
A Guide to Embracing a Zero Trust Security Model

A security strategy in the age of cloud and remote work

Cybersecurity has changed dramatically in recent years. The strategies that chief information security officers (CISOs) once employed were turned upside down by two monumental events in less than a year — COVID-19 and the SolarWinds attacks.

Cybersecurity used to revolve around building a hardened perimeter, and then layering security tools like moats and walls around a castle. This concept made sense when cyberthreats only emerged from outside, and assets lived on-premises.

Today’s new landscape — cloud, remote workforces and mobile devices — fails
to conform to traditional security strategies. Instead, it opens up the attack
surface by allowing data and workloads to live, operate and be accessed
outside traditional means.

Organizations were already shifting their security mindset to adapt to cloud migration and digital transformation. Those shifts were only accelerated by COVID-19 and SolarWinds.

This is where adopting a zero trust security strategy comes into play.

In this short guide, we’ll explore some of the driving forces that necessitate
a zero trust strategy, as well as what that strategy entails and how it can be
implemented.

A Guide to Embracing a Zero Trust Security Model | Splunk 2


Remote work is forcing organizations to keep up with the times

A lot has changed since the COVID-19 pandemic hit. The crisis served as a wake-up call that pushed organizations and companies around the world to accelerate their transformation. Overnight, employees were forced to work remotely, which put a significant strain on IT and security infrastructure.

Typically, organizations rely on virtual private network (VPN) solutions to manage remote access to the enterprise, but this became extremely difficult to scale due to the massive increase in workload and influx of traffic in such a short time frame.

This also exposed organizations to new security threats. The legacy tools that teams often rely on use an old school “defense-in-depth” approach to security, which needs a defined enterprise perimeter to secure an organization. But the rapid shift in work habits caused by a global pandemic stretched the traditional approach to cybersecurity to its breaking point.

In a traditional approach to security, a threat would penetrate the network, and once the perimeter was breached, a hacker could exploit existing vulnerabilities. As soon as they had authorized access, bad actors moved across the organization’s network — including connected systems — compromising assets and causing irrevocable damage.

[Figure: Traditional Network]

When organizations move to the cloud, user access moves outside their traditional perimeter, creating new challenges for visibility, control and securing data.

Coupled with the threat and adversary landscape, organizations must assume they’ve already been compromised, and take the necessary steps to protect themselves.

With this mindset, every user, device and service that requires access to an organization’s network is considered hostile — even if it’s a known and approved entity.

And not all data is created equal. As security teams fight to protect the enterprise, one thing has become abundantly clear: not all assets can — or should be — protected at the same level. It’s essential to gauge the sensitivity and importance of data to help drive meaningful and effective security measures as the perimeter dissolves, and data moves outside enterprise walls.

Without addressing these issues, simply moving to the cloud or modernizing infrastructure will fail to yield effective results. Companies wouldn’t be able to properly protect assets and realize the potential benefits technology advances have to offer.

Organizations need a modern approach that can look beyond perimeter-based security strategies to survive in the era of remote work — and beyond.



A new approach to security: Trust no one

One approach to security that has the potential to improve the way organizations protect their data and systems is a concept known as zero trust.

Zero trust enhances security posture by eliminating the sole reliance on perimeter-based protection. In effect, organizations decrease their reliance on network security — instead focusing on securing users, assets and resources.

Protection and authentication need to be continually applied at the device and user level for each transaction, ensuring continuous and adaptive authorization.

This ensures a level of trust at each access point and removes some of the anxiety around securing a remote office. It also reduces the threat of “data leakage,” or employees accidentally losing sensitive company data downloaded to personal devices.

A simplified example of what this looks like in the real world is an employee who is authorized to use an organization’s case management system from a newly assigned device. The employee makes a request from that device and is granted access.

After some time, the employee downloads a driver from a website in an effort to be helpful. Since the device is continuously monitored in a zero trust strategy, the update is flagged. The addition of the unknown component has altered the approved configuration and therefore the trust score of that device will be updated.

Now when the employee attempts to connect to the system, their new trust score could mean access to the case management system will be denied, or downgraded, depending on agency policy.

This shows how leveraging multiple factors (in this case, the combined scores of the user, device and resource) allows the agency to reduce risk to the enterprise resource dynamically. A zero trust system needs the ability to factor in changing conditions for continuous evaluation.

A recent Forrester Report found that we live in a time where organizations have “to assume you have already been compromised; you simply don’t know it yet. That is the necessary mindset in today’s hostile environment. ‘Trust but verify’ leaves you flatfooted and sets you up for crisis management. Zero trust may seem stark, but it is the proactive, architectural approach to align with mission priorities.”

[Figure: Data Sensitivity scale, from Lower Sensitivity/Less Restrictions to Higher Sensitivity/More Restrictions, across the access contexts Cloud, Wireless Connection, Home, Public and On Site Kiosk]



How to build a zero-trust model

Industry and security experts have embraced the zero-trust model as a good framework to secure organizations during — and even after — the COVID-19 pandemic.

Regardless of the approach, data is the foundation for an effective zero trust strategy.

[Figure: the six zero trust pillars (Users, Devices, Network, Applications, Automation, Analytics) resting on a foundation of Data]

ACT-IAC lays out the six pillars of a zero trust security model that are built upon a foundation of data, summarized as:

Users: The ongoing authentication of trusted users, the continuous monitoring and validating of user trustworthiness to govern their access and privileges.

Devices: Measuring the real-time cybersecurity posture and trustworthiness of devices.

Network: The ability to segment, isolate and control the network, including software-defined networks, software-defined wide area networks and internet-based technologies.

Applications: Securing and properly managing the application layer as well as containers and virtual machines.

Automation: Security automation, orchestration and response (SOAR) allows organizations to automate tasks across products through workflows and for interactive end-user oversight.

Analytics: Visibility and analytics tools like security information and event management (SIEM), advanced security analytics platforms, user and entity behavior analytics (UEBA) enable security experts to observe what is happening and orient defenses more intelligently.

Source: Zero Trust Cybersecurity Current Trends, April 18, 2019, ACT-IAC



By definition, a successful zero trust security program must:

• Assume the network is always hostile.
• Accept that external and internal threats are always on the network.
• Know that the location of a network locality is not enough to decide to trust in a network.
• Authenticate and authorize every device, user and network flow.
• Implement policies that are dynamic and calculated from as many data sources as possible.

NIST similarly provides its own guidelines for implementing a successful zero trust strategy:

• All data sources and computing services need to be considered resources.
• All communication needs to be secured regardless of where a network is.
• Access to individual enterprise resources is granted on a per-session basis.
• Access to resources is determined by dynamic policy — including the observable state of client identity, application and the requesting asset — and may include other behavioral attributes.
• The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets accordingly.
• All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
• The enterprise collects as much information as possible about the current state of network infrastructure and communications, and uses it to improve its security posture.

These reports highlight that zero trust is a natural evolution in an organization’s cybersecurity mindset — moving from a defense-based approach that focuses on network defenses and static perimeters to focusing on users, assets and the resources available to them. Especially in the time of remote work, this has become a global imperative.

To be effective, the zero trust approach requires organizations to focus on leveraging company-wide data as its foundation. Understanding that all data is security-relevant is key.

Bringing data from across the organization delivers the holistic visibility — including context — required to make informed access decisions. Risk scores for entities requesting access can be dynamically calculated against a variety of conditions such as device, user credentials, behaviors, time of day and any other attributes collected through continuous monitoring.

Legacy                            Modern
Static, Perimeter-Based           Protect Assets, Users, Resources
Implicit Trust Within Perimeter   Assumption of Compromise/Continuous Evaluation
Comply to Connect to Network      Comply to Connect to Resource
Product/Tool Based                “Agency-Wide” Approach

Source: Zero trust cybersecurity current trends, ACT-IAC, April 2019
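The case management narrative on the previous page (a trusted user, a newly assigned device, an unknown driver that lowers the device’s trust score) and the NIST tenets above (per-session access, dynamic policy calculated from many data sources, continuous monitoring) describe one mechanism: a policy engine that scores each factor, combines them, and re-evaluates the session whenever the observed state changes. The following is an added example written for this guide, not code from Splunk, ACT-IAC or NIST. The signal names, weights, thresholds, the approved device baseline and the three device snapshots are constructed assumptions; a real deployment would take these inputs from an identity provider, an endpoint agent and a data classification inventory.

```python
"""Added example: a toy zero trust policy engine with continuous evaluation.
Not Splunk, ACT-IAC or NIST code; all signals, weights and thresholds are
constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime


@dataclass
class UserSignals:
    mfa: bool                      # did this session authenticate with MFA?
    failed_logins_last_hour: int   # taken from identity-provider logs (constructed)
    usual_hours: tuple = (7, 19)   # hours during which this user normally works


def user_trust(sig: UserSignals, now: datetime) -> float:
    """Trust in the requesting user, from 0.0 (none) to 1.0 (full)."""
    score = 1.0 if sig.mfa else 0.6
    score -= 0.1 * min(sig.failed_logins_last_hour, 5)
    start, end = sig.usual_hours
    if not start <= now.hour < end:        # an off-hours request costs trust
        score -= 0.2
    return max(0.0, round(score, 2))


def device_trust(observed: set, baseline: set) -> tuple[float, list]:
    """Trust in the device: every component outside the approved baseline is an
    unknown change to the configuration and lowers the score by a fixed step."""
    unknown = sorted(observed - baseline)
    return max(0.0, round(1.0 - 0.3 * len(unknown), 2)), unknown


# Resource sensitivity doubles as the trust level required for full access
# (the "Data Sensitivity" scale: more sensitive means more restrictions).
RESOURCE_SENSITIVITY = {"case-management": 0.8, "cafeteria-menu": 0.2}


def decide(user_score: float, device_score: float, resource: str) -> str:
    """Combine the factors: the weakest factor bounds the session's trust."""
    required = RESOURCE_SENSITIVITY[resource]
    combined = min(user_score, device_score)
    if combined >= required:
        return "allow"
    if combined >= required - 0.3:
        return "downgrade"   # e.g. read-only access or step-up authentication
    return "deny"


def evaluate_session(resource: str, user: UserSignals, baseline: set, snapshots):
    """Continuous evaluation: each snapshot (timestamp, observed device inventory)
    is re-checked as if it were a fresh access request, so the session never
    keeps the trust it was granted at login."""
    decisions = []
    for when, observed in snapshots:
        u = user_trust(user, when)
        d, unknown = device_trust(observed, baseline)
        decisions.append((when.isoformat(timespec="minutes"),
                          decide(u, d, resource), unknown))
    return decisions


# Constructed scenario mirroring the guide: an approved device, then an unknown
# driver appears, then a second unknown tool during an off-hours request.
BASELINE = {"os-build-2021.3", "edr-agent-5.1", "vpn-client-2.0"}
ALICE = UserSignals(mfa=True, failed_logins_last_hour=0)
SNAPSHOTS = [
    (datetime(2021, 3, 1, 9, 0), set(BASELINE)),
    (datetime(2021, 3, 1, 11, 0), BASELINE | {"vendor-driver-unsigned"}),
    (datetime(2021, 3, 1, 22, 0), BASELINE | {"vendor-driver-unsigned", "remote-tool-x"}),
]


def run_demo():
    """Returns [(time, decision, unknown components)] for the scenario above:
    allow at 09:00, downgrade once the driver appears, deny at 22:00."""
    return evaluate_session("case-management", ALICE, BASELINE, SNAPSHOTS)


if __name__ == "__main__":
    for when, decision, unknown in run_demo():
        print(when, decision, unknown)
```

Taking the minimum of the factor scores is the design choice that matters: a fully trusted user on a drifted device, or a clean device used by an account with a burst of failed logins, is capped by the weaker factor rather than averaged up. The same `decide` call applied to a low-sensitivity resource still returns "allow", which is the point of grading access by data sensitivity rather than by network location.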


Splunk and the zero trust model

The Splunk Data-to-Everything Platform offers a continuous monitoring and analytics solution for chief information security officers (CISOs) and security professionals who need to ensure secure access to their data and applications in the modern, perimeter-less enterprise.

The platform helps drive confidence and ongoing trust in access decisions, while ensuring component performance, policy adherence and availability across the zero trust ecosystem.

The Splunk Platform helps organizations ingest data from almost any source, monitor its infrastructure end-to-end, and optimize and increase effectiveness of the zero trust ecosystem.

Splunk specifically maps to the zero trust model in three ways:

1. Splunk increases confidence and trust in access decisions to enterprise resources by continuously monitoring and delivering visibility across users, assets and services.
2. Splunk delivers full-stack visibility into service health, component relationships and infrastructure, ensuring performance and availability, and predicting issues before they happen with machine learning.
3. Splunk helps reduce manual effort, analyst fatigue and costs by enforcing zero trust policies through task automation and workflow orchestration.

[Figure: Splunk zero trust data flow. Data sources: Devices (laptops, mobile, configurations, anomalies); Users and Entities; Workloads/Applications; Middleware/APIs (traffic, anomalies, performance, identity); Infrastructure; IoT/OT/Machines (identity, utilization, behavior, configurations); Cloud and SaaS Cloud (availability, performance, behavior); Threat Intel (vulnerabilities, threats, TTPs, IOs). Capabilities: User and Entity Behavior Analytics (UEBA), Continuous Monitoring (usage, experience, performance, quality), Real-Time Visibility, Behavior Analytics, Enterprise Security, Phantom (SOAR), Continuous Risk Scoring, Automation/Orchestration, Compliance, Service Insights, IT Service Intelligence (ITSI), Threat Intelligence.]



Increasing confidence, reducing risk

The fundamental premise of zero trust is to secure an organization’s data — wherever it might live — while allowing legitimate access to entities that need them. Splunk increases confidence and trust in access decisions to enterprise resources by providing visibility through continuous monitoring. This information helps the policy engine validate user, asset, and service trustworthiness and govern their access and privileges at each step dictated by an organization’s security policy.

Organizations can rely on the Splunk Platform for rich, contextual details on any user, asset or service requesting access to enterprise resources, at intervals dictated by the org’s policies, for fast and informed decisions.

Event management is combined with advanced security and behavior analytics for a sophisticated set of capabilities that are further augmented with machine learning. This enables the policy engine to determine the trustworthiness and risk posed by the entity requesting access to enterprise data at any given time in a dynamically adaptive manner.

More uptime, less stress time

Splunk also helps optimize and increase the effectiveness of the entire zero trust ecosystem. It delivers continuous, full-stack visibility into service health, component relationships and infrastructure, ensuring performance and availability, and predicting issues before they happen with machine learning. If a component goes down or does not perform as expected, IT and security staff are alerted quickly and the issue is pinpointed, saving hours in troubleshooting and helping recover lost data.

Additionally, organizations can gain real-time visibility across their network, endpoints and application stack to ensure compliance, faster audits and orchestrate any remediations of configuration drifts. They can continuously monitor components of the zero-trust infrastructure to ensure assets remain in the most secure state possible.



Reduce analyst fatigue and
manual effort, go home early
Splunk Phantom is a leading SOAR solution, automating tasks and
orchestrating workflows to help enforce zero trust policies. Phantom’s
extensible automation and orchestration capabilities help organizations
work smarter, respond to threats faster and strengthen cyberdefenses.
Phantom’s flexible application model supports hundreds of tools and
thousands of unique APIs, enabling organizations to connect and
coordinate complex workflows across their team and tools.

Phantom can also execute a series of actions — from detonating files to quarantining devices — across your security infrastructure in seconds, versus hours or more if performed manually. This reduces costs for organizations and frees up analysts to proactively hunt for cyberthreats and address higher-priority issues.

Implementing zero trust principles goes beyond technology. It must be embraced within the processes and by the teams supporting the organization. Phantom can increase collaboration and consistency with these standard operating procedures by codifying them into reusable templates, orchestrating human and machine tasks, and keeping all related data and activity in one centralized location.



Accelerate your zero trust strategy with Splunk

Splunk’s security suite acts as an organization’s security nerve center, delivering the visibility and necessary context to make decisions and take action.

Splunk does this by collecting, aggregating, de-duplicating and prioritizing threat intelligence from multiple sources. The solution is continually augmented with actionable use case content to help protect against the latest cybersecurity threats, assess risk profiles and activity status, and communicate them across the organization.

Splunk Enterprise Security (ES) is an industry-leading SIEM solution that delivers an end-to-end view of an organization’s security posture with actionable intelligence to prioritize incidents and respond appropriately.

Splunk ES has comprehensive security-specific views of data, which helps security teams detect cyberthreats faster and optimize incident response. It also provides rapid investigation capabilities, making it possible to detect malicious activities or breaches, and investigate the scope of a threat or an attack. Splunk ES also provides continuous risk assessment providing visibility and real-time insights on information assurance and adherence to policy and controls.

Splunk UBA is a user and entity behavior analytics (UEBA) solution that provides advanced and insider threat detection using unsupervised machine learning. This helps organizations find unknown threats and anomalous behavior across devices, users and applications.

Splunk UBA extends the power of Splunk ES by allowing organizations to act on high-fidelity threats, while optimizing threat detection and enabling targeted incident response. It delivers dynamic risk evaluation capabilities by continuously monitoring access control and user behaviors — internal and external — to detect any abnormal or unauthorized activities. It can automatically stitch together multiple anomalies across multiple entities — users, accounts, devices and applications — into a single threat, simplifying analysis and accelerating actions.

[Figure: Unified Security Platform – CDM, Compliance, SOC Operations, Zero Trust. Capabilities shown: Search and Investigate; Dashboards and Reports; Incident and Breach Response; Monitoring and Alerting; Threat Detection; Security Operations; Automation and Orchestration; Discover Anomalous Behavior; Detect Unknown Threats]
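The last paragraph above describes stitching several anomalies that involve the same users, accounts, devices or applications into one threat so an analyst triages one object instead of four alerts. The block below is an added example written for this guide, not Splunk UBA’s implementation: it treats entity names as nodes, joins anomalies that share any entity with a union-find, and scores each resulting threat from the severities of its members. The anomaly records, entity names and severities are constructed sample data.

```python
"""Added example: group anomalies that share an entity into a single threat.
Constructed sample data; not Splunk UBA's algorithm."""
from collections import defaultdict

# Constructed anomaly records, as a UEBA layer might emit them: each names the
# entities involved (prefixed by type) and carries a severity from 1 to 5.
ANOMALIES = [
    {"id": "a1", "kind": "login_unusual_hour",
     "entities": {"user:alice", "device:lt-0042"}, "severity": 2},
    {"id": "a2", "kind": "new_admin_account",
     "entities": {"user:alice", "account:svc-backup"}, "severity": 4},
    {"id": "a3", "kind": "large_egress",
     "entities": {"device:lt-0042", "app:file-share"}, "severity": 5},
    {"id": "a4", "kind": "port_scan",
     "entities": {"device:srv-db-1"}, "severity": 3},
]


def stitch(anomalies):
    """Return threats, highest score first. Two anomalies belong to the same
    threat when a chain of shared entities connects them (a1 and a3 share the
    device, a1 and a2 share the user, so a1, a2 and a3 form one threat)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    # Every entity named by one anomaly ends up in the same component.
    for a in anomalies:
        ents = list(a["entities"])
        for e in ents[1:]:
            union(ents[0], e)

    # Any entity of an anomaly resolves to the component root; group by it.
    groups = defaultdict(list)
    for a in anomalies:
        groups[find(next(iter(a["entities"])))].append(a)

    threats = []
    for members in groups.values():
        entities = set().union(*(m["entities"] for m in members))
        threats.append({
            "anomalies": sorted(m["id"] for m in members),
            "entities": sorted(entities),
            "score": sum(m["severity"] for m in members),
        })
    threats.sort(key=lambda t: t["score"], reverse=True)
    return threats


if __name__ == "__main__":
    for t in stitch(ANOMALIES):
        print(t["score"], t["anomalies"], t["entities"])
```

On the sample data the off-hours login, the new admin account and the large egress collapse into one threat with score 11 spanning the user, the device, the service account and the file share, while the unrelated port scan stays a separate, lower-scored threat. Summing severities is deliberately simple; the part worth keeping is that correlation runs over shared entities rather than over alert names, which is what lets a low-severity login anomaly raise the priority of the egress it preceded.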



As mentioned earlier, Splunk Phantom is a leading SOAR solution. Phantom’s extensible automation and orchestration capabilities help organizations work smarter, respond to threats faster and strengthen cyberdefenses. Phantom’s flexible application model supports hundreds of tools and thousands of unique APIs, enabling organizations to connect and coordinate complex workflows across teams and tools.

Splunk IT Service Intelligence (ITSI) is the solution that helps organizations prevent service disruptions before they occur, applying machine learning to data for full-service monitoring, predictive analytics and streamlined incident management. It can predict service degradations and get ahead of investigations by empowering teams to take action quickly before any impact.

ITSI correlates and applies machine learning to metric, log and trace data, and integrates monitoring, event management and incident response into one platform. ITSI’s alert management and analytic capabilities provide near real-time, predictive performance dashboards to monitor service health. This can integrate with IT Service Management (ITSM) and orchestration tools like VictorOps and Splunk Phantom, so teams can monitor, detect, respond and resolve incidents all from one place.

Data is at the center of any successful zero trust strategy — regardless of its source or type. The biggest barrier to unlocking the full potential of data is the systems and structures trapping its value. Removing these roadblocks will unleash a potential gold mine for organizations. This very flexibility and openness of the Splunk portfolio allows teams to connect disparate technologies together — helping teams make better, faster, and more effective decisions across security, IT operations, and every other part of the enterprise, as well as take precise action to defend an organization, and ultimately, embrace zero trust.



Learn More
Ready to learn more about how the Splunk Data-to-Everything™ Platform
can help you build a zero trust policy? Speak with a Splunk expert to discuss
your environment and assess your requirements so we can help you navigate
these challenging times.

Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of
Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong
to their respective owners. © 2021 Splunk Inc. All rights reserved.

21-17850-SPLUNK-Embracing a Zero Trust Security Model-EB-102
