Elastic’s capabilities in the world of Zero Trust operations

Zero Trust (ZT) has become one of those omnipresent buzzwords we see everywhere in the information technology (IT) ecosystem lately. The basic idea of Zero Trust has actually been around for a long time (the phrase was originally coined in 1994!¹), but the practical application of Zero Trust as a real security paradigm is somewhat new and still being formulated. What Zero Trust represents is a hard shift from traditional perimeter-based and defense-in-depth approaches where multiple layers of boundary security are used to protect the resources within. The move towards Zero Trust Architectures was necessitated by the proliferation and growing complexities of interconnected cloud, edge, hybrid and services-based architectures — there is no longer a solid outer perimeter that can be defended. 

Over the years, we’ve learned (often the hard way) that the main problem with relying solely on perimeter-based security is the assumption that perimeter access also conveys permissions to the resources inside that boundary. That’s a bad assumption because it’s between those layers where the enemy thrives. Once a bad actor has gained a foothold inside one of those perimeters, they can “live off the land” and hide inside until they find a path to their next target; it’s usually just a matter of time until they are able to exploit the resources within. 

The distillation of Zero Trust is to never trust, always verify. This core tenet takes away that faulty assumption of perimeter-based defense and instead says that no transaction should be implicitly trusted. There are a lot of implications packed into that simple credo, and those implications start with a fundamental set of principles:

1. Assume breach: Organizations operate as if a breach has already occurred, designing security controls to minimize potential damage.

2. Identity-centric security: Identity becomes the primary security perimeter, replacing traditional network boundaries.

3. Microsegmentation: Resources are isolated and secured individually to limit lateral movement within networks.

4. Least privilege access: Users and systems receive only the minimum permissions necessary to perform their functions and only for the required duration.

5. Continuous verification: Every access request must be authenticated and authorized before granting access, regardless of the user's location or the resource being accessed.

6. Comprehensive monitoring: Continuous monitoring and analysis of all network traffic and activities enables rapid threat detection and response.

If we were to claim that those principles cover the what in what we need to do to get to Zero Trust, then the where that we apply those principles is specified by the so-called pillars of Zero Trust.

Not surprisingly, there have initially been several interpretations² of Zero Trust, which has resulted in slightly different pillar definitions. In the end, Zero Trust pillars span the entire breadth of enterprise operations.

Zero Trust requires a much more active and comprehensive approach to security. 

The core capability at the heart of Elastic’s Search AI Platform is distributed search. Instead of forcing your organization to back-haul all data into a centralized repository — usually one that is only good at cost-effective storage and not made for fast flexible search and retrieval — Elastic allows data to be collected and ingested locally into a distributed platform that’s able to search both locally and globally. 

On top of this distributed platform are all of the enterprise-grade features your organization requires for ingesting, analyzing, and managing all types of data at huge scales.

• Automated near real-time ingestion, processing, normalization, analysis, detection, and alerting on any and all types of data — structured, unstructured, semi-structured, numeric, geospatial, vectorized

• Full-spectrum search and analytics — full-text lexical, semantic/vector, and hybrid retrieval, aggregations, and filtering; multiple query modalities to suit any data and use case

• Automated data resilience, high-availability, and cost-effective data lifecycle management, including searchable snapshots, which allows data archives to remain fully searchable throughout their entire retention timeframes

• Fully integrated unsupervised and supervised machine learning (ML), including the ability to import third-party large language models (LLMs) and apply them to your data streams

The entirety of the stack is built API-first, making it easy to integrate with and allowing Elastic’s Search AI Platform to become a unified data layer spanning all data sources. Our Search AI Platform is a general-purpose distributed data platform that can power any number of use cases and applications. 

Nearly every organization today is actively investigating the potential use of artificial intelligence (AI) in multiple aspects of their business operations. The hope for AI is that it will vastly speed up, automate, and improve the scope of large scale data analytics required for everything from basic research to critical decision making. So, it’s no surprise that AI initiatives would be considered within the context of Zero Trust operations as well.

For Zero Trust operations to succeed, they must be based on fast, well-informed risk scoring and decision making that takes into account myriad indicators that are continually flowing from all of the pillars. Elastic can immediately upgrade and empower your organization’s Zero Trust posture by providing a unified speed layer for all data. 

One of the biggest hurdles with current approaches to Zero Trust is that most ZT implementations attempt to glue together existing systems through point-to-point integrations. While it might seem like the most straightforward way to step into the Zero Trust world, those direct connections can quickly become bottlenecks and even single points of failure. Each system speaks its own language for querying, security, and data format; the systems were also likely not designed to support the additional scale and loads that a ZT security architecture brings. Collecting all data into a common platform where it can be correlated and analyzed together using the same operations is a key solution to this challenge.

The first and perhaps most important capability Elastic brings to Zero Trust is the ability to monitor and analyze all of the infrastructure, applications, and network involved. Elastic can ingest all of the events, alerts, logs, metrics, traces, host, device, and network data into a common search platform that also includes built-in solutions for observability and security on the same data without needing to duplicate it to support multiple use cases. This allows the monitoring of performance and security not only for the pillar systems and data but also for the infrastructure and applications performing Zero Trust operations.   

