Insight by Microsoft

How telemetry can guide an agency’s zero trust journey

This content is sponsored by Microsoft.

The White House has been clear about its mandate for federal agencies to move to a zero-trust posture as quickly as possible, through President Joe Biden’s cybersecurity executive order last May and now the Office of Management and Budget’s Memorandum M-21-31, which requires federal agencies to rapidly move toward log event management capabilities to improve the ability to investigate and respond to cloud security attacks.

M-21-31 concerns logging maturity levels for federal agencies, ranging from 0 to 3, with zero representing no maturity and three representing an advanced security state. Each level dictates a certain number and categories of logs an agency is expected to save, and for how long. The benefit here is that it creates a baseline that can be measured against when making changes. And that is where it ties in to zero trust.

“There’s great opportunity here to use them together in a mutually beneficial way,” said Steve Faehl, security chief technology officer for Microsoft Federal. “Zero trust encompasses a lot of pillars and domains in which you can apply many different patterns and best practices. For a lot of organizations, that can be overwhelming: knowing which patterns to pick, which scenarios to solve for first. It’s advantageous having rich telemetry streams at your disposal, not just for investigations, but for planning your zero trust strategy.”

Log Storage vs. Telemetry

What logs agencies collect and how they store them is important and has historically been the focus of security teams. But far more important, especially for achieving zero trust objectives, is how agencies use those logs. Telemetry can be used to empower analysts with a greater understanding of their environment and what’s going on within it.

“There’s a historical context of how logs have traditionally been used in that they were records of events collected; they were primarily for use in investigations after the fact,” Faehl said.

But recent efforts toward security transformation have borrowed concepts from digital transformation, including the usefulness of near-real-time data to power analytics and derive insights. Treating security data the same way you’d treat other forms of digital data, by applying analytics, provides better outcomes.

Having rich telemetry at an agency’s disposal can help security officers determine what scenarios to tackle next. For instance, understanding current authentication patterns allows them to track progress towards universal multifactor authentication and identify where incremental gains can be made. Network telemetry can be used to determine maturity of application segmentation or if there is overlap in IT/OT infrastructure. Knowing the current state can inform agencies about what to solve for next in their zero trust adoption. In fact, most agencies have this data sitting around already. It’s just not being operationalized. Many times, it’s as easy as deciding to put together a dashboard.

After applying a new zero trust control, measuring changes from current state via telemetry will indicate the success or failure of the control.
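As an added example (not from the article or from Microsoft), the following script shows the measurement loop the two paragraphs above describe: it computes per-application MFA coverage from sign-in telemetry, ranks where the largest incremental gains sit, and reports the change after a control is applied. The sign-in records are constructed, and the field names (`user`, `app`, `mfa`) are assumptions standing in for whatever the agency's sign-in logs actually carry.

```python
"""Measure MFA coverage from sign-in telemetry and track change after a control."""
from collections import defaultdict

# Constructed sample sign-in records (not real agency data). Each record
# notes the user, the application reached, and whether MFA was satisfied.
BEFORE = [
    {"user": "alice", "app": "mail", "mfa": True},
    {"user": "bob", "app": "mail", "mfa": False},
    {"user": "carol", "app": "hr-portal", "mfa": False},
    {"user": "dave", "app": "hr-portal", "mfa": False},
    {"user": "alice", "app": "vpn", "mfa": True},
    {"user": "bob", "app": "vpn", "mfa": True},
]

# Same sign-in mix after a hypothetical policy requiring MFA on hr-portal.
AFTER = [dict(e, mfa=True) if e["app"] == "hr-portal" else dict(e) for e in BEFORE]


def mfa_coverage(events):
    """Return {app: (mfa_signins, total_signins)} for each application seen."""
    counts = defaultdict(lambda: [0, 0])
    for e in events:
        counts[e["app"]][1] += 1
        if e["mfa"]:
            counts[e["app"]][0] += 1
    return {app: (m, t) for app, (m, t) in counts.items()}


def coverage_rate(events):
    """Fraction of sign-ins that satisfied MFA, per application."""
    return {app: m / t for app, (m, t) in mfa_coverage(events).items()}


def overall_rate(events):
    """Agency-wide fraction of sign-ins that satisfied MFA (0.0 if no events)."""
    return sum(e["mfa"] for e in events) / len(events) if events else 0.0


def biggest_gaps(events, n=2):
    """Applications with the most non-MFA sign-ins: the next targets to tackle."""
    cov = mfa_coverage(events)
    return sorted(cov, key=lambda a: cov[a][1] - cov[a][0], reverse=True)[:n]


def coverage_delta(before, after):
    """Per-application change in MFA rate between two telemetry windows."""
    b, a = coverage_rate(before), coverage_rate(after)
    return {app: round(a.get(app, 0.0) - b.get(app, 0.0), 3) for app in set(b) | set(a)}


if __name__ == "__main__":
    print("gaps before:", biggest_gaps(BEFORE))
    print("delta after control:", coverage_delta(BEFORE, AFTER))
```

Pointing the same functions at two consecutive reporting windows gives the before/after comparison the text describes, and the gap list is the dashboard view of where to apply the next control.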

Telemetry can inform the user experience as well. Understanding what users are doing and how they’re navigating the system can help security personnel plan a strategy that not only improves the security posture of the agency, but also minimizes friction, improving the user experience.

“One of the great things about having modern log management provide rich telemetry is that, as a first step, it generally has very little impact on user experience,” Faehl said. “So by starting off with discovery, we are now better informed to continue to improve user experience while also improving the security and the environment.”