Zero Trust (ZT) isn’t anything new. It’s just a rearrangement of long-described controls within NIST 800-53 to meet the objective of a Zero Trust Architecture (ZTA). Subsequently, NIST created Special Publication 800-207, which details a ZTA with seven basic tenets to achieve success. The primary focus, as driven by the security industry, is and has been on identity and access for the purpose of mitigating the risk of exfiltrated data with Tenets #1, #2, #3, #4, and #6. However, Tenet #5 specifically calls for the enterprise to monitor and measure the integrity and security posture of all owned and associated assets.
So, the question arises: what is “integrity,” and how do you monitor and measure it? Integrity is the property of a system that is designed, implemented, and operated so that it can continuously identify unauthorized deviations and be restored to a previously known and trusted state of operation when unauthorized change happens. Deviations are measured as anything that is added, modified, or deleted across the workloads of an infrastructure, whether servers, VMs, cloud configurations, containers, network devices, etc. This is accomplished through the implementation of a closed-loop workflow and ticketing system that includes controls for system hardening, configuration management, change management, change prevention, change reconciliation, roll-back and remediation, STIX/TAXII feeds, and file allow-listing capabilities.
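As an added illustration that is not part of the original article, the following Python sketch shows the core of the measurement loop described above: fingerprint a known-trusted baseline, classify every deviation as added, modified, or deleted, then reconcile each deviation against approved change tickets so that only unauthorized change surfaces as an alert. File paths, contents, and ticket identifiers are constructed sample data; `reconcile` treats a deviation as authorized only when a ticket covers the same path, the same action, and (for adds and modifications) the exact hash now observed.

```python
import hashlib
from pathlib import Path


def fingerprint(files: dict[str, bytes]) -> dict[str, str]:
    """Map relative path -> SHA-256 of content for an in-memory snapshot."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def snapshot_dir(root: str) -> dict[str, str]:
    """Fingerprint every regular file under a directory tree (real-world input)."""
    base = Path(root)
    return fingerprint({p.relative_to(base).as_posix(): p.read_bytes()
                        for p in base.rglob("*") if p.is_file()})


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every deviation from the trusted baseline as added, modified, or deleted."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def reconcile(deviations: dict[str, list[str]], current: dict[str, str], approved: dict) -> dict:
    """Change reconciliation: authorized only if a ticket matches path, action, and (for
    added/modified) the observed hash. Anything else is unauthorized change to roll back."""
    authorized, unauthorized = [], []
    for kind, paths in deviations.items():
        for path in paths:
            t = approved.get(path)
            ok = t is not None and t["action"] == kind and (kind == "deleted" or t["sha256"] == current[path])
            if ok:
                authorized.append((path, kind, t["ticket"]))
            else:
                unauthorized.append((path, kind))
    return {"authorized": sorted(authorized), "unauthorized": sorted(unauthorized)}


def demo() -> tuple[dict, dict]:
    """Constructed scenario: one approved binary update, one approved new agent, an
    sshd_config edit that does not match its ticket, and an unticketed cron deletion."""
    sha = lambda b: hashlib.sha256(b).hexdigest()  # noqa: E731
    baseline = fingerprint({"etc/ssh/sshd_config": b"PermitRootLogin no\n", "usr/bin/app": b"v1",
                            "etc/cron.d/backup": b"0 2 * * * root /usr/bin/backup\n"})
    current = fingerprint({"etc/ssh/sshd_config": b"PermitRootLogin yes\n", "usr/bin/app": b"v2",
                           "usr/bin/agent": b"agent"})
    approved = {  # constructed change tickets (placeholder ids)
        "usr/bin/app": {"ticket": "CHG-1001", "action": "modified", "sha256": sha(b"v2")},
        "usr/bin/agent": {"ticket": "CHG-1002", "action": "added", "sha256": sha(b"agent")},
        "etc/ssh/sshd_config": {"ticket": "CHG-1003", "action": "modified",
                                "sha256": sha(b"PasswordAuthentication no\n")},
    }
    deviations = diff_baseline(baseline, current)
    return deviations, reconcile(deviations, current, approved)
```

Only the two unauthorized items (the sshd_config edit whose content differs from what CHG-1003 approved, and the unticketed cron deletion) would reach an operator, which is how reconciliation against the ticketing system cuts the alert noise the article goes on to describe.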
The problem that has plagued the implementation of integrity over the years has been threefold:
1. The amount of noise (alerts) due to the number of changes occurring on a daily basis.
2. The inability to scale to demanding enterprise levels.
3. The exorbitant number of false positives.