Look to the Roman Empire to Truly Understand Zero Trust

With the network border blurry at best, we no longer have a single and convenient point of telemetry collection to force the attacker in the open.

It seems that the term “zero-trust” is emerging as the latest buzzword in network security and cybersecurity communities. To explain it, one can look to the Days of Antiquity, at the height of the Roman Empire when its borders encompassed most of Europe, Northeast Africa and the Middle East. Much of the early years of the Empire was focused on what was known as “Preclusive Security” which was an expansionist approach of fighting opponents either in their own lands or at a heavily fortified border. 

The problem was that as the Empire expanded, so did its borders, which increasingly proved difficult to staff and resupply with loyal legionnaires, and ultimately became significantly harder to defend. Once invaders like Attila the Hun were able to breach the heavily guarded border, there was little that stood in their way from nearly capturing both Constantinople and Rome.  

These challenges associated with the ever-sprawling border precipitated a shift in the Empire’s strategy to what’s called “defense-in-depth,” which established a series of lightly-defended sentry posts at the borders instead of heavily fortified outposts. 

While the border may not have been hardened any longer, the sentry posts served as the eyes and ears of the Empire. In the event of an enemy invasion, instead of holding their ground and fighting their opponents at the border, sentries retreated to reinforced positions within their own territory for a better chance to repel invaders. 

Fast Forward Two Millenia 

In the 1980s and beyond, we began applying this same defense-in-depth philosophy to our IT networks, layering protection and redundancies to reduce vulnerabilities, instead of a hardened border. In “those days of antiquity” with .rhosts files and unencrypted telnet protocols, often simply penetrating the firewall could lead to a total compromise of an entire network. 

As our networks evolved into their modern-day software-as-a-service-heavy, hybrid-cloud infrastructure equivalents, much like the Romans, we find our networks further at the edge than ever before. Many contend that they are so far and distributed that it is difficult to clearly define a border to defend.   

Nemo Sine Vitio Est (No One is Without Fault) – Seneca the Younger 

At its core, zero trust is the idea that your networks are already compromised. From simple malware running cryptominers to advanced foreign nation-state attackers who are carefully working to stay hidden to sabotage or steal your data, much like Attila, the invaders are inside your networks.  

Complicating matters is that for every line of code written worldwide, new vulnerabilities may be introduced, hackers create more capable malware, and the number of possible attacks, backdoors and persistence tricks grows as well.  

The defenses that we have traditionally erected—like firewalls, UTMs, IDS/IPS, and malware filters—remain critical but are no longer sufficient without greater visibility. While they create barriers and tripwires, a zero-trust environment requires acknowledging that these will be scaled, circumvented and tip-toed around to gain access to your networks. Think of these traditional static defenses as barriers that force your adversary to change their behavior, giving you a chance to identify.  This only works, however, if you are paying attention.  

Despite the efforts to protect, visibility is often poor in dispersed, hybrid, network environments. Without either a well-defined border to defend or cybersecurity sentries keeping watch, it may be difficult to determine exactly when or where intruders have penetrated your networks.

It should not escape anyone that the complex supply chain SUNBURST attack from last year went undiscovered for the better part of a year despite having dozens, if not hundreds, of organizations and agencies compromised. The alarm bells simply did not go off as the attack vectors were never seen.  

Nil Desperandum (Never Despair) – Horace 

So how does one defend a sprawling network with shifting borders and an ever-increasingly number of ways in which the adversary may slip in and stay in? It takes a paradigm shift in thinking and approaches.  

With the network border blurry at best, we no longer have a single and convenient point of telemetry collection to force the attacker in the open. Instead, we must rely on a patchwork of overlapping barriers and telemetry sources over the entire network stack.  

Endpoint detection solutions must be combined with endpoint forensics and log collection. Infrastructure as a service requires a more traditional firewall approach while enabling the capturing packets and flows for cyber hunting. SaaS solutions will increasingly need to expose usage and security APIs to detect and gain insight into potential adversarial behavior.

The mantra of the next decade is going to be overlapping angles—do not deploy a defensive solution without sources of forensic visibility. Apply policy on the endpoint, the data center, IaaS and SaaS while collecting, storing and creating visibility angles on all. 

Visibility telemetry, much like the Roman sentries of yesteryear, are the eyes and ears of the cyber hunter. This is how we spot the most dangerous of all threats: The one that knows how to stay hidden.

Vincent Berk is chief technology officer of Riverbed Technology.

NEXT STORY: Make Your Mom Happier

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.