Use Case 3 - SOC Improvement

Zero Trust architecture eliminates the traditional chokepoints seen in legacy Trusted Internet Connection (TIC) and DOD Joint Regional Security Stacks (JRSS)/Internet Access Points (IAP)/Cloud Access Points (CAP). Decentralizing these chokepoints into a distributed architecture that aligns with the NIST Special Publication 800-207 PEP/PE/PDP framework may improve security and support digital transformation initiatives. Creating secure access from anywhere, on any network, that gives a user the right access under the right conditions is vital. NIST SP 800-207 outlines three approaches to Zero Trust: software-defined networking or perimeter, identity governance, and application micro-segmentation. While all three areas may interact, each focuses on a specific piece of an access attempt.

  1. Software-defined perimeter and network infrastructure are focused on delivering and routing network and internet traffic.
  2. Identity governance is focused on uniquely identified people or things requesting access.
  3. Application micro-segmentation is focused on network segmentation but also relies on identity governance.

  • Agency X has a SOC maturity level of 3:

  1. Automated scanning/patching of 90% of enterprise pre-connection.
  2. Playbooks are used for the majority of incidents, managed workflows for operations, and trends are reported.
  3. All cyber workforce position descriptions reflect NIST NICE framework Knowledge, Skills, and Abilities with workforce planning efforts driven at the executive level.
  • SOC analysts are inundated with false-positive indicators, which consume analysts' time to investigate.
  • Data is often collected and analyzed in isolation, one source at a time, creating a bottleneck when analysts try to reconstruct a compromise or identify the threat's entry point.
  • A Zero Trust framework employs many metrics: attributes (Strong Authentication), device telemetry, behavior, threat intelligence, vulnerability scans, full visibility and context on all flows for traffic analysis, and more to create a framework of least privilege across the organization.
  • The impact on SOC operations can take many paths. A ZT framework drives an organization towards a well-integrated set of technologies to orchestrate and automate processes to prevent/detect/respond/recover from security issues. It always goes back to addressing all sides of the people, processes, and technology triangle.
  • An organization that currently does not have the means to ingest data across the enterprise (from all the aforementioned sources) may find that additional resources (people) are required to begin enabling a ZT approach for the enterprise.
  • Attribution. Analysts currently jump between different data sources to determine who originated traffic and from where. Zero Trust may enable attribution because devices and users authenticate and are authorized to each resource, which helps correlate activity across gateways; depending on the architecture and PKI, there is also a potential non-repudiation angle.
  • Conversely, other organizations may find a reduced burden on SOC teams because of how drastically ZT can reduce the attack surface, whether because user connections have conditional/context-aware policies applied to them or simply because access is no longer binary (as in users get “Access to Everything” or “Access to Nothing”). Fine-grained controls over which users get what access under which conditions, coupled with restricting traffic flows between applications and workloads (e.g., micro-segmentation), could reduce the number of events, since all access is secured with very strict guard rails in place.
  • Zero Trust principles emphasize the benefit of integrated components.
  • Automations, be it from the SecDevOps environment, ITSM, SIEM, etc., should result in SOC teams having full visibility across the enterprise, allowing indicators of compromise to be correlated from multiple systems in an easy-to-digest way so that prevention, mitigation, and remediation processes can occur in a well-orchestrated and automated way.
  • Fine-grain information reporting beyond IP and port access attempts to include device information such as type, OS, browser, source location, and destination location.
  • Gain visibility into fine-grain activity information including login, logout, share, upload, download, edit, or update.
  • SIEM integration with identity management systems allows correlation of events across applications, networks, and other access attempts.
  • Coordination and collaboration on SOC processes across discipline areas.
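As an added example (not part of the source document), the SIEM-with-identity correlation described above, applied to constructed identity-management and application activity events: each activity is enriched with the user, device, browser and source location of the session that produced it, activity with no live authenticated session is set aside for attribution, and a triage rule picks out sensitive actions. The field names, the "PIV" authenticator value and the triage rule are assumptions.

```python
# Added example (not from the source document): correlate identity-management
# session events with application activity so each access attempt carries the
# user, device and location context a SOC analyst needs for attribution.
# All events below are constructed sample data; field names are assumptions.

# Identity-management events (login/logout), keyed by session id.
IDP_EVENTS = [
    {"ts": 100, "event": "login", "session": "s1", "user": "alice",
     "auth": "PIV", "device_type": "laptop", "os": "Windows 11",
     "browser": "Edge", "src_location": "Arlington, VA"},
    {"ts": 110, "event": "login", "session": "s2", "user": "bob",
     "auth": "password", "device_type": "phone", "os": "Android 14",
     "browser": "Chrome", "src_location": "Denver, CO"},
    {"ts": 300, "event": "logout", "session": "s1", "user": "alice"},
]

# Fine-grain activity events reported by the protected application.
APP_EVENTS = [
    {"ts": 150, "session": "s1", "action": "download", "resource": "finance-share", "dst_location": "us-east"},
    {"ts": 200, "session": "s2", "action": "share", "resource": "hr-docs", "dst_location": "us-west"},
    {"ts": 350, "session": "s1", "action": "upload", "resource": "finance-share", "dst_location": "us-east"},  # after logout
    {"ts": 400, "session": "s9", "action": "edit", "resource": "wiki", "dst_location": "us-east"},  # unknown session
]

SENSITIVE = {"download", "upload", "share"}


def correlate(idp_events, app_events):
    """Attach identity context to each app event; return (enriched, unattributed)."""
    sessions, ended = {}, {}
    for e in idp_events:
        if e["event"] == "login":
            sessions[e["session"]] = e
        elif e["event"] == "logout":
            ended[e["session"]] = e["ts"]
    enriched, unattributed = [], []
    for a in app_events:
        ctx = sessions.get(a["session"])
        # Activity before login, after logout, or with no known session cannot be attributed.
        if ctx is None or a["ts"] < ctx["ts"] or a["ts"] > ended.get(a["session"], float("inf")):
            unattributed.append(a)
            continue
        enriched.append({**a, "user": ctx["user"], "auth": ctx["auth"],
                         "device_type": ctx["device_type"], "os": ctx["os"],
                         "browser": ctx["browser"], "src_location": ctx["src_location"]})
    return enriched, unattributed


def needs_review(enriched):
    """Triage rule (assumption): sensitive actions performed without strong authentication."""
    return [e for e in enriched if e["action"] in SENSITIVE and e["auth"] != "PIV"]
```

The unattributed list is the attribution gap the SOC would otherwise have to close by hand; the enriched records give each remaining event the device and location fields in one place.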