
Tenable Blog


The Path to Zero Trust: Is it Time to Rethink What We're Calling a Vulnerability?


Reconsidering how we define "vulnerability" is more than a thought exercise. It could represent a sea change in how organizations manage risk.

For most of us in cybersecurity, the definition of "vulnerability" has always been fairly straightforward: "a flaw in code or design that creates a potential point of security compromise for an endpoint or network." 

Outside IT circles, though, the word has a far broader meaning. According to the Oxford English Dictionary, vulnerability is "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." 

Has the cybersecurity sector done itself a disservice by not giving more consideration to this second meaning — and how it factors into the design of enterprise security architectures?

These questions arise as we consider two significant trends: the rise of ransomware attacks around the globe, and the resurgence of interest in the principles of zero trust.

Trust is a vulnerability

For ransomware to succeed, attackers must first gain an initial foothold and then find a way to move laterally within an organization by exploiting vulnerabilities and misconfigurations in systems such as Active Directory. In a typical organization, user access and privileges are granted based in part on the notion that one user is fundamentally more trustworthy than another, based on their role or standing in the organization.

If we take the view of John Kindervag — who first coined the zero-trust concept as a Forrester analyst in 2009 and remains a leading evangelist in his current role at On2IT — then we have to consider the notion that trust itself is a vulnerability. 

In a 2017 blog post, Kindervag wrote: "Trust is no different from a vulnerability in Apache Struts. It's something we must address in our organizations and digital systems as much as any software vulnerability. And if we've learned anything from recent data breaches, it's that vulnerabilities are what are exploited, and all vulnerabilities must be mitigated."

Kindervag elaborated on his point of view more recently, during a May 6 panel discussion hosted by the U.S. National Security Telecommunications Advisory Committee (NSTAC). The session — moderated by my Tenable co-founder Jack Huffard — explored the challenges of adopting zero trust in both government agencies and private enterprises. Kindervag emphasized that the concept of trust comes from our drive to anthropomorphize the network, seeing "people" where we should be seeing "packets."

According to Kindervag, the goal is to eliminate the human emotion of trust in our digital environments. "Zero trust is a strategic initiative that helps prevent successful data breaches, meaning the exfiltration of sensitive information ... by eliminating trust in your organization," Kindervag said. "It is designed to prevent lateral movement. No matter which technology or vendor you use to deploy zero trust, the strategy always remains the same ... The technology will always change but the strategic objectives will remain in place for a long time to come."

What do we mean by 'vulnerability'?

At Tenable, we believe disrupting attack paths in order to foil lateral movement represents one of the best defenses against all manner of cyberattacks, from the commonplace to the most sophisticated ransomware. While we agree in principle with Kindervag's positioning of trust as an inherent vulnerability, we believe it's only the beginning of a sea change in how the cybersecurity industry at large defines "vulnerability." In our view, the meaning of "vulnerability" also needs to include factors such as:

  • misconfigurations in Active Directory and cloud services, which often provide a primary attack path for ransomware actors;
  • mismanagement of identities, which are vital IT assets that can be compromised;
  • security gaps in the software supply chain, which must be closed to prevent the next SolarWinds-style attack.

For cybersecurity leaders, preparing for a zero trust journey is less an exercise in evaluating technologies and more an exercise in strategic thinking, requiring you to answer fundamental questions such as:

  • What is your organization's core mission or value proposition?
  • What are the workflows required to fulfill that mission? 
  • Who owns those workflows? 
  • How does data flow in the organization?
  • Which are your high-value assets, the so-called "keys to the kingdom"?
  • How does the organization determine who is granted access to these high-value assets?
  • How often does the organization audit user permissions once they are set?
  • How will you design a "protect surface" to secure your most critical assets?

Answering these questions requires full visibility and continuous monitoring of your entire attack surface, including IT, internet of things and operational technology assets, and the ability to assess the criticality of each asset to deliver on your organization's core mission. No zero trust journey can begin without first addressing these fundamentals of cyber hygiene. 
