Enhancing zero trust access through context-aware security posture
Expanding inputs to the policy engine.
As an onslaught of ransomware attacks accelerates, cyber criminal organizations are demonstrating increasing levels of sophistication and guile. Most recently, the Federal Bureau of Investigation (FBI) revealed that some groups are specifically targeting organizations facing time-sensitive financial events to maximize leverage over their victims. These events include planned earnings report releases as well as mergers and acquisitions (M&A).
Seeing as how ransomware gangs are increasingly operating like businesses themselves (albeit in a distinctly criminal manner), it only makes sense that they would seek to improve their negotiating position by applying pressure to their counter-parties at the most inopportune times. Due to the massive potential sums that can be extorted, this threat will continue to metastasize. Thankfully, there is a silver lining to such behavior, as it is becoming more predictable and thus - in some aspects - more easily defended against. The very events that increase criminal hackers’ leverage against their victims will at the same time make the timing of their attacks foreseeable.
Zero trust access (ZTA) models are increasingly in vogue as a method to protect against a broad array of threats, including ransomware. Although zero trust principles are broadly applicable, in light of the new threats facing organizations - specifically from financially-motivated actors that engage in extortion - special attention is due for the policy engines at the heart of ZTA systems.
A policy engine is the “brain” of a ZTA-based architecture, which dictates the level of scrutiny applied to human and machine network agents as they attempt to authenticate themselves and gain access to resources. These engines make decisions about whether to approve or deny access - or demand additional authentication factors - based on a variety of different factors, including implied geolocation, time of day, threat intelligence indicators, sensitivity of data being accessed, and other technical inputs.
ZTA does not merely facilitate heightened scrutiny of network actors that behave suspiciously. It also allows for streamlined access by clearly bona fide users to enhance productivity and reduce business interruptions resulting from security measures. Thus, properly implemented zero trust systems achieve the best of both worlds: enhanced cybersecurity and more rapid generation and delivery of business value.
To make this model even more powerful in the face of the evolving ransomware threat, I would suggest that ZTA systems incorporate additional factors - in concert with the aforementioned technical ones - to allow organizations to assume a context-aware security posture. This could take the form of increasing or decreasing the baseline level of scrutiny applied to network agents based on both publicly-announced and privately-contemplated events.
The days before the release of quarterly earnings, a critical shareholder vote, or a major contract award decision are all examples of generally higher-risk times. During these periods of heightened threat, organizations could calibrate their policy engines to be more “suspicious,” driving more stringent authorization requirements. Similarly, when an enterprise knows confidentially that it is at higher risk - such as during acquisition discussions with a potential buyer or after a key cybersecurity executive has given notice of intent to depart the company - it could also increase the level of scrutiny applied by the policy engine.
Conversely, during lower risk times, employees would experience reduced levels of resistance when attempting to access various resources. This would ameliorate some frustration that employees have with security-related controls, making them generally less likely to attempt to evade such measures.
Implementing such a model would require substantial investment, to be sure. A key to maintaining a continually-adjusted context-aware security posture is automation, which would rely on integrations between human resources, financial reporting, contract management, and similar systems and the policy engine. Furthermore, developing and tuning the algorithms driving the policy engine’s decision-making will require substantial time and research.
Additionally, organizations implementing such context-driven policies will need to be sure they don’t tip their hand through enhancing or relaxing security measures. For example, if authorized users could clearly detect an increase in security measures at an unexpected time (e.g. not before a scheduled earnings announcement), they might be able to intuit that something else is afoot that they should not otherwise know about, such as a planned merger. Similarly, a patient unauthorized intruder might be able to monitor fluctuating security requirements and determine what an especially critical juncture for its target might be.
With that said, I think that on the balance, a well-designed and -implemented context-aware security posture could incrementally reduce the likelihood of a company suffering a devastating cyber attack at the worst possible moment. It would also drive additional value generation by reducing unnecessarily restrictive security burdens during lower-risk periods.
Context-driven security policies could be applied outside the private sector as well, in government- and government-adjacent fields. The stringency of federal, state, and local department and agency security policies could increase prior to major events such as elections, to defend against malicious cyber actors attempting to improperly influence or disrupt them. In addition to other security measures, political campaigns could automatically harden their networks in the run-up to the polls to avoid doxxing or espionage.
Of course, just like their corporate counterparts, governments would need to be careful not to reveal non-public plans or activities, such as a clandestine military action or movement. The U.S. Army is closely focused on signature management efforts to help achieve victory on future battlefields, and these efforts should consider the impacts of automated changes in an organization’s cybersecurity posture.
Despite these caveats, the potential use cases for a context-aware security posture are numerous. Given the incredible damage being wrought by malign cyber actors of all stripes - from purely profit-seeking ransomware gangs to nation-state advanced persistent threat actors - novel solutions are in dire need. Allowing organizations to adjust their cybersecurity defenses based on an increased range of factors, a context-aware security posture would help to prevent some of the massive harm that is bound to continue otherwise.
Thanks for reading Deploying Securely! Subscribe to receive new posts.
Note: This article originally appeared on CSO Online. Reprinted with permission. © IDG Communications, Inc., 2021. All rights reserved.