Zero Trust - Brace for Impact

September 19, 2024

In the world of cybersecurity, we all know that there are bad things that could happen. But how can we best evaluate those things so we understand our risk?


When it comes to Zero Trust, we leverage the Likelihood X Impact = Risk formula.


As you modernize your tech stack and begin to think differently about security, remember the basic premise of Zero Trust: Assume Breach. These aren’t just words; assuming the worst has happened influences the way we think about security.


The “Assume Breach” basis of Zero Trust shatters the traditional risk management approach and changes the risk paradigm in a major way. We are forced to think about risk and mitigation completely differently. For example, if we assume breach, likelihood is maxed out in that calculation: the likelihood of a breach is 100% because we are assuming it has already happened. In the diagram below, using the numbering and calculation method from the NIST RMF (Risk Management Framework), the likelihood is a 10 (Very High), and as security practitioners we find our opportunity on the x axis – Impact. Our mission is now to contain, limit, restrain, disrupt, and respond at the speed of compute to an attack.


Figure 1 (Figure-1.png)


This means that preventative controls have failed, and we are now left to develop/leverage our detective, corrective, and compensating controls to influence the x axis or Impact.


Whatever an organization’s risk tolerance, the level of risk it is willing to accept narrows under this model. Looking at Figure 1 above, the x axis illuminates where we need to concentrate: limiting the “blast radius” or attack surface.


When applying risk in a Zero Trust world, most organizations will set a risk tolerance in the Low/Moderate range, depending on the sensitivity of the Data, Applications, Assets, and Services (DAAS). In Figure 2 below, once the risk calculation (Likelihood X Impact = Risk) is performed, we must choose mitigation that keeps us in the 0 to 79 calculated-risk range, meaning no more than a Moderate-level risk should be acceptable.


Figure 2 (Figure-2.png)


Again, the DAAS sensitivity plays into the decision for controls. We should always be pragmatic when choosing controls, in addition to aligning with the business to ensure our risk reduction measures aren’t breaking the business/mission.
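To make the assume-breach calculation concrete, here is an added worked example (not code from the original post or from Optiv + ClearShark). It pins likelihood at 10, applies the 0 to 79 acceptable-risk range from the post, and then walks a small DAAS register through a greedy choice of detective, corrective and compensating controls until each asset's residual risk fits inside tolerance. The 0 to 10 impact scale, the per-control "impact reduction" scores, the control names and the sample assets are all assumptions constructed for illustration; they are not values from the post.

```python
# Added example (not from the post or Optiv + ClearShark): an assume-breach risk
# evaluator for Likelihood x Impact = Risk.
# From the post: likelihood pinned at 10 (Very High), acceptable risk 0-79.
# Assumed for illustration: impact scored 0-10, and each control carries an
# "impact_reduction" score. Both conventions are ours, not the post's.
from dataclasses import dataclass, field

LIKELIHOOD_ASSUME_BREACH = 10   # assume breach: likelihood is maxed out
RISK_TOLERANCE_MAX = 79         # acceptable risk stays in 0-79 (no more than Moderate)
IMPACT_MIN, IMPACT_MAX = 0, 10  # assumed impact scale, so risk spans 0-100


def risk(likelihood: int, impact: int) -> int:
    """Likelihood x Impact = Risk."""
    return likelihood * impact


def max_acceptable_impact(likelihood: int = LIKELIHOOD_ASSUME_BREACH,
                          tolerance: int = RISK_TOLERANCE_MAX) -> int:
    """Largest whole impact score whose risk still fits inside the tolerance."""
    return tolerance // likelihood


@dataclass
class Control:
    name: str
    kind: str               # detective, corrective or compensating (post-breach control types)
    impact_reduction: int   # assumed scoring: impact points this control removes


@dataclass
class Asset:
    name: str               # one DAAS element (data, application, asset or service)
    inherent_impact: int    # impact with no post-breach controls applied
    controls: list = field(default_factory=list)

    def residual_impact(self) -> int:
        reduced = self.inherent_impact - sum(c.impact_reduction for c in self.controls)
        return max(IMPACT_MIN, min(IMPACT_MAX, reduced))

    def residual_risk(self) -> int:
        # Likelihood never drops: controls only move the asset along the impact axis.
        return risk(LIKELIHOOD_ASSUME_BREACH, self.residual_impact())

    def within_tolerance(self) -> bool:
        return self.residual_risk() <= RISK_TOLERANCE_MAX


def plan_controls(asset: Asset, candidates: list) -> tuple:
    """Greedily attach candidate controls (largest impact reduction first) until the
    asset's residual risk is inside tolerance. Returns (names_added, within_tolerance);
    the flag is False when even every candidate cannot bring the risk down enough."""
    added = []
    for control in sorted(candidates, key=lambda c: c.impact_reduction, reverse=True):
        if asset.within_tolerance():
            break
        asset.controls.append(control)
        added.append(control.name)
    return added, asset.within_tolerance()


# Constructed sample control catalogue and register (illustrative values only).
CANDIDATE_CONTROLS = [
    Control("Network microsegmentation (SDN)", "compensating", 2),
    Control("Immutable backups", "corrective", 2),
    Control("EDR automated host isolation", "corrective", 1),
    Control("Attribute-based least-privilege access", "compensating", 1),
]

SAMPLE_REGISTER = [
    Asset("Payroll database", inherent_impact=10),
    Asset("Public brochure website", inherent_impact=3),
]


def evaluate_register(register: list, catalogue: list) -> dict:
    """Return {asset name: (residual risk, controls added, within tolerance)}."""
    report = {}
    for asset in register:
        added, ok = plan_controls(asset, list(catalogue))
        report[asset.name] = (asset.residual_risk(), added, ok)
    return report


if __name__ == "__main__":
    print(f"Impact must be <= {max_acceptable_impact()} when likelihood is {LIKELIHOOD_ASSUME_BREACH}")
    for name, (residual, added, ok) in evaluate_register(SAMPLE_REGISTER, CANDIDATE_CONTROLS).items():
        print(f"{name}: residual risk {residual}, within tolerance={ok}, controls={added}")
```

With likelihood fixed at 10 the arithmetic shows why the x axis is the only lever left: an impact score above 7 can never satisfy a 79 ceiling, so the payroll database in the sample needs two controls before it lands inside tolerance, while the low-sensitivity brochure site needs none. The greedy planner is deliberately simple; a real programme would weigh cost and business disruption alongside reduction, which is the pragmatism the paragraph above calls for.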


Some may ask, “How do we limit the Impact?”


I have highlighted a few “quotes” from people (some are not real) who did not say anything about Zero Trust (NOTE: these are not actual quotes):


  1. Dr. Young Frankenstein – “Work from the inside-out”. Start with what you know you must protect and develop controls as close to the critical asset as possible. Know how to spot “Abe Normal” when you see her (IYKYK).
  2. The Offspring – “You gotta keep ’em separated – Dynamically”. The Offspring never said those exact words because it didn’t rhyme. Develop a network strategy that best supports the objectives you are trying to achieve. SDN (Software Defined Networking) makes isolating critical assets easier.
  3. Mr. Mackey (South Park) – “Exposure is bad, mmkay?”. This unpopular cartoon character never said this. Develop a modern remote and partner access strategy that combines attribute-based identity controls and granular network controls, limiting exposure to only the access that is strictly necessary to perform tasks and/or activities.
  4. Kraftwerk – “Monitor, Automate, Analyze, Orchestrate”. A not-very-well-known song that was probably never recorded. Leverage modern technology to help you accelerate response and automate informed decisions.


We’re obviously having some fun with Zero Trust here, but it is important not to lose the message: to reduce the impact we must reduce the “blast radius” or “attack surface”.


The adversary comes in many different shapes and sizes and ranges from an employee making a bad decision to an intentional and targeted DDoS attack (and everything in-between). Including Zero Trust design principles in the security roadmap and risk strategy will help you limit the harm from the breach you assume has already happened.

Mark Modisette
Executive Director, Executive Solutions, Office of the CISO
Zero Trust Technologist Mark Modisette is a veteran information assurance and security executive with more than 20 years of experience in multiple industry sectors. Mark's recent experience with Optiv + ClearShark has focused on Zero Trust evangelism, authorship, and advisory services, where he works with organizations to design roadmaps, perform Zero Trust readiness reviews, and make recommendations to ensure successful ZT implementations. Additionally, Mark helps clients understand where to start with Zero Trust and how to utilize security program management and security risk management to ensure continued success in the implementation of Zero Trust concepts.

About Optiv + ClearShark™

Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center, cloud and to the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances.


Now part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.