Fundamentals
TA0005Zero Trust Architecture
What Zero Trust means in practice -- the principles, microsegmentation, identity-based access, and how SOC analysts work in a Zero Trust environment versus a traditional perimeter model.
View on Graph
What Zero Trust Is and Why the Perimeter Model Is Dead
- Zero Trust is a security model that eliminates implicit trust and requires continuous verification of every access request — every user, every device, every application, every network flow.
- The foundational principle: “Never trust, always verify.” Traditional security relied on a hard perimeter — a firewall separating the trusted internal network from the untrusted internet.
- If you were inside the firewall, you were trusted by default.
- This model is broken because: (1) Users work from anywhere — VPNs extend the perimeter without verifying device posture. (2) Cloud applications live outside the perimeter. (3) Attackers who breach the perimeter have unfettered lateral movement. (4) Zero trust removes the concept of “inside” entirely.
The Core Principles of Zero Trust
| Principle | What It Means | How It Affects SOC Operations |
|---|---|---|
| Continuous verification | Every access request is authenticated and authorized, not just the initial login | You investigate access events, not trust zones. “Was this request authorized for this identity at this time?” replaces “Was this from inside the network?” |
| Least-privilege access | Users get only the minimum access needed for their role, for the minimum time needed | A compromised user account has limited blast radius. Lateral movement requires privilege escalation, which is detectable. |
| Assume breach | Design the network assuming an attacker is already present | You monitor east-west traffic, not just north-south. Every connection is suspect until proven authorized. |
| Microsegmentation | Network segments are isolated — traffic between segments requires explicit authorization | Lateral movement becomes visible. An attacker can no longer freely scan and pivot between segments. |
| Device trust | Access is granted based on device health, not just user identity | An unpatched device or a device without EDR cannot access sensitive resources even if the user is authorized. |
How SOC Investigation Changes Under Zero Trust
Old Model: Was This from Inside the Network?
[Alert: Lateral movement detected from 10.0.1.50 to 10.0.2.100]
Investigation path:
1. Check if the source IP is inside the corporate network → Yes
2. Allow — internal traffic is implicitly trusted
3. No further investigation
This model missed every insider threat and every attacker who breached the perimeter. The “trusted network” was a monolith — once inside, attackers moved freely.
Zero Trust Model: Was This Access Authorized?
[Alert: Resource access from identity jdoe to server db-prod-01]
Investigation path:
1. Check if jdoe is authorized to access db-prod-01 → Check policy
2. Check jdoe's device posture → Device health score, EDR status
3. Check request attributes → Time, location, protocol
4. Check session behavior → Is this a human or automated pattern?
5. If any check fails: deny access and alert
Specific Investigation Changes
| Investigation Type | Traditional Approach | Zero Trust Approach |
|---|---|---|
| User account investigation | ”Where did the user log in from?" | "What resources did the user access? What was each access request’s risk score?” |
| Endpoint investigation | ”Is the host inside the network?" | "What is the device’s health score? Is it compliant? What is its recent authentication history?” |
| Lateral movement detection | ”Is traffic between internal IPs?" | "Is this traffic authorized by the microsegmentation policy? Was it explicitly permitted?” |
| Data access investigation | ”Who accessed the file share?" | "Who accessed which files, from which device, using which application, at which time?” |
| Privilege escalation detection | ”Did the user get admin access?" | "Did the user request admin access? Was it granted with just-in-time approval? Was MFA required?” |
Key Monitoring Changes
| What You Used to Monitor | What You Monitor Now in Zero Trust |
|---|---|
| North-south firewall logs | East-west traffic between segments + all identity provider access logs |
| VPN connection logs | Per-request authentication logs from the identity provider |
| Failed login attempts across the perimeter | Failed authorization requests — an authorized user failing to access a specific resource |
| Intrusion detection on ingress traffic | Policy enforcement logs — “deny” events from the Zero Trust policy engine |
| Antivirus/EDR per endpoint | Continuous device posture assessment — device health score changes |
| Static network segmentation (VLANs) | Dynamic, identity-based microsegmentation |
Detection — Investigating in a Zero Trust Environment
Log Sources That Replace Traditional Network Monitoring
| Zero Trust Log Source | What It Reveals | Legacy Equivalent |
|---|---|---|
| Identity provider (IdP) logs (Azure AD, Okta) | Every authentication request, MFA status, risk score, device used | N/A — no legacy equivalent |
| Policy engine logs (BeyondCorp, Zscaler, Cloudflare Access) | Every access decision, policy applied, reason for allow/deny | Firewall permit/deny logs (but contextual, not IP-based) |
| Device posture logs (EDR, MDM, device compliance) | Device health score over time, OS patch status, EDR running/stopped | AV/EDR (but not integrated with access decisions) |
| API gateway logs | Every API call, authentication method, rate limit hits | N/A — API traffic was invisible |
| East-west netflow | Traffic between segments — authorized and unauthorized | Internal network flow logs (but without segment context) |
Zero Trust Alert Triage — Understanding the Kill Chain in Zero Trust
| Alert | Zero Trust Investigation | Escalation Criteria |
|---|---|---|
| User denied access to sensitive resource | Check IdP logs: was the user’s device compromised? Was the user’s risk score elevated? Did they fail MFA? | If device non-compliant AND MFA failed — lock account |
| Device health score dropped | Check EDR: is the device compromised? Check MDM: is it jailbroken, unpatched, missing AV? | If EDR detects malware — isolate device |
| Unusual resource access pattern | User accessing resources they have never accessed before, from a new location — a key indicator (IoC) | Check with manager, review if role changed |
| Privilege escalation via JIT approval | User requested admin access via just-in-time system and was approved | Verify the JIT request was legitimate (ticket, justification) |
| Lateral movement attempt blocked | Microsegmentation denied traffic between segments that is not authorized | Check source and target: was network recon active? Investigate source host. |
Building Zero Trust as an Analyst — What to Look For
When evaluating whether your organization’s Zero Trust implementation is effective:
- Can a compromised workstation reach the domain controller? If yes, you are not microsegmented. The attacker can still move laterally using legitimate credentials.
- Can a contractor access HR files? If the identity provider does not differentiate between employee and contractor access at the application level, you are not identity-segmented.
- Does a user’s device health score affect access? If any device can access any application as long as the user has valid credentials, device trust is not enforced.
- Can an admin access sensitive data on a Friday night without approval? If just-in-time (JIT) admin access is not required, privilege is not scoped.
- Are you alerted when a denied access event occurs? Zero trust generates a lot of deny events — but not all are security-relevant. Tune to distinguish reconnaissance (many denys from one source) from accidental misconfiguration (single denys).
Related
- Zero Day & CVE Response — detection and response for T1588.006 techniques
- Active Directory Basics — covers the active directory basics concepts
- AWS Misconfigurations — detection and response for T1525, T1613 techniques
