Zero Trust Network Architecture (ZTNA) has emerged as a foundation of mature cybersecurity and is gaining momentum with government mandates like the Biden administration’s directive to adopt zero trust. It embodies the principle of “never trust, always verify,” emphasising least-privilege access. Systems start in a default-deny posture and are opened explicitly only when the access criteria are met, at the network layer, in applications, in data segregation, and so forth.
The zero trust approach restricts access to resources based solely on explicit need and verification, effectively locking the network against unauthorised activity. It builds on five key pillars, Identity, Device, Network, Application, and Data, giving comprehensive control and protection across all facets of an organisation’s IT infrastructure. Cutting across the five pillars, Visibility and Analytics, Automation and Orchestration, and Governance play a vital role in cross-pillar coordination.
Organisations are embracing zero trust because of its ability to mitigate risk, reduce attack surfaces, and provide enhanced visibility. Zero trust moves beyond traditional perimeter-based security models to address the complexities of modern hybrid environments by treating every user, device, and application as a potential threat.
While Gartner estimates that only 10% of organisations will achieve full zero trust maturity by 2026, some estimates suggest that 90% of businesses are in the deployment phase. The journey offers transformative benefits, including explicit access controls and granular telemetry collection.
The zero trust maturity journey
Adopting zero trust is a journey toward greater security maturity. At the outset, organisations focus on defining explicit access controls, where every access request is documented and evaluated. This results in quality telemetry that supports advanced analytics.
Analytics serves two primary objectives in zero trust. First, it prioritises maturity improvements: measuring the ratio of catch-all deny rules to explicit allow rules lets teams gauge their progress and identify areas for refinement. Second, it facilitates threat management, because protecting against, identifying, detecting and responding to threats all become more effective as the analytics evolve.
However, zero trust generates an overwhelming volume of data as it matures. Each logged access attempt, denied-rule hit or anomaly adds to the telemetry pool, and most of the resulting detections will be false positives. In effect, it exacerbates alert fatigue, which already poses a significant challenge to Security Operations Center (SOC) teams today.
Alert fatigue plagues the SOC, leading to errors and lapses in attention, and fragmented alert investigation makes it difficult to see the complete picture. A paradigm shift in how threats are analysed and managed is necessary. AI, and in particular hypergraphs and large language models (LLMs), can flip the script.
How hypergraphs and LLMs can help
As the complexity of zero trust environments grows, so does the need for tools to handle the data explosion. Hypergraphs and generative AI are emerging as game-changers, enabling SOC teams to connect disparate events and uncover hidden patterns.
Telemetry collected in zero trust environments is a treasure trove for analytics. Every interaction, whether permitted or denied, is logged, providing the raw material for identifying anomalies. The cybersecurity industry has set standards for exchanging and documenting threat intelligence. By leveraging structured frameworks like MITRE ATT&CK, MITRE D3FEND and OCSF, activities can be enriched with contextual information, enabling better detection and decision-making.
Hypergraphs go beyond traditional graphs, whose edges link exactly two nodes, by letting a single edge connect any number of events or entities, so they can correlate disparate events directly. For example, a scheduled task combined with denied AnyDesk traffic and browsing to MegaUpload might initially seem unrelated. However, hypergraphs can connect these dots, revealing the signature of a ransomware attack like Akira. By analysing historical patterns, hypergraphs can also predict attack patterns, allowing SOC teams to anticipate the next steps of an attacker and defend proactively.
Hypergraphs can reduce the volume of alerts presented to analysts by clustering related events, and they can prioritise the detections that require immediate attention by assigning risk scores to chains of events. Instead of isolated alerts, SOC teams receive enriched narratives that highlight the sequence and significance of events.
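To make the clustering and scoring concrete, here is an added Python example; it is not code from the article or from Logpoint. It takes a small constructed telemetry sample (made-up hosts, users and timestamps, with the three event kinds from the chain above on one workstation), groups events that share a host and user and fall within a time window into a single hyperedge, scores each hyperedge with assumed base weights plus a bonus when a chain pattern is present, and emits one narrative per hyperedge above an assumed threshold instead of one alert per event. The technique tags T1053, T1219 and T1567 are real MITRE ATT&CK ids (scheduled task/job, remote access software, exfiltration over web service), attached here as the enrichment the previous paragraph describes, but the pattern that groups them is an assumption for illustration, not a published signature.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str        # event class from the log source, e.g. "scheduled_task"
    detail: str      # human-readable detail, kept for the analyst narrative
    technique: str   # ATT&CK technique id added during enrichment ("" if none)


# Constructed sample telemetry: hosts, users and times are made up.
T0 = datetime(2024, 1, 15, 9, 0)
EVENTS = [
    Event(T0 + timedelta(minutes=2), "ws-17", "alice", "scheduled_task",
          "new task 'UpdateCheck' registered", "T1053"),
    Event(T0 + timedelta(minutes=9), "ws-17", "alice", "denied_egress",
          "outbound to anydesk.com blocked by default-deny rule", "T1219"),
    Event(T0 + timedelta(minutes=14), "ws-17", "alice", "web_browse",
          "upload to MegaUpload-style file-sharing site", "T1567"),
    Event(T0 + timedelta(minutes=5), "ws-42", "bob", "denied_egress",
          "outbound to legacy file share blocked by default-deny rule", ""),
    Event(T0 + timedelta(hours=3), "ws-17", "alice", "web_browse",
          "GET intranet wiki", ""),
]

# Assumed per-event weights. A lone denied-rule hit is deliberately cheap:
# in a default-deny environment most of them are noise.
BASE_WEIGHT = {"scheduled_task": 2, "denied_egress": 1, "web_browse": 1}

# Assumed chain pattern: techniques that together on one entity earn a bonus
# far above the sum of the parts. Illustrative grouping, not a published signature.
CHAIN_PATTERNS = [
    ({"T1053", "T1219", "T1567"}, 10,
     "persistence, then remote-access tooling, then upload to a web service"),
]


def build_hyperedges(events, window=timedelta(minutes=30)):
    """Group events into hyperedges: tuples of events sharing (host, user) in
    which each event falls within `window` of the previous one. Unlike a
    pairwise graph edge, one hyperedge can join any number of events."""
    by_entity = defaultdict(list)
    for ev in events:
        by_entity[(ev.host, ev.user)].append(ev)
    edges = []
    for evs in by_entity.values():
        evs.sort(key=lambda e: e.ts)
        group = [evs[0]]
        for ev in evs[1:]:
            if ev.ts - group[-1].ts <= window:
                group.append(ev)
            else:
                edges.append(tuple(group))
                group = [ev]
        edges.append(tuple(group))
    return edges


def score_hyperedge(edge):
    """Risk score = sum of base weights plus a bonus per matched chain pattern."""
    score = sum(BASE_WEIGHT.get(ev.kind, 0) for ev in edge)
    seen = {ev.technique for ev in edge if ev.technique}
    matched = [(bonus, label) for pattern, bonus, label in CHAIN_PATTERNS if pattern <= seen]
    score += sum(bonus for bonus, _ in matched)
    return score, [label for _, label in matched]


def narrate(edge, score, reasons):
    """Turn a scored hyperedge into the enriched narrative an analyst reads."""
    first, last = edge[0], edge[-1]
    return {
        "host": first.host, "user": first.user, "score": score,
        "events": len(edge), "reasons": reasons,
        "window": f"{first.ts:%H:%M} to {last.ts:%H:%M}",
        "timeline": [f"{ev.ts:%H:%M} {ev.kind} ({ev.technique or 'untagged'}): {ev.detail}"
                     for ev in edge],
    }


def triage(events, threshold=5):
    """Narratives for hyperedges scoring at or above `threshold`, highest first.
    Everything below the threshold is suppressed rather than surfaced as a
    stand-alone alert; that suppression is where the volume reduction comes from."""
    narratives = []
    for edge in build_hyperedges(events):
        score, reasons = score_hyperedge(edge)
        if score >= threshold:
            narratives.append(narrate(edge, score, reasons))
    narratives.sort(key=lambda n: n["score"], reverse=True)
    return narratives


if __name__ == "__main__":
    for n in triage(EVENTS):
        print(f"[{n['score']}] {n['host']}/{n['user']} {n['window']} ({n['events']} events)")
        for line in n["timeline"]:
            print("   ", line)
        for reason in n["reasons"]:
            print("    why:", reason)
```

On the sample, five raw events collapse into three hyperedges, and only the ws-17 chain clears the threshold (score 14: base 4 plus the chain bonus), so the analyst sees one narrative with its ordered timeline and the reason it was scored, while the two isolated denied-rule hits stay below the line. Real deployments would key hyperedges on more than host and user (process lineage, session, destination) and learn the weights rather than hard-code them, but the structure is the same.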
LLMs complement hypergraphs by making sense of the structured data. They excel at tasks like translating technical details into actionable insights for analysts, identifying overlaps between threat intelligence and vulnerabilities in the organisation, and assisting with remediation by suggesting next steps based on observed patterns.
For example, if a hypergraph identifies a sequence of detections indicative of an attack, an LLM can assess whether the activity warrants human intervention, recommend specific countermeasures, and generate reports for stakeholders, summarising the threat and its impact.
Addressing alert fatigue
Integrating hypergraphs and LLMs into zero trust architectures unlocks multiple benefits for SOC teams. It enhances threat detection by connecting the dots between seemingly unrelated events, which can reveal complex attack patterns. It also allows SOC teams to focus on high-priority threats by removing the need to act on each individual detection, improving efficiency.
By predicting attack phases, SOC teams can harden defences before an attack progresses, while LLMs can simplify communication by translating technical findings into actionable insights. In essence, AI and hypergraphs address the data overload and alert fatigue inherent in zero trust, ensuring these architectures not only protect but help organisations to mature and respond effectively.
Zero trust is transforming the cybersecurity landscape, providing organisations with the tools to minimise risk and enhance visibility. However, the journey toward zero trust maturity is fraught with challenges, including the deluge of data and alerts. Organisations can turn data overload into a powerful asset by adopting AI and hypergraphs. These technologies enable SOC teams to uncover hidden patterns, prioritise threats, and respond more effectively.
Christian Have, CTO, brings years of cybersecurity expertise to his role at Logpoint. He oversees security and threat research. Before joining the company, he was the head of network security for the Danish National Police. He is also a guest lecturer on cybersecurity at leading Danish universities and holds a Bachelor of IT from the IT University of Copenhagen.