As cybersecurity threats get more advanced, the industry is constantly working to stay one step ahead.
Traditionally, network protection has relied on blocking known threats. Anti-virus programs and firewalls have worked from a signature database of known threats, matching unknown applications against it to check whether they are safe to run.
However, in recent years we’ve been seeing a rapid increase in ‘zero-day attacks’. A symptom of increasing advancement in cyberattacks, zero-day attacks are carried out using malware or malicious code that is brand new and therefore hasn’t yet been added to any threat databases.
Trying to defend against these unknown threats has led to innovations in the cybersecurity industry and new strategies for remaining protected. One of these new methods is a zero-trust model.
The principle behind a zero-trust model is simply to not trust any applications and to continuously monitor application behaviour for any deviations from what is considered normal.
There are several parts to a zero-trust model, which can be implemented either individually or all together.
- Application whitelisting – This involves registering every application that is allowed to run on your network and blocking everything else. Whitelisting is an effective way to protect against zero-day attacks because your system doesn’t need to know what the threat is, it just needs to know what applications are allowed to run. It’s important when implementing application whitelisting to ensure you:
  - Run a thorough scan on your network, and then talk to all your employees to find out what software they’re using – especially the ones that are only used occasionally – to ensure you have a clear picture of everything that needs to be included on your whitelist.
  - Schedule a regular review and update of your list. Occasionally when an application updates, it will need to be updated in your whitelist. You will also need to add any new applications you start using and remove any you stop using.
- Behaviour monitoring – By monitoring the way your trusted applications run, you can establish what is considered normal behaviour. If malicious code is injected into your application during an update, it will be immediately detected as outside of the application’s normal behaviour. This will remove the application from the whitelist while the issue is investigated.
- Multi-Factor Authentication – All accounts should be protected with multi-factor authentication, ensuring that when users sign in they have to enter a code that is either texted to them, or generated by an app such as Microsoft Authenticator. This is the most secure way of stopping cybercriminals from breaking into user accounts.
- DNS Filtering – Stop users visiting phishing websites, or other sites that may have harmful, offensive or malicious content by implementing a DNS filter.
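As an added illustration of how the whitelisting and behaviour-monitoring points above fit together (example code written for this page, not from the original article): an application is identified by the SHA-256 of its bytes, so an unregistered program and a not-yet-reviewed update are both blocked by default, and a connection outside an application's recorded baseline pulls it from the whitelist pending investigation. The application name, destinations and sample bytes are constructed, and the baseline is simplified to the set of network destinations an application normally contacts.

```python
import hashlib

def fingerprint(data: bytes) -> str:
    """An application's identity is the hash of its bytes, not its file name."""
    return hashlib.sha256(data).hexdigest()

class ZeroTrustPolicy:
    """Default-deny whitelist plus a per-application behaviour baseline."""
    def __init__(self):
        self.allowlist = {}    # fingerprint -> application name
        self.baseline = {}     # fingerprint -> destinations it normally contacts
        self.quarantined = {}  # fingerprint -> reason it was pulled for review

    def register(self, name, data, normal_destinations):
        fp = fingerprint(data)
        self.allowlist[fp] = name
        self.baseline[fp] = set(normal_destinations)
        return fp

    def may_run(self, data) -> bool:
        """Anything not registered, or pulled for investigation, is blocked."""
        fp = fingerprint(data)
        return fp in self.allowlist and fp not in self.quarantined

    def observe(self, data, destination) -> bool:
        """Check one observed connection against the baseline; a deviation
        removes the application from the whitelist pending investigation."""
        fp = fingerprint(data)
        if fp not in self.allowlist:
            return False
        if destination in self.baseline[fp]:
            return True
        self.quarantined[fp] = f"unexpected connection to {destination}"
        return False

# Constructed sample "binaries" (these bytes stand in for real executables).
INVOICE_V1 = b"invoice-app v1 (constructed sample)"
INVOICE_V2 = b"invoice-app v2 (constructed sample)"   # a vendor update
UNKNOWN = b"never-seen-before.exe (constructed sample)"

def build_policy() -> ZeroTrustPolicy:
    policy = ZeroTrustPolicy()
    policy.register("InvoiceApp", INVOICE_V1, {"erp.example.internal"})
    return policy

if __name__ == "__main__":
    p = build_policy()
    print("v1 allowed:", p.may_run(INVOICE_V1))          # True
    print("unknown allowed:", p.may_run(UNKNOWN))        # False: never registered
    print("v2 allowed:", p.may_run(INVOICE_V2))          # False until re-registered
    p.observe(INVOICE_V1, "203.0.113.7")                 # not in the baseline
    print("v1 after deviation:", p.may_run(INVOICE_V1))  # False: quarantined
```

Once the updated build has been reviewed, calling `register` again with its bytes puts it on the whitelist, which is the "regular review and update" step above.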