6 CISO Takeaways from the NSA’s Zero-Trust Guidance – Dark Reading
The reality of cybersecurity for companies is that adversaries compromise systems and networks all the time, and even well-managed breach-prevention programs often have to deal with attackers inside their perimeters.
On March 5, the National Security Agency continued its series of best-practice recommendations for federal agencies, publishing its latest Cybersecurity Information Sheet (CIS) on the Network and Environment pillar of its zero-trust framework. The NSA document recommends that organizations segment their networks so that unauthorized users cannot reach sensitive information. The reasoning is that strong cybersecurity measures can stop compromises from turning into full-blown breaches by limiting every user's access to the areas of the network in which they have no legitimate role.
The guidance from the NSA also lets security teams make a stronger business case to management for security protections, but CISOs need to set expectations, because implementation is a tiered and complex process.
While the document targets defense-related government organizations and industries, the wider business world can benefit from zero-trust guidance, says Steve Winterfeld, advisory CISO at Internet services giant Akamai.
"The reality is not [whether] you have unauthorized access incidents, it's if you can catch them before they become breaches," he says. "The key is 'visibility with context' that microsegmentation can provide, backed up with the ability to rapidly isolate malicious behavior."
Companies have embarked on zero-trust initiatives to make their data, systems, and networks harder to compromise and, when they are compromised, to slow attackers down. The framework is a solid set of guidelines for how to proceed, but implementing it is not easy, says Mike Mestrovich, CISO at Rubrik, a data security and zero-trust provider.
"Most networks have evolved over time and it is very difficult to go back and rearchitect them while keeping the business running," he says. "It is doable, but it can be costly both in terms of time and money."
Here are six takeaways from the NSA guidance.
The latest document from the National Security Agency dives into the fifth pillar of the seven pillars of zero trust: the network and environment. Yet the other six pillars are equally important and show "how wide-ranging and transformational a zero-trust strategy has to be to be successful," says Ashley Leonard, CEO at Syxsense, an automated endpoint and vulnerability management firm.
"Network and environment" is the fifth pillar in the National Security Agency's Seven Pillars of Zero Trust. Source: NSA
"For companies looking to get started with zero trust, I'd highly encourage them to review the NSA information sheets on the user and device pillars, the first and second pillars of zero trust, respectively," he says. "If a company is just getting started, looking at this networking and environment pillar is a bit like putting the cart before the horse."
The network and environment pillar of the NSA's zero-trust plan is all about stopping attackers from expanding a breach after they have already compromised a system. The NSA guidelines point to the Target breach of 2013, without explicitly naming the company, as the canonical example: the attackers entered via a vulnerability in the company's third-party HVAC system, but were then able to move through the network and infect point-of-sale devices with malware.
Companies should assume they will be compromised and find ways to limit or slow down attackers, NSA Cybersecurity Director Rob Joyce said in a statement announcing the release of the NSA document.
"Organizations need to operate with a mindset that threats exist within the boundaries of their systems," he said. "This guidance is intended to arm network owners and operators with the processes they need to vigilantly resist, detect, and respond to threats that exploit weaknesses or gaps in their enterprise architecture."
The NSA guidance is a tiered model, where companies should start with the basics: mapping data flows in their networks to understand who is accessing what. While other zero-trust approaches have been documented, such as NIST's SP 800-207 Zero Trust Architecture, the NSA's pillars give organizations a way to think about their security controls, Akamai's Winterfeld says.
"Understanding data flow primarily provides situational awareness of where and what the potential risks are," he says. "Remember, you can't protect what you don't know about."
After tackling the other fundamental pillars, companies should kick off their foray into the Network and Environment pillar by segmenting their networks, perhaps broadly at first but with increasing granularity. Major functional areas include business-to-business (B2B) segments, consumer-facing (B2C) segments, operational technology such as IoT, point-of-sale networks, and development networks.
After segmenting the network at a high level, companies should aim to further refine the segments, Rubrik's Mestrovich says.
"If you can define these functional areas of operation, then you can begin to segment the network so that authenticated entities in any one of these areas don't have access without going through additional authentication exercises to any other areas," he says. "In many regards, you will find that it is highly likely that users, devices, and workloads that operate in one area don't actually need any rights to operate or resources in other areas."
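The two steps described above, mapping data flows first and then checking them against a segmentation policy, can be made concrete in a small model. The script below is an added example, not code from the article or from the NSA document: it parses a few constructed flow-log lines, builds a segment-to-segment data-flow map, and then applies a policy in which same-segment traffic is allowed, cross-segment traffic is allowed only when the session carried additional (step-up) authentication, and traffic touching an address outside every known segment is set aside for review so the map can be extended before enforcement. The segment names follow the functional areas the article lists; the address ranges, hosts, ports and the `auth=yes|no` log format are assumptions for the example.

```python
"""Added example (not from the article or the NSA document): map observed
data flows between functional segments, then evaluate each flow against a
segmentation policy that requires step-up authentication for cross-segment
access. Segment ranges, hosts and the log format are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed address ranges for the functional areas named in the article.
SEGMENTS = {
    "b2b": ipaddress.ip_network("10.10.0.0/16"),
    "b2c": ipaddress.ip_network("10.20.0.0/16"),
    "ot":  ipaddress.ip_network("10.30.0.0/16"),   # operational technology / IoT
    "pos": ipaddress.ip_network("10.40.0.0/16"),   # point-of-sale
    "dev": ipaddress.ip_network("10.50.0.0/16"),   # development
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    stepped_up: bool  # session carried additional authentication


def segment_of(ip: str) -> str:
    """Return the functional segment an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(lines):
    """Parse constructed flow-log lines of the form 'src dst dport auth=yes|no'."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, auth = line.split()
        flows.append(Flow(src, dst, int(dport), auth == "auth=yes"))
    return flows


def map_flows(flows):
    """Step 1: the data-flow map -- which segments talk to which, and how often."""
    counts = {}
    for f in flows:
        key = (segment_of(f.src), segment_of(f.dst))
        counts[key] = counts.get(key, 0) + 1
    return counts


def evaluate(flows):
    """Step 2: the segmentation policy. Returns (flow, src_seg, dst_seg, verdict)."""
    decisions = []
    for f in flows:
        s, d = segment_of(f.src), segment_of(f.dst)
        if "unknown" in (s, d):
            verdict = "review"      # unmapped asset: extend the map before enforcing
        elif s == d or f.stepped_up:
            verdict = "allow"       # same segment, or cross-segment with step-up auth
        else:
            verdict = "deny"        # cross-segment without additional authentication
        decisions.append((f, s, d, verdict))
    return decisions


# Constructed sample log. The second line models the lateral move the article
# describes: an OT host reaching into the point-of-sale segment with no step-up.
SAMPLE_LOG = """
# src          dst          dport auth
10.30.4.7      10.30.4.9    502   auth=no
10.30.4.7      10.40.1.12   445   auth=no
10.50.2.3      10.10.8.8    443   auth=yes
10.20.6.1      10.20.6.2    8443  auth=no
10.50.2.3      192.168.9.9  22    auth=no
"""


def summarize(log_text=SAMPLE_LOG):
    """Count verdicts over a log so the policy's effect can be checked at a glance."""
    decisions = evaluate(parse_flows(log_text.splitlines()))
    return {v: sum(1 for dec in decisions if dec[3] == v) for v in ("allow", "deny", "review")}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG.splitlines())
    for (src_seg, dst_seg), n in sorted(map_flows(flows).items()):
        print(f"{src_seg:>7} -> {dst_seg:<7} {n} flow(s)")
    for f, s, d, verdict in evaluate(flows):
        print(f"{verdict:<6} {f.src} ({s}) -> {f.dst} ({d}) :{f.dport}")
    print(summarize())
```

Run as-is, the script denies exactly one flow, the OT-to-POS connection without step-up authentication, allows the three flows that are either within a segment or cross-segment with additional authentication, and marks the connection to an unmapped address for review. The "review" verdict is the practical hook for the iterative discovery the article's closing section describes: every unmapped address the flow map turns up is a reason to revise the segmentation plan before the policy is enforced.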
Zero-trust networking requires companies to be able to react quickly to potential attacks, which makes software-defined networking (SDN) a key approach not only to pursuing microsegmentation but also to locking down the network during a potential compromise.
However, SDN is not the only approach, Akamai's Winterfeld says.
"SDN is more around governance of operations but depending on your infrastructure might not be the optimal solution," he says. "That said, you do need the types of benefits that SDN provides regardless of how you architect your environment."
Finally, zero trust is not a one-time project but an ongoing initiative. Not only do organizations need patience and persistence in deploying the technology, but security teams need to revisit the plan and modify it as they face and overcome challenges.
"When thinking about starting on the zero-trust journey, their guidance on starting with mapping data flows, then segmenting them, is spot on," Winterfeld says, "but I would add that it is often iterative, as you will have a period of discovery that will require updating the plan."