Intermediate

Zero Trust: Network Security

Secure remote access is the capability that allows users to connect to network resources safely from remote locations. It has become critical as remote work and telecommuting have become...

Table of Contents

Module 1: Network Segmentation and Micro-Segmentation

Foundations of Network Segmentation

Network segmentation is the practice of dividing a large, flat network into smaller, more manageable segments so that fine-grained access controls can be applied to each one. This is a foundational technique for Zero Trust network security, because it directly limits how far an attacker can move once they gain a foothold anywhere in the environment.

The core benefits of network segmentation are:

  • Reducing the attack surface. By dividing a network into smaller segments, the number of pathways available to an attacker is limited. If one segment is compromised, the attacker cannot easily move laterally into other segments. For example, if a user’s workstation is infected with malware, proper segmentation ensures that workstation cannot reach critical database servers holding sensitive information — the compromise is contained and the blast radius of the incident is minimized.
  • Simplifying network management. Isolating segments means that problems occurring in one segment do not spill over into others. An issue on a printer network, for instance, can be resolved without affecting the HR network or any other department. This makes troubleshooting more straightforward and allows maintenance or updates to be performed in one segment without disrupting the rest of the organization.
  • Improving performance and compliance. Segmenting traffic — for example, separating guest Wi-Fi from the internal corporate network — ensures guest traffic does not interfere with business operations, giving both guests and employees a smoother experience. Segmentation is also frequently mandated by regulators, who require that sensitive data be isolated and access-controlled. By ensuring sensitive data is only reachable from specific, authorized segments, organizations can maintain compliance with industry standards and legal requirements.
flowchart LR
    subgraph Flat["Flat Network (No Segmentation)"]
        FA[Guest Device] --- FB[Employee Workstation]
        FB --- FC[File Server]
        FC --- FD[Database Server]
        FA --- FD
    end

    subgraph Segmented["Segmented Network"]
        direction TB
        subgraph SegGuest["Guest Segment"]
            GA[Guest Device]
        end
        subgraph SegEmployee["Employee Segment"]
            EA[Employee Workstation]
        end
        subgraph SegData["Data Segment"]
            DA[File Server]
            DB[Database Server]
        end
        SegGuest -.->|Blocked| SegData
        SegEmployee -->|Controlled Access| SegData
    end

Two real-world scenarios illustrate the value of segmentation:

  • Retail point-of-sale (POS) isolation. A retail company isolates its POS segment from both the guest Wi-Fi and general employee networks. If the guest Wi-Fi is compromised, the attacker cannot reach the POS systems that handle credit card transactions. This isolation protects customer payment data and helps the company meet Payment Card Industry Data Security Standard (PCI DSS) requirements.
  • University student vs. faculty separation. A university segments student network access from faculty access. If a student’s device becomes infected with malware, segmentation ensures the infection cannot spread to faculty systems, which may hold sensitive research data. This protects both security and the overall user experience for each population.

Micro-Segmentation Principles and Implementation

Micro-segmentation is a more granular technique within the Zero Trust framework. While traditional segmentation divides a network into large, broad segments (often mapped to departments or physical areas), micro-segmentation creates much smaller, more specific segments defined by detailed policy — down to the level of individual users, applications, or workloads.

Micro-segmentation is central to enforcing the Zero Trust principle of “never trust, always verify”: every request to access a network resource must be authenticated and authorized regardless of where it originates, and micro-segmentation ensures that even users within the same broad network segment have access strictly limited to only what is necessary for their role.

Two common patterns illustrate this:

  • User-based policies. In a traditional segmented network, an entire department might share access to the same set of resources. With micro-segmentation, access is tailored to the individual, based on specific role and responsibility. For example, an HR manager and an HR intern on the same team will have different access privileges — the manager can reach sensitive employee data, while the intern’s access is limited to less sensitive information.
  • Application-level segmentation. Segments can be built around specific applications rather than broad network areas. A company’s payroll system, for example, can be segmented away from its email system. Even if an attacker compromises the email system, application-level segmentation prevents them from reaching the payroll system and its sensitive financial data.
flowchart TB
    U1[HR Manager] -->|Full Access| HRSensitive[Sensitive Employee Records]
    U2[HR Intern] -->|Limited Access| HRGeneral[General HR Information]
    U2 -.->|Denied| HRSensitive

    subgraph AppSeg["Application-Level Segmentation"]
        Payroll[Payroll System]
        Email[Email System]
    end
    Attacker((Attacker via Email Compromise)) -->|Access Gained| Email
    Attacker -.->|Blocked| Payroll

A practical example: a financial institution implements micro-segmentation to protect customer data by creating micro-segments for different applications, such as customer relationship management (CRM) systems, transaction-processing systems, and core financial systems. Each segment is isolated and access-controlled — customer service staff can reach the CRM system but not the transaction-processing system — so that even if one segment is compromised, the others remain secure. Because micro-segmentation is dynamic and adaptive, if a user’s role changes, the access controls automatically adjust to reflect the new role, unlike the static rules typical of traditional segmentation.

