Skip to main content

Aviz Deep Network Observability Examines NIST SP 800-207 Network Visibility Gap

Despite progress on identity and device controls, many federal Zero Trust deployments still fall short of NIST SP 800-207 network visibility expectations, according to the vendor post. The gap matters because the trust algorithm depends on continuous, credible evidence of activity across east-west traffic, encryption, and agentless systems.

Research Overview

The post frames its review around NIST SP 800-207, which it describes as requiring an organization to observe activity across its network. It distinguishes perimeter and endpoint observation from the need to observe communications between hosts, encrypted traffic, container communications, and activity from unmanaged systems without an agent.

The post also connects the observability requirement to continuous access control, describing the policy engine and trust algorithm as relying on available inputs to make access decisions. It argues that when network visibility becomes incomplete, the trust algorithm operates with limited inputs.

Key Findings

The post states that federal Zero Trust adoption has progressed for identity and device components, while networks have not been fully adopted. It attributes this status to the CISA Zero Trust Maturity Model, indicating that network maturity lags the other components.

It asserts that attackers can move through networks undetected for months even after identity platform improvements, device compliance, and real-time policy enforcement. The post characterizes the issue as a visibility problem rather than a policy-related problem.

Technical Breakdown

To address network visibility, the post describes a wire-level approach using deep network observability, positioning packet capture as the source of ongoing activity evidence. It contrasts packet-derived information with device logs, describing packet-derived data as captured directly from the wire and not dependent on logs from monitoring tools.

The post describes two outputs from a single capture point: optimized raw packets for security detection tools such as NDR and IDS, and enriched packet-derived metadata for SIEM and analytics platforms. It says the metadata includes flow and session information, visibility into DNS activity, application identification, and TLS posture information, made available in open formats.

Operational Impact

The post argues device logs alone are insufficient because adversaries can disable endpoint logging and erase auditing and event logs. It cites MITRE ATT&CK techniques T1070 and T1562 as examples of approaches that can remove logging and impair defenses, enabling lateral movement without device-level visibility.

It adds that if an attacker disables EDR and cleans logs, network packets can still be captured and reflect the true network activity, independent of endpoint tampering. In a sample implementation described in the post, the IDS analyzing optimized raw packets detected behaviors including C2 beaconing check-ins, credential harvest attacks against Active Directory, lateral movement in east-west traffic, and C2 communications for malware.

Evidence and Alignment to NIST SP 800-207

The post states that the observed detections in east-west traffic were in cases where traffic was never captured by the perimeter. It says device logging alone could not discern these behaviors in its described testing, linking the results to the need for packet-level visibility.

It concludes that NIST SP 800-207 foresees total visibility, while agencies still face gaps in networks despite improvements in identity and device controls. It describes wire-level visibility and packet-derived telemetry as the means of proving necessary facts for continuous verification within a Zero Trust architecture.

This vendor blog signals that federal Zero Trust progress under NIST SP 800-207 has advanced on identity and devices, while networks remain incomplete, with wire-level packet capture and packet-derived telemetry presented as the mechanism to satisfy the network visibility requirement. Blog Signals brief is a fact-based summary of the vendor blog.