TL;DR: The NSA’s “Advancing Zero Trust Maturity Throughout the Automation and Orchestration Pillar” Cybersecurity Information Sheet
The National Security Agency (NSA) has released a series of cybersecurity information sheets (CSIs) that offer prescriptive guidance for how agencies can pilot DoD-defined zero trust systems, and integrate zero trust guidance into their enterprise strategy, design, and operations. These documents are dense and granular, so we are going to summarize the key points into a quick(ish) “TL;DR” to help you orient yourself around this guidance. Today, we are focusing on the “Advancing Zero Trust Maturity Throughout the Automation and Orchestration Pillar” CSI — and will break out each of the key areas into three bullet points: an overview, what preparation entails, and our key takeaways.
Skip right to the key areas:
Leveraging automation and orchestration can add efficiency and agility to a system, but implementation has to be handled carefully to avoid introducing unintended vulnerabilities.
Adhering to core ZT principles like “never trust, always verify,” the NSA approach to secure automation and orchestration hinges on continuous monitoring, dynamic updates, and real-time analysis to maximize security. This emphasis on integrated security architecture is focused on protecting data, applications, assets, and services (DAAS). Perhaps most excitingly, the automation and orchestration pillar presents one of the best opportunities for defenders to embrace the power of AI and machine learning as they strive for zero trust maturity.
What is the Automation and Orchestration Pillar?
We’re all fairly comfortable with the concept of “users” and “data,” but defining “orchestration” feels a little more nebulous and vague. So what’s the deal with the automation and orchestration pillar? The automation and orchestration pillar in the DoD Zero Trust Strategy interacts dynamically with the user, devices, data, network, and visibility and analytics pillars to enhance security and efficiency. (Note: this is a cross-cutting function if you follow the CISA Zero Trust model, I outline the differences between the CISA and DoD ZT frameworks in this blog post.) According to the DoD Zero Trust Reference Architecture, this synergy enables a cohesive, scalable, and resilient security posture that adapts to evolving cyber threats.
A Word of Warning: Secure Automation is Important
While automation reduces the workload of network defenders, it can also introduce risks. We don’t want our critical security systems to be “asleep at the wheel” due to insecure automation.
But how do we automate securely?
Through playbooks. A ZT playbook is a structured set of predetermined actions, activated as needed to address and mitigate incidents. These playbooks allow for the automation of security workflows by dictating the workflow that’s triggered by a particular scenario. Playbook-driven automation can quiet distractions and minimize busywork, enabling analysts to focus more on analysis and investigation.
How to properly plan and define a ZT playbook is a major theme throughout the CSI document series. Let’s break down the NSA guidance on the key areas that aid in developing a ZT playbook for key functions involving automation and orchestration.
Key Areas to Implement Zero Trust
Policy Orchestration Using Policy Decision Points
Overview: Security policies dictate how access decisions are made, and protect data and services. In a ZT model, security policies rely on policy information points (PIPs) for storing policies and contextual data, policy decision points (PDPs) for interpreting these policies, and policy enforcement points (PEPs) for implementing access decisions. In traditional networks, security devices often perform these functions together, but in a ZT environment, these functions are decoupled to ensure that automations are only triggered when authenticated and authorized entities are involved.
Getting there: Preparation involves threat models and criticality analyses to inform policies. At the basic level, rule-based policies are mapped to access and security profiles for users and non-person entities (NPEs), while intermediate and advanced stages see PEPs, PIPs, and PDPs enforce dynamic, fine-grained, machine-readable policies for all access requests.
Takeaway: Do the homework to make sure your automations are built on policies that are well-thought through in terms of who or what can access which resources (and when/how), and leverage ZT architecture to keep those policy decisions isolated from each other and your users. Save yourself time in the long run by making those policies machine-readable.
Critical Process Automation
Overview: Critical process automation (CPA) involves automating essential processes while ensuring that no entity is trusted. This approach continuously verifies and validates trust for all users and devices (because, remember, zero trust is assumed.) Robotic process automation (RPA) enhances CPA by automating repetitive tasks such as user provisioning and access approvals, improving efficiency and reducing human error.
Getting there: Preparation involves identifying critical processes and automating low-risk, repetitive work. At the basic level, target automation on critical processes with simple rules, while intermediate and advanced stages expand automation using RPA on repetitive tasks, focusing on improvements in incident response time and risk management.
Takeaway: Automation can reduce burden and accelerate productivity, but you want to scope it to processes that won’t disrupt important business functions if the automation fails or is incorrect. CPA should be used to minimize busy work.
Artificial Intelligence
Overview: Artificial intelligence (AI) involves building machines that can apply logic, learn, and act in ways that typically require human intelligence, or handle data beyond human analytical capabilities. AI can analyze large data sets to detect and respond to security threats swiftly, reducing breach impacts. However, AI can create its own set of security challenges, and attention should be paid to scope, and ensuring continuous human oversight for accuracy.
Getting there: Preparation involves defining the scope and ensuring data accuracy and completeness for models. At the basic level, add and test relevant tools, limiting scope and activity to avoid impacting critical operations. Intermediate stages implement AI/machine learning (ML) tools based on system analytics throughout the network, while advanced stages increase automation, focusing on prediction, anomaly detection, and appropriate response actions.
Takeaway: AI and AI-based tools are great, but they need to be used carefully and intentionally. Like CPA, use AI to ease toil for human workers and improve response times, but avoid leveraging it in spaces where errors, hallucinations, or failures can drastically impact workflow. Monitor closely.