Implementing micro-segmentation involves five steps:

  1. Identify assets and resources. Catalog all devices, applications, and data within the network.
  2. Define security policies. Develop detailed policies based on roles, applications, and data sensitivity.
  3. Segment the network. Create micro-segments based on the defined policies.
  4. Enforce access controls. Implement fine-grained access controls for each segment.
  5. Monitor and adjust. Continuously monitor the network and adjust policies as threats and organizational needs evolve.
sequenceDiagram
    participant Admin as Security Team
    participant Assets as Asset Inventory
    participant Policy as Policy Engine
    participant Network as Micro-segmented Network
    participant Monitor as Monitoring System

    Admin->>Assets: 1. Identify and catalog assets/resources
    Admin->>Policy: 2. Define security policies by role/app/data sensitivity
    Policy->>Network: 3. Create micro-segments from policies
    Policy->>Network: 4. Enforce fine-grained access controls
    Network->>Monitor: 5. Continuously monitor traffic
    Monitor-->>Policy: Feedback loop - adjust policies as threats evolve

An illustrative micro-segmentation policy, expressed as a declarative rule set (representative of the kind of policy-as-code used by micro-segmentation platforms), might look like this:

# Illustrative micro-segmentation policy definition
micro_segments:
  - name: finance-applications
    members:
      - role: finance-personnel
    allowed_destinations:
      - segment: finance-database
        ports: [1433]
    encryption: required-in-transit-and-at-rest

  - name: hr-sensitive-records
    members:
      - role: hr-manager
    allowed_destinations:
      - segment: hr-database
        ports: [5432]
    denied_roles:
      - hr-intern

  - name: it-admin-tools
    members:
      - role: system-administrator
    allowed_destinations:
      - segment: server-management
        ports: [22, 443]
    denied_roles:
      - it-support-staff

Micro-Segmentation vs Traditional Segmentation

Traditional segmentation typically divides a network into larger segments based on organizational departments or functional areas, most commonly implemented using virtual local area networks (VLANs). For example, a corporate network might have separate VLANs for Finance, HR, and IT. Each VLAN provides a basic level of isolation — traffic within a segment is contained and does not directly interfere with other segments — but the controls within a VLAN tend to be broad rather than granular. If the IT department has its own VLAN, everyone in that VLAN may still have broad access to all resources within it. If an attacker compromises just one set of credentials inside that VLAN, they can potentially reach everything else in the segment.

Micro-segmentation takes a much more granular approach, applying detailed, specific access-control policies within each segment — based on user role, application, or even data type — rather than only segmenting by department. Within the same IT department, for example, system administrators can be given full server-management access while IT support staff are limited to user-support tools only. This enforces the principle of least privilege, where users only have access to what is strictly necessary for their job function.

AspectTraditional Segmentation (e.g. VLANs)Micro-Segmentation
GranularityBroad (department/function-level)Fine-grained (user, application, or workload-level)
Basis for segmentsOrganizational structure, physical/logical network areasDetailed policy: role, application, data sensitivity
Access controls within a segmentBroad — most members share similar accessHighly specific — access tailored per user/role
AdaptabilityStatic rules; changes are cumbersome and error-proneDynamic — policies adjust automatically as roles change
Zero Trust alignmentPartial — assumes intra-segment trustStrong — enforces “never trust, always verify” everywhere
Typical technologyVLANs, subnetting, firewalls at segment boundariesIdentity-aware policy engines, software agents, SDN overlays
flowchart TB
    subgraph Traditional["Traditional VLAN Segmentation"]
        direction TB
        ITVLAN["IT VLAN"]
        SysAdmin1[System Admin]
        Support1[IT Support Staff]
        SysAdmin1 --- ITVLAN
        Support1 --- ITVLAN
        ITVLAN -->|Broad access to all IT VLAN resources| Servers1[Servers & Config Tools]
    end

    subgraph MicroSeg["Micro-Segmentation"]
        direction TB
        SysAdmin2[System Admin] -->|Full access| Servers2[Servers & Config Tools]
        Support2[IT Support Staff] -->|Limited access| Tools2[User Support Tools Only]
        Support2 -.->|Denied| Servers2
    end

Implementing micro-segmentation, as a repeatable process, follows the same five steps introduced earlier: identify and classify assets, define security policies, create micro-segments, enforce access controls, and continuously monitor and adjust.

Applied exercise — building a micro-segmentation plan. Consider a medium-sized organization with five departments: Finance, HR, IT, Sales, and Marketing, each with its own applications, data, and resources.

  1. Identify critical segments. Create segments aligned to departments: Finance (financial applications, databases, sensitive data), HR (employee records, confidential personnel information), IT (management tools, servers, network infrastructure), Sales (CRM tools, sales data, communication tools), and Marketing (marketing automation tools).
  2. Apply fine-grained access controls. For Finance, only authorized finance personnel can access financial applications and data, and encryption is applied to financial data both in transit and at rest. For IT, management tools and servers are segmented from the rest of the network, and only IT administrators can reach critical cloud components. For Sales, CRM access is limited to sales personnel and managers only.
  3. Monitor and adjust. Continuously review access logs, monitor network traffic, and update access policies to respond to changing threats and organizational needs — micro-segmentation is an ongoing process, not a one-time project.

The outcome of following these steps is a set of isolated segments with detailed access controls that protect each department’s resources from unauthorized access, meaningfully reducing the risk of a breach.

Case Studies: Micro-Segmentation in Healthcare

Case Study 1 — Interfaith Medical Center

  • Challenge: The hospital faced difficulty managing its wired infrastructure, securing patient information, and keeping network management simple. A growing number of connected medical devices added complexity and heightened security risk.
  • Solution: The hospital partnered with a network vendor to implement a Zero Trust environment using micro-segmentation, isolating different network segments and applying strict access controls based on the identity of devices and users, so that only authorized and authenticated personnel could communicate with the network.
  • Outcome: Micro-segmentation significantly improved patient safety by reducing the risk of data breaches and unauthorized access to medical devices, while the Zero Trust environment simplified overall network management, monitoring, and traffic control.

