The goal of the cybersecurity industry is to prevent successful cyberattacks – "success" meaning the exfiltration of sensitive and/or valuable data. This is becoming progressively more difficult to achieve due to the growing sophistication and scale of attacks. As an industry, we need to change our approach and architectures to protect our environments.
Although there are many point products available in the industry to tactically address threats, the industry is still struggling with some additional challenges: proliferation of products, duplicate features, increasing operational costs and shortage of skilled resources. Traditional approaches to cybersecurity have increased these challenges because they lack automation and integrated capabilities. Forrester® introduced Zero Trust as a modern strategy to prevent successful cyberattacks. This paper will explain how to achieve Zero Trust by transforming to a prevention-based architecture with the Palo Alto Networks® Security Operating Platform.
Zero Trust is a cybersecurity strategy designed around the concept that users, applications and data should never be trusted, and their actions should always be verified in an environment. The strategy involves limiting the scope of an attack and blocking lateral movement by leveraging micro-segmentation based on users, data and location. To achieve Zero Trust, you must start with identifying what needs to be protected and where it is located. This is called the "protect surface" – the users, applications, data and services to be protected – and should be limited to the smallest possible scope. The transaction flows across the protect surface must be understood so that policies can be created to prevent successful attacks against it. This differs from traditional approaches in that it focuses on the individual pieces to be protected instead of perimeter protection.
Figure 1: A model of Zero Trust
Zero Trust is implemented with a prevention-based architecture, and numerous capabilities of the Security Operating Platform provide the tools to achieve it. A prevention-based architecture grounds your security approach in prevention. The process of transforming to this architecture is defined in four levels.
This model, depicted in Figure 2, focuses on four levels of adoption of platform functionality to achieve specific outcomes and, ultimately, Zero Trust. Fully achieving each transformation level also requires operational transformation. This ensures the processes and expertise are in place to maintain the current capabilities and avoid reverting to traditional approaches.
Figure 2: Prevention-based architecture transformation levels
The primary focus of this level is to migrate from legacy technologies and achieve a baseline of visibility and awareness into user activity, network traffic and threats. Greater visibility means lower risk. This begins with the foundational requirements for the successful integration of the platform into the environment, followed by the functions of the platform that provide visibility into activity and usage so that operations personnel can refine controls and utilize the rich information this visibility provides.
The aim of this level is to achieve complete visibility into the environment, based on your organization's business goals and requirements. You can use the information you gain through this visibility to make better and safer decisions on how to secure your environment. This allows for tighter controls around network traffic through application recognition and enforcement, file transfer restrictions, and segmentation.
The third level focuses on refining the existing configurations for enhanced prevention enforcement, measurement and analytics. At the completion of this level, all desired features of the platform are functional, and operational processes exist to operate, maintain and continually update prevention controls as required by the ever-changing threat landscape.
The fourth level achieves a full technology and operational transformation across all deployment scenarios, including network, endpoint and cloud, as adopted based on your business needs. Following Level 3, you have achieved a best-practice stance for granular visibility and precise control of users, apps and threats. The fourth level is about enhancing and expanding the capabilities of the platform by providing advanced features in the areas of securing software-as-a-service type applications, threat analytics, Application Framework applications and other cloud-based alternatives to contemporary services. The Security Operating Platform has advanced features to assist you on this journey.
The four levels of transformation are only complete when paired with the operational components necessary to operate and maintain the platform features. Operational transformation establishes the steady-state processes and people changes required to maintain the transformation after the project is complete. This includes process documentation, education and training, prevention assessment, application of automation, and measuring/revising progress.
Confidence in your controls comes in two categories: configuration confidence and operational confidence. Configuration confidence is the assurance that your technologies are running as intended and configured according to best practices. Operational confidence is the assurance that you have the skilled resources and processes in place to handle an attack when it happens. Various tools provided by Palo Alto Networks can measure this confidence.
The Security Lifecycle Review, or SLR, is a tool that can help you gain visibility into what is happening on your network. It provides a full understanding of which applications are being used, including "shadow" applications that your IT department may not have authorized. It will show URL traffic and content types, as well as catalog all potential threats on the network, known and unknown, including those linked to user behavior. The final report includes recommendations for handling the risks identified.
Figure 3: SLR excerpt example
The Best Practice Assessment, or BPA, is a tool that can help you assess security capabilities in different parts of your environment as well as your adherence to best practices. The results are provided as a heatmap depicting feature use throughout your network. Additionally, the online report includes detailed information about controls that do not align with best practice recommendations and information about how to update them.
Figure 4: Heatmap results from a BPA
Figure 5: Example output of a BPA
The Expedition transformation and best practices adoption tool will help with your initial migration and policy consolidation from legacy technology, and it takes advantage of machine learning to refine security policies. The tool will create security policies for implementation based on analyses of application consumption by users and servers. It will also enrich security policies and reduce the attack surface by replacing overly open objects with the specific users, applications and zones seen in traffic logs. Expedition makes it easy to replace old application override rules with new custom timeouts, from services available with PAN-OS®, to increase visibility.
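The two ideas above, mapping the transaction flows across a protect surface so that policy allows only those flows, and replacing overly open rule objects with the users, applications and zones actually seen in traffic logs, come down to the same aggregation step. The following is an added illustration, not Expedition's own code or any Palo Alto Networks API: it reads constructed, simplified CSV log lines (a format assumed for this example, not the PAN-OS traffic log format), collects the values observed per rule, and rewrites each "any" field of a constructed rulebase to the observed set, reporting rules that saw no traffic at all.

```python
"""Added example: tightening open rules from observed traffic (conceptual).

Everything below is constructed for illustration. The log format, the rule
names and the field names are assumptions, not PAN-OS or Expedition formats.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample traffic log: one line per session, keyed by the rule
# that matched it. Real logs carry far more fields; only the ones needed to
# narrow a rule are modelled here.
SAMPLE_LOG = """\
rule,user_group,src_zone,dst_zone,app
allow-crm,sales,branch,dc-crm,web-browsing
allow-crm,sales,branch,dc-crm,ssl
allow-crm,sales,vpn,dc-crm,ssl
allow-crm,finance,branch,dc-crm,ssl
legacy-any,eng,corp,dc-db,mysql
legacy-any,eng,corp,dc-db,ssh
"""

# Constructed current rulebase. "any" marks an overly open object that
# widens the attack surface beyond the mapped transaction flows.
CURRENT_RULES = {
    "allow-crm": {"user_group": "any", "src_zone": "any",
                  "dst_zone": "dc-crm", "app": "any"},
    "legacy-any": {"user_group": "any", "src_zone": "any",
                   "dst_zone": "any", "app": "any"},
    "unused-rule": {"user_group": "any", "src_zone": "any",
                    "dst_zone": "any", "app": "any"},
}

FIELDS = ("user_group", "src_zone", "dst_zone", "app")


def observed_values(log_text):
    """Aggregate the distinct value seen for each field, per matching rule."""
    seen = defaultdict(lambda: {f: set() for f in FIELDS})
    for row in csv.DictReader(StringIO(log_text)):
        for f in FIELDS:
            seen[row["rule"]][f].add(row[f])
    return seen


def tighten_rules(rules, seen):
    """Replace each "any" with the sorted list of values actually observed.

    Returns (tightened_rules, unused_rule_names). A rule with no matching
    traffic is reported rather than rewritten, since there is nothing to
    narrow it to; it is a candidate for removal, not for automatic change.
    """
    tightened, unused = {}, []
    for name, rule in rules.items():
        if name not in seen:
            unused.append(name)
            continue
        new_rule = {}
        for f in FIELDS:
            if rule[f] == "any":
                new_rule[f] = sorted(seen[name][f])
            else:
                new_rule[f] = [rule[f]]   # already specific: keep as is
        tightened[name] = new_rule
    return tightened, unused


def proposed_rulebase():
    """Run the aggregation over the constructed log and rulebase."""
    return tighten_rules(CURRENT_RULES, observed_values(SAMPLE_LOG))


if __name__ == "__main__":
    rules, unused = proposed_rulebase()
    for name, rule in rules.items():
        print(name, rule)
    print("no traffic observed:", unused)
```

The narrowed rule is only as good as the observation window: a flow that did not occur while logs were collected (a quarterly batch job, a disaster-recovery path) will be missing from the allowlist, which is why the paper recommends validating new policies before retiring the old ones rather than cutting over on the strength of the aggregation alone.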
Figure 6: Example output from the Expedition tool
In a collaborative workshop environment, our expert consultants will perform a health check to analyze your configuration and traffic, determine the effectiveness of your controls, and provide recommendations on how you can improve your prevention posture. The traffic analysis is performed with your team to help you make evidence-based modifications to your controls to better protect against active threats.
Figure 7: Example output from the threat assessment
This transformation can be performed over time, incrementally, without disrupting your environment. We recommend you start with a well-known and well-understood part of your network, such as a branch office or a main data center. This will further reduce risk because of your team's knowledge of, and comfort with, the existing architecture. You can also run the new policies alongside the old ones to gain confidence in their effectiveness. Once you've transformed one area of your network, you can expand to other parts of the environment.
You may also consider moving workloads to the cloud. Since controls are close to the protect surface, policies are not tied to a location and will move with the workloads as they migrate to the cloud.
Once achieved, Zero Trust provides numerous benefits, including: