Sometimes we get asked the question “Would Zero Trust have prevented [insert high-profile breach]?” The breach could have been Equifax, SolarWinds or the United States Office of Personnel Management. We have not yet been asked about Microsoft’s announcement this month, in which it acknowledged that it had been a target of NOBELIUM, the threat actor behind the attacks on SolarWinds.
The meta-answer to this question remains the same. Asked whether Zero Trust would have prevented the breach, the correct answer is:
“Zero Trust recognizes that bad things can happen to good people, and puts in place techniques to limit the blast radius, detect the incident and then respond automatically.”
Each breach also has a specific and detailed answer that depends on the mechanism used to gain entry and/or propagate. For SolarWinds, the initial threat vector is not known; the dissemination method was a previously trusted software supply chain. Solorigate, another child of NOBELIUM, was propagated through SolarWinds and involved downloading and installing Cobalt Strike on an endpoint.
Modern Zero Trust architectures, exaggerated vendor claims notwithstanding, do not promise to prevent these attacks or render the environment invulnerable to them. Instead, the controls accomplish the following: endpoint protection stops malicious activity; endpoint detection and response finds what protection missed; microsegmentation stops lateral spread; and a crack security operations center uses security automation to remediate.
For the recent case in which NOBELIUM compromised a Microsoft support agent, we have no details on the initial compromise. Perhaps the most interesting thing about NOBELIUM’s intrusion is what it did afterwards. It also shows that spear-phishing campaigns, the most effective and most pedestrian threat vector available today, are not going away.
What saved Microsoft was its commitment to the principle of least-privilege access, which Forrester’s Zero Trust Model has long advocated. The support agent likely had access only to the customer information they were working on.
The announcement is a reminder of four core tenets of Zero Trust:
- High-profile organisations will be breached.
- Zero Trust doesn’t make a company breach-proof.
- Zero Trust is a way to limit the damage when it’s correctly designed and applied.
- Zero Trust builds on least privilege, a long-standing security principle.
This blog was written because security professionals can use the Microsoft breach to illustrate how Zero Trust reduces the impact of successful intrusions in real-world incidents. Zero Trust has been our ten-year overnight success at Forrester. We see it this way because it is refreshing to read about a breach whose impact was limited, instead of about another security failure. The Zero Trust security principles that Microsoft endorses and adheres to worked.
Microsoft disclosed a small security breach that affected only a few customers, and it was largely ignored. There was no need to notify thousands of customers, set up a separate website for individuals to check whether they were affected, or hire support staff to deal with an influx of calls. The breach was contained by adhering to Zero Trust principles: Microsoft quietly announced that a very limited intrusion had occurred and stopped the bleeding.
This breach proves Zero Trust works.
This is a great example of what breach announcements could look like in a Zero Trust world if we all accept the inevitable.