Extending Zero Trust To The Endpoint
Zero Trust on the Network - A Familiar Tune
Zero Trust is an increasingly accepted and celebrated network architecture security model. The phrase “never trust, always verify” rings a familiar tune for those focused on securing networks. Zero Trust focuses on the principle that an organization should not trust anything inside or outside its perimeter and that everything trying to connect to the network should be verified before access is granted.
Accomplishing a Zero Trust architecture requires network segmentation and granular enforcement based on user, data and location. All traffic must be logged and inspected at various inspection points that identify and permit traffic based on established rules. This maintains least-privileged access
and strict access control that gives you the network visibility and context necessary to limit lateral movement and identify attacks from within your network.
As security technologies have advanced, the volume of data to secure has grown immensely. Data moves with endpoints in today’s highly mobile world, making endpoints attractive targets for cy- berattacks. Accordingly, security policy must move with users and data and should not be tied to a particular location. With data and applications being accessed from devices all around the world, Zero Trust and its prevention-first approach should expand beyond your network and into endpoints.
Zero Trust on the Endpoint – A Holistic “Zero Trust” Story
Endpoint security products secure and collect data on the activity that occurs on endpoints, while network security products do the same for networks. To effectively combat advanced threats, both need to work together. An integrated platform approach that combines endpoint and network security is the only way to achieve holistic protection and implement the Zero Trust model across your entire security architecture. This approach must be part of everything we do so that prevention occurs wherever traffic occurs, everywhere data lives.
Four criteria must be met to extend Zero Trust to the endpoint:
1. Protect Endpoints With Multiple Layers of Security
Traditional security measures fail if an attacker finds a way to circumvent the weakest link, such as by delivering malware or exploiting application vulnerabilities. It is more effective to layer network and endpoint protections together so that, if an attacker succeeds in bypassing one measure, they will be confronted with another, making it progressively more difficult for them to succeed.
The role of network security is to stop as many attacks as possible – be they malware, phishing attacks or exploits – from reaching an endpoint through the network. If an attack reaches the endpoint through a USB drive or other non-network means, the traffic is encrypted, or the user is oThine or off-network, the role of endpoint security is to neutralize an attacker’s ability to do damage.
Combining these disciplines for a Zero Trust architecture makes integration between endpoint and network security even more effective.
2. Integration With Network Security
Extending Zero Trust to the endpoint weaves endpoint security with network security for a single, holistic security architecture. Intelligence gained on the endpoint should be fed into the firewall and vice versa. Policies should be set on the firewall such that, if the endpoint experiences an event, that endpoint can be quarantined until it can be fully scanned and cleansed.
Additionally, ingesting user and traffic data from firewalls into a network security management tool provides context as to what is happening throughout the network. This allows you to write security policy to reflect such activity appropriately and to be enforced on the endpoint.
The Zero Trust model also includes partnering endpoint security with virtual private network, or VPN, security so that global policy moves with the user and endpoint. To ensure endpoints are always protected, the VPN capabilities should be transparent to users and require no manual intervention to log in or connect. When endpoint security and VPNs work in conjunction with one another, endpoints are protected no matter their location, preventing bad traffic from getting to the VPN and firewall. To further enhance this integration, VPNs placed on a next-generation firewall extend policy enforcement into the tunnel. If traffic is encrypted and enters the network through a compromised endpoint, policy remains enforced.
The granular visibility delivered by endpoint and network security integration must be augmented with automation for rapid, informed and accurate multivariate decision-making. This integration must also be seamless and lightweight so that it does not negatively affect the user.
3. Managing Multiple Kinds of Endpoints
All organizations have multiple kinds of endpoints that must be managed, such as servers, workstations, desktops, laptops, tablets and mobile devices. To harden security posture and implement Zero Trust, endpoint protection needs to integrate with a firewall so that security policy follows the endpoints, no matter where they are. Multi-factor authentication, or MFA, should be enforced on a next-generation firewall for scalability and to move the line of exposure farther away from critical applications. This integration must not negatively affect system performance, so that users will not notice security running in the background and potentially try to remove or close security tools.
4. Layer 2–7 Access Control
When implementing Zero Trust across your security architecture, ensure traffic is being inspected for malicious behavior both as it enters and leaves the endpoint. It’s common for endpoints to assess traffic for potential threats as it enters the network. It is less common for traffic to be assessed as it leaves the network, under the assumption that the user and the user’s activity are valid. However, if a user is compromised, an attacker could be exfiltrating data or intellectual property from the endpoint or using the compromised device for other nefarious activities.
To prevent data or intellectual property from leaving your network, you need visibility into the activity on the endpoint, enabled through integration with a next-generation firewall. Based on policy set on the firewall, if a user or application traffic falls outside the scope of the defined security policy, the firewall can intervene and stop suspicious activity. This policy must enforce threat prevention rules, URL filtering and malware sandboxing features inside the encrypted VPN tunnel.
The next-generation firewall also should have SSL decryption capabilities to decrypt encrypted traffic and gain the visibility necessary to determine if the traffic is malicious or not. If malicious traffic is identified, the integration between the firewall and endpoint should allow the firewall to block any command-and-control traffic and isolate the endpoint from your network.
Palo Alto Networks Approach
Palo Alto Networks® Next-Generation Security Platform is designed to enable and align to a Zero Trust architecture.
A key component of Palo Alto Networks Next-Generation Security Platform is Traps™ advanced endpoint protection, which employs multiple methods of protection at critical stages of the attack lifecycle to prevent known and unknown malware, exploits and ransomware, as well as zero-day threats. Traps performs local analysis to identify malicious and benign files based on file property classification and previously known verdicts.
On top of local analysis, Traps integrates with WildFire® cloud-based threat analysis service. On its own, WildFire performs dynamic and static analysis, machine learning and bare metal analysis to identify even the most evasive threats. As part of the platform, WildFire enables Traps and the next-generation firewalls to become sensors and enforcement points for your network and endpoints.
Palo Alto Networks next-generation firewalls inspect all traffic, including applications, threats and content – even if it’s encrypted – and tie that traffic to the user. The resulting visibility and data help security policy align with your organization’s unique needs and initiatives. Like Traps, the next-generation firewall works with WildFire to protect against known and unknown threats. When WildFire identifies a new threat anywhere, it automatically creates and disseminates updated protections throughout the platform and to other members of the WildFire community to support a coordinated security infrastructure. These updates include threats newly identified by Traps for more comprehensive and effective protection across the architecture.
Tying the policies from your network to your endpoints is GlobalProtect™ network security for endpoints, which extends your security policy to remote networks and mobile users. GlobalProtect inspects traffic using next-generation firewalls for full visibility of all network traffic, applications, ports and protocols. This visibility allows the seamless enforcement of security policy on endpoints, wherever the user is located. GlobalProtect provides user information to power User-ID™ technology and integrates with MFA protections in the firewall to prevent attackers from moving laterally using stolen credentials..