Visibility and Analytics Capabilities

Identify scaling requirements to perform a comprehensive needs assessment:

• Engage with stakeholders and partners to identify current and future requirements for scaling the ZT Architecture (ZTA), focusing on how core ZT principles and capabilities, such as Least Privilege access, micro-segmentation, and continuous verification, can be maintained and enhanced as the environment expands.
• Use the information gathered to conduct a comprehensive needs assessment that incorporates operational needs and aligns with ZT Pillar requirements.

Analyze and prioritize existing Component environment in preparation for scaling:

• Evaluate the current Component infrastructure (e.g., bandwidth capacity, distributed environments, etc.) to understand limitations and risks in supporting the scalability and performance of the ZTA.
• Conduct a gap analysis to identify areas where the current architecture and infrastructure must be enhanced to effectively scale the ZT implementation and maintain its security posture as the environment expands.
• Develop a prioritization plan for scaling the ZTA that aligns with mission and business continuity considerations, ensuring that risk mitigation efforts and resource allocation prioritize the most critical ZT capabilities and address the Component's essential business/mission needs.

Align the scaling strategy with ZT Pillar requirements:

• Adopt a phased approach to scaling the ZTA, prioritizing the most critical ZT capabilities and ensuring that each Phase maintains core ZT principles and strengthens the overall security posture. Verify and validate the effectiveness of each scaling Phase before proceeding to the next.

Design scalable architecture(s) and integrate with the existing environment:

• Develop scalable architectures that seamlessly integrate ZT monitoring and analytics solutions with the existing security infrastructure. Ensure these integrations enhance, rather than hinder, the overall effectiveness of the ZT security posture as the environment scales.
• Develop a governance structure to oversee the scaling of the ZTA, incorporating policies that ensure the consistent application of ZT principles, maintain continuous monitoring and response capabilities, and effectively manage risks as the environment expands.

Review existing BCP and DRP group strategies:

• Coordinate with BCP and DRP teams to ensure scaling strategies are incorporated into emergency plans for distributed environments, ensuring resilience during scaling and/or disaster recovery.

Integrate ZT considerations into BCP/DRP planning and execution:

• Collaborate with BCP/DRP teams to ensure the resilience and availability of ZT capabilities during emergencies and disaster recovery.
• Update BCP/DRP plans to reflect scaling requirements and leverage Visibility and Analytics to inform decision-making and restore ZT security following a disruption.

Update BCP/DRP frameworks:

• Adjust existing plans to reflect the newly identified scaling needs, ensuring the integration of Visibility and Analytics Pillar outcomes support decision-making during emergency operations.

Assess existing standards and define standardized log fields:

• Review current industry-standard log formats (e.g., JavaScript Object Notation (JSON), Common Event Format, System Logging (Syslog) Protocol, etc.) and Enterprise compliance requirements.
• Define standardized log fields that support ZT visibility, analytics, and Incident Response (IR), ensuring compliance with Enterprise policies, National Institute of Standards and Technology (NIST) guidance, and ZT requirements.
• In collaboration with the Enterprise, the Component establishes a common log format, including mandatory standardized fields (e.g., timestamp, source, severity, etc.).

Develop documentation for environment integration:

• Create documentation detailing the log format structure, mapping rules, and compliance requirements necessary for integration into the existing environment.

Develop Component Log Source Codex:

• Leverage Activity 1.1.1 (Discovery) – Inventory User, to obtain an accurate and comprehensive User/PE inventory.
• Leverage Activity 2.1.1 (Discovery) – Device Health Tool Gap Analysis, to obtain an accurate and comprehensive Hardware/Software inventory.
• Leverage Activity 3.1.1 (Discovery) – Application and Code Identification, to obtain an accurate and comprehensive application inventory.
• Identify and document all log sources in the Component Log Source Codex
• Leverage the Component Log Source Codex to further identify critical log-producing assets (e.g., security devices, network devices, Users/PEs, etc.).
• Leverage automation where possible, such as network discovery solutions, SIEM, asset inventory discovery, to ensure completeness and validate logging sources.

Collaborate with Cyber Threat Intelligence (CTI) teams, from Activity 7.5.1 – Cyber Threat Intelligence (CTI) Program Part 1, to prioritize log sources from inventory lists:

• Categorize logs based on their relevance to ZT security, prioritizing logs that support access control decisions, threat detection, and IR within the ZT Framework.
• Leverage Cyber Threat Intelligence (CTI) to prioritize log sources that provide insights into potential threats to the ZT Architecture (ZTA), focusing on User/PE/NPE access, device behavior, and application activity.

Develop a log collection strategy:

• Establish procedures for log collection, ensuring minimal impact on system performance and storage.
• Configure logging to retain the most critical information while filtering out redundant data.

Standardize log configuration across the Component environment:

• Apply logging standards across all systems to ensure adherence to Enterprise requirements.

Monitor collection efficacy:

• Continuously verify log collection accuracy by comparing expected vs. actual collected logs.
• Set up alerts for missing logs, time errors, and/or inconsistencies.

Evaluate current log formats:

• Inventory existing log sources and determine compatibility with the standardized format.
• Use appropriate log analysis solutions to map current formats to the new logging schema.

Develop log transformation rules:

• Use log parsers to normalize logs in alignment with standardized format.

