FIM and Four Pillars for Zero Trust Architectures – a ZTA Whitepaper
Cybersecurity Executive Order Demands Zero Trust
Zero trust is a hot button of the 2021 Cybersecurity Executive Order, and not surprising. As the SolarWinds and Colonial Pipeline hacks illustrated, devices and sensitive systems are getting compromised through deceptive practices such as ransomware and the compromising of code assumed to be trusted. In response to these sneaky, damaging attacks, the venerable approach of zero trust, and zero trust architectures and networks are making a comeback.
Cybersecurity EO Section 1, the Policy section, states that the Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated hostile cyber actions and actors. Meanwhile, the private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the federal government to foster a more secure cyberspace. Trust in the digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences if that trust is misplaced. This last statement rings decisively of the need for zero trust.
The following zero trust architecture (ZTA) whitepaper explores the form zero trust takes across the cybersecurity disciplines of: training and awareness, endpoint protection, file integrity monitoring (FIM), authentication/least privilege/PAM, and layered security/defense in depth. This ZTA whitepaper is of interest to federal agencies and commercial organizations serving the public and DoD sectors.
What is zero trust and ZTA?
The zero trust architecture (ZTA) of cybersecurity is designed with no true perimeter and a never trust, “who goes there?” attitude. Devices and digital entities aren’t trusted by default. There’s a whole lot of sniffing going on at the file, device, and system level. So, as you might imagine, ZTAs involve deep file integrity monitoring (FIM) and complex identity access management, but they involve a human mindset as well, one of commitment, ongoing attention and resolve. For this discipline, many organizations need as much help as possible through tools and expert security service.
Zero trust and file integrity monitoring (FIM) in practice, and action—
Zero trust is not a matter of pushing a button or downloading software and expecting to be all of a sudden zero trust protected.
It is a progression, a continuous discipline, that requires cycles of learning and software evolution.
1) Training and awareness. Your training programs should be regular and cover everything from what not to plug into, to what not to click on, to confirming identity of the other, making the workforce cognizant of the types of cyberattacks both possible and common. Digital deception is rampant, and zero trust starts with your people knowing, anticipating and thwarting schemes being used to deceive them.
2) Strong endpoint protection (across all your computing devices). Your computing architecture must be protected by anti-malware, file integrity monitoring (FIM), access and authorization control, device hardening, 2FA, and vulnerability scanning. Perimeter defensive strategies belong to days bygone. Endpoint protection must extend into the cloud, with visibility and control at cloud access points. Trust nothing. Put the security as far down into the endpoint as possible – even into the hardware. Watch the real-time FIM video demonstration.
3) Authentication/least privilege/PAM. Zero trust often begins with the principle of least privilege, that is, only assigning users and devices the privileges they need to do their jobs and nothing more. Privileged access management (PAM) should also be governed by zero trust and least privilege, employing advanced and multi-layered access and authorization controls.
4) Layered security / defense in depth. Zero trust also means layered defense. Extend security at the kernel level and all the way out to your endpoint devices and the applications they work with. This means anti-malware and device hardening, MFA, encryption, and a variety of different layers of obstacles for bad actors. A zero trust security system should provide protection against brute-force attacks, such as DoS, by limiting the number of incorrect log-ins that can occur and shutting out suspicious accounts when a threshold is reached. Meanwhile, ransomware and zero day attacks can be thwarted through a combination of zero trust measures including automatic monitoring for ransomware text strings, web application firewalls (WAFs), and the advanced detection of file and system changes.
But a huge gap exists in most security programs: they are still way too dependent on external, hub-and-spoke security measures. Some people like the idea of deploying a “kiosk,” and routing everyone through it, instead of improving security holistically at all endpoints. Security systems too often are engineered from the outside-in, instead of from the inside-out, the latter which provides greater defense in depth and protection against lateral movement.
Atomicorp Zero Trust Architecture (ZTA) and cloud workload protection functionality
You can’t talk about zero trust today without factoring the internet and cloud into what was once known as a private enterprise network. As a result of these more public, outside network entities, the computing infrastructure is more complex and gray. Atomicorp protects workloads across physical servers and virtual machines, containers and multiple public cloud IaaS, all from a single cloud workload protection platform (CWPP) management framework and console.
Atomicorp brings zero trust and strong FIM toward compliance, too. Organizations use Atomic OSSEC intrusion detection and FIM to comply with standards and regulations such as PCI-DSS, HIPAA, Hitrust, FIPS 140-2, JSIG, NIST 800-53, NIST 800-171, NERC CIP, CIS, and GDPR. Toward the 2021 Cybersecurity Executive Order, Atomic OSSEC enables federal agencies and the vendors that serve them to support cloud environments and SaaS models as they modernize their infrastructures, as well as apply modern and advanced security over legacy systems they still use. It gives them the tools they need to ensure breaches and unauthorized changes are detected in their environments, prevent lateral vulnerabilities, and generate artifacts to respond to regulatory requirements.
Visit the Atomic OSSEC page to try free OSSEC rules or upgrade to OSSEC+ simply by registering, or get a demo of our enterprise-grade Atomic OSSEC.
FIM Tools for Zero Trust Architectures
Threat tactics like DoS, Trojan horses, malware, social engineering, redirected traffic, and others bombard enterprise attack surfaces, and it’s difficult to operate in today’s cloud based environments without risk of infiltration and deep damage. File integrity monitoring (FIM) is a sound method of protecting your assets and data toward safer security outcomes and improved compliance objectives. FIM is the practice of validating the integrity of operating system and application software by verifying a current file’s state against an established baseline. It provides an important measure of what in a digital or virtual environment changed, and is one of the most critical security functions today.
Atomicorp provides advanced FIM, monitoring more than just the files and data stores containing sensitive data. Atomic OSSEC also monitors configuration information and software native to the operating system, like registries, binary files, and libraries, as well as infrastructure components like the configuration of network and cloud devices, web servers, and firewalls – all this should be monitored in real-time. Check out our zero trust, defense-in-depth IDS and intrusion prevention system, Atomic Protector. Find out how zero trust architectures relate to the secure access service edge (SASE); download the SASE whitepaper.
Atomic OSSEC file integrity monitoring (FIM) and intrusion detection system – Get a video demo
Your security systems can’t stop an attack unless they detect there is one, making FIM, or the ability to automatically track changes to the environment, crucial in detection and prevention. This detection needs to be not only fast but deep enough to stop the likes of the SolarWinds Sunburst attack, which leveraged beaucoup lateral movement and a variety of live-off-the-land tactics, such as Windows powershell grabs, the deletion of digital trail files, privilege escalations, and system hijackings.
In the following video on our FIM page, Atomicorp’s Scott Shinn demonstrates how the Atomic OSSEC FIM and intrusion detection system (IDS) solution can provide defense in depth against a similar, simulated attack.
Leverage the easy, cost-effective, and highly secure Atomic ModSecurity Rules and WAF for web application security.
Schedule a demonstration.
Read more about the 2021 Cybersecurity Executive Order.
Atomicorp was founded in 2015 to solve the critical problem faced by the modern enterprise: i.e., How do you ensure security and compliance when workloads are continuously deployed across multiple cloud and data center environments. We knew the only answer was a lightweight, DevOps-friendly platform that could automate a wide range of functional requirements. We also knew that OSSEC was the ideal foundation on which to build this solution.
Today we help hundreds of customers around the world to meet their most critical security and compliance requirements efficiently and cost effectively.