Conversations around federal zero trust efforts typically focus on one of the five distinct “pillars” in the Cybersecurity and Infrastructure Security Agency’s zero trust maturity model, such as identity or data.
The zero trust model, however, also features three “cross-cutting capabilities” that provide “opportunities to integrate advancements across each of the five pillars,” CISA writes in its model.
Unsurprisingly, “automation and orchestration” are among those cross-cutting capabilities and could feature in many facets of agencies’ future cyber defenses.
But Jaci Tomek, the vice president for public sector for Cortex by Palo Alto Networks, is quick to point out, “automation doesn’t mean automatic.”
“It is about creating efficiency and effectiveness,” Tomek said. “With automation does come orchestration to really empower people to make the right human decision at the right time.”
Agencies will also have to apply zero trust principles to their existing IT infrastructure and legacy systems, using automation where possible but not necessarily in every case, Tomek added.
“Especially things that have sort of a low risk, where we definitely block these items,” she continued. “And then we have a way to say, ‘You know what, I need to look at that one more time.’”
The cybersecurity industry is also moving toward “enriched telemetry,” where logs and other cyber data are used to make better decisions in the future, according to Kevin Brownstein, senior manager for systems engineering for Cortex by Palo Alto Networks.
“Taking in rich telemetry from endpoints from the network, combining it to make good decisions,” he said. “Some of that can be automation, based on the machine learning. But also being able to take that information, and then run a standard playbook against it. And this aligns well with zero trust in that it adds consistency. So you know when these things occur, our standard operating procedures are to take these steps, and automation can help enable that.”
Agencies and other organizations have long been required to retain network logs to aid in cybersecurity investigations. The Office of Management and Budget recently doubled down on those logging requirements for agencies in the wake of the 2021 SolarWinds campaign, based on directives stemming from the May 2021 cybersecurity executive order.
But Brownstein said logs are critical to zero trust implementations, where agencies are expected to automate and orchestrate cyber response activities by using contextual information from multiple sources.
“It’s a change in approach,” Brownstein said. “I think the executive order not only lays down mandates and recommendations around the types of logs to keep, but really the rich telemetry that enables AI and ML, because it provides the context that’s necessary for automation and machine learning that’s actually relevant.”
Tomek said automation should also help a cybersecurity workforce that often finds itself understaffed and overburdened by cyber alerts.
“It also frees up the analyst to have real high impact capability,” Tomek said. “We’ve really kind of flipped the model, and that’s one of the things that excites me about the day job, is to really lead with automation first. And so that by the time we need a highly trained, skilled analyst, it’s something that really needs their attention and their skill set.”
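The playbook flow Brownstein describes (join endpoint and network telemetry, then run a standard procedure against it) and Tomek's point that only decisions carrying little risk are blocked without a human, sketched as an added Python example that is not the article's or Palo Alto Networks' code. The telemetry fields, score weights and thresholds are assumptions chosen for illustration, not a vendor schema.

```python
# Added example: a minimal triage playbook that enriches network alerts with
# endpoint context, scores them, and routes each one to an automated block,
# an analyst review, or plain logging. Field names and weights are assumptions.

# Constructed sample telemetry (not real events).
ENDPOINT_EVENTS = [
    {"host": "ws-01", "process": "powershell.exe", "signed": False, "parent": "winword.exe"},
    {"host": "ws-02", "process": "chrome.exe", "signed": True, "parent": "explorer.exe"},
    {"host": "ws-03", "process": "svchost.exe", "signed": True, "parent": "services.exe"},
]
NETWORK_EVENTS = [
    {"host": "ws-01", "dest": "203.0.113.7", "port": 4444, "threat_intel_hit": True},
    {"host": "ws-02", "dest": "198.51.100.9", "port": 443, "threat_intel_hit": True},
    {"host": "ws-03", "dest": "192.0.2.10", "port": 443, "threat_intel_hit": False},
]

def enrich(endpoint_events, network_events):
    """Join the two telemetry sources on host so each alert carries both contexts."""
    by_host = {e["host"]: e for e in endpoint_events}
    return [dict(n, endpoint=by_host.get(n["host"])) for n in network_events]

def score(alert):
    """Additive risk score; the weights are illustrative assumptions."""
    s = 50 if alert["threat_intel_hit"] else 0
    ep = alert["endpoint"]
    if ep:
        if not ep["signed"]:
            s += 30  # unsigned binary talking to the network
        if ep["parent"].lower() in {"winword.exe", "excel.exe", "outlook.exe"}:
            s += 20  # office application spawning a process is a common macro pattern
    return s

def decide(alert, auto_block_threshold=90, review_threshold=40):
    """Playbook step: automate only where every signal agrees; otherwise escalate."""
    s = score(alert)
    if s >= auto_block_threshold:
        return "auto_block"       # high confidence, low risk of a wrong automated action
    if s >= review_threshold:
        return "analyst_review"   # "I need to look at that one more time"
    return "log_only"

def run_playbook(endpoint_events=ENDPOINT_EVENTS, network_events=NETWORK_EVENTS):
    """Return the action chosen for each host after enrichment and scoring."""
    return {a["host"]: decide(a) for a in enrich(endpoint_events, network_events)}

if __name__ == "__main__":
    for host, action in run_playbook().items():
        print(host, action)
```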