In today’s world of cyber threats, organizations are prioritizing zero trust security to safeguard their digital assets. , the founding father of Zero Trust, explains in a recent conversation with WEI, “Trust is a human emotion and has no business in digital systems.” This strategy assumes no user or system is inherently trustworthy, emphasizing the need for continuous validation and strong access controls.

A clear approach provides a roadmap for implementing a secure framework to protect an organization’s assets. Let’s outline actionable steps to implement zero trust security in your organization while incorporating best practices to minimize risks.

Why Zero-Day Malware Prevention Is Essential

Watch: Demystifying Zero Trust With John Kindervag

Why Zero Trust Matters

We hear news about data breaches almost every day, showing how traditional security models relying on perimeter defenses are not enough. These outdated methods fail to keep up with sophisticated threats, leaving your critical assets vulnerable.

Zero trust security operates on a fundamental principle “Never trust, always verify.” Rather than assuming that users or devices within your network are inherently trustworthy, Zero Trust requires authentication and verification at every step. Despite its effectiveness, many organizations misunderstand Zero Trust. As Kindervag notes, “The objective is to stop data breaches, but to do that, you need to know what you need to protect.” This foundational step is often overlooked, leading to ineffective deployments.

By recognizing that zero trust is a strategy and not a single product, organizations can take deliberate steps toward its successful implementation. The journey begins with identifying what needs protection and understanding how your systems interact. These initial steps lay the groundwork for the critical actions that follow – from mapping transaction flows to continuous monitoring.

Let’s look at the steps every organization needs to take in building a resilient security framework.

1. Define Your Protect Surfaces

To implement Zero Trust, begin by identifying what needs protection, your “protect surfaces.” These include sensitive data, applications, assets, and services. Kindervag advises starting small: “Focus on one protect surface at a time. It makes the process incremental, iterative, and non-disruptive.”

Start by using tools and conducting audits to gain a clear understanding of your environment. Identify your most valuable assets and break them into smaller, manageable protection surfaces. To make it simpler, here’s a quick look at some key areas in your operations that may need attention:

• Data: Financial records, customer information
• Applications: ERP systems, CRM platforms
• Assets: Servers, devices
• Services: DNS, authentication services

These initial steps establish the foundation for subsequent critical actions, including mapping transaction flows and implementing continuous monitoring.

2. Map Transaction Flows

Once you identify your protect surfaces, map the data transaction flows to understand how they interact. This step involves understanding how data and applications interact. “You have to see how the system works together as a system. You can’t protect what you don’t understand,” Kindervag explains. This knowledge helps you identify potential vulnerabilities and ensures that your zero trust policies align with real-world data flows.

3. Enforce Identity Access Management (IAM)

IAM is essential to zero trust security. It ensures that users only access the resources they absolutely need, and only when necessary.

To effectively implement IAM, consider the following best practices:

• Implement role-based access controls (RBAC) to minimize unnecessary access.
• Use multi-factor authentication (MFA) such as passwords, biometrics, and security tokens to verify user identities. Studies have shown that MFA can effectively block 99.9% of automated cyberattacks.
• Conduct periodic audits to identify and remediate any inconsistencies or outdated access privileges.

Organizations can significantly enhance their security posture and minimize the risk of data breaches within a zero trust framework by diligently implementing this approach.

Watch: WEI Cyber Warfare & Beyond Roundtable Discussion

4. Apply Network Segmentation

Network segmentation, also known as micro-segmentation, is a cornerstone of zero trust. It limits the blast radius of potential breaches by restricting access to segmented areas within the network. Kindervag highlights its importance, stating, “Segmentation stops malicious actors from gaining access to the protect surface.”

Here’s how to implement segmentation following a layered approach:

1. Employ software-defined micro-segmentation to create distinct zones within your network. This approach enhances security by isolating critical systems and data.
2. Restrict traffic flow between these zones according to the principle of least privilege. This ensures that each zone only has the necessary access to other zones and resources, minimizing the potential impact of a security breach.
3. Implement monitoring and logging capabilities to track all communication between segments. This provides valuable insights into network activity, helps identify and respond to threats promptly, and facilitates compliance with security regulations.

By controlling the “blast radius” of potential breaches, this approach ensures that even if a breach occurs, its impact is contained to a limited segment of your network.

5. Implement Continuous Monitoring

Continuous monitoring is essential to ensure your zero trust framework adapts to emerging threats. Because zero trust generates a lot of data, integrating this information into a modern SOC platform becomes effective for threat response and framework maintenance. 

Investing in advanced monitoring tools, such as intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions, provides real-time visibility into network activities. These tools detect anomalies, such as unusual login attempts or unexpected data flows, enabling swift responses to potential breaches.

