Xcitium

Don't Fear the Unknown. Contain It.

Zero Trust for Software: Contain Threats Without Slowing Business

Do you trust software and applications that run in your enterprise?

When it comes to designing a Zero Trust Architecture (ZTA), security leaders often focus on controlling the access and actions of users across their distributed enterprise, or the devices they use to access network resources. While these approaches are certainly useful, there is a deeper level of abstraction for control that has been largely ignored: Zero Trust for Software. Adopting a stance that all software is considered untrustworthy until proven otherwise, and controlling application behavior accordingly, can fundamentally change how organizations protect their endpoints, users, networks, and data.

Verify, then Trust

Zero trust is a security strategy that has been discussed for more than a decade, but has recently taken on more attention thanks in no small part to an executive order issued by President Biden in May 2021. This executive order directed the U.S. Government to advance toward adopting Zero Trust Architecture, which “allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access”.

Too often hackers are able to exploit implicit trust models that are embedded in our IT systems. As an example, a user who is connected to the corporate network might need access to engineering resources to do their job, but may also have unnecessary access to finance and HR resources, due to the manner in which the network is designed and access privileges are granted. Zero Trust Architecture aims to eliminate these sources of implicit trust, blocking unauthorized access and shrinking the blast radius associated with an attack should a breach occur.

Malware Takes Advantage of Implicit Trust

Modern IT systems place a lot of trust in software. Our current security model for software is essentially binary: you either block something from running because it's known to be bad, or allow it to run in the context of a user, with full privileges to do anything the user can do.

Unfortunately, we don't always have the context at runtime to make a good binary decision. The world is filled with new and unknown code. Data collected by Xcitium shows that more than 10% of users in the average enterprise encounter at least one unknown piece of software each week, the vast majority of which is perfectly benign code run by authorized users just getting their job done.

Malware exploits this knowledge gap by impersonating trustworthy software or using various trickery to convince a user that the malware is trustworthy enough to execute it. Once the malware achieves execution it is then free to leverage the implicit trust granted by the underlying operating system to achieve its malicious objectives, such as encrypting data, stealing credentials, or seeking out and exfiltrating sensitive information.

The fundamental issue here is that with a binary security model (where unknown software either runs, or is blocked), the needs of the business force our hand. Unless we've got a very good reason to block something, we must let it run if we don't want to be on the receiving end of a lot of calls from irate users just looking to do their jobs.

Moving Beyond the Binary Trust Model

It is clear that if we're going to get ahead of the enormous challenges imposed by ransomware and other malware, we need a new trust model for software. The principles of zero trust provide an ideal starting point.

Zero Trust for Software flips the standard security model on its head by taking the stance that just because software is running doesn't mean it should have full access to system resources and data. Instead, we approach unknown software with a skeptical eye, where all software is deemed untrustworthy by default, until proven otherwise. Done properly, this security model closes the gap and effectively chokes off malware before it can gain a foothold and produce damage in the environment.

This approach might sound similar to application allowlisting solutions such as Microsoft Defender Application Control, Carbon Black App Control, and similar products. These solutions work by managing a large list of known trusted applications (the allowlist) and blocking everything else. This is highly effective at stopping malicious software from running, but it retains the challenges of the binary trust model and ignores the reality of dynamic modern IT systems. In any sizable organization it is nearly impossible to know in advance, with certainty, every component of every application that users will need to do their jobs, because new and updated applications are introduced daily. Allowlisting in a modern enterprise is rarely feasible due to the high cost of maintaining the list and the high impact on users when it interferes with their work.

Application Containment Unlocks Zero Trust for Software

Application containment provides a path forward to Zero Trust for Software without the high costs of allowlisting. With application containment, we allow unknown software to execute but tightly control what it is allowed to do until trustworthiness can be established. An unknown piece of software, such as a new DLL delivered via a security update, would load and execute, but would not be granted privileged access to write to the file system, Windows registry, or other sensitive repositories. Any write the contained software attempts is redirected to a private copy inside the contained environment, so the real system is not modified until the application has been fully verified.
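To make the redirection concrete, here is an added illustration (not Xcitium's code and not a description of how ZeroDwell is implemented) of the three-way policy and the copy-on-write overlay it relies on. The host file system and registry are modelled as one dictionary, the paths and registry keys are constructed for the example, and the "ransomware" is a harmless stand-in that scrambles bytes in whatever store it is handed:

```python
"""Toy model of application containment with copy-on-write redirection.

Added illustration, not Xcitium's code. A dict stands in for the host file
system and registry. A trusted program writes to it directly; an unknown
program runs against a private overlay until a verdict commits or discards
the overlay; a known-bad program never runs at all.
"""
from enum import Enum


class Verdict(Enum):
    """Three-way trust decision instead of the binary allow/block."""
    KNOWN_GOOD = "allow"    # hash on the allowlist: runs directly against the host
    KNOWN_BAD = "block"     # hash on the blocklist: never executes
    UNKNOWN = "contain"     # neither: executes, but only against a private overlay


def classify(sha256: str, allowlist: set, blocklist: set) -> Verdict:
    if sha256 in blocklist:
        return Verdict.KNOWN_BAD
    if sha256 in allowlist:
        return Verdict.KNOWN_GOOD
    return Verdict.UNKNOWN


_TOMBSTONE = object()   # records a delete in the overlay without touching the host


class DirectStore:
    """Unrestricted access to the host store: what a trusted program gets."""
    def __init__(self, host: dict):
        self.host = host
    def keys(self):
        return sorted(self.host)
    def read(self, key):
        return self.host.get(key)
    def write(self, key, value):
        self.host[key] = value
    def delete(self, key):
        self.host.pop(key, None)


class Overlay:
    """Copy-on-write view: reads fall through to the host, writes and deletes
    are recorded privately until commit() or discard() is called."""
    def __init__(self, host: dict):
        self.host = host
        self.delta = {}
    def keys(self):
        live = {k for k in self.host if self.delta.get(k) is not _TOMBSTONE}
        live |= {k for k, v in self.delta.items() if v is not _TOMBSTONE}
        return sorted(live)
    def read(self, key):
        if key in self.delta:
            v = self.delta[key]
            return None if v is _TOMBSTONE else v
        return self.host.get(key)
    def write(self, key, value):
        self.delta[key] = value          # host untouched
    def delete(self, key):
        self.delta[key] = _TOMBSTONE     # host untouched
    def changed_keys(self):
        return sorted(self.delta)
    def commit(self):
        """Program verified benign: apply the recorded changes to the host."""
        for k, v in self.delta.items():
            if v is _TOMBSTONE:
                self.host.pop(k, None)
            else:
                self.host[k] = v
        self.delta.clear()
    def discard(self):
        """Program verified malicious: drop the overlay; the host never changed."""
        self.delta.clear()


def run_program(host: dict, verdict: Verdict, program):
    """Execute program(store) under the policy chosen by verdict.
    Returns the Overlay for a contained run, otherwise None."""
    if verdict is Verdict.KNOWN_BAD:
        return None
    if verdict is Verdict.KNOWN_GOOD:
        program(DirectStore(host))
        return None
    overlay = Overlay(host)
    program(overlay)
    return overlay


# Constructed sample (hypothetical paths and registry key): scrambles every
# user document it can see, drops a note and removes a persistence entry.
RUN_KEY = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/BackupAgent"
NOTE = "C:/Users/alice/Documents/README_DECRYPT.txt"

def fake_ransomware(store):
    for key in store.keys():
        if key.startswith("C:/Users/"):
            store.write(key, bytes(b ^ 0x5A for b in store.read(key)))
    store.write(NOTE, b"pay up")
    store.delete(RUN_KEY)


def fresh_host() -> dict:
    """Constructed host state: two documents and one autorun registry value."""
    return {
        "C:/Users/alice/Documents/budget.xlsx": b"Q1 numbers",
        "C:/Users/alice/Documents/plan.docx": b"roadmap",
        RUN_KEY: b"backup.exe",
    }


def contained_run():
    """Unknown sample under containment; returns (host untouched during run,
    what the sample saw, keys it touched, host untouched after discard)."""
    host = fresh_host()
    before = dict(host)
    ov = run_program(host, classify("unknown-hash", set(), set()), fake_ransomware)
    seen = ov.read("C:/Users/alice/Documents/budget.xlsx")
    touched = ov.changed_keys()
    ov.discard()                      # analysis verdict: malicious
    return host == before, seen, touched, host == before


def verified_run():
    """Benign unknown: contained first, committed once verified."""
    host = fresh_host()
    cfg = "C:/ProgramData/App/config.ini"
    ov = run_program(host, Verdict.UNKNOWN, lambda s: s.write(cfg, b"v2"))
    pending = cfg in host             # False: still only in the overlay
    ov.commit()
    return pending, host.get(cfg)
```

Run under the binary model (`Verdict.KNOWN_GOOD`), `fake_ransomware` scrambles the documents and removes the autorun entry on the host; under containment the same code runs, sees its own scrambled copies and believes it succeeded, yet `changed_keys()` gives the analyst a precise list of what it tried to do and `discard()` leaves the host exactly as it was. Note that the model only covers writes and deletes: a contained process can still read whatever the overlay lets it see, so a real containment control also needs policy on reads and network access.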

Taking this granular approach to software trust delivers a number of benefits. For starters, it defangs any malware that manages to evade existing security controls and find a way into the environment. Although the malware may still use trickery to achieve execution, whatever it attempts to change is confined to the container rather than the host. The contained process is still running, however, so its behavior should be captured and analyzed rather than ignored: containment buys safety, and analysis turns the unknown into a verdict.

At the same time, we minimize the impact of potential false positives on end users. Recall that the vast majority of unknown software that most users encounter is benign and useful. By applying the principles of zero trust, we can safely run unknown software, gaining the protection of an allowlisting solution at a fraction of the cost to monitor and maintain.

Perhaps most importantly, however, containment gives defenders more of a very precious commodity: time. Security professionals too often operate in continuous crisis mode. When a threat enters your network, a race begins where defenders must detect, understand, and contain the threat before the adversary can achieve their damaging objective. When security controls get in the way of doing business, security teams are often called on to immediately disable the control to allow everyone to get back to work. Implementing Zero Trust for Software gives defenders the breathing room they need to better understand potential threats and make informed security decisions without slowing down the business.

Xcitium ZeroDwell Containment

Zero Trust for Software is a critical but often overlooked component of a Zero Trust Architecture; Xcitium helps organizations fill this gap in a simple, cost-effective manner. Xcitium's patented ZeroDwell Containment technology provides a turnkey solution to this piece of the puzzle, delivering not only lightweight, high-performance containment but also fast and highly effective analysis of unknowns. To learn more, visit Xcitium.com and consider registering for a free demonstration.

Source: Xcitium