How to Collect Real-time Forensic Data in a Zero Trust Architecture Model

Hybrid work models have changed the way we work, but they have also had a significant impact on cybersecurity. A few short years ago, network management was built around perimeter-based security models. Modern internet-connected organizations, by contrast, offer multiple remote access methods, support mobile users, and integrate cloud services. Adding to this complexity are third-party suppliers and their networks, with systems from many suppliers overlapping within supply chains.

There is no longer a single identifiable perimeter for a business, and if an attacker breaches any endpoint, they can often move laterally through the network, unhindered and potentially undetected, and even into a third-party network. In response, zero trust security architecture has emerged to focus on users, assets, and resources rather than on the traditional perimeter. The approach is ‘deny until verified’: users get access to the platforms and data they need, and nothing more.

The National Institute of Standards and Technology (NIST)’s zero trust architecture (ZTA) guidance, SP 800-207, makes the point that role-based access controls and trusted authentication mechanisms on their own are not enough for a modern organization: no implicit trust should be granted to assets or user accounts based solely on their physical or network location.

ZTA is a response to this extended threat landscape, but it poses problems of its own. For example, a tool that identifies and monitors advanced persistent threats (APTs) and forensically analyzes the actions of threat actors attempting to infiltrate a network or move laterally through organizational assets typically requires software installation, administrative access, and permission to connect to external systems, all of which cut against the zero trust principle of granting only the access that has been verified and is necessary.

This leaves the question: how can attacker activity be detected and prevented without breaking or bypassing zero trust controls? Remember that threat actors are looking for any vulnerability that lets them bypass the authentication subsystem and role-based access controls and gain administrator-equivalent access to the system.

If an attacker does breach a network, security teams need to gather the forensic data required to answer who, what, when, where, how, and ‘how bad is it’, in real time, and to identify suspicious activity quickly and efficiently. That is only possible with centralized collection, analysis, and reporting of the important logs from the business’s critical assets: servers and desktops, network devices such as firewalls, routers, switches, and wireless access points, and other devices. And the collection itself needs to adhere to ZTA.

To address this need, enforce ZTA, and help organizations meet existing and new cybersecurity requirements, Snare Central provides a comprehensive logging, detection, and analysis tool for any cyber team. Snare is designed to operate in air-gapped networks and does not need to phone home to the internet to send or receive information. Snare Agents can be used in networks separated by a data diode, where the physical return path is cut and data can travel in one direction only. This allows forensic log data to be collected from low-security networks and consolidated and reviewed on higher-security systems. One caveat follows from the diode itself: with no return path, the transport has to be acknowledgement-free (as with UDP syslog), so the sender cannot confirm delivery, and the receiving side should be sized for the peak event rate. The agent-based, push-only design also avoids the credentials and access controls that agentless collection needs, where the collector must authenticate to every source system; an agent needs only an outbound path, which removes the trust relationship between networks of different security levels.

Snare Central aligns with the U.S. Executive Order on Improving the Nation’s Cybersecurity (EO 14028) and OMB Memorandum M-21-31, which sets out an event logging maturity model, supporting centralized access and visibility across the enterprise and a business security operations center (SOC).[1] With features like the Snare Management Center (SMC), enhanced automated alerting, and new log types, Snare Central expands coverage and investigation capabilities. Cloud-based log management and reporting also support cloud and hybrid environments, which is crucial for modern organizations operating within a ZTA framework.

Enhanced through integration with extended detection and response (XDR) and Sysmon[2], Snare provides deeper insight into system activity to strengthen defenses within a ZTA, and it aligns with the MITRE ATT&CK framework to help organizations understand attack techniques and refine their defense strategies[3]. Snare also supports compliance with NIST SP 800-171[4], which governs the safeguarding of controlled unclassified information (CUI)[5].

In fact, Snare Agents and Snare Central support many use cases, such as:

  • constantly collecting data relating to the actions of users on systems and network devices
  • securely retaining data for as long as the organization needs, away from the systems that generated the data where the risk of data tampering is high
  • providing regular scheduled reporting on what users are doing and which commands or tools they are running, together with regular reviews of user privilege levels and access to sensitive information, in order to surface unusual usage patterns
  • providing the capability to execute ‘what if’ data analysis and hunting for threats and usage patterns
  • using built-in heatmaps, graphs, and tabular output to see data patterns
  • cross-linking and correlating data over multiple data sources and systems for common data elements
  • tracking lateral movement around the network, and monitoring remote access from local systems
  • monitoring privilege escalation, and tracking whether it occurred via a privileged shell, a software flaw, or an application-level escalation
  • determining whether role-based access controls were circumvented
  • monitoring for abnormal software behavior that indicates malware or supply chain compromise, such as an application accessing systems, network ports, or resources without reason, or running commands when it should not
  • detecting whether data in SQL databases has been changed or accessed, through database activity monitoring (DAM), and determining what tools were used, at what privilege level, and from which systems and endpoints the databases were accessed
  • monitoring system and network traversal for situations where data was copied out of a system or exfiltrated to other destinations.
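To make the lateral movement and privilege escalation use cases concrete, here is a small correlation over centralized Windows Security events. It is an added example written for this article, not Snare code, and it does not claim to reproduce Snare’s record format: the tab-separated layout (collector timestamp, source host, event ID, account, source address, logon type, detail) and the sample records are constructed for the illustration, and the allowlist of accounts expected to hold special privileges is a hypothetical tuning parameter. The Windows event IDs themselves are real: 4624 (logon, with logon type 3 = network and 10 = RemoteInteractive), 4672 (special privileges assigned at logon), and 4688 (new process created). A network logon followed within a short window by a new process on the same host for the same account is reported as lateral movement, answering who, where, from where, when, and what ran; a 4672 for an account not expected to be privileged is reported as an escalation indicator. A logon whose first process only appears hours later falls outside the window and is deliberately not flagged.

```python
"""Correlate centralized Windows Security events to flag lateral movement
and privilege escalation. Added example for this article; not Snare code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Maximum gap between a remote logon and the first process it spawns.
WINDOW = timedelta(minutes=5)
# 3 = network logon (SMB, WinRM, PsExec-style), 10 = RemoteInteractive (RDP).
NETWORK_LOGON_TYPES = {"3", "10"}
# Hypothetical allowlist: accounts that are expected to receive 4672.
EXPECTED_PRIVILEGED = {"Administrator", "svc_backup"}

# Constructed sample records. The field layout is an assumption made for this
# example (collector ts, host, event id, account, src ip, logon type, detail),
# not the layout of any real Snare output.
SAMPLE_LOG = """\
2024-03-04T02:10:05Z\tWS-17\t4624\tjdoe\t10.0.5.23\t2\tinteractive logon
2024-03-04T02:11:40Z\tWS-17\t4688\tjdoe\t-\t-\tC:\\Windows\\System32\\cmd.exe
2024-03-04T02:12:02Z\tSRV-FILE01\t4624\tjdoe\t10.0.5.17\t3\tnetwork logon
2024-03-04T02:12:02Z\tSRV-FILE01\t4672\tjdoe\t-\t-\tSeDebugPrivilege;SeBackupPrivilege
2024-03-04T02:12:31Z\tSRV-FILE01\t4688\tjdoe\t-\t-\tC:\\Windows\\System32\\wsmprovhost.exe
2024-03-04T02:13:10Z\tSRV-DB02\t4624\tsvc_backup\t10.0.9.4\t3\tnetwork logon
2024-03-04T09:00:00Z\tSRV-DB02\t4688\tsvc_backup\t-\t-\tC:\\Backup\\agent.exe
"""


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: str
    account: str
    src_ip: str
    logon_type: str
    detail: str


def parse_records(text: str) -> List[Event]:
    """Parse tab-separated records into Events, oldest first."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"malformed record: {line!r}")
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, *fields[1:]))
    return sorted(events, key=lambda e: e.ts)


def analyse(events: List[Event]) -> List[dict]:
    """Return findings: one dict per lateral movement or escalation indicator."""
    findings: List[dict] = []
    # Remote logons per (host, account) still waiting for their first process.
    open_sessions: Dict[Tuple[str, str], Event] = {}
    for ev in events:
        key = (ev.host, ev.account)
        if ev.event_id == "4624" and ev.logon_type in NETWORK_LOGON_TYPES:
            open_sessions[key] = ev
        elif ev.event_id == "4672" and ev.account not in EXPECTED_PRIVILEGED:
            findings.append({
                "type": "privilege_escalation", "who": ev.account,
                "where": ev.host, "when": ev.ts.isoformat(), "how": ev.detail,
            })
        elif ev.event_id == "4688" and key in open_sessions:
            logon = open_sessions.pop(key)
            if ev.ts - logon.ts <= WINDOW:
                findings.append({
                    "type": "lateral_movement", "who": ev.account,
                    "where": ev.host, "from": logon.src_ip,
                    "when": ev.ts.isoformat(), "what": ev.detail,
                })
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_records(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed records, this reports two findings on SRV-FILE01: jdoe receiving SeDebugPrivilege at logon, and jdoe’s network logon from 10.0.5.17 followed by wsmprovhost.exe (the WinRM host process) half a minute later. The svc_backup session on SRV-DB02 is not reported because its first process appears almost seven hours after the logon. In a real deployment the window, the logon types, and the privileged allowlist are the knobs to tune against the organization’s own baseline.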

All of these use cases, and more, can be addressed by collecting the relevant logs from systems, applications, and devices with Snare Central and Snare Agents. To find out how Snare can help your organization collect real-time forensic data, contact the team today.