**Quick personal note**: I normally try to get these posts out once a week, but there may be some delays for the rest of this month, so I apologize in advance. My wife and I just closed on a new home last week and are in the process of getting ourselves packed up and moved in. Luckily, it’s a local move, but doing it with two small children is no easy feat while still working full time. I appreciate the patience, and I promise there will be some more regular content soon!
In the last few years the term “Zero Trust” has been used to both define a new security strategy, and as a buzzword to sell more security products. Depending on which one you were marketed, your understanding and trust (see what I did there?) of the phrase could vary wildly. Our goal in today’s short article is simple:
Define what Zero Trust means and discuss its purpose
Discuss how Microsoft Sentinel can support a Zero Trust strategy for an organization.
What is Zero Trust?
Zero Trust, by definition, is not a product or a service. It’s a strategic security approach to designing and implementing a core set of principles in your environment. Those principles are:
Verify Explicitly: Just because I say who I say I am, or tell you I should be here, doesn’t make it true. Check my creds, cross-check your list, and verify it’s true.
Use least privileged access: No, you don’t need Global Administrator to reset a password. You get Password Administrator. Use the role that grants the bare minimum required to do your job, and use Privileged Identity Management (PIM) for Just-in-Time (JIT) access so that even that role is held only while it is needed.
Assume breach: Just because the alarm bells aren’t ringing and you’ve got a fancy new AI-empowered firewall doesn’t mean there isn’t someone snooping around. Encrypt data in transit and at rest, verify every request, and segment your network and your data so that one compromise can’t expose everything at once. Don’t put all your eggs in one basket to be stolen together.
This is why the tagline behind Zero Trust is “Never trust, always verify.”
Where did it come from?
The term “Zero Trust” was originally coined in 1994 by Stephen Paul Marsh in a doctoral thesis on computer security. From that point the term morphed and evolved through the different eras of IT until 2018, when research conducted by the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) led to the publication of NIST SP 800-207, Zero Trust Architecture, which was finalized in August 2020.
The publication defines Zero Trust as a collection of concepts that reduce uncertainty by enforcing accurate, least-privilege, per-request access decisions in IT systems and networks that are viewed as already compromised. This led to the concept of Zero Trust Architecture, an enterprise cybersecurity plan that, in a full implementation, includes elements of all three of the following approaches:
Enhanced identity governance and policy-based access controls.
Micro-segmentation
User overlay networks or software-defined perimeters
Okay, but how does Sentinel play a part in Zero Trust?
Sentinel is Microsoft’s cloud native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) product that allows organizations to receive and view security events and respond to those events in a variety of automated ways. As both a SIEM and a SOAR tool, Sentinel can support a Zero Trust Architecture in a variety of ways, but here’s a few that I find to be most significant:
“Assume Breach”: With a core tenet of Zero Trust (ZT) being the assumption that any organization’s IT could already be breached, Sentinel provides the tooling to continuously monitor your environment for malicious activity. With its plethora of 1st and 3rd party solutions and data connectors, Sentinel can aggregate a huge amount of log data and, through scheduled analytics rules, turn it into meaningful alerts and incidents, giving SOC Analysts an opportunity to find threats in near real-time.
Automation: The threat landscape for most organizations is only getting larger. From Internet of Things (IoT) to Bring-your-own-Device (BYOD), and an increasing number of 3rd party SaaS solutions for everything from Collaboration to Sales and Engineering to Marketing, the number of attack vectors a SOC Analyst has to be aware of quickly becomes daunting. With built-in automation in the form of Playbooks (Azure Logic Apps) and Automation Rules, Sentinel gives Analysts and Hunters the power to handle known threats automatically, freeing them up to look for more obscure threats around critical systems.
Integrated Zero Trust Solutions: A little on the nose, but did you know that Sentinel has a native Zero Trust offering? The Zero Trust (TIC 3.0) solution provided by Microsoft helps organizations respond to Zero Trust principles and the Trusted Internet Connections (TIC) 3.0 initiative. While Zero Trust and TIC 3.0 aren’t the same, they share a lot of common themes. This solution helps teams from all parts of the organization gain visibility into how their architecture aligns with these two frameworks and provides recommendations for improving your alignment with Zero Trust and TIC 3.0. Make sure you check out the prerequisites so you get the most out of this solution!
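To make the “least privileged access” principle above and the “Assume Breach” monitoring point concrete, here is a scheduled analytics rule query you could run in Sentinel. It is an added example written for this post, not code from the original article, from Microsoft, or from the Zero Trust (TIC 3.0) solution. It flags directory roles containing “Administrator” that are assigned directly and permanently through Entra ID rather than activated just-in-time through PIM. The table and column names are the standard AuditLogs schema; the 1-hour lookback, the “Administrator” name filter, and the assumption that PIM-driven assignments show up with an initiating app named “MS-PIM” are assumptions you should confirm against your own tenant.

```kql
// Added example (not the original post's code): detect permanent privileged role
// assignments made outside of PIM's just-in-time model.
// Assumptions: 1h lookback, role names containing "Administrator", and PIM
// activations being initiated by the "MS-PIM" application in your AuditLogs.
let lookback = 1h;
AuditLogs
| where TimeGenerated > ago(lookback)
| where Category =~ "RoleManagement"
| where Result =~ "success"
// "Add member to role" is a direct, active assignment; PIM eligibility shows up
// under "Add eligible member to role" and is the JIT path we want people to use.
| where ActivityDisplayName =~ "Add member to role"
// Who performed the assignment: a human admin or an application.
| extend InitiatorUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatorApp  = tostring(InitiatedBy.app.displayName)
// Assumption: role activations that go through PIM are initiated by MS-PIM, so
// we exclude them to keep only assignments that bypassed JIT.
| where InitiatorApp !~ "MS-PIM"
| extend Initiator = coalesce(InitiatorUser, InitiatorApp)
// TargetResources contains the user that received the role plus the modified
// properties that carry the role's display name.
| mv-apply TargetResource = TargetResources on (
      where TargetResource.type =~ "User"
      | extend TargetUser = tostring(TargetResource.userPrincipalName),
               Properties = TargetResource.modifiedProperties
  )
| mv-apply Property = Properties on (
      where Property.displayName =~ "Role.DisplayName"
      // newValue is a JSON-encoded string, so strip the surrounding quotes.
      | extend RoleName = trim('"', tostring(Property.newValue))
  )
| where RoleName has "Administrator"
| project TimeGenerated, Initiator, TargetUser, RoleName, ActivityDisplayName, CorrelationId
```

When you wrap this query in a scheduled analytics rule, map `TargetUser` and `Initiator` to Account entities in the rule wizard so the resulting incident carries both the recipient and the granter of the role, and consider an automation rule that raises the incident severity when `RoleName` is “Global Administrator”. If your tenant legitimately assigns some roles permanently (for example break-glass accounts), add those accounts to a watchlist and exclude them rather than loosening the query.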
Summary
Zero Trust is a valuable framework for securing organizations against threats by adhering to the three core principles of:
Verify Explicitly
Use Least Privileged Access
Assume Breach.
By integrating Microsoft Sentinel into your Zero Trust architecture, organizations can improve their security posture through continuous threat detection, automated response, and visibility across identity, device, and workload signals. Sentinel’s detection, automation, and visibility capabilities map directly to the three principles above, giving you a practical way to verify, constrain, and monitor access as threats evolve.
Thanks for reading!
For those interested, I’ve put together a short survey so I can get an idea of what content my readers would like to see. If you have a few minutes to spare, I’d really love to hear from you!