Zero Trust’s First Fal.Con – Unanswered Questions
The evolution has moved from trusted networks to zero-trust and extended zero-trust (ZTX). Likewise, the cost and complexity of the technology stack have grown while the curve of identity-centric threats continues to increase. Rather than add yet another set of technologies to the already complex IT security stack, CrowdStrike and Preempt have banded together to reduce the total number of products into a more elegant Zero Trust solution.
Zero Trust helps you change the curve downward, reducing the cost of securing identity in a way that is frictionless, making users part of your Zero Trust strategy. Giving users transparent interaction with the ZTX stack allows them to participate in a secure way with all the resources they need while keeping friction (the pain of constant re-authentication, checks, and logins) to a minimum.
Combining CrowdStrike’s endpoint and Zero Trust identity controls allows for true freedom in users location and activity while offering constant security automation with the ability to shut down threats and prevent lateral movement from compromised endpoints (CrowdStrike) and identities (Preempt). While we are only beginning to merge our roadmaps and our engineers are up all hours examining the possibilities, we imagine a beautiful synergy and single pane of glass that encompasses the Zero Trust picture from an endpoint to identities.
Having one platform is the cleaner and more effective way to manage extended zero-trust. As you think about your network and challenges, focusing on identity and the health of the endpoint makes everything transparent, and makes users part of the security solution instead of being the constant “weak link” of the last decade’s rhetoric.
We presented this strategy introducing the Zero Trust Platform at CrowdStrike’s Fal.Con conference and there were a few questions that we ran out of time to answer that we thought we’d address here:
Q: How does Zero Trust enforce the policy? A jump box in the cloud? How do you do that without an agent?
A: For on-premises AD, Zero Trust enforces the policy through a sensor on the domain controller. In the cloud, Zero Trust has an API to the Azure authentication and can interface directly with federation systems to add a risk-based profile for each authentication transaction.
Q: Does Zero Trust have logs to SIEM functionality or SYSLOG output if we wanted to get the logs?
A: Zero Trust has APIs for exporting events into other systems like SOAR or SIEM with pre-built connections for most of the major vendors of these technologies. It can send up event data in both CEF and LEEF formats.
Q: How does this differ from traditional PAM solutions?
A: Zero Trust offers an alternative approach to traditional PAMs in a way that addresses the top reasons administrators bypass PAM: time constraints, complexity, convenience, and prioritizing of scoped backlog, especially for legacy systems. Zero Trust can enforce transactions into the PAM for Privileged users while providing step-up security to RDP requests from service accounts to prevent misuse or the spread of ransomware (or other lateral movements). This decreases time to value, doesn’t force a habit change, or change how the network and people get their jobs done.
Q: How does this affect existing architecture?
A: Zero Trust fits seamlessly into your existing networks providing identity threat detection capability and frictionless conditional access with no requirement to re-model or change your architecture.
Q: If you detect strange activity, how do you verify the authentication?
A: Zero Trust examines many risk factors, from hours of business and physical location of the endpoint to health of the account and password, including group membership and baseline behaviour as well as common destinations and common threats the account may be involved with. If credentials attempt to travel to a new system, Zero Trust can push a step-up authentication through via either MFA or SSO to challenge the behaviour and prevent lateral movement. As an example, if a user on a system suddenly becomes a privileged user on that system, their risk score increases. Zero Trust has standard out-of-the-box rules that address most common use cases, including a challenge by increased risk score and enforce step-up authentication for unusual activity.
Q: Do must customers call up the Zero Trust APIs directly from the various apps, or does most interaction come from SSO or other existing solutions?
A: With Zero Trust technology, the monitoring is done from a central point – most commonly where the authentication happens – reducing the need to integrate with each application individually like some MFA or CASB solutions may require.
Q: What are examples of popular integrations, and how are they used?
A: Here is the Technology Integrations page with our most commonly installed integrations. Each of our partners collects identity risk data from the Preempt Platform. Then, depending on the integration, they assist with the automation of rule enforcement or collect and correlate incident and anomaly data into their own operations. Where Okta may have been previously only for cloud applications, Zero Trust integration allows it to reach back into the network to protect legacy apps and more.
Q: What OS platforms are supported by Zero Trust?
A: Preempt integrates with Microsoft AD, Azure AD, Okta, PingFederate, ADFFS, other SSO providers and monitor activities of systems connected via any of these systems.
Q: Can Zero Trust be used to enforce more rigorous levels of authentication for access to certain file shares?
A: Yes, Zero Trust can enforce on the File Server level, rather the individual share or file level. This aligns with the goals of Access Controls and Identity Threat Detection. Zero Trust can certainly enforce constant step-up authentication to sensitive systems, or even deny access by qualities such as group, account type, or even threat level.
Q: I am looking to know if Zero Trust can be used as a solution for remote mobile access for on-prem systems.
A: Absolutely. We’d be delighted to give you a demo! Identity is identity, no matter what devices it lives on.
We hope you enjoyed our Fal.Con talks as much as we did! If you missed our recorded session, you can catch it here.
Posted by Jeannie Warner on October 27, 2020 7:12 PM