The Zero Trust mindset assumes that one’s perimeter defenses have been breached, and priorities pivot to containing the lateral movement of malicious actors. Illumio published the 3-stage Zero Trust Plan, which individuals use to plan and operationalize their Zero Trust journey.
Metrics play a valuable role in helping organizations operationalize and achieve Zero Trust (ZT). Our customers use metrics to identify where to begin, define key milestones, advance their Zero Trust capabilities, and describe what success looks like. Let’s double-click on some of these metrics in the context of our three-step plan for implementing Zero Trust.
Step 1: Discover
During this initial stage, our customers focus on identifying what to protect, which ZT pillars to focus on, and designing the initial roadmap for expanding the scope and maturity of their ZT implementation. Compliance, such as Payment Card Industry Data Security Standard (PCI DSS) and SWIFT CSF, or risk management using NIST CSF or the CIS Top 20 Security Controls are typical business drivers. Our customers use these drivers to narrow the scope of their initial ZT plan to specific applications and business processes, thus making their plans more consumable. The executive sponsors and C-suite will be looking to measure strategic business benefits, such as a reduction in the number of breaches that require notification in the last 12 months. The operational team will focus on metrics that enhance visibility and planning.
Forrester’s ZT architecture consists of multiple pillars or competencies, and it would be ridiculously expensive and high-risk to attempt to do it all at once. Getting buy-in from various key stakeholders can be difficult. The smart and effective approach to getting everyone to support ZT is to use an industry framework supported by internal metrics to identify which security competencies to address first and how to make that progression.
Many practitioners have used Forrester’s Zero Trust Maturity eXtended Security Self-Assessment Tool to do this (subscription required). The results have spurred internal conversations on where and how to advance their Zero Trust competencies. For example, the result of a customer’s ZT capability assessment might suggest the implementation of fine-grained segmentation of traffic across PCI-connected systems. Examples of key metrics the organization may want to track as indicators of program efficacy are:
How many PCI connected systems are accurately in-scope?
What was the improvement in accuracy vs. prior periods (before enabling real-time visibility)?
Once our customers narrow their initial scope and prioritize the Zero Trust competencies, their activities will pivot to policies, controls, and then to prescribing the specific data they need to continuously enforce ZT and maintain their security postures. In many instances, this phase is closely aligned with broader GRC (governance, risk, and compliance) programs. Operational and tactical metrics help them objectively describe what success looks like at each stage of their ZT roadmap, and what indicators they will use as proxies to measure their progress and identify critical gaps. A lot of these metrics are often used as evidence data for their compliance testing and audit reporting. If a customer has a risk management and continuous monitoring program, it will also use these metrics to identify its security baseline and track how well the organization is performing against their target security indicators. When looking at PCI compliance, for example, , ZT metrics at this phase will answer questions like:
What percent of our critical applications and enterprise connections have overly broad and/or out-of-date firewall rules prior to segmentation?
What was the percent reduction in out-of-date and overly broad firewall rules after micro-segmentation?
As we transition to a remote work operating model,
What percent of endpoint devices have legitimate connections to the payment applications?
What percent of the legitimate endpoint devices are managed vs unmanaged/BYOD?
What percent of endpoint devices are monitored for suspicious connections and policy violations?
What percent of legitimate remote user connections (via corporate issued laptops or BYOD) to the payment applications are micro-segmented?
Step 3: Enforce
This is the stage where you will get down to brass tacks. Once the initial deployment and implementation are complete, the focus shifts to continuously monitoring and validating their target Zero Trust posture. Zero Trust isn’t a “one and done” activity because individual environments are dynamic. In the enforce phase, organizations will want to make sure that they are able to keep up with changes in their environment.
With Illumio’s ability to constantly monitor the connections and flows across environments – peer-to-peer connections across endpoints, user connections to enterprise applications, and workload-to-workload connections – organizations easily gain contextual information. They use these insights to automate and orchestrate policies, incident response, and remediation, which are often cited by our customers as key benefits of the solution. Once again, operational and tactical metrics help organizations identify the key indicators to let them know that their Zero Trust programs are working according to design. Examples of questions and relevant metrics include:
What was the average time to detect new and changes in IP connectivity in the payment applications and PCI connected systems?
What was the average time to update the applicable firewall rules in response to changes in IP connections to the payment applications?
What was the reduction in the number of high and medium severity vulnerabilities in the payment applications, which exceeded the company’s patch window?
What was the number of unpatched (due to operational constraints) but critical applications using micro-segmentation?
Measuring the Value of Microsegmentation for Zero Trust
Microsegmentation is a critical component for containing lateral movement attacks, which is the end game of Zero Trust. A typical Illumio customer faces a lot of competing security priorities, so there will be instances where stakeholders will want to know “by how much.” Having a methodology that documents and quantitatively demonstrates the efficacy of microsegmentation will help a microsegmentation advocate sell its initiative to its internal stakeholders.
We recently partnered with red team specialists, Bishop Fox, to develop an approach for measuring the efficacy of microsegmentation based on the main components of the MITRE ATT&CK® framework. The outcome of this collaboration is the: “Efficacy of Micro-Segmentation Assessment Report”. The report describes a repeatable methodology that customers can use to conduct testing in their own environments.
The team found that properly applied microsegmentation policies made it more difficult for malicious actors to move laterally, thus increasing the time to compromise. The Bishop Fox team also finds that microsegmentation increases the number of detectable events for the attacker to reach the targeted systems.
The report notes that increasing coverage size of microsegmentation capabilities, while maintaining the same policy state, results in measurable gains in delaying the attacker. It forces the attacker to change techniques in order to traverse the network more efficiently. Therefore, customers can use microsegmentation, not only to contain the lateral movement, but also to force the attacker to behave in avenues that optimizes the customer’s threat monitoring and detection capabilities. This conclusion points to an opportunity to investigate and develop Zero Trust metrics that answer questions on:
Number of detectable events and indicators of compromise
Improvements in time to detect an attack by enhancing threat hunting capabilities
Improvements in time to contain an attack (like ransomware)