
How will zero trust change the incident response process?

January 19, 2022, by Gilad Maayan

What is zero trust security?

Zero trust is a network security model that applies strict identity verification for any user, application, and device attempting to access resources on a private network. Whether the attempt originates from within or outside the network perimeter does not matter — all must abide by the predefined zero trust rules and policies. 

The zero trust model is applied holistically by employing various technologies and principles. Typically, it involves using zero trust network access (ZTNA) technology, which is designed especially for zero trust architecture, alongside additional network security tools and practices. The purpose of this variety is to ensure no entity within the scope of the network is trusted by default.

Zero trust security practices and policies help organizations avoid the high costs of data breaches. Zero trust processes often require verification from any entity attempting to access network resources. Zero trust creates an additional layer of security, which can help prevent data breaches. According to studies by IBM, the cost of a data breach can often reach well over $3 million.


Zero trust’s critical role in modern security

The traditional security paradigm tries to build security defenses around a perimeter. However, today’s organizations use modern practices that leverage cloud resources and remote work paradigms. Corporate networks are now required to allow access to devices that the organization does not necessarily control. As a result, there is no clear perimeter to defend, and personally owned laptops and tablets can turn into entry points for attacks.

Organizations need to defend their networks and IT assets from all threats — those existing within the network and those allowed remote access, including devices, applications, infrastructure, data, and identities. Modern security paradigms consider the distributed and complex nature of today’s network, offering organizations tools, techniques and technologies capable of securing modern networks.

Zero trust adoption in the U.S.

Zero trust is a modern security concept designed to help organizations protect complex and distributed ecosystems. It is even mentioned in Section 3 of the EO, which asks the federal government to modernize its cybersecurity approach. According to Section 3, to modernize cybersecurity, government agencies need to accelerate their move to secure clouds and implement zero trust security controls, such as end-to-end data encryption and multifactor authentication.

The National Institute of Standards and Technology (NIST) of the US Department of Commerce is developing federal standards and guidance for zero trust security. Here are key tenets of zero trust, as defined by NIST: 

  • Use dynamic resource authentication and authorization — these processes should be dynamic to allow flexibility and strictly enforced before any access is allowed.
  • Evaluate trust in the requester on every access attempt before granting access — grant access with the least privileges required to complete a task.
  • Remain on the defensive — ensure your assets always act as if a threat actor is present on the network.

Zero trust helps organizations become more consistent, resilient, and responsive to new attacks. An end-to-end zero trust strategy makes it harder for threat actors to get into your network while minimizing the potential blast radius by preventing lateral movement.  

The five zero trust domains

Organizations need to break down their IT security domains into foundational components to implement zero trust security. Instead of applying zero trust across the entire organization at once, first analyze all zero trust domains that can support IT security, then prioritize them and plan how to raise the maturity level of each domain.

Here are several zero trust domains:

  1. Automation and orchestration — achieve proactive security by automating prevention, detection, and response actions via integrated security controls. By automating investigative tasks, operations and security teams can become more productive. By orchestrating pre-defined incident response activities in near real-time, teams can detect threats and quickly take action to isolate and neutralize them.
  2. Identities — the core component of zero trust architectures. Identities serve as the new perimeter. By centralizing authentication and authorization, you can allow your workforce to quickly and securely access company resources, using access management and streamlined authentication.
  3. Data — an effective zero trust strategy classifies data. It protects data in transit and at rest using encryption, data loss prevention (DLP), and advanced data discovery capabilities to protect sensitive data.
  4. Networks — the corporate network is in charge of carrying traffic between devices, applications and users. Zero trust practices for network security include segmentation, monitoring and activity analysis. The goal is to operate on the assumption that any network connection request is untrustworthy.
  5. Devices — including known or managed devices, unmanaged devices and smart devices like Internet of Things (IoT). All devices that can connect to enterprise assets should be continuously assessed for threats and risks. You can use the identity of the device, the logged-in user or other contextual signals to inform risk-based adaptive access decisions.

Quick primer to the incident response process

Incident response is a core process at any security organization. It ensures that an organization can identify security threats and respond to them in a timely manner, minimizing damage to the organization. Like other aspects of network security, incident response will be dramatically affected by implementing zero trust.

Before we examine the impact of zero trust on incident response, let’s review the two frameworks most commonly used to structure incident response processes:

  • SANS Incident Response Framework — SANS is the world's biggest security training and certification provider, operating a system for warning organizations of the latest cyber threats. SANS has published an Incident Response manual that provides a structured incident response process encompassing six steps, from pre-incident preparation to lessons learned from the incident.
  • NIST Incident Response Framework — The National Institute of Standards and Technology (NIST) is an organization run by the U.S. Department of Commerce, which establishes various industry standards and provides recommendations for incident response. NIST offers an incident response strategy with four steps, which stipulates that incident response efforts must be continuous, with organizations learning and improving over time to strengthen their defenses.

The following summarizes the recommended incident response procedures for each framework. SANS steps 3 to 5 correspond to NIST step 3.

SANS Incident Response Process

  1. Preparation: Create security policies, perform risk assessments, identify sensitive assets, and establish incident response teams.
  2. Identification: Monitor IT systems, implement anomaly detection, identify the security incidents that present a real threat, and investigate priority incidents to determine the type of threat and its severity.
  3. Containment: To prevent the threat from spreading, perform short-term quarantine of infected assets, followed by temporary repairs and clean system reconfiguration.
  4. Eradication: Remove malware and other threats, remediate vulnerabilities and determine the root cause of the attack to help you prevent similar attacks from occurring in the future.
  5. Recovery: Take steps to prevent other attacks and bring production systems back online. Test, verify and monitor your system as it recovers.
  6. Lessons learned: Within two weeks of the end of an incident, review actual events and prepare a complete document, evaluating containment efforts and identifying areas for improvement in the process.

NIST Incident Response Process

  1. Preparation: Prepare IT asset lists, identify key assets, define security incident types, set up security monitoring, and create an incident response program for each threat.
  2. Detection and analysis: Identify events by collecting data from security tools, IT systems, and external sources to identify and analyze precursors (which signal upcoming events) and indicators (which signal real attacks).
  3. Containment, eradication and recovery: The isolation strategy may differ according to the degree of damage, the requirement for continued access to the affected system, and the time it takes to implement the solution. Once an incident is contained, you can remove all threats from your environment, restore systems to normal operation, and take steps to prevent the targeted assets from being attacked again.
  4. Post-incident activity: Learn from past incidents to inform and improve your incident response strategy. Prepare for future incidents by using survey results to align your incident response policies and procedures.

How will the zero trust domains impact incident response?

Zero trust changes the structure and operating characteristics of networks. This means it also changes the way we do incident response. The following summarizes how each zero trust domain will impact different stages of the incident response cycle (stage names are given as SANS / NIST).

  • Automation and orchestration (Identification / Detection and analysis): Zero trust automation can reduce alert fatigue and help incident responders discover relevant incidents faster. In a zero trust environment, it is easier to correlate identity and context to understand the significance of security events and the likelihood of real incidents.
  • Automation and orchestration (Containment): Zero trust environments provide automated tools for containing threats, primarily network segmentation. In the past, security teams would have to configure firewall rules or make changes on devices to isolate threats. This can now be centrally managed through solutions like ZTNA.
  • Identities, devices (Identification / Detection and analysis): The concept of identities makes incident investigation much easier by providing granular information about the user, device, and context of a malicious access attempt.
  • Identities, devices (Lessons learned / Post-incident activity): After a security incident is over, it can be used to fine-tune identity definitions in the zero trust environment. For example, if a certain type of identity was compromised, that category of identities should have more stringent access criteria going forward.
  • Data and networks (Identification / Detection and analysis): The zero trust approach to data and network security improves the ability of incident responders to identify and respond to insider threats. In the past, the main focus of incident response was on attackers breaching the external network perimeter. With zero trust, incident responders are equipped to detect attacks on data sources or network segments from within the network perimeter.
  • Data and networks (Eradication / Recovery): In the past, recovering from a security breach was messy and time-consuming. Attackers could spread to any part of the network because there were no clear boundaries inside the perimeter. In a zero trust environment, attacker movement is inherently limited, so it is possible to identify exactly what part of the network was compromised, clean it and rapidly recover systems.
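As an added example (not code from the article or from any ZTNA product), the following Python sketch shows how the tenets above fit together: a policy decision point that re-evaluates every request against identity, device posture and resource sensitivity, emits a decision record carrying that context, and a detection step that correlates deny decisions per identity so responders can spot a misused account and contain it. The device inventory, resource classification and access requests are constructed sample data.

```python
from collections import defaultdict

# Constructed sample inventory (not from the article): device posture and resource sensitivity.
DEVICE_POSTURE = {
    "lt-1001": {"managed": True, "patched": True},
    "lt-1002": {"managed": True, "patched": False},
}
RESOURCE_SENSITIVITY = {"wiki": "low", "hr-payroll": "high"}


def evaluate_request(req):
    """Policy decision point: re-evaluate every request against identity, device
    posture and resource context, granting only the entitlements the task needs."""
    reasons = []
    posture = DEVICE_POSTURE.get(req["device"])
    if posture is None:
        reasons.append("unknown-device")  # never trusted by default
    elif not (posture["managed"] and posture["patched"]):
        reasons.append("device-posture")
    # An unknown resource is treated as high sensitivity (fail closed)
    if RESOURCE_SENSITIVITY.get(req["resource"], "high") == "high" and not req["mfa"]:
        reasons.append("mfa-required")
    if req["action"] not in req["entitlements"]:
        reasons.append("least-privilege")
    # The decision record keeps identity, device and context so responders can correlate it
    return {"user": req["user"], "device": req["device"], "resource": req["resource"],
            "decision": "deny" if reasons else "allow", "reasons": reasons}


def correlate_denials(records, min_devices=2):
    """Detection: one identity denied from several distinct devices in a batch is a
    signal of credential misuse; returns user -> devices for triage and containment."""
    seen = defaultdict(set)
    for rec in records:
        if rec["decision"] == "deny":
            seen[rec["user"]].add(rec["device"])
    return {u: sorted(d) for u, d in seen.items() if len(d) >= min_devices}


REQUESTS = [  # constructed sample access requests
    {"user": "alice", "device": "lt-1001", "resource": "wiki", "action": "read", "mfa": False, "entitlements": {"read"}},
    {"user": "alice", "device": "lt-1001", "resource": "hr-payroll", "action": "read", "mfa": True, "entitlements": {"read"}},
    {"user": "bob", "device": "lt-1002", "resource": "hr-payroll", "action": "read", "mfa": True, "entitlements": {"read"}},
    {"user": "bob", "device": "unknown-7", "resource": "wiki", "action": "write", "mfa": False, "entitlements": {"read"}},
    {"user": "bob", "device": "lt-1001", "resource": "hr-payroll", "action": "read", "mfa": False, "entitlements": {"read"}},
]

if __name__ == "__main__":
    records = [evaluate_request(r) for r in REQUESTS]
    print("suspicious identities:", correlate_denials(records))
```

In a real deployment the decision records would be forwarded to the SIEM, and the correlation output would drive the per-identity access tightening described under lessons learned.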


Evolution of zero trust

Zero trust is changing everything about how we do security, and incident response is no exception. The zero trust model, and its supporting technology solutions, have tremendous potential to improve incident response. Zero trust provides:

  • Additional context about security events that can help identify incidents and respond faster and more effectively
  • Sophisticated tools for network segmentation and isolation that can rapidly contain threats
  • Ability to adapt access policies in a highly granular manner in the wake of an attack to prevent similar threats from recurring

Change is never easy, but once incident responders modify their process to adjust to the new environment, they will be much better equipped to deal with the emerging threats of the 2020s and beyond.


Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.