How Zscaler combined active threat defense and zero trust

Zscaler's cloud acts as a hub for security resources to connect with one another. Now it is adding active defense with the acquisition of Smokescreen.
Written by Zeus Kerravala, Contributor

Zscaler, which specializes in data security for cloud-based applications, has had quite a year. At its fourth annual Zenith Live event (all-digital format again, as in 2020), the company talked about how the pandemic helped its cloud-based security products go from being considered "nice to have" to "must-have" in protecting the massive number of home-based workers.

In actuality, the strong momentum for Zscaler started long before the pandemic, because the rise of cloud apps, enterprises embracing SaaS models, mobility and an eroding defensive perimeter mandate a different type of security. In today's world, traditional on-premises security principles are rendered ineffective. Zscaler's cloud security model is designed for the cloud and mobility apps, enabling it to be deployed anywhere an organization has resources, including home offices.

An easy way to think about the need for cloud resident security is to consider how the IT environment has changed. Years ago, all of an organization's data, users and applications were centrally located on the company premises. In this case, it made sense to have a moat around the environment with a single entry point protected by a centralized security infrastructure. The few users that were off the company network could connect via VPN and be protected by the same security.  

Apps, users and data are now highly distributed and dynamic. This requires a security model that is equally dynamic and distributed, which is what Zscaler offers from its cloud. VPNs were fine when they were the exception, but, as any network manager knows, VPNs can expose the network to would-be attackers and can get expensive very fast. This is because of the cumbersome processing overhead required to provision an entire company. This is why the interest in Zscaler has been growing and accelerated during the pandemic.

Zero trust the top-level topic

One of the big themes at Zenith Live was zero trust, because this has become the security industry's latest focal point. The concept of zero-trust network access (ZTNA) is fairly simple: The internet was designed with a model in which any thing or person can talk to anything else, and that's why it works so well. The downside is that threat actors exploit this to breach organizations. ZTNA flips the model around and blocks anything from talking to any other connected asset unless explicitly allowed. This essentially makes all company resources invisible to the bad guys and protects the company assets.

The term zero trust is now being used by almost every security vendor, but the reality is that there are multiple approaches. Zscaler offers a Zero Trust Exchange, where its cloud acts as a centralized hub for resources to connect with one another. During his keynote at Zenith Live, CEO Jay Chaudhry outlined the three tenets to Zscaler's approach. They are: 

  • Connect users and applications to resources, not the corporate network, preventing lateral movement of threats, thus reducing security and business risk. 

  • Make applications invisible to the internet. Applications protected behind the Zero Trust Exchange are not visible and cannot be discovered, thus eliminating the attack surface.

  • Use a proxy architecture, not a passthrough firewall, for content inspection and security. The only way to ensure effective cyberthreat defense and data protection is by requiring content inspection, including encrypted traffic, and policy enforcement before it reaches its intended destination.

Examples of zero-trust security

A good analogy to the way this works is to think of the network as a secure building, where a user would need to go to the reception desk and ask for permission to access a room. The person would then be escorted there until they completed their tasks and then escorted back, with permission revoked. 

Traditional ZTNA done with on-premises firewalls is quite different. In this case, the network or security team would create secure segments and give a user perpetual access only to the assets required. So, someone in finance would be given access to the accounting servers, and that's all that would be required. The downside of this approach is that managing all of the policies to ensure that people have access to the things they need can be incredibly complicated, particularly in highly dynamic environments.

The upside of the Zscaler model is that policies are defined at the user, device, application and content level, making the IP addresses invisible. The argument against it would be that Zscaler now becomes a single point of failure; that would be a concern if it only had a single or only a few points of presence, but the company has built out a massively distributed cloud environment, so that seems unlikely. It would be like shopping at a brick-and-mortar store instead of Amazon because one was worried that Amazon's cloud would go down.

Active defense uses decoys, honeynets

The other topic of interest at Zenith Live was what Zscaler will do with the recently closed acquisition of Smokescreen, which does active defense through the use of decoys, lures and honeynets. These are fake domains, controllers, Active Directory servers and other enterprise resources used to fool threat actors. Active defense assumes that the environment is already breached, and it provides a fast way to identify and remove attackers. Because these are fake resources, there should be no activity; so, by definition, any activity at all indicates a breach, and action can be taken.

Smokescreen can help reverse a growing asymmetric problem facing security pros. With an eroding perimeter, corporate IT needs to protect a number of entry points that is growing exponentially, but the bad guys need to find only one way in. With Smokescreen, attackers need to stay hidden as they move laterally, and in the fake environment the security team needs to find only a single sign of activity to know it has been breached.
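The "any activity at all indicates a breach" rule, sketched as detection logic over connection logs. This is an added example, not Smokescreen or Zscaler code; the log format, hostnames, account name, addresses and the health-checker allowlist are all constructed assumptions.

```python
# Added example: every name, address and log line below is constructed.
DECOY_HOSTS = {"fin-db-07.corp.example", "dc-backup-02.corp.example"}
DECOY_ACCOUNTS = {"svc_sqlbackup"}   # lure credential planted on endpoints
# Assumption: the deception platform's own health checker probes decoys.
EXPECTED_SOURCES = {"10.0.9.5"}

# Assumed format: timestamp source_ip account destination_host action
SAMPLE_LOG = """\
2021-06-15T09:12:03Z 10.0.4.21 alice mail-01.corp.example login_ok
2021-06-15T09:12:40Z 10.0.9.5 healthcheck fin-db-07.corp.example tcp_connect
2021-06-15T09:13:10Z 10.0.4.77 bob fin-db-07.corp.example login_fail
2021-06-15T09:13:55Z 10.0.4.77 svc_sqlbackup files-03.corp.example login_fail
2021-06-15T09:14:02Z 10.0.4.21 alice files-03.corp.example login_ok
2021-06-15T09:14:30Z truncated
"""

def decoy_alerts(log_text):
    """Return {source_ip: incident} for every source that touched a decoy.

    There is no threshold and no success/failure filter: decoys have no
    legitimate users, so a single event is enough to open an incident.
    """
    incidents = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        ts, src, account, host, _action = fields
        touched = set()
        if host in DECOY_HOSTS:
            touched.add(host)
        if account in DECOY_ACCOUNTS:
            touched.add(account)  # lure used, even against a real host
        if not touched or src in EXPECTED_SOURCES:
            continue
        inc = incidents.setdefault(
            src, {"first_seen": ts, "decoys": set(), "events": 0})
        inc["first_seen"] = min(inc["first_seen"], ts)  # same-format UTC strings
        inc["decoys"] |= touched
        inc["events"] += 1
    return incidents

if __name__ == "__main__":
    for src, inc in decoy_alerts(SAMPLE_LOG).items():
        print(src, inc["first_seen"], sorted(inc["decoys"]), inc["events"])
```

The second hit from 10.0.4.77 lands on a real file server, but it uses a planted lure account, so it is attributed to the same incident as the decoy-host touch.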

The combination of ZTNA and active threat defense is a powerful one, as zero trust assumes the Fox Mulder mentality of "trust no one" and makes everything invisible. However, because everything is invisible, it can be difficult to identify a breach. Conversely, Smokescreen assumes a breach has happened and looks for signs of activity to expose it. This duality offers a practical path to zero trust and offers a simple but effective way to find and eliminate attackers who are trying to move laterally.