Case Study 2 — Bupa Cromwell Hospital

  • Challenge: This London facility needed to enhance its cybersecurity posture against a new wave of threats specifically targeting unmanaged medical devices running on legacy systems. These devices often lack traditional IT security controls, creating significant ransomware and cyberattack risk.
  • Solution: The hospital partnered with two vendors: one providing identity-based micro-segmentation (allowing fine-grained access controls without additional hardware or network downtime), and the other providing device discovery and risk-assessment capabilities that integrated with the micro-segmentation platform.
  • Outcome: The combined solution delivered real-time visibility into medical devices, ongoing vulnerability assessment, and enforcement of robust security policies. The identity-based approach ensured only authorized personnel and devices could access critical network segments, meaningfully enhancing the hospital’s overall cybersecurity posture.
flowchart TB
    subgraph Bupa["Bupa Cromwell Hospital Architecture"]
        MedDevice[Unmanaged Legacy Medical Device] --> Discovery[Device Discovery & Risk Assessment Platform]
        Discovery --> IdentitySeg[Identity-Based Micro-Segmentation Platform]
        IdentitySeg -->|Authorized Only| CriticalSeg[Critical Network Segment]
        IdentitySeg -.->|Blocked| CriticalSeg
        Discovery --> RiskDash[Real-Time Visibility & Vulnerability Dashboard]
    end
QuestionAnswer
What were the main security challenges faced by Bupa Cromwell Hospital?Protecting unmanaged, legacy medical devices lacking traditional IT security controls, and mitigating ransomware risk.
How did micro-segmentation address these challenges?Identity-based micro-segmentation provided fine-grained access controls so only authorized personnel and devices could reach critical network segments.
What were the outcomes of the implementation?Real-time visibility into medical devices, ongoing vulnerability assessment, enforced security policies, improved operational efficiency, and better regulatory compliance.

Knowledge Check: Module 1 Quiz

#QuestionAnswer
1What is the primary benefit of network segmentation?Reduces the attack surface.
2What is a key advantage of micro-segmentation over traditional segmentation?Detailed, specific access policies.
3Which technique applies fine-grained access controls within network segments?Micro-segmentation.
4What is a typical outcome of implementing a Zero Trust environment using micro-segmentation?Simplified network management.
5In the Bupa Cromwell Hospital case study, what two capabilities were combined to enhance security?Identity-based micro-segmentation and device discovery/risk assessment.

Module 2: Secure Remote Access Technologies

Introduction to Secure Remote Access and Zero Trust

Secure remote access is the capability that allows users to connect to network resources safely from remote locations. It has become critical as remote work and telecommuting have become the norm. Secure remote access creates an encrypted connection between the remote user’s device and the organization’s network, protecting the confidentiality, integrity, and availability of organizational data and systems even when accessed from outside the traditional network perimeter.

Within a Zero Trust security model, secure remote access is essential to enforcing “never trust, always verify” — every access request must be authenticated and authorized regardless of whether it originates from inside or outside the network. Zero Trust also emphasizes continuous verification: even after access is granted, monitoring and re-evaluation of access permissions must continue for the duration of the session.

Three technology categories provide secure remote access, each with distinct strengths:

  • VPNs (Virtual Private Networks): create an encrypted tunnel between a remote device and the organization’s network, protecting data from eavesdropping and interception, widely used for reaching internal resources such as file servers, databases, and applications.
  • ZTNA (Zero Trust Network Access): an access-control approach that enforces strict identity verification for every user and device attempting to reach resources on a private network, without assuming that users inside a traditional network perimeter are inherently trustworthy.
  • SDP (Software-Defined Perimeter): a security framework that dynamically creates secure, encrypted connections between users and the resources they need, hiding resources from unauthorized users so they are invisible and inaccessible until the user is authenticated and authorized.
mindmap
  root((Secure Remote Access))
    VPN
      Encrypted tunnel
      Site-to-site & client access
      Legacy, widely deployed
    ZTNA
      Per-request identity verification
      No implicit perimeter trust
      Continuous session evaluation
    SDP
      Dynamic, encrypted point-to-point connections
      Resources invisible until authenticated
      Controller + gateway architecture

Virtual Private Networks: Capabilities and Limitations

A VPN creates an encrypted connection — often called a tunnel — over the internet between a remote device and the organization’s network, so that data transmitted between the device and the network is secured against eavesdropping and interception. VPNs are widely used to give remote users access to internal resources (file servers, databases, applications) as if they were physically on-site.

sequenceDiagram
    participant User as Remote User Device
    participant Internet
    participant VPNGW as VPN Gateway
    participant Net as Internal Network

    User->>VPNGW: Establish encrypted tunnel (handshake + auth)
    VPNGW-->>User: Tunnel established
    User->>Internet: Encrypted traffic
    Internet->>VPNGW: Encrypted traffic (opaque to eavesdroppers)
    VPNGW->>Net: Decrypted traffic delivered to internal resource
    Net-->>User: Response routed back through the tunnel
AdvantagesLimitations
Secures data transmission over the internet through encryption, protecting login credentials, financial data, and confidential communications.Can introduce latency, especially when the VPN server is geographically distant or when internet speed/capacity is constrained.
Protects against eavesdropping, particularly important on unsecured public Wi-Fi networks.Poses a significant security risk if not properly managed — outdated VPN software or weak authentication can leave the network vulnerable.
Enables remote users to access internal resources seamlessly, as if physically on-site.If an attacker compromises a device connected to the VPN, they could potentially reach the internal network and its resources.
Requires strong compensating controls (multi-factor authentication, regular software updates, strict access policies) to mitigate the above risks.

Demo: Configuring a Basic VPN

The following walkthrough reconstructs a hands-on demonstration comparing two VPN client solutions — one open-source and one closed-source/paid — to illustrate how simple it is to stand up a basic VPN.

Setup:

  1. Download and install the VPN client executable/binary to a local workstation. This was repeated for two separate solutions to compare the experience of an open-source vs. a paid offering.

Solution A — a paid/closed-source client (bundled with a password manager subscription in this walkthrough):

  • Network preferences: choose to trust Ethernet over specific ports/protocols, and optionally trust cellular networks; list out specific networks if multiple exist within the home or business.
  • Transport selection: choose “Fastest Available” for general use, or select a specific region to host the VPN connection from, depending on the intended use case.
  • Updates: configure automatic update checks (daily/weekly/monthly) and optionally opt in to beta updates.
  • Support tab: available for troubleshooting issues.
  • Advanced settings: a simple DNS leak protection toggle.
  • Operation: the VPN is toggled on/off via a small system-tray icon; there are no additional per-session controls beyond that toggle.

