Fundamentals

TA0005

Zero Trust Architecture

What Zero Trust means in practice -- the principles, microsegmentation, identity-based access, and how SOC analysts work in a Zero Trust environment versus a traditional perimeter model.

View on Graph

What Zero Trust Is and Why the Perimeter Model Is Dead

  • Zero Trust is a security model that eliminates implicit trust and requires continuous verification of every access request — every user, every device, every application, every network flow.
  • The foundational principle: “Never trust, always verify.” Traditional security relied on a hard perimeter — a firewall separating the trusted internal network from the untrusted internet.
  • If you were inside the firewall, you were trusted by default.
  • This model is broken because: (1) Users work from anywhere — VPNs extend the perimeter without verifying device posture. (2) Cloud applications live outside the perimeter. (3) Attackers who breach the perimeter have unfettered lateral movement. (4) Zero trust removes the concept of “inside” entirely.

The Core Principles of Zero Trust

PrincipleWhat It MeansHow It Affects SOC Operations
Continuous verificationEvery access request is authenticated and authorized, not just the initial loginYou investigate access events, not trust zones. “Was this request authorized for this identity at this time?” replaces “Was this from inside the network?”
Least-privilege accessUsers get only the minimum access needed for their role, for the minimum time neededA compromised user account has limited blast radius. Lateral movement requires privilege escalation, which is detectable.
Assume breachDesign the network assuming an attacker is already presentYou monitor east-west traffic, not just north-south. Every connection is suspect until proven authorized.
MicrosegmentationNetwork segments are isolated — traffic between segments requires explicit authorizationLateral movement becomes visible. An attacker can no longer freely scan and pivot between segments.
Device trustAccess is granted based on device health, not just user identityAn unpatched device or a device without EDR cannot access sensitive resources even if the user is authorized.

How SOC Investigation Changes Under Zero Trust

Old Model: Was This from Inside the Network?

[Alert: Lateral movement detected from 10.0.1.50 to 10.0.2.100]
Investigation path:
1. Check if the source IP is inside the corporate network → Yes
2. Allow — internal traffic is implicitly trusted
3. No further investigation

This model missed every insider threat and every attacker who breached the perimeter. The “trusted network” was a monolith — once inside, attackers moved freely.

Zero Trust Model: Was This Access Authorized?

[Alert: Resource access from identity jdoe to server db-prod-01]
Investigation path:
1. Check if jdoe is authorized to access db-prod-01 → Check policy
2. Check jdoe's device posture → Device health score, EDR status
3. Check request attributes → Time, location, protocol
4. Check session behavior → Is this a human or automated pattern?
5. If any check fails: deny access and alert

Specific Investigation Changes

Investigation TypeTraditional ApproachZero Trust Approach
User account investigation”Where did the user log in from?""What resources did the user access? What was each access request’s risk score?”
Endpoint investigation”Is the host inside the network?""What is the device’s health score? Is it compliant? What is its recent authentication history?”
Lateral movement detection”Is traffic between internal IPs?""Is this traffic authorized by the microsegmentation policy? Was it explicitly permitted?”
Data access investigation”Who accessed the file share?""Who accessed which files, from which device, using which application, at which time?”
Privilege escalation detection”Did the user get admin access?""Did the user request admin access? Was it granted with just-in-time approval? Was MFA required?”

Key Monitoring Changes

What You Used to MonitorWhat You Monitor Now in Zero Trust
North-south firewall logsEast-west traffic between segments + all identity provider access logs
VPN connection logsPer-request authentication logs from the identity provider
Failed login attempts across the perimeterFailed authorization requests — an authorized user failing to access a specific resource
Intrusion detection on ingress trafficPolicy enforcement logs — “deny” events from the Zero Trust policy engine
Antivirus/EDR per endpointContinuous device posture assessment — device health score changes
Static network segmentation (VLANs)Dynamic, identity-based microsegmentation

Detection — Investigating in a Zero Trust Environment

Log Sources That Replace Traditional Network Monitoring

Zero Trust Log SourceWhat It RevealsLegacy Equivalent
Identity provider (IdP) logs (Azure AD, Okta)Every authentication request, MFA status, risk score, device usedN/A — no legacy equivalent
Policy engine logs (BeyondCorp, Zscaler, Cloudflare Access)Every access decision, policy applied, reason for allow/denyFirewall permit/deny logs (but contextual, not IP-based)
Device posture logs (EDR, MDM, device compliance)Device health score over time, OS patch status, EDR running/stoppedAV/EDR (but not integrated with access decisions)
API gateway logsEvery API call, authentication method, rate limit hitsN/A — API traffic was invisible
East-west netflowTraffic between segments — authorized and unauthorizedInternal network flow logs (but without segment context)

Zero Trust Alert Triage — Understanding the Kill Chain in Zero Trust

AlertZero Trust InvestigationEscalation Criteria
User denied access to sensitive resourceCheck IdP logs: was the user’s device compromised? Was the user’s risk score elevated? Did they fail MFA?If device non-compliant AND MFA failed — lock account
Device health score droppedCheck EDR: is the device compromised? Check MDM: is it jailbroken, unpatched, missing AV?If EDR detects malware — isolate device
Unusual resource access patternUser accessing resources they have never accessed before, from a new location — a key indicator (IoC)Check with manager, review if role changed
Privilege escalation via JIT approvalUser requested admin access via just-in-time system and was approvedVerify the JIT request was legitimate (ticket, justification)
Lateral movement attempt blockedMicrosegmentation denied traffic between segments that is not authorizedCheck source and target: was network recon active? Investigate source host.

Building Zero Trust as an Analyst — What to Look For

When evaluating whether your organization’s Zero Trust implementation is effective:

  1. Can a compromised workstation reach the domain controller? If yes, you are not microsegmented. The attacker can still move laterally using legitimate credentials.
  2. Can a contractor access HR files? If the identity provider does not differentiate between employee and contractor access at the application level, you are not identity-segmented.
  3. Does a user’s device health score affect access? If any device can access any application as long as the user has valid credentials, device trust is not enforced.
  4. Can an admin access sensitive data on a Friday night without approval? If just-in-time (JIT) admin access is not required, privilege is not scoped.
  5. Are you alerted when a denied access event occurs? Zero trust generates a lot of deny events — but not all are security-relevant. Tune to distinguish reconnaissance (many denys from one source) from accidental misconfiguration (single denys).

Sources