Test, verify, and validate migrations:

• Conduct pilot tests on a subset of logs before full-scale migration to test compatibility.
• Verify and validate that logs maintain accuracy and completeness after transformation.

Establish continuous migration testing and update processes accordingly:

• Regularly update log transformation rules to accommodate new log sources.

Define log filtering criteria:

• Establish event filtering policies to ensure only security-relevant and ZT-aligned telemetry is forwarded to the SIEM.
• Collaborate with the IR team to define inclusion and exclusion rule sets for threat prioritization, for example:
  • Include: authentication failures, privilege escalations, firewall denials
  • Exclude: routine successful logins, low-severity debug messages

Implement secure log forwarding mechanisms:

• Configure log sources to transmit data using secure, encrypted protocols. Approved methods are defined in Activity 5.4.4 – Protect Data in Transit.
• Validate that systems and SIEM ingestion pipelines can scale to handle log volume without degradation or data loss.

Optimize log storage and processing efficiency:

• Apply log aggregation and normalization techniques to reduce duplication.
• Configure log retention policies in alignment with Enterprise and Component compliance requirements.

Ensure adherence to Enterprise logging standards:

• Verify and validate that all forwarded logs conform to the standardized schemas and field requirements to support ZT visibility, analytics, and IR automation.

Continuously monitor and refine filtering rules as needed:

• Regularly review and adjust log filtering criteria based on evolving threat intelligence and updates to the ZTA. Prioritize logs related to User/PE/NPE access, device posture, and application activity within the environment.
• Implement automated tuning mechanisms to dynamically adjust log collection in response to emerging threats and security incidents. Ensure the SIEM receives the most relevant data for accurate threat detection and effective IR.

Establish baseline User/Person Entity (PE)/Non-Person Entity (NPE) behavior profiles:

• Define process, rules, and attributes to establish normal activity baselines per each User/PE/NPE:
  • Expected login locations
  • Working hours
  • Typical access patterns

Identify security-relevant activities and events that should be assigned a risk level:

• Map security-relevant activities (e.g., authentication, access, escalation, data movement, etc.) to policy-driven access control decisions, ensuring alignment with policies that enforce ZT through dynamic, role- and attribute-based rules.
• Leverage Activity 7.1.2 (Phase One) – Log Parsing, to implement a reliable and appropriate event logging and retention policy with the capability to process, sort, search, and purge logs.
• Audit logs for common User/PE/NPE activity details.
  • Leverage the Component Log Source Codex, developed in Activity 7.1.2 (Phase One) – Log Parsing, to compare against the existing logs in order to identify any missing sources/prevent blind spots within the environment.

Prioritize activities and events based on risk level and associated threat potential:

• Activities and events are classified based on risk to the ZT Architecture (ZTA), prioritizing those that indicate potential policy violations, unauthorized access attempts, or anomalous behavior.
• High-risk examples may include:
  • Multiple failed logins from unusual locations and/or devices.
  • Attempts to access sensitive data without proper authorization or from unmanaged devices.
  • Anomalous network traffic patterns indicative of data exfiltration or suspicious activity.
  • Unexpected disabling of logging or telemetry.

Develop Cyber Risk Scoring (CRS) and define thresholds for security action:

• In collaboration with the Enterprise, the Component defines CRS methodology and assigns initial weights based on security criticality (e.g., weighted scoring, statistical anomaly detection, etc.).
• Example thresholds:
  • 0-30: Normal (no action)
  • 31-70: Medium risk (log for review, minor alert)
  • 71-100: High risk (trigger immediate security response)

Leverage contextual enrichment to strengthen ZT policy enforcement and automation:

• Enrich raw event data with context, such as application behavior, time-sync validation, data access patterns, and network traffic analysis, to inform policy decisions and enable automated responses to security events within the ZT framework.

Implement dynamic risk adjustments:

• Leverage behavioral analytics to inform policy decisions by detecting deviations from historical activity patterns, triggering binary outcomes such as access grant/deny or triggering supplemental protections based on predefined ZT procedures.

Continuously refine CRS to support ZT policy enforcement:

• Analyze false positives/negatives to enhance the accuracy of risk signals that inform binary policy outcomes (e.g., access grant/deny).
• Automatically update risk scores based on new Indicators of Compromise (IoC) and Tactics, Techniques, and Procedures (TTPs) to ensure dynamic, context-aware adjustments that drive real-time policy decisions.

Ensure security solutions can process and act on risk scores for all User/PE/NPEs based on ZT principles:

• Feed risk scores into SIEM and SOAR solutions and configure solutions to trigger automated responses, as needed.

Correlate behavioral and contextual signals across User/PE/NPEs to inform consistent policy-based access decisions in accordance with ZT principles:

• Track cumulative risk based on various signals across multiple activities (i.e., one high-risk event may not trigger action, but multiple events over time should be investigated).
• Implement entity risk scoring to assess collective risk and support identity stitching across multiple accounts or identities for the same User/PE/NPE.

Deploy and configure the existing SIEM solution to support ZT threat alerting:

• Confirm that the SIEM solution supports the collection, normalization, and analysis of security event data from all required sources.
• Identify and configure existing data sources to forward relevant data into the SIEM.
• Ensure SIEM data handling complies with Component data retention, integrity, and auditability policies.