6. Create And Enforce Policies

With these steps in place, the next course of action is to establish and enforce security policies. These policies clearly define the specific conditions under which access to systems and data is granted.

For instance, a policy might stipulate that access to sensitive financial records is permitted only during regular business hours, exclusively for authorized members of the finance team, and mandates the use of MFA for added security.

By adhering to a “default-deny” principle, organizations can significantly strengthen their security posture and minimize the potential damage caused by unauthorized access.

Avoiding The Most Common Mistakes

Zero Trust is a powerful strategy, but it’s not uncommon to hit a few bumps along the way. Sometimes, organizations become too eager to implement this approach that they forget how to do it properly. Here are some familiar mistakes and areas to focus on:

1. Starting too big: It’s tempting to tackle everything at once, but trying to implement Zero Trust across your entire network can be overwhelming and costly. As Kindervag mentions, organizations should start small and focus on manageable protect surfaces, like a specific application or database. From there, you build your experience and maintain normal enterprise operations.
2. Focusing on products instead of strategy: Remember, zero trust is a mindset, not a shopping list. It’s easy to get caught up in buying tools and software, but without a clear understanding of what you’re protecting, even the best tools can fall short. Start by identifying your assets and understanding how they interact before layering in technology.
3. Neglecting policies: A well-crafted policy is your strongest ally. As Kindervag says, “All bad things happen within an ‘allow’ rule.” Review your policies regularly and make sure they’re as precise as possible. Tight policies mean fewer opportunities for attackers to exploit gaps.

Avoiding these pitfalls simplifies the process and sets your organization up for long-term success with zero trust.

Final Thoughts

Zero trust has consistently demonstrated its effectiveness in real-world applications. Successfully implementing Zero Trust Security requires thorough planning, phased execution, and a steadfast focus on monitoring and improvement. Kindervag shares, “In a managed services environment, we managed over 100 Zero Trust deployments. During that time, only one ransomware attack occurred, and it caused no harm.” 

WEI offers the expertise to guide your organization through this transformative journey. Reach out today to learn how we can help protect your digital assets and establish a resilient zero trust framework.

The post The Zero Trust Security Roadmap: Six Steps To Protect Your Assets appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.

See Bill Frank’s biography and contact information at the end of this article.

[Note: This is an updated version of the original article posted on March 21, 2024. I replaced the term “Governance” Controls with “Performance” Controls to eliminate any confusion with the NIST Cybersecurity Framework 2.0 use of the term “Governance.”

I focus here on automated controls that monitor and measure the “performance” of “Defensive” controls that directly block threats or at least alert on suspicious activities.

How well are your cybersecurity controls performing? Measuring control efficacy is challenging. In fact, under-configured, misconfigured, and poorly tuned controls, as well as variances in security processes are the Achilles Heels of cybersecurity programs.

A mismatch between risk reduction potential and performance results in undetected threats (false negatives) as well as an excessive number of false positives. This leads to an increase in the likelihood of loss events.

All controls, whether people, processes, or technologies, can be categorized in one of two ways – Defensive or Performance.

• Defensive Controls: These are controls that block threats or at least detect and alert on suspected activities. Effective Defensive Controls directly reduce the likelihood of loss events.
• Performance Controls: These are indirect controls that measure the performance of Defensive Controls, highlight Defensive Control deficiencies, and/or evaluate the maturity of Defensive Controls’ configurations. Performance includes, but is not limited to, offensive security controls.

Most controls are easily categorized. Firewalls and EDR agents are examples of Defensive Controls. We categorize Offensive Controls as Performance because their purpose includes testing the efficacy of Defensive controls.

Vulnerability management (discovery, analysis, and prioritization) is a Performance Control because vulnerabilities, whether in security controls, application code, or infrastructure, are a type of control deficiency.

Patching is a Defensive Control because patched vulnerabilities prevent threats targeting those vulnerabilities from being exploited.

Manual Performance- Human Penetration Testing

Attempting to conduct Performance functions manually is time-consuming, limited in scope, and error prone. Human Penetration Testing has been the go-to Performance Control for decades. However, only the very largest organizations can afford to fund a Red Team to provide anything close to continuous testing.

Most organizations hire an outside firm to perform pentesting. Due to high costs, the scope of human pentesting is limited. In addition, it is typically performed only once a year or once a quarter. Therefore, for most organizations, human pentesting is little more than a checkbox exercise.

Note that human pen testers use a variety of tools to address many of the standard and repetitive tasks associated with pentesting. However, in general, these tools are not revealed to the client.

