The National Security Agency (NSA) released a Cybersecurity Information Sheet (CSI) that advocates adopting a Zero Trust (ZT) security model using Automation and Orchestration to protect government and industry data and systems. The document emphasizes that automation and orchestration are essential to achieving a mature zero trust posture, enabling faster, more efficient responses to cybersecurity threats.
The guidance is primarily intended for the National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks. However, the guidance is far-reaching in relevance to the commercial and private sectors.
Three critical zero trust capabilities for Automation and Orchestration
The CSI outlines three critical capabilities within the automation and orchestration pillar, including:
- Organizations should employ automation and orchestration methods to address repetitive, labor-intensive, and predictable tasks for critical functions and access control.
- Organizations should employ advanced algorithms and analytics, specifically artificial intelligence (AI) and machine learning (ML), to enhance critical functions.
- An organization’s ability to coordinate security operations and incident response is vital to its security and should be aided by AI and ML and other automation efforts to more quickly and effectively detect, respond to, and mitigate threats.
The NSA’s Eight Pillars of Zero Trust Cybersecurity
The “Automation and Orchestration” category is the eighth pillar of the agency’s recommendations for zero trust architecture.
Other zero trust pillars, according to NSA, include:
- “Embracing a Zero Trust Security Model”
- “Advancing Zero Trust Maturity Throughout the User Pillar”
- “Advancing Zero Trust Maturity Throughout the Device Pillar”
- “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar”
- “Advancing Zero Trust Maturity Throughout the Data Pillar”
- “Advancing Zero Trust Maturity Throughout the Application and Workload Pillar”
- “Advancing Zero Trust Maturity Throughout the Visibility and Analytics Pillar”
- “Advancing Zero Trust Maturity Throughout the Automation and Orchestration Pillar”
What the NSA recommends for Zero Trust through Automation and Orchestration
The CSI provides practical guidance and recommendations for organizations to progress through different maturity levels for each capability. This includes employing automation for repetitive tasks, utilizing AI/ML for advanced threat detection and response, and establishing robust security operations centers (SOCs) to coordinate security efforts effectively.
Automation is critical to improve the speed and scale of security actions and reactions within an organization. The document provides guidance on how to mature an organization’s automation and orchestration capabilities to better defend against increasingly sophisticated cyberattacks.
Finally, the CSI stresses the importance of continuous improvement, urging organizations to regularly evaluate and update their ZT implementations based on evolving threats and technological advancements.
Policy Orchestration using Policy Decision Points
- Modern ZT environments often separate the functions of PIPs, PDPs, and PEPs, unlike traditional networks where these functions might be combined in a single device like a firewall. This separation enhances security policy versatility, enforcement, and response actions in ZT environments.
- Storing policies in a machine-readable format allows PDPs to interpret them and PEPs to enforce them properly. This also facilitates automated policy changes based on evolving conditions, enabling dynamic policies that adjust to the current risk environment. Policy as code (PaC) techniques are used to implement such dynamic policies.
- In a modern ZT environment, a ZT-enabled network access capability might send an access request with network metadata to a PDP (e.g., an access control engine). The PDP would then gather the relevant access policy from a PIP (central policy store), request additional attributes and metadata from other PIPs (e.g., identity information, authentication validation, environmental confidence levels), and then evaluate all this contextual information to make and relay an access decision.
Critical Process Automation (CPA)
- CPA within a ZT framework emphasizes that automation should not compromise the core principles of Zero Trust. Continuous verification and validation of trust for all users and devices accessing resources remain paramount.
- Robotic Process Automation (RPA) plays a vital role in CPA by taking over repetitive tasks, freeing up human resources, and reducing the possibility of human error. User provisioning, access request approvals, and security policy enforcement are ideal RPA use cases.
- Integrating AI and advanced analytics can significantly bolster an organization’s ZT posture. This includes continuous risk assessment, behavioral analytics, predictive threat detection, and automated response.
Artificial Intelligence (AI)
- Artificial intelligence (AI) is a collection of technologies enabling computers to mimic human-like reasoning and learning.
- AI in ZT is presented as a way to analyze vast datasets, potentially leading to earlier threat detection and more efficient incident response.
- To mitigate risks associated with AI implementation, human-in-the-loop (HITL) techniques such as human auditing, regular training of AI models, and employee awareness programs are recommended.
Machine Learning (ML)
- Zero Trust environments generate large amounts of data from access logs, network traffic, user behavior, device attributes, and security events. This data can be used to train ML models to establish baselines of normal activity for users and system components.
- ML can detect unusual activities, including previously unseen anomalies, when implemented correctly. ML models can inform User and Entity Behavior Analysis (UEBA) solutions to determine unusual user behavior, perform root cause analysis for faster investigation using large language models, and integrate into network access controls and endpoint protection platforms to mitigate threats.
- Regular testing and human review are essential to improving the accuracy of ML models and validating suggested actions. AI and ML capabilities should also adhere to relevant legal, regulatory, privacy, and other requirements.
Security orchestration, automation, and response (SOAR)
- SOAR tools offer a powerful way to enhance an organization’s security posture by automating and orchestrating security tasks. These tools can ingest alert data from different sources, trigger automated playbooks for incident response and remediation, and even leverage AI/ML for more advanced autonomous cyber defense capabilities.
- Threat and vulnerability management, security incident response, and security operations automation are the three primary software capabilities within a comprehensive SOAR product. By integrating these capabilities, organizations can strengthen their defenses, improve collaboration among security teams, and mitigate threats more swiftly.
- Organizations should develop a maturity table adhering to the SOAR implementation stages. Organizations typically establish logging and auditing policies and acquire suitable SOAR tools. As they progress, they implement predefined playbooks for initial automation. They gradually refine their SOAR tools to achieve more sophisticated threat and vulnerability management, leveraging data from sources like UEBA solutions. The ultimate goal is integrating AI/ML into SOAR capabilities and implementing complex decision logic for highly effective automated responses.
Security Operations Coordination and Incident Response (SOC and IR)
- SOCs can improve response times through rapid analysis, automated data collection (logs, PCAPs), and automated responses to mitigate threats. However, the sheer volume of data flowing into a SOC often overwhelms human analysts, necessitating SOAR to enhance response times and coverage rates.
- Robust incident response plans are crucial for mitigating potential damage from intrusions and ensuring mission continuity. Organizations should develop and regularly test these plans, including tabletop exercises and scenario simulations, to maintain effectiveness.
- Like SOAR implementation, organizations should adopt the maturity table implementation guidelines for progressing security operations coordination and incident response. This table highlights critical milestones, from initial plan development and solution procurement to advanced incident response workflow automation leveraging threat intelligence, user activity monitoring, AI-based anomaly detection, and UEBA. The ultimate aim is to achieve fully automated playbooks that leverage historical data for informed decision-making.
Additional Zero Trust Cybersecurity Research
To learn more about zero trust cybersecurity strategies and methodologies, I encourage you to read each of the NSA’s Zero Trust pillars linked above. Additional reading on zero trust cybersecurity, how cybersecurity is adopting AI, and Generative AI for zero trust.
Automation and orchestration are vital to strengthening zero trust cybersecurity, as the hiring gap between the industry’s talent, burnout, mental health, and companies unable to afford cybersecurity experts is increasing.
Discover more from Cybersecurity Careers Blog
Subscribe to get the latest posts sent to your email.