In the last year, the Cybersecurity & Infrastructure Security Agency and executive orders from the Biden administration have assigned various new security mandates focused on zero trust. These executive orders lay out dozens of measures federal agencies need to take in the next two years to secure systems and limit the risk of security incidents, including the implementation of security orchestration, automation and response (SOAR) technology.
In January, the Biden administration released a new cybersecurity strategy for federal agencies that will move the government toward a zero trust security model. The strategy expands upon the May 2021 executive order, which seeks to improve the nation’s cybersecurity posture and goes as far as to mandate specific cybersecurity standards to be implemented by the end of 2024.
More recently, CISA announced in late July plans to update its Zero Trust Maturity Model, a roadmap for agencies to reference as they transition towards a zero trust architecture per the May 2021 executive order. Version 2.0 of the maturity model is said to be an evolving document that reacts to feedback shared by organizations actually putting it into practice.
Agencies seeking to take steps to implement a zero trust architecture are already familiar with its foundational pillars, which call for enterprise identity management, device security, network segmentation, application workload security and data security. The reality is that security orchestration, automation and response (SOAR) capabilities sit at the intersection of these pillars and are required to connect it all while achieving comprehensive visibility.
This is no small task, as these government-wide cybersecurity requirements directly impact the outlooks and roadmaps for individual agency security initiatives. SOAR is in the requirements for a reason, and more specifically, what’s needed is an ability to bring all the elements of a zero trust model together in an integrated and seamless way. This intersection of identity, network, system and application access requires not a solution but a program, and like many programs dependent on disparate tools across teams and departments, the ability to enable a converged solution set is key to success. While many people think of SOAR as focused on security operations center use cases, the truth is that the underlying capability to integrate a diverse set of security tools and automate actions such as forcing reauthentication or disconnecting sessions in real time is critical to achieving the outcomes desired in implementing zero trust.
Considerations for implementing SOAR as part of zero trust
As federal agencies prepare to make the move to zero trust models ahead of the 2024 deadline, 55% of IT professionals find selecting the right vendors for implementing their zero trust strategy challenging. In particular, implementing security automation may feel daunting at first as government agencies transition from legacy technology toolsets and countless manual workflows. But with the right strategy, it doesn’t have to be. In addition, there are parallel efforts that are mandating security automation as part of Executive Order M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.
Agencies must get clarity on the difference between logging and SIEM to get their logging in line with a defined zero trust methodology and the logging and automation mandates. Proper data ingestion enables automated response. Agencies need to integrate SOAR with SIEM or log management tools to ingest alerts more efficiently, execute searches across platforms, and update rules.
Additionally, agencies must build automated incident response playbooks based on their primary alert categories before implementation. A comprehensive, active understanding of an agency’s security stack and attack surface will help security teams prioritize what processes should be automated first. This prioritization will bring the fastest value during the adoption of SOAR.
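The ingest, categorize and automate loop described in the two paragraphs above, as an added illustration that is not code from the article, from Swimlane or from any agency platform: a SIEM-style alert feed is normalized, duplicate alerts are collapsed, alerts are prioritized by asset criticality, and each primary alert category is routed to a playbook that returns the response actions it would dispatch. The alert records, category names, asset tiers and action names are all constructed for the example; the category count helper shows how an agency could find which categories dominate and therefore which playbooks to build first.

```python
"""Alert-category playbook router (constructed example, not a vendor product)."""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample feed in the newline-delimited JSON shape many SIEMs export.
# Includes one duplicate (a1/a3), one unknown category (a5) and one malformed line.
SAMPLE_ALERTS = """\
{"id": "a1", "category": "credential_misuse", "user": "jdoe", "host": "ws-104", "score": 70}
{"id": "a2", "category": "malware", "user": "asmith", "host": "srv-db-01", "score": 85}
{"id": "a3", "category": "credential_misuse", "user": "jdoe", "host": "ws-104", "score": 70}
{"id": "a4", "category": "policy_violation", "user": "bwong", "host": "ws-221", "score": 20}
{"id": "a5", "category": "unknown_thing", "user": "x", "host": "ws-300", "score": 50}
this line is not json and must not crash the pipeline
"""

# Constructed asset inventory: criticality tier raises the priority of an alert.
ASSET_TIER = {"srv-db-01": 3, "ws-104": 1, "ws-221": 1}

@dataclass
class Alert:
    id: str
    category: str
    user: str
    host: str
    score: int
    tier: int = 0
    priority: int = 0

def parse_alerts(feed: str) -> List[Alert]:
    """Normalise the raw feed; malformed records are dropped, not fatal."""
    alerts = []
    for line in feed.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            a = Alert(str(rec["id"]), str(rec["category"]), str(rec["user"]),
                      str(rec["host"]), int(rec["score"]))
        except (ValueError, KeyError, TypeError):
            continue
        a.tier = ASSET_TIER.get(a.host, 0)          # unknown host -> lowest tier
        a.priority = a.score + 10 * a.tier           # simple, explainable scoring
        alerts.append(a)
    return alerts

def dedupe(alerts: List[Alert]) -> List[Alert]:
    """Collapse repeats of (category, user, host) so one incident runs one playbook."""
    seen, out = set(), []
    for a in alerts:
        key = (a.category, a.user, a.host)
        if key not in seen:
            seen.add(key)
            out.append(a)
    return out

Action = Tuple[str, str]

# Playbooks: each returns the automated actions it would dispatch to the
# integrated tools (identity provider, EDR, case management), named here as constructed verbs.
def pb_credential_misuse(a: Alert) -> List[Action]:
    return [("force_reauth", a.user), ("disconnect_sessions", a.user), ("open_case", a.id)]

def pb_malware(a: Alert) -> List[Action]:
    return [("isolate_host", a.host), ("open_case", a.id)]

def pb_policy_violation(a: Alert) -> List[Action]:
    return [("notify_owner", a.user)]

def pb_fallback(a: Alert) -> List[Action]:
    # An unknown category is never dropped silently; it is queued for a human.
    return [("manual_triage", a.id)]

PLAYBOOKS: Dict[str, Callable[[Alert], List[Action]]] = {
    "credential_misuse": pb_credential_misuse,
    "malware": pb_malware,
    "policy_violation": pb_policy_violation,
}

def run_playbooks(feed: str) -> List[Tuple[str, str, int, List[Action]]]:
    """Parse, dedupe, sort highest priority first, and route each alert to its playbook."""
    alerts = sorted(dedupe(parse_alerts(feed)), key=lambda a: a.priority, reverse=True)
    return [(a.id, a.category, a.priority, PLAYBOOKS.get(a.category, pb_fallback)(a))
            for a in alerts]

def category_counts(feed: str) -> Counter:
    """Which categories dominate the feed; good candidates to automate first."""
    return Counter(a.category for a in parse_alerts(feed))

if __name__ == "__main__":
    for row in run_playbooks(SAMPLE_ALERTS):
        print(row)
    print(category_counts(SAMPLE_ALERTS))
```

The fallback playbook is the part worth copying: an automation pipeline that silently discards alerts it does not recognise is a visibility gap, so anything outside the defined categories lands in a human triage queue while still being logged in the same system of record.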
Leveraging low-code security automation
The implementation of security automation capabilities is referred to as a “practical necessity” in the January federal zero trust strategy memo. Zero trust relies on an agency’s ability to successfully standardize user authentication and ensure attempted access is validated before granting access to an organization’s network.
Regulating access on such a granular level is a complex process that will generate a lot of repetitive work for security teams without automation in place. Security teams must feel confident in their controls while managing their environments to succeed.
Low-code security automation is a crucial component in accelerating the adoption of SOAR that ultimately makes it easier for federal agencies to comply with zero trust and logging mandates. Through low-code powered automation, security teams can easily implement modular, repeatable cybersecurity playbooks that enrich and process real-time data. Automation platforms built on low-code are also designed to enable anyone from junior security analysts to line-of-business leaders to participate in building security automation.
As cyber threats to the federal government continue to evolve, agencies need solutions that are easy to navigate and allow anyone at the organization to contribute their knowledge and expertise to the agency’s protection. By integrating their entire security stack and automating the time-intensive manual processes and operational workflows essential to keeping it secure, security teams gain greater visibility into their risk posture.
There is no feasible way for federal agencies to handle the volume of security alerts, disconnected tools, and complex processes, while dealing with a smaller staff, without low-code security automation. This technology has the power to go beyond the SOC to become a singular system of record for security teams, making it a crucial component of the foundation for meeting these zero trust architectural and SOAR requirements. This approach means agencies can seamlessly track and automate security processes, cases and reports from one centralized interface. This comprehensive visibility allows government agency security teams to overcome resource constraints and respond to threats more quickly, all while reducing the level of effort and total cost of ownership.
SOAR platforms vary significantly in the complexity of the use cases they can solve, and their service offerings differ accordingly. As agencies seek out the best ways to meet cybersecurity requirements and maximize incident response, they should ensure they choose an automation platform that supports use cases beyond traditional SOAR.
Cody Cornell is co-founder and chief strategy officer of Swimlane.