Develop SIEM rules and alerts that detect threats to the ZT Architecture (ZTA):

• Integrate validated threat intelligence to identify and alert on activities that violate ZT policies or indicate anomalous behavior (e.g., unauthorized access attempts, atypical data access patterns, etc.).
• Develop rules to detect known attack patterns capable of bypassing or exploiting weaknesses in ZT enforcement points, leveraging frameworks such as MITRE ATT&CK and prioritizing threats based on their potential impact to protected assets.
• Continuously update alert logic and threat signatures based on evolving threat intelligence, SIEM insights, and Incident Response (IR) feedback to maintain detection efficacy.

Monitor SIEM for continuous ZT enhancement:

• Review SIEM alerts and event trends to identify gaps within ZT policies, logging, segmentation decisions, and enforcement controls. Use findings to iteratively strengthen the overall ZT posture.

Leverage threat intelligence to identify and correlate threats to the ZTA:

• Review historical security incidents and known attack vectors that have previously bypassed or exploited weaknesses in ZT controls.
• Align with validated internal and external threat intelligence to identify threats that pose the highest risk to critical assets and ZT enforcement points.

Configure SIEM rules and alerts to support data-driven ZT security:

• Develop correlation rules that combine enriched log data, entity behavior, and threat intelligence to identify and prioritize suspicious activity.
• Tune alert logic and severity thresholds based on ZT-aligned risk assessments to ensure the SIEM drives effective and timely data-driven security decisions.

Enhance alert quality, by aligning with Activity 7.2.4 (Phase One) – Asset ID and Alert Correlation:

• Where feasible, include asset identification data in alerts to improve future correlation and response decisions when Activity 7.2.4 (Phase One) – Asset ID and Alert Correlation is implemented.

Test, verify, and validate rules before operational use:

• Simulate representative threat scenarios to verify alerts trigger consistently and accurately.
• Refine correlation rule parameters based on results to optimize detection effectiveness and reduce false positives.

Monitor alert performance for continuous ZT enhancement:

• Review alert trends and outcomes to identify detection gaps and refine ZT policies and SIEM detection logic to prevent future incidents.

Gather accurate User/PE/NPE lists for environment:

• Leverage Activity 1.1.1 (Discovery) – Inventory User, to obtain an accurate and comprehensive User/PE List as established in the User Pillar.
• Leverage Activity 2.1.1 (Discovery) – Device Health Tool Gap Analysis, to obtain an accurate and comprehensive Hardware/Software List, as established in the Device Pillar.
• Where possible, monitor and maintain asset inventories using automated solutions.

Align IR procedures to asset types to support ZT responses:

• Define and document IR workflows tailored to different assets categories (e.g., endpoints, servers, etc.).
• Ensure procedures include rapid asset identification, location, and criticality assessment.

Enable automation of the asset impact assessment in the IR procedures:

• Quickly assess the impact on assets before, during, and after an incident (e.g., automatically retrieve asset details from inventory, etc.).
• Predefine IR actions for specific types of assets based on risk for future automated response capabilities.

Monitor and update IR procedures and asset rules:

• Review and refine asset-based alert logic regularly to reflect changes in asset inventory and Component priorities.

Identify threat events suitable for future automation using known and discovered threat signatures:

• Collaborate with IR and threat-hunting teams to identify alert types appropriate for automated response in future capability maturation.
• Prioritize low-risk events with appropriate mitigation actions.

Develop data-driven response playbooks aligned with ZT security:

• Create playbooks that define response actions mapped to specific alert types and risk levels based on enriched security data, threat intelligence, and contextual information.
• Incorporate decision points using contextual data to ensure actions remain appropriate and proportional.

Validate playbook logic in a controlled environment:

• Test response pathways using simulations to confirm they support ZT enforcement without operational disruption.
• Continuously monitor and improve responses to enhance resilience and minimize false positives to support automation readiness.

Integrate CTI data feeds to enhance ZT threat detection and response:

• Leverage CTI data feeds, from Activity 7.5.1 (Phase One) – Cyber Threat Intelligence (CTI) Program Part 1, focusing on those that deliver relevant, actionable insights into threats targeting ZT vulnerabilities, or attempting to bypass ZT controls.

Implement a standardized data normalization process and ingest data into SIEM:

• Utilize Structured Threat Information eXpression (STIX)/Trusted Automated Exchange of Intelligence Information (TAXII) or similar standards to map CTI data to a common format within the SIEM. This may require custom parsers or data transformation scripts.
• Ingest normalized CTI data into the SIEM, mapping it to relevant event categories to enable correlation with internal security logs and improve threat detection capabilities within the ZT framework.
• Ensure seamless integration into SIEM to avoid performance issues or data inconsistencies.

Document CTI feed integration details:

• Maintain CTI feed and SIEM integration data (e.g., source, format, update frequency and expiration).

Conduct threat modeling:

• Perform threat modeling exercises to identify potential vulnerabilities within the Zero Trust Architecture (ZTA). Focus on scenarios that attempt to bypass ZT controls.
• Leverage the threat model to guide SIEM rule development.

