Tenable Blog

The Path to Zero Trust: Is it Time to Rethink What We're Calling a Vulnerability?

Reconsidering how we define "vulnerability" is more than a thought exercise. It could represent a sea change in how organizations manage risk.

For most of us in cybersecurity, the definition of "vulnerability" has always been fairly straightforward: "a flaw in code or design that creates a potential point of security compromise for an endpoint or network." 

Outside IT circles, though, the word has a far broader meaning. According to the Oxford English Dictionary, vulnerability is "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." 

Has the cybersecurity sector done itself a disservice by not giving more consideration to this second meaning — and how it factors into the design of enterprise security architectures?

These questions arise as we consider two significant trends: the rise of ransomware attacks around the globe, and the resurgence of interest in the principles of zero trust.

Trust is a vulnerability

For ransomware to succeed, attackers must first gain an initial foothold and then find a way to move laterally within an organization by exploiting vulnerabilities and misconfigurations in systems such as Active Directory. In a typical organization, user access and privileges are granted based in part on the notion that one user is fundamentally more trustworthy than another, based on their role or standing in the organization.

If we take the view of John Kindervag — who first coined the zero-trust concept as a Forrester analyst in 2009 and remains a leading evangelist in his current role at On2IT — then we have to consider the notion that trust itself is a vulnerability. 

In a 2017 blog post, Kindervag wrote: "Trust is no different from a vulnerability in Apache Struts. It's something we must address in our organizations and digital systems as much as any software vulnerability. And if we've learned anything from recent data breaches, it's that vulnerabilities are what are exploited, and all vulnerabilities must be mitigated."

Kindervag elaborated on his point of view more recently, during a May 6 panel discussion hosted by the U.S. National Security Telecommunications Advisory Committee (NSTAC). The session — moderated by my Tenable co-founder Jack Huffard — explored the challenges of adopting zero trust in both government agencies and private enterprises. Kindervag emphasized that the concept of trust comes from our drive to anthropomorphize the network, seeing "people" where we should be seeing "packets."

According to Kindervag, the goal is to eliminate the human emotion of trust in our digital environments. "Zero trust is a strategic initiative that helps prevent successful data breaches, meaning the exfiltration of sensitive information ... by eliminating trust in your organization," Kindervag said. "It is designed to prevent lateral movement. No matter which technology or vendor you use to deploy zero trust, the strategy always remains the same ... The technology will always change but the strategic objectives will remain in place for a long time to come."

What do we mean by 'vulnerability'?

At Tenable, we believe disrupting attack paths in order to foil lateral movement represents one of the best defenses against all manner of cyberattacks, from the commonplace to the most sophisticated ransomware. While we agree in principle with Kindervag's positioning of trust as an inherent vulnerability, we believe it's only the beginning of a sea change in how the cybersecurity industry at large defines "vulnerability." In our view, the meaning of "vulnerability" also needs to include factors such as:

  • misconfigurations in Active Directory and cloud services, which often provide a primary attack path for ransomware actors;
  • mismanagement of identities, which are vital IT assets that can be compromised;
  • security gaps in the software supply chain, which must be closed to prevent the next SolarWinds-style attack.

For cybersecurity leaders, preparing for a zero trust journey is less an exercise in evaluating technologies and more an exercise in strategic thinking, requiring you to answer fundamental questions such as:

  • What is your organization's core mission or value proposition?
  • What are the workflows required to fulfill that mission? 
  • Who owns those workflows? 
  • How does data flow in the organization?
  • Which are your high-value assets, the so-called "keys to the kingdom"?
  • How does the organization determine who is granted access to these high-value assets?
  • How often does the organization audit user permissions once they are set?
  • How will you design a "protect surface" to secure your most critical assets?

Answering these questions requires full visibility and continuous monitoring of your entire attack surface, including IT, internet of things and operational technology assets, and the ability to assess the criticality of each asset to deliver on your organization's core mission. No zero trust journey can begin without first addressing these fundamentals of cyber hygiene. 
