Leaning On Network Flows To Monitor Zero Trust Implementations

Ted Gruenloh
CEO @ Nomic Networks
July 18, 2024

We spoke in a previous blog about having “zero trust for your Zero Trust.” It might be time to expand upon that concept and talk about how you might audit your Zero Trust implementation – all without necessarily leaning on machine learning, AI, or anomaly detection to do it.

ML-driven “anomaly detection” has been around a long time now, and it has its place. But to home in on Zero Trust policies and see whether they’re working, you need complete network visibility to evaluate the efficacy of those policies – not just the “anomalous” threats that slip through the cracks.

Anomaly Detection vs. Network Visibility

“Network visibility is essential to zero trust,” states Michele Festuccia, Senior Systems Engineer Manager at Cisco. It’s true. For a company to know how their Zero Trust initiatives are doing, they need to be able to see them in action.
However, with so many AI tools cropping up, “network visibility” has often been interpreted to mean nothing more than the ability to spot nefarious anomalies across the network. While this is important – even vital – it doesn’t get to the heart of the matter: your policies.

Bottom line? Network anomaly detection is not the same as comprehensive network visibility, and the latter is required to audit your ZT environment.

Network Visibility via Network Flows

When it comes to gaining the kind of network visibility that really matters, the ability to look back at every conversation on your network to see what happened is essential. Several solutions in the Network Security Monitoring (NSM) space overlap here in terms of the functionality they provide, but the key features we’re looking for today are 1) comprehensive lookback and 2) ease of use.

Unfortunately, many of the established tools fall short on these criteria. For example, typical Network Detection and Response (NDR) tools have the requisite anomaly detection capabilities, but lack a historical archive of the network flow data used for those detections. A SIEM’s main selling point is the ability to let you sift through old logs for the purpose of investigation and response, but in practice these tools are clunky and slow, or simply too intimidating to use day-to-day.

Some NDR tools do have access to a historical archive of network flows – records of who talked to whom, over what port and protocol, and how much – but the key is to present this information in an intuitive, easy-to-use interface, so combing through millions of flows doesn’t sound so daunting.

We have experience here, through the development of our Insight sensor. In some cases, NDR tools like Insight can be an alternative to a SIEM by providing an independent set of eyes on the network traffic. Without requiring any configuration or log collection, Insight gives you access to a wealth of network flow data beyond IPs and protocols, including geolocation, ASN block, threat intelligence, and enhanced application protocol identification.

The Case for Network Flows

Here’s an example of when network flows can be called upon to provide the kind of network visibility that Zero Trust actually needs.

We have a customer that keeps valuable client intellectual property on an ‘air gapped’ (not really, but close enough) network, segregated from the rest of the environment. ACLs limit access to only those users required to access these servers, and they lean on network segmentation to ensure the network is as isolated as possible. (Obviously, proper ACLs and network segmentation are key components of a Zero Trust framework.)

So, are we to rely on anomaly detection to identify any holes in these implementations? As Festuccia states, “In systems such as large networks or critical infrastructures, the high complexity may hide anomalies which can remain unknown or dormant for extended periods of time. Consequently, training an algorithm to recognize them is impossible.”

What if you want to check on how your Zero Trust controls are doing without assuming that an absence of anomalies means everything is doing its job? Is it working, or is it just a lull in malicious activity?

Verifying Zero Trust with Network Flows

Again, ML is useful, but you can also lean on simple traffic patterns to produce an alert (we call them “Signals”) that notifies you when a network segmentation rule has been broken. For example, in our customer’s case, custom Signals are in place to monitor traffic between the isolated network segments, and an alert notification is sent if the rules assumed to be in place are violated. No fancy AI; just a Signal that fires if Network A talks to Network B.

Sounds simple, and it is. But the solution requires active, autonomous monitoring of network flows, an archive of traffic, and a tool that’s easy to implement and understand. These easy-to-customize Signals allow your team to get visibility into the effectiveness of your Zero Trust approach without investing heavily in AI or being left with unsettling “what-ifs.”
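As an added illustration of what such a Signal boils down to (this is example code written for this post, not the Insight sensor’s own implementation), here is a policy check run over flow records: name the segments, declare which pairs are allowed to talk, and flag any flow that crosses into or out of an isolated segment outside that allow-list. The segment names, address ranges and the CSV-style flow format are assumptions for the example, and the flow lines are constructed, not captured from a real network. Note that the check is driven entirely by the stated policy; it fires on the very first offending flow whether or not the traffic looks “normal” in volume or timing, which is exactly what an anomaly model cannot promise.

```python
"""Flow-based segmentation Signal: flag any flow that crosses a segment
boundary the policy says must never be crossed (example code)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical segments for the example; ranges are assumptions.
# jump_hosts sits inside corp_lan, so matching must be longest-prefix.
SEGMENTS = {
    "ip_vault": ipaddress.ip_network("10.50.0.0/24"),    # the 'air gapped' servers
    "corp_lan": ipaddress.ip_network("10.10.0.0/16"),
    "jump_hosts": ipaddress.ip_network("10.10.99.0/28"),  # the only permitted path in
}

# Segments that may only be reached via an explicitly allowed pair.
ISOLATED = {"ip_vault"}

# Allowed pairs are unordered because many flow exporters emit one record
# per direction; the reply flow must not trip the Signal on its own.
ALLOWED = {frozenset({"jump_hosts", "ip_vault"})}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def segment_of(ip: str) -> str:
    """Longest-prefix match of an address to a segment name, or 'external'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in SEGMENTS.items():
        if addr in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best or "external"


def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,dst,dport,proto,bytes' record (assumed format)."""
    ts, src, dst, dport, proto, nbytes = line.strip().split(",")
    return Flow(ts, src, dst, int(dport), proto, int(nbytes))


def check_flow(flow: Flow):
    """Return a 'segA -> segB' reason if the flow breaks policy, else None."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == d:
        return None  # intra-segment traffic is not a segmentation question
    if (s in ISOLATED or d in ISOLATED) and frozenset({s, d}) not in ALLOWED:
        return f"{s} -> {d}"
    return None


def audit(lines):
    """Run the Signal over flow records; returns [(Flow, reason), ...]."""
    violations = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            violations.append((flow, reason))
    return violations


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = """\
# ts,src,dst,dport,proto,bytes
2024-07-18T09:01:02Z,10.10.99.5,10.50.0.10,22,tcp,4096
2024-07-18T09:01:09Z,10.50.0.10,10.10.99.5,22,tcp,61440
2024-07-18T09:03:41Z,10.10.4.23,10.10.5.1,80,tcp,512
2024-07-18T09:05:17Z,10.10.4.23,10.50.0.10,445,tcp,1200000
2024-07-18T09:07:55Z,10.50.0.10,10.50.0.11,5432,tcp,2048
2024-07-18T09:12:30Z,10.50.0.10,203.0.113.7,443,tcp,88000
"""

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"SIGNAL {flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
              f"{flow.nbytes} bytes  [{reason}]")
```

Run over the constructed sample, the jump-host SSH session and its reply flow pass, the intra-LAN and intra-vault flows are ignored, and two records fire: a corp LAN workstation reaching the vault over SMB, and the vault talking out to an external address. The second case is the one worth dwelling on; an ACL that only filters inbound would never log it, and a volume-based anomaly model might not either, but the policy check catches it regardless of how unremarkable the byte count looks.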

Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.