Have said that, I am not here to denigrate human pen testing. There are surely many pen testers that have deep expertise and creativity that goes beyond what any automated tool can provide. This is why bug bounty programs are popular.

The cybersecurity market has responded to the need for automated Performance Controls. Since no two organizations are the same, my goal for this article is to describe different types of Performance Controls to help you decide which approach is right for you.

Automated Performance Controls

There are five types of automated Performance Controls I will discuss:

1. Attack Simulation
2. Risk-based Vulnerability Management
3. Metrics
4. Security Control Posture Management
5. Process Mining.

Note that since virtually all of these tools are SaaS platforms, factors including costs, support and training, community, data security, and compliance must always be evaluated!

1. Attack Simulation

Attack Simulation is my simplified term that covers a variety of vendors who use terms like Automated Penetration Testing, Breach and Attack Simulation, and Security Control Validation.

The one thing they all have in common is executing simulations of known threats against deployed controls. However, the vendors in this space use a variety of architectures to accomplish their goals.

The key factors to consider when evaluating Attack Simulation tools are (1) the number of agents that are required or recommended, (2) integrations with deployed controls, (3) the degree to which the simulation software mimics adversarial tactics, techniques, and procedures (TTPs), (4) the vendor’s advice on running their software in a production environment, (5) firewall / network segmentation validation, (6) threat intelligence responsiveness, and (7) the range and quality of simulated techniques and sub-techniques.

Agents. The number of agents needed for internal testing. This ranges from only one agent needed to start the test to the requirement for agents on all on-premise workstations and workloads. No agents may be needed for testing cloud-based controls.

Defensive Control Integrations. Integrating Attack Simulation tools with Defensive Controls enables blue/purple teamers to better understand how a control reacted to a specific technique generated by the attack simulation tool.

Simulation. An indicator of how close a vendor gets to simulating real attackers is its approach to discovering and using passwords to execute credentialed lateral movement. Are clear-text passwords taken from memory? Are password hashes cracked in the vendor’s cloud environment (or on the vendor’s locally deployed software)? Adversaries use these techniques regularly, your attack simulation tool should too.

Production / Lab Testing. Attack Simulation vendors vary in their recommendations regarding running their tools in production vs lab environments. Of course, it’s advisable to perform initial evaluations in a lab environment first. But to get maximum value from an attack simulation tool, you should be able to run it in a production environment.

Firewall / Network Segmentation. There is a special case for testing firewall/intrusion detection efficacy. Agents may be deployed on each side of the firewall. This allows for validating firewall policies in a production environment without running malware on any production workstations or workloads.

Threat Intelligence Responsiveness. New threats, vulnerabilities and control deficiencies are discovered with alarming regularity. How quickly does the attack simulation vendor respond with safe variations for you to test against your controls? Do you need to upgrade the tool, or just deploy the new simulated TTPs?

Range and Quality of techniques and sub-techniques. Attack simulation vendors should be able to show you their supported MITRE ATT&CK techniques and sub-techniques. As to quality of those techniques and sub-techniques, it’s very difficult to determine. The data generated via the Integrations with deployed controls surely helps. We recommend testing at least two similarly architected tools in your environment to determine the quality of their attack simulations.

2. Risk-based Vulnerability Management

Vulnerability management is a cornerstone of every cybersecurity compliance framework, maturity model, and set of best practice recommendations. However, most organizations are overwhelmed with the number of vulnerabilities that are discovered, and do not have the resources to remediate all of them.

In response to this triage problem, vendors developed a variety of prioritization methods over the years. Despite its limitations, the Common Vulnerability Scoring System (CVSS) is the dominant means of scoring the severity of vulnerabilities. However, even NIST itself states that “CVSS is not a measure of risk.” Furthermore, NIST states that CVSS is only “a factor in prioritization of vulnerability remediation activities.”

Risk-based factors for vulnerability management include the following:

Business Context. What is the criticality of the asset in which the vulnerability exists? For example, production systems vs development systems.

Likelihood of exploitability. A combination of threat intelligence and factors associated with the vulnerability itself determine the likelihood that a vulnerability will be exploited. is an example of this approach.

Known Exploited Vulnerabilities. The Cybersecurity & Infrastructure Security Agency (CISA) maintains the Vulnerabilities on the KEV list should get the highest priority for remediation.

Asset Location. What is the location of the asset with the vulnerability in question? Internet-facing assets get the highest priority.

Compensating Defensive Control. Is there a Defensive Control that can prevent the vulnerability from being exploited?

3. Metrics

Modern Defensive Controls generate large amounts of telemetry that can be used to monitor their performance and effectiveness. Automating metrics reporting enables continuous monitoring and measuring the performance of a larger number of deployed controls.

