, 2016


Security Situational Awareness


Your attack surface has grown exponentially

Diagram labels: Third parties; Social; Mobile; Web (deep & dark); Shadow IT; IT environment


Attack surface diagram (continued)

Diagram labels: Third parties; Social; Mobile; Web (deep & dark); Shadow IT; IT environment

Layer descriptions:

- Known, corporate-controlled digital footprint

- Unsanctioned, rogue activity and occurrences of affiliated footprint

- Fraudulent or malicious spoofing and impersonations

- Nefarious threats, mentions, and sales on unaffiliated channels

Axes: Rapidly expanding attack surface; Decreasing control


Chart: “How was the external attack carried out?” (responses naming Ransomware, Phishing or Social engineering, by industry; 0% to 30% axis; bar values not recoverable from the extraction)

Industries shown: Manufacturing; Retail and wholesale; Business services and construction; Utilities and telecommunications; Financial services and insurance; Public sector and healthcare

Base: 404 global network security decision-makers whose firms have had an external security breach in the past 12 months

Source: Forrester Data Global Business Technographics® Security Survey, 2017


Those who have been breached take action

Chart: “What has changed at your firm as a result of the breaches occurring in the past 12 months?” Two series, Enterprise (1,000 or more employees) and SMB (20-999 employees). The values below are in extraction order; the two value runs are matched to the legend order, which the extraction does not confirm.

Action                                                       Series 1 (Enterprise?)   Series 2 (SMB?)
Switched IT auditors                                               14%                      18%
Offered optional 2-factor authentication for customers             15%                      17%
Increased spending on incident response programs                   15%                      18%
Increased spending on endpoint detection technology                16%                      19%
Increased spending on or hired external IT support                 18%                      17%
Increased spending on network detection technologies               15%                      22%
Additional security and audit requirements                         17%                      21%
Increased spending on prevention technologies                      17%                      22%
Added required 2-factor authentication for all employees           22%                      19%
Hired additional IT security staff                                 23%                      21%

Base: 224 global network security decision-makers whose firms have had a security breach in the past 12 months (SMB)

Base: 349 global network security decision-makers whose firms have had a security breach in the past 12 months (Enterprise)

Source: Forrester Data Global Business Technographics® Security Survey, 2017


What types of data were potentially compromised or breached in the past 12 months?

Three series by firm size: 3 to 20 employees (N = 32), 50 to 250 (N = 84), 251 to 999 (N = 148). The values below are in extraction order; the three value runs are matched to the legend order, which the extraction does not confirm.

Data type                                                                                   3 to 20   50 to 250   251 to 999
Payment/credit card data                                                                      31%        25%         30%
Personally identifiable information (name, address, phone, Social Security number)            38%        26%         34%
Authentication credentials (user IDs and passwords, other forms of credentials)               25%        29%         28%
Account numbers                                                                               25%        17%         27%
Intellectual property                                                                         31%        19%         31%
Corporate financial data                                                                      13%        23%         26%
Website defacement                                                                            31%        20%         28%
Other personal data (e.g., customer service data)                                              9%        15%         19%
Other sensitive corporate data (e.g., marketing/strategy plans, pricing)                       3%         8%          6%
Other                                                                                          0%         1%          0%
Don't know                                                                                     6%         6%          3%

Base: Global network security decision-makers whose firms have had a security breach in the past 12 months

Source: Forrester's Global Business Technographics Security Survey, 2016


Power of the Framework

Integrations with ZTX (one slide per pillar):

› Networks

› Visibility & Analytics

› Automation & Orchestration

› Workloads

› Devices

› Data


How is Google implementing Zero Trust?


Use Case: Enterprise rollout of ZT: BeyondCorp

www.beyondcorp.com


ZTN: A Practical Example

Google’s BeyondCorp initiative:

• A complete redesign of Google’s internal security

• Practical implementation of ZTN that illustrates some of the limitations of the ZTN model

• A working model for other organizations that want to move towards ZTN models


Guiding Principles

www.beyondcorp.com


BeyondCorp Definitions

www.beyondcorp.com


Google’s BeyondCorp Initiative

• Access is organized into “Trust Tiers” by the Trust Inferer and assigned to each device

• Trust Tier decisions are informed by data collected by the Device Inventory Service, which aggregates device data from across the environment

• When a user attempts to access any device, the Access Control Engine uses the DIS and the Access Policy to determine the context-specific access level

• The Access Policy determines the minimum trust level required for data and resource access
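The Zero Trust tenets earlier in the deck (start with the asset, decide who or what needs access, least privilege) and the BeyondCorp pipeline just described (inventory data feeds a Trust Inferer, which assigns a tier per device, and an Access Control Engine checks that tier against the Access Policy for each request) fit in a few dozen lines. The following is an added example, not code from the Forrester deck and not Google's BeyondCorp implementation; the tier names, the inventory fields, the 30/90-day patch thresholds and the sample users, devices and resource are all constructed assumptions. The one property worth watching is that the user's network location is recorded but never consulted, which is the "never trust, always verify" principle in code.

```python
# Added example (not from the Forrester deck, and not Google's BeyondCorp code):
# a toy Trust Inferer plus Access Control Engine. Field names, tiers and the
# thresholds are assumptions chosen to illustrate the flow the slides describe:
# inventory data -> trust tier per device -> policy decision per request,
# with the user's network location deliberately playing no part.
from dataclasses import dataclass
from enum import IntEnum
from typing import Set, Tuple


class TrustTier(IntEnum):
    """Trust Tiers assigned to devices by the Trust Inferer (names assumed)."""
    UNTRUSTED = 0
    BASIC = 1
    TRUSTED = 2
    HIGHLY_TRUSTED = 3


@dataclass(frozen=True)
class DeviceRecord:
    """What a Device Inventory Service (DIS) might hold about one device (assumed fields)."""
    device_id: str
    managed: bool          # enrolled in corporate management
    has_valid_cert: bool   # presents a valid device certificate
    patch_age_days: int    # days since the last successful patch
    disk_encrypted: bool


@dataclass(frozen=True)
class UserContext:
    user: str
    groups: Set[str]
    mfa_verified: bool
    source_network: str    # kept for audit only; never consulted by the engine


@dataclass(frozen=True)
class Resource:
    """Access Policy entry: minimum tier and groups allowed for one resource."""
    name: str
    min_tier: TrustTier
    allowed_groups: Set[str]


def infer_trust_tier(dev: DeviceRecord) -> TrustTier:
    """Trust Inferer: derive a tier from inventory facts.

    The 90/30-day thresholds are illustrative assumptions, not BeyondCorp values.
    """
    if not dev.managed or not dev.has_valid_cert:
        return TrustTier.UNTRUSTED
    if dev.patch_age_days > 90 or not dev.disk_encrypted:
        return TrustTier.BASIC
    if dev.patch_age_days > 30:
        return TrustTier.TRUSTED
    return TrustTier.HIGHLY_TRUSTED


def decide_access(user: UserContext, dev: DeviceRecord, res: Resource) -> Tuple[bool, str]:
    """Access Control Engine: every request is authorized from user + device context.

    user.source_network is never read: being on the corporate LAN grants
    nothing, and being off it costs nothing.
    """
    if not user.mfa_verified:
        return False, "denied: user not MFA-verified"
    if not (user.groups & res.allowed_groups):
        return False, f"denied: {user.user} not in an allowed group for {res.name}"
    tier = infer_trust_tier(dev)
    if tier < res.min_tier:
        return False, f"denied: device {dev.device_id} is {tier.name}, {res.name} needs {res.min_tier.name}"
    return True, f"granted: {user.user} on {dev.device_id} ({tier.name}) -> {res.name}"


# Constructed sample data (not from the page).
PAYROLL = Resource("payroll-app", TrustTier.TRUSTED, {"hr"})
CURRENT_LAPTOP = DeviceRecord("lt-1001", True, True, 7, True)      # -> HIGHLY_TRUSTED
STALE_LAPTOP = DeviceRecord("lt-2002", True, True, 120, True)      # -> BASIC
ALICE_ON_LAN = UserContext("alice", {"hr"}, True, "corp-lan")
BOB_REMOTE = UserContext("bob", {"hr"}, True, "coffee-shop-wifi")


def demo() -> Tuple[bool, bool]:
    """Location does not decide: alice on the LAN with a stale device is denied,
    bob off-site with a healthy device is granted."""
    alice_ok, alice_why = decide_access(ALICE_ON_LAN, STALE_LAPTOP, PAYROLL)
    bob_ok, bob_why = decide_access(BOB_REMOTE, CURRENT_LAPTOP, PAYROLL)
    print(alice_why)
    print(bob_why)
    return alice_ok, bob_ok


if __name__ == "__main__":
    demo()
```

Running the file prints one denial and one grant; the denial line names the device and the tier gap, which is the kind of reason string an access log needs so that a tier change in the inventory can later be traced to the requests it affected.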


What is the most important item in Zero Trust?


Hint…It’s in the center


Micro-Segmentation Everywhere

• User – Role Based Access, 2FA, NGA

• Device – Patches, Certificates, etc.

• Application – Control what it does and what it touches

• Protocol/Network – Control what goes where

User – Who; Device – What; Application – Why; Protocol/Network – Where


Micro-Segmentation (source: http://blogs.gartner.com/andrew-lerner/2017/03/21/microsegmentation/)

• Software defined segmentation

• Isolates applications in virtual environment

• Focus on east-west communication

• Security defined at granular level
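The two slides above say that segmentation has to be decided on all four dimensions at once, who (user), what (device), why (application) and where (protocol/network), and that the interesting traffic is east-west. The following is an added example, not code from the Forrester deck or from the Gartner post it cites, of a default-deny policy that evaluates one east-west connection attempt against rules carrying all four fields. The segment names (office, dmz, scada), the groups, the device classes, the two rules and the sample flows are constructed assumptions; it goes slightly beyond the slide in treating every denied flow as a log event, because a segment crossing with no rule behind it is exactly the signal a detection team wants from micro-segmentation.

```python
# Added example (not from the Forrester deck or the Gartner post): a default-deny
# micro-segmentation policy evaluated on all four dimensions the slides name,
# user (who), device (what), application (why) and protocol/network (where).
# Segment names, groups, device classes, rules and flows are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "*"  # wildcard for a rule field


@dataclass(frozen=True)
class Flow:
    """One east-west connection attempt as seen by an enforcement point."""
    user: str          # who
    device: str        # what
    application: str   # why
    src_segment: str   # where from
    dst_segment: str   # where to
    port: int


@dataclass(frozen=True)
class Rule:
    """An allow rule; every field must match (ANY matches anything, port 0 = any)."""
    name: str
    user_group: str
    device_class: str
    application: str
    src_segment: str
    dst_segment: str
    port: int


# Constructed identity and inventory lookups (what a directory / device inventory answers).
USER_GROUPS: Dict[str, str] = {"alice": "hr", "bob": "ot-engineers"}
DEVICE_CLASSES: Dict[str, str] = {"lt-1001": "laptop", "jump-01": "hardened-jumphost"}

# Constructed allow-list. Anything not listed is denied.
RULES: List[Rule] = [
    Rule("staff-webmail", ANY, "laptop", "webmail", "office", "dmz", 443),
    Rule("ot-hmi-via-jumphost", "ot-engineers", "hardened-jumphost", "hmi", "dmz", "scada", 443),
]


def _match(pattern: str, value: Optional[str]) -> bool:
    return pattern == ANY or pattern == value


def first_matching_rule(flow: Flow, rules: List[Rule] = RULES) -> Optional[Rule]:
    """Return the first rule whose who/what/why/where all match, else None."""
    group = USER_GROUPS.get(flow.user)          # unknown user -> None, matches only ANY
    dev_class = DEVICE_CLASSES.get(flow.device)  # unknown device -> None, matches only ANY
    for r in rules:
        if (_match(r.user_group, group)
                and _match(r.device_class, dev_class)
                and _match(r.application, flow.application)
                and _match(r.src_segment, flow.src_segment)
                and _match(r.dst_segment, flow.dst_segment)
                and (r.port == 0 or r.port == flow.port)):
            return r
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Default deny. Returns (decision, log line); denied crossings are the alert signal."""
    rule = first_matching_rule(flow)
    base = (f"user={flow.user} device={flow.device} app={flow.application} "
            f"{flow.src_segment}->{flow.dst_segment}:{flow.port}")
    if rule is None:
        return "DENY", f"DENY {base} reason=no-matching-rule"
    return "ALLOW", f"ALLOW {base} rule={rule.name}"


# Constructed sample flows (not from the page).
SAMPLE_FLOWS: List[Flow] = [
    Flow("alice", "lt-1001", "webmail", "office", "dmz", 443),   # allowed by staff-webmail
    Flow("alice", "lt-1001", "hmi", "office", "scada", 443),     # laptop straight into SCADA: denied
    Flow("bob", "lt-1001", "hmi", "office", "scada", 443),       # right person, wrong device and path: denied
    Flow("bob", "jump-01", "hmi", "dmz", "scada", 443),          # allowed by ot-hmi-via-jumphost
]


def run_samples() -> List[str]:
    """Evaluate the sample flows, print the log lines, return the decisions in order."""
    decisions = []
    for f in SAMPLE_FLOWS:
        decision, line = evaluate(f)
        print(line)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    run_samples()
```

The third sample flow is the one worth noting: the user is entitled to reach the SCADA segment, but not from that device or that segment, so the request is denied and logged. That is the difference between a role check alone and segmentation on all four dimensions.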


Ukraine Power Grid Cyberattack 2015

(The same network diagram is repeated on each step: Office, DMZ, SCADA, a substation SCADA segment, and substations S1 and S2.)

Steps shown on the slides:

1. Email with BlackEnergy malware

2. Pivot to server and establish C&C

3. They found the pre-shared key for the VPN on the SCADA firewall

4. Firmware has been changed on SCADA devices

5. They use the SCADA HMI to open breakers

Full document with all recommendations: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf