Zero Trust is evolving, and agencies must adapt fast or fall behind in securing dynamic environments


Steve Shirley The National Defense ISAC is a non-profit, non-federal entity established and funded by its member companies to support their collective cybersecurity and resilience against all hazards. We do this through multiple lines of effort to include secure cyber threat sharing, knowledge exchange events, and technical solution working groups. All these efforts are anchored by a key principle, though, and that’s while our member companies compete energetically for work, they agree to collaborate and share intimately on cybersecurity threats and allied risks within the ISAC trust pyramid. We really see this vividly in our 24 or so technical solution working groups. It’s in these peer-led groups where member companies really drill into a range of topics of common concern such as CMMC prep and implementation or vulnerability management or cloud security and architecture or Zero Trust architecture, which is today’s focus. On the latter, a member company may detail challenges and successes in implementing ZTA across their network enterprise. This creates a huge learning opportunity for the other peers in the group. And so Leidos is a tremendous contributor in these groups and JR is a great thought leader across our 170 or so member companies.
Terry Gerton And so JR, tell us about Leidos’ participation in the ISAC.
JR Williamson So we were very much an early adopter of this sort of collective community of defense and big fans of the National Defense ISAC to sort of raise all the boats up. So it’s not just about keeping Leidos safe. It’s not just about keeping our customers safe. It’s about keeping all of us safe. So that sort of collective defense concept very much meets the mission that Steve talked about. And I think we get sort of the extra lift because the National Defense ISAC is also our direct integration to the government through the sector coordinating councils. And so being a participant there allows us to be aware of what’s going on with our governments, but also to be able to influence and shape those outcomes, for the benefit of all the membership.
Terry Gerton And so to both of you, and JR, we’ll continue with you first, as you are in this group and you’re talking with your peers and your collaborators, what do you see as the biggest challenges agencies are facing right now when it comes to keeping their missions running smoothly while also staying secure?
JR Williamson Wow, that’s a really big question, Terry. So there are a lot of challenges that we’re dealing with. And it’s funny, people ask me all the time, hey, you’re a CISO of a large corporation working in the national security and defense space, what keeps you up at night? And I tell people, me? I sleep like a baby. I wake up every two hours crying and screaming, because it’s very dynamic. The threats that we’re facing right now are just changing so rapidly. It’s really difficult to stay in front of them, and I feel like it’s so much easier to be the attacker in this world right now, because they can try all kinds of new things and toss things at you, but as a defender, you’re constantly having to change and learn and adapt to those situations, and it’s hard, and all they have to do is break into one place and it all goes crazy. So it’s a difficult thing. I think with our government, as we see in our industry, we tend to be very vertically oriented. And so things are in silos. We don’t share information always as fast as we need to. And sometimes even when we are sharing information, Terry, we’re not sharing it with the necessary context so that somebody could really understand what that information means in a way that they could operationalize it in a meaningful way. So, I think that’s really our biggest thing, we have to break down those barriers. We have to understand threat faster. We have to be able to improve our speed of dealing with those threats, and sharing is caring. I mean, we have got to open up the aperture on trust. I know we’re here today to talk about Zero Trust, but sometimes our government customers don’t trust industry as much as we’d like for them to, which sometimes can inhibit how much we share information effectively back and forth.
Terry Gerton Steve, let me toss it over to you for your thoughts on that.
Steve Shirley Well, JR put his finger on the most difficult thing that we do within ND-ISAC, and that’s create a, really what I think of as, a fabric of trust. And we do that by emphasizing a couple of things: that each company who agrees to contribute within a perimeter, if you will, of ND-ISAC owns that information and can set how it’s used, and we do that through something called the traffic light protocol, where TLP Red, the most sensitive designation, is exclusively for the ears in the room when it’s disclosed. And then on down to TLP Clear where it can be used for any purpose. And if a member company wants to use it for any other purpose than what the originator specifies, that member needs to go back to the originator and ask for permission to use it. We also have, as you’d expect within an industry organization, a very carefully nurtured non-disclosure agreement, both at the corporate level, but also for the participants in each ND-ISAC activity. And so we focus on preserving, and I used the term nurture a couple of times, that relationship because trust is really, really difficult to develop. It’s easy to lose, but it’s tough to restore after a hiccup. But even within ND-ISAC, companies make very fine determinations about what they want to share within that peer group. I have to say though, having been in a prior life a govvy, some of the most granular and most detailed discussions of events or insider threats have occurred within the working groups within ND-ISAC.
Terry Gerton It’s got to be a great forum for sharing lessons learned as well as information about the cyber threat. Steve, let me go to you first with this next question. What kinds of lessons learned have you heard where people are sharing the things that work well when it comes to keeping their operations secure without slowing people down?
Steve Shirley Well, every company comes into ND-ISAC with their own maturity level. We have, at one end, the very largest companies, like Leidos and peers, on down to smaller companies who are somewhere in the supply chain of one of those larger companies. So one of the things that we often see in a technical working group is company X details, here’s the challenge I had with Zero Trust architecture and how I found that my plan didn’t survive first contact with implementation. The other peers in that group are taking notes about that. And I should also add that our working groups are led not by a staffer in the ISAC, they’re led by subject matter peers within the member companies. And so this really gets into kind of iterative questions and scenario development. Okay, you had challenge X, how did you solve it? And so the other people, the companies listening to that, it really saves them a solo voyage of discovery and cost, which, to JR’s earlier point, everyone else in that group is now on that learning curve without the experience of one of their peers, so it’s really cool to watch.
Terry Gerton And JR, obviously you’re the CISO for one of those big companies, but a company that works with lots of government agencies. What’s your best advice for how they balance security and mobility?
JR Williamson Well, let’s say two things, maybe 20, but the first is that bringing these teams together, as Steve mentioned, is really critical for success. So again, we solve it once where we can all do it in a standard, consistent way, which is great because that really feeds the collective defense modality that really is the purpose of the National Defense ISAC. And so I think that’s great. And really the second is that we have to build solutions that ultimately enable these mission outcomes. And to do that, because the mission can be very dynamic and change, even though the outcomes are typically very specific, how we go about achieving those can change, so it’s very important for us to be adaptable to those kinds of things. So how do you do that? You adopt a risk-based approach to it. So all of our security paradigms are based on risk. And look, I’m an engineer by trade. What engineers do, we make up words. I made up a word called risktacity, and so risktacity is really about the elasticity of rigor based on risk. And so when risk is high, rigor needs to be high. Why? Because we need to assure an outcome. And to do that, we have to do proper prior planning to prevent a poor result. And so, when risk is up, rigor’s up. But equally true, when risk is down and risk is not very high, we shouldn’t be applying all that rigor. So that’s what risktacity is. It’s that elasticity of rigor based on risk. And that’s really important for assuring these kinds of outcomes that we’re just now talking about. Get it risk-based, make sure that it follows the principles of risktacity. It’s built in a way that we’re using automation to speed up those things that are very repetitive and simple to do and to provide very consistent outcomes. Make sure that we build resiliency into these solutions, because as Steve said, your plan doesn’t survive first contact, and it has to adapt.
So again, I think focusing on those mission outcomes first and building resiliency into those solutions is ultimately how we get to the answer that we need.
Terry Gerton JR, let me pick up with you because Zero Trust really is this big buzzword in cyber security, but putting it into practice seems to me to not always be easy. So what do agencies need to really get right to make Zero Trust work in the real world?
JR Williamson Perfect question, Terry. Well, first of all, let me just start with saying I am not a big fan of Zero Trust, that term, that phrase. We’ve been doing the key principles of how we maintain and build safety in our environments forever, long before this buzzword showed up called Zero Trust. In fact, I actually prefer the term earned trust or managed trust over Zero Trust. It’s hard to get anything done when we have zero. Zero times anything equals zero, so it’s really hard to collaborate with zero. But I get the point. The intent of the messaging is to say that we start that collaboration, we start that conversation with nothing. And now we have to build it. We have to earn that trust, we build that trust so that we can actually get something done together in a collaborative setting. So that’s really sort of the idea behind it. And if we use a building analogy, in the old days, you’d have a key to come into the building, you’d unlock the door. Maybe if you had a fancy one, you had a key card that you could open up the door with, but once you got in, you pretty much had access to everything. And in today’s modern Zero Trust world, you don’t have access to anything. First of all, we’re going to challenge you at the front door. We’re going to ask you a whole lot of questions. You’ve got to present a whole lot of identity information and context-aware kinds of attributes, and then maybe we’ll let you in. But then once you get in, every door now is armed. Every door is restricted. We have cameras, we have sensors, we are assuring that your behavior and what you’re doing is appropriate for the accesses that you’re requesting to do. And oh by the way, in the old days if we had a fire in that building, the building would typically burn down. In a Zero Trust architecture, if we had a breach or we had a concern in one area of the environment, it would be isolated and contained. So we wouldn’t lose the whole building. We would contain it into just that area.
So Zero Trust ultimately then is about building up and earning the accesses that are essential to get something done at the moment that you need to get it done. So what does it take to get to what you need? You have to have strong identity and access management. It’s a core foundation. And yes, we’ve been doing identity and access management long before Zero Trust was a thing. But you have to have that identity and access management in place in order to be successful with your Zero Trust model. Remember, we talked a little bit about risk-based analysis and assessment, huge in this area here because you can’t defend everything or shouldn’t even try at the same level. So you want it based on your risk classifications, make sure you provide the right mechanisms in place. You have to know where your data is. You have to know what your data is, you have to label it and you have to persist policies around controlling that data. You have to have dynamic access policies that can change based on these threats that you’re dealing with every day. Long gone are the days where I would just control it all at one level in one time, in one place, and just leave it forever. It doesn’t work that way. So it has to be very threat-based and mission-outcome-based in order to defend and protect it. And we build resiliency into these models because threats will affect outcomes that we have based on just our normal operation of these environments. So strong asset management, strong data management, strong identity management, good monitoring, effective governance and policy and training of the people who are using these systems, these are really the keys I think to being successful. And the beauty is, for our government and mission areas, we’ve got a fantastic document that NIST put together, it’s 800-207, that really lays out these core principles of Zero Trust.
And I think the thing I would leave you with on this one is just recognizing that Zero Trust as a concept is very powerful, but it is really difficult and hard to get right. And so it’s important that we both embrace and understand what those principles are so we can focus, back to risktacity, on the right areas of highest risk and make sure that we are building these solutions for the outcomes that we need. And I think it begins, Terry, with a strong mindset towards both continuous improvement, continuous validation of identity and access management, the right culture that understands the need to protect these mission outcomes. We need to know where all our users are, where all of our devices are, where all of their applications are, and of course their corresponding data. And we have to have the ability to enforce policy in a very dynamic way. So that sort of learning culture and that mindset around safety is essential to any Zero Trust initiative.
Terry Gerton Thank you, JR. Steve, JR has just rattled off a long list of important characteristics, organizational indicators, but he also said earned trust. So JR, I’m using your words back, earned trust is hard to get right. You oversee this inter-agency, inter-company collaboration space. How are you seeing organizations share what they are accomplishing in the earned trust space and still keeping their data and their missions protected?
Steve Shirley Oh wow, that’s kind of a tough question in terms of giving it a ten-word answer. There’s an old chestnut about the military commander who walks into the unit, says there will be good morale. And so the obverse of that, of course, is that to generate that takes a whole lot of things on the part of the group to get right. And so, in terms of the community of interest that is the National Defense ISAC, it’s not as though the director can walk in and say, there will be trust. That trust is a carefully developed and nurtured artifact of setting the stage with an architecture of collaboration that depends, to start with, again, going back to those sorts of rule sets I talked about in terms of appropriate nondisclosure agreements and an appropriate setting where the originator or discloser of the information believes their interests are attended to within that setting. You almost see a process of evolution when a new company and their teammates arrive in an ND-ISAC working group. At first, it’s like a junior high school dance, their backs to the wall and, geez, I’m not going to say a thing. But as they understand and see the other members of that working group talk about things that they absolutely would not disclose in another setting, they begin to get the idea that there is more than just text on paper, that the participants in the process really live that premise of disclosing sensitive information within, again, what I’ve talked about as a perimeter of trust or trust fabric. And so it’s only in that kind of context where you see a company who will say, geez, here’s what I did right in terms of when we began to approach this journey of Zero Trust architecture. Here’s what we think we did wrong. Here are some of the tools we trialed and discarded. Here’s where we ended up. And so while they’re discussing this, they’re getting inputs from their peers about, well, how did you come to that determination?
What made you take that fork in the road versus this other? And so when you see that work in a setting, it really is gratifying to see that. And again, the different participants in that group are coming to that discussion with different maturity levels in many cases. And some are able to operationalize those lessons in different ways. And others are using it to inform, OK, here’s what I see I have to do on my cybersecurity journey. And maybe I’m not ready for X, but maybe I’m ready for Y. That’s kind of a word picture, I guess.
Terry Gerton I’m sorry, but I can’t get the middle school dance metaphor out of my head, but yes, that’s a great word picture. JR, let me come back to you and I want to ask you to think forward a few years. What do you think will be the biggest shift, whether it’s in technology or mindset, as you talked about, or policy that agencies need to prepare for to stay secure and resilient?
JR Williamson I think it’s about the data and ultimately, what’s going to happen over the next few years as we adopt more machine learning algorithms into understanding our data, we do a better job of data classification and data labeling, we use artificial intelligence to help do some sense-making around this. I think that’s the big change. I mean, right now, Terry, I mean we are drowning in data and starving for insights. And so this type of tooling can really help us get the insights and the insights are essential to making decisions, whether you’re at the tactical edge or in an offline type of environment, I mean, it’s about making decisions to affect the mission outcome. And the more insight you have, not just the more data that you have — that used to be the story, now we just got too much data — so now it’s about getting to the insight, insight that helps inform a decision that needs to get made. And if we can improve the speed of that decision making, that’s a differential advantage. So I think that is the key thing that’s going to happen over the next few years is really adopting these core technologies. But look, I do want to say a little bit about technical debt because even though I think we could all agree that’s what the future looks like, getting there is hard. It’s hard because particularly in large organizations and many of our large government agencies, back to that stovepipe thing we talked about, we have so much technical debt in there. We don’t understand all the places our data is. We don’t know how to fuse it together very well. And because of that, that will become the big barrier to getting to those insights. And so first and foremost, we need to focus on that, get our data set right, get it structured properly the way that we need to. Think of it as making it AI ready. And as we get our data AI ready, then we’re really going to start to get the benefit that will come from this advanced technology.
Terry Gerton Steve, what do you see as the role of ND-ISAC in helping agencies prepare for the future that JR just laid out?
Steve Shirley Well, one, it’s creating that forum for dialogue that’s unvarnished and where each company can talk about what they’ve done, perhaps either right or wrong. Plus, what we do in those is structure the working groups around the requirements that the members themselves articulate that are important to them. In terms of our menu, for example, we’ve got a working group on, not surprising, on Zero Trust architecture, but also on many of the other things that JR enumerated earlier, data categorization and DLP, application security, cloud security and architecture. And so, an exec such as JR can identify which of his teammates should probably participate in that group, either sometimes as a mentor, sometimes as, here’s a place where I can find out what someone else has trialed and perhaps how it might influence our thinking. And so, I’m not sure that gets exactly at what you were looking at, Terry, but it’s to establish, basically, create and establish the forum for the members to say, this is important to me, here’s what I want to talk about, here’s how. And so we on the staff team will coordinate the sessions, set it up, support the member company subject matter experts who are leading it in collaboration with their peers and sort of proctor the conversation along, so to speak.
JR Williamson I think I’d add with the intent and bias for collective defense, I think you said earlier, we’re ultimately, we’re trying to solve this riddle one time and then replay it and reuse it wherever we can, which saves everybody time and money and allows us to get more consistency for collective defense and speed.
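The interview describes Zero Trust in terms of per-request decisions (challenged at the front door, every door armed, access tied to who you are, what device you are on, how the data is labelled, and what monitoring sees), and "risktacity" as rigor that scales with risk. The following is an added illustration written for this page, not code from the interview, Leidos, ND-ISAC or NIST SP 800-207; it sketches a policy decision function in that spirit. The classification ladder, authentication-strength ladder, anomaly score feed, scoring thresholds and all names (`Subject`, `Device`, `Resource`, `Context`, `evaluate`) are assumptions for the example.

```python
"""Per-request access decision with rigor scaled to risk.

Added illustration for this page; not code from the interview, Leidos,
ND-ISAC or NIST. Labels, ladders and thresholds below are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after stronger authentication
    DENY = "deny"


# Assumed data-classification ladder; the label travels with the resource.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed assurance ladder for how the subject authenticated this session.
AUTH_STRENGTH = {"password": 1, "mfa": 2, "phishing_resistant": 3}


@dataclass
class Subject:
    user: str
    auth_method: str                      # key into AUTH_STRENGTH
    roles: set = field(default_factory=set)


@dataclass
class Device:
    managed: bool     # enrolled in and reporting to endpoint management
    compliant: bool   # posture check (patch level, EDR running) passed


@dataclass
class Resource:
    name: str
    label: str                            # key into SENSITIVITY
    allowed_roles: set = field(default_factory=set)


@dataclass
class Context:
    anomaly_score: float = 0.0   # 0.0 normal .. 1.0 highly anomalous (assumed monitoring feed)


def required_auth_strength(resource: Resource) -> int:
    """Elasticity of rigor: more sensitive data demands stronger authentication."""
    level = SENSITIVITY[resource.label]
    return {0: 1, 1: 1, 2: 2, 3: 3}[level]


def evaluate(subject: Subject, device: Device, resource: Resource, ctx: Context) -> Decision:
    """Decide one request on its own merits.

    Nothing carries over from having been allowed somewhere else: every
    resource is its own armed door, and the checks are re-run each time.
    """
    # 1. Authorization is explicit per resource, never implied by being "inside".
    if not subject.roles & resource.allowed_roles:
        return Decision.DENY
    # 2. Device posture gates sensitive data regardless of who the user is.
    level = SENSITIVITY[resource.label]
    if level >= SENSITIVITY["confidential"] and not (device.managed and device.compliant):
        return Decision.DENY
    # 3. A strong behavioural signal from monitoring revokes access mid-session.
    if ctx.anomaly_score >= 0.8:
        return Decision.DENY
    # 4. Rigor scales with risk: when the only shortfall is authentication
    #    strength, demand a stronger factor rather than a flat deny.
    if AUTH_STRENGTH[subject.auth_method] < required_auth_strength(resource):
        return Decision.STEP_UP
    if ctx.anomaly_score >= 0.5 and level >= SENSITIVITY["confidential"]:
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    # Constructed sample requests, not real data.
    alice = Subject("alice", "mfa", {"engineer"})
    laptop = Device(managed=True, compliant=True)
    byod = Device(managed=False, compliant=False)
    wiki = Resource("wiki", "internal", {"engineer"})
    vault = Resource("vault", "restricted", {"engineer"})
    for dev, res in [(laptop, wiki), (laptop, vault), (byod, vault)]:
        print(f"{alice.user} on {'managed' if dev.managed else 'unmanaged'} -> {res.name}: "
              f"{evaluate(alice, dev, res, Context()).value}")
```

The same authenticated user gets three different answers depending on which door is being opened and from what device; the low-sensitivity wiki is allowed outright, the restricted vault asks for a stronger factor rather than refusing, and an unmanaged device is refused the vault regardless of authentication. A real deployment would source the labels, device posture and anomaly score from inventory, endpoint management and monitoring rather than from literals.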
Copyright © 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.