Solution B — OpenVPN (open-source):

  • Startup behavior: choose whether the client starts automatically with the operating system.
  • Language and logging preferences: configure UI language and logging/connection-type verbosity.
  • Proxy settings: configure an HTTP or SOCKS proxy if required by the network environment.
  • Advanced settings: configure log file storage/location and script timeouts.
  • Operation: once connected (“OK” selected), the tunnel is active; it is disabled the same way, via the system-tray icon.
flowchart TB
    Start([Download VPN client installer]) --> Install[Install client on workstation]
    Install --> Config{Configure client}
    Config --> NetPrefs[Set network preferences: trusted networks/ports]
    Config --> Transport[Select transport/server region]
    Config --> Proxy[Configure proxy settings, if required]
    Config --> Advanced[Configure DNS leak protection / logging / timeouts]
    NetPrefs --> Toggle[Toggle VPN ON via system tray]
    Transport --> Toggle
    Proxy --> Toggle
    Advanced --> Toggle
    Toggle --> Encrypted[All traffic now encrypted through the tunnel]

This demo highlights a key operational point: regardless of vendor, a basic VPN client reduces to a handful of configuration screens (network trust, transport/region, proxy, and logging/DNS-leak protection) and a single on/off toggle — the security value comes from ensuring strong authentication and keeping the client and server software current, not from the simplicity of the UI.

Zero Trust Network Access (ZTNA)

ZTNA is an access-control approach that enforces strict identity verification for every user and device attempting to access resources on a private network. Unlike traditional models that assume users within the network perimeter are trustworthy, ZTNA assumes no user or device is inherently trusted, whether inside or outside the network.

Key advantages of ZTNA:

  • Fine-grained access control: policies can be based on user role, device security posture, and the sensitivity of the resource being accessed, ensuring users only reach what is necessary for their job function.
  • Enhanced security posture: continuous verification of user and device identity means that even if credentials are compromised, additional layers — MFA, contextual access policies — help prevent unauthorized access.
  • Continuous verification of identity: access decisions are not based solely on the initial authentication event; identity, behavior, and context are continuously evaluated throughout the session.

Implementing ZTNA involves three steps:

  1. Identify and classify resources. Catalog applications, data, devices, and services that need protection, and understand the sensitivity/criticality of each.
  2. Define access policies. Determine who can access which resources, under which conditions — based on role, device security posture, location, time of access, and resource sensitivity. For example, a finance user might be allowed to reach financial data only from a corporate device that meets defined security standards.
  3. Implement continuous monitoring. Monitor user activity, device health, and access patterns in real time to detect anomalies. If unusual behavior is detected — such as an attempt to access sensitive data from an unfamiliar location — the system can prompt additional verification or revoke access outright.
flowchart TB
    Req[Access Request] --> Identify[1. Identify & classify the requested resource]
    Identify --> Policy[2. Evaluate access policy: role, device posture, location, time, sensitivity]
    Policy -->|Meets policy| Grant[Grant scoped access]
    Policy -->|Fails policy| Deny[Deny access]
    Grant --> Monitor[3. Continuous monitoring of session/device/behavior]
    Monitor -->|Anomaly detected| StepUp[Prompt step-up verification or revoke access]
    Monitor -->|Normal| Grant

Software-Defined Perimeters (SDPs)

A Software-Defined Perimeter is a security framework that dynamically creates secure, encrypted connections between authenticated users and the resources they need to access. SDPs operate on the principle of making resources invisible to unauthorized users, reducing the attack surface by hiding critical assets until a user is authenticated and authorized.

Practical example: a manufacturing company needs to provide secure remote access to its production management system for remote employees. By implementing an SDP, only authenticated users can access the production system, and all connections are encrypted.

Advantages of SDPs:

  • Enhanced security through obscurity: hiding network resources from unauthorized users prevents attackers from discovering and directly targeting them.
  • Dynamic and scalable access controls: access policies can be adjusted easily as needs and threats change, supporting a modern, dynamic workforce.
  • Reduced attack surface: by exposing resources only to authenticated users, SDPs significantly reduce the number of potential entry points for attackers.

Implementing an SDP involves three steps:

  1. Identify users and devices — employees, contractors, and other authorized users, along with the devices they use.
  2. Define security policies — who can do what, under which conditions, using which devices.
  3. Deploy SDP controllers and gateways — controllers authenticate users and devices and determine which resources they may access, establishing a secure encrypted connection; gateways act as intermediaries, ensuring only authenticated and authorized traffic reaches protected resources.
sequenceDiagram
    participant U as User/Device
    participant C as SDP Controller
    participant G as SDP Gateway
    participant R as Protected Resource

    U->>C: Request access (identity + device posture)
    C->>C: Authenticate & authorize against policy
    alt Authorized
        C->>G: Instruct gateway to permit and establish connection
        G->>R: Establish encrypted point-to-point connection
        R-->>U: Resource reachable (previously invisible)
    else Not authorized
        C-->>U: Connection refused; resource remains invisible
    end

Case Studies: Fortinet and Organogenesis

Case Study 1 — Fortinet

  • Challenge: Securing remote access for a distributed workforce that needed to reach sensitive internal resources from various locations, while enhancing security and simplifying access management.
  • Solution: A combination of ZTNA and SDP. ZTNA enforced strict identity verification for every user and device; SDP further enhanced security by making resources invisible to unauthorized users and dynamically creating secure, encrypted connections.
  • Outcome: Significantly enhanced security posture, with tightly controlled, fine-grained access policies ensuring only authorized users could reach sensitive data and applications — a secure, scalable remote-access solution supporting the distributed workforce.

