# Zero Trust: Driving Modern Cybersecurity

**Source:** [https://www.youtube.com/watch?v=FMMWSLIcaME](https://www.youtube.com/watch?v=FMMWSLIcaME)
**Duration:** 00:17:55

## Key Points

- Zero trust has surged to the top of cybersecurity priorities because hybrid-cloud adoption exposes "elephants in the room", especially the difficulty of knowing where sensitive data resides: only about 7% of organizations feel confident about their data visibility.
- The practical implementation of zero trust focuses on the four-R principle: ensuring only the right users get the right access to the right data for the right reason.
- Companies are concentrating on a core set of controls, most notably identity governance, to verify who has access to what; this is considered the foundational, "table-stakes" element of a zero-trust strategy.
- IBM's experience with hundreds of clients shows that successful zero-trust projects are built around a handful of repeatable controls rather than abstract philosophy, translating the concept into concrete, actionable measures.

## Sections

- [00:00:00](https://www.youtube.com/watch?v=FMMWSLIcaME&t=0s) **Zero Trust in Hybrid Cloud** - Bob from IBM highlights zero trust as a key cybersecurity trend, noting its rise due to hybrid cloud challenges and organizations' lack of visibility into sensitive data.
- [00:03:14](https://www.youtube.com/watch?v=FMMWSLIcaME&t=194s) **Key Identity Controls in Zero Trust** - The speaker outlines core identity governance, identity analytics, privileged account management for insider threats, and adaptive authentication as essential controls for implementing zero-trust security.
- [00:06:23](https://www.youtube.com/watch?v=FMMWSLIcaME&t=383s) **Zero Trust: Access Monitoring & Fraud Detection** - The speaker outlines how zero-trust initiatives incorporate data/file activity monitoring, encryption key management, and "data risk insights" to audit user access over time and apply fraud-detection analytics to protect sensitive information.
- [00:09:39](https://www.youtube.com/watch?v=FMMWSLIcaME&t=579s) **From Needles to Real-Time Analytics** - The speaker outlines the difficulty of filtering true security incidents from overwhelming alerts, describes a three-step process of detection, risk assessment, and remediation, and notes that organizations usually begin with SIEM log aggregation before progressing to real-time network flow analytics.
- [00:12:49](https://www.youtube.com/watch?v=FMMWSLIcaME&t=769s) **Missing Incident Response Playbooks** - The speaker points out that roughly 75% of organizations lack current, comprehensive incident-response playbooks, forcing ad-hoc reactions during cyber events, and urges greater awareness through cyber-range exercises, automation of response procedures, and adoption of zero-trust models to mature security posture.
- [00:15:52](https://www.youtube.com/watch?v=FMMWSLIcaME&t=952s) **Federated Cloud-Native Threat Intelligence** - The speaker proposes replacing centralized data ingestion with a federated, cloud-native microservice approach that queries each cloud provider in real time for threat indicators, enabling faster, more scalable investigations.

## Full Transcript
Hi, I'm Bob with IBM,
and I'd like to take a few minutes and share with you what we're seeing as
the 3 trends that are driving cybersecurity forward right now.
All three of these are having a profound effect on the industry, so let's dive in.
The first one won't be a surprise to anyone, and that is zero trust.
This has become a top shelf issue around the industry.
It's a concept which has been around over a decade,
which is based on the thought of "never trust, always verify".
The reason why this topic has gotten hot in the last couple of years is because
as organizations move to hybrid cloud,
they're learning about a lot of elephants in the room around cybersecurity that either they didn't realize were there
or tried to ignore that were there.
For example,
when you move to hybrid cloud, one of the big issues is:
do you really know where all of your sensitive data is across the organization?
I saw a study not long ago that asserted
that only 7%, I mean, singularly, number 7 percent,
only 7% of organizations are confident they know where all of their sensitive data is in a hybrid cloud deployment.
And frankly, 2 of the 3 last clients that I've talked to said to me,
"... and that 7% are probably lying", right.
So zero trust has gotten super hot in the last year or two because
it helps you address the elephants in the room around cybersecurity, such as
proper focus on sensitive data: where is it, and are we protecting it?
Now, I'm not going to give you a philosophical view of zero trust
because frankly, everybody's got their own point of view on it.
What I'm going to show you is, based on our experience with hundreds and hundreds of clients,
are what are people actually doing for zero trust?
So what we've seen is very, very interesting
is that you can describe every zero trust engagement as some combination of the following topics.
First of all, we want to make sure that only the right users can come in.
Right?
So only the right users can come into our systems.
You want to make sure that only the right users can get only the right access.
Then you want to make sure that they can only get access to the right data, for only the right reason.
So essentially, what people are doing for zero trust today to implement the philosophy
is make sure that only the right users can get only the right access to only the right data for only the right reason.
So as we look at how organizations are addressing this,
we're seeing that they're really focusing on
about a dozen different controls to really implement the core concepts here.
So when you look at what are the controls, out of the hundreds of risk management controls that are out there,
the ones that we see people spending most of their time on these days,
on zero trust engagements, are really easy to notice because they keep showing up.
So for example, first, we have identity governance.
What does that mean?
That means, do you know who has access to what?
That's just table stakes, right?
If you don't know who has access to what, then how can you possibly protect anything?
So that's the first control.
The second one, which has gotten hotter very recently, is identity analytics.
What that means is it's one thing to know who has access to what, but does that really make sense?
Should that group of people have access to all of these different things?
And this control helps us address that.
The third one is around insider threats, and that's privileged account management.
It is amazing that 19 years after Sarbanes-Oxley came out
and that that regulation said, "Thou shalt do privileged account management",
it's amazing that this is still a huge topic for people.
But because it's focused on insider threat,
oftentimes organizations will naturally prioritize external threats more.
And this one also often gets short shrift,
and so privileged account management is showing up in every one of these projects.
Now what about right access?
The things people are focusing on there is, first of all, access management itself.
Can this person get access to this application, for example.
But probably the whitest hot control in all of these zero trust projects is around adaptive authentication.
What does that mean?
That means that in a hybrid cloud world,
every time someone wants to access something that's sensitive, you should develop a risk score around it.
In other words, OK, is it someone that I recognize, from a device I recognize, at a time of day I recognize?
Or is it someone that, maybe I recognize them, but they're on a jailbroken device that I've never seen before,
coming at me from a part of the world they've never been in before, at least when they've connected to me.
So adaptive authentication allows me to set what level of multifactor authentication do I use
to actually allow someone to come in based on the risk score.
What's really cool is what's happened in the industry is there's been a lot of focus on
taking some of the fraud detection algorithms from the banking sector, for example,
and marrying them into the identity and access management stack
to allow you to do this advanced capability.
And so this one probably is the one who gets the most of attention of all here.
Now what about data itself?
Once you get the right users getting the right access, then how do we actually handle the data piece of this?
Well, look at it this way.
The first thing that everybody focuses on is discovery and classification,
meaning let's make sure we know where all the sensitive data is both on-prem and in whatever cloud providers that we use.
Secondly, once I know that data is there, I need to lock it down.
And so that's where you get into, of course, encryption, which is one of the most popular controls here.
Then once you encrypt it, you want to make sure that when you do have access to it, you can limit access.
So you can say, OK, this person should have access to this, but not this particular set within that data.
And that's typically called data and file activity monitoring.
And then finally, you get into making sure that you can manage
the encryption keys that are protecting that data and you get into key management.
So that is a topic on every one of these zero trust engagements.
Finally, you get to the sort of artistic side of this
because once you make sure that only the right users have only the right access to only right data,
how do you figure out if they're only accessing it for the right reason?
So one of the things that everybody wants to be able to do but has always struggled to do
is say, "Well, can I look at all the access to my sensitive data over some period of time
and run fraud detection algorithms against it and look for accesses that maybe I didn't catch when they happened?"
Everybody wants to do that, but few organizations actually store much, if any, of that kind of data in their systems.
So the control that has emerged that addresses this is what some folks call data risk insights.
And what that means is if we go to a cloud-based architecture,
you can look at large swaths of data being used over long periods of time
and find things that you just missed the first time.
It's very powerful.
And part of almost every single zero trust project out there.
You then also want to make sure that you can handle transactional fraud.
And then finally, a big, big, big one here is configuration and management.
What does that mean in a zero trust environment?
Meaning in a hybrid cloud environment where you're applying the zero trust model of never trust, always verify,
there's three kinds of configuration and management you need to worry about.
First of all, is that devices, right?
Laptops, mobile devices, servers, etc.
Secondly is network configuration and management, a huge topic in zero trust.
And third is the configuration management of the cloud native stack
that the modernizing organization is doing when they run an agile DevOps project and put workloads and sensitive data out to potentially multiple clouds.
That's the one that hurts a lot of cyber organizations today
because they don't have much insight, let alone wisdom in how to manage that and configure it properly.
And that's something that clearly is something that needs a lot of focus in the industry is something that certainly we do.
So those are the 12 controls that we see are showing up in almost every single zero trust project out there.
But there's another side of the story here.
What happens is that if you've ever read the zero trust spec from NIST,
they talk about a trust algorithm
and how one of the big influencers and how you implement these controls
is around how do you actually do your threat management?
So the second trend that is seeing a resurgence these days is around threat management.
Now, the way the typical organization does threat management is through a very simple model,
it's simple to say, but of course not necessarily simple to do.
And that's based on a model that says the first thing that I need to be able to do is find the needles in the haystack.
Find these suspicious things going into my systems that could indicate something wrong is going on over here.
As one client said to me recently, it's not finding the needle in the haystack,
it's finding needles in the needle stack because that's how it looks.
It looks like everything's a problem.
So how do I find that?
Then once I find the needles in the haystack, how do I confirm whether each needle is sharp enough to take action on?
Because cyber ultimately is a form of risk management, not just compliance management.
And so an indicator of compromise needs to be evaluated against whether it will really impact us.
And then when you do find the things that you do need, some kind of response, you need to go fix what you find.
So if you look at the tip of the organization, you find the needles in the needle stack.
You confirm whether they're sharp enough to take action on.
And then you go fix what you find.
Now, organizations have different levels of maturity, for example, around finding needles in the needle stack.
The first thing everybody does is collect, normalize, correlate, report on and monitor logs.
That's often called a SIEM tool, or Security Information Event Management.
But that only looks at what's already happened.
That's all old news, right?
And so where most people go is they'll then mature and go up into real time network flow analytics and then up into user behavior analytics.
And some even go beyond there.
But helping get more mature of how you do that is actually a really big topic for organizations of how do we get better at actually doing that?
Now, once we get into, how do you confirm that a needle, an indicator of compromise, is sharp enough to take action on?
Well, in that case, we did an informal study a couple of years ago of level one SOC analysts, Security Operations Center analysts,
and learned the most common practice around the world is a technique called Google Search, or whatever your favorite search engine is.
They typically say, "Well, I'm seeing this and this, has anybody else seen this?"
The problem, of course, with that approach is A) It's manual,
and B) our X-Force research team tells me that roughly only 20% of the world's threat intelligence is indexed and searchable.
So, it means the most common practice around the world is to actually manually search through 20% of the data, which makes no sense.
But people haven't felt like there's an alternative.
So the way to improve on this one is by leveraging artificial intelligence, right?
Some people have gotten cynical a bit in the industry around cyber and AI because everybody claims to do everything.
Clearly from our point of view, we've been doing Watson for decades, and we've been teaching Watson for over five years now to ingest and digest threat intelligence.
So we have over a million sources a day coming into it, so you can use an engine like that
to actually radically speed up how you confirm whether a given needle in the haystack generates enough risk for you to actually take action on.
Then finally, we get to the piece of how do you fix what you find?
The latest study I saw says that three quarters of organizations still don't have well-defined, up-to-date incident response playbooks
for all of the cyber events they're worried about.
So what that means is that when you get one of those cyber events and you haven't built a plan to respond to it,
it means you have to make it up as you go.
So I was a math minor in college, so I like math symbols.
I'm going to write null set.
75% of organizations are making it up as they go.
It does not take a social psychologist to point out that the worst time to come up with a plan
to respond to a cyber event - a collaborative plan across an organization to respond to a cyber event -
the worst time is when everybody's running around pointing fingers at each other, trying to figure out what happened.
And yet that's what three quarters of the organizations do.
So the way to get better at that is, first of all,
is grow awareness through things like cyber range activities, to go through live fire exercises.
And then the ultimate here is, of course, to also not only address, but automate
the incident response playbooks to actually make that happen.
So helping organizations get more mature on all of these things is something, right, that is a big focus in the industry.
So let me close now with the third trend that we see happening in cybersecurity today.
First is implement the zero trust model
because of all the cyber elephants in the room that hybrid cloud deployments are exposing for clients.
Secondly is refine how you do threat management,
so you're much better at detecting the threats that influence how you implement these controls over here.
Finally, the third trend in Cyber Today and this one is the most profound one,
and that is, how do you support the modernization of your organization?
I will tell you something that we see all over the world is that every organization is modernizing now digital transformation.
And yet most cyber teams are trying to support this modernization of the organization around them
by taking the same approach they've used for the last two or two decades or more to address cyber.
What is that?
Well, the way everybody does it is when there's a new source of threats and stuff,
then the idea is, "Oh, I know what I'm going to do, I'm going to take all that data
and I'm going to put it into whatever technology I'm using over here for my fine bubble, my security analytics platform."
This does not scale to hybrid cloud.
Why?
Because when you get to hybrid cloud, a lot of that cyber data is being generated in one or more public cloud providers
like AWS, Azure, Google Cloud, IBM Cloud.
And so why wouldn't I just take that data and move it over here?
Well, the cloud providers charge you an egress fee to take that data out and put it into your tool,
and depending on what tool you're using, you might even get charged to ingest it in there by the tool that you're using.
And so that causes huge problems.
And that approach does not scale.
So what the alternative is, is we started thinking about this about three years ago and realized that there was a missing scope here.
The missing step is that instead of forcing everything to come into the same place, even from the public cloud providers,
instead, what if we could do a federated approach to threat investigations and applying threat intelligence.
What does that mean?
Well, when you see a new indicator of compromise crop up anywhere,
instead of waiting for all the data to end up over here, instead, ask your security analytics platform,
ask your various security tools, ask AWS, and Azure, and Google Cloud and IBM Cloud,
what are they seeing at this?
And then make a decision right there.
That approach is simple, it's fast and it's effective.
So we started building that about three years ago
and going to a cloud native version of doing that, of doing federated searches and investigations
and tying it into this entire process has a radical impact
on not only your ability to threat management, but it allows you to modernize your approach to
providing cyber services to the modernizing organization around you because it's all built on cloud native microservices.
So this ability to move from standalone products and ingestion from all over the place
into cloud native microservices that use a federated approach
is far more powerful, and with the clients we've seen using it has a huge impact.
So that's the three trends we see that are having the biggest impact on Cyber today, and I thank you for your time.
Thank you.
If you like this video and want to see more like it, please like and subscribe.
If you have questions, please drop them in the comments below.
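The adaptive-authentication control the speaker describes (recognized user, recognized device, usual time of day, jailbroken device, new geography, then a risk score that selects the multifactor level) can be written down concretely. The following is an added example and is not code from the video or from IBM; the signal names, the weights and the thresholds are assumptions chosen for illustration, not any product's scoring model.

```python
from dataclasses import dataclass

# Hypothetical signals gathered for one access attempt; the field names are this example's own.
@dataclass(frozen=True)
class AccessContext:
    user_known: bool            # the presented identity maps to an existing account
    device_known: bool          # device fingerprint previously seen for this user
    device_jailbroken: bool     # device integrity / attestation check failed
    country: str                # country of the source address
    usual_countries: frozenset  # countries this user has connected from before
    hour_local: int             # hour of the attempt in the user's time zone (0-23)
    resource_sensitive: bool    # the target holds sensitive data

# Illustrative weights (assumed for this example, not a vendor's model).
WEIGHTS = {
    "unknown_device": 25,
    "jailbroken_device": 40,
    "new_country": 30,
    "off_hours": 10,
}


def risk_score(ctx: AccessContext) -> tuple[int, list[str]]:
    """Return a 0-100 risk score and the list of signals that contributed to it."""
    if not ctx.user_known:
        # No identity to evaluate, so nothing else matters: maximum risk.
        return 100, ["unknown_user"]
    reasons = []
    if not ctx.device_known:
        reasons.append("unknown_device")
    if ctx.device_jailbroken:
        reasons.append("jailbroken_device")
    if ctx.country not in ctx.usual_countries:
        reasons.append("new_country")
    if ctx.hour_local < 6 or ctx.hour_local >= 22:
        reasons.append("off_hours")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons


def required_assurance(ctx: AccessContext) -> str:
    """Map the risk score to the authentication step the user must complete.

    Sensitive resources use a lower bar for demanding strong MFA, which is the
    'every time someone wants to access something sensitive' part of the talk.
    """
    score, _ = risk_score(ctx)
    if score >= 80:
        return "deny"
    if score >= 50 or (ctx.resource_sensitive and score >= 20):
        return "mfa_phishing_resistant"   # e.g. a FIDO2 security key
    if score >= 20:
        return "mfa_otp"
    return "sso_session"                   # existing session is enough


if __name__ == "__main__":
    attempt = AccessContext(True, False, True, "BR", frozenset({"US"}), 14, True)
    print(risk_score(attempt), required_assurance(attempt))
```

The decision is deliberately explainable: the reasons list travels with the score so an analyst can see why a step-up was demanded, and the unknown-user branch returns early because signals about device or location mean nothing without an identity to attach them to.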
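The identity-analytics control in the talk asks whether the access people hold "really makes sense". One common way to answer that is peer-group analysis: an entitlement held by a user but by almost none of the peers in the same department is an outlier worth a certification review. This is an added example, not code from the video or from IBM; the entitlement snapshot is constructed and the threshold and minimum peer-group size are assumptions.

```python
from collections import defaultdict

# Constructed entitlement snapshot: user -> (department, entitlements). All names are made up.
ENTITLEMENTS = {
    "alice": ("finance", {"erp_read", "erp_post_journal", "payroll_read"}),
    "bob":   ("finance", {"erp_read", "erp_post_journal", "payroll_read"}),
    "carol": ("finance", {"erp_read", "payroll_read"}),
    "dave":  ("finance", {"erp_read", "erp_post_journal", "payroll_read", "prod_db_admin"}),
    "erin":  ("engineering", {"git_write", "ci_admin", "prod_db_admin"}),
    "frank": ("engineering", {"git_write", "ci_admin"}),
}


def peer_outliers(entitlements, threshold=0.25, min_peers=2):
    """Flag entitlements held by fewer than `threshold` of a user's departmental peers.

    Departments with fewer than `min_peers` other members are skipped: with one
    peer every difference is 0% or 100%, so the comparison says nothing useful.
    """
    by_dept = defaultdict(list)
    for user, (dept, _) in entitlements.items():
        by_dept[dept].append(user)

    findings = []
    for dept, users in by_dept.items():
        for user in users:
            peers = [p for p in users if p != user]
            if len(peers) < min_peers:
                continue
            for ent in sorted(entitlements[user][1]):
                share = sum(ent in entitlements[p][1] for p in peers) / len(peers)
                if share < threshold:
                    findings.append({
                        "user": user,
                        "entitlement": ent,
                        "department": dept,
                        "peer_share": round(share, 2),
                    })
    return findings


if __name__ == "__main__":
    for finding in peer_outliers(ENTITLEMENTS):
        print(finding)
```

In the constructed data only `dave` is flagged: `prod_db_admin` is held by none of his finance peers. `erin` holds the same entitlement, but engineering has a single peer, so the department is skipped until `min_peers` is lowered; that guard is the difference between a useful review queue and a noisy one.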
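The "data risk insights" idea in the talk is to keep sensitive-data access records over a long window and look back for accesses that were missed when they happened. The following added example (not code from the video or from IBM) does that over constructed audit records in an assumed one-line-per-access format: it builds a per-user daily baseline from the rest of the window and flags days whose volume is far above it, and separately flags off-hours reads of a sensitive dataset. The factor, minimum row count and night-hours boundaries are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit records in an assumed format: "<ISO timestamp> <user> <dataset> <rows returned>".
SAMPLE_LOG = """\
2024-03-01T09:12:00Z alice customer_pii 40
2024-03-02T10:03:00Z alice customer_pii 35
2024-03-03T11:20:00Z alice customer_pii 52
2024-03-04T09:45:00Z alice customer_pii 38
2024-03-05T02:47:00Z alice customer_pii 9000
2024-03-01T14:00:00Z bob customer_pii 300
2024-03-02T15:10:00Z bob customer_pii 280
2024-03-03T13:30:00Z bob customer_pii 310
2024-03-04T16:00:00Z bob customer_pii 290
2024-03-05T14:20:00Z bob customer_pii 305
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, dataset, rows) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dataset, rows = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, dataset, int(rows)))
    return records


def daily_totals(records):
    """user -> day -> total rows returned that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, _, rows in records:
        totals[user][ts.date()] += rows
    return totals


def volume_anomalies(records, factor=5.0, min_rows=500, min_baseline_days=3):
    """Days where a user's volume is >= factor x the median of their other days.

    The median is taken over the *other* days so the suspicious day cannot
    inflate its own baseline; min_rows stops tiny baselines from flagging noise.
    """
    findings = []
    for user, days in daily_totals(records).items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            if len(others) < min_baseline_days:
                continue
            base = median(others)
            if total >= max(min_rows, factor * base):
                findings.append({"type": "volume", "user": user, "day": day.isoformat(),
                                 "rows": total, "baseline": base})
    return findings


def off_hours_access(records, night_start=22, night_end=6):
    """Accesses between night_start and night_end (UTC in the constructed data)."""
    return [{"type": "off_hours", "user": user, "dataset": dataset, "at": ts.isoformat()}
            for ts, user, dataset, _ in records
            if ts.hour >= night_start or ts.hour < night_end]


def retrospective_findings(text):
    records = parse_log(text)
    return volume_anomalies(records) + off_hours_access(records)


if __name__ == "__main__":
    for finding in retrospective_findings(SAMPLE_LOG):
        print(finding)
```

Both findings in the sample point at the same event: `alice` normally reads a few dozen rows and on 5 March pulled 9000 at 02:47, while `bob`'s steady few hundred rows a day never trips the threshold. The point of the retrospective window is that neither of those facts is visible from the single 02:47 log line on its own.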
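The federated investigation the speaker proposes, where an indicator is sent out to the security analytics platform and to each cloud provider and the answers are combined on the spot instead of first copying all their logs in, can be sketched as a fan-out with a deadline. This is an added example, not code from the video, IBM or any cloud provider: each "source" is a constructed in-memory sighting table plus a simulated latency standing in for a real API adapter, and the decision thresholds are assumptions.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Constructed sources: name -> (sighting table, simulated latency in seconds).
# In a real deployment each entry would be an adapter calling that provider's own query API.
SOURCES = {
    "siem":       ({"198.51.100.7": {"sightings": 12, "last_seen": "2024-03-05"}}, 0.01),
    "aws":        ({"198.51.100.7": {"sightings": 3, "last_seen": "2024-03-05"}}, 0.02),
    "azure":      ({}, 0.01),
    "gcp":        ({"203.0.113.9": {"sightings": 1, "last_seen": "2024-03-02"}}, 0.01),
    "slow_cloud": ({"198.51.100.7": {"sightings": 7, "last_seen": "2024-03-04"}}, 1.0),
}


def query_source(name, indicator):
    """Simulated provider query: sleep for the source's latency, then look the indicator up."""
    table, latency = SOURCES[name]
    time.sleep(latency)
    return table.get(indicator)


def federated_lookup(indicator, timeout=0.25):
    """Ask every source in parallel and stop waiting at the deadline.

    A slow or failing source is reported as such rather than blocking the
    answer; the analyst sees which sources did not reply.
    """
    executor = ThreadPoolExecutor(max_workers=len(SOURCES))
    futures = {name: executor.submit(query_source, name, indicator) for name in SOURCES}
    deadline = time.monotonic() + timeout
    results = {}
    for name, fut in futures.items():
        remaining = max(0.0, deadline - time.monotonic())
        try:
            results[name] = {"status": "ok", "hit": fut.result(timeout=remaining)}
        except FutureTimeout:
            results[name] = {"status": "timeout", "hit": None}
        except Exception as exc:  # an adapter error must not sink the whole query
            results[name] = {"status": "error", "hit": None, "error": str(exc)}
    executor.shutdown(wait=False)
    return results


def summarize(results):
    """Combine per-source answers into one triage decision (thresholds assumed)."""
    hits = {name: r["hit"] for name, r in results.items() if r["hit"]}
    unanswered = sorted(name for name, r in results.items() if r["status"] != "ok")
    if len(hits) >= 2:
        decision = "escalate"
    elif hits:
        decision = "review"
    else:
        decision = "no_action"
    return {
        "sources_with_hits": sorted(hits),
        "total_sightings": sum(h["sightings"] for h in hits.values()),
        "unanswered": unanswered,
        "decision": decision,
    }


def investigate(indicator, timeout=0.25):
    return summarize(federated_lookup(indicator, timeout))


if __name__ == "__main__":
    print(investigate("198.51.100.7"))
```

The deadline is the important design choice: `slow_cloud` holds the answer too, but a federated search that waits for its slowest member has simply moved the bottleneck, so the summary records it under `unanswered` and decides on what did come back.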