Why AI and Human Behavior Drive New Urgency for Zero Trust – Source: www.databreachtoday.com

Artificial Intelligence & Machine Learning
,
Governance & Risk Management
,
Next-Generation Technologies & Secure Development

How CISOs Can Leverage Zero Trust and AI to Protect Against the Human Element

Chris Novak, Senior Director, Verizon Cyber Security Consulting

•
July 18, 2024    

As a naturally trusting species, humans value the concept of relying on and maintaining trust in others. This philosophy falls in stark contrast to modern cybersecurity best practices, where success hinges on not applying trust to anyone inside or outside of an organization’s networks without specific, contextual permissions granted. This is one facet of the Zero Trust security approach.

See Also: 5 Requirements for Modern DLP

For example, Zero Trust requires continuous verification of identity and authorization for every access attempt, regardless of source or location. In other words, credentials are not automatically considered valid. Every packet is looked at from multiple dimensions to determine whether to grant access approval. Those dimensions include time of day, location of the requester, data or applications being requested, what’s happening during the session and more.

Zero Trust does not assume that a given set of privileged access credentials will always be used by the right user. Excess trust is removed that might otherwise lead to a breach, such as when threat actors try to use stolen credentials. This is one way Zero Trust provides a framework for addressing and securing infrastructure and data, offering additional protection across a wide range of modern computing norms – including hybrid and remote work, cloud environments, “bring your own device” usage and rising regulatory and compliance requirements.

Last year, the Biden administration rolled out the National Cybersecurity Strategy, underscoring the “inherent risk” to enterprise systems and networks that are geographically dispersed, complex and technologically diverse. According to the president, “As systems become more integrated, cyberthreats pose an increasing risk to our national security, economic well-being, public health and safety.”

Verizon’s 2024 Data Breach Investigations Report also highlights trends that support the Zero Trust approach:

• The human element was found to be present in 68% of breaches, with credential and vulnerability exploits of web applications as well as phishing playing significant roles. This demonstrates the critical need for a security model that does not implicitly trust users or devices, lowering human error-related security risks.
• The top internal threat involved privilege misuse, predominantly driven by unapproved or malicious use of legitimate privileges. Motives found were primarily financial – 88%, with espionage appearing 46% of the time. This is why monitoring and controlling access to sensitive data and systems is a necessity in modern computing infrastructures.
• Stolen credentials were used in 24% of breaches, furthering the need for stringent access controls and continuous verification as used in the Zero Trust approach.

Human Factors Driving Zero Trust

While technology is crucial to cybersecurity, we can’t overlook the human factor. The adoption of Zero Trust is a response to the vulnerabilities that human actions can introduce.

As the DBIR found, a high percentage of breaches involve humans. Zero Trust principles can help mitigate risks caused by human error or misuse, addressing the vulnerabilities in traditional security models that overly rely on perimeter defenses.

By adopting Zero Trust, “organizations can more effectively detect and respond to malicious activities, regardless of each activity’s origin or disguise,” said Chris Novak, Verizon’s Senior Director of Cybersecurity Consulting.

Insider threats highlighted in the 2024 DBIR present a particularly thorny challenge as individuals with legitimate access to an organization’s systems and data may try to exploit that access for malicious purposes. Whether driven by financial motives or espionage, coercion or disgruntlement, it’s clear that human emotions and vulnerabilities only raise the stakes.

Addressing the human element requires technical controls, such as access management and monitoring. But the 2024 DBIR also recommends that organizations foster a culture of security awareness and vigilance to minimize risks. These goals can be supported with comprehensive training and awareness programs that educate employees about cybersecurity threats and how to avoid them.

Zero Trust Obstacles and Opportunities

While focusing on human factors helps mitigate some risks, implementing Zero Trust across an organization also brings its own set of challenges.

Common obstacles to transitioning to a Zero Trust approach involve complexities in network segregation, along with difficulties managing application vulnerabilities. According to Ashish Khanna, Verizon’s Senior Director of Global Cyber Defense Practice, “A majority of our customers today simply aren’t aware of applications being consumed in their environments.”

He added that even if they know which applications are in use, most customers are unclear about the vulnerabilities applications present, and they need help to identify risks. As customers move toward Zero Trust models, having a comprehensive approach is key including understanding of how it links back to your business objectives. The following steps can help fast-track key priorities in your Zero Trust journey:

1. Establish a baseline of current capabilities.
2. Prioritize the capability model to your identified gaps.
3. Map potential supplier services and risks associated based on risk scores.
4. Map solutions to threat types, assign and continually evaluate your maturity levels.

Performing an assessment can help identify those risks. But Khanna views Zero Trust as a strategic imperative regardless. “As we move more customers to the cloud, these organizations must know all of the individuals attempting to access company resources in their ecosystems, as well as all of the devices on their networks,” he explained.

Most security leaders understand that nearly every asset has associated risks. According to Khanna, to make sure everyone understands the full cost of downtime from a breach, it’s also important for CISOs to quantify the value of each asset, mapping it to a business cost if that asset becomes unavailable.

As part of its cybersecurity consulting engagements, Verizon includes an overview of each customer’s Zero Trust transformation and road map journey, in which Khanna and his team work closely with CISOs and CIOs to help them better understand how to evaluate risks. “We help enterprises identify where better access controls or better segmentation is needed, and whether they have the right controls in place to never trust, always verify,” he said.

AI and Zero Trust Adoption

AI and machine learning are likely to play a key role in enhancing Zero Trust security, automating security elements such as continuous monitoring and helping to quickly analyze user behaviors and device activities to detect anomalies and potential threats, according to Verizon’s Novak.

AI-driven solutions are emerging today that can authenticate and authorize users based on their behavior, device posture and other contextual factors, permitting user access only when necessary and under the appropriate conditions. As Khanna explained, “AI algorithms are already being used to help detect and respond to security incidents in near real time.”

In the future, Khanna asserted, AI is expected to bring greater automation to help organizations achieve their cybersecurity objectives faster. In one example, Khanna shared how Verizon’s automated penetration testing can now be performed on applications. “This allows us to make sure we’re continually validating identities,” Khanna explained, “and avoids having someone physically perform penetration tests, improving efficiency.” “And those tests are also conducted at the right times” he added, “so that testing doesn’t disrupt daily business operations.”

That’s just one example of how automation is helping Verizon to react faster and enhance the mean time to recovery.

Overcoming Human Factors With AI and Zero Trust

In cybersecurity, the adoption of Zero Trust principles combined with AI advances marks a significant step forward. Due to the risks humans pose, the need for continuous verification and sophisticated threat detection is crucial. AI can help enhance the efficiency of security measures and enable a more proactive response to potential breaches.

But technology alone isn’t enough. Cultivating a culture of security awareness and vigilance among all employees is crucial. By integrating Zero Trust, AI, and comprehensive human-centric training, organizations can fortify their defenses, ensuring that both technological and human elements work together to protect critical assets and maintain organizational integrity.

CISOs interested in learning more about how to leverage Zero Trust and AI should review Verizon’s latest insights here.