Create automated rules to detect and prevent ZT policy violations and data exfiltration:

• Correlate CTI data with internal logs to detect malicious activity.
• Develop and prioritize SIEM rules leveraging behavioral analytics that trigger alerts on anomalous activities indicative of:
  • Deviations from network and/or behavioral baselines
  • ZT policy violations
  • Unapproved access attempts
  • Correlations between CTI-identified threat actor Tactics, Techniques, and Procedures (TTPs) with internal events
  • Data exfiltration attempts, such as increased traffic volume or time-based anomalies

Refine and optimize rules:

• Implement a rigorous testing and tuning process of SIEM rules to minimize false positives/negatives and ensure accurate detection.
• Analyze alert data through a rigorous testing process to refine rules to:
  • Minimize false positives.
  • Improve the accuracy of threat detection and prevention.
  • Improve the efficiency of threat detection and prevention.
• Regularly update CTI data feeds and review integration processes to adapt to emerging threats and maintain a strong ZT security posture.
• Establish a feedback loop to continuously refine rules based on real-world incidents and threat intelligence updates.

Develop IR Playbooks:

• Create IR playbooks for responding to alerts generated by SIEM rules that outline specific steps for investigation, containment, and remediation in alignment with ZT response actions.
• Integrate the SIEM with a Security Orchestration, Automation and Response (SOAR) solution to automate IR tasks, where possible.

Define alert escalation procedures:

• Establish clear, risk-based escalation paths for different alert types, to include:
  • How and when alerts should be triaged
  • Who is responsible for each escalation tier
  • How incidents are transferred across teams (e.g., Security Operations Center (SOC), IR, leadership)

Establish a rule review process:

• Conduct regular reviews of all SIEM rules to ensure their continued effectiveness and relevance.
• Update SIEM rules as needed based on changes to the threat landscape and the Component environment.

Maintenance of CTI feed by authorized User/Person Entities (PEs):

• Authorized User/PEs:
  • Monitor the health and performance of CTI feeds (e.g., feed stops updating, latency increases, source becomes unreachable).
  • Evaluate and ingest new CTI feeds.

Monitor SIEM performance and rule efficacy:

• Track key performance metrics, for example:
  • Alert volume
  • False positive rate
  • Mean Time to Detect (MTTD)
  • Mean Time to Respond (MTTR)
• Generate regular reports on threat detection and response activities.

Document SIEM rules and parameters:

• Maintain comprehensive documentation of all developed rules, including purpose, logic, and tuning parameters.

Gather accurate User/PE/NPE lists for environment:

• Leverage Activity 1.1.1 (Discovery) – Inventory User, to obtain an accurate and comprehensive User/PE List as established in the User Pillar.
• Leverage Activity 2.1.1 (Discovery) – Device Health Tool Gap Analysis, to obtain an accurate and comprehensive Hardware/Software List, as established in the Device Pillar.

Ensure all assets are identified and logged in SIEM with relevant metadata:

• Integrate authoritative asset telemetry sources (e.g., Content Management Database (CMDB), Endpoint Detection and Response (EDR), vulnerability management solutions, etc.) with the SIEM to:
  • Provide real-time context for trust evaluation and enforcement for alert enrichment.
  • Support continuous validation of device state, ownership, and ZT compliance.
• Continuously discover and validate assets through dynamic telemetry ingestion. Flag unmanaged, orphaned, or non-compliant assets to reinforce deny-by-default principles.

Verify and validate asset visibility and accuracy:

• Cross-check SIEM asset inventory against external asset repositories.
• Perform periodic audits to confirm asset inventory completeness and accuracy.

Enrich alerts with asset and identity metadata:

• Ensure predecessor Activity 7.1.2 (Phase One) – Log Parsing is completed, to provide standardized and normalized log fields (e.g., User/PE/NPE identifiers, device IDs, application identifiers), enabling accurate asset correlation within the SIEM.
• Map asset identifiers to alerts to enable policy enforcement based on the type and criticality of affected resources based on contextual understanding of threats.

Implement data enrichment pipelines:

• Use SIEM enrichment capabilities to automatically populate security alerts to enable ZT-aligned Incident Response (IR) decisions based on dynamic trust factors based on contextual asset identification data, including:
  • Asset ownership
  • Device posture/compliance indicators
  • Asset criticality
  • Recent access activity
• Consider completing Activity 7.2.1 – Threat Alerting Part 1, to align alert enrichment with Enterprise policies and procedures to maintain asset identifiers across SIEM alerts.
• Tag alerts that indicate potential violations of ZT policies, such as:
  • Unauthorized access attempts.
  • Suspicious resource access behavior.
  • Deviations from established baselines.
• Use alert tags to categorize and track policy violations, enabling trend analysis and informing policy refinement.

Verify and validate the accuracy and completeness of ZT asset correlation:

• Simulate representative incidents to verify alerts consistently display accurate asset and identity information for decision-making within the ZT Framework.
• Collaborate with Component security team(s) to identify and address any discrepancies or gaps in enrichment data.

Enable ZT-driven alert triage and asset containment:

• Enable Component security team(s) to quickly investigate impacted assets and associated threats using contextual identity, with visibility into assigned roles, authentication history, and current compliance posture.
• Support prioritization of alerts involving unmanaged or non-compliant assets.
• Ensure containment respects the Least Privilege model, applying narrowly scoped actions (e.g., network micro-segmentation, revoking access to specific resources, etc.) rather than broad-based shutdowns.