Case Study 2 — Organogenesis

  • Challenge: Replace an existing employee access solution with a more advanced ZTNA solution, providing more robust security for remote access, internet access, and secure non-VPN connectivity for third parties — addressing security-risk concerns within a short timeframe.
  • Solution: Partnered with a specialized security-solutions provider to implement ZTNA. The project included a plan, budget, and timeline aligned to organizational objectives, coordinated between internal security staff and third-party vendors.
  • Outcome: Advanced ZTNA provided secure remote access for employees and third parties without relying on VPNs, improving overall security and continuous monitoring while addressing the highest-risk groups first, in a phased approach, within the specified timeframe.
flowchart TB
    subgraph Fortinet["Fortinet: Combined ZTNA + SDP"]
        FUser[Distributed Workforce] --> FZTNA[ZTNA: Identity Verification]
        FZTNA --> FSDP[SDP: Dynamic Encrypted Connection]
        FSDP --> FRes[Sensitive Internal Resources]
    end

    subgraph Organogenesis["Organogenesis: Phased ZTNA Rollout"]
        direction TB
        Phase1[Phase 1: Highest-risk user groups] --> Phase2[Phase 2: Remaining employees]
        Phase2 --> Phase3[Phase 3: Third-party/vendor access, non-VPN]
        Phase3 --> Monitor2[Continuous monitoring across all phases]
    end
AspectFortinetOrganogenesis
Primary driverSecure a distributed workforceReplace legacy access solution, remove VPN dependency for third parties
Technology combinationZTNA + SDPZTNA, phased rollout
Key differentiatorResources made invisible via SDP in addition to ZTNA identity checksCoordinated internal/third-party rollout under a tight timeline
OutcomeSecure, scalable remote access for a distributed workforceSecure non-VPN third-party connectivity, risk mitigated on schedule

Analyzing the Organogenesis Implementation

Reviewing the Organogenesis case in more depth surfaces both benefits and challenges that generalize well to other organizations undertaking a ZTNA migration.

Benefits realized:

  • Enhanced security for both remote access and general internet access.
  • Secure, non-VPN connectivity options for third parties.
  • Continuous monitoring and strict access controls throughout.
  • Outstanding security risks addressed within a short timeframe.

Challenges encountered:

  • Coordinating activities between internal security teams and third-party vendors.
  • Managing the project against tight timelines.
  • Ensuring executive (CIO-level) buy-in and support for the new solution.

Key takeaways applicable to other organizations:

  • The importance of thorough planning and stakeholder engagement.
  • The need for ongoing monitoring and policy adjustment after go-live.
  • The value of partnering with a specialized security-solutions provider rather than attempting a fully in-house build.
QuestionAnswer
What was the main security challenge Organogenesis faced?Needing to replace its existing employee access solution with a more robust ZTNA solution, enhancing security for remote access and providing secure non-VPN connectivity for third parties.
How did the chosen technology address this challenge?ZTNA enforced strict access controls, provided continuous monitoring, and ensured secure encrypted connections, while a phased approach addressed the highest-risk groups first.
What were the outcomes?Enhanced security for remote access, improved coordination between internal staff and third-party vendors, security risks addressed within the specified timeframe, and sensitive data kept protected under monitored, controlled access.
flowchart TB
    Plan[Thorough planning & stakeholder engagement] --> Rollout[Phased ZTNA rollout: highest-risk groups first]
    Rollout --> Coordination[Coordinate internal security + third-party vendors]
    Coordination --> ExecBuyIn[Secure CIO-level buy-in]
    ExecBuyIn --> Monitor3[Ongoing monitoring & policy adjustment]
    Monitor3 --> Outcome[Secure, non-VPN access for employees & third parties]

Knowledge Check: Module 2 Quiz

#QuestionAnswer
1What is the primary benefit of ZTNA over traditional VPNs?Continuous verification of user identity.
2Which technology dynamically creates secure, encrypted connections between users and resources, hiding them until authenticated?Software-Defined Perimeters (SDPs).
3What does “never trust, always verify” mean in the context of secure remote access?Authenticating and authorizing all access requests, regardless of origin.
4What key challenge led Organogenesis to implement a ZTNA solution?Enhancing security for remote access and providing secure non-VPN connectivity for third parties.
5Which of the following is NOT an advantage of SDPs?Increased latency and network congestion (this is a drawback, not an advantage).

Module 3: Continuous Monitoring and Analytics

Introduction to Continuous Monitoring in Zero Trust

Continuous monitoring is the ongoing surveillance of network activity to detect anomalous behavior and potential security threats. It is a cornerstone of the Zero Trust model, which assumes threats can originate from both inside and outside the network. Continuous monitoring involves collecting and analyzing data from various network sources in real time to identify suspicious activity, vulnerabilities, and potential breaches, with the goal of detecting and responding to threats as quickly as possible to minimize the impact of security incidents.

Within Zero Trust, continuous monitoring supports “never trust, always verify” by providing real-time insight into network activity, allowing security teams to verify the legitimacy of actions and detect deviations from normal behavior.

Continuous monitoring rests on three key components:

  1. Real-time data collection — gathering information on network traffic, user activity, and system events as they occur.
  2. Automated threat detection — using advanced algorithms, machine learning, and AI to identify potential threats from collected data without manual intervention.
  3. Incident response — taking immediate action to address and mitigate identified security risks.
flowchart LR
    A[Real-Time Data Collection] --> B[Automated Threat Detection]
    B --> C[Incident Response]
    C -->|Post-incident lessons| A

Real-Time Data Collection Methods and Tools

Real-time data collection is the process of continuously gathering information on network traffic, user activity, system events, and more. In the context of Zero Trust, it supports continuous verification of user activities and network events, ensuring no threat goes unnoticed.

Three primary methods are used to collect this data:

  • Network traffic analysis — analyzing data packets flowing through the network to identify unusual patterns.
  • Endpoint monitoring — tracking the behavior of individual devices (computers, smartphones, IoT devices) to detect compromised systems; endpoints are frequently an attacker’s initial point of entry.
  • Log aggregation — collecting and consolidating logs from firewalls, servers, applications, endpoints, and security appliances, then correlating them together to build a picture of network activity and match it against known threat patterns.

