In May 2021, President Biden signed Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity,” pushing agencies to rapidly implement its Zero Trust Architecture (ZTA) requirements. As a result, compliance and budgetary support have driven this single-focused effort with the goal of making Zero Trust the foundation of every agency’s cybersecurity program. With these recent changes in mind, a question that is often posed is how Digital Risk Protection (DRP) services fit into an agency’s Zero Trust strategy (and budget).
To understand the connection, agencies must think differently about their existing approach, specifically about the data sources that feed into their Zero Trust infrastructure. To provide more insight into this shift in thinking, Keren Cummins, Director of Federal Civilian Sales at ZeroFox, sat down with ZeroFox’s John Beck, Senior Federal Sales Engineer, to discuss DRP’s role in a federal agency’s Zero Trust strategy. Additionally, they provided insight into ZeroFox’s threat intelligence and identity management feeds and how they are strengthening our customers’ ZTA in ways they had not previously considered.
ZERO TRUST ARCHITECTURE AND DRP Q&A
How does DRP fit into government requirements?
Keren: John, practically every agency I speak with these days has Zero Trust as one of its top priorities, if not in fact THE top priority. As a result, partners who sell to the federal government are trying to support the government’s ZTA requirement. Here at ZeroFox, we view our solutions as a valuable contribution to Zero Trust. Can you elaborate on how DRP, specifically ZeroFox solutions, fit into the government’s requirement?
John: Sure, I think this is an important question, because it’s not immediately obvious how leveraging open source intelligence can help align with ZTA. ZeroFox provides data that can feed into a Zero Trust policy engine, and helps to enhance two of the five pillars that CISA sets forth in its Zero Trust Maturity Model.
- Identity Pillar: ZeroFox provides feeds of compromised credentials.
- Device Pillar: ZeroFox intelligence provides feeds of botnet-compromised systems/devices.
How is ZeroFox relevant to Zero Trust?
Keren: Ok, but aren’t there a lot of solutions that provide that information? How is ZeroFox able to provide relevant and unique data into a Zero Trust infrastructure?
John: ZeroFox has distinguished itself by the number and quality of the different data sources that it looks at. A lot of people know about our unique capabilities in social media, but I’d like to highlight some of our sources in the Dark Web. Our platform and supporting analysts provide a wealth of relevant intelligence data that can inform an agency’s Zero Trust policy engines. A list of compromised credentials could be used to force multi-factor authentication or a password reset for impacted users, and botnet-infected hosts could be barred from accessing the intranet or isolated for mitigation purposes.
Keren: Can you expand on that? Help me with an example of a threat that would originate in the untrusted environment of a user requesting access to federal resources. What might it be and how could it impact an agency’s infrastructure?
John: A threat could come from a high-severity vulnerability, malware, or botnet activity. For example, botnets – I can’t imagine any department or agency wanting a botnet-infected host connecting to their network and accessing internal resources. Many botnet infections are logging keystrokes and network connection data back to a botnet master. If this is allowed to happen, valid credentials and the websites/resources that they allow access to could be streamed out and sold on Dark Web Forums.
Compromised credentials are another example. Unfortunately, government employees sometimes use their government email address to access websites for personal interest, and then those commercial websites get breached.
How can external email compromise cause risk?
Keren: Okay, but they’re presumably not using their government password on those sites. Let’s hope, anyway. How can email addresses that have been compromised outside the agency’s network still cause a significant risk to the environment?
John: Let’s take that example. A government employee uses their government-issued email address to register on an external website or e-commerce site. Once that email address is part of a breach or a compromised credentials dump, the adversaries have a known good email address (which sometimes can contain a domain username), and they then have half of a valid credential set and only need to find the password to have a full set of login credentials.
The email address may also reveal enough information for full names and social media profiles to be determined. Sometimes this provides enough relevant background data to start guessing passwords. If the user is high-level enough, then breaking into their social media account may open the door for a Business Email Compromise.
How does ZeroFox data strengthen ZTA implementation?
Keren: Practically speaking then, how do agencies using ZeroFox solutions apply ZeroFox data to strengthen their ZTA implementation?
John: ZeroFox’s threat intelligence feeds provide a direct API connection to easily consumable data, data that can provide fidelity about your users, compromised hosts, lists of C2 (Command and Control) Domains, and more. This helps you automate and shape your organization’s Zero Trust policies and keep them agile and effective on this ever-changing cyber battlefield.
ZeroFox is the leader in external threat intelligence and can also deliver a wealth of social media monitoring (impersonations, brand/agency sentiment), external cyber threat intelligence, plus Deep and Dark Web intelligence via API. This intelligence can help your agency or organization brace for undetected/unknown leaks or emerging threats as well.
What you don’t know CAN hurt you. Don’t let a lack of external threat intelligence limit the strength of ZTA and hinder the purpose of the federal government’s ZTA mandates. Try ZeroFox today and fill this gap in your armor.
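As an added illustration of the integration John describes above (a compromised-credential feed driving MFA step-up and a password reset, a botnet-infected-host feed driving deny and isolate, and a C2 domain list blocking egress), here is a small Python policy decision point over constructed feeds. This is example code, not ZeroFox's API or the original post's; the feed contents, field names and action labels are all assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed feed contents, one indicator per line, in the shape a DRP API
# might hand a policy engine. Values are placeholders, not real indicators.
COMPROMISED_CREDENTIALS_FEED = "jdoe@agency.example.gov\nASmith@agency.example.gov \n\n"
BOTNET_HOSTS_FEED = "10.20.30.40\n"
C2_DOMAINS_FEED = "update-check.example.invalid\n"


def load_feed(text: str) -> FrozenSet[str]:
    """Normalise a newline-delimited feed: trim, lowercase, drop blank lines."""
    return frozenset(line.strip().lower() for line in text.splitlines() if line.strip())


@dataclass(frozen=True)
class AccessRequest:
    user_email: str
    source_ip: str
    destination_host: str
    mfa_completed: bool


@dataclass(frozen=True)
class Decision:
    verdict: str              # "allow", "step_up" or "deny"
    actions: Tuple[str, ...]  # remediation the enforcement point should trigger


def evaluate(req: AccessRequest, compromised: FrozenSet[str],
             botnet_hosts: FrozenSet[str], c2_domains: FrozenSet[str]) -> Decision:
    """Device-pillar signals are checked before identity-pillar signals: a
    keylogged host would capture whatever the user typed during MFA step-up."""
    if req.source_ip in botnet_hosts:                  # Device pillar
        return Decision("deny", ("isolate_host", "open_incident"))
    if req.destination_host.lower() in c2_domains:     # egress to a known C2 domain
        return Decision("deny", ("block_egress", "triage_device"))
    if req.user_email.lower() in compromised:          # Identity pillar
        if not req.mfa_completed:
            return Decision("step_up", ("require_mfa", "force_password_reset"))
        return Decision("allow", ("force_password_reset",))
    return Decision("allow", ())


if __name__ == "__main__":
    feeds = (load_feed(COMPROMISED_CREDENTIALS_FEED),
             load_feed(BOTNET_HOSTS_FEED), load_feed(C2_DOMAINS_FEED))
    req = AccessRequest("ASmith@agency.example.gov", "192.0.2.10",
                        "intranet.agency.example.gov", mfa_completed=False)
    print(evaluate(req, *feeds))  # Decision(verdict='step_up', actions=('require_mfa', 'force_password_reset'))
```

In a real deployment the feeds would be refreshed from the DRP API on a schedule and the returned actions handed to the identity provider and endpoint tooling rather than printed.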
About the Team
John Beck, CEH, is the Federal Senior Sales Engineer at ZeroFox. Throughout his 25+ year career in cybersecurity, John has managed the processes, people, and solutions essential to keeping both private and public sector organizations secure. In a senior sales engineering capacity, John has played a key role in providing technical direction and support to sales teams at leading cybersecurity companies such as CrowdStrike, Forcepoint, and McAfee. At ZeroFox, John’s leadership and technical insights are helping federal Law Enforcement and Diplomatic Missions customers to better execute their mission by modernizing security operations and reducing organizational risk.
Keren Cummins is the Director of Federal Civilian Sales for ZeroFox. Keren has managed both state and federal technology programs. She became involved in cybersecurity while working for the US Department of Commerce, receiving multiple federal awards for her leadership at Commerce’s National Technical Information Service. She has since spent 20+ years in a Federal Sales Director capacity working for leading industry organizations in the areas of public key infrastructure, vulnerability management, log management and compliance monitoring. She joined ZeroFox in 2018 after becoming fascinated with the challenges of securing social and digital channels. Keren currently helps to drive greater understanding and adoption of digital risk protection across the federal sector.