Enhance IR workflows with identity-based telemetry and correlation:

• Correlate identity provider (IdP) signals, device compliance status, and segmentation zone context to improve impact evaluation and scope definition.
• Provide IR teams with enriched context, such as:
  • Asset criticality
  • Role/privilege level
  • Segmentation zone membership
  • History of policy violations
• Tailor IR workflow based on asset criticality, User/PE/NPE role, and real-time trust level (e.g., deny, quarantine, monitor).

Continuously improve correlation quality and ZT support:

• Conduct post-incident reviews to determine whether enriched alerts enabled effective containment and response.
• Refine enrichment sources and correlation logic based on ZT posture gaps, telemetry blind spots, and IR feedback.

Identify key subjects and attributes for profiling:

• Ensure all Users/Person Entities (PEs)/Non-Person Entities (NPEs) are uniquely and non-reputably identified via strong identity binding (e.g., Public Key Infrastructure (PKI) certificates, etc.), then explicitly assigned to roles based on approved functions. Group entities by role and required access to resources and assets as defined by Enterprise and Component-level policies.
• Define, and continually refresh, attributes that support Attribute-Based Access Control (ABAC) by providing contextual input to policy decisions based on assigned roles and approved access. Attribute categories include:
  • User/PE attributes: Login behavior, geographic location, typical working hours, access patterns to resources and systems
  • NPE attributes: Network communication patterns, installed software, expected workloads, and service interaction behaviors

Establish subject and attribute baseline behavior:

• Leverage tools procured in Activity 1.6.1 (Phase Two) – Implement User and Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) Tooling, to measure and document baseline behaviors.
• Leverage Activity 7.1.3 (Phase Two) – Log Analysis and Activity 7.3.2 (Phase Two) – Establish User Baseline Behavior, to establish subject and attribute baseline behaviors.
• Adjust baselines to account for changes in User/PE/NPE roles, responsibilities, and/or expected behavior patterns.

Leverage established baselines to build profiles in Activity 7.4.1 (Phase Two) – Baseline and Profiling Part 1:

• Define policy-driven criteria that determine whether User/PE/NPE activity satisfies conditions for access, based on identity, assigned role, and contextual attributes, in real-time, to enforce decisions (e.g., grant, deny, or apply safeguards) consistent with ZT principles.
• Use a non-repudiation service for User/PE/NPE attribution for all actions performed.

Build adaptive profiling:

• Implement dynamic profiling that updates as new behavior trends emerge.
• Create role-based baselines to compare User/PE/NPEs to peer groups and/or standard behavior as established in the baseline behavior data.

Integrate baseline profiles to enhance ZT anomaly detection and response:

• Feed profiles into Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and User and Entity Behavior Analytics (UEBA) solutions to establish baselines of normal activity within the environment and enable detection of anomalous behavior that could indicate policy violations, unapproved access attempts, and/or malicious activity. Prioritize anomalies that pose the greatest risk to ZT security.
• Implement dynamic monitoring to compare live activity against baseline behaviors.
• Implement analysis rules to detect deviations from typical behavior patterns.

Define requirements for analytics tools to enable data-driven ZT security and policy enforcement:

• Identify data sources and analytical capabilities needed to support continuous trust evaluation, threat detection, and security monitoring across all ZT pillars.
• Determine performance and scalability requirements to ensure that analytics tools can process the data volume needed for ZT security insights.
• Plan deployment to ensure data accessibility, security, and integration with existing ZT enforcement and telemetry solutions.

Define ZT-aligned integration points within the environment:

• Identify how analytic tools will integrate with existing policy enforcement and telemetry platforms (e.g., Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Identity Provider (IdP), etc.) to support dynamic trust evaluation and enforcement.
• Prioritize integration paths that enable real-time context sharing and identity- and asset-aware alerting aligned to ZT principles.
• Identify automation capabilities for future maturation that will support dynamic monitoring and risk-based alert prioritization in accordance with ZT decision-making models.

Finalize and document analytic tool requirements:

• Compile requirements into Enterprise-aligned procurement documentation.
• Verify and validate with stakeholders prior to procurement, where applicable.

Research industry solutions:

• Evaluate SIEM, User and Entity Behavior Analytics (UEBA), and other analytics technologies for their ability to support ZT operations, including identity-centric anomaly detection, continuous trust evaluation, and integration with enforcement mechanisms.
• Consider commercial, open-source, and custom-built options, where applicable.

Evaluate and select analytic tools that strengthen ZT security monitoring:

• Assess the ability of tools to integrate with existing ZT visibility and decision-support solutions.
• Evaluate capabilities based on scalability, usability, detection efficacy, and cost.
• Select tools that demonstrate alignment with defined requirements and existing ZT security infrastructure.

Select and procure analytic tool(s) based on findings:

• Collaborate with procurement teams to acquire licenses and associated services.
• Establish vendor support agreements and Service Level Agreements (SLAs), where required.

Deploy analytic tool(s) and integrate with existing infrastructure:

• Prepare the environment for deployment and configure secure data pipelines for data sharing and ingestion.
• Integrate analytics tools with SIEM, EDR, firewalls, and threat intelligence feeds to enable continuous trust assessment, identity-aware correlation, and real-time policy enforcement across the ZT architecture (ZTA).

Define custom detection rules, as needed:

• Implement analytics rules that incorporate threat indicators, historical incidents, and dynamic trust signals (e.g., identity behavior, device posture, access anomalies, etc.) to support continuous trust evaluation and adaptive ZT policy enforcement.