These methods are typically operationalized through the following tools:

  • SIEM (Security Information and Event Management): crucial for log management — collecting, correlating, and analyzing data in real time.
  • SOAR (Security Orchestration, Automation, and Response): increasingly built directly into SIEM platforms, providing the automation layer that can contain a host, reset a password, or open a ticket for further investigation.
  • Network monitoring tools: analyze network traffic performance, flag unusual patterns, and forward findings to the SIEM for further analysis.
flowchart TB
    subgraph Sources["Data Sources"]
        NetTraffic[Network Traffic]
        Endpoints[Endpoint Activity]
        Logs[Firewall/Server/App Logs]
    end
    Sources --> Agg[Log Aggregation & Correlation]
    Agg --> SIEM[SIEM: Collect, Correlate, Analyze]
    SIEM --> SOAR[SOAR: Automated Response Actions]
    SOAR --> Actions["Contain host / reset password / open ticket"]
    SIEM --> Analysts[Security Analysts: Investigation]
MethodWhat It CapturesTypical Risk It Surfaces
Network traffic analysisPacket-level flow patternsUnusual or malicious traffic patterns
Endpoint monitoringDevice-level behaviorCompromised endpoints — the common initial point of entry
Log aggregationConsolidated logs from firewalls/servers/apps/endpointsCorrelated multi-source indicators of compromise
ToolPrimary Role
SIEMReal-time log collection, correlation, and analysis
SOARAutomated orchestration and response actions, often integrated into the SIEM
Network monitoring toolsContinuous performance/traffic pattern monitoring, feeding the SIEM

Demo: Threat Detection and Incident Investigation

The following walkthrough reconstructs a hands-on log-analysis demonstration using an endpoint detection and response (EDR) platform to investigate two generated detections in a lab environment. (Other categories of tools — SIEMs, NDRs, EDRs, and antivirus platforms — can serve a similar purpose; this walkthrough uses a leading EDR platform as the example.)

Detection 1 — a benign test trigger:

  1. A command prompt was launched on a Windows host to intentionally generate a low-risk test detection.
  2. The platform’s detection summary displayed a severity rating, the objective the platform believed the activity served, and the MITRE ATT&CK tactics/techniques it mapped to.
  3. The detection was labeled with an Indicator of Attack (IOA) name of “test trigger,” along with the exact command line executed and the file path of the executed binary.
  4. Scrolling further revealed the file hash, any associated indicators, full host information, and the logon type of the user (interactive, in this case).
  5. The process actions view showed every process spawned on the host, including disk operations (in this case, simply the DLLs loaded to open the command prompt) — normal background Windows behavior. Had this been malicious, the same view would surface DNS requests to a command-and-control server, suspicious registry changes, or abnormal network operations.
  6. The same event could be viewed as a process table or process tree, providing a hierarchical view of parent/child process relationships (in this case, showing that PowerShell was subsequently launched from the command prompt).

Detection 2 — a blocked credential-theft attempt:

  1. An attempt was made to launch a known credential-dumping tool (Mimikatz) from the host.
  2. The EDR platform blocked the process immediately and labeled it a high-severity detection, mapping it to a specific MITRE ATT&CK technique ID and classifying it as a PowerShell-based exploit attempt.
  3. The process operation view displayed the full command-line history: PowerShell was launched, followed by the invocation of the credential-dumping module.
  4. A pre-configured automated workflow triggered an email notification the moment the high-severity, blocked detection occurred — providing near-instant analyst awareness.
  5. The process tree view again showed the parent/child relationship: command prompt → PowerShell → attempted tool invocation.
  6. The events timeline view listed every step with exact durations — in this case the entire sequence (PowerShell launch through the blocked invocation) completed in nine seconds — providing a clear evidentiary trail useful for incident documentation.
  7. The process graph view offered a final visual representation of the full sequence, from initial detection through the interaction and execution attempt.
sequenceDiagram
    participant Host as Windows Host
    participant EDR as EDR Platform
    participant Analyst as Security Analyst

    Host->>Host: cmd.exe launched
    Host->>Host: PowerShell launched from cmd.exe
    Host->>Host: Attempt to invoke credential-dumping tool
    Host->>EDR: Process telemetry streamed in real time
    EDR->>EDR: Match against IOA / MITRE ATT&CK technique
    EDR->>EDR: Classify as High Severity, Block Process
    EDR->>Analyst: Automated workflow sends email notification
    Analyst->>EDR: Review process tree, timeline, and process graph
    Analyst->>Analyst: Confirm blocked credential-theft attempt, document timeline
ViewPurpose
Detection summarySeverity, objective, IOA name, mapped ATT&CK technique
Process actionsEvery disk, registry, process, and network operation tied to the event
Process table / treeHierarchical parent-child process relationships
Events timelineChronological list of actions with exact durations — key for documentation
Process graphVisual sequence from detection through interaction and execution

Automated Threat Detection Techniques

Automated threat detection uses automated systems, advanced algorithms, and machine learning to identify potential security threats without manual intervention, continuously analyzing network traffic, user behavior, and other data for signs of malicious activity.