Let’s use an example. Within the conceptual ZT users pillar will likely be an Identity, Credential, and Access Management (ICAM) system that is used to verify and control user/entity access and permissions. There might also be a User and Entity Behavior Analytics (UEBA) system that analyzes the traces of activities a given user (correlated to an ICAM-validated account) leaves in various systems. UEBA looks for suspicious or unusual behaviors for that account either based on their normal activity baseline or in comparison to other entities of a similar role/permissions level. 

From a Zero Trust monitoring context, Elastic could:

• Index application logs from the ICAM, UEBA, and any other systems in the users pillar

• Automate the capture of system metrics using a variety of approaches, including OpenTelemetry, and use them to report on system uptime, performance, and SLOs 

• Monitor network flows in and out of the users pillar

• Ingest and correlate processing traces from the users pillar applications themselves

• Collect logs and metrics on the various infrastructure and orchestration platforms that the users pillar systems are deployed on

• Use its built-in observability and security solutions in service to the Zero Trust visibility and analytics pillar

With data from each pillar ingested into a common speed layer (and one that doesn’t add additional query load to the underlying data systems/repositories), we can cross-correlate signals across sources to automatically detect suspicious behavioral indicators and then use them to adjust risk scoring on the actors within our Zero Trust Architecture. 

Originally developed as part of the built-in Elastic Security solution, the Search AI Platform includes a general-purpose detection engine that can be used on any type of data. Detection rules use several different query mechanisms, including standard query syntax (DSL); event sequences (EQL); piped queries (ES|QL); and even anomalies found through built-in machine learning, to correlate and identify patterns within incoming data streams and fire alerts on the matches. 

Detection rule alerts get stored into their own index and can also immediately trigger additional alert-based actions to third-party systems and integrations like SOAR or ticketing systems. There currently are over 1,100 prebuilt detection rules that have been developed, curated, and tested by the Elastic Security Labs team, but those rules are open source and easily duplicated and edited to suit the data streams and parameters of the implementation. 

Whether it’s using the existing risk scoring mechanisms in the Elastic entity store or purpose-built objects for the customer’s Zero Trust implementation, Elastic’s Search AI Platform provides the flexibility to build risk scoring indices to track and query any type of entity.  Again, perhaps some examples would help illustrate the possibilities:

• Users: Individual or service accounts can have unsupervised ML jobs tracking their access requests throughout the systems and fire anomalies on unusual requests that are then used to adjust the entity’s overall risk score (and possibly to alert a UEBA system).

• Devices: Whenever a compliance scan is run on a given device, the resulting report could also be used to adjust the device’s risk score index. 

• Network: Unusual volumes or types of traffic between network nodes might fire an alert to adjust the risk score for that network route and perhaps to send traffic through alternate systems with deeper inspection.

• Data: Because Elastic includes a number of hybrid search and AI-driven data analysis capabilities, we can use various methods to characterize and categorize the data within each repository (especially powerful for unstructured sources) and generate or update its overall risk score.

• Applications and workloads: Elastic can keep an inventory of our application versions, dependencies, and vulnerabilities otherwise known as a Software Bill of Materials (SBOM) to assign risk scores for certain types of interactions and align those with the requests being made to them.

• Automation and orchestration: The infrastructure, orchestration, and automation platforms themselves can introduce risk into the Zero Trust landscape; perhaps any process that’s not vetted by human oversight should get a slightly higher risk score associated with it.

• Visibility and analytics: Sudden changes in system performance and/or the level of observability of a system (or lack thereof) could factor into the risk profile given to a Zero Trust transaction.

You might also be wondering if a search platform is able to keep up the pace with all those activities — after all, Elasticsearch was really not created to be a transactional database. That question is actually related to a classic database design decision about whether to normalize or denormalize the data structures. Normalizing them reduces potential data duplication by keeping one table for a set of related fields and combining them through relational fields. Denormalizing them stores and renders data in a form that’s best suited for searching it quickly. 

Elastic can handle a lot! Some of our customers ingest multiple millions of records per second, but it’s not meant for constantly updating the same record over and over again with a new value. What Elastic is exceptionally good at is operationalizing data and making it readily available for near real-time search and analytics at huge scales. 

If the ultimate goal of a Zero Trust Architecture is to observe and validate that every transaction within the system is authorized (not implicitly trusted), what would that look like? When we have all of our systems being actively monitored and are able to assign dynamic risk scoring to the components of our Zero Trust Architecture, that means we’re almost there! 

Many Zero Trust decisions could be distilled down to a relatively straightforward formula: If the criteria are met, allow the transaction to proceed; if not, block it. The risk scores become inputs into our formula:

The Zero Trust security paradigm is absolutely necessary; we can no longer rely on simplistic perimeter-based security. But the requirements demanded by the Zero Trust principles are too complex to accomplish with point-to-point integrations between systems or layers. Zero Trust requires integration across all pillars at the data level. Elastic’s Search AI Platform provides exactly that: fast operationalized data that’s able to be used in any way the organization needs. 

Start your free trial today. Learn more about how Elastic helps in your organization’s Zero Trust journey:

• Explore Elastic Security 

• Blog: Zero Trust: The benefits of a multi-vendor approach

• White paper: Does your Zero Trust strategy have a unified data access layer?

• Article: Zero Trust: What it is and how it works