Verify and validate data accuracy and alerting:

• Run test scenarios across identity, device, and access contexts to verify that analytics support accurate threat detection and monitoring.
• Continuously refine detection thresholds and behavioral baselines to reduce false positives while maintaining sensitivity to anomalous activity.

Monitor performance and threat detection quality:

• Monitor ZT efficacy metrics such as alert accuracy, reduction in false positives, and trust score fluctuations.
• Continuously adjust analytics and trust evaluation models based on evolving threat intelligence, identity behavior shifts, and post-incident ZT assessments.

Enhance threat intelligence correlation:

• Once validated, integrate new and/or updated threat feeds into analytics tool(s) to improve analytic accuracy.
• Cross-reference alerts with approved threat intelligence, ensuring that only verified and validated, context-rich intelligence is used to inform security decisions and actions, in accordance with ZT principles.
• Ensure correlation logic continues to elevate threats with strongest contextual risk signals.

Gather feedback and refine analytic capabilities:

• Conduct periodic reviews with Component security team(s) to refine analytics configurations and outputs.
• Update analytic techniques as needed to reflect evolving threats, ensuring that access and actions are governed by dynamic, context-driven policies that align with the Policy-Based Access Control (PBAC) model to enforce least-privilege and adaptive security principles.

Utilize existing analytics solutions and logs to establish baseline behaviors:

• Leverage Activity 1.6.1 (Phase Two) – Implement User and Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) Tooling, to obtain existing analytics solutions.
• Leverage predecessor Activity 7.1.3 (Phase Two) – Log Analysis, to obtain assign risk scores for security-relevant activities and events.

Analyze behavior and determine baseline behaviors/patterns:

• Analyze identity-centric log data to establish behavioral baselines for Users/Person Entities (PEs) and Non-Person Entities (NPEs) (e.g., typical logon times, resource access patterns, etc.).
• Ensure consistent PEs behavior analysis across multiple accounts/devices by applying the principle of identity stitching.
• Use these baselines to inform ZT rule modeling and adaptive policy enforcement, enabling detection of anomalous behavior and context-aware access decisions.
• Determine the frequency in which baselines will be reevaluated to account for shifting responsibilities, mission, and operating requirements.
• Periodically reassess and reestablish baselines in accordance with the Enterprise or Component defined frequency.

Analyze behavior patterns to detect and respond to ZT policy violations and unauthorized access attempts:

• Leverage SIEM and SOAR solutions to continuously monitor User/PE/NPE behavior within the environment, detecting deviations from established baselines that may indicate unauthorized attempts to:
• Bypass access controls
• Escalate privileges
• Access sensitive data
• Investigate anomalous behaviors to determine the root cause in correlation with User/PE/NPE posture and/or network context before taking appropriate action to enforce ZT policies and mitigate potential threats.

Leverage ML to enhance ZT threat detection and response:

• Assess the effectiveness of current SIEM and SOAR analytics in detecting threats to the Zero Trust Architecture (ZTA) and identify opportunities where ML can:
• Improve accuracy
• Reduce false positives/negatives
• Automate response actions
• Evaluate and select ML models suitable for detecting anomalous behavior and policy violations within the environment, prioritizing those that align with ZT principles and address specific ZT security challenges.
• Train and validate ML models using historical data representative of a healthy environment, ensuring that they effectively identify and prioritize threats.
• Integrate ML-driven insights into security monitoring and Incident Response (IR) workflows, enabling more proactive and automated threat detection and response within the ZT framework.

Utilize existing analytics tools, logs, and baseline behaviors:

• Leverage Activity 1.6.1 (Phase Two) – Implement User and Entity Behavior Analytics (UEBA) and User Activity Monitoring (UAM) Tooling, to obtain existing analytics tools.
• Leverage Activity 7.1.3 (Phase Two) – Log Analysis, to gather User/Person Entity (PE)/Non-Person Entity (NPE) logs and associated risk scores.
• Leverage Activity 7.3.2 (Phase Two) – Establish User Baseline Behavior, to determine baseline behaviors/patterns for Users/PEs/NPEs.

Develop adaptive ZT threat profiles using data-driven insights:

• Create and continuously refine threat profiles based on historical data, real-time activity, and threat intelligence feeds, enabling a dynamic and adaptive approach to ZT security.
• Threat profiles should expire and be recalculated regularly to ensure they remain accurate and up to date as Users/PEs/NPEs evolve over time.

Enhance threat profiling with dynamic risk scoring:

• Leverage the Cyber Risk Scoring (CRS) methods, from Activity 7.1.3 (Phase Two) – Log Analysis, to assign weights based on security criticality of subjects and events (e.g., weighted scoring, statistical anomaly detection, etc.).
• Secure and integrate threat profiles and risk scores into automated security workflows and decision-making processes, enabling a data-driven and responsive ZT security posture.

Develop analytics to detect and respond to ZT policy violations and anomalies:

• Develop analytics that continuously monitor User/PE/NPE behavior within the environment, detecting deviations from established baselines that may indicate both overt (e.g., brute-force, privilege misuse, etc.) and covert (e.g., lateral movement, data staging, etc.) activities.
• Conduct rigorous testing to verify and validate the accuracy of analytics in identifying and prioritizing threats to ZT security.
• Leverage SIEM and SOAR solutions to correlate threat profile deviations with security events, enabling automated responses and streamlined incident investigation within the ZT framework.
• Establish alert thresholds based on dynamic risk scoring assessments and ZT policy requirements, ensuring that security teams are notified of critical events that could compromise ZT security.

