By Chris Cullerot, Director of Technology and Innovation, iTech AG
Earlier this year, the Cybersecurity and Infrastructure Security Agency released its Zero Trust Maturity Model 2.0 to help agencies develop zero trust strategies and actionable implementation roadmaps.
CISA’s updated maturity model aligns with previous efforts, continuing to provide resources and roadmaps to help agencies protect their most sensitive data and meet security standards required by the end of FY24.
Effective zero trust architectures combat persistent threats by validating every user and device, and continuously validating identities within the environment before authorizing access. It’s an approach that benefits organizations of all kinds—and the maturity models put out by CISA can provide a roadmap for all sectors as well.
Improving the detection of cyber incidents and creating standard playbooks greatly assist agencies in addressing common challenges agencies may encounter and will empower agencies to face cyber incidents head on, complementing zero trust principles for a more secure organization.
Improving detection of cyber incidents
Effective cyber defense requires enhanced speed and agility to stay ahead of dynamic threats. An advanced or optimal zero trust posture requires automated controls and centralized visibility into the IT environment. This starts in the security operations center (SOC).
Even with zero trust principles in place, incidents will inevitably occur so addressing the most significant threats first is essential to managing the deluge of events that SOC analysts face. The volume of tickets can mean more severe alerts get lost in a rush of information. Analysts need a detection and event management process that helps them prioritize those events deemed most critical.
To enhance threat detection and response, one federal agency implemented an incident detection and response solution that allows them to collect, interpret and store audit logs to perform analytics and detect anomalies.
Teams are then alerted once a threat is detected, and the solution automatically creates actionable tickets that are managed through the incident response workflow for validation, response, and remediation. The incident response system also provides threat context to assist in validating an event and informing the appropriate response.
Security teams now draw critical insights that help them identify and prioritize cyber incidents and take the appropriate actions to contain and eradicate the threat. Approaches like this demonstrate realistic ways that agencies can address zero trust requirements, recognizing that not every incident can be immediately investigated.
Creating standard playbooks
When responding to a cybersecurity incident, descriptive playbooks equip security teams with the proper resources to support containment, eradication and recovery from the threat.
As organizations continue their zero trust journeys, security leaders may notice common threats. In these situations, standard playbooks can identify patterns and provide a repeatable response to remediate these attacks. The playbooks also allow IT leaders to automate responses to security incidents such as email phishing, malware, and denial of service.
These automated solutions can be tailored to an organization’s specific needs to better respond to threats moving forward. Furthermore, by automating security responses, SOC teams become more efficient and effective by reducing the amount of time spent on identifying and remediating taxing events, and instead allocating the time and resources to higher priority or more complex cyber incidents.
For example, to better position the team in its zero trust journey and progress its modernization posture, another federal agency was focused on improving response time to evolving threats and streamline enterprise security operations. By implementing functions such as security orchestration and automation response (SOAR), errors resulting from manual processes were eliminated across teams. These standard playbooks and dashboards helped expedite investigations, response processes, and corrective actions across the agency’s IT, security, and risk teams.
The agency cultivated a more uniform approach to cyber incidents and improved its ability to respond to emerging threats.
Looking ahead
Achieving zero trust is a significant undertaking as agencies need to protect their data while meeting evolving security standards and mandates from CISA and other federal agencies. To meet these expectations and upcoming deadlines, advance their zero trust journeys and best protect government holistically, agencies will benefit from approaches that streamlines and helps automate important functions.
Taking incremental, concrete steps to improve detection of cyber incidents and creating standard playbooks will accelerate and advance security postures as organizations continue a zero trust journey, better positioning them in today’s digital threat landscape.
About the Author
Chris Cullerot is a security leader and strategist with over 18 years of experience in security management and operations. He has led numerous security programs and initiatives during his career including the incident response program for the 2016 Presidential Transition Team. He is driven by a passion for innovation with the ability to integrate the security function with corporate goals and business strategies. Chris currently serves as the Director of Technology and Innovation for iTech AG, overseeing the delivery of the company’s technical portfolio of services including digital innovations and cybersecurity. Learn more about iTech AG at https://www.itechag.com/.