
Zero-Trust and SOAR, the Perfect Operational Match


Zero Trust Model Dec 7, 2021

Zero-Trust Vision

Zero-trust architecture (ZTA) is an information security design concept, first offered in 2004 through the former security-practitioners consortium known as the Jericho Forum. Forum members believed traditional perimeter-protection approaches to network and system security architecture and design could not cope with important contemporary business drivers for collaboration.[1]

Attempting to confine data behind a corporate firewall—restricting it to a controlled network—was one of the biggest contributing factors to failed security architectures over the last two decades. It inhibited the monetization of data, placing a drag on innovation and growth. Protecting data required a paradigm shift in thinking from security architects. This shift was referred to as de-perimeterization, and the Jericho Forum Commandments [1] formed today's zero-trust vision. The originators of zero-trust focused on the benefits, not the consequences of collapsing the perimeter. They couldn't have imagined the necessity of orchestration and automation required to realize zero-trust fully. And then again, how could they? Security automation use cases didn't arrive on the scene for several years.

Adopting zero-trust principles has been slow but has gained momentum, experiencing a meteoric rise since the onset of the COVID-19 pandemic. The lean-in workplace quickly became the get-out workplace, scattering users and data to the four corners of the world. Organizations had to accept a hybrid workforce with many employees working from home and devise new ways to protect data.

In April 2021, Microsoft published the results of a global research study of 900 senior security decision-makers on the adoption of a zero-trust strategy. Ninety-six percent of the participants stated that zero trust is their number one priority.[2] The most concrete example of this wild west is the predominant part of the workforce working from unsecured locations, using all manner of devices to access sensitive information and resources.

The Unintended Consequence of Zero-Trust

Organizations that implement a zero-trust architecture begin to experience an increase in the number of security alerts besieging their security operations center (SOC).

But how can that be? Zero-trust was never intended to make cybersecurity programs more efficient, but rather to make IT estates more secure. Zero-trust works because IT estate assets are not trustworthy, and their security posture must be continually monitored and evaluated, ensuring assets reflect the highest hygiene discipline. Assets with an unknown state should never be allowed access to the enterprise.

Adhering to this fundamental principle of zero-trust will create a lot of noise on the network until baselines can be established and the network settles down, if it ever does. Undoubtedly, the increase in alerts is going to add to SOC analyst alert fatigue, but it also brings the critical capabilities of curation, enrichment, refinement and, ultimately, acceptance to the table; those capabilities are needed before an organization can even think about implementing this model.

Source: "CISO Guidance for Zero-Trust Architecture: A NIST-Based Approach," Aite-Novarica Research, October 20, 2021.

Achieving ‘Taste Great - Less Filling’

What can organizations do if they want to pursue zero-trust, but not to the detriment of their SOC? You don’t want your analysts walking out when they see this memo. Deploying a security orchestration, automation, and response (SOAR) solution may be just the ticket. Zero-trust provides the ‘taste great,’ and a SOAR solution supplies less filling – the best of both worlds.

Zero-trust creates virtually unlimited enforcement points that no human team can keep abreast of. These requests will pile up, creating a backlog of access requests longer than the many cargo ships waiting to be docked and unloaded during a pandemic. The hundreds of thousands of status alerts created by IT estate resources reporting on their policy state compound this backlog.

SOAR solutions will address this alert fatigue unwittingly created by zero-trust in several ways.

First, integrating threat intelligence and risk scoring to identify and eliminate false positives allows SOC analysts to investigate legitimate alerts. Secondly, SOAR solutions execute pre-programmed actions or playbooks that automate many rote tasks, reducing tedious SOC analyst work from hours to minutes.
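To make the two mechanisms concrete, here is an added toy SOAR-style triage playbook for zero-trust posture alerts (example code written for this page, not Cyware's product or anything from the original post). The alert stream, the threat-intel feed, the risk weights and the action names are all constructed for illustration; a real deployment would pull them from the estate's enforcement points and intel sources.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed threat-intel feed (illustrative indicators only).
THREAT_INTEL = {"203.0.113.7": "known C2", "bad-update.example": "malware host"}

@dataclass
class PostureAlert:
    """One status alert emitted by an enforcement point reporting an asset's policy state."""
    asset: str
    state: str                # "compliant", "noncompliant" or "unknown"
    src_ip: str
    resource: str
    failed_checks: list = field(default_factory=list)

def risk_score(alert: PostureAlert) -> int:
    """Combine posture state, failed checks and threat-intel hits into a 0-100 score."""
    score = {"compliant": 0, "noncompliant": 40, "unknown": 60}[alert.state]
    score += 10 * len(alert.failed_checks)
    if alert.src_ip in THREAT_INTEL:
        score += 50
    return min(score, 100)

def triage(alert: PostureAlert) -> dict:
    """Playbook step: deny unknown or intel-flagged assets, auto-close noise, escalate the rest."""
    score = risk_score(alert)
    if alert.state == "unknown" or alert.src_ip in THREAT_INTEL:
        action = "deny_and_quarantine"   # zero-trust: unknown state never gets access
    elif score < 30:
        action = "auto_close"            # compliant asset, no enrichment hits: noise
    else:
        action = "escalate_to_analyst"   # only these reach a human
    return {"asset": alert.asset, "score": score, "action": action,
            "intel": THREAT_INTEL.get(alert.src_ip)}

def run_playbook(alerts):
    """Run triage over a batch and return (per-alert results, per-action counts)."""
    results = [triage(a) for a in alerts]
    summary = dict(Counter(r["action"] for r in results))
    return results, summary

# Constructed sample: what a posture-reporting estate might emit in one minute.
SAMPLE_ALERTS = [
    PostureAlert("laptop-01", "compliant", "198.51.100.4", "payroll-app"),
    PostureAlert("laptop-02", "compliant", "198.51.100.9", "wiki"),
    PostureAlert("byod-17", "noncompliant", "198.51.100.22", "crm", ["disk_encryption"]),
    PostureAlert("kiosk-03", "unknown", "198.51.100.30", "hr-portal"),
    PostureAlert("laptop-05", "compliant", "203.0.113.7", "payroll-app"),
]
```

Calling `run_playbook(SAMPLE_ALERTS)` leaves only one of the five alerts for an analyst; the other four are closed or blocked by the playbook, which is the workload reduction the paragraph above describes.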

Pillar of Success

Orchestration and automation are so essential that the General Services Administration (GSA) published a zero-trust buyers guide in June 2021 that declared orchestration and automation one of the eight pillars of zero-trust.

Pillar eight specifies the automation of security and network operational processes across the zero-trust architecture by orchestrating functions between similar and disparate security systems and applications.

Summary

SOAR solutions are an integral component of a zero-trust architecture, without which realizing the full complement of zero-trust benefits will be unattainable. In fact, independent research firm Aite-Novarica recently published a report that aligns the NIST framework with zero-trust modeling, and you can see how some example vendors fit into what would be an extremely comprehensive, multi-vendor model. Cyware's SOAR platform fits the zero-trust model in both Threat Intelligence and Response.[3]

[1] "Jericho Forum Commandments," Jericho Forum, May 2007, accessed September 23, 2021.

[2] Vasu Jakkal, "Zero Trust Adoption Report," Microsoft Security, July 2021, accessed September 23, 2021.

[3] "CISO Guidance for Zero-Trust Architecture: A NIST-Based Approach," Aite-Novarica Research, October 20, 2021.