Leverage threat profiles to define and enforce access rules, from Activity 6.1.2 (Phase One) – Organization Access Profile:

• Create dynamic access rules based on established threat profiles, such as restricting access for high-risk Users/PEs/NPEs.
• Integrate SIEM and SOAR solutions into the ZT framework to dynamically adjust access policies based on real-time threat intelligence and anomalous behavior detection, reinforcing continuous verification and adaptive access control with auditable and reversible actions.
• Enforce Component dynamic access policies to guide a decision-making framework, such as a Policy Decision Point (PDP) capable of consuming threat profiles.

Continuously monitor and update analytics:

• Implement continuous monitoring and automated policy enforcement to ensure access decisions reflect the latest risk, as determined by the Enterprise and Component.
• Continuously review and refine threat profiles and SIEM/SOAR rules within the ZT framework to incorporate insights from behavioral analytics and shifts in baseline activity, ensuring access decisions remain context-aware and responsive to emerging threats.

Develop a CTI program to enable data-driven ZT security and adaptation:

• Create a CTI program that provides rich threat context and data-driven insights to support continuous monitoring, risk assessment, and policy adaptation within the ZT Architecture (ZTA).
• Develop a CTI policy that emphasizes the collection and analysis of diverse threat data sources, including open-source intelligence, commercial threat feeds, and internal security logs (e.g., National Institute of Standards and Technology (NIST) Cybersecurity Framework, MITRE ATT&CK, etc.).
• Define processes for correlating threat intelligence with internal security data and integrating it into ZT security analytics platforms, enabling a more comprehensive and data-driven approach to ZT security.
• Design policies to be scalable and adaptable, ensuring they continuously integrate verified and validated threat intelligence to support context-aware enforcement decisions consistent with ZT principles.

Prepare for CTI integration to improve ZT adaptation and resilience:

• Establish a process for regularly updating and integrating validated threat intelligence, enabling the architecture to adapt to evolving threats and maintain a strong security posture.
• Define integration points for CTI data that support improved visibility and context for policy and enforcement decisions across the ZTA.

Establish CTI teams to enable ZT adaptation and informed decision-making:

• Identify key stakeholders responsible for making decisions regarding ZT security policies, architecture, and operations.
• Ensure CTI teams provide timely and actionable threat intelligence to stakeholders, enabling them to adapt the ZTA to emerging threats and make informed decisions about risk mitigation and resource allocation.

Define CTI team collaboration and information-sharing processes:

• Develop structured workflows for intelligence sharing within Enterprise-approved Communities of Interest (COI).
• Establish protocols for ingesting, validating, and distributing threat intelligence based on operational relevance and impact.

Integrate CTI to enhance ZT adaptation and resilience:

• Establish processes for continuously integrating and maintaining validated threat intelligence within the environment to improve situational awareness and resilience.
• Define how CTI data will inform policy adjustments, support risk-based prioritization, and improve the resilience of the ZTA against evolving and emerging threats.
• Regularly review and refine CTI integration strategies to ensure ongoing support ZT adaptation and resilience objectives.

Identify, verify, and validate common threat intelligence feeds:

• Select and continuously verify and validate threat intelligence feeds based on Enterprise-defined validation standards to ensure only high-confidence, relevant indicators are used to inform policies and enforcement.

Ingest and normalize threat intelligence for policy-driven usage:

• Integrate threat intelligence feeds into the SIEM using standardized formats (e.g., Structured Threat Information eXpression (STIX), Trusted Automated Exchange of Intelligence Information (TAXII), etc.) to ensure consistency across analytics and ZT Policy Decision Points (PDPs).

Correlate threat intelligence with security events:

• Map verified and validated threat indicators (e.g., Internet Protocols (IPs), domains, file hashes, Tactics, Techniques, and Procedures (TTP), etc.) to real-time user, workload, and system activity to improve visibility and enable context-aware security assessments.

Formalize intelligence-sharing partnerships and define secure sharing protocols:

• Build trusted relationships with Enterprise approved COIs.
• Establish structured processes for securely sharing threat intelligence in compliance with Enterprise and Component security and privacy policies.

Integrate shared intelligence into Component operations:

• Ensure CTI teams apply proper validation processes before sharing or acting on external intelligence.
• Integrate validated intelligence into SIEM, SOAR, and other analytics solutions to support situational awareness and informed security decision-making.

Continuously evolve sharing strategies:

• Regularly assess the value and relevance of intelligence-sharing partnerships.
• Refine engagement and collaboration strategies as threat landscape evolves.

Establish CTI-driven integration and enforcement points:

• CTI teams coordinate with existing enforcement solutions (e.g., firewalls, endpoint security, intrusion prevention systems) to incorporate validated CTI context into access control and segmentation logic.
• Leverage technologies such as Identity and Access Management (IAM), Policy Enforcement Points (PEPs), Policy Decision Points (PDPs), and Endpoint Detection and Response (EDR) to apply ZT-aligned policies across the environment.

Ensure cross-pillar integration:

• Align integration points across identity, device, network, application, and data security layers to achieve consistent CTI-driven visibility and control across the ZTA.