Three techniques provide comprehensive coverage:

  • Behavioral analysis — examines patterns of activity to identify deviations from an established baseline of “normal.” For example, an employee who typically works 9-to-5 suddenly accessing the network at 3 a.m. would trigger an anomalous-activity alert worth investigating.
  • Anomaly detection — uses statistical models and machine-learning algorithms to identify patterns or behaviors that do not conform to expected norms. For example, a sudden spike in data transfers from a specific device could indicate a data-exfiltration attempt.
  • Signature-based detection — matches observed activity against a database of known threat signatures (malware patterns, known attack techniques). Effective for known threats, but not effective against new or unknown ones.
flowchart TB
    Data[Collected Network/User/Endpoint Data] --> Behavioral[Behavioral Analysis: baseline deviation]
    Data --> Anomaly[Anomaly Detection: statistical/ML outliers]
    Data --> Signature[Signature-Based Detection: known threat patterns]
    Behavioral --> Alert1["Alert: e.g., 3 a.m. access by 9-to-5 employee"]
    Anomaly --> Alert2["Alert: e.g., sudden spike in data transfer volume"]
    Signature --> Alert3["Alert: match against known malware signature"]

The benefits of automated threat detection include faster identification of threats, reduced false positives (by more accurately distinguishing normal variation from actual threats), and scalability to handle large volumes of data across complex network environments — from small businesses to large enterprises.

TechniqueDetectsStrengthLimitation
Behavioral analysisDeviations from an established activity baselineGood at catching insider-style anomaliesRequires an accurate, up-to-date baseline
Anomaly detectionStatistical outliers in volume/patternCan catch novel threats without prior signaturesProne to false positives if models are poorly tuned
Signature-based detectionKnown malware/attack patternsFast, low false-positive rate for known threatsIneffective against new or unknown threats

The Incident Response Process

Incident response (IR) refers to the coordinated efforts to detect, analyze, and respond to security incidents, minimizing the impact of a breach and ensuring a quick return to normal operations. The IR process typically involves four stages:

  1. Detection and analysis — identify unusual activity (unauthorized access, a data breach) and determine its nature, scope, and potential organizational impact. This is where the SIEM plays a central role.
  2. Containment, eradication, and recovery — containment isolates affected hosts to prevent the threat from spreading (disconnecting infected devices or shutting down a compromised server); eradication removes the threat from the environment (deleting malware, closing vulnerabilities); recovery restores affected systems and data to normal operation, ensuring all traces of the threat are removed.
  3. Post-incident review — after resolution, the response process is analyzed, actions taken are documented, and lessons learned are captured for future improvement.

Tools central to this process include SOAR platforms (which automate and streamline response, often built into the SIEM) and formal incident response plans, which define roles, responsibilities, communication strategies, and step-by-step procedures for detecting, containing, eradicating, and recovering from incidents. These plans should be regularly reviewed, updated, and tested to remain effective.

flowchart LR
    Detect[Detection & Analysis] --> Contain[Containment: isolate affected hosts]
    Contain --> Eradicate[Eradication: remove threat, close vulnerabilities]
    Eradicate --> Recover[Recovery: restore systems to normal operation]
    Recover --> Review[Post-Incident Review: document & capture lessons learned]
    Review -.->|Feeds back into| Detect
StageKey ActivitiesPrimary Tooling
Detection & analysisIdentify unusual activity, determine scope/impactSIEM
ContainmentIsolate affected hosts/devicesSOAR, network controls
EradicationRemove malware, close vulnerabilitiesSOAR, endpoint tools
RecoveryRestore systems and data to normal operationBackup/recovery tooling
Post-incident reviewDocument actions, capture lessons learnedIncident response plan, reporting

Analytics for Threat Detection

Analytics for threat detection is the process of using data-analytics methods to analyze network activity, user behavior, and system events to identify potential security threats, gaining insight from large volumes of data to make informed security decisions. There are three main types of analytics used:

  • Descriptive analytics — analyzes historical data to understand what has happened in the past. For example, generating reports on previous security breaches detailing the nature of the attack and the systems affected.
  • Predictive analytics — uses statistical models and machine-learning algorithms to forecast future events based on historical data, helping identify potential threats before they occur. For example, analyzing user behavior to detect signs of insider threats, or forecasting the likelihood of specific attack types based on past trends.
  • Prescriptive analytics — goes a step further by recommending specific actions to take, based on insight gained from descriptive and predictive analytics. For example, suggesting a specific security measure to address an identified vulnerability, or recommending changes to access controls based on predicted threat scenarios.
flowchart LR
    Historical[Historical Security Data] --> Descriptive[Descriptive Analytics: what happened]
    Descriptive --> Predictive[Predictive Analytics: what is likely to happen]
    Predictive --> Prescriptive[Prescriptive Analytics: what action to take]
    Prescriptive --> Action[Recommended security control or policy change]

Two categories of tools support these analytics:

  • Machine-learning algorithms — crucial for analyzing large data volumes and recognizing patterns of normal behavior versus deviations that may signify malicious activity, enabling automated, real-time analysis and faster response times.
  • Big-data platforms — provide the infrastructure needed to collect, store, and analyze vast, multi-source data streams (network traffic, endpoint activity, log data) across the environment, giving a comprehensive view of the entire security landscape.
Analytics TypeQuestion AnsweredExample
DescriptiveWhat happened?Reports detailing the nature and impact of past security breaches
PredictiveWhat is likely to happen?Forecasting insider-threat risk or likely attack types from historical trends
PrescriptiveWhat should we do about it?Recommending a specific control or access-policy change to close a predicted gap

Case Studies: AI-Driven SIEM in Financial Services

Case Study 1 — AI-Driven SIEM Implementation

  • Challenge: A large financial institution struggled to identify and mitigate advanced persistent threats (APTs) due to their complexity and stealthy nature. Traditional security measures were insufficient for timely detection and response, leaving potential vulnerabilities exposed.
  • Solution: The institution implemented an AI-driven SIEM that used machine learning and predictive analytics to enhance threat detection, automating the complex processes of data aggregation and normalization to enable proactive threat detection and response.
  • Outcome: Improved real-time threat detection with AI-driven real-time alerts for suspicious activity; more proactive defensive mechanisms, detecting and responding to threats before they could cause harm; reduced overall false positives; and improved compliance with regulatory standards.

