In an ideal approach to zero trust, in which every user and device must continually prove their identity, automation is more than a useful tool, it’s essential to your federal agency’s success. You don’t need to take our word for it - security automation and orchestration is mandated by M-22-09 and M-21-31, and forms an integral part of the framework in CISA’s ZTMM (zero trust maturity model).
The message from the government and security experts alike is clear - without automation, there is no zero trust.
There are lots of areas where automation can come into play — I think we’re going to fail if we don’t automate as we implement zero trust.
ℹ️Info
The stakes are high for agencies that have yet to implement or leverage the full potential of automation. While it’s true that CISA recommends a “gradual evolution” to zero trust, automation is listed as one of the first steps. But that doesn’t mean you have to start automating overnight. It’s important to spend some time defining your automation strategy and finding the right tools to help you execute it.
So, what exactly does the government say about security automation and orchestration? How can federal agencies use automation to take meaningful strides toward improving their security posture? And what kind of capabilities do security orchestration, automation, and response (SOAR) platforms need to comply with regulations? In this post, we’ll find out.
The role of automation and orchestration in zero trust
Zero trust and automation are inextricably linked. In zero trust, users and devices are treated as untrustworthy until proven otherwise, making manual access management close to impossible. Even a large IT organization working around the clock would struggle to keep pace.
In most cases, automated workflows are the only way to implement CISA's mandate of "just-in-time and just-enough access tailored to individual actions and individual resource needs."
As agencies grapple with security events throughout their systems and cloud
infrastructure, automation of security monitoring and enforcement will be a practical necessity.
This is reinforced by the five pillars and three cross-cutting capabilities listed in CISA’s ZTMM:
Zero trust pillars
Identity
Devices
Networks
Applications and Workloads
Data
Zero trust cross-cutting capabilities
Visibility and Analytics
Automation and Orchestration
Governance
As agencies transition towards optimal zero trust implementations, associated solutions increasingly rely upon automated processes and systems that more fully integrate across pillars and more dynamically enforce policy decisions.
- CISA's zero trust maturity model
In the document, CISA also outlines three stages in the journey to ZTMM, each requiring greater levels of protection, detail, and complexity for adoption.
Initial
Advanced
Optimal
Automation appears in the initial stage of the zero trust journey, which means it requires immediate attention and action.
Automation for zero trust: choosing your approach
Making security automation work - measurably improving security posture and efficiency without disrupting the daily work of the agency - will require careful tuning, iteration, and sensitivity to business needs. For an automated security system to operate effectively with a mostly hands-off approach, false positives and false negatives must be low.
Successful automation of security responses will require rich data to inform systems for orchestration, as well as permission management. This includes the protected data types and who is accessing the data.
When choosing an approach to automation and orchestration, agencies generally base their decision on their specific needs and goals. Some partner with a low-code solution, others choose SOAR platforms with a heavy code and service overhead, and others still take a do-it-yourself approach to automation.
Things to consider when choosing your approach to automation
Adoption speed - coding comes with a steep learning curve, meaning systems take longer to deploy
Development speed - no-code or low-code workflow automation platforms can help your team build faster than coding
Hosting and maintenance - high-code automation platforms can demand robust hosting infrastructure and extensive maintenance efforts
Personnel - no-code automation enables everyone on your team to create, manage, and maintain workflows, not just engineers
Scalability - maintaining custom scripts or code, especially as they grow in complexity, poses challenges
Security risks - custom code can be an unintended insecure entry point for adversaries
Cost - ineffective systems lead to costly incidents, and platforms that aren’t fit for purpose can end up as shelfware
Every agency has different needs and priorities, but the list above highlights some of the key benefits of a no-code and low-code SOAR platform.
The right-fit SOAR platform will be the connective tissue of your zero trust architecture, creating a unified defense strategy by extracting data from disparate tools and orchestrating responses to potential threats. The wrong-fit SOAR platform will gather dust on the shelf.
SOAR platforms: shelfware or a fast track to zero trust?
We’ve written previously about how you can’t buy zero trust, and how vendors that promise this should be treated with caution. Your zero trust program must be intentionally designed and tailored for your organization and mission set.
When it comes to choosing a SOAR, it’s crucial to establish, in as much detail as possible, what you need your platform to do, before considering your options.
The truth is, many SOAR platforms are underutilized because they don’t fulfill the organization’s needs, or there aren’t sufficient resources to support them. The problem of software becoming shelfware is well represented in data - in one study by CSO online, security leaders reported that they only use 72% of the security technologies that they purchase.
This is one of many reasons why federal agencies are moving away from legacy SOAR and towards modern platforms like Tines.
Challenges with legacy SOAR
Difficult and time-consuming to learn and deploy
Requires engineers to build and manage workflows
Long build times - playbooks can take weeks to create when they could take hours
Lacking a relentless focus on automation and orchestration - it's often a bolted-on feature in a bigger system e.g. SIEM and TIP platforms
Limited ability to connect to internal or external tools without a long wait time or added cost
With this in mind, we’ve drafted a list of questions to use when evaluating SOAR platforms.
Things to consider when choosing a zero trust SOAR platform
What exactly do we need our SOAR platform to do? Incident response, endpoint management, etc.