While automated cybersecurity performance management platforms are not always considered an alternative to Attack Simulation and Risk-based Vulnerability Management solutions, they do have the advantage of being less intrusive because they are passive. All they need is read-only access to the Defensive Controls. There are no agents to deploy and no risk of unplanned outages.

The key factors when evaluating automated metrics solutions include the following:

Scope of Coverage. The range of metrics based on your priorities such as vulnerability management, incident detection and response, compliance, and control performance.

Integrations. Does the metrics solution vendor support integrations to your controls? If not, are they willing to add support for your controls? Will they charge extra for that?

Reporting flexibility. How flexible is the report building interface? What, if any, constraints are there to generate the reports you want? Can you build customized dashboards for different users? Is trend analysis supported?

Ease-of-Use. How easy is it to generate custom reports?

Scalability and Performance. Given the amount of data you want to retain, how fast are the queries/reports generated?

4. Security Control Posture Management

All security controls need to be configured and maintained to meet individual organization’s policy requirements, threat profile, and risk culture. The amount of time and effort needed to initially implement the controls and then keep them up to date varies depending on the control type and the functionality provided by the vendor.

Firewalls are at or close to the top of the list of controls requiring the most care and feeding. Therefore, it’s not surprising that the first security control configuration management tools were created two decades ago to improve firewall policy (rule) management. These tools eliminate unused and overlapping rules, and improve responsiveness to the steady stream of requests for changes, additions, and exceptions.

Security Information and Event Management (SIEM) systems are also at or near the top of the list of controls requiring extensive care and feeding. One critical aspect of a SIEM’s effectiveness is the extent of its coverage of MITRE ATT&CK techniques and sub-techniques. This also maps back to the SIEM’s sources of log ingestion. Furthermore, SIEM vendors provide hundreds of rules which generally need to be tailored to the organization.

To reduce the level of effort needed to tune SIEMs, consider tools that evaluate SIEM rule sets and provide assistance to detection engineers.

The variety of tools available for managing security control configurations will continue to grow, encompassing additional types such as endpoint agents, email security, identity and access management, data security, and cloud security.

5. Process Mining

Process mining is a method used to analyze and optimize business processes by collecting and analyzing event logs generated by information systems. These logs contain details about process execution, such as the sequence of activities, the time taken to complete each activity, and the resources involved. Process mining algorithms use this data to automatically generate process models that visualize how a process is executed in reality, as opposed to how it is expected to be executed.

While process mining is not a new concept, it is new for cybersecurity processes. For cybersecurity process mining to be useful, logs must be collected from non-security sources as well as cybersecurity controls.

Process mining is actually a separate class of higher-level analysis and measurement. All the others, with the exception of security operations platforms (SIEMs) here are testing, measuring, or obtaining data on individual controls. Having said that, at present, processing mining does not specifically measure the effectiveness of defensive controls.

An example of a common cybersecurity process use case is user on-boarding and off-boarding. To perform this analysis, the process mining tool must integrate with human resource systems in addition to authentication and authorization systems.

In addition to (1) improving compliance to defined processes, process mining will (2) expose bottlenecks, (3) reveal opportunities for additional process automation, and (4) make it easier for stakeholders to understand how processes are executed using visual representations of the processes.

While scalability, performance, and integrations are important, the way processes and variances are rendered in the user interface and the way you can interact with them is critical to understand the causes of variances and opportunities for improvement.

Individual vs. Aggregate Control Effectiveness

Having reviewed the types of Performance Controls available to monitor and measure Defensive Control efficacy, it’s worth noting that they all monitor and measure control effectiveness individually.

The processing mining folks might disagree with the above statement in the sense that they aggregate multiple control functions by the processes in which they play a role. However, process mining does not actually measure the efficacy of the individual controls in processes. It focuses on improving the effectiveness of processes.

While there is no doubt about the value of discovering and remediating deficiencies in individual controls, there is another function needed from a risk management perspective. That is calculating Aggregate Control Effectiveness. How well does your portfolio of Defensive Controls work together to reduce the likelihood of a loss event?

Aggregate Control Effectiveness must consider attack paths into and through an organization. A Defensive Control that has strong capabilities and is well configured will not reduce risk as much as anticipated if it is on a path that does not see many threats or is on a path with other strong controls.

In addition to discovering and prioritizing Defensive Control deficiencies, a Performance Control measurement program will improve the accuracy and precision of Aggregate Control Effectiveness calculations.

My next article will address the issue of Aggregate Control Effectiveness and its relevance to risk management. Stay tuned!

