What is Zero Trust?
October 03, 2022
Zero-trust is the security program policy regulating certain apps' trust rating. As you can guess by its name, zero-trust supposes that no programs are trusted at all. Such a measure is harsh, but extremely effective when it comes to preventing malware injection. In that mode, an anti-malware program considers any application running in the system potentially dangerous and reviews the executed commands/accessed DLLs and folders.
By checking the activity of all applications, the security tool (it could be the EDR solution as well as the regular antivirus) can easily filter dubious things. Then, the security specialist who manages the protection system receives the report with all these cases and chooses which measures he wants to apply.
What is the need for a Zero Trust policy?
Earlier, at the dawn of the anti-malware software spreading, all programs of this type were dividing the third-party apps into trustworthy and untrustworthy. The third category - system apps - was also later grouped with trustworthy. So the apps from the trustworthy list were free to do whatever they wanted - antivirus programs were ignoring their activities. Ones that were considered untrustworthy were checked diligently. This classification was great unless we remember that it was pretty easy to reach the “trustworthiness”. Hence, only some dubious apps from the software-spreading sites, hand-made Java applets, and scripts were considered unsafe.
The overall model seems pretty good because it still has manual control, the possibility of editing, and other things that provide flexibility. Unless we remember about the vulnerabilities, the latter may appear in all kinds of apps - and ones considered safe are not an exclusion. Vulnerabilities can allow the hackers to execute arbitrary code, escalate privileges, modify system settings and do all other nasty things. Such a situation completely nails the efficiency of the divided trust system.
Initially, the problem was just ignored, since vulnerability exploitation was not so widespread. There were no special security solutions available on the broad market - you could only order them for a higher price. And companies were not worried about that - the efficiency of antivirus programs was enough for the time being. When cybercriminals switched the spreading ways from classic tricking to exploits, the classic solutions became much less effective. One may say - useless.
Principles of the Zero Trust
We have already described antivirus work with the Zero Trust policy above. It is a pretty primitive description since it has a much more extensive list of actions. Zero Trust is spread not only to the currently running applications but also to the files that are present on the disk but are not used at the moment. Controlling this needs various typical solutions and new approaches to be applied simultaneously.
Processes are obligatory checked with several detection mechanisms. In early variants, they were checked on the run, allowing the program to run in the system. Such an approach has its advantages but exposes the system to risk. More modern antiviruses with a zero-trust policy run each application in the sandbox before allowing it to run into a system. In the case of a website or remote server, it may be simultaneously launched in the sandbox and in the browser - to minimize the lag. The same thing is performed to the incoming connections - even when they are not performing any actions, the program keeps an eye on it and logs its every action when it turns active.
Actually, those check-ups are not new to anti-malware software. All applications that have an advanced check-up mechanism perform the described operations. But with a zero-trust policy, security precautions are applied to all apps and files. All these checks must be backed with the best detection systems to provide maximum efficiency. Heuristic engines and neural network detection mechanisms must have high performance with moderate resource consumption. Detection databases must be maintained correspondingly - with hour-to-hour updates and continuous monitoring of possible new threats.
Since zero-trust is almost synonymous with EDR systems, the most efficient application for this policy can be met only with the features of an endpoint solution. The latter usually offers dividing the protected network into parts to make the overall system easier to control. In that case, zero-trust allows you to set up some additional check-ups for the programs that are considered more dangerous or modify the list of applied verifications.
Zero-trust in anti-malware programs
Most programs with a zero-trust policy example are Endpoint Detection and Response solutions, or EDR. Those apps represent a new view of corporate cybersecurity. While earlier solutions protected each PC separately from each other, EDR solutions provided the shield that covers the whole network simultaneously. Since cybercriminals apply the use of advanced threats pretty often, scanning for possibly compromised apps requires having no tolerance.
Mass-market antivirus solutions for single-user systems rarely apply a zero-trust policy. The only one that is present on all computers with Windows 11 is Windows Defender - an infamous security tool by Microsoft. It shows decent results in on-run protection but has so many bugs and security issues that its usability is questionable. And although it runs a full-fledged zero trust, the aforementioned security mechanisms are restricted. For example, the sandboxing in network security mode works only with the Edge browser; advanced script monitoring mechanisms are available only for PowerShell scripts.
Why do anti-malware vendors delay applying this policy?
"Zero Trust" may look like a magic pill for computer security. The new ideology of how the anti-malware software reacts to the programs in the system may sharply increase its efficiency without any improvements to the detection mechanism. However, a few pitfalls make it less perspective or even useless.
- Zero trust affects the PC performance. Same tool will consume a much higher amount of RAM and especially CPU to make all the check-ups and run the sandbox. Imagine that you have on-run protection enabled, but it requires performing the operations that need three times more calculating power. Sure, you will not suffer any significant issues on the high-end systems, but anti-malware products are oriented at mass-market - otherwise, it will not pay off. EDRs with a zero-trust policy suffer much less because most calculations are done on the domain controller.
- Individual users are rarely attacked with advanced threats. While companies constantly face the risk of being attacked with the use of complicated malware, individuals don’t. The amount of places where zero-trust may be useful for a single user is scanty- compared to the negative effects we mentioned in the previous paragraph. To mirror the attack with “classic” malware, the regular antivirus with a trust list is enough.
- Complicated usage. Zero Trust is not only about controlling whatever is running in your system. To reach peak efficiency, the security tool must be set up specifically for the system where it will run - otherwise, it is just bloatware. And as you can guess, manual setups are not a thing the mass market will be happy about. Spending hours on manuals and settings, the app is OK for system administrators who established the protection in the corporation but not so good when you want the program running well out-of-box.
Zero Trust is a very prospective policy for anti-malware software. However, it can barely exist on the mass market because of the troubles above. It seems like it will be the complementary or even obligatory element of EDR solutions - it shows peak efficiency there. But we can barely imagine its future as a part of a regular anti-malware solution - at least on the mass market.