Is the platform quick to deploy? What’s the onboarding process like?
Is it intuitive to use? Can the whole team use it, or does it require engineers to build and maintain workflows?
What’s the development speed like? How long will it take for the team to build each workflow?
Is it flexible enough to connect to all of our tools, internal and external?
Will it work within our hosting infrastructure?
Providers that supply broad-based, vendor-neutral SOAR… What sets these products apart is their ability to receive inputs from a broad ecosystem of security products, and organize the workflow of the security operations team. […]
Buyers who prefer the best-of-breed approach will find that SOAR still offers more flexibility, genuine vendor-neutrality, and opportunities for non security use cases.
- Gartner's 2023 Market Guide for Security Orchestration, Automation and Response Solutions
Now, we’ll take a look at how Oak Ridge National Laboratory, a federally-funded research organization, used a no-code, low-code workflow and automation platform to reach their zero trust goals.
Case study: Oak Ridge National Laboratory
Oak Ridge National Laboratory (ORNL) faced the complex task of implementing the zero trust framework while managing a rotating security automation team.
They needed:
A way to quickly automate a large number of processes that require continuous monitoring and reporting
A platform that could connect internal and external systems in their wide and varied tech stack
A system that could be easily used and managed by anyone on ORNL’s security team, which includes team members who can’t code, and team members who regularly step out for military training and deployments
Increased metric evaluation and reporting capabilities
Pete Wood, Lead Engineer, used a phishing analysis workflow to test several vendors. Tines was the only platform that was able to achieve this in the eight-week timeframe.
Mike Crider, Cyber Vulnerability Analyst, explained, “It was a game changer during onboarding when we could connect all our systems. We have a lot of tools in our environment. Anything that has a backend API, we’re now using Tines to tie into that tool. Our ability to integrate new tools has taken out so much of our everyday tasks from before.”
The team now uses Tines for:
Organization-wide reporting
Curating and combining information across databases
Vulnerability management
Cyber threat intelligence
Endpoint management
Firewall rule management
Forensics
Digital investigations
Incident response
Our zero trust strategy relies heavily on integration and automation. With Tines, we're able to quickly and easily build integrations and automated workflows across our tooling to ensure our zero trust-related processes are repeatable and reliable.
Maria Mcclelland, Chief Information Security Officer, Oak Ridge National Laboratories
Tines: automation and orchestration for zero trust
Tines stands out from other SOAR solutions because of its intuitive and flexible design.
Unlike many SOARs, Tines offers a no-code or low-code interface that the whole team can use - there’s no need to wait for a developer to build or edit workflows, and no chance that it will become shelfware.
The platform’s unique approach to integrations makes it easy to connect to any tool that offers an API. This also makes it adaptable to changes in other technologies. As one customer put it, “No matter how many tools you change, you can keep Tines in place.”
Tines' workflow interface, "storyboard," is both documentation and automation. From action descriptions and annotations to viewer roles, there's little to no need for external documentation. It's all in-line and legible from the storyboard This drives consistency and helps compliance with executive orders, particularly when combined with a next-gen SIEM like Elastic.
Why federal agencies choose Tines
Fast, easy implementation
Designed for the whole team to use - anyone can build and manage workflows
Integrates with any tool, internal or external, that offers an API
Deployed where you need it - self-hosted, on-prem or hybrid
Adaptable to changes in your tech stack
Provides the controls you need to reinforce your security posture
Documentation capabilities drive consistency and aid compliance
Capable of handling massive complexity
Allows teams to still use code when it’s needed
Tines and zero trust framework
Tines users can choose from hundreds of pre-built, end-to-end playbook templates that they can import and customize to meet their agency's needs. Let's take a look at some popular use cases and templates for federal agencies pursuing zero trust.
Identity verification
Implement access control policies for multifactor authentication and access controls.
Monitor application access changes in Okta
Monitor Okta logs to identify recent access changes to applications. Easily export reports to CSV for further analysis.
Tools
Created by
Continuous monitoring
Auto-remediate identity and device verification to reinforce security protocols.
Access controls
Control access across environments and applications dynamically.
Block suspicious IPs by creating firewall rule groups with CrowdStrike
Create firewall rule groups to block the suspicious or malicious IP addresses submitted and contain devices.
Tools
Device verification
Automate device profiling, endpoint security, and threat intelligence in a bring-your-own-device economy.
Investigate & remediate critical container vulnerabilities in Aqua Security Cloud Workload Protection Platform
Automate remediation of all critical container vulnerability alert findings in the Aqua Security Cloud Workload Protection Platform in line with best practices to achieve a more robust security posture around your container environment.
Tools
Process automation
Enrich, prioritize, de-duplicate, and auto-respond to alerts and incidents for scaled security response.
Implement data loss prevention policies
Respond to DLP alerts if a user makes something on Google Drive public, accidentally or deliberately. This Story will contact the user via Slack, remove the relevant permissions from the file, and make it private again if necessary.
Find 100s more playbook templates in the Tines library.
The quickest path to zero trust
Federal agencies are at a critical junction in the journey towards zero trust, but, the right workflow automation platform can help them get there faster, and with fewer resources.
In Tines, agencies will find a valuable partner, a new kind of SOAR platform that not only aids compliance but reduces bottlenecks.