It’s no secret that security operations are under fire. In most enterprises, the only thing standing between a normal day and a financially devastating data breach is the security analyst. Yet, despite decades of investment in cyber security protection, detection, and intelligence tools, the analyst lacks a centralized software platform to operationalize all of this data in time to effectively prevent breaches from occurring. Drowning in a sea of alerts, and with the business on the line, SOC analysts are desperately seeking solutions. Automation is being hailed as the answer.

But what does “security automation” really mean?

Security Automation is only one facet of Security Orchestration

Among cyber professionals, orchestration and automation are frequently used interchangeably. Some have positioned orchestration as the “next” phase of automation. It’s no wonder security leaders are confused.

In our review of the landscape, almost all automation point solutions simply remediate individual, low-level alerts. The idea is that this will offload a portion of the analyst workload to free up time to investigate the important stuff. But with what tool?

To be clear, automating the response to low-level, false-positive, and duplicate alerts is just one piece of orchestration. The list of individual processes that can be automated is growing, and effective automation simplifies routine tasks so they execute with far more efficiency. Yet even the most advanced automation systems filter only a percentage of the security alerts that register on a company’s network.

Even if organizations could automate the full scope of alerts, leaders are simply not inclined to turn complete control of their security over to a black box. Thus, for most organizations, incident responders are still required to sort through alerts and make the tough calls as to whether an attack is truly occurring. The analyst is more important than ever. The question is how we empower them and strike the right balance of machine-driven vs. analyst-driven response. The answer is orchestration.

In security parlance, orchestration is a method of connecting security tools, integrating disparate security data, and providing security teams the broad functionality to respond to all types of threats. When executed properly, it is the connective tissue that streamlines security processes and powers effective security response.

Effective Security Orchestration Applied

You cannot find or eradicate the threat by playing whack-a-mole with individual alerts. Humans must contextualize alerts and security data into a threat storyline, using automation as an enabler along the way. Comprehensive security orchestration is all about providing the capabilities to navigate the full scope of security operations and incident response, from the initial alert through remediation. Regardless of the maturity or size of the security team, effective orchestration is built on a few key tenets:

  • Context – correlating alerts, intelligence, and security data into prioritized cases that carry the complete contextual threat storyline.
  • Automation – integrating automated capabilities in a flexible manner: from basic playbooks, to semi-automatic workflow, to complete automation of incident response where appropriate. One-size-fits-all doesn’t work with security automation.
  • Analyst Enablement – giving analysts the proper tools and visibility to intervene effectively throughout the investigation and response process, ultimately ensuring we are curing the disease, not just the symptoms.

With effective security orchestration, teams are able to utilize a single pane of glass for a coordinated response, both machine-led and analyst-driven. There is a delicate balance between human intervention and automation that requires the right underlying architecture and intelligence. Automation must be earned, not given.
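To make the three tenets and the "earned, not given" balance concrete, here is an added illustration (not code from the article or any vendor platform): raw alerts are grouped into per-asset cases, duplicates and team-vetted false positives are handled automatically, a single low-level alert with an approved playbook runs unattended, and anything showing several signals on one host is escalated to an analyst with the automated actions listed alongside. All alert values, rule names and playbook names are constructed for the example.

```python
# Added illustration of tiered orchestration triage; not the article's own code.
from collections import defaultdict

# Constructed sample alerts: assets and rule names are made up for this example.
ALERTS = [
    {"id": 1, "asset": "ws-042", "rule": "av_signature_hit"},
    {"id": 2, "asset": "ws-042", "rule": "av_signature_hit"},      # duplicate of id 1
    {"id": 3, "asset": "ws-042", "rule": "suspicious_powershell"},
    {"id": 4, "asset": "srv-db-01", "rule": "vuln_scanner_probe"},
    {"id": 5, "asset": "ws-042", "rule": "outbound_beacon"},
]

# Rules the team has vetted as noise (hypothetical list): closed without a human.
KNOWN_FALSE_POSITIVES = {"vuln_scanner_probe"}
# Playbooks the team has approved for fully automatic execution (hypothetical).
AUTO_PLAYBOOKS = {"av_signature_hit": "quarantine_file"}

def build_cases(alerts):
    """Group alerts by asset so the analyst sees one storyline, not N tickets."""
    seen, cases = set(), defaultdict(list)
    for alert in alerts:
        key = (alert["asset"], alert["rule"])
        if key in seen:            # duplicate alert: dropped, nothing new to investigate
            continue
        seen.add(key)
        cases[alert["asset"]].append(alert)
    return dict(cases)

def triage(case_alerts):
    """Return (tier, automated_actions) for one case.

    tier is 'closed' (only known false positives), 'automated' (one alert with
    an approved playbook) or 'analyst' (several distinct signals on one host,
    which is the context a lone alert hides)."""
    live = [a for a in case_alerts if a["rule"] not in KNOWN_FALSE_POSITIVES]
    if not live:
        return "closed", None
    actions = [AUTO_PLAYBOOKS[a["rule"]] for a in live if a["rule"] in AUTO_PLAYBOOKS]
    if len(live) == 1 and actions:
        return "automated", actions
    # Automated steps still run, but the case lands in front of a human.
    return "analyst", actions

def run(alerts):
    """Triage every case; maps asset -> (tier, actions)."""
    return {asset: triage(case) for asset, case in build_cases(alerts).items()}

if __name__ == "__main__":
    for asset, (tier, actions) in run(ALERTS).items():
        print(f"{asset}: {tier} {actions or ''}")
```

With the constructed input, ws-042 collapses to three distinct alerts and is escalated with the quarantine already recorded, while srv-db-01 is closed as scanner noise.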

Final Thoughts – Driving ROI

Security orchestration is transforming how analysts approach their job. The analyst isn’t going away, and given the shortfall in staffing, they must be armed with a comprehensive orchestration platform designed specifically for them.

The average breach costs businesses north of $10M, which makes the status quo no longer tenable. Given the stakes, security leaders recognize the importance of driving analyst productivity, increasing the number of mitigated threats, and perhaps most importantly, dramatically shortening mean time to remediation for all alerts (both automated and human-led).

Once again, enterprise security leaders must avoid the distraction of point solutions that create yet another dangerous silo in the security operation and arm the organization with the right balance of automation and human intuition from a single pane of glass.

This article originally appeared on CYBER DEFENSE MAGAZINE.