Implement continuous monitoring to maintain threat awareness:

• Continuously assess evolving threat landscape using validated threat intelligence to inform policy decisions, alert tuning, and control prioritization across SIEM, SOAR, and related monitoring solutions.

Enable dynamic alerting and reporting:

• Configure SIEM and related solutions to handle alerts based on CTI-informed context (e.g., observed TTP, malicious indicators).
• Ensure alerts are actionable and prioritized based on validated intelligence and associated risk.

Continuously refine CTI detection and policy efficacy:

• Conduct routine evaluations to ensure CTI-informed detections align with ZT enforcement priorities.
• Regularly test and validate monitoring, alerting, and response mechanisms through threat-informed assessments (e.g., penetration tests, red teaming, on-net assessments, etc.) to enhance ZT enforcement accuracy and effectiveness.
• Refine detection logic, CTI data feeds, and validation workflows based on findings from postincident reviews, assessments, and evolving threat intelligence to continuously improve the fidelity and relevance of ZT-aligned detections.

Review CTI program maturity and perform gap analysis:

• Leverage CTI policy and team(s), from Activity 7.5.1 (Phase One) – Cyber Threat Intelligence (CTI) Program Part 1, to identify gaps in processes, teams, and tools.
• Integrate CTI program improvements by mapping threat intelligence to potential attack paths within the Zero Trust Architecture (ZTA). Use this intelligence to meet Component mission priorities by:
  • Informing policy tuning.
  • Refining risk-based access controls.
  • Prioritizing monitoring of high-risk assets and identities.

Expand stakeholder engagement:

• Identify and onboard new Enterprise approved Communities of Interest (COI), to include mission-critical stakeholders.

Enhance threat intelligence for data-driven ZT security:

• Continuously update CTI feeds with validated, diverse, and high-quality data sources that enrich security context within the environment.
• Prioritize data that can be integrated into security analytics platforms and used to inform automated responses, enabling a more data-driven and adaptive ZT security posture.

Strengthen ZT enforcement integration across pillars:

• Extend enforcement points across ZT Pillars, incorporating User and Entity Behavior Analytics (UEBA), User Activity Monitoring (UAM), and other advanced analytics tools.
• Automate enforcement of CTI-informed policies by integrating threat intelligence into ZT decision points (e.g., identity, device, and application access) to dynamically adjust security controls in accordance with ZT policy and continuous risk evaluation.

Document and update the CTI program to support ZT security:

• Maintain a CTI strategy document that aligns with the Component’s ZT strategy and Enterprise cybersecurity guidance. Clearly articulate the CTI program:
  • Supports ZT principles.
  • Informs ZT policy enforcement.
  • Enhances threat detection and response.
• Ensure strategy documents are accessible to all relevant teams and integrated into operational workflows.

Analyze threat intelligence to enhance ZT security:

• Verify and validate CTI data feeds for accuracy, relevance, and alignment with ZT security objectives, prioritizing data that:
  • Informs access control decisions.
  • Enables automated responses.
  • Supports proactive threat hunting.
• Categorize intelligence data based on its applicability to ZT pillars and enforcement points (e.g., UEBA, UAM, etc.) to ensure that relevant threat information is readily available to the appropriate security solutions and teams.

Correlate threat intelligence to enhance ZT visibility and proactive defense:

• Leverage Threat Intelligence Platforms (TIPs) and Security Information and Event Management (SIEM) to correlate CTI data with security events and logs within the environment.
• Identify trends and patterns in threat activity that could bypass or exploit weaknesses in ZT controls, enabling proactive security measures and enhancing visibility into the threat landscape.

Prioritize and assess threats:

• Consider using the Component defined CRS methodology from Activity 7.1.3 (Phase Two) – Log Analysis, to assign risk scores
• Alternatively, evaluate threats based on impact, likelihood, and relevance to mission-critical assets.

Enforce and continuously improve security controls across ZT Pillars:

• Apply Identity and Access Management (IAM) policies to protect sensitive assets and dynamically adjust access based on threat intelligence.
• Regularly refine and validate CTI data ingestion, analysis, and enforcement mechanisms to ensure threat intelligence informs dynamic, risk-based access decisions and policy updates across ZT enforcement points, to include Policy Decision Points (PDPs), Policy Enforcement Points (PEPs), UEBA, etc.
• Conduct regular assessments to verify and validate the efficacy of ZT policy enforcement, ensuring access controls, segmentation, and detection mechanisms function as intended under adversarial conditions.

Maintain stakeholder engagement and collaboration:

• Regularly update stakeholder roles and responsibilities to reflect emerging threat landscapes and shifts in organizational priorities.
• Foster ongoing collaboration among stakeholders to ensure continuous alignment of CTI initiatives with ZT principles, enabling informed decision-making, dynamic policy enforcement, and continuous verification across the Component environment.

Continuously optimize the CTI program for data-driven ZT security:

• Regularly evaluate the quality, relevance, and timeliness of threat intelligence data used within the ZTA.
• Refine the CTI program to improve data collection, analysis, and integration processes, ensuring that the program effectively supports data-driven security decisions and automated responses within the ZT framework.
• Validate CTI program security decisions and automated response pathways, for example: intel -> decision -> enforcement, with consistent logging and visibility of events.