Case Study 2 — Advanced Threat Detection for Regulatory Compliance

  • Challenge: Financial institutions face the ongoing challenge of protecting sensitive data from sophisticated, evolving threats while also complying with stringent regulatory standards for the security and privacy of customer information.
  • Solution: Deployment of advanced threat-detection systems combining machine-learning-based anomaly detection and behavioral analytics, enabling real-time monitoring of network traffic, identification of suspicious activity, and earlier detection of potential threats.
  • Outcome: Improved overall security through machine learning and behavioral analytics; secure, non-VPN connectivity options extended to third parties; and continued compliance with regulatory standards, keeping the institution in good standing.
flowchart TB
    subgraph Exabeam["AI-Driven SIEM Architecture"]
        RawData[Raw Logs & Network Data] --> Normalize[Automated Aggregation & Normalization]
        Normalize --> ML[Machine Learning & Predictive Analytics]
        ML --> Alerts[Real-Time Alerts on Suspicious Activity]
        Alerts --> ProactiveDefense[Proactive Defense: act before harm occurs]
        ML --> FalsePos[Reduced False Positives]
    end
CategoryExabeam AI SIEM Case StudyRegulatory Compliance Case Study
Primary challengeDetecting/responding to advanced persistent threats (APTs)Protecting sensitive data while meeting regulatory standards
TechnologyAI-driven SIEM with machine learning + predictive analyticsMachine-learning anomaly detection + behavioral analytics
Key benefitReal-time alerts, proactive defense, fewer false positivesReal-time monitoring, earlier threat detection, secure third-party connectivity
Integration challengesIntegrating AI with legacy infrastructure, accurate data normalization, staff trainingOngoing compliance maintenance alongside evolving threats
Compliance impactMaintained regulatory complianceMaintained regulatory compliance

Key takeaways applicable across organizations: invest in integration and staff training when adopting AI-driven tools; favor proactive monitoring over reactive response; treat regulatory compliance as an ongoing outcome of good security practice, not a separate checkbox; and keep security teams focused on genuine threats by letting automation absorb the noise.

Knowledge Check: Module 3 Quiz

#QuestionAnswer
1What are the primary components of continuous monitoring in a Zero Trust model?Real-time data collection, automated threat detection, and incident response.
2Which technique is NOT commonly used in automated threat detection?Manual log review.
3In incident response, what is the primary goal of the containment phase?Isolating affected systems to prevent further damage.
4How does predictive analytics differ from descriptive analytics in threat detection?Predictive analytics forecasts future events, while descriptive analytics analyzes past events.

Summary

Zero Trust network security rests on three mutually reinforcing pillars covered in this course:

  1. Network segmentation and micro-segmentation shrink the attack surface by dividing networks into smaller segments and then applying fine-grained, identity-aware access policies within them — replacing broad, department-level VLAN trust with per-user, per-application control that adapts automatically as roles change.
  2. Secure remote access technologies — VPNs, ZTNA, and Software-Defined Perimeters — extend the “never trust, always verify” principle to users and devices connecting from outside the traditional perimeter, with ZTNA and SDP going further than legacy VPNs by continuously verifying identity and hiding resources until access is explicitly authorized.
  3. Continuous monitoring and analytics close the loop by collecting real-time data from network traffic, endpoints, and logs; applying automated (behavioral, anomaly, and signature-based) detection; running that data through descriptive, predictive, and prescriptive analytics; and feeding confirmed incidents through a disciplined detection-containment-eradication-recovery-review response process.
mindmap
  root((Zero Trust Network Security))
    Segmentation & Micro-segmentation
      Reduce attack surface
      Simplify management
      Compliance & performance
    Secure Remote Access
      VPN
      ZTNA
      SDP
    Continuous Monitoring & Analytics
      Real-time data collection
      Automated detection
      Incident response
      Descriptive/Predictive/Prescriptive analytics

Quick-Reference: Technology Selection Guide

If you need to…Consider…
Limit lateral movement across a broad networkNetwork segmentation (VLANs, subnetting)
Apply fine-grained, role/app-specific access controlMicro-segmentation
Give remote users encrypted access to internal resources with minimal change to existing architectureVPN, hardened with MFA and regular patching
Enforce continuous, per-request identity verification for remote/hybrid usersZTNA
Hide sensitive resources entirely until a user is authenticated and authorizedSoftware-Defined Perimeter (SDP)
Detect threats across network traffic, endpoints, and logs in real timeSIEM with real-time data collection
Automate response actions (containment, ticketing, notification)SOAR, integrated with the SIEM
Forecast likely future threats or insider riskPredictive analytics
Get concrete recommendations on which controls to changePrescriptive analytics

Zero Trust Network Security Checklist

  • Catalog all network assets, applications, and data, and classify them by sensitivity.
  • Segment the network so that a compromise in one segment cannot reach critical systems in another.
  • Layer micro-segmentation on top of broad segmentation for role-, application-, and data-specific access control.
  • Apply least-privilege access policies and ensure they adapt automatically as user roles change.
  • Replace or harden legacy VPN access with ZTNA and/or SDP where distributed workforce or third-party access is involved.
  • Enforce multi-factor authentication and continuous session verification for all remote access.
  • Deploy real-time data collection across network traffic, endpoints, and logs, feeding a central SIEM.
  • Layer behavioral, anomaly, and signature-based detection techniques rather than relying on any single method.
  • Automate response actions with SOAR where appropriate to reduce time-to-containment.
  • Maintain and regularly test a formal incident response plan covering detection, containment, eradication, recovery, and post-incident review.
  • Use descriptive, predictive, and prescriptive analytics together to move from understanding past incidents to preventing future ones.
  • Continuously monitor and adjust segmentation, access, and detection policies as threats and organizational needs evolve — Zero Trust is an ongoing practice, not a one-time deployment.

Search Terms

zero · trust · network · security · networking · systems · micro-segmentation · access · case · check · detection · knowledge · quiz · segmentation · studies · threat · analytics · continuous · incident · monitoring · organogenesis · remote · secure

Interested in this course?

Contact us to book it or get a custom training plan for your team.