Yes, describing Zero Trust is not going to cut it. I do like your Sisyphusian word; if it is not in the OED, it ought to be. Such a perfect image of how we address security challenges - Sisyphus was a Greek mythical character who was made to roll a very heavy boulder uphill, and just before reaching the top, it was destined to roll down again. Zero Trust past processes are not going to stop APTs (Advanced Persistent Threats). For example, Russia's cyber attacks on Ukraine have evolved rapidly over the past year.
@Bernard Coetzee I think determining risk has to be a given. For example, I snowboard and surf, and I change my style according to the conditions. When the conditions are difficult, I focus on safety. Business and technical risk are the same thing: the risk of exposing information/data/resources to threat actors.
The European Union is taking the lead again this year, as it did on data privacy and GDPR. There are new EU cybersecurity rules for hardware and software products scheduled. The EU Cyber Resilience Act is being enacted in 2023.
https://ec.europa.eu/commission/presscorner/detail/en/ip_22_5374 - the premise behind this act is "the majority of cyberattacks rely on exploiting tech vulnerabilities"
I'd like to see a practical approach to Zero Trust that uses in depth knowledge of existing and potential vulnerabilities, combined with a risk reduction strategy to address potential damage, as an architecture and design prerequisite.
To this end, a few of us have got together, and we are developing a Zero Trust Proof-of-Concept, following best-practice cyber security architecture and design principles. We'll keep you posted on progress, as we intend to publish in the next couple of months. The approach is based on 9 years' hands-on customer experience of security architecture, and I do try to keep up with threat evolution :)
I really do think you expressed it very well, Richard, 'the need to prioritise based on the risk/value of the asset to the business'
Bernard, did you mean that AI & ML are helping APTs expose vulnerabilities? If so, I concur.
Nya
PS Thanks for the heads-up on MITRE ATT&CK - I did not know it existed.
------------------------------
Nya Murray
Director
Trac-Car
------------------------------
Original Message:
Sent: Jan 02, 2023 08:19:50 AM
From: Richard Baker
Subject: Zero Trust and Insider Threats
Nya,
I think the challenge facing zero trust is that it is attempting to break the traditional security mould that has been based on the compliance-as-a-snapshot model.
We are not going to be able to break that easily, for the very reason that you suggest: too many vendors and application developers/integrators need to get an MVP to market or to a client. This is not just true with ZT but more generally, and I have attempted to get some recognition for this in the citizen identity space, where the ramifications are socially greater.
So part of the business case discussion is going to be how to communicate constructively (for the business) that ZT is THE journey and not the destination; it is a process of maturation and not Sisyphusian (is this a word?) in nature, where we keep on getting knocked back with every change in the attackers' modus operandi.
I have seen a number of attempts to describe ZT maturity, typically presented as Prep/Discovery, Basic, Intermediate, Advanced. I suspect we might want to use language more aligned to CMM, along the lines of Discovery, Manual Process, Automated, Optimising. We are going to have to present this as an ongoing structured exploration that can respond to the changing world/context, accepting that a client will need to prioritise based on the risk/value of the asset to the business and its associated context. So different parts of an organisation's infrastructure might be at different levels of maturity.
So if insider threats are emerging, let's take a leaf out of the MITRE ATT&CK playbooks and map what they are doing to update the wider strategy, not just to propose a point solution.
Richard
Original Message:
Sent: 1/2/2023 10:30:00 AM
From: Bernard Coetzee
Subject: RE: Zero Trust and Insider Threats
Indeed, Nya
Original Message:
Sent: 1/2/2023 6:22:00 AM
From: Nya Murray
Subject: Zero Trust and Insider Threats
Happy 2023!
One of the biggest problems in Australia in 2022 was insider cyber threats. I am sure that the Australian government is not the only one to face this type of stealth attack: opportunistic, and wide ranging. Interesting views from SecurityBrief Australia: "Insider threats stories - SecurityBrief Australia".
Given that one of the problems with Zero Trust is that it becomes a snapshot of perceived best practice, unless there is a provision for evolution within the maturity model, does the circle have a view on how to ensure that cyber security architecture evolves to cover AI enhanced threat actors?
My view is that end user security could have been the focus over the past five years, when, instead, the market opted for quick turnaround on applications. I do think the current level of identity fraud is a net result. And I do not see the average CISO having any leverage on the business drivers; in fact, I see cyber security professionals losing influence because of investor pressure for quick financial returns.
Looking forward to your views!
Best
Nya
------------------------------
Nya Murray
Director
Trac-Car
------------------------------