Presented by Zscaler

An automatic dog feeder seemed like a good idea at the time. One of our team members had a COVID puppy, Mango, who ate constantly and their kids had long abandoned the promises to help. All was good, until a malfunction dumped a pound of dog food on Mango, mid-feed. The “brave” puppy was too scared to ever eat from it again.

What does this have to do with cybersecurity? Well, it illustrates the importance of automation and orchestration as they are pillars of proper cybersecurity architecture. But it highlights that there can be unforeseen risks to consider, as well. 

Successful secure digital transformation requires an automation and orchestration mindset. Humans are simply not capable of keeping pace with the amount of data, threats and the ever-increasing sophistication of attackers who are leveraging their own automation strategies. As one embarks on their zero trust journey, this becomes even more critical. Automation and orchestration are foundational elements of the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model.

But what does automation and orchestration mean in the context of cybersecurity? We’ll start with some definitions. Automation refers to the use of technology to automatically perform tasks or actions that were previously done manually by humans. Orchestration, on the other hand, refers to the integration and coordination of different tools and technologies to create a unified security platform. In the case of the automatic pet feeder, automation would be the dispensing of food at scheduled times, while orchestration would be aligning feeding times with Mango’s dietary needs and ordering more food when supplies went low.

Automation and orchestration in a zero-trust architecture

How are these practices implemented? As suggested earlier, automation can simplify the enforcement of security policy. Take, for example, the manual process of application segmentation in the context of a zero trust architecture. Zero trust is a security model that assumes that all users, devices and applications are untrusted and must be verified before granting access to resources and then only grants what is needed by the business — moving away from implicit trust, hence the term “zero trust.” Thus, moving to zero trust allows for granular application segmentation policies that grant access based on business policies. 

This is powerful, but creating these rules manually can be difficult and time consuming. The first step is having the visibility to be able to understand the landscape and what is really happening in the environment to set up proper segmentation policies. This was discussed in more depth in this article.

But next comes the processes of creating, maintaining and enforcing the segmentation rules, which will rely heavily on automation techniques coupled with AI/ML insight to create recommendations based on actual usage. It could say, for example, visibility shows that only the finance department accesses a critical financial software package, even though the entire company has access. It could then automate the creation of a segmentation rule, and thereby reduce the attack surface by removing unnecessary trust in the environment.

In a zero trust world, the network stack and the network itself have been removed from the attack surface, leaving effectively the zero trust platform (like an SSE architecture), the endpoint and identities as the reduced enterprise attack surface. This means that tools like SSE, EDRs and IDPs might each employ automation for efficiency but need orchestration among them. 

Take, for example, the previous case where an automatically created segmentation policy grants access to an application only to the finance department. What if the EDR was able to spot risky behavior from an employee in the finance department whose device also wasn’t up to security standards? Orchestration between the EDR and SSE would limit access (either a block, limited access or isolated browser access) to the important financial application. In a more radical example, deception could be brought into play with lures that a legitimate employee in finance would never find or use, but an attacker might; and automation could immediately send a signal to the security operations team and also create a false application with false data for the attacker to access.

Automation allows for the quick and efficient deployment of security policies, which are essential for enforcing the zero trust model. By automating the deployment of security policies, security teams can ensure that access is only granted to authorized users and devices. Orchestration enables security teams to automate workflows and processes across different security tools, allowing them to quickly and efficiently respond to security incidents. In Mango’s case, these techniques did provide her with food on time and reduced the burden on her owners.

Where things get complicated

So what are the challenges? Automation and orchestration are fine when it is done incrementally and strategically, but can potentially be used by an attacker even when they don’t know the specific pages of the playbook or code of the automated scripts. With an intelligent opponent and given multiple opportunities to attack and learn from one another, automation that can be seen and triggered intentionally can be exploited. This is seen in the fraud world where large volumes of fraudulent transactions give real-time feedback to cyber criminals: when something is effective, it is noted and used again immediately with swarm-like intensity. 

There are three general principles to employ when using automation and orchestration to minimize these risks and maximize the gains in efficiency, cost reduction, and security effectiveness:

  1. Scale: automate at small scales, not large. Large-scale automation can be done, but is best done through incremental increases and gains over time rather than in monumental leaps and gains.
  2. Look and test: look at the blind spots that automation can cause and test actively with red teaming and purple teaming. If automation is driving analysts to investigate a certain way, occasionally send them different types of prompts or alerts or look at the data that is ignored.
  3. Check under the hood: make sure that those who are getting support and are growing their skills in the shadow of automation and orchestration understand how that happens. Encourage skepticism in the system itself in operations.   

Overall, automation and orchestration are both critical components of a strong cybersecurity strategy. Arguably, they may be necessary to grow in maturity and handle advanced threats at scale. But the real goal in all this is business transformation: network, application, and security. Having this mentality is what will enable us to focus on that and get on with that transformation. Automation and orchestration are vital qualities of a large-scale zero trust platform, and as we’ve seen, they have to be done in a way that minimizes the ability for adversaries to abuse and turn them on the defenders.

After all, accidentally dropping a pound of dog food on my puppy is one thing, but hacking the dispenser and shooting dog food at Mango is completely unacceptable! Used correctly, these methods will serve us and enable secure digital transformation, and maybe help ease the burden on puppies and their owners. 

To see how Zscaler is helping its customers reduce business risk, improve user productivity and reduce cost and complexity, visit

Sanjit Ganguli is VP Transformation Strategy & Field CTO at Zscaler. Sam Curry is VP, CISO at Zscaler. Nathan Howe is VP Emerging Technology at Zscaler.

Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact