SENTINELONE WHITEPAPER
Moving to an Endpoint-Centric Zero Trust Security Model with SentinelOne
October 2021
MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE
SENTINELONE WHITEPAPER 2
Table of Contents
Abstract 3
Introduction 3
History 4
Zero Trust Overview 5
Attack Simulation 6
Zero Trust Maturity Level 7
Building a Zero Trust Security Model 8
Zero Trust Best Practices 9
Zero Trust Powered by SentinelOne 13
Conclusion 18
Abstract
The Zero Trust Network (ZTN) concept follows the mantra of never trust, always verify. Through this approach, organizations can reduce their open attack surface and adopt enhanced security capabilities beyond traditional defenses. In this paper, you will learn how SentinelOne can help enterprises embrace an endpoint-centric Zero Trust strategy using the SentinelOne Singularity™ platform.

Introduction
The requirements for security professionals have changed dramatically in recent years with the rapidly evolving threat landscape, the redefinition of how and where employees work, and the adoption of new technologies like cloud computing, Internet of Things (IoT), and 5G. Today, security teams embrace the concept of assuming breach, as many understand that it is not a question of if you will be compromised, but when. Therefore, organizations invest in people, processes, and technology that help them protect against, detect, respond to, and recover from threats as effectively as possible.

Historically, most corporate applications and solutions that store corporate data were protected behind the corporate network. With the adoption of cloud applications and the mobile workforce, this has changed dramatically. Today, many applications and storage solutions that it was once unthinkable to expose outside the corporate network are hosted on cloud-native platforms and are accessible from virtually anywhere. For this reason, the old perimeter that security professionals would define and protect no longer exists, and perimeter-based security models are obsolete. As a result, many organizations are looking for a new security model that helps them protect against the modern threat landscape, supports remote work scenarios, and reduces the attack surface to a minimum aperture. These are all critical capabilities of Zero Trust, and when successfully adopted, they equip an organization with a robust and flexible security model.

Today, endpoints represent the most significant attack surface, with over 70% of breaches [1] originating on the endpoint. Organizations have a heterogeneous mix of them connected to their network, whether laptops, mobile endpoints, servers, or IoT devices. Therefore, SentinelOne recommends an endpoint-centric Zero Trust security model that works regardless of where the user is located, whether in the corporate network, at a coffee shop, or at home. SentinelOne’s approach brings trust verification as close to the user as possible, turning endpoints into effective Zero Trust policy enforcement mechanisms.

[1] IDC: 70% of Successful Breaches Originate on the Endpoint (Rapid7)
History
There have been many security paradigms over the past decades, including defense-in-depth, least privilege, micro-segmentation, containerization, and Multi-Factor Authentication (MFA). Each of these paradigms represents a mindset of how the different security tools in your organization should be architected to work with each other.

Layered network defenses have been the traditional approach to security for decades. Network-centric methods relied heavily on physical sensors, like firewalls, Intrusion Prevention Systems (IPS), and Intrusion Detection Systems (IDS), to control and secure north-south traffic. Access to corporate resources was binary, based on whether the user was inside or outside the firewall. Once inside the firewall, trust was implicit and given freely.

In recent years, rises in phishing, supply-chain-based attacks, insider threats, and credential compromise attacks have made organizations reconsider the ‘trust by default’ approach. Insider credentials can be abused for elevated access, which makes them attractive targets for attackers. Unlike attacks that must originate from outside the corporate network, adversaries holding such credentials can leverage the implicit trust given to identity to move laterally within an organization’s network.

Additionally, the COVID-19 pandemic has accelerated digital transformation efforts for many organizations. IT teams were forced to rapidly stand up infrastructure to support an instant remote and later hybrid workforce. New solutions were deployed to enable business continuity, including cloud infrastructure and Software-as-a-Service (SaaS) platforms like Zoom and Office 365. IT teams adopted solutions that could scale and deploy without needing access to the physical data center, in some cases deploying applications that were exposed to the open internet. In parallel, many organizations needed to provide endpoints for new remote employees and roll out bring your own device (BYOD) programs. In reality, securing these new operating environments was a secondary concern.
[Figure: Legacy perimeter model. Inside the trusted perimeter sit the campus and corporate network with employees, partners, IoT, endpoints, and IT; outside it are the untrusted commercial cloud (AWS, MS Azure, Google Cloud Platform, Office 365, G Suite, SaaS) and the public internet. Current state: implicit trust within the network, perimeter security controls, firewall ACLs, static policies.]

All of these radical shifts resulted in users accessing applications and data outside of the traditional corporate network. While some organizations tried to scale their on-premises infrastructure to cope, creating a new perimeter around the new compute-where-you-are operating environment with legacy tooling requires too much effort and is prohibitively expensive. Changes in attacks and attack surfaces have necessitated a new approach that ensures every endpoint can be trusted.

Zero Trust Overview
Whereas legacy models are focused on neutralizing threats originating outside an organization’s network, Zero Trust acknowledges that threats may well exist both inside and outside the network. Legacy security models trust, by default, the endpoints and identities within their sphere of influence; in contrast, Zero Trust follows the principle of never trust, always verify, for all endpoints and all identities. By successfully adopting Zero Trust, organizations can perform risk-based access control and apply the concept of least-privilege access to every access decision.

Forrester defines Zero Trust as “moving security from a network-oriented, perimeter-based security model to one based on continuous verification of trust.” Zero Trust is not a product, but rather a modern security model composed of multiple cooperative trust verification layers that are triggered and tested regardless of the device’s location. A Zero Trust ecosystem aggregates multiple sources of trust signals from identity, endpoint, workload, and network to provide a point-in-time access decision.

Guiding Principles of Zero Trust
• Never trust, always verify
Treat every user, endpoint, application or workload, and data flow as untrusted. Authenticate and explicitly authorize each to the least privilege required.
• Assume breach
Operate and defend resources with the assumption that an adversary already has a presence within the environment. Deny by default and scrutinize all users, endpoints, data flows, and requests for access.
• Verify explicitly
Dictate access to all resources in a consistent and secure manner using multiple trust signals for contextual access decisions.

[Figure: Zero Trust (perimeter-less) model. The trust boundary moves to the endpoint: employees, partners, IoT, and endpoints on campus or in hybrid/remote work connect through a cloud edge (VPN/ZTNA) to IT and to workloads and data (at rest and in transit) in the commercial cloud (AWS, MS Azure, Google Cloud Platform, Office 365, G Suite, SaaS). Principles: eliminate implicit trust, incorporate trust signals, conditional risk-aware policies, network micro-segmentation, visibility and analytics.]

Attack Simulation
By comparing two attack simulations, we can begin to understand the strengths of Zero Trust’s continuous security compared to the prototypical (and now legacy) perimeter-centric security model with a hard exterior and soft interior.

Legacy Architecture
• Trust model: endpoints and identities are trusted by default.
• Malicious access: a compromised employee identity or unmanaged endpoint gives the threat actor access to the environment.
• Malicious activity: the threat actor has the employee’s access and can move laterally.

Zero Trust Architecture
• Trust model: no inherent trust by default.
• Malicious access: a compromised employee identity or unmanaged endpoint gives the threat actor access to the environment.
• Malicious activity: access attempts fail due to Zero Trust Network Access device posture controls.
Zero Trust Maturity Level
As organizations move from a legacy to a Zero Trust security model, they look for best practices and guidelines on achieving said model as quickly as possible, but changing the security model of an organization isn’t achieved overnight. The journey is a marathon, not a sprint. While some of the existing investments of an organization can be leveraged or integrated into a Zero Trust security model, the transition will require additional capabilities and resources to fully realize all the benefits of a Zero Trust security model. To assess that transition, SentinelOne recommends the following maturity levels:
Traditional – manual configurations and attribute assignment, static security policies, least-function established at provisioning, proprietary and inflexible policy enforcement, manual incident response, and mitigation capability.

Advanced – some cross-solution coordination, centralized visibility, centralized identity control, policy enforcement based on cross-solution inputs and outputs, some incident response to pre-defined mitigations, some least-privilege changes based on posture assessments.

Optimal – fully automated assigning of attributes to assets and resources, dynamic policies based on automated/observed triggers, assets have dynamic least-privilege access (within thresholds), alignment with open standards for cross-pillar interoperability, centralized visibility with retention for historical review.
[Figure: Zero Trust maturity by pillar (Identity, Endpoint, Network, Workload), with Visibility, Analytics & Automation as a cross-cutting capability.]

Traditional
• Identity: password or multifactor authentication (MFA); limited risk assessment
• Endpoint: limited visibility into compliance; basic inventory
• Network: large macro-segmentation; minimal encryption
• Workload: access based on local authentication; general-purpose protection for known threats; some cloud accessibility

Advanced
• Identity: MFA; identity federation with cloud and on-prem
• Endpoint: compliance enforcement; data access based on device posture
• Network: micro-segmentation at ingress/egress; basic analytics
• Workload: access based on centralized authentication; protections for known threats with application-specific protection

Optimal
• Identity: continuous validation; real-time dynamic analysis
• Endpoint: constant monitoring and validation; data access relies on real-time risk score
• Network: distributed micro-segmentation; ML threat detection (NDR); all traffic encrypted
• Workload: access is authorized continuously; analytics to provide protections that account for application behavior
Building a Zero Trust Security Model
Transitioning security models can be complex and time-intensive. Every organization has its own unique requirements, use cases, and existing technologies. These factors can affect the successful transition to a Zero Trust security model. SentinelOne recommends mapping each line of business against the Zero Trust maturity levels and then defining a phased approach to transitioning the security model. The following is a suggested approach for jump-starting the Zero Trust project in your organization.
John Kindervag, former VP & Principal Analyst at Forrester and creator of the Zero Trust methodology, suggests a five-step deployment guide for Zero Trust:

01. Define Your Protect Surface
Most organizations try to reduce the exposed attack surface as much as they can. But in reality, regardless of the investments, there will always be an open attack surface that attackers will find and exploit. Therefore, instead of chasing the attack surface, the question becomes what the protect surface is: the critical data, applications, assets, and services (DAAS).

02. Map the Transaction Flows
Most organizations, as they transition from network perimeter-based security to modern architectures, are aware of their network and how to protect it. What changes is that organizations now need analytical insight into the DAAS within the network: how is critical data accessed? How can anomalies be detected?
03. Architect the Environment
There is no such thing as an architectural blueprint that fits all organizations in the world.
This statement remains true as organizations embrace the move to a Zero Trust architecture.
ZTN designs are unique per organization because they are determined by your protected
surface and DAAS. Ideally, you want to bring security controls as close as possible to your
protected surface by defining micro-perimeters and ensuring across all aspects that access
requests are always verified based on the health state of the entity requesting the access.
04. Create the Zero Trust Policy
Determine the Zero Trust policies by answering who, what, when, where, why, and how
should get access to corporate resources and services.
05. Monitor and Maintain the Environment
The final step is about gathering telemetry and leveraging autonomous solutions to perform analytics, detect anomalies, and respond automatically based on the defined Zero Trust policies.
Zero Trust Best Practices
SentinelOne can help organizations successfully adopt a Zero Trust security model across their entire digital estate, including workplace, data center, mobile, and cloud workloads.
Endpoints
Today, endpoints, whether they are workstations, laptops, mobile devices, or servers, often have different configurations, patch statuses, and operating systems, leading to inconsistent approaches to applying security policy. This problem is compounded by the rise of bring-your-own-device (BYOD) and the loss of visibility from legacy network controls due to the rise of remote and hybrid working practices.
Adopting Zero Trust for endpoints can assist organizations in reducing this risk by providing
the means to monitor, isolate, secure, control, and remove any endpoint from the network
at any time. When integrated into a Zero Trust ecosystem, endpoints can provide valuable
trust signals when determining whether to grant network access, including the endpoint’s
identity, health, and compliance status.
Endpoint Detection and Response (EDR) solutions provide visibility, detection, and response and act as an organization’s primary control point for endpoint security. EDR solutions collect telemetry from endpoints, correlate it to detect malicious activity, and facilitate the response to and remediation of threats. When EDR is paired with Endpoint Protection (EPP) as a preventative control, organizations have a complete understanding of the endpoint attack surface and threat posture.

Integrating endpoint trust signals into a Zero Trust ecosystem can help answer the following questions and deny access to applications and resources based on policy:
• Is the endpoint currently affected by malware?
• Is the endpoint demonstrating aberrant network behavior?
• Is the user accessing from a corporate managed endpoint?
• Is the endpoint accessing from a known location?
While security teams deploy EPP and EDR controls to endpoints they manage, there are a significant number of endpoints that remain unmanaged or unable to take a management agent.

Unmanaged endpoints are more vulnerable to compromise and introduce risk to the environment if allowed to access corporate resources. Organizations should strive to isolate unmanaged devices, close the EDR deployment gap by leveraging technologies that can perform network discovery, and automatically deploy the EDR agent on unmanaged endpoints.
Workloads
Digital transformation’s innovation pace is enabled principally by nimble cloud workload technology. However, organizations have often traded the security of the environment for reduced time to market. Agile development practices that emphasize iteration and speed can overwhelm security teams who are not prepared to secure workloads as fast as they are created. This friction between DevOps and SecOps creates bottlenecks and an incentive for development teams to circumvent security and governance processes. As a result, there are often blind spots for security teams tasked with keeping cloud environments secure.

Governance of workloads is often performed just once, when the workload is deployed, or sometimes not at all. The specific configuration of workloads is inconsistent, with many instances deployed without critical controls. Confusion often abounds, and DevOps teams make incorrect assumptions about which workload security duties fall to them under each cloud provider’s shared responsibility model. Regardless of the public cloud environment, it is the organization’s responsibility to monitor its cloud attack surface, which is just as vulnerable to compromise as user endpoints.
According to Forrester, “public cloud migrations and other disruptive IT changes have often
acted as a good vehicle for achieving a Zero Trust security model.” A Zero Trust solution for
workloads must provide a repeatable and consistent approach to securing private, public,
hybrid, and multi-cloud environments. It requires an active inventory of all cloud assets,
configuration status and health, and measures to preserve workload immutability. As such,
cloud governance is not a one-time activity but one that happens continuously.
Workload controls can help answer the following questions and adjust container operation
based upon policy:
• Is the workload deviating from the baseline?
• Is the workload affected by malicious activity?
• Is the workload vulnerable to attack?
• Who has access to the workload?
Using this information, security teams can create Zero Trust access policies using real-time information about a workload’s runtime security, compliance status, and security posture.
Identities
Forrester notes that IAM is one of the least mature areas and one of the top 3 vectors for external attacks. Compromised credentials and insider threat attacks form a large and often difficult-to-mitigate attack surface. With compromised identities, attackers can impersonate employees as well as perform man-in-the-middle attacks to exploit trusted identities for their advantage. Identity is a critical component of a Zero Trust ecosystem, and many organizations begin their Zero Trust journey by using identity as a lever.

Identity serves as a one-to-many enforcement point for least privilege, and identity and access management (IAM) remains an effective preventative control point. Identity management is complex: tracking employees, customers, partners, and service accounts across environments, each with varying levels of entitlement and privilege. Zero Trust for identity governs entitlement and provides least-privilege access policies.

Rather than providing unfettered access, conditional access policies should grant only the least privilege required to perform a task. Continual authentication for end-users often adds friction, so it is crucial that a Zero Trust implementation automates the experience as much as possible.

Common implementations of Zero Trust for identity are conditional access, single sign-on (SSO), and multi-factor authentication (MFA). These technologies should be deployed in conjunction with formalized identity governance and entitlement access reviews to ensure that users are not over-provisioned with privileges.
Networks
Networks have evolved due to the rise of remote work, and our perception of the network perimeter has evolved as well. Managed networks are no longer contained to a single location; they exist wherever devices, cloud workloads, and mobile devices access corporate resources.

Previously, it was considered good practice to model network security on physical security. Once someone was through the front door, they could move around as needed, whether that was in the building or on the network. Now, with much of the population still distributed and working from home becoming a more permanent part of the culture, the boundary of the workplace moves from the organization’s firewall to the endpoints. This means that the assumption must always be made that any endpoint is connected via a hostile network and the operator may not be who they say they are. To operate in this environment, trust must be requested and granted on a granular scale, which often means on a per-application basis.
Zero Trust for network facilitates the proactive hardening of network-accessible resources and east-west traffic within the network using micro-segmentation. Logical micro-segmentation creates isolated access zones for an application and its associated hosts, peers, and services. Micro-segmentation furthers Zero Trust by limiting the ability for attackers to move laterally within the environment. If a given segment of the network is compromised, micro-segmentation will ensure that the threat actor or ransomware cannot compromise adjacent resources or services.

In a remote environment, Zero Trust Network Access (ZTNA) helps address the security of north-south traffic between the internal network and cloud-based internal resources. Zero Trust Network Access solutions inspect multiple sources of trust signals, from both endpoints and identity providers, to ensure that the request is valid before granting access to SaaS applications and corporate resources. Following the Zero Trust principles of verifying explicitly and assuming breach, the endpoint must prove that it is trustworthy to gain access. Using ZTNA with endpoints provides the means for a risk-aware network access policy.
Additionally, Network Detection and Response (NDR) solutions provide visibility for detecting and are an effective control point for responding to network-borne threats. NDR solutions log, inspect, and continuously monitor all network traffic for suspicious activity. NDR solutions can help answer a broader range of questions when responding to an incident or hunting for threats, such as:
• Did another asset begin to behave strangely after communicating with the potentially compromised asset?
• What service and protocol were used?
• What other assets or accounts may be implicated?
• Has any other asset contacted the same external command-and-control IP address?
• Has the user account been used in unexpected ways on other devices?

[Figure: North-south network traffic flows between the external network and the internal network; east-west network traffic flows between data centers within the internal network.]

Zero Trust Powered by SentinelOne
SentinelOne’s approach to Zero Trust provides the means for security teams to continuously monitor and manage the hygiene, risk, and hardening of their entire estate as part of a Zero Trust strategy.

[Figure: SentinelOne for Zero Trust. Four pillars underpinned by visibility, analytics and automation (hygiene, risk, hardening): Endpoint (monitor, secure, and enforce endpoint policy), Identity (apply least-privilege and risk-aware policy), Workload (inventory and protect multi-cloud workloads), Network (segment and control network access).]
Hygiene
Preventing, detecting, responding, and recovering from cyber threats
In a Zero Trust environment, everything is assumed to be breached, and endpoints and
cloud workloads must prove otherwise. Before granting access to corporate resources, a
Zero Trust solution must first check whether the device requesting access is compromised.
• SentinelOne’s patented on-endpoint Behavioral AI predicts, stops, and corrects
the effects of known and unknown threats in real-time. SentinelOne’s agent can be
deployed across all major operating systems to monitor and continuously assess
endpoint health with or without an internet connection.
• Patented 1-click remediation automates threat resolution with fully autonomous
responses that trigger protective actions in real-time. SentinelOne provides a clear
picture of an endpoint’s health, management status, and the ability to automatically
quarantine or remediate it to bring the device into compliance.
• SentinelOne Singularity Cloud provides runtime protection and EDR for virtual
machines (VMs) and containerized workloads. Organizations can manage and secure
hybrid, private, and multi-cloud workloads from a single console with a single agent.
Workload health status is available in real-time and automatically brought back into
compliance.
• Singularity Mobile brings behavioral AI-driven protection, detection, and response to
iOS, Android, and ChromeOS devices. Part of the Singularity™ Platform, SentinelOne
delivers mobile threat defense that is local, adaptive, and real-time, to thwart mobile
malware and phishing attacks at the device, with or without a cloud connection. And
because it’s mobile, data privacy is built-in at every level. Singularity Mobile works
with or without an MDM, and integrates with all leading MDM solutions. The on-device
agent provides protection and detection of both mobile malware and phishing, known
or unknown, with minimal battery consumption for an optimal end-user experience.
Risk and Governance
Visualizing, managing, and mitigating risk
Making data-driven decisions is critical for security teams. Organizations need to fully understand possible risks, blind spots, and the attack surface before security policies can be effectively applied.
• With the exponential increase of connected endpoints and the often complex and
varying configurations of cloud workloads, it has become difficult for organizations to
understand who is inside the network and how workloads are configured compared to
industry standards like CIS.
• To gain visibility into the network, SentinelOne Singularity Ranger turns endpoints into distributed network sensors that provide monitoring of the enterprise attack surface in real-time. SentinelOne agents actively fingerprint and inventory all IP-enabled endpoints on the network to identify abnormal communications and open vulnerabilities.
• With Ranger, risk from devices that are not secured with SentinelOne can be mitigated
by either automatically deploying an agent or isolating the device from the secured
endpoints. This is how Ranger can be used to effectively reduce the attack surface.
• Singularity Conditional Policy is SentinelOne’s endpoint-centric Conditional Policy
engine. SentinelOne empowers organizations to dynamically change security policies
based on the risk level of the endpoint through this capability. With that, endpoints
are no longer trusted by default but rather are continuously verified. When an incident
occurs, the security policies are dynamically hardened in real-time to reduce the attack
surface and prevent any potential damage.
Hardening
Designing and implementing preventative measures
One of the core principles of Zero Trust is to embrace the least privilege and default-deny
policies until a user can prove they require elevated privileges.
• SentinelOne inventories all locally running applications from across the endpoint fleet and uses Storyline Active Response (STAR) rules to create a default-deny policy. A default-deny policy would restrict access to only approved applications and publishers, allowing the security team to manage only by exception. This approach would significantly reduce the risk of compromise from unapproved or potentially malicious applications.
• SentinelOne’s Device Control suite helps organizations embrace a more hardened
posture for data loss prevention by restricting USB, Bluetooth, and Bluetooth Low
Energy communications. Admins can restrict by endpoint class - for example, USB
mass storage endpoints - which dramatically reduces the potential attack surface for
insider threats and data loss.
• Preserving the unchanging, immutable state of a workload is an essential control for
cloud workload protection. Application Control preserves the immutable nature of the
workload by employing a default-deny posture for any new code not present in the
validated initial VM or container image. Not only does this harden the image itself, but it
prevents attackers from executing arbitrary code that could be used for compromise or
lateral movement. Additionally, cloud application access control enables default-deny
policies for access to cloud workloads and services. Cloud services are denied by default,
reducing the amount of shadow IT and shadow cloud usage. Only approved endpoints
will access the cloud resources and can be managed by exception by the security team.
Singularity Marketplace
Connecting the Zero Trust Ecosystem
An effective Zero Trust framework integrates best-of-breed solutions and existing infrastructure to fill security gaps without a forklift upgrade of the security stack. SentinelOne has partnered with leading identity and network vendors to deliver validated Zero Trust solutions:
01. Network
SentinelOne’s integration with Guardicore provides centralized visibility of network activity, including network data generated from endpoints and cloud workloads. SentinelOne agents report metadata to Guardicore, which builds detailed visibility and a network topology in Guardicore for decision-making, forensics, and micro-segmentation policy creation. Policies can be exported from Guardicore and enforced by SentinelOne’s native firewall controls. Guardicore can define segmentation and micro-segmentation policies and then use the SentinelOne APIs to enforce them on the agent.
SentinelOne’s integrations with Zscaler and Cloudflare use device signals from SentinelOne to inform Zero Trust Network Access decisions. Information about the endpoint, including whether it is managed and has a SentinelOne agent installed, is provided to Zscaler and Cloudflare. This information is combined with contextually relevant information from an identity provider to determine a point-in-time network access decision.
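As an added example (not SentinelOne, Zscaler or Cloudflare code), the Python below implements the point-in-time decision described above and in the Endpoints section: a default-deny policy that combines endpoint signals with identity context and returns deny, step-up MFA or allow, then shows how a detection on the endpoint flips later decisions for both the device and its logged-in user. Signal names, risk levels and the ordering of checks are assumptions chosen to mirror the paper’s questions.

```python
"""Point-in-time Zero Trust access decision from endpoint and identity trust signals.

Added illustration only; not SentinelOne, Zscaler or Cloudflare code. Signal names,
risk levels and check ordering are assumptions mirroring the paper's questions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    STEP_UP_MFA = "step_up_mfa"
    ALLOW = "allow"


@dataclass
class EndpointPosture:
    """Signals an EDR agent (or a network sensor, for unmanaged devices) can report."""
    device_id: str
    managed: bool            # corporate-managed with an agent installed
    agent_healthy: bool      # agent running and reporting
    malware_detected: bool   # active threat currently affecting the endpoint
    aberrant_network: bool   # anomalous network behaviour flagged
    known_location: bool     # request originates from an expected location


@dataclass
class IdentityContext:
    """Signals from the identity provider (assumed three-level user risk)."""
    user: str
    mfa_completed: bool
    user_risk: str  # "low" | "medium" | "high"


def decide(ep: EndpointPosture, idn: IdentityContext, sensitivity: str) -> tuple[Decision, list[str]]:
    """Default-deny: an allow must be justified by every explicit check passing.

    sensitivity is the requested resource's classification: "low" or "high".
    """
    # "Assume breach": these signals deny outright regardless of anything else.
    hard = []
    if ep.malware_detected:
        hard.append("endpoint currently affected by malware")
    if idn.user_risk == "high":
        hard.append("identity risk level high")
    if not ep.managed or not ep.agent_healthy:
        hard.append("unmanaged endpoint or unhealthy agent")
    if hard:
        return Decision.DENY, hard

    # Lower-confidence context: require step-up authentication rather than deny.
    soft = []
    if ep.aberrant_network:
        soft.append("aberrant network behaviour")
    if not ep.known_location:
        soft.append("unknown location")
    if idn.user_risk == "medium":
        soft.append("identity risk level medium")
    if sensitivity == "high" and not idn.mfa_completed:
        soft.append("high-sensitivity resource requires MFA")

    if soft and not idn.mfa_completed:
        return Decision.STEP_UP_MFA, soft
    if soft:
        return Decision.ALLOW, [f"allowed after MFA despite: {r}" for r in soft]
    return Decision.ALLOW, ["all endpoint and identity signals verified"]


def on_endpoint_incident(ep: EndpointPosture, idn: IdentityContext) -> None:
    """Dynamic hardening: a detection marks the device compromised and raises the
    risk of its last logged-in user, so the next decision for either is DENY."""
    ep.malware_detected = True
    idn.user_risk = "high"


def sample_scenarios() -> dict[str, Decision]:
    """Constructed scenarios (not real telemetry) exercising each branch."""
    healthy = EndpointPosture("lap-01", True, True, False, False, True)
    byod = EndpointPosture("byod-07", False, False, False, False, True)
    roaming = EndpointPosture("lap-02", True, True, False, False, False)
    alice = IdentityContext("alice", mfa_completed=True, user_risk="low")
    bob = IdentityContext("bob", mfa_completed=False, user_risk="low")
    results = {
        "managed_clean_mfa": decide(healthy, alice, "high")[0],
        "unmanaged_byod": decide(byod, alice, "low")[0],
        "roaming_no_mfa": decide(roaming, bob, "low")[0],
    }
    # Detection on lap-01 while alice is logged in: both become untrusted, even
    # when alice later tries from a different, healthy device.
    on_endpoint_incident(healthy, alice)
    results["incident_same_device"] = decide(healthy, alice, "low")[0]
    results["incident_other_device"] = decide(roaming, alice, "low")[0]
    return results


if __name__ == "__main__":
    for name, outcome in sample_scenarios().items():
        print(f"{name:24s} -> {outcome.value}")
```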
SentinelOne integrates with a number of NDR solutions including Vectra AI, Awake Security (Arista Networks), and Fidelis. The combination of SentinelOne’s EDR with partner NDR capabilities provides visibility, detection, and response for both managed and unmanaged endpoints. While NDR connects related network activity into a broader attack map, SentinelOne provides contextual awareness by enriching information coming from managed endpoints such as device name, last logged-in user, operating system details, and other endpoint characteristics. This provides comprehensive threat detection, rapid and effective response, endpoint containment, and forensic analysis capabilities.

[Figure: ZTNA access flow. Step 1: the user requests access to an application. Step 2: a ZTNA provider directs the user to an authentication page where SentinelOne evaluates device security posture for policy adherence; the user’s identity and contextual factors such as geolocation and certificate are also assessed. Step 3: if the user’s request adheres to policy, access to the self-hosted or SaaS application is granted. Access control requirements are enforced and changed upon detection of risky events or activities.]
02. Identity
SentinelOne integrates with Azure Active Directory to provide identity-focused Zero Trust solutions. Conditional access is a key part of Zero Trust because it helps to ensure the right user has the right access to the right resources. Enabling Conditional Access allows Azure Active Directory to make access decisions based on computed risk and preconfigured policies. When an endpoint is compromised, SentinelOne pushes this information in real time to Azure Active Directory, ensuring that the organization can leverage its conditional access policy to block a user, limit the user’s access, or trigger MFA.
Additionally, SentinelOne can share identity risk information with Azure AD that is factored into conditional access policy. For example, if SentinelOne detects an attack on an endpoint, it will report the last logged-in user to Azure AD with a high user risk level. Using this information, Azure AD will enforce identity policy, such as resetting the password or blocking the user.
Finally, the risk score that Azure AD generates for a given identity can be used in SentinelOne to inform triage and investigation. Identity risk information is surfaced within the SentinelOne console and provides analysts with at-a-glance context about a given identity.
[Figure: SentinelOne with Azure AD conditional access. SentinelOne detections (phishing attack, compromised credential, lateral movement, abnormal activity, threat detection) modify user risk in Azure AD. Conditional access policy enforcement weighs user-related activity, type of devices, location, application, and device trust level, and can limit access, require MFA, or block access.]
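The point-in-time decision that the ZTNA integrations and the Azure AD conditional access flow describe, as an added example written for this page (not SentinelOne, Zscaler, Cloudflare or Microsoft code): endpoint posture, identity risk and request context are combined, the most severe matching rule wins, and a request with no posture signal at all is denied by default. The signal names, the three risk levels, the `raise_user_risk` helper and the policy table are assumptions; a real integration would take the posture from the EDR agent and the risk level from the identity provider.

```python
"""Added example (not SentinelOne, Zscaler, Cloudflare or Microsoft code):
a point-in-time access decision that combines endpoint posture, identity
risk and request context. Signal names, risk levels and the rule table are
constructed assumptions for this illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    LIMIT_ACCESS = "limit_access"
    BLOCK = "block"


@dataclass
class EndpointPosture:
    managed: bool            # enrolled in device management
    agent_installed: bool    # EDR agent present and reporting
    active_threat: bool      # agent currently reports an unresolved threat


@dataclass
class AccessRequest:
    user: str
    user_risk: str                        # "low" | "medium" | "high", as the IdP computes it
    posture: Optional[EndpointPosture]    # None means no posture signal reached the decision point
    location_known: bool
    application: str


def decide(req: AccessRequest) -> Tuple[Decision, str]:
    """Evaluate rules from most to least severe; the first match wins, and the
    absence of any trust signal is treated as untrusted (deny by default)."""
    if req.posture is None:
        return Decision.BLOCK, "no device posture signal; untrusted by default"
    if req.posture.active_threat:
        return Decision.BLOCK, "endpoint reports an active threat"
    if req.user_risk == "high":
        return Decision.BLOCK, "identity provider rates the user as high risk"
    if not req.posture.managed or not req.posture.agent_installed:
        return Decision.LIMIT_ACCESS, "unmanaged endpoint or no EDR agent; restricted access only"
    if req.user_risk == "medium" or not req.location_known:
        return Decision.REQUIRE_MFA, "elevated identity risk or unfamiliar location"
    return Decision.ALLOW, "managed, healthy endpoint with a low-risk identity"


def raise_user_risk(current: str, endpoint_has_threat: bool) -> str:
    """Assumed model of the EDR-to-IdP signal: a detection on the endpoint pushes
    the last logged-in user's risk to 'high'; otherwise the level is unchanged."""
    return "high" if endpoint_has_threat else current


if __name__ == "__main__":
    healthy = EndpointPosture(managed=True, agent_installed=True, active_threat=False)
    # Constructed requests covering the allow, step-up, limit and block outcomes.
    for r in [
        AccessRequest("alice", "low", healthy, True, "crm"),
        AccessRequest("alice", "low", healthy, False, "crm"),
        AccessRequest("bob", "low", EndpointPosture(False, False, False), True, "crm"),
        AccessRequest("carol", raise_user_risk("low", True), healthy, True, "crm"),
        AccessRequest("dave", "low", None, True, "crm"),
    ]:
        print(r.user, *decide(r))
```

The ordering matters: an active threat on the device blocks access even when the identity provider still rates the user as low risk, and a high identity risk blocks access even from a healthy device, which is the two-way exchange of signals the integration text describes.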
SentinelOne natively integrates with Okta to bring identity context and response actions directly within the Singularity XDR platform. SentinelOne consumes logs and contextual events from Okta and displays them alongside relevant endpoint detections. With identity visibility, analysts can see additional identity activity that may be relevant for an investigation. When corrective mitigation needs to take place, response actions within SentinelOne can revoke an identity or trigger MFA.
Conclusion
SentinelOne’s approach helps organizations advance Zero Trust maturity by leveraging existing endpoint, cloud workload, identity, and network security investments. With native capabilities and integrations, organizations can begin the journey toward applying Zero Trust principles more effectively.
© SentinelOne 2021
Moving_to_an_Endpoint-Centric_Zero_Trust Security_Model_with_SentinelOne_10142021
Contact us
sales@sentinelone.com
+1-855-868-3733
sentinelone.com
About SentinelOne
More Capability. Less Complexity. SentinelOne is pioneering the future of cybersecurity with autonomous, distributed endpoint intelligence aimed at simplifying the security stack without forgoing enterprise capabilities. Our technology is designed to scale people with automation and frictionless threat resolution. Are you ready?

More Related Content

PPTX
SEMINAR ghajkakqkqkvnnkamsmAJAY PPT.pptx
PDF
How Zero Trust Can Protect Your Business from Cyber Attacks
PPTX
Revolutionizing Cybersecurity: Implementing Zero Trust Security Models
PDF
Zero Trust Network Security- A New Era of Cyber Defense.pdf
PDF
Understanding Zero Trust Network Security_ A Comprehensive Guide.pdf
DOCX
“Verify and never trust”: The Zero Trust Model of information security
PDF
SAP Application Access with Instasafe Zero Trust
PPTX
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
SEMINAR ghajkakqkqkvnnkamsmAJAY PPT.pptx
How Zero Trust Can Protect Your Business from Cyber Attacks
Revolutionizing Cybersecurity: Implementing Zero Trust Security Models
Zero Trust Network Security- A New Era of Cyber Defense.pdf
Understanding Zero Trust Network Security_ A Comprehensive Guide.pdf
“Verify and never trust”: The Zero Trust Model of information security
SAP Application Access with Instasafe Zero Trust
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK

Similar to Moving to an endpoint centric zero trust security model (20)

PDF
InstaSafe Zero Trust Access - Key Features and Benefits
PDF
What Is Zero Trust Architecture and Why Do You Need It.pdf
PDF
The Zero Trust Security Model for Modern Businesses!
PPTX
Zero Trust and Data Security
PPTX
Zero Trust: Redefining Security in the Digital Age
PDF
br-security-connected-top-5-trends
PDF
Protecting Your Business with the Zero-Trust Security Model.pdf
DOCX
What is zero trust model of information security?
PPTX
Strategically moving towards a secure hybrid it
PDF
Protect your hybrid workforce across the attack chain
PDF
What Is Network Security Definition, Types, and Best Practices in 2024
PDF
BATbern48_How Zero Trust can help your organisation keep safe.pdf
PDF
Top reasons why Endpoint Security should move to Cloud | Sysfore
PDF
Zero Trust Network Security- A Modern Approach to Cyber Defense (1).pdf
PDF
Zero Trust Security Why Managed Cybersecurity Services Are Adopting This Model
DOCX
HOW TO AUGMENT YOUR CNI CYBERSECURITY WHEN USING CLOUD TECHNOLOGY.docx
PDF
Zero Trust vs Defense in Depth
PDF
A new Frontier in Cybersecurity - ZTNA.pdf
PDF
Fortifying Cybersecurity_ The Imperative of Zero Trust Network Access
PDF
Ultimate Guide to Choosing Zero Trust Security Vendors.pdf
InstaSafe Zero Trust Access - Key Features and Benefits
What Is Zero Trust Architecture and Why Do You Need It.pdf
The Zero Trust Security Model for Modern Businesses!
Zero Trust and Data Security
Zero Trust: Redefining Security in the Digital Age
br-security-connected-top-5-trends
Protecting Your Business with the Zero-Trust Security Model.pdf
What is zero trust model of information security?
Strategically moving towards a secure hybrid it
Protect your hybrid workforce across the attack chain
What Is Network Security Definition, Types, and Best Practices in 2024
BATbern48_How Zero Trust can help your organisation keep safe.pdf
Top reasons why Endpoint Security should move to Cloud | Sysfore
Zero Trust Network Security- A Modern Approach to Cyber Defense (1).pdf
Zero Trust Security Why Managed Cybersecurity Services Are Adopting This Model
HOW TO AUGMENT YOUR CNI CYBERSECURITY WHEN USING CLOUD TECHNOLOGY.docx
Zero Trust vs Defense in Depth
A new Frontier in Cybersecurity - ZTNA.pdf
Fortifying Cybersecurity_ The Imperative of Zero Trust Network Access
Ultimate Guide to Choosing Zero Trust Security Vendors.pdf
Ad

Recently uploaded (20)

PDF
Hybrid model detection and classification of lung cancer
PDF
A review of recent deep learning applications in wood surface defect identifi...
PDF
DP Operators-handbook-extract for the Mautical Institute
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
PDF
Unlock new opportunities with location data.pdf
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PPTX
Chapter 5: Probability Theory and Statistics
PPT
Module 1.ppt Iot fundamentals and Architecture
PDF
Hindi spoken digit analysis for native and non-native speakers
PDF
STKI Israel Market Study 2025 version august
PDF
Getting Started with Data Integration: FME Form 101
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PDF
A novel scalable deep ensemble learning framework for big data classification...
PDF
August Patch Tuesday
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PDF
Zenith AI: Advanced Artificial Intelligence
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PPT
Geologic Time for studying geology for geologist
Hybrid model detection and classification of lung cancer
A review of recent deep learning applications in wood surface defect identifi...
DP Operators-handbook-extract for the Mautical Institute
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Unlock new opportunities with location data.pdf
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
Final SEM Unit 1 for mit wpu at pune .pptx
Chapter 5: Probability Theory and Statistics
Module 1.ppt Iot fundamentals and Architecture
Hindi spoken digit analysis for native and non-native speakers
STKI Israel Market Study 2025 version august
Getting Started with Data Integration: FME Form 101
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
A novel scalable deep ensemble learning framework for big data classification...
August Patch Tuesday
Group 1 Presentation -Planning and Decision Making .pptx
A contest of sentiment analysis: k-nearest neighbor versus neural network
Zenith AI: Advanced Artificial Intelligence
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
Geologic Time for studying geology for geologist
Ad

Moving to an endpoint centric zero trust security model

  • 2. MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE SENTINELONE WHITEPAPER 2 TableofContents Abstract 3 Introduction 3 History 4 Zero Trust Overview 5 Attack Simulation 6 Zero Trust Maturity Level 7 Building a Zero Trust security model 8 Zero Trust Best Practices 9 Zero Trust powered by SentinelOne 13 Conclusion 18
  • 3. MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE SENTINELONE WHITEPAPER 3 Introduction The requirements for security professionals have changed dramatically in recent years with the rapidly evolving threat landscape, redefinition of how and where employees work, and adoption of new technologies like cloud computing, Internet of Things (IoT), and 5G. Today, security teams embrace the concept of assuming breach, as many understand that it’s not if you will be compromised, but when. Therefore, organizations invest in people, processes, and technology that help them protect, detect, respond, and recover from threats as effec- tively as possible. Historically, most corporate applications and solutions that store corporate data were pro- tected behind the corporate network. With the adoption of cloud applications and the mo- bile workforce, this has changed dramatically. Today, many applications or storage solu- tions that were unthinkable to be accessible outside the corporate network are hosted on cloud-native solutions and are accessible from virtually anywhere. For this reason, the old perimeter that security professionals would set and protect no longer exists, and perime- ter-based security models are obsolete. As a result, many organizations are looking for a new security model that helps them to protect against the modern threat landscape, sup- ports remote work scenarios, and reduces the attack surface to a minimum aperture. These are all critical capabilities of Zero Trust, and when successfully adopted by an organization, they can equip organizations with a robust and flexible security model. Today, endpoints represent the most significant attack surface, with over 70% of breaches1 originating on the endpoint. Organizations have a heterogeneous mix of them connected to their network, whether laptops, mobile endpoints, servers, or IoT devices. 
Therefore, Sen- tinelOne recommends an endpoint-centric Zero Trust security model that works regardless of where the user is located, whether in the corporate network, at a coffee shop, or at home. SentinelOne’s approach brings trust verification as close to the user as possible, turning endpoints into effective zero-trust policy enforcement mechanisms. 1 IDC: 70% of Successful Breaches Originate on the Endpoint (Rapid7) 01 02 Abstract Zero Trust Network (ZTN) concept follows the mantra of never trust, always verify. Through this approach, organizations can reduce their open attack surface and adopt enhanced security capabilities beyond traditional defenses. In this paper, you will learn how Sen- tinelOne can help enterprises embrace an endpoint-centric zero trust strategy using the SentinelOne Singularity™ platform.
  • 4. MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE SENTINELONE WHITEPAPER 4 History There have been many security paradigms over the past decades including defense-in- depth, least privilege, micro-segmentation, containerization, and Multi Factor Authentica- tion (MFA). Each of these paradigms represents a mindset of how the different security tools in your organization should be architected to work with each other. Layered network defenses have been the traditional approach to security for decades. Network-centric methods relied heavily on physical sensors—like firewalls, Intrusion Pre- vention System (IPS), and Intrusion Detection System (IDS)—to control and secure north- south traffic. Access to corporate resources was binary, based on whether the user was inside or outside the firewall. Once inside the firewall, trust was implicit and given freely. In recent years, rises in phishing, supply-chain-based attacks, insider threats, and cre- dential compromise attacks have made organizations reconsider the ‘trust by default’ approach. Insider credentials can be taken advantage of for elevated access, therefore presenting themselves as attractive targets for attackers. In contrast to attacks originating from outside of the corporate network, adversaries can leverage the implicit trust given to identity to move laterally within an organization’s network. Additionally, the COVID-19 pandemic has accelerated digital transformation efforts for many organizations. IT teams were forced to rapidly stand up infrastructure to support an instant remote and later hybrid workforce. New solutions were deployed to enable busi- ness continuity, including cloud infrastructure and Software-as-a-Service (SaaS) platforms like Zoom and Office 365. IT teams adopted solutions that could scale and deploy without needing access to the physical data center, in some cases deploying applications that were exposed to the open internet. 
In parallel, many organizations needed to provide endpoints for new remote employees and roll out bring your own device (BYOD) programs. In reality, securing these new operating environments was a secondary concern. COMMERCIAL CLOUD Trusted Untrusted Employees Partners IoT Public Trusted (Perimeter) • Current state • Implicit trust within network • Perimeter security controls • Firewall ACLs • Static policies Endpoints AWS MS Azure Google Cloud Platform Office 365 G Suite SaaS Campus Corporate Network IT Public 03 Legacy Perimeter Internet
  • 5. MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE SENTINELONE WHITEPAPER 5 ZeroTrustOverview Whereas legacy models are focused on neutralizing threats originating outside an orga- nization’s network, Zero Trust acknowledges that threats may well exist both inside and outside the network. Legacy security models trust, by default, the endpoints and identities within their sphere of influence; In contrast, Zero Trust follows the principle of never trust, always verify all endpoints, all identities. By successfully adopting Zero Trust, organiza- tions can perform risk-based access control and leverage the concept of least privileged access for every access decision. ForresterdefinesZeroTrustas“movingsecurityfromanetwork-oriented,perimeter-based security model to one based on continuous verification of trust.” Zero Trust is not a prod- uct, but rather a modern security model composed of multiple cooperative trust verifica- tion layers that are triggered and tested regardless of the device’s location. A Zero Trust ecosystem aggregates multiple sources of trust signals from identity, endpoint, workload, and network to provide a point-in-time access decision. Guiding Principles of Zero Trust • Never trust, always verify Treat every user, endpoint, application or workload, and data flow as untrusted. Authenticate and explicitly authorize each to the least privilege required. 04 All of these radical shifts resulted in users accessing applications and data outsides of the traditional corporate network. While some organizations tried to scale their on-premises infrastructure to cope, creating a new perimeter around the new compute-where-you-are operating environment with legacy tooling requires too much effort and is prohibitively ex- pensive. Changes in attacks and attack surfaces have necessitated a new approach that ensures every endpoint can be trusted. 
COMMERCIAL CLOUD Zero Trust (Perimeter-less) • Eliminate implicit trust • Incorporate trust signals • Conditional risk- aware policies • Network micro- segmentation • Visibility and analytics Campus Employees Partners IoT Endpoints Cloud-Edge VPN / ZTNA IT Internet Public Trust Boundary ZeroTrust Perimeter Workloads & Data At-rest & In-transit AWS MS Azure Google Cloud Platform Office 365 G Suite SaaS Hybrid / Remote Work
  • 6. AttackSimulation By comparing two attack simulations, we can begin to understand the strengths of Zero Trust’ continuous security compared to the prototypical (and now legacy) perimeter-cen- tric security model with a hard exterior and soft interior. MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE SENTINELONE WHITEPAPER 6 05 Legacy Architecture ZeroTrust Architecture Legacy Architecture Zero Trust Architecture Endpoints and identities are trusted by default No inherent trust by default Malicious Access Malicious Access Compromised employee identity or unmanaged endpoint gives threat actor access to environment Compromised employee identity or unmanaged endpoint gives threat actor access to environment Malicious Activity Malicious Activity Threat actor has employee’s access and can move laterally Access attempts fail due to Zero Trust Network Access device posture controls • Assume breach Operate and defend resources with the assumption that an adversary already has a presence within the environment. Deny by default and scrutinize all users, endpoints, data flows, and requests for access. • Verify explicitly Dictate access to all resources in a consistent and secure manner using multiple trust signals for contextual access decisions.
  • 7. MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE SENTINELONE WHITEPAPER 7 ZeroTrustMaturityLevel As organizations move from a legacy to Zero Trust security model, they look for best practic- es and guidelines on achieving said model as quickly as possible, but changing the security model of an organization isn’t achieved overnight. The journey is a marathon, not a sprint. While some of the existing investments of an organization can be leveraged or integrated into a Zero Trust security model, the transition will require additional capabilities and re- sources to fully utilize all the benefits of a Zero Trust security model. To achieve that, Sen- tinelOne recommends the following components: Traditional – manual configurations and attribute assignment, static security policies, least-function established at provisioning, proprietary and inflexible policy enforcement, manual incident response, and mitigation capability. Advanced – some cross-solution coordination, centralized visibility, centralized identity control, policy enforcement based on cross-solution inputs and outputs, some incident re- sponse to pre-defined mitigations, some least-privilege changes based on posture assess- ments. Optimal – fully automated assigning of attributes to assets and resources, dynamic policies based on automated/observed triggers, assets have dynamic least-privilege access (within thresholds), alignment with open standards for cross-pillar interoperability, centralized vis- ibility with retention for historical review. 
06 Identity Endpoint Network Workload • Password or multifactor authentication (MFA) • Limited risk assessment • Limited visibility into compliance • Basic inventory • Large macro- segmentation • Minimal encryption • Access based on local authentication • General purpose protection for known threats • Some cloud accessibility • MFA • Identity federation with cloud and on- prem • Compliance enforcement • Data access based on device posture • Micro-segmentation at ingress/egress • Basic analytics • Access based on centralized authentication • Protections for known threats with application- specific protection • Continuous validation • Real-time dynamic analysis • Constant monitoring and validation • Data access relies on real-time risk score • Distributed micro- segmentation • ML threat detection (NDR) • All traffic encrypted • Access is authorized continuously • Analytics to provide protections that account for application behavior Traditional Advanced Optimal Visibility,Analytics&Automation
  • 8. MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE SENTINELONE WHITEPAPER 8 BuildingaZeroTrustSecurity Model Transitioning security models can be complex and time-intensive. Every organization has its own unique requirements, use cases, and existing technologies. These factors can af- fect the successful transition to a Zero Trust security model. SentinelOne recommends to map based on the Zero Trust maturity level line of businesses and then define a phased approach in transitioning the security model. The below is a suggested approach on how to jump-start the Zero Trust project for your organization. John Kindervag, former VP & Principal Analyst at Forrester, and creator of the Zero Trust methodology suggests a five-step deployment guide for Zero Trust: 01. Define Your Protect Surface Most organizations try to reduce the exposed attack surface as much as they can. But in re- ality, regardless of the investments, there will always be an open attack surface that attack- ers will find and exploit. Therefore instead of looking for the attack surface, the question becomes what is the protected surface which includes critical data, application, assets, and services (DAAS). 02. Map the Transaction Flows Most organizations as they transition from networker perimeter-based security to modern architectures are aware of their network and how to protect it. What changes is the fact that organizations need analytical insights of DAAS within the network? How are critical data accessed? How can anomalies be detected? 03. Architect the Environment There is no such thing as an architectural blueprint that fits all organizations in the world. This statement remains true as organizations embrace the move to a Zero Trust architecture. ZTN designs are unique per organization because they are determined by your protected surface and DAAS. 
Ideally, you want to bring security controls as close as possible to your protected surface by defining micro-perimeters and ensuring across all aspects that access requests are always verified based on the health state of the entity requesting the access. 04. Create the Zero Trust Policy Determine the Zero Trust policies by answering who, what, when, where, why, and how should get access to corporate resources and services. 07
  • 9. MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE SENTINELONE WHITEPAPER 9 05. Monitor and Maintain the Environment The final step is about gathering telemetry, leveraging autonomous solutions to perform analytics and detect anomalous and automatically respond based on the defined zero trust policies. ZeroTrustBestPractices SentinelOne can help organizations successfully adopt a Zero Trust security model for their entire organization from the digital estate, including workplace, data center, mobile, and cloud workloads. Endpoints Today endpoints, regardless if they are workstations, laptops, mobile devices, or servers, often have different configurations, patch statuses, operating systems, leading to incon- sistent approaches to applying security policy. This problem is compounded by the rise of bring-your-own-endpoint (BYOD) and the loss of visibility from legacy network controls due to the rise of remote and hybrid working practices. Adopting Zero Trust for endpoints can assist organizations in reducing this risk by providing the means to monitor, isolate, secure, control, and remove any endpoint from the network at any time. When integrated into a Zero Trust ecosystem, endpoints can provide valuable trust signals when determining whether to grant network access, including the endpoint’s identity, health, and compliance status. Endpoint Detection and Response (EDR) solutions provide visibility, detection, and re- sponse and act as an organization’s primary control point for endpoint security. EDR solu- tions collect telemetry from endpoints, correlate to detect malicious activity, and facilitate the response and remediation of threats. When EDR is paired with Endpoint Protection (EPP) as a preventative control, organizations have a complete understanding of the end- point attack surface and threat posture. 
Integrating endpoint trust signals into a Zero Trust ecosystem can help answer the follow- ing questions and deny access to applications and resources based on the policy: • Is the endpoint currently affected by malware? • Is the endpoint demonstrating aberrant network behavior? • Is the user accessing from a corporate managed endpoint? • Is the endpoint accessing from a known location? 08
  • 10. MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE SENTINELONE WHITEPAPER 10 While security teams deploy EPP and EDR controls to endpoints they manage, there are a significant number of endpoints that remain unmanaged or unable to take a manage- ment agent. Unmanaged endpoints are more vulnerable to compromise and introduce risk to the envi- ronment if allowed to access corporate resources. Organizations should strive to isolate un- managed devices, close the EDR deployment gap by leveraging technologies that can per- form network discovery, and automatically deploy the EDR agent on unmanaged endpoints. Workloads Digital transformation’s innovation pace is enabled principally by nimble cloud workload technology. However, organizations have traded reduced time to market for environmental security. Agile development practices that emphasize iteration and speed can overwhelm security teams who are not prepared to secure workloads as fast as they are created. This friction between DevOps and SecOps creates bottlenecks and an incentive for develop- ment teams to circumvent security and governance processes. As a result, there are often blind spots for security teams tasked with keeping cloud environments secure. Governance of workloads is often performed just once when the workload is deployed, or sometimes not at all. And the specific configuration of workloads is inconsistent, with many instances deployed without critical controls. Confusion often abounds and incorrect as- sumptions made by DevOps regarding workload security according to each cloud provid- er’s shared responsibility model. Regardless of the public cloud environment, it’s the orga- nization’s responsibility to monitor their cloud attack surface, which is just as vulnerable to compromise as user endpoints. 
According to Forrester, “public cloud migrations and other disruptive IT changes have often acted as a good vehicle for achieving a Zero Trust security model.” A Zero Trust solution for workloads must provide a repeatable and consistent approach to securing private, public, hybrid, and multi-cloud environments. It requires an active inventory of all cloud assets, configuration status and health, and measures to preserve workload immutability. As such, cloud governance is not a one-time activity but one that happens continuously. Workload controls can help answer the following questions and adjust container operation based upon policy: • Is the workload deviating from the baseline? • Is the workload affected by malicious activity? • Is the workload vulnerable to attack? • Who has access to the workload?
  • 11. MOVING TO AN ENDPOINT-CENTRIC ZERO TRUST SECURITY MODEL WITH SENTINELONE SENTINELONE WHITEPAPER 11 Using this information, security teams can create Zero Trust access policies using real-time information about workload’s runtime security, compliance status, and security posture. Identities Forrester notes that IAM is one of the least mature areas and one of the top 3 vectors for external attacks. Compromised credentials and insider threat attacks are a large and often difficult to mitigate attack surface. With compromised identities, attackers can imperson- ate employees as well as perform man-in-the-middle attacks to exploit trusted identities for their advantage. Identity is a critical component of a Zero Trust ecosystem and many organizations begin their Zero Trust journey by using identity as a lever. Identity serves as a one-to-many enforcement point for least privilege and identity and ac- cess management (IAM) remains an effective preventative control point. Identity manage- ment is complex - tracking employees, customers, partners, and service accounts across environments, each with varying levels of entitlement and privilege. Zero Trust for identity governs entitlement and provides least-privilege access policies. Rather than providing unfettered access, conditional access policies should provide the least required amount of privilege required to perform a task. Continual authentication for end-users often adds friction, so it is crucial that Zero Trust implementation automates the experience as much as possible. Common implementations of Zero Trust for identity are conditional access, single sign-on (SSO), and multi-factor authentication (MFA). These technologies should be deployed in conjunction with a formalized identity governance and entitlement access reviews to en- sure that users are not over-provisioned privileges. 
Networks Networks have evolved due to the rise of remote work, and our perception of the network perimeter has evolved as well. Managed networks are no longer contained to a single location; they exist wherever devices, cloud workloads, and mobile devices access corpo- rate resources. Previously, it was considered good practice to mirror network security after physical securi- ty. Once someone was through the front door, they could move around as needed, whether that was in the building or on the network. Now, with much of the population still distributed and working from home becoming a more permanent part of the culture, the boundary of the workplace moves from the organization’s firewall to the endpoints. This means that the assumption must always be made that any endpoint is connected via a hostile network and the operator may not be who they say they are. To operate in this environment, trust must be requested and granted on a granular scale which often means on a per application basis.
Zero Trust for network facilitates the proactive hardening of network-accessible resources and east-west traffic within the network using micro-segmentation. Logical micro-segmentation creates isolated access zones for an application and its associated hosts, peers, and services. Micro-segmentation furthers Zero Trust by limiting the ability of attackers to move laterally within the environment. If a given segment of the network is compromised, micro-segmentation will ensure that the threat actor or ransomware cannot compromise adjacent resources or services.

In a remote environment, Zero Trust Network Access (ZTNA) helps address the security of north-south traffic between the internal network and cloud-based internal resources. Zero Trust Network Access solutions inspect multiple sources of trust signals, from both endpoints and identity providers, to ensure that the request is valid before granting access to SaaS applications and corporate resources. Following the Zero Trust principles of verifying explicitly and assuming breach, the endpoint must prove that it is trustworthy to gain access. Using ZTNA with endpoints provides the means for a risk-aware network access policy.

[Figure: North-south network traffic and east-west network traffic. Labels: Internal Network, External Network, Data center.]

Additionally, Network Detection and Response (NDR) solutions provide visibility for detecting, and are an effective control point for responding to, network-borne threats. NDR solutions log, inspect, and continuously monitor all network traffic for suspicious activity. NDR solutions can help answer a broader range of questions when responding to an incident or hunting for threats, such as:
• Did another asset begin to behave strangely after communicating with the potentially compromised asset?
• What service and protocol were used?
• What other assets or accounts may be implicated?
• Has any other asset contacted the same external command-and-control IP address?
• Has the user account been used in unexpected ways on other devices?

Zero Trust powered by SentinelOne

SentinelOne’s approach to Zero Trust provides the means for security teams to continuously monitor and manage the hygiene, risk, and hardening of their entire estate as part of a Zero Trust strategy.

[Figure: Visibility, Analytics and Automation across Hygiene, Risk, and Hardening.]

[Figure: SentinelOne for Zero Trust. Endpoint: monitor, secure and enforce endpoint policy. Identity: apply least-privilege and risk-aware policy. Workload: inventory and protect multi-cloud workloads. Network: segment and control network access.]
Hygiene

Preventing, detecting, responding, and recovering from cyber threats

In a Zero Trust environment, everything is assumed to be breached, and endpoints and cloud workloads must prove otherwise. Before granting access to corporate resources, a Zero Trust solution must first check whether the device requesting access is compromised.

• SentinelOne’s patented on-endpoint Behavioral AI predicts, stops, and corrects the effects of known and unknown threats in real time. SentinelOne’s agent can be deployed across all major operating systems to monitor and continuously assess endpoint health with or without an internet connection.
• Patented 1-click remediation automates threat resolution with fully autonomous responses that trigger protective actions in real time. SentinelOne provides a clear picture of an endpoint’s health and management status, and the ability to automatically quarantine or remediate it to bring the device into compliance.
• SentinelOne Singularity Cloud provides runtime protection and EDR for virtual machines (VMs) and containerized workloads. Organizations can manage and secure hybrid, private, and multi-cloud workloads from a single console with a single agent. Workload health status is available in real time, and workloads are automatically brought back into compliance.
• Singularity Mobile brings behavioral AI-driven protection, detection, and response to iOS, Android, and ChromeOS devices. Part of the Singularity™ Platform, SentinelOne delivers mobile threat defense that is local, adaptive, and real-time, to thwart mobile malware and phishing attacks at the device, with or without a cloud connection. And because it’s mobile, data privacy is built in at every level. Singularity Mobile works with or without an MDM and integrates with all leading MDM solutions. The on-device agent provides protection and detection of both mobile malware and phishing, known or unknown, with minimal battery consumption for an optimal end-user experience.

Risk and Governance

Visualizing, managing, and mitigating risk

Making data-driven decisions is critical for security teams. Organizations need to fully understand possible risks, blind spots, and the attack surface before security policies can be effectively applied.

• With the exponential increase of connected endpoints and the often complex and varying configurations of cloud workloads, it has become difficult for organizations to understand who is inside the network and how workloads are configured compared to industry standards like CIS.
• To gain visibility into the network, SentinelOne Singularity Ranger turns endpoints into distributed network sensors that provide monitoring of the enterprise attack surface in real time. SentinelOne agents actively fingerprint and inventory all IP-enabled endpoints on the network to identify abnormal communications and open vulnerabilities.
• With Ranger, risk from devices that are not secured with SentinelOne can be mitigated by either automatically deploying an agent or isolating the device from the secured endpoints. This is how Ranger can be used to effectively reduce the attack surface.
• Singularity Conditional Policy is SentinelOne’s endpoint-centric Conditional Policy engine. Through this capability, SentinelOne empowers organizations to dynamically change security policies based on the risk level of the endpoint. With that, endpoints are no longer trusted by default but rather are continuously verified. When an incident occurs, the security policies are dynamically hardened in real time to reduce the attack surface and prevent any potential damage.

Hardening

Designing and implementing preventative measures

One of the core principles of Zero Trust is to embrace least-privilege and default-deny policies until a user can prove they require elevated privileges.

• SentinelOne inventories all locally running applications from across the endpoint fleet and uses Storyline Active Response (STAR) rules to create a default-deny policy. A default-deny policy would restrict access to only approved applications and publishers, allowing the security team to manage only by exception. This approach would significantly reduce the risk of compromise from unapproved or potentially malicious applications.
• SentinelOne’s Device Control suite helps organizations embrace a more hardened posture for data loss prevention by restricting USB, Bluetooth, and Bluetooth Low Energy communications. Admins can restrict by endpoint class (for example, USB mass storage endpoints), which dramatically reduces the potential attack surface for insider threats and data loss.
• Preserving the unchanging, immutable state of a workload is an essential control for cloud workload protection. Application Control preserves the immutable nature of the workload by employing a default-deny posture for any new code not present in the validated initial VM or container image. Not only does this harden the image itself, but it prevents attackers from executing arbitrary code that could be used for compromise or lateral movement. Additionally, cloud application access control enables default-deny policies for access to cloud workloads and services. Cloud services are denied by default, reducing the amount of shadow IT and shadow cloud usage. Only approved endpoints can access the cloud resources, and access can be managed by exception by the security team.
Singularity Marketplace

Connecting the Zero Trust Ecosystem

An effective Zero Trust framework integrates best-of-breed solutions and existing infrastructure to fill security gaps without a forklift upgrade of the security stack. SentinelOne has partnered with leading identity and network vendors to deliver validated Zero Trust solutions:

01. Network

SentinelOne’s integration with Guardicore provides centralized visibility of network activity, including network data generated from endpoints and cloud workloads. SentinelOne agents report metadata to Guardicore that creates detailed visibility and network topology in Guardicore for decision-making, forensics, and micro-segmentation policy creation. Policies can be exported from Guardicore, where they are enforced by SentinelOne’s native firewall controls. Guardicore can define segmentation and micro-segmentation policies and then use the SentinelOne APIs to enforce them on the agent.

SentinelOne’s integrations with Zscaler and Cloudflare use device signals from SentinelOne to inform Zero Trust Network Access decisions. Information about the endpoint, including whether it is managed and has a SentinelOne agent installed, is provided to Zscaler and Cloudflare. This information is combined with contextually relevant information from an identity provider to determine a point-in-time network access decision.

[Figure: Zero Trust Network Access flow. Step 1: User requests access to an application. Step 2: A ZTNA provider directs the user to an authentication page where SentinelOne evaluates device posture for policy adherence; additionally, the user’s identity and context such as geolocation and certificate are also assessed (inputs: Identity Management, Contextual Factors, Device Security Posture). Step 3: If the user’s request adheres to policy, access is granted to apps (self-hosted or SaaS) through the Zero Trust Network Access Provider.]

SentinelOne integrates with a number of NDR solutions including Vectra AI, Awake Security (Arista Networks), and Fidelis. The combination of SentinelOne’s EDR with partner NDR capabilities provides visibility, detection, and response for both managed and unmanaged endpoints. While NDR connects related network activity into a broader attack map, SentinelOne provides contextual awareness by enriching information coming from managed endpoints such as device name, last logged-in user, operating system details, and other endpoint characteristics. This provides comprehensive threat detection, rapid and effective response, endpoint containment, and forensic analysis capabilities.

02. Identity

SentinelOne integrates with Azure Active Directory to provide identity-focused Zero Trust solutions. Conditional access is a key part of Zero Trust because it helps to ensure the right user has the right access to the right resources. Enabling Conditional Access allows Azure Active Directory to make access decisions based on computed risk and preconfigured policies. When an endpoint is compromised, SentinelOne pushes this information in real time to Azure Active Directory, ensuring that the organization can leverage their conditional policy to block a user, limit the user’s access, or trigger MFA.

Additionally, SentinelOne can share identity risk information with Azure AD that is factored into conditional policy. For example, if SentinelOne detects an attack on an endpoint, it will provide the last logged-in user to Azure AD with a high user risk level. Using this information, Azure AD will enforce identity policy, such as resetting the password or blocking a user.

Finally, the risk score that Azure AD generates for a given identity can be used in SentinelOne to inform triage and investigation. Identity risk information is surfaced within the SentinelOne console and provides analysts with at-a-glance context about a given identity.

[Figure: Enforce access control requirements, and change requirements upon detection of risky events or activities. SentinelOne threat detection (phishing attack, compromised credential, lateral movement, abnormal activity) modifies user risk in Azure AD; Azure AD conditional access policy evaluates the user, related activity, location, application, type of device, and device trust level, and enforces limit access, require MFA, or block access.]
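As an added illustration (not SentinelOne’s code, nor any partner’s API), the following Python sketches the point-in-time decision that the ZTNA flow above and the Azure AD conditional access diagram describe: endpoint posture from the EDR agent, identity risk from the identity provider, and request context are combined into allow, require MFA, limit, or block, and an endpoint detection raises the last logged-in user’s risk so that the next evaluation hardens. The field names, risk levels, and rule order are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class DevicePosture:          # signals an endpoint agent would report (assumed fields)
    managed: bool
    agent_installed: bool
    active_threat: bool
    last_user: str

@dataclass
class IdentityState:          # signals an identity provider would hold (assumed fields)
    user_risk: str = "low"    # "low" | "medium" | "high"
    mfa_satisfied: bool = False
    blocked: bool = False

@dataclass
class AccessRequest:
    app: str
    location_trusted: bool

RISK_RANK = {"low": 0, "medium": 1, "high": 2}

def decide(req, device, identity, sensitive_apps=frozenset()):
    """Point-in-time decision: 'block', 'limit', 'require_mfa' or 'allow'.
    Rules run most-restrictive first, so a worse signal always wins."""
    # Assume breach: a blocked identity or an endpoint with an active threat never proceeds.
    if identity.blocked or device.active_threat:
        return "block"
    # Verify explicitly: a device that cannot prove its posture is limited to non-sensitive apps.
    if not (device.agent_installed and device.managed):
        return "block" if req.app in sensitive_apps else "limit"
    if RISK_RANK[identity.user_risk] >= RISK_RANK["high"]:
        return "block"
    # Medium identity risk or an untrusted location steps up to MFA instead of denying.
    if identity.user_risk == "medium" or not req.location_trusted:
        return "allow" if identity.mfa_satisfied else "require_mfa"
    return "allow"

def on_endpoint_threat(device, directory):
    """Endpoint detection feeds identity risk: the last logged-in user is raised to
    high risk so the conditional policy hardens on the next evaluation."""
    device.active_threat = True
    directory.setdefault(device.last_user, IdentityState()).user_risk = "high"

def walkthrough():
    """Constructed scenario: the same user before, during and after a detection on her laptop."""
    directory = {"alice": IdentityState(mfa_satisfied=True)}
    laptop = DevicePosture(managed=True, agent_installed=True, active_threat=False, last_user="alice")
    req = AccessRequest(app="payroll", location_trusted=True)
    before = decide(req, laptop, directory["alice"], {"payroll"})
    on_endpoint_threat(laptop, directory)
    during = decide(req, laptop, directory["alice"], {"payroll"})
    laptop.active_threat = False      # endpoint remediated; identity risk persists until reset
    after = decide(req, laptop, directory["alice"], {"payroll"})
    return before, during, after
```

The third result in walkthrough() shows why identity and endpoint signals are kept separate: remediating the laptop alone does not restore access until the identity risk raised by the detection is cleared.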
SentinelOne natively integrates with Okta to bring identity context and response actions directly within the Singularity XDR platform. SentinelOne consumes logs and contextual events from Okta and displays them alongside relevant endpoint detections. With identity visibility, analysts can see additional identity activity that may be relevant for an investigation. When corrective mitigation needs to take place, response actions within SentinelOne can revoke an identity or trigger MFA.

Conclusion

SentinelOne’s approach helps organizations advance Zero Trust maturity by leveraging existing endpoint, cloud workload, identity, and network security investments. With native capabilities and integrations, organizations can begin the journey to more effectively applying Zero Trust principles.

To learn more about Singularity Marketplace ecosystem partners, visit the Marketplace. To get started on your Zero Trust journey today, request a demo from a SentinelOne expert.
© SentinelOne 2021

Contact us
sales@sentinelone.com
+1-855-868-3733
sentinelone.com

About SentinelOne
More Capability. Less Complexity.
SentinelOne is pioneering the future of cybersecurity with autonomous, distributed endpoint intelligence aimed at simplifying the security stack without forgoing enterprise capabilities. Our technology is designed to scale people with automation and frictionless threat resolution. Are you ready?