Few voices can cut through the marketing noise around zero trust as well as John Harmon’s. Ex-NSA analyst and current Regional Vice President of Cyber Solutions at Elastic, John has a compelling perspective on the journey to zero trust, because, as he puts it, “I’ve been the person on the keyboard that you’re trying to stop.”
We sat down with John to tap into his 20+ years of experience in federal security, and explore the most pragmatic approaches to zero trust, along with some pitfalls to avoid.
There’s been so much discussion around zero trust lately, that it’s easy to forget the true purpose of the mandate. Why zero trust and why now?
John: The M-21-31 Executive Order requires more extensive logging. M-22-09, which followed, calls for zero trust. Both of these EOs are a reaction to the SolarWinds attack that happened two or so years ago. There was a nation-state adversary that was in, not just government networks, but all kinds of networks, and they were there for 18+ months. And when it was discovered, nobody had that much data to verify it, and nothing was actionable. It took them weeks, if not months, to answer the really simple question of, ‘Have we seen this adversarial activity in our network?’, which should be a case of running a query and getting a yes or no. And that was untenable.
What are some of the biggest challenges government agencies face when implementing zero trust?
John: Budget is a big one. These executive orders are unfunded, which causes a problem for US agencies, because there's a thing they were told to do, but they weren't given any additional funds to do it. In the US government, we’re still in what’s called a CR, or continuing resolution. So technically the government can't buy new things at the moment. We usually get a budget passed in January or February, and that makes it a very tough environment to fund these kinds of things.
For most agencies, zero trust is going to require changes in their technology stack. What are some pitfalls to avoid when choosing those systems?
John: The biggest thing with zero trust is that a lot of companies will say, ‘Hey, spend 10 million dollars with us, and we'll fix your zero trust problem. Let's go all in our ecosystem. Let’s replace every little thing you have.’ I try to take the approach of crawl, walk, run into zero trust.
You don’t have to rip out everything and start over. You can be compliant with the requirements by understanding what you have deployed, and doing an internal exercise to understand what you have in place that can cover the zero trust pillars. Then you can decide what systems you need to supplement that.
For a lot of agencies, it seems like zero trust will require a pretty significant mindset shift.
John: Totally. For many of them, this is a new, more modern way to think about your data and your IT assets. Don't think of zero trust as this big, expensive time and money suck. It's about spending a little bit of time understanding what you have and what you need. Then you’re going to plug systems in where those gaps are. Customers need all of their zero trust data searchable and accessible. A data mesh.
Zero trust has caused some confusion among security teams at federal agencies. What are some of the things that are tripping them up?
John: I think it’s important to understand that being a hundred percent compliant is not necessarily the goal. It's probably unachievable, actually. It’s more about how can we make sure that we're getting the gist of the executive order, and changing our mindset so we don't have these huge breaches happen again in the same way.
Tell us a little bit about the partnership between Tines and Elastic, and how that can help agencies implement zero trust.
John: Tines and Elastic provide agencies with the information they need to investigate alerts and make important decisions in one place. That combination of high-fidelity detection and alerting by Elastic and robust automation by Tines helps them with continuous monitoring, threat detection and prevention, alert enrichment, incident response, and lots more. That’s a compliant, compelling, and budget-friendly offering for zero trust. It’s kind of like Elastic is the brain, and Tines are the arms moving stuff around. And then you can also plug in other vendors as needed.
Let’s dig a little deeper into SIEM and SOAR, which are directly called out as zero trust essentials. What are some of the misconceptions you hear about SOAR?
John: A lot of agencies still think that SOAR is an expert system, because many of the prior SOARs were expert systems. You had to have team members who knew how to develop with Python and forget switching in between vendors. You’d have to recreate all your workflows. When I talk to agencies, I ask, ‘How many of your users are actually able to do anything within your SOAR that wasn't built for them by somebody else?’ And they usually say, ‘We have like one or two people, and if they left, we'd be screwed.’ With a platform like Tines, those barriers don’t exist anymore - your analysts become automators. Most Tines users are automating dozens of use cases in their first year, which means that agencies can see value in days or weeks, not months.
🪄Tip
What should agencies consider when thinking about SIEM?
John: To me, traditional SIEM is legacy. Elastic is a modern SIEM that leverages analytics and AI. Elastic’s foundation as a search analytics platform serves as a data mesh for all your data and telemetry. It's your IT data, all your log data, all of your security data, and then one place where it can be analyzed, protected, and detected. Say folks are storing 10 TB a day. Storing that data and keeping it actionable becomes problematic and expensive. With Elastic, you can snapshot data into our Frozen Tier. When 14 days is up, we snapshot that data, and ship it off to the S3, so it's really outside of Elastic. But the cool thing is the data is still actionable or searchable 9, 12, 18 months from now. Using our Frozen Tier, customers can build a compliant, compelling, and affordable zero trust solution.
Tines: So let’s go back to the story of the SolarWinds breach. How can next-generation tech put us in a better position in those kinds of incidents?
John: Let’s say it happens all over again. 18 months from now we learn that some new nation-state actor was in our network, and the NSA or FBI knock on our agency's door. They say, ‘Hey, here's the TTP for this adversary. Have you seen this?’ The old answer was, ‘Uh, I don't know. We don't even have that data…’ They were literally going to hard drives, like, ‘OK, December 2019, let's load this data up and see what's in there’, and each one was taking a couple of days.
With Elastic and Tines, that week-long or month-long exercise of trying to find the needle in the haystack becomes running a query, going to refresh your coffee, and coming back to a result.
That’s a game-changer. And it's good for the C suite too, because they’re reducing the amount of money that they need to spend answering that really simple question.
Learn more about how a unified data access layer can help your agency in Elastic’s white paper.