The Zero Trust Hub
Trends, insights, and resources for today's cybersecurity leaders. Updated weekly.
How a Zero Trust Architecture Would’ve Rewritten Last Year’s Biggest Breaches

Public Sector CTO
Nobody wants to be in The Big Book of Breaches. And yet every year, more organizations end up in it.
They had security teams, tools, and budgets. Their architecture just gave attackers room to turn a small compromise into a catastrophe.
I’ve spent nearly three decades in cybersecurity — in uniform, in the federal government, and now in the private sector. I’ve watched organizations pour billions into security tools, hire elite teams, and build layered defenses. And I’ve watched them get breached anyway.
What The Big Book of Breaches highlights for me is that the problem is architecture.
Attackers got in through common network weak points and walked away with billions in damage. What they all had in common was flat, permissive network architecture that gave attackers unrestricted room to move once they were inside.
Zero Trust is how you stay out of next year’s edition.
“Assume breach” means rethinking how your environment is built
I hear “assume breach” constantly, to the point it’s become almost meaningless.
The problem is that most organizations respond to it by adding detection layers. That response treats a structural problem like an operational one.
Assume breach means designing your environment as if the attacker is already inside. The question to ask is: if someone has valid credentials in this segment, what can they reach?
If the honest answer is a lot more than they should, you have an architecture problem.
The Change Healthcare breach featured in this year’s book of breaches answers that question at scale.
ALPHV/BlackCat entered through a single remote access path and spread across claims processing, pharmacy systems, and payment platforms — all connected through shared network paths.
The result was 193 million patient records exposed, $22 million in ransom paid, and over $1.6 billion spent on recovery.
Change Healthcare’s architecture made it extraordinarily efficient to operate. It also made a single compromised path enough to take down an entire national healthcare system.
A Zero Trust architecture grounded in real-time visibility and microsegmentation treats each of those platforms as an independent, isolated segment. The ransomware still might have gotten in, but segmentation would’ve stopped it from reaching anything beyond its initial foothold.
Attack blast radius is the security metric to track
Mean time to detect and mean time to respond tell you how quickly you found the fire. They say nothing about how much burned while you were looking.
Marks & Spencer’s attackers were inside the environment for months before deploying DragonForce ransomware over Easter weekend — one of the busiest retail periods of the year.
Using stolen credentials, they moved through Active Directory and across e-commerce, logistics, supply chain, and point-of-sale systems. By the time detection happened, the estimated damage was £300 million.
At TriZetto, attackers pulled 3.4 million patients’ Social Security numbers, dates of birth, and insurance records through a provider-facing web portal undetected for nearly a year. The access looked legitimate because in an unsegmented environment, there was no boundary to cross, no anomaly to flag, nothing to make the theft visible.
An attack’s blast radius, which describes how far an attacker moves from their initial point of compromise, is what actually captures organizational risk. A Zero Trust architecture grounded in visibility and microsegmentation is what shrinks it.
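The question the "assume breach" section poses (if someone has valid credentials in this segment, what can they reach?) and the blast radius metric above can be made measurable with a small reachability model. The following is an added example, not code from the original article or from Illumio: the host inventory, segments and allow-rules are constructed for the illustration and describe no real environment.

```python
"""Blast radius as a reachability count over a segmentation policy.
Added illustration, not code from the original article; the hosts, segments
and allow-rules are constructed and describe no real environment."""
from collections import deque

# Constructed inventory: host -> segment it lives in.
HOSTS = {
    "vpn-gw": "remote-access",
    "claims-app": "claims",
    "claims-db": "claims",
    "pharmacy-app": "pharmacy",
    "pay-app": "payments",
    "pay-db": "payments",
}
SEGMENTS = set(HOSTS.values())

# Flat, permissive network: any segment may reach any other segment.
FLAT_POLICY = {(src, dst) for src in SEGMENTS for dst in SEGMENTS}

# Microsegmented policy: only the flows the business actually needs.
SEGMENTED_POLICY = {
    ("remote-access", "claims"),  # remote users reach the claims app
    ("claims", "claims"),         # claims app reaches its own database
    ("pharmacy", "pharmacy"),
    ("payments", "payments"),
}


def blast_radius(foothold, hosts=HOSTS, policy=FLAT_POLICY):
    """Hosts an attacker on `foothold` can reach by lateral movement.

    Breadth-first search over hosts; a hop A -> B is allowed only if the
    policy permits segment(A) -> segment(B). The model assumes valid
    credentials work on every host the network lets the attacker reach,
    which is exactly the 'assume breach' question the article poses."""
    reached, queue = {foothold}, deque([foothold])
    while queue:
        current = queue.popleft()
        for host, segment in hosts.items():
            if host not in reached and (hosts[current], segment) in policy:
                reached.add(host)
                queue.append(host)
    return reached


def blast_radius_pct(foothold, hosts=HOSTS, policy=FLAT_POLICY):
    """Blast radius as a percentage of the inventory: the metric to track."""
    return round(100 * len(blast_radius(foothold, hosts, policy)) / len(hosts))
```

With the same foothold on the remote-access gateway, the flat policy exposes every host while the segmented policy confines the attacker to the claims segment; swapping in a real inventory and policy export turns the same function into a tracked metric.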
The cost of waiting is in the report
The organizations in this report had teams, tools, and cybersecurity budgets. What they shared was an architecture that assumed the perimeter would hold, with no structural plan for limiting damage once access was gained.
The attackers in these breaches used common techniques and went as far as the environment allowed. And in every case, that was far enough to cause catastrophic damage.
Zero Trust changes what “far enough” means. When access is earned at every boundary, a compromised credential stays an isolated incident and the blast radius shrinks from catastrophic to manageable.
Nearly all the CISOs I talk to understand this. The ones who haven’t made it an architectural priority are the ones I worry about.
The architecture you have today defines the blast radius of your next breach.
STATSHOT
PDF Problems
PDFs are the clear favorite for attackers, appearing far more often in malicious file detections than Word, Excel, or any other file type. The reason is simple: these are the files people trust and open every day without a second thought. In most cases, the real threat is not the file itself. Instead, attackers use familiar-looking documents to hide malicious URLs that direct users to phishing sites, fake login pages, and other harmful destinations. The tactic works because it blends seamlessly into normal business activity, turning routine clicks into opportunities for attackers.
What Mythos Means for Cyber Practitioners
Your vulnerability backlog is about to get a lot longer. As AI-powered discovery accelerates the CVE flood, security teams need a new playbook, one built around breach containment instead of just faster patching. Illumio Principal Sales Engineer Alex Goller explains what’s next.
How the Navy and DHS Made Zero Trust Operational
Don Yeske has built Zero Trust where it counts: inside the U.S. Navy and the Department of Homeland Security. Now Senior Solutions Architect at Virtru, he shares the lesson he learned during his tenure: stop protecting everything and focus on what matters. Here’s how he made it work in practice.
Get the industry’s first vendor-neutral Zero Trust certification.