Zero Trust

Overview

Security controls and monitoring for a Zero Trust architecture, focused on identity verification, least-privilege access, and micro-segmentation to strengthen the organization's security posture.

Sample products

  • Zscaler
  • Cisco Duo
  • Okta
  • Palo Alto Networks Prisma Access
  • Entra ID

Use Case Categories

| Category | Description |
|---|---|
| Identity Verification | Ensures robust authentication and continuous monitoring of user identities, devices, and applications. Leverages comprehensive logs to validate and trace user access, minimizing the risk of unauthorized activities and potential threats. |
| Least Privilege Access | Implements fine-grained access controls based on the principle of granting the minimum necessary permissions. Zero Trust logs track and analyze user privileges, helping organizations enforce the principle of least privilege and prevent privilege escalation. |
| Micro-Segmentation | Utilizes logs to meticulously monitor and control communication between network segments. Enables the creation of isolated environments, restricting lateral movement of threats and containing potential security breaches within specific network zones. |

Core Use Cases

| Alert Name | Description |
|---|---|
| Multi-Factor Authentication Monitoring | Monitors authentication logs for multi-factor authentication events. Alerts triggered for failed attempts, multiple successful authentications, or unusual access patterns. |
| User Account Behavior Analysis | Analyzes user account behavior for identity verification. Alerts triggered for deviations from normal user behavior, unusual access patterns, or potential account misuse. |
| Device Authentication Tracking | Monitors authentication logs for device-based authentication. Alerts triggered for unauthorized devices, suspicious access times, or anomalies in device identification. |
| User Login Anomaly Detection | Monitors network device logs for abnormal user login patterns. Alerts triggered for multiple failed login attempts, unusual login times, or logins from unexpected locations. |
| Privilege Escalation Detection | Monitors access logs for signs of privilege escalation. Alerts triggered for unauthorized access attempts, sudden changes in user roles, or anomalies in permission assignments. |
| Abnormal Account Activity Monitoring | Focuses on abnormal activities related to user accounts. Alerts triggered for unusual login times, unexpected access patterns, or deviations from normal user behavior. |
| Access Permission Anomaly Detection | Analyzes access control logs for anomalies in permission assignments. Alerts triggered for unexpected changes in access permissions, unauthorized role modifications, or suspicious access to critical resources. |
| Role-Based Access Control Monitoring | Monitors access logs for adherence to role-based access controls. Alerts triggered for violations of access policies, unauthorized role assignments, or anomalies in role-based access patterns. |
| Abnormal Network Traffic Analysis | Analyzes network traffic logs for anomalies in micro-segmentation. Alerts triggered for unauthorized data transfers, unusual communication patterns, or deviations from defined micro-segmentation policies. |
| Policy Violation Detection | Monitors micro-segmentation policies for violations. Alerts triggered for instances where communication patterns deviate from defined policies, indicating potential security policy violations. |
| Segmentation Boundary Breach | Focuses on detecting breaches of segmentation boundaries. Alerts triggered for attempts to bypass micro-segmentation, unauthorized access between segments, or anomalies in network traffic indicating a breach. |
| Dynamic Segmentation Adjustment | Adapts micro-segmentation based on dynamic analysis. Alerts triggered for automated adjustments in segmentation boundaries, unexpected changes in communication patterns, or anomalies in network behavior. |
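As an added illustration of the Multi-Factor Authentication Monitoring use case above (example code written for this page, not from any of the listed products), the detector below evaluates the three conditions the row names: a burst of failed MFA attempts, multiple successful authentications from different locations close together, and a success outside normal hours. The event records, field names, thresholds and working-hours window are all constructed assumptions, not a vendor's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA events; the field names are an assumption, not any vendor's schema.
EVENTS = [
    {"ts": "2024-05-01T02:10:00", "user": "alice", "result": "failure", "geo": "DE"},
    {"ts": "2024-05-01T02:11:00", "user": "alice", "result": "failure", "geo": "DE"},
    {"ts": "2024-05-01T02:12:00", "user": "alice", "result": "failure", "geo": "DE"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "result": "success", "geo": "US"},
    {"ts": "2024-05-01T09:20:00", "user": "bob", "result": "success", "geo": "BR"},
    {"ts": "2024-05-01T10:00:00", "user": "carol", "result": "success", "geo": "US"},
    {"ts": "2024-05-01T23:30:00", "user": "carol", "result": "success", "geo": "US"},
]

FAIL_THRESHOLD = 3                 # failed MFA attempts per user inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
GEO_WINDOW = timedelta(hours=1)    # two successes from different geos this close together
WORK_HOURS = range(7, 20)          # 07:00-19:59 is treated as the normal access window (assumed)

def detect_mfa_alerts(events, fail_threshold=FAIL_THRESHOLD):
    """Return sorted (alert_type, user) pairs; each condition fires at most once per user."""
    alerts = set()
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):      # ISO timestamps sort lexically
        e = dict(e, ts=datetime.fromisoformat(e["ts"]))
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        # Failed attempts: any run of fail_threshold consecutive failures inside FAIL_WINDOW.
        fails = [e["ts"] for e in evs if e["result"] == "failure"]
        for i in range(len(fails) - fail_threshold + 1):
            if fails[i + fail_threshold - 1] - fails[i] <= FAIL_WINDOW:
                alerts.add(("mfa_failure_burst", user))
                break
        # Multiple successful authentications: consecutive successes from different geos.
        succ = [e for e in evs if e["result"] == "success"]
        for a, b in zip(succ, succ[1:]):
            if a["geo"] != b["geo"] and b["ts"] - a["ts"] <= GEO_WINDOW:
                alerts.add(("multi_success_distinct_geo", user))
        # Unusual access pattern: a successful login outside the normal working hours.
        if any(e["ts"].hour not in WORK_HOURS for e in succ):
            alerts.add(("off_hours_success", user))
    return sorted(alerts)

if __name__ == "__main__":
    for alert_type, user in detect_mfa_alerts(EVENTS):
        print(f"{alert_type}: {user}")
```

In production the thresholds and working-hours window would come from per-user baselines rather than constants, and the geo comparison would use a travel-speed check rather than a plain country mismatch.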

MITRE ATT&CK

T1111, T1550, T1536, T1574, T1133, T1527, T1078, T1552, T1548, T1087, T1100, T1546, T1134, T1048, T1570, T1083, T1043, T1055