Next Steps: WEI provides enterprises with increased visibility at all touch points of the IT estate, and that includes at the edge and applications within the data center. How can we help your enterprise with its current and future cybersecurity architecture? Contact our experts today to get started.

About The Author

Bill Frank has over 24 years of cybersecurity experience. At present, as Chief Client Officer at Mr. Frank is responsible for leading Monaco Risk’s cybersecurity risk management engagements. In addition, he collaborates on the design of Monaco Risk’s cyber risk quantification software used in client engagements.

Mr. Frank is one of two inventors of Monaco Risk’s patented Cyber Defense Graph. It is the core innovation for Monaco Risk’s cyber risk quantification software which enables a more accurate estimate of the likelihood of loss events.

Prior to Monaco Risk, Mr. Frank spent 12 years assisting clients select and implement cybersecurity controls to strengthen cyber posture. Projects focused on controls to protect, detect, and respond to threats across a wide range of attack surfaces.

Prior to his consulting work, Mr. Frank spent most of the 2000s at a SIEM software company where he designed a novel approach to correlating alerts from multiple log sources using finite state machine-based, risk-scoring algorithms. The first use case was user and entity behavior analysis. The technology was acquired by Nitro Security who in turn was acquired by McAfee.

Bill Frank’s contact information:

• Email: bfrank@monacorisk.com

The post Using Performance Controls to Address Cybersecurity’s Achilles Heel appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.

What Is Network Segmentation?

Network segmentation is an architectural method of splitting a network into multiple segments or subnets. This allows each segment to act as its own small network. In other words, this segmentation allows network administrators such as yourself to have full control over the traffic flow between subnets that is based on your granular policies. Simply put, this technique divides a computer network into smaller physical components. The high-level purpose of splitting a network is to improve network performance and security.

Network segmentation is one of the best approaches to take against data breaches, ransomware attacks, and other types of cybersecurity threats. In a segmented network, groups of servers only have the connectivity required for business use, which limits the ability of ransomware to pivot from system to system.

Benefits Of Network Segmentation

Businesses may hesitate when it comes to setting up network segmentation because subdividing a network into functional domains may seem intimidating. However, the benefits outweigh the challenges. The of network segmentation include:

1. Improved Operational Performance

There are fewer hosts per subnetwork on a segmented network, which helps to reduce congestion. provides an excellent example by sharing that, “a hospital’s medical devices can be segmented from its visitor network so that medical devices are unaffected by web browsing.” This reduced congestion minimizes local traffic and ultimately leads to improved operational performance. And ultimately allows for improved patient-to-provider interaction as so much has already been asked of healthcare facilities across the nation.

2. Limits Cyberattack Damage

Network segmentation helps reduce the time and effort spent recovering from a cyberattack. When a segmented network is breached, the activity of the hacker is restricted to a single subnetwork. Not only does this make the attack harder to spread, but it also gives security teams time to upgrade the security controls in the other segments, making it harder for the attacker to gain access to the whole system.

3. Protects Vulnerable Devices

Not all devices in a network are built with enhanced security defenses. Network segmentation can help prevent cyberattacks on these unprotected devices by making them difficult to reach.

4. Reduces The Scope Of Compliance

Network segmentation is an excellent way to boost network security, but it can also help reduce compliance scope. In a non-segmented network, the whole network is in-scope for compliance, which drastically increases the costs and effort needed to secure the business network. Utilizing segmentation-only systems or subnets limits the number of in-scope systems, in turn reducing compliance requirements.

A Fresh Outlook On Network Segmentation

Increased network complexity from the rapid adoption of digital transformation across the globe makes it more difficult for security teams to protect enterprise data and systems. The usual security approaches can’t keep up with the growth of digitization and protect large amounts of data. Fortunately, provides a strategic and innovative approach to network segmentation. It helps organizations reduce risk, simplify their audit profile, and protect data.

Cisco’s segmentation service is customer-specific to help develop a model that will meet your business needs. By looking at an organization’s network architecture, this service can also help you apply separate controls over different systems and data with a secure management system. Additionally, it incorporates reusable design patterns that can be used as your business changes.

The objective of network segmentation is to simplify the application of security by using a centralized management point. When this process is integrated, it helps reduce complexity and doesn’t need much maintenance.

Conclusion

Whether you’re trying to reduce compliance scope or enhance security in your business, network segmentation is an essential way to prevent cyberattacks from spreading across your organization’s network, keeping your valuable files safe. If you’d like to discover more about building an effective segmentation strategy for your business, contact WEI to work with our network security professionals today.

Next Steps: To learn more about agile network security solutions and services for your enterprise, download our Tech Brief,

The post How An Innovative Approach To Network Segmentation Improves Data Security appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.