Machine Learning
Overview: ZT heavily relies on data tagging based on sensitivity and access, generating vast amounts of data from access logs, network traffic, user behavior, device attributes, and security events. This data can train ML models to establish activity baselines and detect anomalies, which can inform User and Entity Behavior Analytics (UEBA), perform root cause analysis, detect and respond to data loss prevention (DLP) incidents, and mitigate threats. Like with AI, regular testing and human review are essential to improve model accuracy and validate actions.
Getting there: Preparation involves identifying data sources and tagging them for machine use. At the basic level, tag and classify data using ML tools while monitoring for biases and errors. Intermediate stages expand ML tools throughout the network, tuning hyperparameters for optimization, while advanced stages allow ML to self-evaluate and expand scope.
Takeaway: Tag your data early and often, otherwise, see AI.
Security Orchestration, Automation, and Response
Overview: Security orchestration, automation, and response (SOAR) technologies gather and enrich data, provide decision logic, and execute actions and tasks supporting security policies. A SOAR product operates under three main capabilities: threat and vulnerability management, security incident response, and security operations automation. SOAR facilitates automation and orchestration by ingesting alert data and triggering playbooks for automated responses and remediation, improving incident detection speed and response, enhancing security team collaboration, and mitigating threats with greater speed and scale.
Getting there: Preparation involves building a log and audit policy to inform SOAR and exploring tooling. At the basic level, implement policies and tools, leveraging predefined playbooks for logging, incident response, and triage to build automation and automate decision-making (PEPs and PDPs). Intermediate stages refine tools and expand automation to threat and vulnerability management alerts. Advanced stages test and improve automations, tuning for speed and efficiency, and introducing iterative decision logic (AI/ML) to aid in response.
Takeaway: SOAR and SIEM tooling offer great tool sets for incident response that are built to leverage AI and ML. Do the work early on to set up environmental triggers to execute response playbooks that can quiet noise and focus your human incident responders efforts.
Data Exchange Standardization
Overview: Standardization of data formats, protocols, and application programming interfaces (APIs) enables services and applications to communicate consistently, enhancing orchestration and interoperability. If our services and tools can’t communicate, their utility is greatly decreased. The increasing reliance on cloud services for security and data transportation further underscores the need for interoperability standards.
Getting there: Preparation involves gathering data from integration points to inform future standardization, considering industry-adopted APIs and OSS. At the basic level, choose standards, build a catalog and style guide for APIs, and ensure system compliance, including in product purchasing. Intermediate stages enhance guides, gather feedback from DevOps, expand standardization, and test API functions using standards. Advanced stages automate tracking for performance, errors, and usage patterns to detect anomalies in APIs, protocols, and formatting.
Takeaway: Orchestration is challenging if your tools and resources don’t speak the same language. Standardization is a daunting task, but by leveraging OSS and industry APIs, it's worth it for your team to take on this effort for the dividends it pays down the line.
Security Operations Coordination and Incident Response
Overview: Security operations centers (SOCs) provide visibility and tactical security management through the development, testing, and implementation of incident response plans. Using automated tools and technologies like security incident and event management (SIEM) and SOAR enables SOCs to leverage rapid analysis, automated data collection, and automated threat responses, ingesting vast amounts of data that often exceeds human processing capacity.
Getting there: Preparation involves determining SOC scope, developing an incident response plan (IRP), identifying requirements, and exploring tooling. At the basic level, create a SOC if needed, integrate data with SIEM, and develop playbooks and workflows. Intermediate stages involve tuning IR plans, ensuring SIEM captures all relevant data, and automating playbooks with SOAR. Advanced stages see SOAR automating incident response using AI/ML, anomaly detection, and historical data, with fully automated playbooks.
Takeaway: A SOC represents an opportunity to leverage all the above technologies to support an agile, effective, and coordinated zero trust system. Avoid the temptation of skipping this step and simply using a SIEM or a SOAR, and you’ll find that your enterprise can evolve and adapt more easily over time.
Embracing Automation and Orchestration to Enhance Zero Trust
Let’s recap: For ZT automation and orchestration, organizations should focus on four key areas to enhance their cybersecurity posture.
Automate repetitive, labor-intensive, and predictable tasks related to critical functions such as data enrichment, security controls, and incident response (IR) workflows, following system security engineering principles.
Employ advanced algorithms and analytics, particularly AI/ML, to improve critical functions like risk and access determinations, environmental analysis, IR, anomaly detection, user baselining, and data tagging.
Embrace the SOC, coordinating security operations and incident response through a security operations center (SOC) to detect, respond, and mitigate threats more quickly and effectively.
Start small. Over-reliance on automation can lead to complacency and reduced human oversight. To mitigate these risks, organizations should start small with low-risk tasks, maintain human oversight, and continuously monitor and evaluate automated processes.
Orchestrating these tasks across interoperable capabilities enhances efficiency and reduces the manual burden on defenders. By following the guidelines outlined in the NSA's automation and orchestration CSI, organizations can ensure that security policies are consistently enforced, advanced analytics are effectively utilized, and incident response is efficiently managed. Ultimately, these practices will help organizations stay ahead of evolving cyber threats and maintain a secure environment.
Are you looking for support creating and implementing a comprehensive zero trust strategy? Give us a shout! We’d love to put our experience to work for you.
